clinical trials Archives - TechGDPR
https://techgdpr.com/blog/tag/clinical-trials/

Data protection digest 3-18 Mar 2026: Proposed EU Biotech Act strengthens clinical trial participants’ rights
https://techgdpr.com/blog/data-protection-digest-20032026-proposed-eu-biotech-act-strengthens-clinical-trial-participants-rights/
Fri, 20 Mar 2026 09:16:26 +0000

EU Biotech Act

The EDPB and EDPS adopted a Joint Opinion on the European Commission’s Proposal for a European Biotech Act. It aims to strengthen Europe’s biotechnology and biomanufacturing sectors, including streamlining the regulatory framework and updating the rules for clinical trials (in the form of proposed amendments to the Clinical Trials Regulation). The privacy regulators welcome the aim to establish a single legal basis for the processing of personal data by sponsors and investigators in the context of clinical studies. The opinion provides several recommendations to ensure that the proposed simplifications do not lower the level of protection for clinical trial participants:

  • Clarifying the controller roles of the actors involved in funding and conducting clinical trials, jointly and severally
  • Limiting data retention for various personal data collected throughout the clinical trial (except master files storage requirements)
  • Further processing for other clinical trials and scientific research
  • Coherence with the AI Act
  • Appropriate technical and organisational measures (the use of pseudonymisation)
  • Regulatory sandboxes

Main developments 

Transparency enforcement action: On 18 March, the EDPB launched its Coordinated Enforcement Framework (CEF) action for 2026. Following a year-long coordinated action on the right to erasure in 2025, the CEF’s focus this year will shift to compliance with the obligations of transparency and information under the GDPR. The GDPR ensures that individuals are informed when their data is being processed (under Art. 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data. Participating authorities will soon contact controllers from different sectors across Europe.

European Blockchain sandbox: The European Commission has published the results of the third edition of the ‘European Blockchain Sandbox’, an initiative in which European data protection agencies participate along with other authorities. Following the publication of the selected projects, which cover all EU/EEA regions and represent a wide range of sectors and issues, and once the stage of confidential regulatory dialogues has been completed, a report of good practices will follow, as in the first two editions.

Other legal updates

Data Brokers EU study: The Belgian data protection agency and the EDPB commissioned a study to gain greater insights into the ecosystem of data brokerage. In particular, several types of data brokers and providers were identified: personal data brokers, AI platforms integrating personal data, business data brokers, data pools and cleanrooms, data marketplaces, self-generated data providers, data brokers with user control, and aggregated data providers with re-identification risk.

The study shows that the data broker and provider market in Belgium is highly diverse, with varying levels of risk associated with the use of personal data. More than 40 data brokers and providers active in Belgium were identified in the study.

Big Tech compliance with the EU DMA: The gatekeepers designated in 2023, Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft, have submitted reports on their updated compliance measures under the Digital Markets Act (DMA), outlining the changes they have implemented and measures they have taken during the past year. The gatekeepers also submitted to the Commission updated, independently audited reports on consumer profiling techniques. The public versions of the updated compliance reports will shortly be available here and here.

US privacy laws development: DLA Piper publishes a list of recently introduced comprehensive privacy bills, state by state (Alabama, Arizona, Iowa, Illinois and more). They reflect a continued trend toward expanding individual privacy rights and creating new compliance obligations for businesses that collect and process personal data, including consent requirements, data minimisation, data brokers, child data, geolocation, biometrics and other types of sensitive data.

More from supervisory authorities

Age assurance guide: The Australian Information Commissioner (OAIC) has published new guidance on age assurance technologies to assist entities in ensuring Australians’ privacy is protected when they encounter age checks online. Three months on from the commencement of the Social Media Minimum Age (SMMA) scheme, the OAIC has observed significant growth in age checks taking place in Australia to allow people access to other online services. The guidance calls on entities to: 

  • establish whether age checks are needed and take a privacy-by-design approach
  • undertake due diligence to ensure the security of the entity’s age assurance ecosystem
  • assess risk and choose age-assurance methods that are proportionate and data minimising
  • ensure clear consent requests are used for the collection of sensitive information (such as biometric templates) or for secondary use or disclosure
  • be transparent in privacy notices and ensure meaningful support is available to individuals, through simple and easy to access complaints processes

IT security in the health sector: The IT security of software products in the healthcare sector has room for improvement. This is a recent conclusion reached by Germany’s Federal Office for Information Security (BSI) after testing the standard configurations of various healthcare software products. As part of the project, four example practice management systems (PMS) were examined for vulnerabilities using penetration tests. The results included the lack of encryption for data transmission and the use of outdated and therefore insecure encryption algorithms.

AI systems monitoring criteria

AI outputs are typically non-deterministic, meaning the AI may exhibit a range of behaviours under the same input conditions. To that end, America’s NIST publishes a much-needed analysis of post-deployment AI system monitoring aimed at improving their reliability. The study introduces six monitoring categories to support a more organised discussion:

  • Functionality: Does the system continue to work as intended? 
  • Operational: Does the system maintain consistent service across its infrastructure? 
  • Human Factors: Is the system transparent to humans and of high quality?
  • Security: Is the system secure against attacks and misuse? 
  • Compliance: Does the system adhere to relevant regulations and directives? 
  • Large-Scale Impacts: Does the system promote human flourishing?

Web filtering proxy

The French privacy regulator CNIL promotes cybersecurity solutions that comply with the GDPR, both in their use and in their design. To this end, it publishes a recommendation to support users and providers of filtering web proxies, a device or service used to secure internet access by filtering web content for security and compliance reasons. Web filters can help meet the data security obligation (Art. 32 of GDPR). However, they themselves rely on data processing that must also comply with the GDPR. The CNIL recommendations aim in particular to inform data controllers:

  • on compliance with the principles of the GDPR in the use of a web filtering proxy, including the determination of a legal basis, the minimisation of the data collected, the retention periods and the respect of the exercise of rights by the data subjects;
  • on the points of attention relating to the use of HTTPS decryption and the implementation of a list of exceptions;
  • on the deployment modalities;
  • on the security of the access filtering and logging solution.

In other news

Account deletion and purchase history: The Privacy Commissioner of Canada has issued its findings in an investigation into complaints against Loblaw Companies (the biggest Canadian food retailer) related to the PC Optimum Loyalty Program. Several complainants alleged that Loblaw did not delete their PC Optimum accounts after they requested it, and/or that it had not responded to inquiries about their deletion requests.

The investigation found that, while Loblaw had mechanisms in place for customers to request an account deletion or to raise privacy concerns, it took an unreasonable amount of time to address the requests, and also failed to respond to some privacy-related inquiries. The investigation also found that Loblaw retained PC Optimum members’ purchase history after their account had been deleted, and that the removal of personal identifiers such as names and email addresses was an insufficient measure to have in place.

Age assurance technology fine: The Spanish AEPD fined Yoti 950,000 euros following an investigation into its role as an intermediary in identity and age-verification processes. The fine includes 500,000 euros for processing special category biometric data without a valid exemption under Article 9 of the GDPR, 200,000 euros for obtaining consent for research and analytics through pre-ticked boxes in breach of Article 7, and 250,000 euros for retaining data, including biometric and geolocation information, for longer than necessary in violation of the storage limitation principle under Article 5(1). 

The AEPD required Yoti to demonstrate within six months that its processing of biometric data, consent mechanisms, and data retention practices comply with the GDPR, digitalpolicyalert.org reports.

More enforcement decisions

Amazon Italy ban: The Italian Data Protection Authority Garante ordered Amazon Italia Logistica to immediately stop processing the personal data of more than 1,800 employees at its Passo Corese (RI) site. The ban concerns workers’ sensitive information, which Amazon systematically collected and stored throughout their employment and retained for up to ten years after they left the company, using an internal platform linked to the attendance tracking system and accessible to numerous managers.

The information was recorded on the platform following interviews conducted when employees returned from periods of absence. It included details about medical conditions such as Crohn’s disease, herniated discs, and pacemaker implants, as well as participation in strikes and trade union activities. In some cases, notes referred to alleged misuse of leave. Personal and family matters were also documented, including references to a terminally ill parent, a sibling with brain cancer and marital separations, according to the Maltese data protection agency analysis.


Intesa Sanpaolo fine: Garante also fined Intesa Sanpaolo 17.628 million euros for unlawful personal data processing. Intesa Sanpaolo had profiled approximately 2.4 million customers identified as “predominantly digital customers” through automated processing of personal data, including age, use of digital channels, absence of investment products, and financial balances below 100,000 euros. This profiling lacked a valid legal basis. The regulator determined that informed consent under Article 6(1) of the GDPR was the only applicable legal basis, and that such consent had not been obtained, digitalpolicyalert.org sums up. 

Foreign service providers and the choice of jurisdiction

A DLA Piper analysis looks at a case in California demonstrating the expanding reach of personal jurisdiction over foreign companies operating online platforms. It relates to an appellate court’s decision to reverse a district court’s dismissal of a class action against an Estonian software company for lack of personal jurisdiction. The plaintiffs brought a class action in the Northern District of California against 3Commas Technologies, an Estonian private limited company that provides software services for cryptocurrency trading, based on an alleged data breach. 

In the above case, the foreign company collected IP addresses, billing addresses, and location data that could reveal users as California residents, contacted them, and interacted with them for cryptocurrency trades. The appeal court also decided that including specific references to California privacy rights can be construed as evidence of intentionally targeting California consumers. Finally, the choice of law and forum selection clauses in vendor contracts may be used as evidence, too.

And Finally


Data altruism: The French CNIL also publishes FAQs on Recognised Data Altruism Organizations in the EU. The Data Governance Regulation (DGA) creates an EU-recognised Data Altruism Organisation (DAO) status. These altruistic organisations voluntarily share data for general interest and non-profit purposes. In particular, Article 18 of the DGA sets out the various general conditions for registration:

  • conducts data altruism activities
  • is a legal person pursuing objectives of general interest under national law
  • operates on a not-for-profit basis and is legally independent of any entity operating for profit
  • conducts its data altruism activities through a structure that is functionally separate from its other activities
  • complies with a set of common European rules, known as the ‘compendium of rules’, in a transparent, secure and interoperable manner

AI agents and data security: A Krebs on Security law blog post looks at AI-based assistants, autonomous programs that have access to the user’s computer, files and online services, and can automate virtually any task. In particular, their popularity is growing among developers and IT workers. These powerful new tools are rapidly shifting the security priorities for organisations, while blurring the lines between data and code, trusted co-worker and insider threat. The article explains various vulnerabilities for users, including the case where exposing a misconfigured AI agent web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential, from API keys and bot tokens to signing keys. Another experiment showed how easy it is to create a successful supply chain attack through a public repository of downloadable “skills” that allow AI agents to integrate with and control other applications.

Data protection digest 17 – 31 Oct 2024: clinical research service providers, non-for-profit, commercially available AI
https://techgdpr.com/blog/data-protection-digest-2112024-clinical-research-service-providers-non-for-profit-commercially-available-ai/
Sat, 02 Nov 2024 11:05:22 +0000

Non-for-Profit

Updated privacy guidance for not-for-profits has been released by the Office of the Australian Information Commissioner. It includes a discussion of what to consider when engaging third-party providers, such as for fundraising, or software vendors. For instance, when entering into arrangements with third parties, your not-for-profit should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your not-for-profit and the wider community (donors, volunteers, and people who engage with the sector as clients and staff). It is important to read the terms of your agreement carefully, conduct periodic reviews, and ensure the third party deletes any personal information at the end of the contract term.


Consent management in Germany

On 17 October the Bundestag approved the regulation that introduces recognised consent management services to manage end users’ decisions on consent or non-consent to a digital service provider, thus relieving them of some of the burden of individual decisions that have to be made with cookie consent banners. The integration of recognised consent management services by providers of digital services is voluntary. The regulation now has to be approved by the government and officially published to come into effect. The original regulation (in German) can be read here.

Clinical research organisations (CROs)


The French CNIL has approved a Code of Conduct intended for clinical research organisations and other service providers (CROs) who act as processors on behalf of sponsors. It brings an operational dimension to the requirements of the GDPR. It is supported by the not-for-profit European Clinical Research Federation (EUCROF) and is mandatory for those who adhere to it.

Among the services offered by CROs that may be covered by the code are the design of the protocol, the selection and contracting with the investigator centers, the collection and hosting of data, their analysis and the production of reports, or archiving or technical support services.

Other legal updates

NIS2 directive takes effect: New regulations to improve the cybersecurity of the EU’s vital networks and entities (“NIS2”) should have been incorporated into national legislation by the October 17 deadline. According to a DLA Piper analysis, although some Member States such as Croatia, Hungary and Belgium have transposed the directive into national legislation, the majority of EU countries do not yet have the relevant implementing legislation and necessary guidelines for organisations in place.

Sanction lists: The Swedish IMY has drawn up new regulations that make it permissible for certain companies to handle personal data about violations of the law without seeking permission from the regulator when, among other things, checking their customers against various sanction lists. In particular, companies that operate in the financial sector as well as in the security and defence market may need to check their customers, suppliers and employees, to comply with international export restrictions, and against money laundering and the financing of terrorism.  

Lawful collection of criminal records: The Danish data protection authority investigated Parken Services A/S’ procedures for obtaining information in the recruitment process. In particular, it obtains copies of passports and criminal records from applicants. The regulator found this processing lawful taking into account the special circumstances that apply to Parken Services A/S as an employer, including the very large number of people employed by the company, and the very special risk profile associated with a company servicing large sporting and entertainment events, especially concerning terrorism and crime.

Worker transfers data to private account without permission

An Ius Laboris law blog post analyses the recent case in the Netherlands where an employee was dismissed because he sent 791 documents from his employer’s server to his personal Dropbox account, shortly after he was told that his fixed-term employment contract would not be extended. The employer had an IT policy that stated that employees could not make copies of the employer’s data or store information from the employer in personal locations.

Additionally, the employer had recently sent an email to all employees reminding them that they were not allowed to take any documents or property from the employer with them at the end of their contract. Read more details of the case in the original publication.

Commercially available AI

The Office of the Australian Information Commissioner has also issued new AI guidance. AI products should not be used simply because they are available, it says. Robust privacy governance and safeguards are essential for businesses to gain any advantage from AI and build trust and confidence in the community. Similarly, during AI model training, it must be carefully considered whether this will involve the collection, storage, use or disclosure of personal information, either by design or through an overly broad collection of data for training. Do this early in the process to help mitigate any privacy risks. Personal information is a broad category, and the risk of data re-identification needs to be considered. 

More official guidance

Mobile apps design: Apps often ask for permissions that they don’t need to function properly (geolocation, contacts, camera or mic). It is recommended to accept only those strictly necessary for the function of the service. Apps also collect data about your behaviour, such as which web pages you visit, how long you spend in an app, or which features you use most often. This information may be used for ad personalisation, but you can limit or disable it in the privacy settings of your account. It is also recommended to use temporary accounts or alternate email addresses that are not linked to sensitive data.

Learning environments: The Estonian regulator emphasized the obligation of educational institutions and their learning environments to maintain the appropriate technical and organisational measures. This includes reviewing the documents and personal data entered into online environments and their retention periods, creating a system for monitoring data retention periods and deleting data at the end of a period, and ensuring that employees are informed of data protection conditions. 

It is also important that the data can be partially deleted so that it does not prevent the further processing of other data (e.g. making the data non-personal and storing it for archiving, scientific and historical research or statistical purposes).

Work emails backup: The Italian Garante fined a company 80,000 euros for carrying out backups during the employment relationship. The complaint was filed by a commercial agent who realised that the company, during their collaboration, used software to back up emails, preserving both their contents and access logs to the emails and the company management system. The information collected was then used by the company in litigation. This also allowed the company to reconstruct the collaborator’s activity, thus incurring a form of control prohibited by the workers’ statute.


More enforcement decisions

LinkedIn fine: The Irish Data Protection Commission fined LinkedIn Ireland 310 million euros. The inquiry examined LinkedIn’s processing of personal data for behavioural analysis and targeted advertising of users who have created LinkedIn profiles. LinkedIn did not validly rely on consent to process third-party data of its members for behavioural analysis and targeted advertising. Similar validity issues applied to the legitimate interest and contractual processing of first-party personal data. 

Health data breach: The New York Attorney General secured 2.25 million dollars from a health care provider AENT for failing to protect the medical data of 200,000 New York patients. AENT failed to adequately monitor the third-party vendors responsible for their cybersecurity functions. As a result, those vendors did not install critical security software updates promptly, adequately log and monitor network activity, properly encrypt consumers’ private information before and after any attacks, utilise multi-factor authentication for all remote access, or otherwise maintain a reasonable information security program. Finally, AENT’s data storage devices continued to host unprotected private information months after two ransomware incidents occurred. Read more insights on massive health data breaches in the US here.

Pinterest: Privacy advocacy group NOYB filed a complaint against the social media platform Pinterest, including its visual mood board used for finding ideas and inspiration. Advertisers, on the other hand, use the platform to push their products to consumers. Pinterest’s business model is also based on personalised advertising and the associated user tracking. The platform allegedly uses people’s data without asking for their consent.

Pinterest claims to have a legitimate interest and enables tracking by default.

Data security

Ransomware: In 2023, there were more ransomware attacks in the Netherlands than previously. The AP counted at least 178 successful attacks. The number of affected organisations runs into hundreds. Millions of people’s data were affected, from emails and phone numbers to copies of passports, bank account numbers, and passwords. The AP notes that while cybercriminals sometimes target one specific company in a certain sector, they also regularly attack IT suppliers that manage data on behalf of a range of companies from all sectors. 

Google Analytics: The Saxony Data Protection Commissioner discovered the illegal use of Google Analytics on 2,300 out of the 30,000 websites it examined (compliance improved significantly throughout the inspections). Data was collected without the visitors having previously consented to the setting of analytics cookies and/or the establishment of server connections to Google Analytics. A significant number of consent banners often did not do what the settings promised users. Services were executed and cookies were set even though the settings indicated “off”. Many of the website administrators were unaware of this.

Mobile surveillance: The Krebs on Security law blog reports on a recent ad data surveillance case. The Delaware-based Atlas Data Privacy Corp. filed a lawsuit against Babel Street, a technology company that allows customers to use a real-time finder at and around nearly any location on a map of the world, and view a time-lapse history of all mobile devices seen coming in and out of the specified area.

Babel Street consumes location data and other identifying information (built into all Google Android and Apple mobile devices) that is collected by many websites and makes this available to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user, the analysis states.

Data protection digest 18 May – 2 Jun 2024: decentralised clinical research, Meta’s new virtual assistant
https://techgdpr.com/blog/data-protection-digest-05062024-decentralised-clinical-research-meta-ai-training/
Wed, 05 Jun 2024 07:43:31 +0000

In this issue, the personal data lifecycle in decentralised clinical research, Meta’s new AI chatbot, protections for organisations against data scraping, failed backup testing and spreadsheet error real examples, and much more.


Decentralised clinical research

To support sponsors in designing their decentralised clinical research projects, the French data protection authority CNIL with other state agencies set up a pilot project (from January to September 2024). 20 selected projects will receive targeted support and updated guidance, looking especially at the entire lifecycle of personal data processing:

  • Roles and responsibilities (oversight of incoming data);
  • Informed consent process (interviews, leaflets, signatures);
  • Delivery of investigational products (safety data, biological sample handling, home visits etc.);
  • Data collection and management (defining and handling source data);
  • Trial monitoring (remote access).

In December 2022, the Commission published the European recommendations on decentralised clinical trials. It came after the COVID-19 pandemic, highlighting the importance of digital tools and decentralisation procedures in health research projects.

Meta’s AI virtual assistant under investigation in the EU

Norway’s data protection regulator reports that as of June 26, posts and photos on Facebook (often of a private nature) and Instagram will be used to develop and improve Meta’s AI assistant service. This won’t include private messages to friends and family. Reportedly, Meta believes that the company does not need to ask for users’ consent since their interest in using the content outweighs the users’ interests and rights. The regulator has already received a complaint and started an investigation into the new practice and expects that there will be more complaints, both in Norway and in Europe.

At the moment individuals in Norway can only object to it in a dedicated form on Facebook and Instagram if they wish.

Protections against Data Scraping

The Italian data protection authority has issued non-mandatory guidance on how to protect personal data published online by public and private entities in their capacity as data controllers from web scraping. It particularly targets the indiscriminate collection of personal data on the internet, carried out by third parties for training generative AI models. Some concrete measures (taking into account the latest technology and the costs of implementation, in particular for SMEs) may include:

  • creation of areas, accessible only upon registration, to remove data from public availability;
  • the inclusion of anti-scraping clauses in the terms of service of websites; 
  • the monitoring of traffic to web pages, to identify any abnormal flows of incoming and outgoing data; 
  • the technological solutions made available by the same companies responsible for web scraping (e.g. intervening on the robots.txt file).
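The traffic-monitoring measure in the list above, as an added illustration that is not code from the Garante’s guidance or from TechGDPR: it parses constructed Common Log Format lines and flags clients whose request burst, or whose share of distinct paths, looks like indiscriminate collection rather than ordinary browsing. The thresholds (MAX_REQUESTS, MIN_DISTINCT_RATIO), the sample addresses and the /staff/ paths are assumptions a site operator would replace with their own baseline.

```python
"""Flag scraping-like clients in web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed thresholds: a burst above MAX_REQUESTS in the window, or nearly every
# request hitting a different page, is treated as bulk collection. Tune to the
# site's own baseline before acting on the output.
MAX_REQUESTS = 20
MIN_DISTINCT_RATIO = 0.9
MIN_REQUESTS_FOR_RATIO = 10  # too few requests to judge a distinct-path ratio


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_scrapers(lines, window_seconds=60, max_requests=MAX_REQUESTS,
                  min_distinct_ratio=MIN_DISTINCT_RATIO):
    """Return {ip: reason} for clients whose traffic looks like bulk scraping.

    Two signals are checked per client: the largest number of requests inside a
    sliding window, and the share of requests that target a distinct path (a
    person browsing revisits pages; a scraper walks every profile exactly once).
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than trusted
        per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        burst, start = 0, 0
        for end in range(len(recs)):
            # Advance the window start until it lies within window_seconds of end.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        distinct_ratio = len({r["path"] for r in recs}) / len(recs)
        if burst > max_requests:
            flagged[ip] = f"{burst} requests within {window_seconds}s"
        elif len(recs) >= MIN_REQUESTS_FOR_RATIO and distinct_ratio >= min_distinct_ratio:
            flagged[ip] = f"{len(recs)} requests, {distinct_ratio:.0%} distinct paths"
    return flagged


def _sample_log():
    """Constructed sample: 10.0.0.5 walks 25 staff profiles in 25 seconds,
    192.0.2.10 browses a few pages (with repeats) over several minutes."""
    lines = [
        f'10.0.0.5 - - [01/Jun/2024:10:00:{i:02d} +0000] "GET /staff/{i + 1} HTTP/1.1" 200 512'
        for i in range(25)
    ]
    for i, path in enumerate(["/", "/about", "/staff/3", "/staff/3", "/contact", "/"]):
        lines.append(
            f'192.0.2.10 - - [01/Jun/2024:10:{i:02d}:00 +0000] "GET {path} HTTP/1.1" 200 1024'
        )
    lines.append("garbage line that does not parse")  # exercised the malformed path
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, reason in flag_scrapers(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

A flagged address is a lead for the data controller to review (rate limiting, registration-gated areas, robots.txt), not proof of scraping on its own.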

Other official guidance

Data collection: Getting data collection right is a key to your overall GDPR compliance, as once you have understood and complied with the principles of your data collection, the same principles apply throughout the lifecycle of what you do with the data you have, explains the Guernsey data protection authority. It also offers new guidance regardless of the collection method (in-person interviews, emails, online forms, paper forms, video surveillance, social media activity, phone calls etc.).

Dynamic data security: Data security measures must be viewed as a dynamic rather than a static obligation, according to the Guernsey regulator. In its latest statistical research, the agency found that the long-established trend of emails being sent to the wrong person continues to be the most commonly reported breach. At the same time, the vast majority of breaches were still discovered by individuals, not through system auditing or testing. The regulator asks for a deeper understanding of the potential associated harms, ranging from “loss of confidentiality” to “emotional distress”, to properly assess the risk of such incidents.


‘Manage GDPR’: The Spanish regulator AEPD published a new version of its Manage GDPR tool (available in English). ‘Gestiona’ targets controllers and processors as well as data protection specialists. It allows the records of processing activities (ROPA) to be managed in an integrated way, with up to 500 processing activities and for different entities. It is now possible to manage risk with the privacy measures the tool suggests for each identified risk factor. The tool runs in the user’s browser, without installing any application, and stores its information locally on the user’s device.

Legal processes

Anonymisation standard: The Quebec government enforced the Regulation respecting the anonymisation of personal information. It prescribes that once the purposes for which personal data was used are achieved, organisations (including in the private sector) have two choices: destroy the data, or anonymise it for use only for serious and legitimate purposes. It will largely apply from 2025.

UK Data Protection reform on hold: The Data Protection and Digital Information Bill falls ahead of a snap UK general election. As UK observers explain, any legislation that did not complete its passage by the end of the ‘wash-up’ on 24 May falls and will need to be reintroduced in the next Parliament. The draft bill was criticised for its flexibility towards data sharing in trade and innovation and state surveillance, threatening the adequacy decision granted by the EU. 

US Privacy and AI legislation: A good chunk of future privacy and AI bills has moved forward through state legislatures this past month. This includes the Maryland Age-Appropriate Design Code and other privacy acts, the Colorado Consumer Protections for AI Act, and the Vermont, Minnesota, and Kentucky Consumer Data Privacy Acts. California’s Bill on AI Accountability was read in the state Assembly, and the House of Representatives subcommittee advanced the American Privacy Rights Act Discussion Draft. 

Worldcoin on pause in Spain

The Worldcoin project committed to freeze its activity in Spain until the end of the year or until the final approval of its processing activities. The data protection authority of Bavaria, where the company has its main establishment in Europe, is progressing with its investigation and is expected to conclude soon with a final binding decision. Worldcoin uses iris scans for unique identification, with plans to expand towards wider adoption of a global currency on the blockchain, as a TechTarget article explains. The iris structure is used to generate a unique identifying code that is saved on the Worldcoin decentralised blockchain to prevent others from replicating the code.

The biometric data is not stored by the scanning device but is kept in the form of an anonymised ‘IrisHash’.

More enforcement decisions

Failed backup testing: The Danish data protection authority criticised the 2022 breakdown of NemID, in which up to 1.5 million users experienced problems logging in to major public services. The data controller followed its emergency procedure to restore operation from a backup solution. That backup turned out to be unavailable, and the test to establish its viability had last been carried out two years before the collapse. Such tests show whether recovery can be done with the existing guides and procedures, that hardware, software and data work together, and that recovery happens quickly enough, as the consequences usually increase with time.
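A recovery drill of the kind the Danish regulator describes can be scripted so that it runs on a schedule and leaves a record. The script below is an added example, not anything from NemID or from the regulator's decision: it backs up a directory, restores it to a fresh location, compares the restored tree against the original by hash, times the restore against a recovery time objective, and reports whether the previous drill is overdue. The sample data, the 30-second RTO, the one-year test interval and the dates are all constructed for the example.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from datetime import date
from pathlib import Path


def tree_digest(root):
    """One SHA-256 over the relative path and content of every file under root,
    so the original and the restored tree can be compared as a single value."""
    h = hashlib.sha256()
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h.update(p.relative_to(root).as_posix().encode())
            h.update(b"\0")
            h.update(p.read_bytes())
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Write a gzip-compressed tar of source_dir (the 'backup solution' under test)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")


def restore_backup(archive_path, target_dir):
    """Extract the archive into target_dir, refusing unsafe member paths where supported."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(target_dir, filter="data")
        except TypeError:  # Python builds without the extraction-filter backport
            tar.extractall(target_dir)


def recovery_test(source_dir, rto_seconds, last_test=None,
                  max_test_age_days=365, today=None):
    """Run one restore drill and return a report dict.

    integrity_ok  - restored tree is byte-identical to the source
    within_rto    - restore finished inside the recovery time objective
    test_overdue  - the previous drill is older than max_test_age_days (or never ran)
    passed        - integrity_ok and within_rto
    """
    report = {}
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "backup.tar.gz")
        restored = os.path.join(work, "restored")
        os.makedirs(restored)
        make_backup(source_dir, archive)
        started = time.monotonic()
        restore_backup(archive, restored)
        report["restore_seconds"] = round(time.monotonic() - started, 3)
        report["integrity_ok"] = tree_digest(source_dir) == tree_digest(restored)
    report["within_rto"] = report["restore_seconds"] <= rto_seconds
    today = today or date.today()
    report["test_overdue"] = (last_test is None
                              or (today - last_test).days > max_test_age_days)
    report["passed"] = report["integrity_ok"] and report["within_rto"]
    return report


def build_sample_data(root):
    """Constructed sample: a tiny service with a config file and a data directory."""
    root = Path(root)
    (root / "config").mkdir(parents=True, exist_ok=True)
    (root / "data").mkdir(exist_ok=True)
    (root / "config" / "service.conf").write_text("listen=8443\n")
    (root / "data" / "users.csv").write_text("id,name\n1,example\n")


def run_drill():
    """Drill on the sample data, with the previous test dated over two years before 'today'."""
    with tempfile.TemporaryDirectory() as src:
        build_sample_data(src)
        return recovery_test(src, rto_seconds=30,
                             last_test=date(2020, 3, 1), today=date(2022, 6, 1))


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

The drill itself can pass while `test_overdue` is true, which is exactly the situation the decision describes: the restore path was believed to work because it had worked at the time of the last test, and nothing had exercised it since.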

Spreadsheet error: In the UK, the Police Service of Northern Ireland is facing a 750,000 pound fine for failing to protect the personal information of its entire workforce. Personal information, including the surname, initials, rank and role of all 9,483 serving officers and staff, was included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request. The error caused several officers to move house, cut themselves off from family members and completely alter their daily routines because of a tangible fear of threat to life. The cause of the breach was more than a trivial slip: there were insufficient internal procedures and sign-off protocols for the safe disclosure of information.
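A pre-publication check that refuses to release a workbook containing hidden sheets, rows or columns is the kind of sign-off control the PSNI case turned on. The script below is an added example, not part of the ICO's decision or of the original digest: it inspects the XML parts inside an .xlsx container using only the Python standard library and reports anything marked hidden. The two-sheet workbook it builds is a constructed, minimal container (enough for the check, not a complete Excel file), and its sheet names and contents are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the workbook and worksheet parts inside an .xlsx container (SpreadsheetML).
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def tag(name):
    """Namespace-qualified element name as ElementTree expects it."""
    return f"{{{MAIN_NS}}}{name}"


def find_hidden_content(xlsx_bytes):
    """Return (part, finding) pairs for every hidden sheet, row or column in the workbook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iter(tag("sheet")):
            state = sheet.get("state", "visible")  # "hidden" or "veryHidden" when concealed
            if state != "visible":
                findings.append((sheet.get("name"), f"sheet state={state}"))
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            ws = ET.fromstring(zf.read(part))
            cols = [c.get("min") for c in ws.iter(tag("col")) if c.get("hidden") in ("1", "true")]
            rows = [r.get("r") for r in ws.iter(tag("row")) if r.get("hidden") in ("1", "true")]
            if cols:
                findings.append((part, "hidden column(s) from index " + ", ".join(cols)))
            if rows:
                findings.append((part, "hidden row(s) " + ", ".join(rows)))
    return findings


def safe_to_publish(xlsx_bytes):
    """Release gate: True only if nothing in the workbook is hidden."""
    return not find_hidden_content(xlsx_bytes)


def build_sample_workbook(include_hidden=True):
    """Constructed minimal .xlsx container: a visible 'Summary' sheet and a 'Staff' sheet.
    With include_hidden=True the Staff sheet is hidden and carries a hidden column and row."""
    hidden_sheet = ' state="hidden"' if include_hidden else ""
    hidden_attr = ' hidden="1"' if include_hidden else ""
    workbook_xml = (
        f'<workbook xmlns="{MAIN_NS}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Summary" sheetId="1" r:id="rId1"/>'
        f'<sheet name="Staff" sheetId="2"{hidden_sheet} r:id="rId2"/></sheets></workbook>'
    )
    summary_xml = (
        f'<worksheet xmlns="{MAIN_NS}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Headcount</t></is></c></row>'
        '</sheetData></worksheet>'
    )
    staff_xml = (
        f'<worksheet xmlns="{MAIN_NS}">'
        f'<cols><col min="3" max="3" width="14"{hidden_attr}/></cols><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Surname</t></is></c></row>'
        f'<row r="2"{hidden_attr}><c r="A2" t="inlineStr"><is><t>Example</t></is></c></row>'
        '</sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", summary_xml)
        zf.writestr("xl/worksheets/sheet2.xml", staff_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, finding in find_hidden_content(build_sample_workbook()):
        print(f"{part}: {finding}")
    print("safe to publish:", safe_to_publish(build_sample_workbook()))
```

Hidden content is only one way data leaks from a workbook; a release check of this shape is usually paired with a rule that disclosures are exported as flat CSV or PDF, so that pivot caches, formulas referencing other sheets and document metadata never leave the organisation at all.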

Data security


US financial entities: If your business is covered by the FTC’s Gramm-Leach-Bliley Safeguards Rule, an amendment requiring covered companies to report certain data breaches is now in effect. It lists thirteen distinct company categories, including payday lenders, mortgage lenders, finance companies, mortgage brokers, account servicers, cheque cashers, wire transfer businesses, collection agencies, tax preparation organisations, credit counsellors and other financial consultants. Under the amendment, financial institutions must report to the FTC any security breach involving the personal data of at least 500 customers as soon as feasible, and no later than 30 days after discovery.

Big Data

Microsoft vs schools: Microsoft’s 365 Education services violate children’s privacy by shifting the responsibility to school administrations, states the NOYB privacy advocacy group. Digital service providers like Microsoft tend to designate educational bodies as data controllers in their Terms and Conditions. In practice, however, the schools have no control over the applications, their design, or their data operations. In just one example, they cannot satisfy data access requests by individuals because they don’t hold the necessary data.

Malware and data stealing: Law enforcement agencies in the US and EU announced massive operations against some of the most influential cybercrime platforms for delivering ransomware and data-stealing malware. They targeted droppers/loaders (custom-made programs designed to surreptitiously install malware onto a system), which are deployed through email attachments, hacked websites, or bundled with legitimate software. Droppers are typically used in the initial stages of a breach, allowing cybercriminals to bypass security measures and deploy additional harmful programs.

ShinyHunters ransom: Meanwhile, Ticketmaster in the US was hit by a data hack that may affect 560m customers, the Guardian reports. The cybercrime group ShinyHunters reportedly demanded a 400,000 pound ransom to prevent the data from being sold. The unauthorised access was detected in a third-party cloud database environment containing the company’s data. Earlier, Santander bank also confirmed being hacked by the same group. ShinyHunters claimed it had the data of 30m customers along with staff details, 6m account numbers and balances, and 28m credit card numbers, and is demanding a ransom of 1.6m pounds.

The post Data protection digest 18 May – 2 Jun 2024: decentralised clinical research, Meta’s new virtual assistant appeared first on TechGDPR.

Weekly digest Feb 28 – Mar 6, 2022: more EU websites to obtain compliant cookie banner
https://techgdpr.com/blog/weekly-digest-07032022-more-eu-websites-to-obtain-compliant-cookie-banner/
Mon, 07 Mar 2022 09:51:52 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: compliant cookie banner, CEO liabilities, litigation data, virtual currencies

NOYB privacy foundation launches the second wave of complaints against deceptive cookie banners, after the campaign first started last spring: “Another 270 draft complaints were sent to website operators whose banners don’t comply with the GDPR”, the statement on their website says. NOYB also offers guidelines for companies on how to comply, and only files formal GDPR complaints against those who remain non-compliant after a 60-day grace period. Overall, NOYB claims, the first wave of complaints was successful, with more and more websites implementing compliant cookie banners. NOYB also published screenshots of sites and their improved banners, including Nikon, Domino’s Pizza, Unilever and others, available for download. In the coming months, NOYB will continue to review, warn and enforce the law on up to 10,000 websites. It will extend its scope to pages that use Consent Management Platforms (CMPs) other than OneTrust, such as TrustArc, Cookiebot, Usercentrics, Quantcast, etc.

A German court recently ruled that a CEO was personally liable for a data privacy breach after they hired a detective to investigate possible criminal acts by the plaintiff, Technologyquotient reports. Under Art. 82 of the GDPR anyone who suffers non-material damage as a result of a GDPR infringement shall have the right to receive compensation for the damage suffered. In the related case the CEO, on behalf of the defendant company, commissioned a detective to investigate possible criminal acts committed by the plaintiff who had submitted a membership inquiry to the company. The detective’s findings revealed that the plaintiff had been involved in criminal acts. When the company’s shareholders were informed of this, they rejected the membership application. The court ruled that:

  • the CEO hiring a detective violated data protection law and the plaintiff was awarded 5,000 euros in non-material damages;
  • the CEO was personally liable for the data protection violations and the damage claim, alongside the company;
  • it classified the CEO as a data controller, which distinguishes them from an employee who is bound by instructions;
  • since the European Court of Justice has tended to apply a very broad interpretation of “data controller”, it seems likely that other courts will follow suit.

Italy’s Ministry of Economics and Finance has published its recent decree on the registration of service providers on Italian soil for virtual currencies and digital wallets, Data Guidance reports. They will have to register in a special section of the currency exchange register run by the Body for the Management of the Lists of Financial Agents and Credit Brokers (‘OAM’). Legal trading will not be possible without registration. Once the decree comes into force the OAM has 90 days to initiate the system, and companies already operating in Italy or online in the country will have a further 60 days to register. Before the OAM processes any personal data its technical and organizational security measures for personal data will need endorsement by the national data protection authority, ’Garante’.

The US Department of Justice has reportedly knocked a Senate-passed cybersecurity bill as having “serious flaws,” criticizing it over a lack of direct reporting to the FBI. The bill, the Strengthening American Cybersecurity Act, unanimously passed in the Senate on Tuesday night. It would require companies in critical sectors to alert the government of potential hacks or ransomware. The legislation would require cyber incidents to be reported to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, though Justice Department officials argue that agencies should also report to the FBI.

Chinese data security laws increasingly create roadblocks for litigants seeking discovery in US courts, Technology Law Dispatch reports. Two Chinese information security laws, the Data Security Law, DSL, and the Personal Information Protection Law, PIPL, are creating difficulties for parties involved in litigation in the US seeking discovery materials stored in China. Both require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority or otherwise face significant penalties such as fines in the millions of dollars. In particular:

  • The DSL broadly applies to “data processing activities” which include collection, use, processing, transmission, disclosure, and data management, and where “data” includes any record of information in electronic or another form.
  • The DSL applies to extraterritorial data processing activities, as well as activities within China that would be detrimental to its national interests. 
  • Similarly, the PIPL applies to the processing of personal information about individuals in China. 

Official guidance: CoC as data transfer tool and for clinical trials data, direct marketing

The EDPB has adopted final Guidelines on Codes of Conduct (CoC) as tools for personal data transfers. Its executive summary says the GDPR requires controllers and processors to put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that organisations may use under Art. 46 to frame transfers to third countries, introducing, among others, CoC as a new transfer mechanism (Art. 40(3) and Art. 46(2)(e)). Once approved by the competent supervisory authority and granted general validity within the Union by the Commission, a CoC may be used by controllers or processors located in third countries and not subject to the GDPR to provide appropriate safeguards for data transferred to those countries. The guide clarifies the roles of the different actors involved in drafting a code to be used as a tool for transfers, and sets out the adoption process with flow charts.

Meanwhile, the Spanish data protection authority AEPD published, in Spanish, its first CoC on the processing of personal data in clinical trials, DLA Piper reports. The Code was drawn up in collaboration with an association that brings together the majority of pharmaceutical companies established in Spain. It is the first sectoral code of conduct approved in Spain since the GDPR came into force, as well as the first code approved in the EU in this field. Thus, while its territorial scope is limited to Spain, it could become a benchmark at the EU level. The Code applies to sponsors of clinical trials and contract research organizations that decide to adhere to it, and governs the implementation of the GDPR within the scope of clinical trials, as well as in fulfilling the obligations imposed by pharmacovigilance regulations for the detection and prevention of adverse effects of medicines already on the market. It covers:

  • the establishment of protocols facilitating the application of the GDPR;
  • details on the coding of the data;
  • the responsibility of each participant in the clinical trial;
  • the establishment of protocols for the collection of information on possible adverse reactions, depending on who makes the notification; and
  • the establishment of a voluntary, free-of-charge mediation procedure, which allows for an agile response to possible claims made by data subjects against member entities.

The CoC is available in Spanish on the AEPD website.

The German Data Protection Conference, ‘DSK’, published revised guidance, (in German), on the processing of personal data for direct marketing purposes, DataGuidance reports. The guidance supplements information obligations and the conditions for consent, namely:

  • informed consent requires that the type of intended advertising (eg, letter, email, SMS, telephone or fax), the products or services to be advertised and the advertising companies are all mentioned;
  • a separate text or text section without any other content is generally to be used;
  • if the declaration of consent under data protection law is to be given together with other declarations, in particular contractual declarations, in writing or in electronic form, it must be presented in a manner that is clearly distinguishable from the other matters (Art. 7(2) of the GDPR);
  • apart from explicit consent under Art. 9, the GDPR does not contain a standard permission for the processing of special categories of personal data for advertising purposes (it must be examined in each individual case whether conclusions about a person’s health can be drawn from the fact that they are a customer of a certain company in the health sector), etc.

You can read the guidance here.

Enforcement actions: former employees’ email accounts, technical and organisational measures, verification of the processor

The Slovakian data protection authority has ruled on two cases where employers failed to deactivate former employees’ email accounts, an Ius Laboris blog post reports. Both cases found that the employers, one in the private and one in the public sector, were in breach of data privacy rules. In the first case:

  • A former manager objected that the employer had not deactivated his email account after the termination of his employment and that it was still active and monitored by another manager within the company. In its defense, the employer used the legitimate interest argument, (protection of the employer’s property, business contacts, client responses).
  • The regulator stated that legitimate interest can be a suitable legal basis for this kind of processing, however, the processing can only be carried out for a necessary period; ten months cannot be considered as necessary.

In the second case, after the termination of her employment, a former employee of a municipality created a fake email account. Subsequently, she used this fake account and sent a question to her municipality’s email. Her goal was to find out whether or not the municipality had deactivated this email account. Once she received an answer, and thus had proof of a possible breach of the GDPR, she filed a complaint with the regulator:

  • The municipality claimed that the former employee had failed to hand over her agenda properly (communication with various state authorities, social security agencies, health insurance companies, rental apartment agendas). 
  • The municipality was therefore obliged to monitor this email account to prevent itself from being held liable for potential damages or unlawful conduct.
  • The regulator found an absence of proof of a demonstrable legal basis for the above processing activities.

The Polish data protection authority, UODO, ordered a record-breaking penalty, (approx. 1 mln euros), on “Fortum Marketing and Sales Polska” for failure to implement appropriate technical and organisational measures ensuring the security of personal data, and for failure to verify the processor, who was also fined approx. 50,000 euros. After analyzing the notification of a personal data breach from the company, the supervisory body initiated ex officio administrative proceedings. Here are some facts from the case:

  • The data breach consisted of the copying of the controller’s client data by unauthorized persons.
  • It happened while changes were being introduced in the ICT environment.
  • The change was made by the processor with which the controller cooperated on the basis of concluded contracts, including data processing agreements.
  • During the changes, an additional customer database was created.
  • This database was copied by unauthorized persons because the server on which it was deployed did not have properly configured security.
  • The controller learned about the incident not from the processor, but from two independent Internet users.

Moreover, the security functions were not tested in the course of the work carried out. The processor acted inconsistently with commonly known ISO standards and, at the same time, against the provisions of its own security policy. The processor also failed to comply with the data processing agreement, in which it undertook, inter alia, to implement pseudonymisation of data as a mechanism guaranteeing an appropriate level of data security.

Individual rights: health apps data

Privacy International published a ‘long-read’ on how health apps could exploit users’ data: “Digital health apps of all kinds are being used by people to better understand their bodies, their fertility, and to access health information. But there are concerns that the information people both knowingly and unknowingly provide to the app, which can be very personal health information, can be exploited in unexpected ways”. Key findings of the report are:

  • Apps that support women through pregnancy are one example where data privacy concerns are brought sharply into the spotlight.
  • Reproductive health information is highly sensitive, and the implications of services that do not respect that fact can be serious.
  • Apps that are taking on the responsibility of collecting that data need to take it seriously – but as PI has repeatedly found, many don’t, (eg, this includes the involvement of the DPO, availability of privacy policies, difficulties with anonymisation of health data, and more). 

Big Tech: anti-AI discrimination law, identity proofing systems

Starting from March, China outlaws algorithmic discrimination, Wired reports. Under the new rules, companies will be prohibited from using personal information to offer users different prices for a product or service. The regulations, known as the Internet Information Service Algorithmic Recommendation Management Provisions, were drafted by the Cyberspace Administration of China, a powerful body that enforces cybersecurity, internet censorship, and e-commerce rules. Among other things, they prohibit fake accounts, manipulating traffic numbers, and promoting addictive content. They also provide protections for delivery workers, ride-hail drivers, and other gig workers. Companies that violate the rules could face fines, be barred from enrolling new users, have their business licenses pulled, or see their websites or apps shut down. However, some elements of the new regulations may prove difficult or impossible to enforce, (eg, it can be technically challenging to police the behavior of an algorithm that is continually changing due to new input).

America’s Internal Revenue Service (IRS) says taxpayers will no longer have to provide facial scans to the private identity proofing system ID.me to create an online account at irs.gov, KrebsOnSecurity reports. All biometric data already held by ID.me will be destroyed, and any collected to create new accounts in the future will be destroyed once the account is operational. ID.me will now offer the option of a live video interview, while the IRS is also rolling out Login.gov, already used by 28 other government agencies. Critics say this federal system provides excellent digital identity security and should be a core government service, but is underfunded and under-resourced.

The post Weekly digest Feb 28 – Mar 6, 2022: more EU websites to obtain compliant cookie banner appeared first on TechGDPR.

Weekly digest Jan 31 – Feb 6, 2022: UK international data transfer agreement imminent
https://techgdpr.com/blog/weekly-digest-07022022-uk-international-data-transfer-agreement-imminent/
Mon, 07 Feb 2022 09:37:50 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK IDTA, EU Clinical Trials Regulation, digital surveillance and international law

The implementation of the UK (post-Brexit) international data transfer agreement (IDTA) entered its final stage after being laid before Parliament. If no objections are raised, the IDTA, the Addendum to the EU Commission’s Standard Contractual Clauses, and the transitional provisions come into force on 21 March. All the documents will be immediately usable by organisations to comply with Art. 46 of the GDPR when making restricted transfers from the UK to countries not covered by adequacy decisions. The IDTA and Addendum replace the current standard contractual clauses for international transfers. They also take into account the binding judgment of the CJEU in the case commonly referred to as “Schrems II”, which invalidated the EU-US data transfer framework. Read more on UK restricted transfers, including a checklist with various examples and exemptions for organisations, here.

The EU Clinical Trials Regulation, enacted back in 2014, took effect on 31 January. It repealed the Clinical Trials Directive and national implementing legislation in the EU Member States. Under the Regulation, clinical trial sponsors can use the Clinical Trials Information System (CTIS) from 31 January, but are not obliged to use it immediately, in line with a three-year transition period. The CTIS provides a single-entry point for clinical trial application submission, authorisation and supervision in the EU/EEA while ensuring the highest levels of protection and safeguarding the integrity of the data generated from the trials. Recently the European Federation of Pharmaceutical Industries and Associations also confirmed that its GDPR Code of Conduct on Clinical Trials and Pharmacovigilance had progressed to the final phase of review by Data Protection Authorities prior to formal submission to the EDPB for approval.

Privacy International published an updated analysis of international law and digital surveillance, prompted by the rapid development of the technological capacities of governments and corporate entities to intercept, extract, filter, store, analyse and disseminate the communications of whole populations. The 282-page document includes legal updates on UN resolutions, independent expert reports, and the jurisprudence of European and international human rights bodies. The right to privacy is analysed through the lens of legality, necessity, proportionality and adequate safeguards. In particular, it offers a deep dive into: a) the extraterritorial application of surveillance capabilities (intelligence data sharing, adequacy mechanisms, the EU-US data transfer dilemma), b) distinctions in safeguards between metadata and content, c) the right to privacy and the roles and responsibilities of companies, d) encryption, e) biometric data processing, and much more.

Official guidance: GDPR-CARPA, health industry PETs, commercial management data, US Health Breach Notification

The EDPB adopted its opinion, (the first of its kind), on the GDPR-CARPA nationwide certification scheme submitted by the Luxembourg Supervisory Authority CNPD. It is a general scheme, which does not focus on a specific sector or type of processing, but helps data controllers and processors demonstrate compliance with the GDPR. The EDPB believes that organisations adhering to it will gain greater credibility, as individuals will be able to quickly assess the level of protection of their processing activities. After approval by the CNPD, the certification mechanism will be added to the register of certification mechanisms and data protection seals in accordance with Art. 42 of the GDPR. However, the EDPB stresses that GDPR-CARPA is not a certification according to Art. 46 of the GDPR and therefore does not provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations. Read the full report here.

The UK Information Commissioner’s Office, (ICO), invites organisations in the health sector to participate in workshops on privacy-enhancing technologies (PETs). The aim is to facilitate safe, legal and valuable data sharing in the health sector and understand what’s needed to help organisations use these technologies. According to the Director of Technology and Innovation at the ICO, PETs help organisations build trust and unlock the potential of data by putting data protection by design into practice, but their implementation appears to be incredibly slow. The information gathered from the workshops will help the ICO develop updated guidance and advice. It welcomes people from both the private and public sectors, namely: 

  • health organisations and health technology start-ups that aren’t using PETs yet;
  • health or care organisations already using PETs;
  • academic experts and researchers in this field;
  • suppliers of PETs; and
  • legal and data protection experts. (Interested organisations can sign up through this link until 14 February.)

The French regulator CNIL has published two new standards, on commercial management and on the management of outstanding payments. Both provide legal certainty to organizations and allow them to bring their processing of personal data into compliance. The standards are not mandatory: organizations can deviate from their recommendations provided they can justify their choices. The framework applies to the management of orders, delivery, performance of services or supply of goods, management of invoices and payments, unpaid debts, loyalty programs, monitoring customer relations for satisfaction surveys, managing complaints and after-sales service, and carrying out commercial prospecting. Some processing activities are excluded from the standards, such as fraud detection and prevention, and processing carried out by debt management and collection organizations. They also do not cover the scoring of outstanding debts, sharing data with or from a third party, etc. Both documents can be read here and here.

The US Federal Trade Commission (FTC) has updated its guidance on the Health Breach Notification Rule, JD Supra reports. For most hospitals, doctors’ offices and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. The Health Breach Notification Rule requires certain organizations not covered by HIPAA to notify their customers, the FTC and, in some cases, the media if there is a breach of unsecured, individually identifiable health information. Makers of health apps, connected devices and similar products must comply with the rule (as a vendor of personal health records (PHRs), a PHR-related entity, or a third-party service provider for a vendor of PHRs or a PHR-related entity). Read more on the definitions of these terms, what to do if a breach occurs, whom to notify and when, and what information to include, in the original publication.

The EDPB published an analysis, at the request of the Spanish data protection regulator AEPD, of the recent 3 mln euro fine on Caixabank (Payments & Consumer). The case concerns a lack of specific and informed consent regarding profiling and decision-making for commercial purposes. The financial establishment and payment institution’s business activities include marketing credit or debit cards, credit accounts with or without a card, and loans through three channels: direct, through an agent, or through prescribers (points of sale that collaborate with it, for example IKEA). In the framework of its commercial activities, Caixabank builds profiles for the following purposes:

  • Analyzing the risk of default upon application for a product.
  • Analyzing the risk of default during the application for a product.
  • Selecting target audience.

Consent is requested through the various prescriber and agent channels for study and profiling purposes. In this case, the data subject was given only generic information about the different profiling operations and could not know exactly what processing they were consenting to. Nor was there any way for the data subject to express a choice for each of the purposes for which the data are processed. The controller must also bring its processing operations into compliance with the GDPR within six months of the decision.

The AEPD has also fined Vodafone 3.9 mln euros for accountability and security failings, (Art. 5 of the GDPR), Data Guidance reports. Several customers lodged complaints with the AEPD as victims of fraud carried out through duplicates of their SIM cards. The criminals reportedly obtained replicas of the data subjects’ SIM cards from Vodafone, then used them to make bank transfers from online banking services and to conclude contracts at the expense of those affected. The investigation found that Vodafone:

  • had not properly checked the identity of the fraudsters before issuing the replacement SIM cards;
  • was unable to prove that it had verified the identity of the person requesting the duplicate, the invoices issued, or the effectiveness of the measures implemented;
  • allowed any person holding a data subject’s basic personal data to bypass its security policy and obtain a replica of that person’s SIM card;
  • attributed the SIM duplications to human error, which pointed to a deeper organisational problem and a failure to foresee the risks;
  • left data subjects without control over their personal data, since a SIM card gives access to apps and services that authenticate, or allow password recovery, via SMS. The full decision is available in Spanish.

The Greek data protection authority imposed fines totalling 9.2 mln euros on telecommunications companies for personal data breaches and unlawful data processing. The regulator investigated the circumstances in which the breaches took place, the lawfulness of the record-keeping, and the security measures applied. A leaked file contained subscribers’ traffic data and was retained for 90 days from the date of the calls in order to handle problems and malfunctions. At the same time, the file was also “anonymised”, (in fact pseudonymised), and kept for 12 months, after being enriched with additional simple personal data, to draw statistical conclusions about the optimal design of the mobile network. The companies were found responsible for a poor data protection impact assessment, poor anonymisation, inadequate security measures, insufficient information to subscribers, and failure to allocate the GDPR roles between the collaborating companies (COSMOTE/OTE).

The Belgian data protection authority has found that the Transparency and Consent Framework (TCF), developed by Interactive Advertising Bureau (IAB) Europe, fails to comply with a number of provisions of the GDPR. The TCF is a widespread mechanism that facilitates the management of users’ preferences for online personalised advertising, and which plays a pivotal role in so-called Real Time Bidding. When users access a website or application with advertising space, technology companies representing thousands of advertisers can instantly bid behind the scenes for that advertising space through an automated algorithmic auction system, in order to display targeted ads. The draft decision was examined within the cooperation mechanism of the GDPR, (the one-stop shop mechanism), and was approved by all concerned authorities representing most of the thirty countries in the EEA. IAB Europe now has two months to present an action plan to bring its activities into compliance.

Individual rights: blocking user tracking methods

The French regulator CNIL published a user-oriented guide, (in French), on new online tracking methods and how to protect yourself from them. Cookies are not the only means used to track your online activity. Web players increasingly use alternatives such as:

  • device fingerprinting, which combines the technical information exposed by your computer, phone or tablet (language preference, screen size, browser type and version, hardware components, etc.), sometimes together with the IP address, into an identifier unique enough to recognise you again without storing anything on the device;
  • tracked links and web beacons (one of the most common is a web beacon inserted in an email to find out whether the recipient has opened it);
  • unique identifiers derived from data you provide, most often your e-mail address: when you give it, for example to register on a site or for a newsletter or to place an order online, it is hashed to generate an identifier, and the same hash is produced wherever the same address is entered.

The main countermeasures either block the technique itself or block the provider that uses it (eg, blocking the domains that serve these techniques, cleaning tracking parameters from links, blocking web beacons by not loading remote images, browser extensions, disposable email addresses, etc.).
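The second and third techniques, and the corresponding countermeasures, are easy to make concrete. The following is an added example and not code from the CNIL guide: it scans a constructed HTML newsletter for a web beacon and a tracked link, strips the tracking parameters from the link, and shows that the hashed e-mail identifier is stable across sites yet trivially reversed by anyone who holds a list of addresses (which is why it is pseudonymous, not anonymous, the same distinction the Greek authority drew above). The message body, domains and parameter names are all constructed for illustration.

```python
"""Added example, not from the CNIL guide: spotting web beacons and tracked
links in an HTML email, cleaning tracking parameters out of a link, and
showing why a hashed e-mail address is pseudonymous rather than anonymous.
The sample message, domains and parameter names below are constructed."""
import hashlib
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed newsletter body: a visible logo, two links (one with tracking
# parameters) and a hidden 1x1 pixel whose URL carries a per-recipient id.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://cdn.example.org/logo.png" width="200" height="60">
<p>See our <a href="https://shop.example.org/sale?utm_source=newsletter&amp;utm_campaign=march&amp;mc_eid=9f1e2d3c&amp;page=2">offers</a>
and our <a href="https://shop.example.org/about">about page</a>.</p>
<img src="https://track.example.net/open.gif?rid=9f1e2d3c" width="1" height="1" style="display:none">
</body></html>
"""

# Query parameters that exist only to attribute a click to a recipient/campaign.
TRACKING_PARAM_PREFIXES = ("utm_", "mc_", "fbclid", "gclid", "msclkid", "_hsenc", "_hsmi")


class _EmailScanner(HTMLParser):
    """Collects <img> attribute sets and <a href> values from the message."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[dict] = []
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.images.append(attrs)
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def _scan(html: str) -> _EmailScanner:
    scanner = _EmailScanner()
    scanner.feed(html)
    return scanner


def _is_tracking_param(name: str) -> bool:
    return name.lower().startswith(TRACKING_PARAM_PREFIXES)


def find_web_beacons(html: str) -> List[str]:
    """Image URLs that look like open-tracking pixels: tiny or hidden images
    whose URL carries a query string (the per-recipient identifier)."""
    beacons = []
    for img in _scan(html).images:
        tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
        hidden = "display:none" in re.sub(r"\s", "", img.get("style") or "").lower()
        if (tiny or hidden) and urlparse(img["src"]).query:
            beacons.append(img["src"])
    return beacons


def find_tracked_links(html: str) -> List[str]:
    """Link URLs whose query string contains a known tracking parameter."""
    tracked = []
    for href in _scan(html).links:
        params = parse_qsl(urlparse(href).query, keep_blank_values=True)
        if any(_is_tracking_param(name) for name, _ in params):
            tracked.append(href)
    return tracked


def clean_link(url: str) -> str:
    """'Link cleaning': drop tracking parameters, keep functional ones."""
    parts = urlparse(url)
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if not _is_tracking_param(n)]
    return urlunparse(parts._replace(query=urlencode(kept)))


def email_identifier(email: str) -> str:
    """The 'unique identifier' the guide describes: an unsalted SHA-256 of the
    normalised address. Every site hashing the same way gets the same value,
    which is precisely what makes it usable for cross-site tracking."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def recover_email(identifier: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: whoever holds a list of addresses (a customer file,
    a leaked mailing list) can re-identify the hash, so it is pseudonymous
    personal data under the GDPR, not anonymous data."""
    for candidate in candidates:
        if email_identifier(candidate) == identifier:
            return candidate.strip().lower()
    return None
```

A mail client that refuses to load remote images defeats the beacon (the request carrying `rid=` is never made); a link cleaner applied before navigation defeats the tracked link; nothing on the user's side defeats the hashed identifier once the address has been handed over, which is why the guide suggests disposable addresses.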

Big Tech: supermarket age verification system, mental health helpline

Technology used in checkout-free supermarkets is being trialled to identify underage drinkers in several UK supermarket chains, BBC Tech reports. Designed to cut queueing time, the automated age verification system, which requires the customer’s consent, uses an algorithm to estimate how old they are, trained on a sample of 125,000 faces aged six to sixty. If it judges them to be under 25, ID is required at the till. The maker, Yoti, claims that on average the estimate is accurate to within 1.5 years for 16 to 20 year-olds. Yoti stresses that this is not facial recognition, which tries to match individual faces to those in a database, and that the system does not retain the images it takes.

US-based mental health helpline Crisis Text Line, (CTL), is ending its data sharing with the AI customer-support company Loris.ai, Politico and BBC Tech report. Nonprofit CTL, a giant in its field, says it has “the largest mental health dataset in the world”. However, it spun Loris.ai off as a for-profit venture, and Loris used the data to create and market customer service software. One CTL board member now says they were “wrong” to share the data with Loris, even anonymised, and transfers have been stopped. CTL insisted that initial responses to calls for help included a consent feature and that it was ‘transparent’ about data sharing. Critics, however, questioned the validity of that consent in many cases, given the state of mind of people contacting a crisis line.

The post Weekly digest Jan 31 – Feb 6, 2022: UK international data transfer agreement imminent appeared first on TechGDPR.

Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy
https://techgdpr.com/blog/weekly-digest-07122021-data-volunteerism-two-factor-authentication-cookie-deluge-remote-clinical-trials/
Tue, 07 Dec 2021 08:00:49 +0000

The post Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Commission approved the political agreement reached between the EU Parliament and EU Member States on a European Data Governance Act. Three-way negotiations have now concluded, paving the way for final approval of the legal text. The Data Governance Act will create the basis for a new system of data governance in accordance with EU rules, the GDPR, and consumer protection and competition rules. More data will be available and exchanged in the EU, across sectors and Member States. It aims to boost data sharing and the development of common European data spaces, such as manufacturing or health, as announced in the European strategy for data. The regulation includes:

  • increasing trust in data sharing in order to lower costs, 
  • allowing novel trustworthy data intermediaries for data sharing,
  • facilitating the reuse of certain data held by the public sector, (eg, health data for clinical research of rare or chronic diseases),
  • allowing users control over the data they generate, (eg, data volunteerism, when companies and individuals make their data available for the wider common good under clear conditions).

On 1 December, a new law regulating data protection and privacy in telecommunications and telemedia, (TTDSG), came into effect in Germany. It contains updated provisions on digital legacy, privacy protection for terminal equipment and consent management. For example, it aims to stem the cookie deluge and give website visitors more control over the data a website collects. It also intends to bring clarity to the regulatory jungle of the GDPR, the ePrivacy Directive, the German Telemedia Act and the German Telecommunications Act, Herbert Smith Freehills LLP reports. Other key takeaways for companies from the TTDSG are:

  • All technologies except those that are “strictly necessary” may only be activated on the basis of explicit consent, (eg, marketing cookies, local storage or other storage on users’ devices).
  • The scope of the consent requirement has been extended, (eg, storing information on a user’s device is subject to consent even where that information is not personal data).
  • The TTDSG also applies to apps, messenger services, smart home devices, and the IoT.

EU Member States may allow consumer protection associations to bring representative actions against infringements of the GDPR, according to a CJEU Advocate General. Those actions must be based on infringements of data subject rights derived directly from the regulation. In the related case, the Federation of German Consumer Organisations complained that Facebook Ireland made free games supplied by third parties available in the platform’s App Centre without clear information to users on data processing purposes. The GDPR does not preclude national legislation which allows consumer protection associations to bring legal proceedings on the basis of unfair commercial practices and consumer protection. In the AG’s view, ”Member states may provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement confers subjective rights on data subjects”.

The Irish Council for Civil Liberties, the ICCL, has launched a formal complaint against the EU Commission before the European Ombudsman. The complaint has two components:

  • The Commission has failed to properly monitor the application of the GDPR, and
  • has neglected to act against Ireland’s failure to properly apply the GDPR.

The ICCL revealed that 98% of Ireland’s major cross-border cases remain unresolved. As a result, EU enforcement against Google, Facebook, Microsoft, Apple, and other Big Tech is paralysed. The Data Protection Commissioner is the “lead supervisory authority” under the GDPR for Big Tech firms who have their European headquarters in Ireland. No other enforcer in the EU can intervene if the Irish regulator takes the lead role. The ICCL has repeatedly alerted the Irish Government about its responsibilities, and has testified on this point in Parliament. 

Official guidance

The French CNIL has published updated recommendations on remote quality control of clinical trials, taking into account the current Covid-19 crisis. Quality control, or monitoring, consists of verifying the completeness and accuracy of the data transmitted by investigation centres to sponsors, in order to ensure the reliability of the study results. In particular, a clinical research associate acting on behalf of the sponsor checks the source documents, (medical files, laboratory analysis reports), against the observational data collected by the investigator. Data confidentiality is central to the process, as the person in charge of quality control should only have access to the personal data necessary to perform the checks.

In the current health context, the CNIL had previously considered that no authorisation request needed to be filed with it when remote monitoring was implemented. It was the responsibility of data controllers and their processors to document the solutions they chose during this period and to be able to demonstrate that these offered sufficient guarantees for the rights and freedoms of the persons concerned. However, all studies initiated from 1 January will require the filing of an authorisation request with the CNIL. For ongoing studies, the information note must be updated and provided to the persons concerned, (directly, by post, or by telephone), and the patient’s non-objection documented in their medical file. The medical file of a person who has objected cannot be subject to remote quality control.

“Two protections are better than one!” The CNIL has also published guidance on two-factor authentication: “Banking, e-commerce, electronic messaging, social networks: everyone has personal accounts on many websites. Each of them contains personal data, some of which are particularly sensitive”. In two- or multi-factor authentication, “what you know”, (a password), is combined with “what you have”, (a single-use code, a USB token, a smart card). Since the end of 2019, banks and payment service providers in the EU have had to implement multi-factor authentication for most remote actions, (adding a transfer beneficiary, ordering chequebooks, changing an address). The CNIL recommends activating multi-factor authentication whenever a service offers it, even though some factors remain vulnerable to sophisticated attacks such as real-time phishing, interception of SMS messages containing authentication codes, or SIM swapping.
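What a “single-use code” is, and why the CNIL’s caveat about real-time phishing holds, can be shown with the algorithm authenticator apps use. The following is an added example, not code from the CNIL or from any bank: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, checks itself against the published RFC 6238 test vectors, and then plays through a code relayed by a phisher. The timings of the “phisher” are constructed.

```python
"""Added example, not from the CNIL guidance: RFC 4226/6238 one-time codes
as used by authenticator apps, checked against the RFC 6238 test vectors,
plus a demonstration of the real-time phishing caveat: a relayed code is
indistinguishable from the legitimate one while it is still valid."""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret for the SHA-1 vectors (ASCII "1234567890" x2).
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.
    Constant-time comparison so the check does not leak matching digits."""
    counter = unix_time // step
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + skew, digits), code):
            return True
    return False


def relay_attack_succeeds(secret: bytes, captured_at: int, delay_seconds: int,
                          step: int = 30, window: int = 1) -> bool:
    """Real-time phishing: the attacker's fake login page captures the victim's
    current code at `captured_at` and submits it to the real service
    `delay_seconds` later. Nothing in the code binds it to the site the user
    typed it into, so the service accepts it whenever the code is still valid."""
    phished_code = totp(secret, captured_at, step)
    return verify_totp(secret, phished_code, captured_at + delay_seconds, step, window=window)


if __name__ == "__main__":
    print("RFC 6238 vector T=59:", totp(RFC6238_SECRET, 59, digits=8))
    print("relayed after 20 s accepted:", relay_attack_succeeds(RFC6238_SECRET, 1000000005, 20))
    print("relayed after 60 s accepted:", relay_attack_succeeds(RFC6238_SECRET, 1000000005, 60))
```

The relay succeeds because the code only proves that the submitter holds the secret, not which site they are talking to; a code read from an intercepted SMS, or delivered to a fraudulently duplicated SIM as in the Vodafone case above, is accepted for exactly the same reason. Factors that bind the response to the origin, such as FIDO2/WebAuthn security keys, are what close this gap, which is why the CNIL lists the USB token separately from the single-use code.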

Data breaches, investigations and enforcement actions

The UK Information Commissioner’s Office, (ICO), fined EB Associates Group 140,000 pounds for over 107,000 illegal pension cold calls. The Government banned the practice in 2019 to try and stop people being scammed out of their life savings. The ICO has ordered EB Associates to stop making further illegal calls or face court action. EB Associates did not have the valid consent – freely given, specific and informed – to instigate the making of these calls. Instead, EB Associates contracted the lead generators, (and paid up to 750 pounds for the referrals), to make the calls, knowing the cold calling ban was in place, in order to try and bypass the law.

The ICO has also fined the Cabinet Office 500,000 pounds for disclosing the postal addresses of the 2020 New Year Honours recipients online. The Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information. In 2019 the Cabinet Office published a file on the governmental website containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions as well as celebrities across the UK were affected. After becoming aware of the data breach, the Cabinet Office removed the web link to the file. However, the file was still cached and accessible online to people who had the exact webpage address. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The Italian regulator Garante sanctioned a public transportation company over remote monitoring of workers. An employee complained about the monitoring of staff through the telephone management system of the call center dedicated to customer care. The company had justified the use of these technological tools with the need to verify the quality standards and manage any complaints, specifying that it had informed the workers and trade unions. Following an inspection, it emerged that the employees had not in fact been adequately informed. Furthermore, this system was not limited to the management of telephone calls, but also allowed the recording, replaying of telephone calls and the storage for an unspecified time of other information, such as the duration of the telephone calls, numbers contacted, date and time of the call. Considering the collaboration offered by the company, and immediate deactivation of the system, the authority applied a fine of 30,000 euros.

Spanish regulator AEPD imposed a fine of 20,000 euros on a business support services company for violating Art. 5 of the GDPR through the unlawful use of fingerprints to control access to changing rooms and toilets. The investigation was initiated following a complaint against the installation of fingerprint readers at workplace entrances and exits. Fingerprints are biometric data under Art. 4 of the GDPR and a special category of personal data under Art. 9. The use of fingerprints to access changing rooms and toilets was a repeated and continuous unjustified interference with the rights and freedoms of employees, DataGuidance reports.

Romanian regulator ANSPDCP fined a call centre, (data processor), 2,000 euros for violating Art. 29 and 32 of the GDPR. The investigation was initiated following a personal data breach notification submitted by an operator, (data controller). The breach occurred when a call centre employee mistakenly attached, to a message to one of the operator’s clients, an Excel file containing the data of the operator’s Internet Banking customers. It led to the unauthorised disclosure of, or access to, personal data such as e-mail address, username, user ID, telephone number, customer name and customer code of 11,169 individuals. The authority established that the call centre, as a processor acting for the operator, had not taken appropriate measures to ensure that persons acting under its authority with access to personal data processed it only on the controller’s instructions.

In Lithuania, the data protection inspectorate, (VDAI), fined car rental company Prime Leasing UAB 110,000 euros for violating Art. 32 of the GDPR, the obligation to ensure the security of processing. The company’s customers complained that their personal data had been published on a public forum website. The data had been obtained from an unprotected database backup. Prime Leasing had not assessed the associated risk because, it claimed, it was unaware that the file existed in its infrastructure. The VDAI found that the data of 110,302 users had been disclosed, including names, addresses, telephone numbers, emails, personal identification numbers, payment card type, the last four digits of payment card numbers and card expiry dates. According to the inspectorate, the confidentiality of the personal data stored in the file should have been protected by at least one of the following basic security measures:

  • authenticated access to the file, restricted to the company’s employees;
  • access to the repository only from the company’s internal network;
  • storage of the file in encrypted form, (with the encryption keys entrusted only to authorised employees), or proper monitoring of information resources.
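A backup nobody knows about is a backup nobody protects, so the practical first step is to go looking for them. The following is an added example, not from the VDAI decision or from Prime Leasing: it walks a directory tree and reports backup-looking files that fail the inspectorate’s three tests in a checkable form: readable by anyone on the host, sitting inside a web-served directory (reachable by anyone on the internet regardless of file mode), or stored as a plaintext database dump rather than encrypted. The directory layout and file contents are constructed.

```python
"""Added example, not from the VDAI decision: audit a directory tree for
database backups that are world-readable, inside a web-served directory, or
stored unencrypted. Paths and sample contents below are constructed."""
import os
import stat
import tempfile
from typing import Dict, List, Optional

BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar", ".tar.gz", ".tgz", ".zip", ".7z")
# Byte patterns found near the top of unencrypted SQL dumps.
PLAINTEXT_DUMP_MARKERS = (b"-- MySQL dump", b"-- PostgreSQL database dump",
                          b"CREATE TABLE", b"INSERT INTO", b"COPY ")


def _is_under(path: str, parent: str) -> bool:
    path, parent = os.path.realpath(path), os.path.realpath(parent)
    return path == parent or path.startswith(parent + os.sep)


def audit_backups(root: str, served_roots: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Map each backup-looking file under `root` (as a relative path) to the
    list of problems found. An empty list means the file passed all checks."""
    served_roots = served_roots or []
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(BACKUP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # the target is judged where it actually lives
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if any(_is_under(path, served) for served in served_roots):
                problems.append("inside a web-served directory")
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if any(marker in head for marker in PLAINTEXT_DUMP_MARKERS):
                problems.append("plaintext database dump (not encrypted at rest)")
            findings[os.path.relpath(path, root)] = problems
    return findings


def build_sample_tree(base: str) -> None:
    """Constructed layout: an exposed dump under the web root and an encrypted
    archive kept outside it with owner-only permissions."""
    webroot = os.path.join(base, "var", "www", "html")
    private = os.path.join(base, "srv", "backups")
    os.makedirs(webroot, exist_ok=True)
    os.makedirs(private, exist_ok=True)
    exposed = os.path.join(webroot, "customers.sql")
    with open(exposed, "wb") as fh:
        fh.write(b"-- MySQL dump 10.13\nINSERT INTO customers VALUES ('Jane','12345678901');\n")
    os.chmod(exposed, 0o644)
    safe = os.path.join(private, "db-2021-12-01.tar.gz")
    with open(safe, "wb") as fh:
        fh.write(bytes(range(256)) * 4)  # stands in for ciphertext
    os.chmod(safe, 0o600)


def run_sample_audit() -> Dict[str, List[str]]:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_backups(tmp, served_roots=[os.path.join(tmp, "var", "www", "html")])


if __name__ == "__main__":
    for rel, problems in run_sample_audit().items():
        print(rel, "->", ", ".join(problems) or "ok")
```

Run it against a host’s real roots with `audit_backups("/", served_roots=["/var/www"])`; the plaintext check is a heuristic for SQL dumps only, so an unencrypted tarball passes it and should be judged by where it lives and who can read it.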

The Danish data protection agency has published, (in Danish only), a Christmas calendar with 24 “doors” on data protection and security breaches. The first week of December’s cards covered cases relating to health data, webshops and bank hacking, followed by the latest analytics and infographics. Many more doors to open before Christmas Eve!

Opinion

The importance of cybersecurity risk management in private equity, (PE), is analysed by Ropes & Gray LLP:

“As PE firms can potentially hold large amounts of personal data from their portfolio companies, they are not immune from cyber risk. Indeed, the GDPR permits national authorities to fine “undertakings” as a whole, which means that parent companies may be fined for infringements of their subsidiaries.”

According to the analysis, increasing competition for deals limits the time available for pre-deal due diligence, so cyber due diligence in competitive auctions usually takes place post-deal. A recent example: in 2020 the UK data protection authority fined Marriott 18.4 mln pounds over a cyber-attack that exploited a vulnerability in the data processing systems of Starwood, a company Marriott had acquired in 2016. PE firms should therefore test their resilience against realistic mock scenarios they or their portfolio companies might face, such as a supply chain compromise or an extortion-based attack.

Data security

What can starling murmuration teach us about better managing data privacy? Analysis by Gilbert + Tobin lawyers from Australia: “It is not just a pretty stunt; rather, it is an illustration of how optimal outcomes can be produced when intelligence is aggregated and utilised at a group level, an emerging concept known as swarm intelligence”.

Following this idea, machine learning techniques are applied to information shared across a secure, decentralised and privacy-preserving network so that intelligence develops at group level. Individual systems upload the insights they produce to a common network, which incrementally refines a core model that all participants can use; the data itself stays stored locally and only the insights are shared and used centrally. Read more, including a case study on medical applications, in the original publication.
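The mechanism behind “only the insights are shared” is federated averaging. The following is an added example, not code from the Gilbert + Tobin analysis or any product: three hospitals, with constructed data that never leaves their own function, each take a few gradient steps on a tiny linear model and return only the updated parameters; a coordinator averages those into the shared model. The participant names, the data and the learning-rate settings are all assumptions made for the illustration.

```python
"""Added example, not from the cited analysis: federated averaging on a
one-feature linear model. Raw records stay inside local_update(); the
coordinator only ever sees parameter pairs and record counts."""
from typing import Dict, List, Tuple

Record = Tuple[float, float]  # (feature x, label y)
Params = Tuple[float, float]  # (weight w, bias b)

# Constructed local datasets, all consistent with y = 2x + 1 but covering
# different feature ranges, as separate sites would.
CLIENT_DATA: Dict[str, List[Record]] = {
    "hospital_a": [(0.1, 1.2), (0.5, 2.0), (0.9, 2.8)],
    "hospital_b": [(0.2, 1.4), (0.6, 2.2), (1.0, 3.0)],
    "hospital_c": [(0.0, 1.0), (0.4, 1.8), (0.8, 2.6)],
}


def local_update(params: Params, data: List[Record], lr: float = 0.5, epochs: int = 5) -> Params:
    """Runs on the participant's own machine: a few full-batch gradient steps
    on mean-squared error. Only the resulting (w, b) leaves this function."""
    w, b = params
    n = len(data)
    for _ in range(epochs):
        grad_w = sum(2 * (w * x + b - y) * x for x, y in data) / n
        grad_b = sum(2 * (w * x + b - y) for x, y in data) / n
        w -= lr * grad_w
        b -= lr * grad_b
    return (w, b)


def federated_average(updates: Dict[str, Params], sizes: Dict[str, int]) -> Params:
    """Coordinator side: mean of the returned parameters, weighted by how many
    records each participant trained on (the only statistic it learns)."""
    total = sum(sizes.values())
    w = sum(updates[c][0] * sizes[c] for c in updates) / total
    b = sum(updates[c][1] * sizes[c] for c in updates) / total
    return (w, b)


def train_federated(rounds: int = 50, start: Params = (0.0, 0.0)) -> Params:
    """Full loop: broadcast the global model, collect local updates, average."""
    global_params = start
    sizes = {client: len(records) for client, records in CLIENT_DATA.items()}
    for _ in range(rounds):
        updates = {client: local_update(global_params, records)
                   for client, records in CLIENT_DATA.items()}
        global_params = federated_average(updates, sizes)
    return global_params


def predict(params: Params, x: float) -> float:
    w, b = params
    return w * x + b


if __name__ == "__main__":
    final = train_federated()
    print("shared model after 50 rounds: w=%.4f b=%.4f" % final)
    print("prediction for x=0.5:", round(predict(final, 0.5), 3))
```

Keeping raw records at home is necessary but not sufficient: the parameter updates themselves can still reveal training data (membership inference, gradient inversion), so a network that claims to be privacy-preserving adds secure aggregation or differential privacy on top of this loop, and a data protection assessment should ask which.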

Human error is the leading cause of serious data breaches, according to a new report released by New Zealand’s Office of the Privacy Commissioner, (OPC). Since reporting of serious privacy breaches became a legal requirement in the country a year ago, the OPC has seen a nearly 300% increase in privacy breach reporting compared to the same 11-month period the year before. Human error has been the leading cause of serious privacy breaches during this period, (61%), with email error accounting for over a quarter of those breaches. Other types of privacy breaches in human error reporting were accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, and postal and courier errors.

Big Tech

Russia’s  communications regulator Roskomnadzor has filed cases against US tech firms Google and Meta that could see fines imposed on their annual turnover in Russia, Reuters reports. Russian law allows for companies to be fined between 5% and 10% of annual turnover for repeated violations. Court dates for both companies – neither of which immediately responded to a request for comment – were set for December 24. Russia has increased pressure on foreign tech companies, slowing down Twitter since March and routinely fining others for content violations. Google has paid more than 382,000 euros in fines this year. Google, Twitter and Meta have significantly reduced the number of posts prohibited by Moscow on their platforms. Additionally, Russia demanded that 13 foreign and mostly US tech companies be officially represented on Russian soil by the end of 2021 or face possible restrictions or outright bans.

The UK competition authority, the CMA, is ordering Facebook to sell Giphy, citing risks to users’ data. Facebook, the largest provider of social media sites and display advertising in the UK, acquired Giphy, the largest provider of GIFs, in 2020. The merger would further increase Facebook’s dominance, and Facebook would benefit from Giphy’s data collection practices and its integration with other services. Through Giphy, Facebook could limit the ability of rival apps to compete with it in social media and could demand individuals’ data as a condition for rival companies to use Giphy. In particular, through the acquisition, Facebook would potentially be able to:

  • obtain users’ personal data processed via Giphy and combine it with the vast amount of data it already processes to profile users and predict their behaviour;
  • increase the categories of personal data collected by modifying Giphy’s API;
  • impose on clients, (including Facebook’s competitors in the social media market), conditions for the use of Giphy that prevent those clients from protecting their users’ data;
  • increase its capacity to deliver targeted ads to Giphy’s users and to internet users outside Facebook’s own platform and services through increased tracking.

The Australian Competition and Consumer Commission is also reviewing the Facebook/Giphy merger.

Facebook plans to force more at-risk accounts to use two-factor authentication. The platform joins Google and others in requiring stronger protections for its most vulnerable users. Facebook’s parent company, Meta, has required since last year that advertising accounts and administrators of popular pages turn on two-factor authentication. “While Meta says that its current initiative applies only to the politicians, activists, journalists, and others enrolled in its Facebook Protect program, this seems like a sort of test for figuring out how to make two-factor authentication as easy as possible for everyone to turn on. Meta is also working to make sure it can help troubleshoot any related issues that may arise for users around the world”, Wired reports.

