workers rights Archives - TechGDPR (https://techgdpr.com/blog/tag/workers-rights/)

Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus
https://techgdpr.com/blog/data-protection-digest-03052023-draft-ai-legislation-finalised-and-employers-compliance-in-focus/ (Wed, 03 May 2023)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

Draft AI Act: The long-discussed AI legislation is expected to go through the full European parliamentary vote in mid-June. Reportedly MEPs, after two years of discussions with stakeholders, have finally reached a common political position. However, it will take a few years for it to be enforced: the EU interinstitutional ‘trilogue’ that comes after parliamentary approval may take a while. 

The most rigorous regulations will apply to high-risk systems, such as those used for biometric identification, critical infrastructure management, or by large online platforms and search engines, where they create threats to the health, safety or fundamental rights of individuals. The framework includes testing, proper documentation, data quality and human oversight. Extra safeguards are promised when such systems are intended to process special categories of personal data, with synthetic, anonymised, pseudonymised or encrypted data to be prioritised instead.

MEPs also support the idea of putting stricter data governance obligations on foundation models, (like ChatGPT), distinguishing them from general-purpose AI.

MiCA: Meanwhile the Parliament endorsed the EU rules to trace crypto-asset transfers and prevent money laundering, as well as common rules on supervision and customer protection. The “travel rule”, already used in traditional finance, will in the future cover transfers of crypto assets. Information on the source of the asset and its beneficiary will have to follow the transaction and be stored on both sides of the transfer. The rules will not apply to person-to-person transfers conducted without a provider or among providers acting on their own behalf. The end of 2024 or early 2025 will see the full implementation of the framework. 

America’s Innovative tech: The existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices, states the US Justice Department with its federal partners. The US Constitution and federal statutes prohibit discrimination across many facets of life, including education, criminal justice, housing, lending, and voting. It is illegal for an employer to discriminate against an applicant or employee due to their race, religion, gender, age, pregnancy, disability, or genetic information. The firms are also required to destroy algorithms or other work products that were trained on illegally collected data. 

Case law

Apartment surveillance: The Estonian supreme court explained the possibility of installing surveillance cameras in an apartment building if some owners do not agree. In the given case, drug gang activity in the building was spotted, but one owner contested the cooperative’s decision to install the cameras as an intrusion into his privacy and the risk of monitoring. As CCTV processes personal data, a legal basis is necessary according to the GDPR. If an agreement between the owners cannot be reached, it can be done by a majority vote. In this case, there must be a legitimate interest, which outweighs the interests or fundamental rights of the apartment owners, (eg, a security threat – in the given case).

However, the court stated, if the installation of cameras is decided by a majority vote at the general meeting, then all apartment owners must be given the opportunity to familiarize themselves with the planned conditions, including a privacy notice for the use of cameras before the meeting. In case of violation of this requirement, the decision of the general meeting would be null and void.

Official guidance

SMEs guide: An organisation not only has to process personal data according to the GDPR, but it also needs to be able to demonstrate its compliance. For this purpose, the EDPB published its Guide for SMEs. It applies whenever you process personal data about your staff, consumers, and business partners. Transparency, data minimisation, respect for individual rights and good security practices are basic precautions for both data controllers and processors. The guide contains visual tools and other practical materials. In addition, it contains an overview of handy materials developed for SMEs by the national data protection authorities.

Employer’s guide: The Irish data protection regulator meanwhile published Data Protection in the Workplace instructions. Employers collect and process significant amounts of personal data on prospective, current and former employees. Although not all organisations are required to have a data protection officer, organisations might still find it useful to designate an individual within their organisation to oversee the recruitment data processing. The guide includes explanations and examples of appropriate legal bases, storage periods, fulfilment of data subject requests, employee monitoring technologies, email status, and much more.

Employees’ photos: The Slovenian data protection agency published its opinion regarding the revocation of consent for the publication of employees’ photos on the employer’s social networks. The processing of the employee’s personal data based on their personal consent is permissible only in exceptional cases, due to the obviously unequal position of the employer and the employee. 

Nonetheless, if the circumstances of the employment relationship do not require the production, publication and continued storage of a photograph, the employer should obtain consent, (and provide all the necessary information stipulated in Art. 13 of the GDPR). In this case, the fact that the photos have been made public has no effect on the possibility of revoking consent to their publication. A refusal or silence from the manager gives rise to the possibility of lodging a complaint with the data protection authority.

RoPA: A fresh new guide on records of processing activities with some practical examples was issued by the Irish data protection agency. The RoPA should not just be a ‘catch all’ document that refers to other documents; all processing activities should be recorded in sufficient detail, it states. An external reader or an auditor needs to be able to fully comprehend the document. Smaller organisations may not be required to maintain a full RoPA due to their size. However, most organisations will need to record processing activities such as HR and payroll functions. It may be that a simple spreadsheet is sufficient. For more complex organisations, the data controller may opt to use a relational database or one of the RoPA tools available from third-party data protection service providers. 

Online training: During the planning stage of a seminar, explains the Latvian data protection regulator, best practice means writing down and evaluating what kind of data about the event’s visitors is intended to be processed, and for what purposes. Beyond registration data, this can include the participant’s technical data from a device and broadcast and recording of the seminar. The next questions should be what is the applicable legal basis, the types of personal data, and the storage periods necessary to achieve the goal. 

In the case of other (joint) controllers, or processors involved, they must agree among themselves, determine the specific responsibilities and inform the workshop participants. The organizer(s) can include such information in the general privacy policy or develop it separately for each individual seminar. The information must be provided in a concise, transparent, understandable and easily accessible way, (it is considered good practice to have the privacy policy no more than two clicks away from the website’s front page). 

Enforcement decisions

ChatGPT: The temporary ban against OpenAI and its ChatGPT has been dropped by the Italian data protection authority. The platform has introduced the required opt-out option for the user’s data processing before running the AI chatbot. A number of European regulators are also moving into action. The French data protection authority has announced an investigation of the complaints received, and the German regulators want to know if a data protection impact assessment has been conducted. At the same time, Ireland’s regulator advises against rushing into ChatGPT prohibitions that “really aren’t going to stand up”, stressing that it is necessary first to understand a bit more about the technology.

Record number of cases: The Spanish data protection agency published its 2022 report. 15,128 claims were filed, which represents an increase of 9% compared to 2021 and 47% compared to 2020. This figure rises to 15,822 including cross-border cases from other European authorities and the cases in which the agency acts on its own initiative. The areas of activity with the highest amount of fines imposed have been Internet services, advertising, labour matters, personal data breaches, fraudulent contracting and telecommunications. The main way of resolving claims involves their transfer to the data controller, obtaining a satisfactory response for the citizen in an average of less than 3 months, states the report.

Employee’s dismissal: The Danish data protection authority criticised an employer who informed the entire workplace that an employee had been dismissed due to, among other things, cooperation difficulties. The employer’s briefing emails went further than what was necessary for the purpose, namely to inform the relevant persons about the resignation. The employer stated that making the reason for the resignation public was to avoid the creation of rumours. However, the Danish regulator found that consideration for the resigning employee weighed more heavily.

Security clearance: The Danish authority also decided against a former security guard who complained that his employer, (Securitas), had passed on information about him to the intelligence services in connection with a security clearance without obtaining consent. However, Securitas insists that all on-call employees are informed of the requirement for security clearance, and the complainant had completed an employment form with a declaration of consent, as his application for security approval would have been rejected if he had not completed, signed and consented to it.

Dark patterns: In Italy, a company that offers digital marketing services was found guilty of having illegally processed personal data. It emerged that in some of the portals owned by the company, “dark patterns” were used which, through suitably created graphical interfaces and other potentially misleading methods, enticed the user to give their consent to the processing of data for marketing purposes and to the communication of data to third parties. In addition, an invitation to click on a link that led to another site to download an e-book had the user’s profile data already recognized and the consent already selected. 

Security evidence logs: For a careless response to a data access request, the Spanish data protection authority fined Securitas Direct España 50,000 euros, according to Data Guidance. The complainant exercised their right of access after their vacation home, for which they had signed a security service contract, was robbed. The data logs from the alarm system were not provided in full by Securitas Direct, and those that were sent to the complainant were incomplete, out of chronological order, and missing the decryption keys. The logs produced by the alarm system installed in the complainant’s home, stated the regulator, are considered personal data and are thus subject to the right of access.

Data security

Consumers’ personal data: New York’s Attorney General released a guide to help businesses adopt effective data security measures to better protect personal information. The guide offers a series of recommendations intended to help companies prevent breaches and secure their data, including:

  • maintaining controls for secure authentication,
  • encrypting sensitive customer information,
  • ensuring your service providers use reasonable security measures,
  • knowing where you keep consumer information,
  • guarding against automated attacks, and
  • notifying consumers quickly and accurately of a data breach, etc.

Cybersecurity of AI: The European Union Agency for Cybersecurity published an assessment of standards for the cybersecurity of AI and issued recommendations to support the implementation of upcoming AI legislation. AI mainly includes machine learning resorting to methods such as deep learning, logic, and knowledge-based and statistical approaches. However, the exact scope of an AI system is constantly evolving both in the legislative debate on the draft AI Act, as well in the scientific and standardisation communities. 

The assessment is based on the observation concerning the software layer of AI. It follows that what is applicable to software could be applicable to AI. However, it does not mean the work ends here. Other aspects still need to be considered, such as a system-specific analysis to cater for security requirements deriving from the domain of application, and standards to cover aspects specific to AI, such as the traceability of data and testing procedures. Meanwhile, some key recommendations include:

  • establishing a standardised AI terminology for cybersecurity;
  • developing technical guidance on how existing standards related to the cybersecurity of software apply to AI;
  • reflecting on the inherent features of machine learning in AI;
  • considering risk mitigation by associating software components with AI, reliable metrics, and testing;
  • promoting cooperation and coordination across standards organisations’ technical committees.

Big Tech

VLOPs: The first designations of ‘Very Large Online Platforms and Online Search Engines’ under the Digital Services Act, (and the Digital Markets Act), were made public by the European Commission. As the 19 designated entities each reach 45 million monthly active users, they will be subject to more regulatory requirements: user rights offerings, targeted advertising opt-outs, restrictions on sensitive data and profiling of minors, as well as improved transparency and risk assessment measures. Within 4 months of notification, the platforms will have to redesign their services, including their interfaces, recommender systems, and terms and conditions.

Salesforce Community leaks: A large number of businesses, including banks and healthcare providers, are leaking information from their open Salesforce Community websites, a KrebsOnSecurity analysis has discovered. Customers can access a Salesforce Community website in two different ways: through authenticated access, (which requires logging in), and through guest user access, (which doesn’t). It appears that Salesforce administrators may inadvertently give guest users access to internal resources, (payroll, loan amounts, bank account information combined with other data), which could allow unauthorised users to gain access to a company’s confidential information and result in possible data leaks.

Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset
https://techgdpr.com/blog/data-protection-digest-30082022-data-subject-complaints-inappropriate-reliance-on-consent-smart-tv-reset/ (Tue, 30 Aug 2022)

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: data subject complaints, new business, identity cards, traffic licenses, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, DPOs

The UK Information Commissioner’s Office offers a brief guide on how to deal with data subject complaints, (your staff, contractors, customers), when you are a small business. The main steps are as follows: 

  • Respond as soon as possible, in plain language, to let the customer know you’ve received their data protection complaint and are looking into it. 
  • Let them know when they can expect further information from you and give them a point of contact. Include information about what you’ll do at each stage.
  • Send them a link to a complaints procedure, (if there is one). 
  • Check the complaint has come from an appropriate person. 
  • Check all the details of their complaint against the information you hold.
  • Ask for additional information if necessary. 
  • Update them so they know you’re working to resolve the issue. 
  • Record all your actions and due dates, and keep copies of relevant documents and conversations.

Starting a new business? The Jersey data protection regulator offers a quick guide on customer information, employee details, contact or payment details for suppliers and contractors, and other data points you’ll need to take responsibility for when getting a new business venture off the ground. The measures may include training your staff, limiting administrative rights, minimising data collection and storage, locking sensitive data, drafting a privacy policy, regular software updates and more. But even simple actions like turning off the ‘auto-complete’ function for email addresses or avoiding email forwarding may save you from personal data breaches. 

Financial institutions, for a range of services such as setting up and maintaining a bank account, electronic banking services, granting a loan or even a transfer order, make copies of our identity documents. The Polish data protection authority UODO takes the position that such copying is not allowed in every situation. For instance, the country’s banking law allows processing information contained in identity documents, but this does not give the right to make copies. In many cases, it is enough to show an identity document for inspection. On the other hand, anti-money laundering and counter-terrorist financing legislation entitles financial institutions to make copies of identity documents. Before applying financial security measures, institutions must assess whether it is necessary to process the personal data of a natural person contained in the copy of the identity card for these purposes. According to the principles of purpose limitation and data minimisation, personal data must be collected for specific, explicit and legitimate purposes, using relevant criteria and limited to what is necessary for the purposes for which they are processed.

The Hungarian data protection authority NAIH issued a notice on data management related to the reading of the bar code on traffic licenses at filling stations. According to the submissions received by the regulator, in order to sell fuel at the official price, a fuel provider reads bar codes on vehicle registrations, (or records the registration number of the vehicle), and stores it in its system. The data is then forwarded for tax control purposes. In relation to data management, information was not available for customers at the filling stations, and the employees were not able to provide any meaningful information. The NAIH started an ex-officio investigation into the lawfulness of the processing, and to see if the tax authority and fuel providers had complied with Art. 13 of the GDPR. 

The Latvian data protection authority DVI recently issued a series of recommendations, (in Latvian), including:

  • To evaluate the use of TCF and OpenRTB systems. Following the Belgian regulator’s decision, the transparency and consent system created by IAB Europe and the real-time bidding system were recognised as non-compliant. The decision stipulates that personal data obtained through TCF must be deleted immediately. This means that organisations using the tools, (website/app operators, advertisers and online ad technology companies), must stop using the tool, (unless it uses non-personal data).
  • What to do if another person’s data has been received by mistake, (Do not open, do not publish, use minimal research to identify the sender, who should be notified, let the sender solve this situation himself, etc.).
  • Safe use of online platforms used during the educational process.
  • The processing of personal data by insolvency administrators in the register of creditors’ claims, and
  • Functions and tasks of a data protection specialist.

Legal processes: EU Data Act, Quebec Bill 64, California privacy laws, China cross-border transfers

The Czech Presidency of the EU Council brought more clarity on the proposed Data Act, namely the part that refers to public sector bodies’ access to privately held data, Euractiv.com reports. Public authorities might request data, including the relevant metadata, if its timely access is necessary to fulfil a specific task in the public interest, (eg, local transportation, city planning and infrastructural services). At the same time, safeguards for requests involving personal data have been added, as the public body will have to explain why the personal data is needed and what measures are taken to protect it. The top priority should be anonymisation, or at least aggregation and pseudonymisation, of collected data.

In Quebec, the first amendments from Bill 64, (which modernises data protection legislative provisions), to the Quebec Privacy Act and the Quebec IT Act will come into force on 22 September. They create an obligation for a person carrying on an enterprise to protect personal information and automatically designate the person exercising the highest authority within the enterprise as the person responsible. Other provisions create mandatory reporting of confidentiality incidents, registration of biometric information databases no later than 60 days before they are put into service, notification of any processes used to verify/confirm an individual’s identity based on biometric data, and allow disclosure of personal data necessary for commercial transactions, (eg, mergers, leasing).

In California a new privacy rights act, the CPRA, will take effect on 1 January 2023, while the new California privacy protection agency is consulting on draft regulations, with special attention on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws. Other key regulatory issues include data processing agreements, programmes for exercising data subjects’ rights, data minimisation and valid consent requirements, and the prohibition of “dark patterns”.

China will enforce cross-border data transfer rules starting from 1 September. Consequently, many critical industries like communication, finance or transportation will face additional checks under the country’s latest cybersecurity, data security and personal information protection legislation. Companies seeking to transfer personal data on 100,000 or more people, (10,000 or more for sensitive data), companies that handle the personal data of 1 million or more people, as well as operators that transfer the personal information of at least 100,000 cumulative individuals a year will undergo security reviews. Businesses will have to explain to government investigators the purpose of the transfer, the security measures in place, and the laws and regulations of the destination country. More details on the new regulatory framework can be found in this guidance (by KPMG China).

Enforcement actions: commercial prospecting, employee’s consent, smart TV reset, Chromebook ban, PHI disposal, medical results without encryption

A famous French hotel group was slapped with a 600,000 euro fine from the privacy regulator CNIL for carrying out commercial prospecting without the consent of customers, when making a reservation directly with the staff of a hotel or on the website. The consent box to receive the newsletter was prechecked by default. Also a technical glitch prevented a number of people from opposing the receipt of such messages for several weeks. As the processing in question was implemented in many EU countries, the EDPB was asked to rule on the dispute concerning the amount of the fine. The CNIL was then asked to increase the sum so that the penalty would be more dissuasive.


Guernsey’s data protection authority has issued a reprimand, (recognition of wrongdoing), to HSBC Bank’s local branch for inappropriate reliance on consent. An employee felt obliged to consent to providing sensitive information about themselves in connection with what they believed was a possible internal disciplinary matter. They then made a formal complaint. The authority’s opinion is that reliance on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Whilst in this case the controller ceased processing as soon as concerns were raised, they nonetheless continued to use consent as justification for the processing. How to manage data protection in employment? See in Guernsey’s latest guide.

The Danish data protection authority expressed serious criticism of retailer Elgiganten A/S after a returned television, which had not been reset to clear the complainant’s personal data, was stolen during a break-in at their warehouse. This meant that a third party gained access to the TV and thus to information from the streaming services that the complainant was logged into, as well as the browsing history. Before the break-in, the company had carried out a risk assessment for theft of their products and assessed the risk to be high, so the warehouse was secured by locks, a high wall, surveillance cameras and motion sensors. The burglar gained access by simply punching a hole in the wall.

The Danish data protection authority is maintaining its ban on Chromebook use by a Helsingør municipality, on the grounds of high risks for individuals. The regulator stated that the decision does not prohibit the use of Google Workspace in schools – but the specific use of certain tools in the municipality is not justifiable regarding children’s information. The Municipality assessed that Google only acts as a data processor, but in the opinion of the regulator, it acts in several areas as an independent data controller, processing personal data for its own purposes in the US. 

The Danish regulator ruled that the municipality cannot reduce the risk to an acceptable level without changes to the contract basis and the technology the municipality has chosen to use. Although the decision specifically relates to the processing of personal data in Helsingør Municipality, the regulator encourages other municipalities to look at the same areas in relation to unauthorised disclosure and transfers to unsafe third countries.

The recent HIPAA settlement, (over 300,000 dollars), offers lessons on data disposal and the meaning of Protected Health Information, (PHI), workplaceprivacyreport.com reports. A dermatology practice reported a breach last year when empty specimen containers with PHI labels were placed in a garbage bin in the practice’s car park. The labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The workforce should have been trained to follow disposal policies and procedures. These requirements can include: shredding, burning, pulping, or pulverising records so that PHI is rendered essentially unreadable; storing labelled prescription bottles in opaque bags in a secure area; and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

The Belgian data protection authority also fined a laboratory 20,000 euros for insufficient security measures, DPIA, and privacy policy (Art. 5, 12-14, 32 and 35 of the GDPR), Data Guidance reports. Namely:

  • the laboratory webpage allowed doctors to remotely consult the medical results of patients without employing any encryption;
  • the laboratory failed to conduct a DPIA for the large-scale processing of health data;
  • while denying that the health data had been processed on a large scale, it had failed to clarify what criteria it was using to determine this;
  • the laboratory failed to include a privacy policy on its webpage related to the maintenance of the abovementioned medical results.

Data security: cyber security breaches landscape, personal data bought by FBI, social engineering on healthcare

The UK government published an in-depth qualitative study with a range of businesses and organisations which have been affected by cyber security breaches. The findings help businesses and organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the government in shaping future policy in this area. The guide also contains 10 practical case studies on: understanding the level of existing cyber security before a breach, determining the type of cyber attack, understanding how businesses and organisations act in the immediate, medium, and long-term aftermath of a breach, etc.

Top US Democrats in Congress demand the FBI and Department of Homeland Security detail their alleged purchases of Americans’ personal data, Gizmodo.com reports. They suspect federal law enforcement agencies of using commercial dealings with data brokers and location aggregators to sidestep warrant requirements in obtaining Americans’ private data. Reportedly data points may include, among others, records of internet browsing activity and precise locations. The demand includes the release of documents and communications between the agencies and data brokers with whom they may have dealings or contracts.

The US Health Sector Cybersecurity Coordination Center published guidance on the impact of social engineering on healthcare. Social engineering is the manipulation of human psychology for one’s own gain. “A social engineer can manipulate staff members into giving access to their computers, routers, or Wi-Fi; the social engineer can then steal Protected Health Information, (PHI), Personal Identifiable Information, (PII), or install malware posing a significant threat to the Health sector”, says the study. It also answers the questions on phases, types of social engineering attacks, (eg, tailgating, vishing, deepfake software, smishing, baiting and more), the personality traits of a social engineer, data breaches and steps to protect your organisation.

Big Tech: US mobile carriers, Google location data, Cambridge Analytica settlement, TikTok iOS app, Oracle class action

The US Federal Communications Commission will investigate whether mobile carriers comply with their obligation to disclose to consumers how they use and share location data, Reuters reports. Top mobile carriers like Verizon, AT&T, T-Mobile, Comcast, Alphabet’s Google Fi and others were requested to detail their data retention and privacy policies and practices. Recent enforcement of anti-abortion legislation in many states also raised concern that the police could obtain warrants for customers’ search histories, location and other information that would reveal pregnancy plans. Last month Google responded to this by promising to delete location data showing when users visit an abortion clinic.

The Federal Court of Australia ordered Google to pay 60 million dollars for misleading consumers about the collection and use of personal location data. Google was found guilty of misleading and deceptive conduct, breaching Australian Consumer Law. The conduct arose from representations made about two settings on Android devices – “Location History” and “Web & App Activity”. Some users spotted that the Location History default setting changed from “off” to “on”. Another misleading practice was telling some users that having the Web & App Activity setting turned “on” would not allow Google to obtain, retain or use personal data about the user’s location.

Facebook agreed to settle a lawsuit seeking damages for allowing Cambridge Analytica access to the private data of tens of millions of users, The Guardian reports. Facebook users sued the tech giant in 2018 after it emerged that the British data analytics firm, connected to former US president Donald Trump’s successful 2016 campaign for the White House, gained access to the data of as many as 87 million of the social media network’s subscribers. Reportedly, if owner Meta had lost the case it could have been made to pay hundreds of millions of dollars.  

Reportedly, when you open any link in the TikTok iOS app, it is opened inside the app’s own in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs, (including passwords, credit card information, etc.), and to every tap on the screen, such as which buttons and links you click. The discovery was made by software engineer Felix Krause. You can read more technical analysis of the most popular iOS apps that have their own in-app browser in the original publication.

Finally, the Irish Council for Civil Liberties, (ICCL), started a class action against Oracle in the US for its worldwide surveillance machine. Oracle is an important part of the tracking and data industry. It claims to have amassed detailed dossiers on billions of people, and generates over 42 billion dollars in annual revenue. Oracle’s dossiers may include names, addresses, emails, purchases online and in the real world, physical movements, income, interests and political views, and a detailed account of online activity. For example, one database included a record of a man who used a prepaid debit card to place a 10 euro bet online. Oracle also coordinates a global trade of people’s dossiers through the Oracle Data Marketplace, claims the ICCL. You can view the full complaint here.

The post Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset appeared first on TechGDPR.

Data protection & privacy digest 2 – 15 Aug 2022: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring https://techgdpr.com/blog/data-protection-digest-16082022-commercial-surveillance-sensitive-data-by-comparison-worker-electronic-monitoring/ Tue, 16 Aug 2022 07:48:44 +0000

The post Data protection & privacy digest 2 – 15 Aug 2022: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring, farming data

The CJEU’s recent decision may have a major impact on digital services that use background tracking and profiling to target users with behavioural ads, TechCrunch reports. The EU top court’s decision related to the anticorruption law in Lithuania. It found that the country’s law requiring online disclosure of data contained in the declarations of private interests of directors of institutions receiving public funds, (data concerning the declarant’s spouse, cohabitee, partner, etc.), is contrary to the fundamental rights to privacy and data protection in the EU. The court held that online disclosure of the names of relatives and associates and of their significant financial transactions is not strictly necessary for the objective pursued and may constitute highly sensitive data “by comparison”.

Such disclosure is likely to reveal information on sensitive aspects of the private life of the persons concerned and to make it possible to draw up a particularly detailed portrait of them, including their sex life and sexual orientation, (Art. 9 of the GDPR). Finally, such processing results in this data being freely accessible on the internet to a potentially unlimited number of people. Thus, some privacy law experts suggest that the judgement’s broad definition of what constitutes sensitive data, (involving an act of comparison or deduction), potentially covers a wide range of online processing, including online ads, dating and health apps, location tracking and more, concludes TechCrunch.

In the US, the Federal Trade Commission, (FTC), seeks public comment ahead of a ruling on the prevalence of commercial surveillance and data security practices that harm consumers. The Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies a) collect, aggregate, protect, use, analyse, and retain consumer data, and b) transfer, share, sell, or otherwise monetise that data in ways that are unfair or deceptive. The permissions that consumers give may not always be meaningful or informed. Studies have shown that most people do not generally understand the market for consumer data that operates beyond their monitors and displays, the FTC states. Many privacy notices that acknowledge such risks are reportedly not readable by the average consumer or a minor. In the end, these practices, which nowadays rely heavily on automated systems, may have significant consequences for consumers’ wallets, safety, and mental health.

The EDPS published its opinion on the proposal for a regulation converting the Farm Accountancy Data Network into a Farm Sustainability Data Network (FSDN). The proposal aims to regulate the processing of personal data in the context of the collection of individual farms’ economic, environmental and social data, as well as the further management and use of such data. The EDPS positively notes that, where individual data is shared by the Commission or liaison agencies, the data of the farmers and all other individual details obtained would be anonymised or pseudonymised. However, the EDPS considers that the proposal does not provide a specific reason of public interest justifying the publication of personal data in identifiable form, even if the data were to be pseudonymised prior to publication.

The EDPS therefore recommended specifying that only duly anonymised FSDN data may be made publicly available. That being said, the regulator considered it important to preserve a clear distinction between these concepts, as pseudonymous data can still be related to an identifiable individual and therefore qualifies as personal data. Moreover, the EDPS considered that it is not clear whether the proposal refers only to the exchange of data between the national liaison agencies and the Commission or also extends to the sharing of data with the general public or otherwise making it available for reuse. Finally, the interoperability provisions include the need to identify all the IT tools and linked databases, data protection roles and responsibilities and relevant applicable safeguards. Read the full opinion here.

Meanwhile, Ontario provided updated guidance on new legislation that requires an electronic monitoring policy for workers. “Electronic monitoring” may include GPS systems to track employee movement, sensors to track how quickly an employee performs a task, or tracking the websites an employee visits during working hours. The policy must include:

  • a statement as to whether or not the employer electronically monitors employees;
  • how the employer may electronically monitor employees;
  • the circumstances in which the employer may electronically monitor employees;
  • the purposes for which information obtained through electronic monitoring may be used by the employer; and
  • the date the policy was prepared, and the date any revisions were made.

Any employer that employs 25 or more people in total across all of its locations in Ontario will be required to have a written policy. When determining whether the 25-employee threshold has been met, an employer must count all employees across all of its locations in Ontario, regardless of the number of hours worked by the employees or if they are full or part-time, including probationary employees, employees on layoff, leave of absence or strike and employees who are trainees.

Official guidance: use of cloud, sports associations, dpo, government data, customer research

The Danish data protection authority has published a questionnaire, (in Danish only), following recent inspections of the use of the cloud by public authorities and private companies. The questionnaire covers most of the points that data controllers must be aware of if they use cloud solutions. It is divided into four parts:

  • know your services,
  • know your suppliers,
  • supervision of suppliers,
  • transfer to third countries.

Furthermore, each part is subdivided into two parts: a) the first part concerns the organisation’s general rules, policies, procedures, etc. to enable the organisation to comply with the relevant data protection rules; b) the second part looks at whether the organisation has followed these policies, etc. with regard to the specific cloud service and provider, and if not, how the organisation ensures compliance with the relevant data protection rules. The questionnaire can be downloaded via this link.

The French regulator CNIL offers amateur sports associations a self-assessment tool to test their compliance with the GDPR. The data subjects in this case include member athletes, athletes of an opposing team, paid or volunteer sports educators, referees, etc. The information collected serves very different purposes: maintaining the membership file, organising competitions and tournaments, managing the club’s website, etc. The life cycle of the personal information contained in the files created by sports structures is likely to include 4 stages:

  • collection,
  • sharing and exchange, 
  • reuse, 
  • retention and destruction. (You can access the original questionnaire here).

The Dutch data protection authority recommends adjusting the proposal for an amendment of the Reuse of Government Information Act. The proposal, in which the government encourages government institutions to make government data, including personal data, available for reuse, does not set sufficient limits, raising the risk that personal data is shared without the permission or knowledge of the people involved. According to the proposal, that data must also be searchable by software and can be combined with other data. Personal data in the country’s Trade Register and the Land Registry is already public, and that is already causing problems. By running an algorithm on it and combining the personal data with other sources, companies can, for example, build profiles of people and sell them.

The Latvian privacy regulator published guidance on the mandatory appointment of a data protection officer. In particular, where the economic activity of the company is directly related to the processing of personal data on a large scale, the company is obliged to involve a data protection specialist in the organisation of specific processes, for example:

  • for a company whose main activity is related to the profiling of natural persons with the intention of assessing their creditworthiness;
  • for a security company that uses video surveillance of publicly accessible areas as part of its core service;
  • for a company that performs customer behaviour analysis, (products a customer has viewed, purchased, etc.), in order to send targeted marketing communications;
  • for a person who conducts customer research for the purpose of preventing money laundering;
  • for the maintainer of a mobile app that processes users’ geolocation data;
  • for companies that collect customer data as part of loyalty programmes;
  • for persons who monitor clients’ well-being, physical fitness and health data through wearable devices;
  • for companies that process information obtained from devices connected to the IoT, (smart meters, connected cars, home automation devices, etc.).

Further guidance by the Latvian privacy regulator concerns the prevention of money laundering and the financing of terrorism and arms proliferation. According to the country’s legislation, anyone must conduct customer research before starting a business relationship, as well as while maintaining a business relationship. Taking into account that customer research applies not only to legal entities but also to natural persons, the regulator explains new procedures governing the licensing of shared customer research tools for service providers, as well as the monitoring of their activities. Considering that personal data will be processed in the customer research tool, the privacy regulator has the following rights:

  • re-registration, suspension or cancellation of the service provider’s licence;
  • inspections of the customer research tool service;
  • receiving, free of charge, information and documents from the service provider that are necessary for verifying the tool’s operation or for considering a customer complaint received about its operation;
  • requiring that information erroneously or illegally included in the shared customer research tool be corrected or deleted;
  • requiring the service provider of the customer research tool to review its information systems, facilities and procedures and to appoint an independent expert.

Investigations and enforcement actions: profiling, video surveillance and geolocation, access codes, privacy notice, reused mail box


The Lower Saxony data protection commissioner has imposed a fine of 900,000 euros on a bank for profiling for advertising purposes. The company had evaluated data from active and former customers without their consent. To do this, it analysed digital usage behaviour and the total volume of purchases in app stores, the frequency of use of account statement printers, and the total amount of transfers in online banking compared to the use of branch counters. For this it used a service provider. In addition, the results of the analysis were compared with a credit agency’s data and enriched from there. The aim was to identify customers with an increased inclination for digital media and to prioritise electronic communication channels to contact them. Information was sent to most customers in advance along with other documents. However, such information does not replace the necessary consents. The fine is not yet final.

The Luxembourg data protection authority recently issued a 3000 euro fine to an unnamed company for intrusive use of CCTV cameras and for failing in its obligation to inform its workers and third-party visitors. The company neither justified nor demonstrated how the video surveillance, (installed and operated by subcontractor firms), of the interior of the premises using door cameras was appropriate and necessary to protect the property, (fencing in this case could be a replacement measure), and in particular to prevent burglary. The regulator also considered the psychological pressure that the cameras exerted on employees and third-party visitors, who felt observed at their workstations or meeting tables because of the cameras, which did not indicate whether they were working or not.

In another recent case the Luxembourg regulator fined an unnamed company 1500 euros for performing geolocation on its employees while they used a vehicle to travel to customers. The data controller stated the following purposes of geolocation: “geographical tracking, asset protection, optimal fleet management, optimisation of work processes as well as the provision of responses to customer complaints.” Further investigation found other undisclosed purposes, such as combatting theft, reduction of the number of kilometres driven, justification in the event of a dispute, monitoring and invoicing of services, and finally, monitoring of working time and setting remuneration.

In the regulator’s opinion, the lack of a clear policy, an unidentified legal basis for all the above-mentioned processing, as well as a one-year data retention period, violated the requirements of Art. 5, (lawfulness, fairness and transparency), and Art. 13, (information obligation), of the GDPR. Finally, the employees were unaware that their data could have been transferred to the parent company, situated in a third country.

In Denmark, citizens’ information was exposed to an unnecessary risk, as Lolland Municipality’s employees were able to disable access codes on phones and tablets. The Danish data protection authority issued a fine of approx. 6000 euros. In 2020 an employee of the municipality had a work phone stolen. The phone gave access to the employee’s work email account, which contained information about several citizens’ names, social security numbers, health information and sensitive events. The phone was not protected by a code, as the code had been switched off, so access to its information was unlimited. The municipality stated that over a number of years it had been possible for employees to remove the otherwise mandatory access codes, so that telephones could be used without a code. It had immediately initiated restorative measures in the form of new precautions and changes to the technical set-up of the telephones handed out.

The Romanian data protection authority has fined CDI Transport Intern si Internazionale, (among the largest passenger transport companies in Romania), 7000 euros after a complaint that the company’s website contained no information regarding the method of collecting personal data. It also failed to inform users of the rights they enjoy under Art. 15-22 of the GDPR, and of matters such as the purpose and legal basis of processing, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, and the fact that the operator is obliged to inform data subjects in the event of a breach of personal data security.

Finally, the Spanish data protection authority AEPD punished an online teaching institution to the tune of 3000 euros after a claimant, a newly hired tutor, was given a corporate email box that belonged to the person they were replacing. The organisation stated that the plaintiff had started working as an employee to replace another worker, on sick leave, in the same field and with the same tasks, so that their work was a continuation of those specific teaching and tutoring activities with students, for which it was necessary to know all the background and communications between teacher and pupil. It argued that the data to which the plaintiff could have access was needed for the exercise of their duties. The data in the mailbox included pupils’ personal information, but also tax documentation, banking details, invoices, etc. The new tutor was instructed that she could access and delete folders in the inbox if needed. The regulator decided that basic security measures were not respected in this case.

Data security: email aliases, IoT devices

According to the US cybersecurity journalist Brian Krebs, one way to protect your email inbox is to get into the habit of using unique email aliases when signing up for new accounts online. You can create an endless number of different email addresses linked to the same account by adding a “+” character after the username section of your email address, followed by a notation relevant to the website you’re signing up at. It is said that many threat actors will remove any aliases from their distribution lists because they believe that these consumers are more concerned with security and privacy than other users and are therefore more likely to report spam sent to their aliased addresses. Finally, email aliases are so uncommon that finding just a few email addresses using the same alias in a database breach can make it easy to determine which organisation was probably hacked and which database was released.
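The two uses of plus-aliasing described above, building a per-site alias and then using shared alias tags in a leaked dataset to work out where the leak came from, as an added example in JavaScript. This is not code from the digest or from Krebs; the function names, the fictitious addresses in the sample dump and the two-mailbox threshold are assumptions made for the example.

```javascript
// Added example (not from the TechGDPR digest or Krebs' post): plus-alias
// helpers and a breach-attribution check built on them.

// Build a per-site alias: user@example.com + "Acme Shop" -> user+acmeshop@example.com.
function makeAlias(address, tag) {
  const at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) throw new Error("invalid address");
  const local = address.slice(0, at);
  const domain = address.slice(at + 1);
  // Restrict the tag to characters most sign-up forms accept in the local part.
  const safeTag = tag.toLowerCase().replace(/[^a-z0-9.-]/g, "");
  if (!safeTag) throw new Error("tag must contain at least one alphanumeric character");
  return `${local}+${safeTag}@${domain}`;
}

// Split an address into { base, tag, domain }; tag is null when no "+" alias is present.
// Local parts are lower-cased for grouping, which is a simplification (RFC 5321 allows
// case-sensitive local parts, but mainstream providers treat them case-insensitively).
function parseAlias(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) return null;
  const local = address.slice(0, at);
  const domain = address.slice(at + 1).toLowerCase();
  const plus = local.indexOf("+");
  if (plus === -1) return { base: local.toLowerCase(), tag: null, domain };
  return { base: local.slice(0, plus).toLowerCase(), tag: local.slice(plus + 1).toLowerCase(), domain };
}

// Given addresses from a leaked dataset, count distinct mailboxes per alias tag.
// A tag shared by several unrelated mailboxes points at the site they all signed
// up at, i.e. the probable origin of the leak. Results are sorted, most shared first.
function attributeBreach(addresses, minMailboxes = 2) {
  const mailboxesByTag = new Map();
  for (const addr of addresses) {
    const p = parseAlias(addr);
    if (!p || p.tag === null) continue;
    if (!mailboxesByTag.has(p.tag)) mailboxesByTag.set(p.tag, new Set());
    mailboxesByTag.get(p.tag).add(`${p.base}@${p.domain}`);
  }
  return [...mailboxesByTag.entries()]
    .map(([tag, boxes]) => ({ tag, mailboxes: boxes.size }))
    .filter((e) => e.mailboxes >= minMailboxes)
    .sort((a, b) => b.mailboxes - a.mailboxes);
}

// Constructed sample dump (fictitious addresses, not real breach data).
const SAMPLE_DUMP = [
  "alice+acmeshop@example.com",
  "bob+acmeshop@example.net",
  "carol+AcmeShop@example.org",
  "dave@example.com",
  "erin+newsletter@example.com",
  "alice+acmeshop@example.com", // duplicate row, counted once
];

// Usage: node alias-attribution.js
console.log(makeAlias("user@example.com", "Acme Shop"));
console.log(attributeBreach(SAMPLE_DUMP));
```

The attribution step deliberately counts distinct mailboxes rather than rows, so a dump that repeats one person’s alias many times does not by itself implicate a site; three different people all carrying the `acmeshop` tag is what makes the inference worth following up.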

The US Health Sector Cybersecurity Coordination Center published an advisory note for the healthcare sector on the risks posed by Internet of Things devices. Since these devices can collect data that includes personally identifiable information, it is important to secure these systems. Ultimately, the goal is to protect the entire system, and there are steps that can be taken to help accomplish this: a) securely store, process, and transfer data, b) keep devices safeguarded, c) update devices to reduce vulnerabilities. To minimise risks from IoT devices you need to:

  • Change default router settings: Most people do not rename their router and keep the manufacturer’s default settings. Those settings typically benefit manufacturers more than the user. 
  • Pick a strong password: Make sure to use a secure password for each device. 
  • Avoid using Universal Plug and Play: It makes it easier to network devices without additional configuration. 
  • Keep your software and firmware updated: Firmware keeps you protected with the latest security patches and reduces the chances of cyber-attacks. 
  • Implement a Zero Trust Model: A zero trust model assumes that nothing can be trusted in or outside of the network. Only a limited amount of people require access to certain resources to accomplish their jobs. For this strategy to be effective administrators must determine who the users are and what role they play.  

Big Tech: drivers data, cyberattack on NHS software, Meta’s tracking code

Only 28% of drivers have any idea what data they generate, and what is collected, when they drive, and they may never have heard of the at least 37 companies that are leading a growing vehicle data market, says a report in The Markup. It is a market with vast amounts of personal data all for sale: by whom, for whom, and with what aim? With the growth of third-party vehicle data hubs concentrating data, and the range of data presenting a risk to anonymisation, the report notes a lack of regulation that High Mobility’s CEO and founder Risto Vahtra warns could become a “privacy hell”. The report also criticises car manufacturers for failing to develop clear screen interfaces, like those of mobile phones, for drivers to choose privacy settings, which in some cases are entirely lacking. Legislation tackling this is currently at the committee stage in the US Congress.

UK government agencies along with the National Cyber Security Centre are investigating if patient data was stolen in a severe cyberattack on NHS software supplier Advanced. It was hit by ransomware on August 4th, taking several urgent treatment centres, the 111 phoneline for, among other things, booking a doctor’s appointment, and some mental health facilities offline. The hack could take nearly two weeks to resolve, and updates on the status of the data are awaited, although Advanced says it has “contained” the breach.

When you click on anything you see on Facebook or Instagram, owner Meta has been inserting code into the websites you visit, allowing your navigation to be tracked. That is according to former Google engineer and privacy activist Felix Krause, who has published new research. It is unknown how long Meta has been using the tracking code in its in-app browser. Krause built a tool to see how many extra instructions a browser adds to a website. In most cases none were added, but navigation via Facebook or Instagram added as many as 18 lines of code. This so-called “JavaScript injection” is often classified as a “malicious attack”, but there is no suggestion Meta has used it beyond monitoring all user interactions, like every button and link tapped, text selections, or screenshots.
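The check Krause’s research relies on, whether the page a user sees contains scripts the site’s server never sent, applies equally to the TikTok and Meta in-app browser findings in these digests. As an added example, not Krause’s tool and not code from Meta or TikTok, the following JavaScript compares the `<script>` elements in served HTML with the scripts present in the rendered page. The HTML, the list of live scripts and the base URL are constructed for the example; in a real browser the live list would come from `document.scripts`, as noted in the comments.

```javascript
// Added example (not Krause's tool or Meta's code): diff the <script> elements a
// server sent against the scripts present in the rendered page, so that scripts
// added by the surrounding app's WebView stand out.

// Pull every <script> out of raw HTML as { src } or { inline } entries.
// Script src values are resolved against the page URL so that relative paths in
// the HTML match the absolute URLs the DOM reports.
function extractScripts(html, baseUrl) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    out.push(srcMatch ? { src: new URL(srcMatch[1].trim(), baseUrl).href }
                      : { inline: m[2].replace(/\s+/g, " ").trim() });
  }
  return out;
}

// Stable identity for a script: its absolute URL, or its whitespace-normalised body.
function scriptKey(s, baseUrl) {
  return s.src !== undefined ? `src:${new URL(s.src, baseUrl).href}` : `inline:${s.inline.replace(/\s+/g, " ").trim()}`;
}

// Return the scripts present in the live page that were not in the served HTML.
function findInjectedScripts(servedHtml, liveScripts, baseUrl) {
  const expected = new Set(extractScripts(servedHtml, baseUrl).map((s) => scriptKey(s, baseUrl)));
  return liveScripts.filter((s) => !expected.has(scriptKey(s, baseUrl)));
}

// In a browser, liveScripts would be collected from the DOM after load:
//   Array.from(document.scripts).map(s => s.src ? { src: s.src } : { inline: s.textContent })
// Both sides are constructed here so the example runs offline under Node.
const PAGE_URL = "https://example.com/article";

const SERVED_HTML = `<!doctype html><html><head>
<script src="/static/app.js"></script>
<script>
  window.cfg = { env: "prod" };
</script>
</head><body><p>hello</p></body></html>`;

const LIVE_SCRIPTS = [
  { src: "https://example.com/static/app.js" },
  { inline: 'window.cfg = { env: "prod" };' },
  // Constructed stand-in for a script the host app's WebView added after load.
  { inline: "document.addEventListener('click', function (e) { /* report tap */ });" },
];

// Usage: node injected-scripts.js
console.log(findInjectedScripts(SERVED_HTML, LIVE_SCRIPTS, PAGE_URL));
```

The comparison is by identity of each script, not by line count, so it reports what was added rather than only how much; an inline script that the page itself emits dynamically would also show up here, which is why a real audit pairs this diff with a fetch of the same URL from an ordinary browser as the reference.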


Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts https://techgdpr.com/blog/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt/ Mon, 28 Mar 2022 08:51:48 +0000

The post Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: new EU-US data transfer deal, Digital Markets Act, China’s algorithmic rules

The EU and US have announced a new preliminary data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two previous agreements due to America’s governmental surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US will need to prepare its executive order, and then the EU must complete internal consultation in the Commission and within the EDPB. So far the White House has released a fact sheet on the new deal, which addresses the CJEU ‘Schrems II’ decision concerning US law governing signals intelligence activities:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

Earlier last week, EU privacy experts raised their concerns over the lack of details of the deal. Austrian privacy activist Max Schrems, who started a long-running dispute with Meta/Facebook, (resulting in the invalidation of the EU-US Privacy Shield data transfer framework), stated: “The final text will need more time, once this arrives we will analyze it in-depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it.”  The legal stance over transatlantic data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as Google Analytics, Google Fonts, and Stripe, along with long-standing and multilayered complaints against Meta/Facebook, TechCrunch sums up.

Meanwhile, sweeping new digital rules targeting US tech giants will likely come into force in October, EU antitrust chief Margrethe Vestager said. The rules, proposed a year ago in the Digital Markets Act, set out a list of dos and don’ts for Amazon, Apple, Meta, Google, Microsoft, and others. Fines for violations will reportedly range from 10% of a company’s annual global turnover to 20% for repeat offenders, who could also face an acquisition ban. Companies designated as online gatekeepers, (intermediation services, social networks, search engines, operating systems, advertising services, cloud computing, video-sharing services, web browsers and virtual assistants), which control access to their platforms and the data generated there, will have six months to comply with the new rules.

In China, the provisions on the administration of algorithmic recommendations in Internet information services became effective as of March, the Chinalawupdate blog reports. They apply to the use of any algorithmic technology, including without limitation generation and synthesis, individualised push, sorting and selection, searching and filtering, and scheduling and decision-making, to provide information to users. Among many provisions, they require:

  • algorithmic system and mechanism review, science and technology ethics review,
  • user registration, information release review, data security protection,
  • anti-telecom network fraud, security evaluation, monitoring, and incident emergency plan,
  • informing users about its provision of algorithmic recommendation service, and notifying the public, in an appropriate manner, of the basic principles, the purpose and intention, and the main operation mechanism, 
  • providing users with options that are not customized based on the users’ individual characteristics, or the option to conveniently close the algorithmic recommendation service, etc.

Official guidance: workplace monitoring

The Norwegian data protection authority Datatilsynet has issued workplace monitoring guidance, (in Norwegian). These activities must take into account important data protection criteria such as providing information about the processing to jobseekers and employees, facilitating data subject rights, deleting the information when no longer necessary, and having satisfactory information security and internal control of their data. As one example, automatic forwarding of e-mails is considered continuous monitoring of the employee’s use of electronic equipment and is not allowed. Monitoring of an employee’s use of electronic equipment is prohibited, and can only exceptionally take place if the purpose is to administer the company’s computer network or to detect or resolve security breaches in the network. The guide also contains provisions on background checks during the recruitment process, access to e-mail and other electronically stored materials, and camera surveillance in the workplace.

Data breaches and enforcement actions: online retailer, third party provider, school’s trade union, insurance company

CafePress, an American online retailer of stock and user-customised on-demand products, is to pay half a million dollars for FTC violations, DLA Piper reports. The online platform failed to secure consumers’ sensitive personal data collected through its website and covered up a major breach. The failures included:

  • Storing personal information in clear, readable text.
  • Maintaining lax password policies that allowed, for example, users to select the same word, including common dictionary words, as both the password and user ID.
  • Failing to log sufficient information to adequately assess cybersecurity events.
  • Failing to comply with existing written security policies.
  • Failing to implement patch policies and procedures.
  • Storing personal information indefinitely without a business need to do so, etc.
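As an added illustration (not code from the FTC order or from CafePress), the following Python account store shows the hardened counterpart to the first three failures listed above: a password policy that rejects the user ID and dictionary words, credentials stored only as salted scrypt hashes rather than in clear text, and a structured audit log for every registration and login decision. The dictionary, user names and IP address are constructed sample data.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Constructed stand-in for a real breached-password / dictionary list.
DICTIONARY = {"password", "welcome", "letmein", "summer2019", "cafepress", "admin"}
MIN_LENGTH = 12
# scrypt work factor: 128 * r * n bytes of memory per hash (16 MiB here).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def check_password_policy(user_id: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    folded_pw, folded_id = password.casefold(), user_id.casefold()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if folded_pw == folded_id:
        problems.append("password equals user ID")
    elif len(folded_id) >= 4 and folded_id in folded_pw:
        problems.append("password contains user ID")
    if folded_pw in DICTIONARY:
        problems.append("password is a dictionary word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Derive a salted scrypt hash; only this record is ever stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"alg": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate.hex(), record["hash"])


class AccountStore:
    """In-memory account store: hashes only, plus an append-only log of auth events."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict[str, str]] = {}
        self.audit_log: List[dict] = []

    def _log(self, event: str, user_id: str, outcome: str, **extra) -> None:
        # Enough context (who, what, when, from where, why) to reconstruct an incident later.
        self.audit_log.append({"ts": time.time(), "event": event, "user_id": user_id,
                               "outcome": outcome, **extra})

    def register(self, user_id: str, password: str) -> None:
        problems = check_password_policy(user_id, password)
        if problems:
            self._log("register", user_id, "rejected", reasons=problems)
            raise ValueError("weak password: " + "; ".join(problems))
        self.accounts[user_id] = hash_password(password)
        self._log("register", user_id, "ok")

    def login(self, user_id: str, password: str, src_ip: str) -> bool:
        record = self.accounts.get(user_id)
        # Unknown users fail the same way as wrong passwords; no clear text is ever logged.
        ok = record is not None and verify_password(password, record)
        self._log("login", user_id, "ok" if ok else "failed", src_ip=src_ip)
        return ok


if __name__ == "__main__":
    store = AccountStore()
    try:
        store.register("alice", "alice")  # same word as user ID: rejected
    except ValueError as exc:
        print(exc)
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple", "203.0.113.5"))
    print(store.login("alice", "not the password!", "203.0.113.5"))
    for entry in store.audit_log:
        print(entry)
```

The store keeps the salt and hash per account and nothing else, so a database dump does not hand out reusable credentials; `hmac.compare_digest` avoids leaking timing information during verification, and each log entry records the outcome and source address that an investigator would need to assess an event.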

In 2019, a major data breach exposed millions of email addresses and passwords, addresses, security questions and answers, as well as a smaller number of social security numbers, partial payment card numbers and expiration dates from customer accounts. This information was later discovered for sale on the dark web. The company patched the vulnerability but allegedly failed to properly investigate the breach and notify the affected customers. Read more analysis of the case in the Workplace Privacy Report article.

The US authentication firm Okta has admitted that hundreds of customers may have been impacted by a prolific hacking group’s attack via a third-party provider, Infosecurity Magazine reports. The extortion group Lapsus$ shared screenshots which purportedly showed “superuser” access to an internal Okta desktop in January. The attackers did have access to a third-party support engineer’s laptop for a five-day window. Okta initially said the matter with the sub-contractor had been investigated and contained, the BBC reports. None of Okta’s clients, such as Cloudflare, FedEx or Thanet, have reported any issues.

Cyprus’s data protection commissioner fined the English School 4,000 euros for failure to implement sufficient technical and organisational security measures to prevent a data breach, Data Guidance reports. The investigation concerned the unauthorised access to and use of the email addresses of students’ parents and guardians by the school’s staff union, ESSA. In particular, a school professor who was also the president of ESSA sent an email to all parents/guardians and to the staff for purposes other than those for which the email addresses were originally collected, without the parents/guardians being informed of such use. The regulator ruled that, irrespective of the responsibility of the school professor and ESSA, the English School, as a data controller, did not apply sufficient security measures under Art. 32 of the GDPR. ESSA, as a separate joint controller, was also fined 5,000 euros.

The Icelandic data protection authority ruled in a case about an insurance company’s processing of personal data following a claim for compensation. The complaints concerned the insurance company’s disclosure of the plaintiff’s personal data to an expert who prepared a report on the speed and impact of a traffic incident the plaintiff had been involved in, and the company’s use of that report when assessing the claim for compensation against it. The plaintiff argued that the insurance company was not authorised to direct the further use of the report data and that it did not take care to inform the individuals or obtain their consent. The data protection authority concluded that these processing activities were in accordance with the law, based in particular on a processor contract (Art. 28 of the GDPR). However, since the complainant was not informed about the transfer of the data to the expert and its processing, the regulator found that the company did not comply with its information and transparency obligations (Art. 13 of the GDPR).

Data security: pseudonymisation in the health sector

The European Union Agency for Cybersecurity has published guidance on deploying pseudonymisation techniques in the health sector. From a cybersecurity point of view, the confidentiality, availability and integrity of medical data and the relevant infrastructure are considered essential in order to provide timely, appropriate and uninterrupted medical care. This is also highlighted by the NIS Directive, which categorises the health sector as an operator of essential services and calls for minimum security requirements to ensure a level of security appropriate to the risks presented. Furthermore, the GDPR distinguishes, in Art. 9, data concerning health as a special category of data, and sets out additional requirements and stricter obligations for processing and protecting such data. Lastly, the Medical Devices Regulation imposes requirements regarding the safety, quality and security of medical devices in order to achieve a high common level of safety. Case studies in the report include:

  • exchanging patients’ health data,
  • clinical trials,
  • patient-sourced monitoring of health data.
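As an added example (not from the ENISA report), the Python snippet below shows keyed-hash pseudonymisation, one of the techniques commonly covered in pseudonymisation guidance: a pseudonymisation entity holding a secret HMAC key replaces the patient identifier with a stable token, so a recipient such as a clinical trial can still link a patient’s visits, while a different recipient (or a different key) gets unlinkable tokens and only the key holder can re-identify through its own lookup table. The patient records, the key and the recipient names are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Fields that directly identify a patient and must not reach the recipient.
DIRECT_IDENTIFIERS = ("patient_id", "name", "date_of_birth", "address")

# Constructed sample records: two visits for P-0001, one for P-0002.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"patient_id": "P-0001", "name": "A. Example", "date_of_birth": "1970-01-01",
     "address": "1 Sample St", "visit": "2023-03-01", "diagnosis_code": "I10"},
    {"patient_id": "P-0002", "name": "B. Example", "date_of_birth": "1985-06-15",
     "address": "2 Sample St", "visit": "2023-03-02", "diagnosis_code": "E11"},
    {"patient_id": "P-0001", "name": "A. Example", "date_of_birth": "1970-01-01",
     "address": "1 Sample St", "visit": "2023-04-10", "diagnosis_code": "I10"},
]


class PseudonymisationEntity:
    """Holds the secret key and the re-identification table; recipients get neither."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        # (recipient, pseudonym) -> patient_id; never shipped with the data.
        self._lookup: Dict[Tuple[str, str], str] = {}

    def pseudonym(self, patient_id: str, recipient: str) -> str:
        # HMAC rather than a bare hash: without the key, a guessed patient ID
        # cannot be confirmed by recomputing the hash. Including the recipient
        # in the message gives each recipient its own pseudonym space, so two
        # recipients cannot join their datasets on the token.
        msg = f"{recipient}\x00{patient_id}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: Dict[str, str], recipient: str) -> Dict[str, str]:
        """Strip direct identifiers and attach the recipient-specific token."""
        token = self.pseudonym(record["patient_id"], recipient)
        self._lookup[(recipient, token)] = record["patient_id"]
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = token
        return out

    def reidentify(self, recipient: str, token: str) -> Optional[str]:
        """Only the entity holding the table can go back from token to patient."""
        return self._lookup.get((recipient, token))


def pseudonymise_batch(entity: PseudonymisationEntity, records: List[Dict[str, str]],
                       recipient: str) -> List[Dict[str, str]]:
    return [entity.pseudonymise(r, recipient) for r in records]


if __name__ == "__main__":
    entity = PseudonymisationEntity()
    for row in pseudonymise_batch(entity, SAMPLE_RECORDS, "trial-A"):
        print(row)
```

The design choice worth noting is the separation of roles: the recipient receives records that are still useful for longitudinal analysis, but the key and the lookup table stay with the pseudonymisation entity, which is what makes the output pseudonymous rather than merely relabelled.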

Big Tech: data brokers, smartphone health monitoring, China’s crackdown on Bing algorithms

The legal implications of personal data usage by the data brokerage industry have been analysed by the Guardian. A new lawsuit reportedly involves two companies in this vast network: X-Mode, a data broker, and NybSys, one of X-Mode’s customers. The lawsuit claims that people’s exact location data, rather than a summary or analysis of that information, was sold on through a chain of industry players without X-Mode’s knowledge or permission. Data brokers collect personal data from a variety of sources, including social media, public records and other commercial sources or companies. These firms then sell that raw data, or inferences and analysis based on it, such as a user’s purchase and demographic information, to other companies, like researchers or advertisers.

Google wants to use smartphones to monitor health, saying it would test whether capturing heart sounds and eyeball images could help people identify issues from home, Reuters reports. The company is investigating whether the smartphone’s built-in microphone can detect heartbeats and murmurs when placed over the chest allowing early detection of heart valve disorders, etc. Google also plans to test whether its artificial intelligence software can analyse ultrasound screenings taken by less-skilled technicians, as long as they follow a set pattern.

Microsoft’s Bing, the only major foreign search engine available in China, said a government agency had required it to suspend its auto-suggest function in the country for a week, Reuters reports. It is the second such case for Bing since December, and comes amid an ongoing crackdown on technology platforms and algorithms by Beijing. Since August, China’s top cybersecurity authorities have published draft rules dictating how internet platforms can and cannot make use of algorithms. These came into effect this month.

Weekly digest March 7 – 13, 2022: can employees secretly record workplace conversations? https://techgdpr.com/blog/weekly-digest-14032022-can-employees-secretly-record-workplace-conversations/ Mon, 14 Mar 2022 11:44:10 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: workplace conversations, use of the cloud

The Latvian data protection authority has set out when an employee could secretly record a conversation in the workplace to protect their interests, IAPP News reports. The regulator concluded that employees can secretly audio-record their employer if it is the only way to collect evidence of illegality (eg, mobbing, bossing or illegal activities at the workplace). However, some data protection rules still apply, because a person’s recorded voice constitutes personal data. It suggests:

  • submit recordings as evidence to the State Labour Inspectorate, the police, or a court;
  • avoid publishing them on social networks or otherwise making a voice recording publicly available, including distribution within a team;
  • when audio is handed to law enforcement, the recording cannot be excessive, and unrelated segments must be deleted;
  • the information disclosed in a secret recording must also outweigh the recorded individual’s right to data protection.

The Danish data protection authority Datatilsynet has published guidance on the use of the cloud (available in English). The guide contains 14 practical examples with explanations. It is aimed primarily at organisations (data controllers) that would like to start using one or more cloud services, and attempts to address the relevant elements of data protection law. However, many of the issues it addresses apply equally to most other IT service delivery models. A large number of cloud services are provided as standardised services, where each customer organisation has limited possibilities to tailor the service in question. Parts of the guide are therefore also addressed to cloud service providers (CSPs), who can learn how to provide their services in accordance with data protection law. The main steps for data protection when using cloud services are: a) know your services (data protection and security risk assessments), b) know your supplier (screening, data processing agreements), and c) audit the CSP and its sub-processors.

The guide also covers transfers to third countries. In this context, companies should be aware that if their European CSP, acting as a processor, complies with a request from law enforcement authorities in a third country, this is considered a personal data breach on the part of the controller, since an unauthorised disclosure of personal data to the law enforcement authority concerned will have occurred. This question of an appropriate level of security of processing is, however, limited to cases where the use of the CSP does not otherwise involve any intended transfers of personal data to third countries, including in relation to the provider’s servicing of its infrastructure, the provider’s support for your cloud service, the provider’s access to its infrastructure for capacity planning, etc.

Legal processes and redress: EU sanctions & whistleblowing, employee’s image rights, rules on AI

The European Commission launched a whistleblower tool to facilitate reporting of possible sanctions violations. This is a secure online platform, which whistleblowers from around the world can use to anonymously report EU sanctions violations. This information can relate to:

  • facts concerning sanctions violations, their circumstances, and the individuals, companies, and third countries involved, 
  • facts that are not publicly known but are known to you and can cover past, ongoing, or planned sanctions violations, as well as attempts to circumvent EU sanctions.

The EU has more than 40 sanctions regimes in place and their effectiveness relies on their proper implementation and enforcement regarding:

  • arms embargoes,
  • restrictions on admission (travel bans),
  • asset freezes,
  • other economic measures such as restrictions on imports and exports. 

The Commission is committed to protecting the identity of whistleblowers who take personal risks to report sanctions violations. If it considers that the whistleblower information it received is credible, it will share the anonymized report and any additional information gathered during the internal inquiry into the case with the national competent authorities in the relevant Member State(s). Access to the whistleblower tool is available here

An employee can obtain damages simply because the employer delayed removing, upon request, a group photo including him from the company’s website, an L&EGlobal blog post reports. In its recent decision, the French Court of Cassation ruled that “the mere fact that an employee’s image rights have been infringed when he or she objects to the publication of his or her image gives rise to a right to compensation, without the employee having to prove any prejudice.” Other findings of the case were:

  • every citizen, and every employee, has a right to the protection of his or her image (Art. 9 of the French Civil Code);
  • the employee’s agreement must be obtained before any photo-taking, reproduction or use, whatever the final medium of the image (intranet, company newspaper, internet site, promotional video, etc.);
  • the agreement must be in writing and as precise as possible, indicating the purpose, the medium used and its duration;
  • the employee’s silence does not constitute tacit consent.

The Irish Council for Civil Liberties, the ICCL, informed the European Commission and co-legislators of two errors in the proposal for harmonized rules on Artificial Intelligence in the EU, Data Guidance reports. In particular:

  • A technically inaccurate reference to “validation and testing data sets” accidentally puts most machine learning techniques out of scope (eg, important AI techniques such as unsupervised and reinforcement learning do not rely on validation and testing data sets).
  • The text incorrectly relies on accuracy metrics, which cannot on their own yield adequate reporting about AI systems’ performance (eg, AI systems based on unsupervised learning and reinforcement learning use other performance metrics, not accuracy; one of the performance metrics used in reinforcement learning is reliability).

The two errors are unintended and can easily be corrected. However, failing to correct them will put health, safety and fundamental rights at risk (eg, for cancer diagnosis it is important that the AI system has fewer false negatives than false positives, as false negatives can be fatal while false positives cause inconvenience). The technical errors are available here, and the AI Act proposal is here.
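As an added example (not from the ICCL submission or the AI Act text), the Python code below works through the cancer-diagnosis point with constructed numbers: on a screening population where 50 of 1,000 people are positive, a classifier that flags nobody scores 95% accuracy while missing every case, whereas a classifier that catches 48 of the 50 at the cost of 100 false alarms scores lower accuracy but a far lower false negative rate. The population sizes and the two classifiers’ behaviour are assumptions made for the illustration.

```python
from typing import Dict, List


def confusion_matrix(y_true: List[int], y_pred: List[int]) -> Dict[str, int]:
    """Count true/false positives and negatives for binary labels (1 = disease present)."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for truth, pred in zip(y_true, y_pred):
        if truth and pred:
            counts["tp"] += 1
        elif truth and not pred:
            counts["fn"] += 1
        elif not truth and pred:
            counts["fp"] += 1
        else:
            counts["tn"] += 1
    return counts


def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0


def performance_metrics(y_true: List[int], y_pred: List[int]) -> Dict[str, float]:
    """Accuracy alongside the metrics that expose how the errors are distributed."""
    c = confusion_matrix(y_true, y_pred)
    total = sum(c.values())
    return {
        "accuracy": _ratio(c["tp"] + c["tn"], total),
        "sensitivity": _ratio(c["tp"], c["tp"] + c["fn"]),   # recall: positives caught
        "specificity": _ratio(c["tn"], c["tn"] + c["fp"]),   # healthy people left alone
        "precision": _ratio(c["tp"], c["tp"] + c["fp"]),
        "false_negative_rate": _ratio(c["fn"], c["tp"] + c["fn"]),
    }


def screening_population(size: int = 1000, positives: int = 50) -> List[int]:
    """Constructed ground truth: `positives` people with the disease, the rest healthy."""
    return [1] * positives + [0] * (size - positives)


def flag_nobody(y_true: List[int]) -> List[int]:
    """Degenerate classifier that never raises an alarm; scores well on accuracy alone."""
    return [0] * len(y_true)


def cautious_classifier(y_true: List[int], missed: int = 2, false_alarms: int = 100) -> List[int]:
    """Constructed classifier that misses `missed` positives and raises `false_alarms` on healthy people."""
    preds, missed_so_far, alarms_so_far = [], 0, 0
    for truth in y_true:
        if truth:
            flag = missed_so_far >= missed
            missed_so_far += 0 if flag else 1
        else:
            flag = alarms_so_far < false_alarms
            alarms_so_far += 1 if flag else 0
        preds.append(1 if flag else 0)
    return preds


def compare_classifiers() -> Dict[str, Dict[str, float]]:
    """Metrics for both classifiers on the same constructed population."""
    truth = screening_population()
    return {
        "flag_nobody": performance_metrics(truth, flag_nobody(truth)),
        "cautious": performance_metrics(truth, cautious_classifier(truth)),
    }


if __name__ == "__main__":
    for name, metrics in compare_classifiers().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

Reporting sensitivity and the false negative rate next to accuracy is what makes the difference visible: the first classifier looks better on accuracy and is useless, which is the point the ICCL makes about accuracy metrics on their own.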

Investigations and enforcement actions: ex-employees unauthorized access, Clearview AI ban in Italy, video surveillance footage on social media

The EDPB continues to analyse some important recent data breaches within the EU at the request of national regulators. This week it looked at the ‘Santander Bank Polska’ case, where an administrative fine of 120,000 euros was levied. The controller reported a data breach when it was established that a former employee of the bank, despite the termination of their employment contract, still had unauthorised access to the controller’s profile on the Electronic Services Platform of the Social Insurance Institution, which contained the bank employees’ data. The Polish regulator concluded that a breach of data confidentiality occurred, which involved a high risk to the rights or freedoms of the data subjects. Some findings from the case:

  • The bank posted a message on its internal communication platform, but it was general and did not refer to a specific case.
  • It was addressed only to those employed at the time of notification, which could leave many data subjects unaware.
  • Given the high risk to the rights or freedoms of the data subjects, the controller should have communicated the incident to all of them, that is, to all employees of the bank who were employed during the period when the former employee had unauthorised access to the data on the platform.

Meanwhile, the Italian supervisory authority ‘Garante’ imposed a fine of 20 million euros on Clearview AI Inc for multiple violations of the GDPR. The regulator launched its own proceedings following press reports about the facial recognition products offered by Clearview AI. Moreover, in 2021 ‘Garante’ received complaints and alerts against Clearview from organisations active in the field of protecting privacy and the fundamental rights of individuals. The personal data held by the company, including biometric and geolocation information, was processed unlawfully without an appropriate legal basis. The company also infringed several fundamental principles of the GDPR, such as transparency, purpose limitation and storage limitation.

‘Garante’ imposed a ban on further collection and processing, ordered the erasure of the data, including biometric data, processed by Clearview’s facial recognition system with regard to persons in Italian territory, and ordered the designation of a representative in the EU. It is the strongest enforcement yet from a European privacy regulator, following prohibition decisions by the UK’s ICO and France’s CNIL last year. However, whether Italy will be able to collect the penalty from Clearview, a US-based entity, is one rather salient question, a TechCrunch analysis suggests.

The Croatian supervisory authority AZOP fined a retail chain 90,000 euros for failure to take appropriate technical and organisational measures (TOMs) for the processing of personal data, Data Guidance reports. AZOP received a report of alleged personal data violations at the company, stating that its employees, without authorisation and contrary to internal acts and instructions, recorded video surveillance footage with their mobile devices and published it on social networks and in the media. AZOP found that:

  • the company did not take adequate action to prevent its employees from capturing video surveillance images with their mobile devices;
  • the company took certain organisational measures, such as employee education and the adoption of internal acts, but did not take appropriate technical security measures that could reduce the risk of a similar violation, neither before nor after the incident;
  • the company did not regularly monitor the implementation of TOMs aimed at ensuring the confidentiality, integrity and availability of personal data;
  • the company failed to regularly test, evaluate and assess the effectiveness of TOMs to ensure the security of video surveillance.

Big Tech: TikTok child privacy class action, cybersecurity firms booming, Twitter Tor version

A class-action lawsuit against TikTok originally initiated by a 12-year-old girl has been granted permission to proceed by the UK High Court. At its heart is the claim the Chinese social networking giant processes children’s personal data unlawfully. The suit seeks damages in the name of millions of children, potentially exposing TikTok to billions in fines. TikTok contests the case and insists it has high-security standards across its platform.

With software security expected to be a booming market, more than doubling in value to 350 billion dollars by 2026, Alphabet Inc’s Google has snapped up Mandiant Inc. for 5.4 billion dollars. The cybersecurity firm has become a reference for companies investigating cyberattacks, and Microsoft was also in the running to buy it. Analysts say all the big cloud firms will be looking to buy cybersecurity companies, as cyberattacks have spiked with home working, and the Russia-Ukraine war is also driving the market for security software.

In what has been described as a tectonic shift at Twitter the company is launching a Tor onion version of its site, with the clear aim of ensuring privacy and avoiding censorship. Software engineer Alec Muffett said, “It’s a commitment from the platform to dealing with people who use Tor in an equitable fashion.” The Tor network will now also feature as a supported browser on Twitter. Unlike accessing Twitter via Tor, the new service is designed specifically for it and adds layers of protection.

Weekly digest Feb 28 – Mar 6, 2022: more EU websites to obtain compliant cookie banner https://techgdpr.com/blog/weekly-digest-07032022-more-eu-websites-to-obtain-compliant-cookie-banner/ Mon, 07 Mar 2022 09:51:52 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: compliant cookie banner, CEO liabilities, litigation data, virtual currencies

NOYB privacy foundation has launched the second wave of complaints against deceptive cookie banners, after the campaign first started last spring: “Another 270 draft complaints were sent to website operators whose banners don’t comply with the GDPR”, the statement on their website says. NOYB also offers guidelines for companies on how to comply and only files formal GDPR complaints against those who remain non-compliant after a 60-day grace period. Overall, NOYB claims, the first wave of complaints was successful, with more and more websites implementing compliant cookie banners. NOYB also published screenshots of sites and their improved banners, including Nikon, Domino’s Pizza and Unilever, available for download. In the coming months, NOYB will continue to review, warn and enforce the law on up to 10,000 websites. It will extend its scope to pages that use Consent Management Platforms (CMPs) other than OneTrust, such as TrustArc, Cookiebot, Usercentrics and Quantcast.

A German court recently ruled that a CEO was personally liable for a data privacy breach after they hired a detective to investigate possible criminal acts by the plaintiff, Technologyquotient reports. Under Art. 82 of the GDPR anyone who suffers non-material damage as a result of a GDPR infringement shall have the right to receive compensation for the damage suffered. In the related case the CEO, on behalf of the defendant company, commissioned a detective to investigate possible criminal acts committed by the plaintiff who had submitted a membership inquiry to the company. The detective’s findings revealed that the plaintiff had been involved in criminal acts. When the company’s shareholders were informed of this, they rejected the membership application. The court ruled that:

  • the CEO hiring a detective violated data protection law, and the plaintiff was awarded 5,000 euros in non-material damages;
  • the CEO was personally liable for the data protection violations and the damage claim, alongside the company;
  • it classified the CEO as a data controller, which distinguishes them from an employee who is bound by instructions;
  • since the European Court of Justice has tended to apply a very broad interpretation of a data controller, it seems likely that other courts could follow suit.

Italy’s Ministry of Economics and Finance has published its recent decree on the registration of service providers on Italian soil for virtual currencies and digital wallets, Data Guidance reports. They will have to register in a special section of the currency exchange register run by the Body for the Management of the Lists of Financial Agents and Credit Brokers (‘OAM’). Legal trading will not be possible without registration. Once the decree comes into force the OAM has 90 days to initiate the system, and companies already operating in Italy or online in the country will have a further 60 days to register. Before the OAM processes any personal data its technical and organizational security measures for personal data will need endorsement by the national data protection authority, ’Garante’.

The US Department of Justice has reportedly knocked a Senate-passed cybersecurity bill as having “serious flaws,” criticizing it over a lack of direct reporting to the FBI. The bill, the Strengthening American Cybersecurity Act, unanimously passed in the Senate on Tuesday night. It would require companies in critical sectors to alert the government of potential hacks or ransomware. The legislation would require cyber incidents to be reported to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, though Justice Department officials argue that agencies should also report to the FBI.

Chinese data security laws increasingly create roadblocks for litigants seeking discovery in US courts, Technology Law Dispatch reports. Two Chinese information security laws, the Data Security Law, DSL, and the Personal Information Protection Law, PIPL, are creating difficulties for parties involved in litigation in the US seeking discovery materials stored in China. Both require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority or otherwise face significant penalties such as fines in the millions of dollars. In particular:

  • The DSL broadly applies to “data processing activities” which include collection, use, processing, transmission, disclosure, and data management, and where “data” includes any record of information in electronic or another form.
  • The DSL applies to extraterritorial data processing activities, as well as activities within China that would be detrimental to its national interests. 
  • Similarly, the PIPL applies to the processing of personal information about individuals in China. 

Official guidance: CoC as data transfer tool and for clinical trials data, direct marketing

The EDPB has adopted final Guidelines on Codes of Conduct (CoC) as tools for personal data transfers. Its executive summary says the GDPR requires that controllers and processors put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Art. 46 for framing transfers to third countries by introducing, amongst others, CoC as a new transfer mechanism (Art. 40(3) and Art. 46(2)(e)). Once approved by the competent supervisory authority and granted general validity within the EU by the Commission, a CoC may be used by controllers or processors not subject to the GDPR and located in third countries to provide appropriate safeguards for data transferred to third countries. The guidelines clarify the role of the different actors involved in setting up a code to be used as a tool for transfers, and the adoption process, with flow charts.

Meanwhile, the Spanish data protection authority AEPD published, in Spanish, its first CoC on the processing of personal data in clinical trials, DLA Piper reports. The Code has been published in collaboration with an association that brings together the majority of pharmaceutical companies established in Spain. It is the first sectoral code of conduct approved in Spain since the GDPR came into force, as well as the first code approved in the EU in this field. Thus, while its territorial scope is limited to Spain, it could become a benchmark at EU level. The Code applies to sponsors of clinical trials and contract research organisations that decide to adhere to it, and covers the implementation of the GDPR within the scope of clinical trials, as well as in fulfilling the obligations imposed by pharmacovigilance regulations for the detection and prevention of adverse effects of medicines already on the market. It provides for:

  • the establishment of protocols facilitating the application of the GDPR;
  • details on the codification of the data;
  • the responsibility of each participant in the clinical trial;
  • the establishment of protocols for the collection of information on possible adverse reactions, depending on who makes the notification; and
  • the establishment of a mediation procedure, voluntary and free of charge, which allows for an agile response to possible claims made by interested parties against member entities.

The CoC is available in Spanish on the AEPD website.

The German Data Protection Conference (DSK) published revised guidance, in German, on the processing of personal data for direct marketing purposes, DataGuidance reports. The guidance supplements the information obligations and the conditions for consent, namely:

  • informed consent requires that the type of intended advertising (eg, letter, email, SMS, telephone or fax), the products or services to be advertised, and the advertising companies are named;
  • a separate text or text section without any other content should be used as a rule;
  • if the declaration of consent under data protection law is given together with other declarations, in particular contractual declarations, in writing or in electronic format, it must be presented in a manner that is clearly distinguishable from the other matters (Art. 7(2) of the GDPR);
  • apart from explicit consent under Art. 9, the GDPR does not contain a standard permission for processing special categories of personal data for advertising purposes (it must be examined in each individual case whether conclusions about a person’s health can be drawn from the fact that they are a customer of a certain company in the health sector), etc. You can read the guidance here.

Enforcement actions: former employees’ email accounts, technical and organisational measures, verification of the processor

The Slovakian data protection authority has ruled on two cases where employers failed to deactivate former employees’ email accounts, an Iuslaboris blog post reports. In both cases, one in the private and one in the public sector, the employer was found to be in breach of data protection rules. In the first case:

  • A former manager objected that the employer had not deactivated his email account after the termination of his employment and that it was still active and monitored by another manager within the company. In its defence, the employer relied on legitimate interest (protection of the employer’s property, business contacts, client responses).
  • The regulator stated that legitimate interest can be a suitable legal basis for this kind of processing; however, the processing can only be carried out for a necessary period, and ten months cannot be considered necessary.

In the second case, after the termination of her employment, a former employee of a municipality created a fake email account. She then used this fake account to send a question to the municipality’s email address, in order to find out whether or not her former account had been deactivated. Once she received an answer, and thus had proof of a possible breach of the GDPR, she filed a complaint with the regulator:

  • The municipality claimed that the former employee had failed to hand over her agenda properly (communication with various state authorities, social security agencies, health insurance companies, rental apartment agendas). 
  • The municipality was therefore obliged to monitor this email account to prevent itself from being held liable for potential damages or unlawful conduct.
  • The regulator found an absence of proof of a demonstrable legal basis for the above processing activities.

The Polish data protection authority, UODO, ordered a record-breaking penalty, (approx. 1 mln euros), on “Fortum Marketing and Sales Polska” for failure to implement appropriate technical and organisational measures ensuring the security of personal data, and for failure to verify the processor, who was also fined approx. 50,000 euros. After analyzing the notification of a personal data breach from the company, the supervisory body initiated ex officio administrative proceedings. Here are some facts from the case:

  • The data breach consisted of unauthorised persons copying the data of the administrator’s (i.e. the controller’s) clients.
  • It happened while changes were being introduced to the ICT environment.
  • The change was made by the processor with which the administrator cooperated on the basis of concluded contracts, including contracts for entrusting the processing of personal data.
  • During these changes, an additional customer database was created.
  • This database was copied by unauthorised persons because the server on which it was deployed did not have properly configured security.
  • The administrator learned about the incident not from the processor, but from two independent Internet users.

Moreover, the security functions were not tested in the course of the work carried out. The processor acted inconsistently with commonly known ISO standards, and at the same time against the provisions of its own security policy. The processor also did not comply with the provisions of the contract for entrusting the processing of personal data, in which it had undertaken, inter alia, to implement pseudonymisation of the data, which was to be treated as a mechanism guaranteeing an appropriate level of data security.

Individual rights: health apps data

Privacy International published a ‘long-read’ on how health apps could exploit users’ data: “Digital health apps of all kinds are being used by people to better understand their bodies, their fertility, and to access health information. But there are concerns that the information people both knowingly and unknowingly provide to the app, which can be very personal health information, can be exploited in unexpected ways”. Key findings of the report are:

  • Apps that support women through pregnancy are one example where data privacy concerns are brought sharply into the spotlight.
  • Reproductive health information is highly sensitive, and the implications of services that do not respect that fact can be serious.
  • Apps that take on the responsibility of collecting that data need to take it seriously – but as PI has repeatedly found, many don’t (e.g. regarding the involvement of the DPO, the availability of privacy policies, difficulties with anonymisation of health data, and more).

Big Tech: anti-AI discrimination law, identity proofing systems

Starting from March, China outlaws algorithmic discrimination, Wired reports. Under the new rules, companies will be prohibited from using personal information to offer users different prices for a product or service. The regulations, known as the Internet Information Service Algorithmic Recommendation Management Provisions, were drafted by the Cyberspace Administration of China, a powerful body that enforces cybersecurity, internet censorship, and e-commerce rules. Among other things, they prohibit fake accounts, manipulating traffic numbers, and promoting addictive content. They also provide protections for delivery workers, ride-hail drivers, and other gig workers. Companies that violate the rules could face fines, be barred from enrolling new users, have their business licenses pulled, or see their websites or apps shut down. However, some elements of the new regulations may prove difficult or impossible to enforce (e.g. it can be technically challenging to police the behavior of an algorithm that is continually changing due to new input).

America’s Internal Revenue Service (IRS) says taxpayers will no longer have to provide facial scans to the private identity-proofing system ID.me to create an online account at irs.gov, KrebsOnSecurity reports. All biometric data already held by ID.me will be destroyed, and any collected to create new accounts in the future will be destroyed once the account is operational. ID.me will now offer the option of a live video interview, while the IRS is also rolling out Login.gov, already used by 28 other government agencies. Critics say this federal system provides excellent digital identity security and should be a core government service, but is underfunded and under-resourced.

The post Weekly digest Feb 28 – Mar 6, 2022: more EU websites to obtain compliant cookie banner appeared first on TechGDPR.

Weekly digest January 3 – 9, 2022: CNIL fines Google and Facebook for making rejecting cookies difficult https://techgdpr.com/blog/weekly-digest-10012022-cnil-fines-google-facebook-for-making-rejecting-cookies-difficult/ Mon, 10 Jan 2022 09:54:54 +0000 https://s8.tgin.eu/?p=5405

TechGDPR’s review of international data-related stories from press and analytical reports.

Enforcement actions: Google, Facebook, FreeMobile, Myheritage, credit assessment by mistake, access rights misconduct

France’s data protection regulator, the CNIL, has fined Alphabet’s Google a record 150 mln euros for making it difficult for users to refuse online trackers known as cookies. Meta’s Facebook was also fined 60 mln euros for the same reason. The CNIL noted that the facebook.com, google.fr and youtube.com sites do not allow users to refuse cookies as simply as they can accept them: they offer a button allowing cookies to be accepted immediately, whereas refusing them takes several clicks. Since a user on the internet expects to be able to consult a site quickly, not being able to refuse cookies as simply as accepting them can influence them to give consent. The two companies have three months to comply with the CNIL’s orders or face an extra penalty payment of 100,000 euros per day of delay. The orders include the obligation for Google and Facebook to provide French internet users with simpler tools for refusing cookies.

The CNIL also imposed a fine of 300,000 euros on Free Mobile (a wireless service provider) for failing to respect individuals’ rights and to ensure the security of users’ data. The CNIL has received many complaints concerning the difficulties encountered by individuals in a) getting responses to their requests for access, b) objecting to receiving commercial prospecting messages, or c) being billed after subscriptions had been cancelled. Also, the mobile operator transmitted users’ passwords by email, in clear text, when they subscribed to an offer, without these passwords being temporary or the company requiring them to be changed. All of the above infringes Articles 12, 15, 21, 25 and 32 of the GDPR.

The Norwegian data protection authority has fined Elektro & Automasjon Systemer (EAS) 20,000 euros for carrying out an individual’s credit assessment without a legal basis (Art. 6 of the GDPR). The data subject in this case had no customer relationship or other connection to EAS’s business. EAS admitted that the credit check took place by accident, due to the general manager’s lack of understanding of a credit assessment tool, DataGuidance reports. Although EAS did not store the credit information, the damage occurred the moment the sensitive data was collected and processed. A credit rating is the result of compiling personal information from many different sources: the individual’s personal finances, payment remarks, voluntary mortgages and debt ratio. The aggravating factors were a lack of technical and organisational measures, and of internal controls and guidelines for when and how a credit assessment can be carried out.

The Spanish data protection regulator, the AEPD, published a couple of similar decisions (in Spanish) against deficiencies regarding cookie and privacy policies, including:

  • against the owner of a website which did not provide users with a cookie banner on the main page that allowed an immediate “Reject all” option. It also lacked clear information on user tracking through registration forms, questionnaires and the comments section, as well as through embedded content from other sites. Also, the privacy policy wrongly identified the data controller.
  • against Myheritage LTD for similar deficiencies regarding the cookie policy on its Spanish website: the use of non-necessary cookies, no possibility of rejecting them, and a lack of information on the cookies used. Additionally, the AEPD found that MyHeritage omitted two pieces of information from its privacy policy – the possibility of exercising the right to data portability and the right to file a claim with the supervisory authority, DataGuidance reports.

The AEPD also issued a warning to a company for non-compliance with individuals’ rights to access their data and to receive a legally established reply. Under the threat of a fine, the company was required to complete the process and notify the claimant whether the request was approved or denied, or indicate the reasons for which the request was not applicable.

Official guidance: employees access rights, data breach notification, real-world data in clinical study

The French CNIL published its guide (in French) on the right of employees to access their data. It allows a person to know whether data concerning them is being processed and then to obtain the information in an understandable format. This may include the purposes pursued by the use of the data, the categories of data processed, and the other bodies receiving the data. This process also makes it possible to check the accuracy of the data and, if necessary, to have it corrected or erased. The rules for the procedure always include:

  • verifying the identity of the applicant (the demand for supporting documents or information must not be abusive, irrelevant or disproportionate to the request);
  • responding to the request free of charge;
  • the right of access relates to personal data and not to documents; however, in the case of email, combining both is possible – the metadata (time stamp, recipients, etc.) and the content of the email;
  • the right of access must not infringe the rights of third parties (business and intellectual property secrecy, the right to privacy and the secrecy of correspondence are regularly invoked by employers to refuse to respond favorably to employees);
  • the anonymisation or pseudonymisation of data relating to third parties constitutes good practice;
  • different rules exist to protect third-party interests depending on the role of the person making the request (whether they are the sender or receiver of the information, or are mentioned in the content of the document).

Emails identified as personal, or whose content turns out to be private despite the absence of any indication of personal character, are subject to special protection, and the employer is not authorized to access them. Also, an employer may refuse to act on a request for the communication of emails relating to a disciplinary investigation whose content, even redacted, could allow the requester to identify persons of whom they should not be aware.

The EDPB published practice-oriented guidelines with examples regarding personal data breach notification. Their aim is to help data controllers decide how to handle data breaches and what factors to consider during risk assessment, and to suggest organisational and technical measures for preventing and mitigating the impacts of hacker attacks. The document complements the Article 29 Working Party Guidelines and reflects the common experiences of the supervisory authorities across the EEA since the GDPR became applicable. The paper includes 18 case studies from sectors such as hospitals, banking and HR:

  • ransomware (with or without proper backup, with or without exfiltration), and data exfiltration attacks (job application data, hashed passwords, credential stuffing);
  • internal human risks (by employees, trusted third parties);
  • lost or stolen devices (encrypted or unencrypted) and paper documents;
  • mailing mistakes and social engineering (identity theft, mail exfiltration).

The UK Medicines and Healthcare products Regulatory Agency (MHRA) has published its guidance on the use of real-world data (RWD) in clinical studies. RWD is the vast amount of data collected on patients in electronic health records, disease and patient registries, wearable devices and specialised/secure websites, as opposed to data specifically collected in a clinical study. Among many quality provisions, the guide demands that the sponsor (data controller) include a protocol in the study describing the tools and methods for the selection, extraction, transfer and handling of data, and how it has been or will be validated. It is essential that processes are established to ensure the integrity of the data from acquisition through to archiving, and that sufficient detail is captured to allow these activities to be verified, including across different centers and countries. Thus, it is important to establish which privacy and security policies apply to the use of the database, interoperability issues, restrictions on the transfer, storage, use, publication and retention of the data, etc. Identical processes would need to be in place for any additional data collected outside of the main source database.

Legal processes and redress: pilot consent e-service, genetic information privacy, medical records snooping incident

The Estonian Information System Authority, the RIA, announced its new consent service that allows companies to ask the state for an individual’s data. The e-service, developed and managed by the RIA, allows a person to give permission to the Estonian State to share their personal data with a certain service provider. It is first being used in the installment application process: if a person gives their consent in the consent service environment, the bank will check the person’s solvency against the database of the Tax and Customs Board, on the basis of which a data-based decision to allow the person to pay in installments can be made. It will be possible to see all given consents and revoke them at any time. The consent service is currently available to Estonian citizens and requires a valid strong authentication tool (ID-card, Mobile-ID, or Smart-ID).

In California, the Genetic Information Privacy Act takes effect in January, DataGuidance reports. The Act applies to direct-to-consumer genetic testing companies and requires such companies, among many other things, to comply with a consumer’s revocation of consent, to take reasonable measures to ensure that the information cannot be associated with a consumer or household, and to publicly commit to maintaining and using the information only in de-identified form and not to attempt to re-identify it, except for compliance checks required by law. A company must also contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household, etc.

The Norwegian Supreme Court recently gave a hospital the right to dismiss an employee who had “snooped” on the medical record of her partner’s ex-wife, a patient in the same hospital, the Lexology website reports. The employee read several documents in the ex-wife’s medical record to avoid meeting her and to find out in which ward she was staying. Before the employer became aware of the snooping incident, the ex-wife already knew that the employee had looked at her medical record, as the employee had sent her a text message, which resulted in a heated exchange. The court concluded that the snooping was a serious and gross breach of duty and trust, and that there were means other than accessing medical records to obtain such information.

The court assesses, among other things, whether the employer had based its decision on information that it was aware of at the time of dismissal. In the case at hand, the employer had not referred in its reasoning to the text messages or to the fact that the employee had failed to notify the employer of the unauthorized access to medical files. The court held that both were a natural extension of the violation of the snooping ban. The hospital was therefore still allowed to rely on this information, even though it did not include it in its reasoning immediately after the employee’s dismissal.

Data security: healthtech vendors

In the US, tech vendor Ciox Health recently reported an email breach that affects dozens of health entities. In its notice, the healthcare information management vendor said an unauthorized person accessed one employee’s email account, potentially downloading emails and attachments containing all sorts of patient data. However, the employee did not have direct access to any healthcare provider’s or facility’s electronic medical record system. In total, the HIPAA Breach Reporting Tool showed about 700 major health data breaches affecting 45 mln individuals in 2021. Vendor incidents were responsible for nearly 47% of the individuals affected. Among the most critical measures that tech healthcare providers could implement are comprehensive business associate agreements, say US legal experts. The attestation questions in them may include, but are not limited to:

  • Does your organization require annual training for workforce members?
  • Do you undergo an annual risk analysis to evaluate the requisite technical, administrative, and physical safeguards?
  • Do you have business associate agreements in place with all required persons?
  • Is your data encrypted both at rest and in transit?

Also, covered entities should continually monitor industry trends, reassess their business associate/vendor relationships, and keep their board informed about any potential risks.

Big Tech: no-cookie data transfer, Norton 360 cryptominer, China’s credit scoring and overseas listings, Fisher-Price toy’s privacy failure

Google’s new patent describes how its technology enables data transfer without cookies, the MediaPost website reports. The US Patent and Trademark Office granted Google a patent describing a web-browser-based application programming interface that can control the authorization of data transmissions within a network and attribute a click without using cookies. The system can reduce the number of transmissions that do not result in content for the client device, saving bandwidth and computational resources for the client device. A website can transmit small packets of data to the client device when it visits the website; these can include preferences or session information, or can be used to authenticate and maintain a session between the client device and the device hosting the website, according to the patent. The full patent document is available here.

According to the KrebsOnSecurity blog, Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers: “Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove”. Reportedly, there is no way to fully opt out of the program, and the user actually has to dig into NCrypt.exe in their computer’s directory to delete it. Meanwhile, some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

China’s central bank said it will adjust the legal framework around financial credit scoring if needed, state media reported, an indication that authorities may tweak guidelines for fintech firms on the amount and type of user data they can collect. The People’s Bank of China has just implemented new rules around what kinds of data can be collected for credit scoring and clarified what kinds of businesses the rules apply to. It also urged companies to apply for credit scoring licenses and to refrain from excessive collection of user data. AI, blockchain, cloud computing and big data have developed rapidly over recent years in China, prompting governmental concerns about how private individuals could be affected by the technology, Reuters reports.

China will also order cybersecurity reviews for platform firms seeking overseas listings. The Cyberspace Administration of China said the new rules come into effect on Feb. 15 and apply to platform companies with data on more than 1 million users. However, based on the rules, it remains unclear which types of companies would be affected. The regulator would also implement new rules on March 1 on the use of algorithm recommendation technology to increase oversight of news providers that use the technology to disseminate information. The rules will give users the right to switch off the service if they choose. 

Finally, researchers identified a vulnerability in a children’s Bluetooth-connected phone, IAPP News reports. Security researchers at Pen Test Partners found that the Fisher-Price Chatter telephone uses Bluetooth Classic with no secure pairing process. When powered on, it simply connects to any Bluetooth device in range. Thus, someone nearby could use the Chatter telephone to speak to and listen to a child in your home, or to bug the neighbors. An attacker can make the Chatter phone ring, so an unsupervised child is likely to answer. While developer Mattel said the Bluetooth pairing times out once a connection occurs or if none is made, TechCrunch claims its attempts found that the pairing process did not time out after more than one hour.

Weekly digest Dec 27 – Jan 2, 2022: Intelligent transport, Oracle and Salesforce court victory, the death of Blackberry, fan tokens https://techgdpr.com/blog/weekly-digest-03012022-eu-intelligent-transport-oracle-salesforce-court-victory-the-death-of-blackberry-fan-token/ Mon, 03 Jan 2022 10:13:42 +0000 https://s8.tgin.eu/?p=5394

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU Intelligent transport, Oracle and Salesforce court victory, discriminating AI in DC, privacy in Ukraine

The European Commission revised its Intelligent Transport Systems (ITS) Directive to advance smart mobility. The aim is to stimulate the faster deployment of new, intelligent services, by proposing that certain crucial road, travel and traffic data is made available in digital format. ITS applies information and communication technologies such as journey planners, eCall, and automated driving in transport. Since 2010, the ITS Directive has been the tool to ensure the coordinated deployment of such systems across the EU, based on European specifications and standards. The revision includes:

  • an extension in the Directive’s scope to multimodal information (apps to find and book journeys that combine public transport, shared car, or bike services),
  • communication between vehicles and infrastructure to increase safety and mobility,
  • the collection of crucial data and the provision of essential services such as real-time information services informing the driver about accidents or obstacles on the road,
  • updated obligations under the GDPR, and in consultation with the EDPS, on the security of personal data and the need for controllers to comply with their obligations,
  • using anonymisation as one of the techniques for enhancing individuals’ privacy. Read the full text of the proposal here, and the Annex here.

A court in the Netherlands says a billion-euro claim against Oracle and Salesforce is not admissible. The Privacy Collective (TPC) foundation filed a lawsuit against the two tech giants in 2020 for violations of the GDPR. The two US-based companies reportedly collected data from at least 10 million Dutch internet users for advertising purposes, and created a personal profile of each web surfer that they could trade. TPC claimed 500 and 600 euros per victim from Salesforce and Oracle respectively. The latter is also said to have leaked data. On the internet, TPC appealed to the public in a case under the Mass Damages in Collective Action Settlement Act. By clicking on an icon with the text ‘support with 1 click’, internet users were able to support the claim. The initiative received 75,000 statements.

According to the court, however, it is not possible to determine with these ‘likes’ whether the foundation really stands up for enough injured parties. No contact details are registered for the internet users who ‘clicked’. In addition, TPC is unable to maintain contact with its supporters, which is an important condition of the law. TPC is considering an appeal.

The use of artificial intelligence to determine access to credit and other important life opportunities has been targeted by the District of Columbia, Venable LLP reports. DC’s Attorney General has introduced the “Stop Discrimination by Algorithms Act of 2021”, which may be considered through January 1, 2023. The proposed legislation adds civil rights protections to protect communities from alleged harm caused by algorithmic bias by:

  • prohibiting using algorithms that produce biased and unfair results;
  • performing annual audits, reporting the results and needed corrective steps;
  • documenting how their algorithms are built, how the algorithms make determinations, and how all of the determinations are made;
  • disclosing to all consumers about their use of algorithms to reach decisions, what personal information they collect, and how their algorithms use it to reach decisions;
  • adverse action (if businesses make an unfavorable decision based on an algorithm, they must provide a more in-depth explanation);
  • dispute and corrections opportunity to prevent negative decisions based on inaccurate personal information.

The bill would apply to individuals, legal entities, service providers that make or rely on algorithmic eligibility determinations or algorithmic information availability determinations. Read more about the coverage, key definitions and the enforcement of the Algorithms Act in the original publication.

In 2021, almost 4,000 people applied to the Ukrainian Parliament’s Commissioner for Human Rights to protect their right to privacy, twice as many as the year before. Individuals (mostly legal professionals, representatives of human rights and public organisations, people with disabilities, etc.) asked for the protection of their personal data in connection with:

  • activities of debt collection companies and macrofinancial institutions, and
  • publication of personal data in messengers, social networks and on the official websites of public authorities and local governments.

During the implementation of measures to collect overdue debt, collectors resort to insults and psychological pressure not only against debtors, but also against members of their families, friends or acquaintances. For that reason, a law on consumer protection in the settlement of overdue debts came into force last year. At the same time, the draft law “On Personal Data Protection” and the draft law “On the National Commission for Personal Data Protection and Access to Public Information” were registered in the Ukrainian Parliament. The legislators aim to adopt both drafts within the next few months so as to launch the data privacy reform by 2023 as part of integration into the EU Digital Single Market, implementation of the EU-Ukraine Association Agreement, and the wider government digital agenda.

Official guidance: China’s automotive sector, employment data and asylum seekers fingerprints in the EU

China’s latest data protection implementation rules include new data guidance for the automotive industry, analysed by Paul Hastings LLP. They are one of the first sets of industry-focused implementation rules under the new Data Security Law and the Personal Information Protection Law. The auto industry provisions elaborate on:

  • Automotive Data, which includes personal information data and important data involved in the process of automobile design, production, sales, maintenance, etc.
  • Automotive Data Processors – manufacturers, components and parts suppliers, software suppliers, dealers, maintenance organizations, and mobility service companies, ride-hailing and sharing services.
  • Personal Information and sensitive personal information (e.g. vehicle trajectory, driving habits, audio, video, images, biometric identification).
  • Important Data (e.g. geographical information, vehicle flow, personal information involving more than 100,000 subjects).

Key Principles in automotive data processing are:

  • all automotive data must be processed inside vehicles unless it is absolutely necessary to send it out;
  • unless a driver makes a specific selection otherwise, the default setting should be non-collection each time the driver drives the vehicle;
  • the coverage and resolution of cameras and radars, among others, should be determined according to the requirements for data accuracy of the functions and services provided;
  • principle of desensitization (data processors are required to apply anonymization and de-identification during processing, if possible).

The Gibraltar data protection authority published fresh guidance on data protection in the employment context (in English). The document provides a general guide to the legitimate expectations of employees with regard to the processing of their personal data by employers, as well as the legitimate interest of employers in deciding how best, within the boundaries of data protection law, to run their organisations:

  • The employer’s obligations of accountability and implementation of appropriate security measures to protect employee personal data.
  • Recruitment and selection recommendations in relation to personal data in areas such as ‘advertising and applications’, ‘interview notes’, ‘vetting’ and ‘retention’.
  • Employment records and the responsibility of the employer to appropriately notify employees of the personal data processing activities.
  • Monitoring in the workplace.
  • Remote working and the risks presented regarding the security of personal data.
  • A compatible administrative infrastructure that allows adequate data protection.

Asylum seekers and migrants arrested at the EU’s external borders are required to give their fingerprints. This data is kept in the Eurodac file. The EU Agency for Fundamental Rights has published, in collaboration with multiple data protection authorities, a guide intended to better inform people about the use made of their fingerprints (now available in all EU languages). EU law requires that the following information be given:

  • that giving fingerprints is an obligation,
  • that ten digital fingerprints, the gender, the fingerprinting country, and the place and date of the asylum application (if applicable) are stored, and no other personal data,
  • that, where the authorities collect more personal data, such as name or age, migrants should be informed about the importance of providing accurate data,
  • that the fingerprints are kept for 10 years (if an asylum seeker) or for 18 months (if an irregular migrant), after which the data is automatically deleted,
  • that only competent asylum and immigration authorities can access the data,
  • that the police and Europol can access the data under strict conditions,
  • why fingerprints are collected and what the person’s rights are.

The information given must be concise, transparent, comprehensible and in an easily accessible format, written in clear and plain language, adapting to the needs of vulnerable persons, such as children. Where necessary the information should be provided orally in a language that the person understands. Also, a copy of the personal data collected is provided. This helps to exercise the right to access and the right to delete and correct the data.

Data breaches, investigations and enforcement actions: Slimpay, JP Morgan Securities, BBVA

French regulator CNIL sanctioned Slimpay with a fine of 180,000 euros for having insufficiently protected users’ personal data and not having informed them of a data breach. Slimpay offers recurring payment solutions to its customers. During 2015, it carried out an internal research project, during which it used the personal data contained in its databases. When the research project ended in 2016, the data remained stored on a server, without special security measures and was freely accessible from the Internet. It was not until 2020 that Slimpay became aware of the data breach, which affected approximately 12 mln people. Persons affected by the data breach are located in several countries of the EU, so cooperation was needed between the supervisory authorities of four countries – Germany, Spain, Italy and the Netherlands.

The US Securities and Exchange Commission, (SEC), announced that JP Morgan Securities agreed to pay 125 mln dollars to resolve charges that it failed to safeguard written communications of its employees. Its employees, including supervisors and managing directors, regularly used non-company messaging tools such as Facebook’s WhatsApp, text messages and personal email accounts to discuss company business. The company admitted that none of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. The fine is the largest the SEC has ever leveled against a firm for record-keeping violations, beating the previous record of 15 mln, imposed on Morgan Stanley in 2006.

The Spanish data protection authority, the AEPD, fined Banco Bilbao Vizcaya Argentaria, (BBVA), 60,000 euros for insufficient legal basis for data processing. The claimant was receiving constant messages on his mobile phone from BBVA about defaults, appointments, etc. The claimant demanded deletion of the number, however it was not spotted in the client database. The investigation found that the text messages were an error on the part of the team in charge of carrying out functional tests of the tool designed to send notifications from the Bank to its clients. The team believed wrongly that said number did not exist or was not operational and therefore no one was going to receive such fictitious notices.

Audits: Oxford Health NHS Foundation Trust

The UK Information Commissioner’s Office published the Oxford Health NHS Foundation Trust data protection audit report. A major NHS health trust provides physical & mental health and social care for people of all ages in the UK. Its services are delivered at community centres, hospitals, clinics and people’s homes. With an overall reasonable assurance level, the executive summary proposes some areas of improvement:

  • The Trust’s Records of Processing Activity requires upgrading. The evidence provided was more of a data flow map and therefore is not fully in line with the requirements of Art. 30 of the UK GDPR. The requirements include having a record of the name and contact details of the data controller, description of the categories of individuals and recipients of personal data, retention schedules and a description of the technological and organisational security measures in place.
  • The Trust has a Data Protection Officer in place who also holds other positions and responsibilities. The Trust needs to consider if these additional roles and responsibilities pose a conflict of interests or a demand on their time, which could impact on their duties as DPO. 
  • There is no Information Sharing Agreement (ISA) log to record vital information pertaining to current ISAs.
  • There is a lack of specialised training for staff with data sharing roles and those that deal with children’s data.  
  • There is no dedicated Information Sharing policy or procedure to provide guidance on ad hoc disclosures as well as the assurances that all ISAs include effective incident management procedures.

Big Tech: China’s low-carbon data clusters, Arsenal fan tokens, the death of Blackberry, racial bias on Airbnb, Zoom latest acquisition

China has approved plans to build four mega clusters of data centres in the country’s north and west with the aim of supporting the data needs of Beijing and major coastal cities. The move comes as energy-hungry data centres located in China’s east have found it difficult to expand due to limits imposed by local governments on electricity consumption. The four new locations can use their energy and environmental advantages (wind and solar). However, their distant locations have meant the centres have struggled to provide the near-instantaneous retrieval demanded by coastal clients with little tolerance for delays. Meanwhile, a new marine economy development plan encouraged major coastal cities such as Guangzhou, Shenzhen and Zhuhai to relocate high energy-consuming data centres to underwater locations to save energy used for cooling.

Britain’s advertising watchdog, the ASA, warned Arsenal FC on Wednesday over ads for its “fan tokens,” a type of cryptocurrency embraced by soccer clubs as coronavirus pummelled their revenues. ASA said ads posted on Arsenal’s website and on Facebook were misleading as they did not make clear the risk of trading crypto, potential tax implications or that the tokens are not regulated in the UK: “The tokens, which can be traded on exchanges like other cryptocurrencies, are prone to wild swings in price and often have little connection to on-field performance.” Fan tokens allow supporters of soccer and other sports clubs to vote on minor decisions such as songs played at matches after a goal is scored, or images used on social media. Arsenal believes that fan tokens were designed to boost participation by supporters, and were “materially different” to other cryptocurrencies used as a means of payment. More than 40 clubs from Europe to South America have launched fan tokens. The largest one, launched by Paris Saint-Germain, reportedly has a total value of 49 mln dollars, versus bitcoin’s 929 bln.

Legacy BlackBerry devices lose text, call, and data functionality on January 4th, the Verge reports. Whether on Wi-Fi or cellular, there’ll be no guarantee you can make phone calls, send text messages, use data, establish an SMS connection, or even call 911. The company has experienced a slow decline since its dominant era in the late 2000s, when its QWERTY keyboards and reputation for security gave it a 50% market share in the US, but its parent company has pivoted to selling cybersecurity software.

Airbnb announced that it’s changing the way guest profiles are displayed in its app, for Oregon residents only, the Verge reports. Airbnb hosts who are based in Oregon will now see a potential guest’s initials, rather than their full name, until after they’ve confirmed the booking request. The change aims to prevent racial discrimination among hosts, by stopping them from gleaning a guest’s race from their name. The announcement follows a voluntary settlement agreement that Airbnb reached in 2019 with three Portland-area women. A 2016 study also found that Airbnb guests with names that sounded Black were 16% less likely to have bookings confirmed than guests with names that sounded white.

Zoom gets bigger on virtual events with its latest acquisition, the CNET website reports. The videoconferencing company announced the acquisition of event solutions assets from Liminal. Due to the pandemic, events have increasingly gone online, demanding more from video teleconferencing apps like Zoom. Those apps have needed to expand the features of their products or rely on third-party services like the ones Liminal provided. Liminal offered apps like ZoomISO and ZoomOSC individual video outputs and enhanced sound controls. Liminal’s products will remain available through its site. However, as Zoom expands on those tools and builds something similar into the platform, there will no longer be a need for them as separate add-ons.

The post Weekly digest Dec 27 – Jan 2, 2022: Intelligent transport, Oracle and Salesforce court victory, the death of Blackberry, fan tokens appeared first on TechGDPR.

Weekly digest December 20 – 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords
https://techgdpr.com/blog/weekly-digest-27122021-facebook-data-transfer-ttdsg-contactless-payments-tech-buzzwords/ (Mon, 27 Dec 2021 12:13:55 +0000)

The post Weekly digest December 20 – 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: Facebook data transfer hustle, Amazon fine halted, adequacy for South Korea

Despite the CJEU twice declaring that the US does not offer sufficient protection for Europeans’ data from American national security agencies, Facebook, (Meta)’s lawyers continue to disagree, according to internal documents seen by the POLITICO EU newspaper. In July 2020, the CJEU struck down a US-EU data transfer framework, the Privacy Shield, but upheld the legality of another safeguard instrument used to export data out of the EU – Standard Contractual Clauses (SCCs). 

Facebook’s lawyers argue that the EU court ruling relates only to the Privacy Shield data pact, (Art. 45 of the GDPR), and not the SCCs, (Art. 46 of the GDPR), the instrument Facebook uses to transfer data to the US. The company also says that changes to US law and practices since the 2020 ruling should be taken into account, namely the US Federal Trade Commission, “carrying out its role as a data protection agency with unprecedented force and vigour.” Finally, the platform’s lawyers note that the 234,998 data requests it received from US authorities in 2020 represent a “tiny fraction” of the total number of users, which Facebook estimates at around 3.3 bln. 

At the same time, Austrian activist and lawyer Maximilian Schrems, who in 2013 started the legal battle against Facebook, states that since the 2020 CJEU judgment the platform has not taken any steps to limit its data transfers. “Instead, it produced an 86-page “Transfer Impact Assessment” under the newly introduced SCCs, coming to the surprising result that the CJEU judgment would not apply to Facebook and transfers could continue as they are”. Reportedly Facebook’s self-assessment document concluded that relevant US law and practice provided protection of personal data that was essentially equivalent to the level of protection required by EU law.

Also last week:

Luxembourg’s legal judgment halts Amazon’s enormous daily GDPR fine. The Administrative Court suspended a 746,000 euro fine the US retailer had to pay each day over suspected data privacy breaches. The court ruled that the data protection regulator’s instructions on how to correct the breaches were too vague. In July the Luxembourg data protection commissioner, where Amazon’s European headquarters is based, hit the company with a record fine after deciding that its processing of customers’ personal data for targeted advertising purposes did not comply with the GDPR. Amazon argued the ruling lacked merit and would be appealed. As of today, hearings between the two parties are still ongoing.

The European Commission has adopted South Korea’s GDPR-governed adequacy ruling. The agreement allows for the free flow of personal data between the EU and the Republic of Korea, without further authorization or additional transfer tools. The decision also covers transfers of personal data between public authorities. The agreement stands on the adequate protections afforded to individuals in the EU under Korean law when their data is transferred to the Republic of Korea, including additional transparency and onward data transfer requirements agreed by both parties. These rules are now binding and enforceable by the South Korean data protection authority, PIPC, and the court system, Hunton Andrews Kurth LLP reports. Read the full South Korea adequacy decision here, as well as the latest Q&As on the EU adequacy mechanism.

Official guidance: TTDSG, card-based payments, COVID status checks

The German Data Protection Conference published their guidance, (in German), on the Telecommunications and Telemedia Act (TTDSG), which entered into force on 1 December. The document, (open for public consultation), offers operators of websites, apps, and smart home applications assistance in implementing the new provisions. The same guide also informs citizens of the key changes in the legal framework, and further clarifies the interplay between the TTDSG, the GDPR and the ePrivacy Directive, namely:

  • The TTDSG goes beyond the scope of the GDPR and establishes a consent requirement for storing information on, or accessing information from, users’ terminal equipment, regardless of whether the information relates to a person. 
  • User consent for cookies, (and similar technologies), can be bundled with the consent for subsequent data processing/transfers, if sufficiently transparent. 
  • The TTDSG establishes strict requirements for valid consent, including a “reject all” option (with some possible exceptions under anti-fraud/IT security requirements).
  • The aforementioned requirements are applicable only for data processing within the EEA. There must therefore always be an additional examination where the processing involves a transfer to third countries, especially those such as the US, where there is no adequacy agreement with the EU. 

The guide also explains the rationale behind the “absolutely necessary” cookies, main services, services provided at the user’s demand and the additional functions/services. In the context of websites, users do not have to accept every access to their terminal equipment, in particular the setting of cookies, just because a website or an app has been actively called up. They must first become aware that there are additional services and functions that require access to the terminal device in order to provide them (measurement or analysis of visitor numbers, A/B testing, etc). Also, cookies for any additional functions, such as for storing products in the shopping cart or making a payment, can regularly only be regarded as absolutely necessary, in terms of the time dimension, once a corresponding user interaction has taken place (when items are actually placed in the cart, or the payment process has been initiated).

The EDPS’s latest TechDispatch section investigates card-based payments, which nowadays go beyond debit cards or credit cards. Contactless payments using Near Field Communication or Quick Response technologies and cardless payments via smartphone apps are just a few examples of new card-based payment methods. The key takeaways include analysis on:

  • payment gateways and processors;
  • balancing interests between anonymity and traceability of personal data;
  • necessity and proportionality of customer identification;
  • processing of special categories of data;
  • GDPR-covered roles and responsibilities; 
  • data retention and surveillance, automated decision making and profiling;
  • data security standards, etc.

In the UK, the Information Commissioner’s office advised organisations about how to look after customers’ personal data when completing COVID status checks. The provisions require data collectors to be clear, open and honest with people about what they are doing with the personal information:

  • display your privacy notice on your website, social media or email it alongside any event information, put up posters around your venue’s entrance;
  • follow the government guidance to determine whether you should carry out purely visual checks, or a digital scan;
  • use only official governmental apps to scan QR codes;
  • don’t create any of your own lists or records with your customers’ status;
  • make sure staff can answer questions about how data will be used and stored;
  • ensure that your staff treat the information that they are checking confidentially;
  • keep up-to-date with the latest advice from the government and the ICO.

Investigations and enforcement actions: gamers’ videos, children’s learning data, ex-employee email box

Gaming giant Ubisoft has confirmed an intrusion into its IT infrastructure targeting the popular game Just Dance. The company explained that the incident “was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data.” However, Ubisoft did not comment about how many people were affected by the incident: “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on social media profiles.” Anyone affected by the breach will receive an email from Ubisoft and will be given more information through the company’s support team. The team also urged players to enable two-factor authentication and to reset passwords.

The Icelandic data protection authority has found the City of Reykjavík guilty of multiple violations of the GDPR, following its failure to comply with data protection obligations in processing children’s personal data, DataGuidance reports. The investigation started over one of the City of Reykjavík’s primary schools’ use of the Seesaw Learning app. The regulator found that the City of Reykjavík failed to process personal data in a fair and transparent manner, noting that:

  • The processing of personal information was not based on a valid consent. 
  • It was possible to identify registered students for longer than necessary. 
  • The system processed the personal data of parents and guardians of students in order to direct them to marketing. 
  • The personal information of students was transferred to the US and processed there, without sufficient safeguards. 
  • The municipality failed to clarify which of the parties was responsible for the processing, to demonstrate any existing data processing agreements, or to complete a DPIA. 

The City of Reykjavík was requested to close the accounts of school children in Seesaw and ensure that all their personal information is deleted from the system, but not before a copy of the information has been handed over to the children or, as the case may be, kept in schools. 

The Belgian Data Protection Authority, (DPA), issued a reprimand to a company following violations of Art. 5, 6 and 13 of the GDPR. The organisation had kept the complainant’s email address and mailbox active, leading to the possibility a third party could read received emails and respond in the complainant’s name, after the complainant’s employment agreement had terminated, DataGuidance reports. The complainant’s email address was still in the company’s system in January 2020, despite the fact that the employment agreement with the complainant had ended in 2019. Furthermore, the complainant had not received information about further use of their mailbox and email address, besides being told that they no longer would have access to it. The Belgian DPA did not issue a monetary penalty in this case, considering publication of the reprimand would constitute a sufficient warning.

Opinion: ICO’s regulatory powers

The UK Information Commissioner’s Office, (ICO), has launched a consultation to gather the views of data controllers, their representatives and the public on how it regulates the laws it monitors and enforces. People will have 14 weeks to comment on three documents:

  • The Regulatory Action Policy that reinforces the proportionate and risk-based approach to enforcement, and explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.
  • Statutory Guidance that specifies the ICO’s legal obligations to publish guidance to help organisations navigate the law.
  • Statutory Guidance on The Privacy and Electronic Communications Regulations, (PECR), that explains how the ICO enforces the data protection legislation relating to electronic communications like nuisance calls, emails and texts. The guidance focuses on the ICO’s powers to issue monetary penalty notices on a person, or an officer of a body, for data protection failures in respect of the PECR. This is a power that has recently been incorporated into law. 

The forms for written responses are available here.

Big Tech: Google and Meta fines in Russia, Meta/Giphy deal, Alibaba-cloud, tech buzzwords 2021

A Moscow court on Friday said it was fining Alphabet’s Google about 90 mln euros for what it said was a repeated failure to delete content Russia deems illegal, the first revenue-based fine of its kind in Russia. The court also fined Meta more than 20 mln euros on the same grounds. Russia’s communication watchdog Roskomnadzor said that Facebook and Instagram failed to remove two thousand pieces that violate Russian laws whereas Google keeps 2,600 pieces of banned content. Moscow has also demanded that 13 foreign and mostly US technology companies, which include Google and Meta, be officially represented on Russian soil by January 1 or face possible restrictions or outright bans.

Facebook owner Meta has appealed against the UK’s ruling that it must sell its animated images platform Giphy. The company does not support the finding that buying Giphy in 2020 constituted a threat to its rivals or could impact competition in display advertising. It is the first time the British regulator, the CMA, has blocked a major digital acquisition. Half of the traffic to Giphy’s huge library of looping videos comes from Facebook, Instagram and WhatsApp. Its GIFs are also popular with users of TikTok, Twitter and Snapchat. The CMA was concerned Meta could limit access or force rivals to provide more user data. Meta argued it would not change the terms of access for competitors, nor collect additional data from the use of GIFs, which have no online tracking mechanisms such as pixels or cookies. Meta also pointed out that Giphy has no presence, employees, offices or revenues in Britain. The CMA noted that UK users look for 1 billion GIFs a month on Giphy, and 73% of the time they spend on social media was on Meta’s Facebook, Instagram and WhatsApp.

Chinese regulators suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address a cybersecurity vulnerability. Reportedly Alibaba Cloud did not immediately report recently discovered vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China’s telecommunications regulator, but notified the US-based Apache Software Foundation. In response the Chinese government suspended its partnership with the cloud unit, to be reassessed in six months. This latest measure highlights Beijing’s desire to strengthen control over key online infrastructure and data in the name of national security. The Chinese government has also asked state-owned companies to migrate their data from private operators such as Alibaba and Tencent to a state-backed cloud system by next year.

Finally, to end the year, Reuters tech team published a guide to 2021’s tech buzzwords. So, if you’re still drawing a blank as 2021 wraps up – metaverse, web3, social audio, NFTs, tech decentralization, DAOs, “stonks”, gameFI, altcoin, FSD beta, fabs and net zero are all made crystal clear in this quick guide for everyone whose digital lexicon may be in need of an upgrade. 


Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy
https://techgdpr.com/blog/weekly-digest-07122021-data-volunteerism-two-factor-authentication-cookie-deluge-remote-clinical-trials/ (Tue, 07 Dec 2021 08:00:49 +0000)

The post Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Commission approved the political agreement reached between the EU Parliament and EU Member States on a European Data Governance Act. Three-way negotiations have now concluded, paving the way for final approval of the legal text. The Data Governance Act will create the basis for a new system of data governance in accordance with EU rules, the GDPR, and consumer protection and competition rules. More data will be available and exchanged in the EU, across sectors and Member States. It aims to boost data sharing and the development of common European data spaces, such as manufacturing or health, as announced in the European strategy for data. The regulation includes:

  • increasing trust in data sharing in order to lower costs, 
  • allowing novel trustworthy data intermediaries for data sharing,
  • facilitating the reuse of certain data held by the public sector, (eg, health data for clinical research of rare or chronic diseases),
  • allowing users control over the data they generate, (eg, data volunteerism, when companies and individuals make their data available for the wider common good under clear conditions).

On 1 December, a new law regulating data protection and privacy in telecommunications and telemedia came into effect in Germany, (TTDSG). It contains updated provisions on digital legacy, privacy protection for terminal equipment and consent management. For example, it aims to stem the cookie deluge and give website visitors more control over the data the website collects. It also intends to provide more clarity in the regulatory jungle of the GDPR, the ePrivacy Directive, the German Telemedia Act, and the German Telecommunications Act, Herbert Smith Freehills LLP reports. Other key takeaways for companies from the TTDSG are:

  • All technologies, except those that are “strictly necessary”, may only be activated on the basis of having obtained explicit consent, (eg, marketing cookies, local storage or other storage locations on users’ devices). 
  • The scope of application of the consent management platforms has been extended, (eg, storage of information that is not personal data is also subject to consent).
  • The TTDSG also applies to apps, messenger services, smart home devices, and the IoT.

EU Member States may allow consumer protection associations to bring representative actions against infringements of the GDPR, according to a CJEU Advocate General. Those actions must be based on infringements of data subject rights derived directly from the regulation. In the related case, the Federation of German Consumer Organisations complained that Facebook Ireland made free games supplied by third parties available in the platform’s App Centre without clear information to users on data processing purposes. The GDPR does not preclude national legislation which allows consumer protection associations to bring legal proceedings on the basis of unfair commercial practices and consumer protection. In the AG’s view, ”Member states may provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement confers subjective rights on data subjects”.

The Irish Council for Civil Liberties, the ICCL, has launched a formal complaint against the EU Commission before the European Ombudsman. This complaint has two components:

  • The Commission has failed to properly monitor the application of the GDPR, and
  • has neglected to act against Ireland’s failure to properly apply the GDPR. 

The ICCL revealed that 98% of Ireland’s major cross-border cases remain unresolved. As a result, EU enforcement against Google, Facebook, Microsoft, Apple, and other Big Tech is paralysed. The Data Protection Commissioner is the “lead supervisory authority” under the GDPR for Big Tech firms who have their European headquarters in Ireland. No other enforcer in the EU can intervene if the Irish regulator takes the lead role. The ICCL has repeatedly alerted the Irish Government about its responsibilities, and has testified on this point in Parliament. 

Official guidance

The French CNIL has published updated recommendations on remote quality control of clinical trials, taking into account the current Covid-19 crisis. Quality control, or monitoring, consists of verifying the completeness and accuracy of data transmitted by investigation centres to sponsors in order to ensure the reliability of the study results. In particular it consists of a clinical researcher acting on the sponsor’s behalf verifying source documents, (medical files, laboratory analysis reports), and comparing them to the observational data collected by the investigator. Data confidentiality takes a key role in the process, as the person in charge of quality control should only have access to the personal data necessary to perform the checks.

In the current health context, the CNIL had previously considered that it was not necessary to file a request for its authorisation if remote monitoring was implemented. It was the responsibility of data controllers and their subcontractors to document the solutions they chose during this period and to be able to demonstrate that they presented sufficient guarantees for the rights and freedoms of the persons concerned. However, all studies initiated as of January 1 will require the filing of an authorisation request with the CNIL. Also, for ongoing studies, the information note must be updated and submitted to the persons concerned, (directly, by post, or in a call), with documentation of the patient’s non-objection in their medical file. Thus, the medical file of a person who has objected cannot be subject to remote quality control.

“Two protections are better than one!” The CNIL has also published its guidance on two-factor authentication: “Banking, e-commerce, electronic messaging, social networks: everyone has personal accounts on many websites. Each of them contains personal data, some of which are particularly sensitive”. In two- or multi-factor authentication, “what you know” (a username/password) is combined with “what you have” (a single-use code, a USB token, a smart card). Since the end of 2019, banks and payment service providers in the EU have had to implement multi-factor authentication for most remote actions (adding a transfer beneficiary, ordering chequebooks, changing an address). The CNIL recommends activating multi-factor authentication whenever a service offers it, even though it remains vulnerable to certain sophisticated attacks such as real-time phishing, the interception of SMS messages containing authentication codes, or SIM swapping.

Data breaches, investigations and enforcement actions

The UK Information Commissioner’s Office (ICO) fined EB Associates Group 140,000 pounds for over 107,000 illegal pension cold calls. The Government banned the practice in 2019 to try to stop people being scammed out of their life savings. The ICO has ordered EB Associates to stop making further illegal calls or face court action. EB Associates did not have valid consent – freely given, specific and informed – to instigate the making of these calls. Instead, EB Associates contracted lead generators (paying up to 750 pounds per referral) to make the calls, knowing the cold-calling ban was in place, in order to try to bypass the law.

The ICO has also fined the Cabinet Office 500,000 pounds for disclosing the postal addresses of the 2020 New Year Honours recipients online. The Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information. In 2019 the Cabinet Office published a file on the governmental website containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions as well as celebrities across the UK were affected. After becoming aware of the data breach, the Cabinet Office removed the web link to the file. However, the file was still cached and accessible online to people who had the exact webpage address. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The Italian regulator Garante sanctioned a public transportation company over the remote monitoring of workers. An employee complained about the monitoring of staff through the telephone management system of the call centre dedicated to customer care. The company had justified the use of these tools by the need to verify quality standards and manage complaints, specifying that it had informed the workers and trade unions. Following an inspection, it emerged that the employees had not in fact been adequately informed. Furthermore, the system was not limited to the management of telephone calls: it also allowed the recording and replaying of calls, and the storage for an unspecified time of other information such as call duration, numbers contacted, and the date and time of each call. Considering the company’s cooperation and its immediate deactivation of the system, the authority applied a fine of 30,000 euros.

The Spanish regulator AEPD imposed a fine of 20,000 euros on a business support services company for violating Art. 5 of the GDPR through the unlawful use of fingerprints for access to changing rooms and toilets. The investigation was initiated following a complaint against the installation of fingerprint readers at workplace entrances and exits. Fingerprints are biometric data under Art. 4 of the GDPR and fall into a special category of personal data. The use of fingerprints to access changing rooms and toilets was a repeated and continuous unjustified interference with the rights and freedoms of employees, DataGuidance reports.

The Romanian regulator ANSPDCP sanctioned a call centre (data processor) 2,000 euros for violating Art. 29 and 32 of the GDPR. The investigation was initiated as a result of a personal data breach notification transmitted by an operator (data controller). The security breach occurred when a call centre employee mistakenly sent one of the operator’s clients an Excel file containing the data of the operator’s customers who had Internet banking services. The breach led to unauthorised disclosure of, or unauthorised access to, personal data such as e-mail address, username, user ID, telephone number, customer name and customer code of 11,169 individuals. It was established that the call centre, as the processor authorised by the operator, did not take appropriate measures to ensure that any person acting under its authority with access to personal data processed it only on the specific instructions of the data controller.

In Lithuania, the data protection inspectorate (VDAI) fined car rental company Prime Leasing UAB 110,000 euros for violating Art. 32 of the GDPR, the obligation to ensure the security of the processing of personal data. The company’s customers complained that their personal data had been disclosed on a public forum website. The data had in fact been obtained from an unprotected database backup. Prime Leasing had not assessed the associated risk, claiming it was unaware that the file existed in its infrastructure. The VDAI found that the data of around 110,302 users had been disclosed, including names, addresses, telephone numbers, emails, personal identification numbers, payment card type, the last four digits of payment cards, and payment card expiry dates. According to the inspectorate, the confidentiality of the personal data stored in the file should have been protected by at least one of the following basic security measures: 

  • authenticated access to the file only for the company’s employees; 
  • connecting to the repository only from the company’s internal computer network; 
  • storage of the file after encryption, (entrusting the encryption keys only to authorized company employees), or proper monitoring of information resources.
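The last of those measures, proper monitoring of information resources, is the one that would have shown the company a file it did not know it had. As an added example (not part of the VDAI decision or the company’s systems), the following detection logic runs over constructed web-server access-log lines in the common “combined” format and reports any request for a backup-looking path that came from outside the organisation’s network: a 2xx response is reported as an exposure, anything else as a probe worth looking at. The internal address ranges, the backup path patterns and the sample lines are all assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines (combined log format); not from the case.
SAMPLE_LOG = """\
203.0.113.45 - - [03/Dec/2021:10:15:32 +0000] "GET /exports/customers-backup.sql HTTP/1.1" 200 48213000 "-" "Mozilla/5.0"
10.0.4.12 - - [03/Dec/2021:10:16:01 +0000] "GET /exports/customers-backup.sql HTTP/1.1" 200 48213000 "-" "curl/7.68.0"
198.51.100.7 - - [03/Dec/2021:10:17:45 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Dec/2021:10:18:02 +0000] "GET /db.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# Assumed internal ranges (RFC 1918); replace with the organisation's own networks.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed naming patterns for database dumps and archive files.
BACKUP_PATH_RE = re.compile(r"backup|dump|\.sql\b|\.bak\b|\.tar\.gz\b|\.zip\b", re.IGNORECASE)


def is_internal(ip: str) -> bool:
    """True when the client address lies in one of the internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as external
    return any(addr in net for net in INTERNAL_NETS)


def audit_backup_access(log_text: str) -> List[Dict]:
    """Return one finding per external request for a backup-like path.

    severity "exposed": the server actually served the file (2xx status);
    severity "probe":   the request failed, but someone outside was looking for it.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not BACKUP_PATH_RE.search(m["path"]):
            continue
        if is_internal(m["ip"]):
            continue  # access from the internal network is allowed by the policy
        status = int(m["status"])
        findings.append({
            "severity": "exposed" if 200 <= status < 300 else "probe",
            "ip": m["ip"],
            "path": m["path"],
            "status": status,
            "time": m["time"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_backup_access(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the “exposed” findings are the ones that become a breach notification; the “probe” findings are the early warning that a backup path has been guessed or leaked, while there is still time to apply the other three measures on the list.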

The Danish data protection agency published, (only in Danish), a Christmas calendar with 24 “doors” on data protection and security breaches. The first week of December cards included cases relating to health data, webshops and bank hacking, followed by the latest analytics and infographics. Many more doors to open before Christmas Eve!

Opinion

The importance of cybersecurity risk management in private equity, (PE), is analysed by Ropes & Gray LLP:

“As PE firms can potentially hold large amounts of personal data from their portfolio companies, they are not immune from cyber risk. Indeed, the GDPR permits national authorities to fine “undertakings” as a whole, which means that parent companies may be fined for infringements of their subsidiaries.”

According to the analysis, this is a consequence of a commercial reality: increasing competition limits the time available to conduct pre-deal due diligence, so cyber due diligence in competitive auctions usually takes place post-deal. As a recent example, in 2020 the UK data protection authority fined Marriott 18.4 million pounds for a cyber-attack stemming from a vulnerability in the data processing systems of Starwood, a company Marriott acquired in 2016. Thus, PE firms should test their resilience against realistic mock scenarios that they or their portfolio companies might face, such as a supply-chain compromise or an extortion-based attack.

Data security

What can starling murmuration teach us about better managing data privacy? Analysis by Gilbert + Tobin lawyers from Australia: “It is not just a pretty stunt; rather, it is an illustration of how optimal outcomes can be produced when intelligence is aggregated and utilised at a group level, an emerging concept known as swarm intelligence”.

Applying this idea, machine learning techniques are used for information sharing across a secure, decentralised and privacy-preserving network, so that intelligence develops at a group level. Individual systems upload the insights and knowledge they produce to a common network, which incrementally refines a core model that all participants benefit from using (i.e. the data stays stored locally and only the insights are shared and used centrally). Read more, including a case study on medical applications, in the original publication. 
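The mechanism described above, local training with only model updates leaving each site, is the federated averaging pattern. The following is an added illustration (not code from the Gilbert + Tobin analysis or its case study) in pure Python: three constructed “sites” each hold their own samples of the same underlying relation y = 2x + 1 over different x ranges, each runs a couple of gradient steps on its own data, and a coordinator averages the resulting parameters weighted by sample count. The site names, the data and the learning-rate and round settings are assumptions of this example; the point is that the coordinator’s loop receives two floats per site and never an (x, y) pair.

```python
from typing import Dict, List, Tuple

Model = Tuple[float, float]  # (w, b) of the shared model y = w * x + b
Dataset = List[Tuple[float, float]]

# Constructed local datasets: every site keeps its own samples, all drawn from
# y = 2x + 1, but each site sees a different slice of the x range (non-IID).
LOCAL_DATA: Dict[str, Dataset] = {
    "site_a": [(0.0, 1.0), (0.1, 1.2), (0.2, 1.4), (0.3, 1.6)],
    "site_b": [(0.4, 1.8), (0.5, 2.0), (0.6, 2.2)],
    "site_c": [(0.7, 2.4), (0.8, 2.6), (0.9, 2.8), (1.0, 3.0)],
}


def local_train(model: Model, data: Dataset, lr: float = 0.5, steps: int = 2) -> Model:
    """Full-batch gradient descent on mean squared error, run inside the site.

    The raw samples are used only here; what is returned (and shared) is the
    updated (w, b) pair.
    """
    w, b = model
    n = len(data)
    for _ in range(steps):
        grad_w = sum(2 * (w * x + b - y) * x for x, y in data) / n
        grad_b = sum(2 * (w * x + b - y) for x, y in data) / n
        w -= lr * grad_w
        b -= lr * grad_b
    return (w, b)


def federated_average(sites: Dict[str, Dataset], rounds: int = 150) -> Model:
    """Coordinator loop: broadcast the core model, collect local updates, average them.

    The average is weighted by each site's sample count. The coordinator only
    ever handles the (w, b) tuples in `updates`, never the sites' data.
    """
    model: Model = (0.0, 0.0)
    total = sum(len(d) for d in sites.values())
    for _ in range(rounds):
        updates = {name: local_train(model, data) for name, data in sites.items()}
        w = sum(len(sites[name]) * u[0] for name, u in updates.items()) / total
        b = sum(len(sites[name]) * u[1] for name, u in updates.items()) / total
        model = (w, b)
    return model


if __name__ == "__main__":
    w, b = federated_average(LOCAL_DATA)
    print(f"core model after federated averaging: w={w:.3f}, b={b:.3f}")
```

Because every site’s data is consistent with the same model, the averaged parameters converge to w = 2, b = 1 even though no single site covers the whole input range. Two caveats a practitioner should keep in mind: the shared updates are derived from personal data and can still leak information about it (hence the secure, privacy-preserving network the analysis insists on), and a participant sending poisoned updates can steer the core model, so update validation belongs in any real deployment.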

Human error is the leading cause of serious data breaches, according to a new report released by New Zealand’s Office of the Privacy Commissioner, (OPC). Since reporting of serious privacy breaches became a legal requirement in the country a year ago, the OPC has seen a nearly 300% increase in privacy breach reporting compared to the same 11-month period the year before. Human error has been the leading cause of serious privacy breaches during this period, (61%), with email error accounting for over a quarter of those breaches. Other types of privacy breaches in human error reporting were accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, and postal and courier errors.

Big Tech

Russia’s communications regulator Roskomnadzor has filed cases against US tech firms Google and Meta that could see fines imposed as a share of their annual turnover in Russia, Reuters reports. Russian law allows companies to be fined between 5% and 10% of annual turnover for repeated violations. Court dates for both companies, neither of which immediately responded to a request for comment, were set for December 24. Russia has increased pressure on foreign tech companies, slowing down Twitter since March and routinely fining others for content violations. Google has paid more than 382,000 euros in fines this year. Google, Twitter and Meta have significantly reduced the number of posts prohibited by Moscow on their platforms. Additionally, Russia demanded that 13 foreign, mostly US, tech companies be officially represented on Russian soil by the end of 2021 or face possible restrictions or outright bans.

The UK competition authority, the CMA, is demanding that Facebook sell Giphy, citing risks over users’ data. Facebook, the largest provider of social media sites and display advertising in the UK, acquired Giphy, the largest provider of GIFs, in 2020. The merger would further increase Facebook’s dominance, and Facebook would benefit from Giphy’s data collection practices and integration with other services. With the acquisition of Giphy, Facebook could limit the ability of rival apps to compete with it in social media and could demand individuals’ data as a condition for rival companies to use Giphy. In particular, through the acquisition of Giphy, Facebook would potentially be able to:

  • obtain users’ personal data processed via Giphy and potentially combine it with the vast amount of data it already processes to profile users and predict their behaviour;
  • by modifying Giphy’s API, increase the categories of personal data collected;
  • impose on clients (including Facebook’s competitors in the social media market) conditions for the use of Giphy, preventing clients from protecting their users’ data;
  • increase its capacity to deliver targeted ads both to Giphy’s users and to internet users outside Facebook’s platform and services, through increased tracking.

The Australian Competition and Consumer Commission is also reviewing the Facebook/Giphy merger.

Facebook plans to force more at-risk accounts to use two-factor authentication. The platform joins Google and others in requiring stronger protections for its most vulnerable users. Facebook’s parent company, Meta, has since last year required advertising accounts and administrators of popular pages to turn on two-factor authentication. “While Meta says that its current initiative applies only to the politicians, activists, journalists, and others enrolled in its Facebook Protect program, this seems like a sort of test for figuring out how to make two-factor authentication as easy as possible for everyone to turn on. Meta is also working to make sure it can help troubleshoot any related issues that may arise for users around the world”, Wired reports.

The post Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy appeared first on TechGDPR.
