US law Archives - TechGDPR https://techgdpr.com/blog/tag/us-law/ Tue, 10 Feb 2026 09:35:11 +0000 en-US
Does the GDPR apply to my US company? https://techgdpr.com/blog/does-the-gdpr-apply-to-my-us-company/ Tue, 10 Feb 2026 09:35:09 +0000

The post Does the GDPR apply to my US company? appeared first on TechGDPR.

Introduction

The usual assumption of most US businesses is, “the GDPR is an EU regulation, hence it does not impact my organisation.” This belief frequently creates unnecessary risk. The US equivalent of this misconception would be a company registered in Texas assuming its services fall outside the scope of the CCPA.

The GDPR has extraterritorial effect: it applies to, and in practice regularly does affect, organisations established outside the European Union.

Note that since Brexit the UK has retained the GDPR’s provisions but adapted them to its own body of law. The result, known as the UK GDPR, adds a small additional layer of complexity for transfers of data out of the UK. For simplicity, the term GDPR in this article also covers the UK GDPR.

What is the GDPR and why it has global reach

The GDPR is the EU’s General Data Protection Regulation (and, in its adapted form, the UK’s). It protects the personal data of individuals who are in the European Union, gives rights to the data subjects (the individuals the data relates to) and lays down obligations for the organisations processing that data. Its territorial scope is broad: it can apply to organisations outside the EU when certain conditions are fulfilled.

A US company falls under the GDPR if it is:

  1. Offering goods or services to data subjects in the European Union (EEA and UK)

This trigger applies irrespective of whether a payment is required. The EDPB treats the following as indicators that a business intends to target an EU audience; one factor on its own (such as an English-language site run from the US) is rarely decisive, but a combination of them is:

  • Shipping physical goods to, or providing access to digital services in, a member state of the EU/EEA/UK;
  • Accepting payment in a European currency such as euros;
  • Running marketing campaigns directed at email recipients in the EU/EEA/UK; and
  • Offering a website or service in a language widely spoken in the EU/EEA/UK.

  2. Monitoring the behaviour of users in the European Union

This trigger is highly relevant to digital-first companies today. If your business tracks or profiles users in the European Union, the GDPR will most likely apply. This includes practices such as:

  • Tracking European Union website and app users with analytics tools;
  • Placing cookies or other tracking tags on the devices of users in the European Union, which additionally triggers requirements under the ePrivacy Directive and national implementing laws; and
  • Running targeted advertising campaigns at users within the European Union on the basis of their online behaviour.

Article 3(2) of the GDPR expressly sets out these two conditions. The European Data Protection Board details them in its Guidelines 3/2018 on territorial scope and, for the interaction with international transfers, in Guidelines 05/2021. Being registered outside the EU does not by itself take a business out of scope.

What constitutes personal data under the GDPR?

The GDPR defines personal data as any information relating to an identified or identifiable natural person. This definition is deliberately broad and covers considerably more than the concept of “personally identifiable information” (PII) used in other jurisdictions. Any organisation needs to understand what falls under this definition in order to determine its compliance obligations.

Personal data includes, but is not limited to:

  • Direct identifiers: a person’s name, email address, physical address or telephone number;
  • Online identifiers: IP addresses, browser cookies and device identifiers (MAC addresses, IMEIs, …);
  • Pseudonyms: user IDs, vehicle identification numbers (VINs), randomly chosen usernames, hashed identifiers and the like;
  • Metadata in context, such as timestamps;
  • Special categories of data: biometric data such as fingerprints or facial recognition templates. Sensitive data is addressed in Art. 9 of the GDPR and in our blog article on the differences between PII and personal data;
  • Other information: video or photo recordings and an individual’s location data;
  • IoT data associated with a device’s purchaser, owner, user, maintenance person, etc.

If your organization collects any of this information from individuals in the European Union, it is processing personal data and must assess its compliance obligations under the GDPR.

What if my business doesn’t comply?

Non-compliance with the GDPR can result in severe financial and reputational losses. Supervisory authorities can impose administrative fines in two tiers, in each case whichever amount is greater:

  • Tier 1 (Art. 83(4)): up to €10 million, or 2% of the company’s total worldwide annual turnover in the preceding financial year;
  • Tier 2 (Art. 83(5)): up to €20 million, or 4% of the company’s total worldwide annual turnover in the preceding financial year.

Enforcement is a legitimate concern for US companies. For example, Clearview AI, a US-based firm, was the subject of enforcement action and fines by multiple EU data protection authorities for processing EU individuals’ personal data without a lawful basis.

Along with fines, organizations can anticipate loss of customer trust, damage to their reputation, and legal restrictions on their data processing activities. Enforcement action against household names demonstrates that regulators are willing to act against organizations outside the European Union when the GDPR applies. 

A simple checklist for your U.S. company

To allow you to consider at a glance whether the GDPR applies to your business, ask yourself the following questions:

  • Does your company’s website, app, or service deliver goods or services to individuals in the European Union?
  • Do you use instruments that monitor the online behavior of individuals in the European Union?
  • Does your company process the personal data of any of your staff members working in the European Union?
  • Do you use any vendor or service provider to carry out any of that processing on your behalf?

If you answered yes to any of these queries, then it is highly likely your company is subject to the GDPR.

Real-life examples of when the GDPR applies

  • An online store in the United States accepting payment in euros and shipping goods to customers in the European Union;
  • A company processing payroll for a remote employee working in the European Union;
  • A marketing company running targeted campaigns aimed at audiences within the European Union.

Conversely, a strictly internal website with no European customer targeting and only incidental EU visits generally will not be subject to the GDPR.

Special Case: United States companies with EU-Based employees

Processing the personal data of employees located in the European Union triggers GDPR obligations. Examples are maintaining personnel records, processing sensitive information and monitoring work performance. Merely paying an employee in the European Union, without further data processing, may not by itself trigger the full set of GDPR compliance requirements, so HR processes need to be reviewed carefully. See our blog article on how the GDPR affects HR data for non-EU companies for further information.

Your next steps toward compliance

If your business is subject to the GDPR, it is essential to be proactive about compliance.

  • Carry out a data mapping exercise: this feeds the Records of Processing Activities required by Art. 30 of the GDPR. Record all personal data your organisation collects and processes, the purposes, and where it is stored;
  • Determine a lawful basis for every processing activity: this is the documented legal justification for collecting and using personal data, for example the individual’s consent, necessity for a contract with the individual, a legal obligation under EU or member state law, or your organisation’s legitimate interests;
  • Draft accessible privacy notices: provide an intelligible and easily accessible notice describing what data is collected, for which purposes, how long it is stored and with whom it is shared;
  • Respect the rights of data subjects: enable individuals to exercise their rights under the GDPR, including access, rectification, erasure, restriction and objection;
  • Appoint a Data Protection Officer (DPO) where required: for example when you process special categories of data on a large scale or systematically monitor individuals;
  • Consider an EU representative: a business established outside the European Union may need to designate a representative in one of the member states under Article 27; and
  • Seek expert advice: the GDPR is complex, and a professional GDPR compliance audit is the most reliable route to full compliance.

Conclusion

Whether the GDPR affects an American business is not a matter of physical presence but of whether it has a connection with individuals in the European Union. If your business offers goods or services to individuals in the EU or monitors their behaviour, the GDPR very likely applies to you. The cost of failing to comply can be very high, both financially and in terms of reputation.

All US businesses should conduct an internal review of their data processing operations. If unsure, a professional GDPR compliance assessment gives a clear and defensible path forward.

Data protection digest 3 – 17 Apr 2024: non-material damage dilemma when losing control of your data https://techgdpr.com/blog/data-protection-digest-18042024-non-material-damage-dilemma-when-losing-control-of-your-data/ Thu, 18 Apr 2024 09:32:37 +0000

In this issue: an alternative to the “pay or okay” consent model, the right to compensation for non-material damage, the FISA Section 702 reauthorisation, updates to the GDPR enforcement procedural rules, and AI development and personal data.

Non-material damage under the GDPR

In a recent judgment the CJEU clarified the right of data subjects to compensation for non-material damage. The reference arose in proceedings between a natural person and Juris GmbH concerning compensation for damage the claimant suffered as a result of various processing operations involving his personal data, carried out for marketing purposes despite the objections he had sent to the company. The CJEU confirmed its earlier ruling (MediaMarktSaturn, C‑687/21, 25 January 2024) that an infringement of a GDPR provision conferring rights on the data subject is not, in itself, sufficient to constitute “non-material damage”, irrespective of the degree of seriousness of the harm suffered by that person:

“The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Art. 82 (1) of the GDPR, as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative.”

At the same time, it is not sufficient for the controller, in order to be exempted from liability, to claim that the damage was caused by the failure of a person acting under its authority within the meaning of Art. 29 of the GDPR. The full legal reasoning, as well as the rules on determining the amount of damages due, can be read in the court ruling.

 ‘Pay or okay’ consent model


The EDPB adopted a long-awaited Opinion on Valid Consent in the context of Consent or Pay models implemented by Large Online Platforms. In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they only offer users a binary choice between consenting to the processing of personal data for behavioural advertising purposes and paying a fee. The EDPB underlines that personal data cannot be considered a tradeable commodity, and controllers should consider the need to prevent the fundamental right to data protection from being transformed into a feature that data subjects have to pay to enjoy. 

Thus, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, with a form of advertising involving the processing of less or no personal data. 

GDPR enforcement: new rules, strict deadlines, dispute resolution

On 10 April, the European Parliament adopted amendments to a proposal laying down additional procedural rules for the enforcement of the GDPR. In its 2023 work programme, the Commission announced that it would propose harmonising some national procedural aspects to improve cooperation between national data protection authorities. The MEPs’ amendments include:

  • the right of all parties to equal and impartial treatment regardless of where their complaint was lodged;
  • their right to be heard before any measure is taken that would adversely affect them, and 
  • their right to procedural transparency, including access to a joint case file. 

MEPs want to standardise the procedural deadlines within which a supervisory authority must acknowledge receipt of a complaint and declare it admissible or inadmissible. The authority would then have to determine whether the case is cross-border and which authority should act as lead authority. Draft decisions would have to be delivered within nine months of receiving the complaint, save in certain exceptional situations.

MEPs also want to clarify the rules involving amicable settlements, (consensual, negotiated resolutions to disputes). However, these do not prevent a DPA from starting its own initiative investigation into the matter. Finally, all parties to complaint procedures have the right to effective judicial remedies, for example when DPAs do not take necessary actions or comply with deadlines. 

FISA Section 702 reauthorisation

Last week the US House of Representatives voted to reauthorise Section 702 of the Foreign Intelligence Surveillance Act (FISA) for another two years. The programme is aimed at the communications of non-US persons located abroad, but it also sweeps in the phone conversations and correspondence of US persons who communicate with those targets, and the bill keeps the provision allowing that collected data to be searched for Americans’ communications without a warrant.

Some privacy protections, such as the ban on collecting communications that merely mention a target (rather than being to or from the target), were maintained. However, other amendments, including a broader definition of electronic communication service providers, might widen the reach of Section 702. The measure now goes to the Senate ahead of the statutory expiration of Section 702 on April 19. Further analysis is available from the Lawfare Institute.

More legal updates

Child safety online: On 10 April, the European Parliament endorsed certain derogations to the E-Privacy Directive to combat online child sexual abuse. In particular, MEPs adopted a temporary extension that allows the voluntary detection, by internet platforms, of child sexual abuse material, (CSAM), online. The implementation measures follow strict data protection safeguards pursuant to the GDPR, (legal basis for data processing, data retention policies, restricted data transfers, etc.). The derogation will be extended until 3 April 2026 so that an agreement on the long-term legal framework can be reached. The provisional rules will now have to be formally adopted by the Council before they can become law. 

US privacy legislation: Last week, a bipartisan group of lawmakers in Congress announced a draft federal privacy bill, the American Privacy Rights Act (APRA), which faces months of discussion before any passage. This comprehensive draft promises clear national data privacy rights and protections for Americans, strengthens data minimisation in the commercial sector, curbs large data holders and data brokers, would largely preempt and harmonise the existing state data privacy laws, and establishes new enforcement mechanisms including a private right of action for individuals. The Federal Trade Commission would retain authority to issue further guidance and rules covering a significant portion of the APRA.

Right of access basics 

The Luxembourg data protection authority has published a new illustrative factsheet, (only available in French), on the right of access. Any individual can ask a private or public entity, (the data controller), whether it holds their personal data and obtain a copy of the data processed. This right allows in particular to check whether the data is correct. The organisations can be asked to provide the categories of data processed, retention periods, explanations on how to exercise your rights, the lawful basis for processing, other recipients of your data, data transfers to third countries, data sources, and explanations on decisions made by automated processing or profiling. 

However, the right of access is not an absolute right. The organisation may refuse to provide you with data about third parties in some cases or a confidentiality obligation may be imposed by law. The organisation must respond to the request within one month including the justifications for refusal or possible delays in providing information. If the organisation does not respond, does not meet deadlines or you are not satisfied with its response, you can submit a complaint to the data protection authority. 

AI development and data protection guide

The French data protection authority CNIL has published its first recommendations on the development of artificial intelligence, in a way that respects personal data. The recommendations, (in French only), concern the development of AI systems involving the processing of personal data, (Machine Learning, general purpose AI, systems that are trained “once and for all” or continuously). The points addressed in the initial recommendations make it possible to:

  • determine the applicable legal regime;
  • define a purpose;
  • determine the legal qualification of the actors;
  • define a legal basis;
  • perform tests and verifications in case of data reuse;
  • carry out an impact assessment if necessary;
  • take data protection into account when making system design choices;
  • take data protection into account in the collection and management of data.

More official guidance

Legal basis for customer health data processing: When obtaining data from a person about their health condition, their explicit consent is required – confirms an administrative court in Poland. In the related case, a law firm contacted people injured in traffic accidents to represent them against insurance companies in courts in order to obtain compensation and pensions, as well as reimbursement of treatment and rehabilitation costs. The company obtained information about potential customers based on, among other things, press releases, online publications or content available on social media, as well as information provided or disseminated by organisations engaged in charitable activities. 

Subsequently, when meeting prospective clients, a representative of the law firm obtained only oral consent to the processing of personal data ahead of a possible contract with these persons, and did not record or register it in any way. Nor was the collection of this data necessary for the performance of a contract, because the persons concerned were not yet clients. The data was nonetheless processed for other purposes (e.g. assessing the profitability of concluding a contract with a potential client and possibly contacting that person again).

Recruitment data: The Latvian data protection regulator reminds us that an employer must avoid excessive data processing when selecting applicants. For example, a job advertisement should indicate as specifically as possible what information the employer expects from the candidate, and develop its own CV form. Also, after submitting their data, applicants as data subjects have the right to submit information requests asking for clarification on various aspects related to the processing of their personal data, so the employer must ensure that it is able to respond to such requests. Finally, there must be established procedures for how information obtained during the selection process, including applicants who are not hired, is stored and deleted. 

In the event that, after data collection, the employer concludes that data processing could also be carried out for a purpose different from that originally collected, the employer must assess whether this purpose is compatible with the initial processing, and also ensure that the applicant is informed. If the employer chooses to use the services of recruitment companies to find suitable employees, it is important to determine the role of such service providers and if the company is considered a data processor, an agreement on the data processing must be concluded. 


Avast non-anonymised data fine

Internet security company Avast has contested a fine of approximately €13 million from the Czech data protection authority over the transfer in 2019 of non-anonymised data of 100 million users to its subsidiary Jumpshot. Although Avast stated that it used robust anonymisation techniques, it was shown that at least some of the data subjects using its antivirus program and browser extensions could be re-identified. Moreover, the purpose of processing this data was not (only) to create statistical analyses, as Avast had stated.

In fact, the pseudonymised Internet browsing history was linked to a unique per-user identifier. Jumpshot, among other things, presented itself as a company that made data available to “marketers”, providing them with insight into online consumer behaviour and offering “atomic-level” tracking of user journeys. The decision (a cross-border case under the EU one-stop-shop procedure) comes after a $16.5 million fine from the US Federal Trade Commission and restrictions on selling user data for advertising. Avast, now part of Gen Digital, faces challenges in both the Czech Republic and the US.
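The re-identification risk behind this decision can be shown on a constructed clickstream. The example below is added here and is not Avast’s, Jumpshot’s or the regulator’s code or data: the device IDs, timestamps and URLs are made up, and the rule that a visit to a /in/<name> profile page identifies the visitor is an assumption chosen for illustration. It demonstrates that hashing the device identifier (pseudonymisation) leaves every row from one device linkable, so a single identifying visit re-attaches a name to the whole browsing history, whereas releasing only per-domain counts with no per-user key does not allow that linkage.

```python
import hashlib
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample clickstream (not real data). Each row is
# (device identifier, timestamp, visited URL).
RAW_EVENTS = [
    ("device-0001", "2019-03-01T08:02:11Z", "https://news.example/politics/article-17"),
    ("device-0001", "2019-03-01T08:15:40Z", "https://social.example/in/alice-smith"),
    ("device-0001", "2019-03-01T22:41:03Z", "https://clinic.example/appointments/confirm?id=88213"),
    ("device-0002", "2019-03-01T09:10:00Z", "https://news.example/sport"),
    ("device-0002", "2019-03-02T09:11:30Z", "https://shop.example/cart"),
    ("device-0003", "2019-03-02T11:00:00Z", "https://social.example/in/bob-jones"),
    ("device-0003", "2019-03-02T11:05:00Z", "https://bank.example/login"),
]


def pseudonymise(events):
    """Replace the device identifier with a stable SHA-256-derived token.

    This is pseudonymisation, not anonymisation: the token is the same for
    every row from the same device, so the rows remain linkable to each other.
    """
    out = []
    for device_id, ts, url in events:
        token = hashlib.sha256(device_id.encode()).hexdigest()[:16]
        out.append((token, ts, url))
    return out


def identifying_name(url):
    """Assumed heuristic for the example: a visit to a /in/<name> profile page
    on social.example reveals the visitor's name. Returns the name or None."""
    parsed = urlparse(url)
    if parsed.netloc == "social.example" and parsed.path.startswith("/in/"):
        parts = parsed.path.split("/")
        if len(parts) > 2 and parts[2]:
            return parts[2]
    return None


def reidentify(pseudo_events):
    """Linkage attack: group rows by pseudonym, then let one identifying visit
    name the person behind the whole group. Returns {name: [urls visited]}."""
    by_token = defaultdict(list)
    for token, ts, url in pseudo_events:
        by_token[token].append((ts, url))
    linked = {}
    for token, visits in by_token.items():
        for _, url in visits:
            name = identifying_name(url)
            if name:
                # The entire history under this token is now attributable to `name`.
                linked[name] = [u for _, u in visits]
                break
    return linked


def aggregate_without_identifier(pseudo_events, min_count=2):
    """Mitigation: drop the per-user key entirely and release only per-domain
    visit counts at or above a threshold. With no row-level key there is
    nothing for a later identifying visit to link to."""
    counts = Counter(urlparse(url).netloc for _, _, url in pseudo_events)
    return {domain: n for domain, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    pseudo = pseudonymise(RAW_EVENTS)
    print("re-identified:", reidentify(pseudo))
    print("aggregate release:", aggregate_without_identifier(pseudo))
```

Running the block names both people behind their hashed tokens and lists the clinic and bank visits alongside them, while the aggregate release contains only domain counts. The point for a practitioner is the one the Czech authority made: a consistent per-user key, however it is hashed, keeps the data personal.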

Other enforcement decisions

Biometrics abuse in the workplace: In the UK, dozens of companies, including national leisure centre chains, are reviewing or withdrawing facial recognition and fingerprint scanning used to monitor staff attendance after a clampdown by the Information Commissioner’s Office. In February, the regulator found that the biometric data of more than 2,000 employees had been unlawfully processed at 38 centres managed by Serco Leisure. The ICO’s latest recommendations require companies to consider alternative, less intrusive options than biometric scanning to meet their staff management objectives. In light of the ICO decision, other leisure centre operators such as Virgin Active and 1Life are either reviewing or stopping the use of similar biometric technology, according to The Guardian.

Ransomware attack on a healthcare system: The Italian privacy regulator Garante issued fines on several technical and administrative entities in the Lazio region in proceedings opened after a cyber attack on the regional healthcare system in 2021. The ransomware entered the system through a laptop used by an employee. It blocked access to many health services, preventing, among other things, the management of reservations, payments, collection of reports and registration of vaccinations. Local health authorities, hospitals and nursing homes were unable to use some regional information systems, through which data on the health of millions of patients is processed, for periods ranging from a few days to a few months.

Outdated systems and inadequate management of the data breach failed to mitigate the consequences of the attack: the IT service provider was unable to determine which servers had been compromised, and the malware could not be prevented from propagating further to the numerous healthcare facilities under the umbrella of the data controller (the regional administration).

Audit methodology

The UK ICO conducted a consensual data governance audit of East Surrey College, (ESC). The recommendations by the regulator not only provided the ESC with independent assurance of compliance but also could serve as guidance for other organisations concerning:

  • Data Governance and Accountability, (creating a privacy culture; comprehensive and up-to-date data maps and ROPA; training needs analysis).
  • Records Management, (eg, creating a local-level asset register alongside the ROPA; correct use of attachments, encryption and the security of personal data in transit).
  • Data Sharing, (reviewing, updating and creating data sharing policies, procedures and registers; documenting and appropriately justifying the lawful basis for sharing personal data;  data sharing agreements containing sufficient detail;  documenting and regularly reviewing technical and organisational security arrangements with data sharing parties, etc). 

Data security

Underestimated risks to data subjects: The Dutch data protection authority AP reports that far too many Dutch organisations that suffer cyberattacks fail to notify individuals that their personal information has been compromised. In roughly 70% of cases, organisations underestimate the likelihood of an attack, so the individuals whose data was compromised cannot defend themselves against fraud or other crimes committed with it. Attackers often target IT suppliers that manage large amounts of personal data on behalf of others; however, the organisations that engage those suppliers generally remain responsible, as controllers, if anything happens to the data.

Countering cyber threats: An organisation that takes security measures seriously will not only be able to protect its data but will also be a trusted partner and a role model for others. The Estonian privacy regulator reiterates some simple but important recommendations on how to safely handle personal data in everyday work: 

  • data encryption and pseudonymisation for long-term data storage;
  • strong password rules or at least two-factor authentication;
  • monitoring system activity and detecting unusual activity or requests;
  • an incident response plan that is reasonable and clear;
  • regular training or testing so that employees recognise scams and phishing emails;
  • security audits, testing; 
  • involvement of the data protection specialist;
  • implementation of the information security standards;
  • authorised processor due diligence.

Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’ https://techgdpr.com/blog/data-protection-digest-04072023-rules-on-gdpr-fines-controllers-bcrs-and-right-to-know/ Tue, 04 Jul 2023 08:35:52 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

New rules on GDPR fines: New rules, issued by the EDPB, are now in effect for calculating fines for companies that violate the GDPR. All privacy supervisors in the EU will calculate the size of fines in the same way. The size and turnover of a company will play a major role. Companies can find in the guidelines which amount is used as a starting point for calculating the fine for a particular violation and the severity level for a company of their size. 

US State legislation: Montana, Florida and Texas have joined the ranks of US states enacting comprehensive privacy laws. California, Virginia, Colorado, Utah and Connecticut were the five states with consumer privacy laws in 2022, all of which took effect or were substantially amended in 2023. Earlier this year, Iowa, Indiana and Tennessee passed their own privacy legislation, taking effect by 2025 or 2026. In many cases the new laws require covered entities to honour users’ opt-out preferences and to make particular disclosures about the sale of sensitive personal data or biometric data.

Foreign Surveillance: The White House is putting pressure on to reauthorize an electronic surveillance law that allows the targeted monitoring of foreign individuals. The Foreign Intelligence Surveillance Act’s Section 702 is due to sunset at the end of the year. While the program is designed to acquire information on non-Americans residing outside the US, it also collects information on their conversations with US citizens. Curbing US state surveillance practices is also a cornerstone of the future EU-US Data Privacy Framework, which is now being considered by the EU Commission for adoption. 

Official guidance

Updated BCR-C: The EDPB approved the recommendations on Controller Binding Corporate Rules. All controllers using BCRs must update their rules to comply with the new recommendations, which clarify, among other things, what the controller’s BCRs must contain and what must be presented in the BCR application. The recommendations also include an updated standard application form. All existing BCR holders and applicants must bring themselves into compliance either during the application process or as part of the annual update, depending on their situation. The EDPB is currently drafting corresponding recommendations on BCRs for processors.

Data subject complaints: Another form issued by the EDPB makes it easier for individuals to make complaints to data protection authorities in the EU and EEA. Its use is voluntary for data protection authorities, and they can modify the model to suit their national requirements. The form can be used in cases where a private person files a complaint, or cases where someone else files a complaint, (a legal representative or an entity acting on behalf of an individual).

Age assurance tech: The “Future of Privacy Forum” organisation publishes infographics on age assurance technology. The analysis outlines the three categories of age assurance, their risks and advantages: a) Age declaration, (age gate, parental consent/vouching); b) Age estimation, (facial characterisation and other algorithmic estimation methods based on browsing history, voice, gait, or data points/signals); c) Age verification, (government, biometrics or digital ID). Another report by the organisation looks at verifiable parental consent, a form of age declaration and a requirement of the Children’s Online Privacy Protection Act, and analyses new children’s privacy laws in various US states.

‘Gestiona’ tool: The Spanish data protection agency has launched a new version of its Gestiona tool, aimed especially at small public or private entities, which allows managing records of processing activities, carrying out risk management and, where appropriate, providing support for carrying out impact assessments. The tool now has a more intuitive design and incorporates the latest guidelines. The management is carried out in the user’s own browser, without data being transmitted to the regulator. The information can be stored in a file on the user’s computer and retrieved after each session.

PETs: The UK Information Commissioner’s Office issued guidance that discusses privacy-enhancing technologies in detail. The first part of the guidance is aimed at DPOs, (data protection officers) and those with specific data protection responsibilities in larger organisations. The second part is intended for a more technical audience, and for DPOs who want to understand more detail about the types of PETs that are currently available. It gives a brief introduction to eight types of PETs and explains their risks and benefits, with reference tables and case studies. 

Case Law

‘Right to know’: The CJEU stated that every person has the right to know the date of and the reasons for the consultation of their personal data. In the related case, an employee of a bank, who was also their client, had requested information about the persons who had reviewed his customer information in connection with an internal audit. The bank had refused to disclose the identity of the employees who performed the review but disclosed the reasons and other details. The CJEU states that a person has the right to receive a ‘copy’ of information about the inquiries, such as log data, (eg, it may show the frequency of the review). However, the data subject does not have the right to receive information about the identity of the reviewer, under the authority of the data controller.

DPO’s conflict of interest: In a recent ruling, (not yet published in full), the German Federal Labour Court, (‘BAG’), has decided that the chair of a works council is not eligible to serve as DPO, Ius Laboris Law blog reports. In the case in question, following GDPR instructions, an employer twice dismissed the works council chairman as DPO as a precautionary measure. Before deciding that the revocation of the appointment had been justified, the court had referred the question to the CJEU. 

The CJEU ruled that the roles of works council chair and DPO could not be undertaken by the same individual without creating a conflict of interest. Because the works council decides the aims and means of processing personal data, (as required by applicable laws), the works council chair is unable to supervise data protection law compliance in a sufficiently independent manner. The court clearly left open the question of whether all members of the works council are barred from acting as DPO. However, the conflict of interest considerations may exist for them as well. 

Enforcement decisions

IAB Europe’s TCF update: Interactive Advertising Bureau Europe, (the European-level association for the digital marketing and advertising ecosystem), launched an updated Transparency & Consent Framework in response to industry demand and the Belgian data protection authority action plan. Among changes, the TCF includes revised purpose names and descriptions, new retention periods, the removal of the legitimate interest legal basis for advertising and content personalisation, the introduction of data categories used in conjunction with the purposes, and a more robust vendor compliance program. Participants will have until the end of the third quarter of 2023 to adopt it.

User profiling for direct marketing: The Swedish Privacy Protection Agency issued a sanction of approx. 1 million euros against Bonnier News, because the group profiled its customers and web visitors without their consent. The company, citing legitimate interest as its legal basis, collects information from several different sources for targeted advertising on the web and marketing via physical mail and telephone sales. The data includes information about purchases made in various companies in the group and surfing behaviour. In some cases, this information is also combined with other personal data that is bought in from outside, such as information about the customer’s gender, the household’s car ownership and postcode, as well as statistical information based on the individual’s area of residence such as stage of life, purchasing power and type of residence.

Facial recognition at stadiums: The Danish data protection authority reauthorized Brøndby football club’s use of facial recognition at stadiums for its matches. Brøndby will be able to use images from surveillance cameras to register individuals who violate the rules of order so that such persons can be apprehended when they subsequently try to access the stadium again. The club must ensure it observes the duty of disclosure when collecting the personal data of individuals concerned and provide information that access control is being carried out. The storage period for such data would be for 30 days or even longer. 

Personalised ads: Criteo, which specialises in “behavioural retargeting”, was fined 40 million euros in France for failing to verify an individual’s consent and the fulfilment of data subject rights. The company collects the browsing data of Internet users thanks to its cookie which is placed on their terminals when they visit certain e-commerce websites. The company determines which advertiser and which product would be most relevant to display to a particular user. Then, it participates in real-time bidding to display it. Additionally, when a person exercises their right to withdraw consent or deletion of their data, the process implemented by the company only stops the display of personalised advertisements to the user and does not delete the identifier assigned to the person or erase navigational history. 

E-mail service provider: The Finnish data protection authority has issued a notice to an e-mail service provider, as the company had not offered the user the possibility to transfer their e-mail messages from the service as required by the GDPR. Users of the free version of the e-mail service had the option to manually export their messages one at a time. By contrast, customers who paid for the use of the service were offered tools that made it possible to export messages in bulk. As a rule, the data subject must receive their personal data in a structured, commonly used and machine-readable format, and the controller must not make it difficult or prevent the transfer of data, (Art. 20 of the GDPR “Right to data portability”).

Data security

Mobile device data: In an effort to assist organisations with deployment strategies, the US National Institute of Standards and Technology released a revised guide for managing the security of mobile devices in the enterprise. The publication provides a five-step enterprise mobile device deployment life cycle:

  • Identify Mobile Requirements, (Bring Your Own Device or Corporate-Owned and Personally-Enabled is selected).
  • Perform Risk Assessment, (performed on a regular basis).
  • Implement Enterprise Mobility Strategy, (management, policies, configurations, system testing, additional security).
  • Operate and Maintain, (control settings, periodic audits).
  • Dispose of and/or Reuse Devices. 

Big Tech

Draft Data Act: The Council and the Parliament reached an agreement on rules to access and use data collected in the EU across all economic sectors, where the data are generated through smart objects, machines, and devices. The Data Act will provide consumers more control over their data by strengthening portability rights, interoperability standards, and safeguards against unlawful data transfers by service providers. The Data Act takes into account current horizontal and sectorial laws including the GDPR. 

It has received criticism from a variety of sources, including from crypto industry bodies on the wide classification of smart contracts as “computer programs.” Smart contracts might potentially be constructed to provide an access control mechanism, but this would undermine the technology’s basic functions. Concerns were expressed by software businesses about a clause requiring corporations to share data that might jeopardize trade secrets. Furthermore, some scientists are concerned that the Data Act would favour companies in its goal of expanding access rights to big data, and that publicly financed science will suffer as a result.

Metaverse: Finally, the EU Parliament issued a comprehensive analysis of the Metaverse. Commercial, industrial and military applications bring both opportunities as well as significant concerns for everyday life, health, work, and security, says the paper. The metaverse can be provided by public or private actors for single users or as a networking platform. It can mirror reality, create a simulation of an entirely new space and actors, or mix both. Forecasts indicate that we are experiencing a decade of the metaverse and that it will take 6 to 8 years to achieve its full potential. However, important elements of the metaverse such as digital ethics, digital twins, blockchain, generative AI, tokenization, or digital humans will start to have significant impact much earlier, (1 to 3 years and 3 to 6 years). See the full report here.

The post Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’ appeared first on TechGDPR.

Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court (https://techgdpr.com/blog/data-protection-digest-17052023-data-processing-roles-and-obligations-elaborated-by-eu-top-court/, Wed, 17 May 2023)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal redress

Pseudonymised (non-personal) data processing: In the instance of SRB v. EDPS, the European General Court ruled that pseudonymised data communicated by one party with another would not be regarded as personal data in the recipient’s hands if that party lacks a legal way to obtain the extra, identifiable information. The lawsuit resulted from the Single Resolution Board, (SRB), decision to conduct a shareholder poll in the case of Banco Popular Español, as part of which it shared the results with a consulting firm. In order to guarantee that replies could not be traced back to specific respondents, SRB pseudonymised the data. The decoding key that might identify specific responses from the alphanumeric codes was not given to the consulting company.

Additionally, the court did not rule out that personal views or opinions may constitute personal data. However, such a conclusion must be based on a case-by-case examination. View the court’s ruling here.

Right to GDPR compensation: The CJEU has recently published a number of rulings related to data subject rights. In one case, Österreichische Post collected information on the political affinities of the Austrian population, using an algorithm. Following lawsuits for compensation from upset citizens who had not consented to that, the Austrian supreme court asked the CJEU whether mere infringement of the GDPR is sufficient to confer that right and whether compensation is possible only if the non-material damage suffered reaches a certain degree of severity. It also asked what the EU-law requirements are for determining the amount of damages.

The EU top court responds that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of severity. The court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules. 

“Copy” of personal data definition: The CJEU also ruled that the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data. The Court notes that the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data. 

The case relates to CRIF in Austria, (a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties). It sent the applicant in question a summary of his personal data undergoing processing. However, the individual had expected a copy of all of the documents containing his data, such as emails and database extracts. After the Austrian data protection authority rejected his complaint, the applicant went to court.

CJEU opinions

Data controllers’ strict liability: A non-binding opinion by a CJEU Advocate General limits the strict liability of data controllers for GDPR fines: they may only be imposed on intentional or negligent conduct, (‘mens rea’). The referring court wanted to know whether the state agency could be fined on the simple basis that it breached the obligations imposed on it by virtue of being a controller, (strict liability), or whether an element of fault in committing the relevant breach is required. 

The case concerns the Lithuanian Public Health Centre in the design and deployment of a mobile application for tracking COVID-infected people. After funding for the project failed, the state agency asked the app developers, (initially defined as joint controllers), not to use the LPHC details or any association with them in the mobile product. However, it continued to be available for download by the public unaltered. The data protection authority consequently decided to impose a fine on both entities in their capacity as joint controllers.

The CJEU’s opinion confirmed that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’. Furthermore, the absence of any agreement or even coordination between joint controllers cannot exclude a finding that the controllers are ‘joint controllers’.

Concept of lawful “data processing”: In the above case, the referring court also called for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects the ability of supervisory authorities to impose a fine on the controller.

The CJEU reasoned that a controller may be fined even though the unlawful processing is carried out by a processor. That possibility is open for so long as the processor acts on the controller’s behalf. However, if the processor uses personal data outside of, or contrary to, the lawful instructions of the controller, then the controller cannot be fined. 

The concept of ‘processing’ encompasses a situation in which personal data is used during the testing phase of a mobile application, unless such data has been anonymised in such a way that the data subject is not, or no longer, identifiable. 

Official guidance

Direct marketing: Effective direct marketing relies on you having a positive relationship with individuals you are marketing to and that is usually rooted in them having consented to you contacting them, states the latest guidance by the Guernsey data protection authority. The document answers the questions on how to obtain people’s consent in a lawful way, while being able to pursue commercial communication and inform people about what you are doing; explains lawful processing conditions under consent and legitimate interest; looks at the dangers of soft opt-in and automated calling systems and silent calls; and provides options for stopping direct marketing. See the full guidance (in English) here.

Client databases: The Latvian data protection agency also looks at client databases. Customer personal data permeates almost every aspect of business, from the delivery address of an order to the use of customer data to creating a company’s marketing campaign. Whether you only store a customer’s first name, last name and email address, or a personal identification number and bank details, you need to make sure that customer information is kept as correct and as secure as possible. The main principles to be followed are:

  • Determine the purpose for which the database is being created  (eg, administration of fees, sending news, ensuring access).
  • Evaluate and decide exactly what personal data is required from the client, and don’t collect or store personal data just because you think it might come in handy someday, (eg, if you plan to send information only to e-mail, you do not need to ask the customer for a phone number).
  • The information included in the customer database must also be accurate and must be updated as necessary, (eg, inaccurate data may allow the service to be used by a person who has not paid for it).
  • The necessary technical and organisational requirements must be implemented, (eg, limit personnel who can access customer information, maintain employee training, and if you transfer personal data, ensure that it is encrypted).

Enforcement decisions

Concept of warning and expansion of investigation periods: Spain has modified its law on the protection of personal data and clarified that a warning should not be considered a sanction, but rather an appropriate measure, of a non-punitive nature, included within the corrective powers of the supervisory authorities. Additionally, the increase and greater complexity, (including a one-stop-shop mechanism), of the issues addressed by the data protection agency in the sanctioning procedures show the need to extend some of the resolution deadlines. In particular, for this reason, the modification contemplates an increase from nine to twelve months in the maximum duration of disciplinary procedures, and from twelve to eighteen months in previous investigation actions.

TikTok fine: The UK Information Commissioner’s Office has issued a 12.7 million pound fine to TikTok Information Technologies UK Limited and TikTok Inc, for a number of breaches of data protection law, including failing to use children’s personal data lawfully. Whilst TikTok purports to rely, in part, on contractual necessity as its lawful basis for processing the personal data of children under 13, the Commissioner considers that the legal test for contractual necessity is not met in this case. In addition, TikTok failed to make reasonable efforts to ensure that consent was given or authorised for underage child users of its video-sharing platform or to prevent children under 13 from accessing its services. Read the full list of TikTok’s infringements in the original decision.

Information obligation: The Romanian data protection agency fined Libra Internet Bank for not fulfilling its data subject rights obligation. It was found that a response sent to a plaintiff by e-mail did not contain information about the possibility of filing a complaint before a supervisory authority and introducing a judicial appeal for the bank’s refusal to communicate a copy of a requested video recording, thus violating the provisions of Art. 12 in conjunction with Art. 15 of the GDPR. On the same occasion, the regulator noted that the data controller did not present evidence to show that it had adopted measures to facilitate the exercise of the right of access.

Grocery data: The Norwegian data protection authority has taken a decision to ban Statistics Norway’s planned collection of data from the population’s grocery purchases. Through bank data and bank transaction data, Statistics Norway would have information on what a significant proportion of the population buys for groceries. This in turn could be linked to socio-economic data such as household type, income and level of education. No sufficient legal basis for such intrusive processing of personal data exists. Even if the purpose of the collection is anonymous statistics for societal benefit, the intervention in the individual’s privacy will have already occurred once the personal information was collected, (from private actors). Finally, citizens have no real opportunity to oppose such a collection, other than by using cash as a means of payment.

Debt collection data: Croatia’s privacy regulator issued an administrative fine of over 2 million euros on a debt collection agency. The data controller didn’t inform its data subjects, in an accurate and clear manner, about the processing of their personal data. In addition, it did not conclude a data processing agreement with the provider of a consumer bankruptcy monitoring service. The debt collection agency also did not apply appropriate technical and organisational measures while processing quite sensitive personal data, so it would probably never have noticed a data breach.

Data security

Encryption pros and cons: The Spanish data protection agency has published a guide for the supervision of cryptographic systems as a security measure in data protection. Encryption is a procedure by which information is transformed into an apparently unintelligible data set using various techniques. The GDPR mentions it as a measure that forms part of the conditions for compliant processing and as an aid to mitigate the risks in the event of a possible breach of personal data. However, if not well designed it can give a false sense of security that relaxes the application of other complementary measures, in particular, privacy by design. The document also proposes a list of controls to help the data protection specialist select those that could be the most appropriate in validating the encryption system. Read the full guide, (in Spanish), here.

Password hurdle: Reportedly, the average internet user has between 70 and 80 passwords for a wide variety of services, explains the Slovenian data protection agency based on recent research. Considering that a strong password is (at least) 12 characters long, complex and of course unique, it is extremely difficult to remember them all.

Password managers also offer effective management and safe storage of passwords. In this case, it is important to have a very strong master password, which is also the only one we need to remember. Two-factor authentication solves two of the most common problems: short, weak, and repeated passwords are no longer so problematic since access to the service requires an additional unique code that is obtained over the phone. 

Finally, most information security experts do not recommend saving passwords in browsers. The reason is primarily the rapid spread of Trojan horses that specialize in stealing user data. Nothing helps if we have long and unique passwords, because the virus simply copies them and sends them to attackers.

International data transfers

US data transfers: The European Parliament has rejected the draft US adequacy decision during the plenary vote. Although the resolution is not binding, MEPs concluded that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection, and call on the Commission to continue negotiations with its US counterparts to provide the adequate level of protection required by Union data protection law as interpreted by the CJEU. MEPs call on the Commission not to adopt the adequacy finding until all the recommendations – on safeguards against American intelligence activities, and practical deployment of the redress mechanism for individuals – are fully implemented.

To that end, a parliamentary group from the Civil Liberties Committee visits the US capital this week to meet with members of the House of Representatives and Senators working on privacy, and cybersecurity issues, including sponsors of different federal privacy acts – the Federal Trade Commission, US Courts administration, Department of State, the Data Protection Review Court, the Office of the Director of National Intelligence, NGOs, and think-tanks. 

UK privacy reform: According to govinfosecurity.com, the Information Commissioner gave assurances to UK lawmakers considering changes to the country’s national privacy legislation that they won’t jeopardize the adequacy decision made with the EU in 2021. The Data Protection and Digital Information Bill was once again proposed this spring by the Conservative government as an alternative to the GDPR that is more pro-innovation and less bureaucratic. External observers, however, are less certain, citing rulings by the ECHR that British mass intelligence collecting infringed private communications. 

Supporting documents assessing the impact of the Data Protection and Digital Information Bill can be seen here.

Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU (https://techgdpr.com/blog/data-protection-digest-18042023-us-data-transfers-and-ai-tools-occupy-eu/, Tue, 18 Apr 2023)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

US data transfers: A full parliamentary vote on the upcoming EU-US Data Privacy Framework is planned in the coming weeks. So far, a resolution adopted by Civil Liberties Committee MEPs argues that the European Commission should not grant the US an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the two. However, this resolution will not be binding on the European Commission.

MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide for clear rules on data retention. The transparency and independence of the new redress mechanism for EU data subjects are also under question. Finally, the US Intelligence Community is still updating its practices based on the framework, so an assessment of its impact on the ground is not yet possible, say MEPs.

CCPA/CPRA: The updated CCPA regulations were approved by the state of California and come into effect in three months’ time. These revisions reflect the CCPA’s amendment by the California Privacy Rights Act of 2020, which added new business obligations addressing: consumer rights regarding the sharing, sale, and restriction of sensitive personal data, information notices, user-enabled privacy controls, opt-out options, contractor and third-party contract requirements, and more.

Employee data: In its recent judgement the CJEU ruled on important aspects of data processing in the employment context, interpreting Art. 88 of the GDPR. The preliminary ruling concerns the lawfulness of a system for the live streaming of classes by videoconference introduced in state schools in Hessen, (Germany), without the prior consent of the teachers. Art. 88 of the GDPR enables the national legislator to enact “more specific regulations” in employee data protection. However, they should not be general clauses that simply repeat the GDPR’s provisions.

Instead, they should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing. For organisations and employers this means that in the absence of valid national provisions GDPR rules must be complied with, including the balancing tests for the appropriate legal basis for employee data processing, (employment contract, legitimate interest or consent). 

In response to the decision, the Hamburg data protection commissioner also stated that Section 23 of the Hessian data protection act does not constitute a ‘more specific rule’, and that the moment had arrived for a new federal employment data protection act. 

Automated employment tools: Meanwhile, on the other side of the Atlantic, the New York City Department of Consumer and Workforce Protection promulgated its final regulations on the Automated Employment Decision Tools Law (AEDTL). Once enforced, it will restrict employers’ ability to use machine learning, statistical modelling, data analytics or AI tools in hiring and promotion decisions within New York City. Employers who use automated employment decision tools must also disclose it to candidates before the tool is used, as well as systematically undergo and disclose independent “bias audits”. Read the full analysis here.

EDPB guidance

A set of updated guidance and studies, along with the annual 2022 report, was published by the EDPB.

National administrative rules: The EDPB conducted a study on national administrative rules applicable when the national supervisory authorities carry out their duties under the One-Stop-Shop, (OSS), procedure. For instance, the requirements for the admissibility of complaints from individuals vary considerably from one country to another. Furthermore, the possibility to reach an amicable settlement between controllers or processors and complainants does not exist in all countries, and there is no clear indication of differing regulations’ impact on the OSS procedure. Finally, there is no convergence regarding the prior notification of forthcoming investigations or exercise of corrective powers. Read more challenges and possible solutions in the original publication.

Entities outside the EEA: Another study by the EDPB looks at the enforcement of GDPR obligations against entities established outside the EEA, (California, the UK and China). It aimed to analyse the possibilities available to enforce supervisory authorities’ investigative and corrective powers against third-country controllers/processors that fall under the scope of the GDPR but are not willing to cooperate with regulators and did not designate an EEA representative. This included the possibility to summon third-country controllers/processors to appear before the SA’s office, or in the SA’s national courts or tribunals, choice of jurisdiction and additional restrictive measures. 

Right of access: The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights and Art. 15 of the GDPR, says the EDPB’s latest guidance. The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier – but is not a condition – for the individual to exercise other rights such as the right to erasure or rectification. 

Personal data breach notification: The EDPB considers that complying with the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Breach notification should be seen as a tool for enhancing compliance. At the same time, failure to report a breach to either an individual or a supervisory authority may mean a possible sanction applicable to the controller. Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach.

Lead supervisory authority: The EDPB has noticed that there was a need for further clarifications, specifically regarding the notion of main establishment in the context of joint controllership and taking into account the concepts of controller and processor in the GDPR. Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity in terms of which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR. 

The most complex situations are when it is difficult to identify the main establishment or to determine where decisions about data processing are taken. This might be the case where there is cross-border processing activity and the controller is established in several Member States, but there is no central administration, or none of the EEA establishments is taking decisions about the processing.

Other official guidance

Generative AI risks: The UK privacy regulator, the ICO, poses eight questions about generative AI that developers and users need to answer. The EU legal backlash on ChatGPT is just the beginning of the journey, the analysis states, and organisations developing or using generative AI should be considering their data protection obligations from the outset, taking a data protection by design and by default approach. This isn’t optional – if you’re processing personal data, it’s the law, (data protection law still applies when the personal information that you’re processing comes from publicly accessible sources):

  • Are you a controller, joint controller or processor? 
  • What is your lawful basis for processing personal data? 
  • How will you comply with individual rights requests? 
  • How will you limit unnecessary processing? 
  • How will you mitigate security risks? 
  • Have you prepared a Data Protection Impact Assessment? 
  • Will you use generative AI to make solely automated decisions? 
  • How will you ensure transparency?

To know more, here’s the ICO publication.

AI-assisted employment: Meanwhile the Spanish data protection authority AEPD explains how to apply AI tools for employment activities. In essence the data controller decides when designing the programme whether or not to include an additional operation of human supervision on the results produced by the AI system. AI systems will form part of the nature of data treatment when they have been included in some of the necessary operations for this explicit purpose. This may include AI systems implemented locally or in the cloud, mobile systems, outsourced data processors, etc. Therefore, the fact that decision-making is automated is not a feature of the AI system itself.

For example, the procedure to guide candidates to complete an application form where they would include their CVs could be implemented using a chatbot. In addition, the number of applications, and therefore the number of CVs, could be so large that the manager could decide to use an AI system for the automatic selection of the most interesting CVs, according to certain criteria that the manager should also establish. The manager could go further and implement the evaluation of the candidates through another AI system that performs and evaluates the tests for the previously selected candidates. 

Sports industry: A large amount of personal data including special categories is generated in digitised sports, states the German federal data commissioner. If these are not so comprehensively anonymised that it is impossible to trace them back to individual athletes, data protection rules on purpose limitation, storage limitation, lawfulness, data minimisation, transparency, and data security apply. This extends to all bodies and organisations that process athletes’ personal data – coaches, associations, doping agencies, sports facility operators, scientific institutes, doctors, laboratories, consultants, agents, and sometimes also sponsors, betting shops or even manufacturers of hardware and software.

Investigations and enforcement decisions

Data breach statistics: The Guernsey data protection agency ODPA published the latest personal data breach statistics: Nearly 10 million people were reported to be affected by 38 personal data breaches from January to March. Reportedly, the majority of those were customers of a UK-based company which was the victim of a large cyber-attack. Although the company is not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers are based. Additionally, the most striking examples of personal data breaches involved:

  • people using personal email accounts to send work-related information, (email providers are outside the control of the organisation meaning usual security policies do not apply and the organisation does not know what its data is being used for),
  • accounts or devices shared by couples, (the boundaries of your personal life and your job intersect in a way that is not helpful for you or your workplace, which means information could fall into the wrong hands.)

Failed data subjects’ right of access: Following a complaint the Spanish AEPD fined Banco Bilbao Vizcaya Argentaria, or BBVA, 84,000 euros, according to Data Guidance. Despite ceasing to be a client of BBVA in 2012, the complainant discovered in 2021 that there were two debts registered in their name in the Bank of Spain’s Risk Information Center. Regarding the use of the right of access, the AEPD explained that BBVA had asked the complainant for additional details in order to recover the recordings, which constituted an unfair burden on the data subject for the fulfilment of their request.

In another recent enforcement decision by the AEPD, the claimant requested access to the images from the video surveillance system located at a commercial centre. Unable to find a way to make a request in person, the claimant submitted one via electronic means of communication, (using the company’s marketing email address). This email address is not related to the processing of personal data nor was the means of contact enabled for the exercise of any rights. However, the company responded only to state that such access was not possible, except when there is a prior complaint, or when requested by the police or authorised personnel. The regulator found that the right of access of the complainant to their personal data was not respected, as established in Art. 15 of the GDPR.

Data security

Established cooperation: A long-term relationship between a controller and a processing entity does not guarantee data security, states the Polish privacy regulator UODO. In the related case, the verification of the competence of the processor was not formalized, because it consisted of conducting an interview, and the services provided by the entity, (a file depositary service), did not raise objections from the controller. The explanations of both the controller and the processor indicated that these entities only applied the controller’s internal regulations, (the Personal Data Protection Policy). The lack of any risk analysis resulted in the selection of inadequate measures.

The mere signing of a contract for entrusting the processing of personal data without proper assessment of the processing entity cannot be considered as fulfilment of the data security obligation. The determinant for such an assessment cannot be only long-term cooperation and the use of the services of a given processor. In the opinion of UODO, positively assessed cooperation may only be a starting point when verifying whether the processing entity provides sufficient guarantees for the implementation of appropriate technical and organisational measures. 

Certifying employees’ qualifications: The Hungarian data protection agency NAIH publishes detailed recommendations on how to handle documents certifying employees’ qualifications according to the data protection requirements. The employer may require the employee to present a document in its legitimate interest. The employer can also keep their own, internal records of the education of each employee, the date and the method of proof of education. However, “objective evidence”, (as defined in ISO 9000:2015 Quality management systems), needs to be supported by documented information.

A copy of a document certifying education or training does not have the power to prove that it is an authentic copy of a valid public document, so it is not suitable for establishing the authenticity of the data contained therein, and it may include additional unnecessary personal information.

Instead, the organisation may prepare a note or protocol stating that the given employee presented the original documents certifying their education, the relevant data of which is now recorded by the organisation, (eg, serial number of the document, date of qualification).

Tracking pixels: The Norwegian data protection authority encourages businesses to review their websites for tracking pixels or other tracking technologies. Recent media reports revealed that a large number of European online pharmacies have shared customers’ personal data through tracking technologies. For website users this is potentially a major privacy risk, while for the websites it poses a significant legal and reputational risk. The regulator now encourages all Norwegian websites to review for tracking pixels and other tracking technologies. Unless the business has assessed the tools, has an overview of data flow and is confident that their use is in line with privacy rules, the trackers should simply be removed.

Cyber risk management: The German Federal Office for Information Security updated its manual on ‘Management of Cyber Risks’. It is dedicated to a comprehensive corporate culture that takes cyber security into account at all times, aiming to increase the resilience of companies. As cyber security starts with senior management, IT managers need the necessary support and the right understanding on the part of company management. The guide formulates six basic principles that support management and supervisory boards when considering cyber risks:

  • Understanding cyber security as a component of company-wide risk management.
  • Understanding and closely examining the legal implications of cyber risks.
  • Ensuring access to cyber security expertise and regular exchange.
  • Implementing suitable frameworks and resources for cyber risk management.
  • Preparing risk analysis based on business risk appetite, goals and strategies.
  • Encouraging company-wide collaboration and sharing of best practices.

Big Tech

Meta binding decision: The EDPB adopted a dispute resolution concerning a draft decision of the Irish data protection authority DPC on the legality of data transfers to the US by Meta Ireland for its Facebook service. The decision will be announced soon and may constitute an order on blocking Facebook’s transatlantic data flows. The Irish regulator shall adopt its final decision, addressed to Meta Ireland, on the basis of the EDPB binding decision and taking into account the EDPB’s legal assessment, at the latest one month after the EDPB publishes its decision. 

In January this year the DPC, also instructed by the EDPB, ordered Meta to pay a hefty fine for making users accept targeted ads and directed it to bring its processing operations into compliance with the GDPR within a period of 3 months. The EDPB also directed the DPC to conduct a fresh investigation of all of Facebook and Instagram’s data processing operations, examining special categories of personal data that may or may not be processed. However, the DPC stated that the EDPB is not entitled to instruct and direct a national authority to engage in a new “open-ended and speculative” investigation.

TikTok privacy fine: Finally, the UK fined TikTok 12.7 million pounds for misusing children’s data. More than one million British children under 13 were estimated to be on TikTok in 2020, contrary to its terms of service. As a result, personal data belonging to children was used without parental consent. TikTok “did not do enough” to check who was using their platform and take sufficient action to remove the underage children. Since the conclusion of the investigation of TikTok, the ICO has published a statutory Children’s Code to help online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children.

The post Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU appeared first on TechGDPR.

Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown (https://techgdpr.com/blog/data-protection-digest-04042023-dismissed-fine-cybersecurity-tools-chatgpt-clampdown/, Tue, 04 Apr 2023 08:50:03 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Court-dismissed fine: A multimillion-euro fine imposed by the Spanish privacy regulator has been overturned by a court decision, according to a publication by Clifford Chance law firm. The AEPD fined Banco Bilbao Vizcaya Argentaria 5 million euros in 2020, the first of many hefty fines for GDPR violations in the country’s corporate sector. In the above case, the AEPD received several complaints about commercial communications. Ultimately, it found that BBVA’s privacy policy, which was applicable to all of its clients and to processing other than the sending of marketing communications, violated the duty of information, and occasionally misused consent and legitimate interest as the basis for processing. However, the decision and fine with regard to BBVA’s privacy and the initial complaints were completely at odds, and the court found that the AEPD had broken the sanctioning procedural rules. 

EU Health Data Space: EU legislators are actively working on safeguards for the upcoming European Health Data Space. This includes promoting patients’ understanding and control of their personal health data. The latest amendments look at the main characteristics of electronic health data categories: patient summary, electronic prescription, electronic dispensation, medical image and image report, laboratory result, and discharge report. Under the Commission’s proposal, researchers, companies, and institutions will require a permit from a health data access body, to be set up in all member states. Access will only be granted to use de-identified data for approved research projects, which will be carried out in closed, secure environments, a Sciencebusiness.com publication sums up.

Iowa privacy legislation: Iowa enacted its new comprehensive privacy law, making it the sixth US state to do so after California, Virginia, Colorado, Utah, and Connecticut. It will take effect in 2025. Anyone conducting business in Iowa or creating goods or services marketed toward Iowans who does one of the following is subject to the law: processes at least 100,000 consumers’ personal data; or processes 25,000 consumers’ personal data and generates more than 50% of gross revenue from the sale of it. The law does not apply to financial institutions, nonprofit organizations, institutions of higher education, information bearing consumers’ creditworthiness, various research data, protected health information, and more.

Utah minors protection: Utah enacted two laws to limit children’s access to social media, making it the first US state to demand parental consent before children can use Instagram and TikTok. It also makes suing social media companies for damages simpler. To date, US lawmakers have had difficulty enacting stricter federal laws governing online child safety. Under Section 230 of the US Communications Decency Act, media service providers are largely shielded from liability for the content they provide. 

Online service providers are also not required by federal statutes to use a particular method of age verification. Because of this, some have minimum age restrictions and ask users to enter their birthdate or age before granting access to the content. These restrictions are typically stated in the terms of service. According to Utah legislation, all users must submit age verification before creating a social media account. Minors under the age of 18 must have parental or guardian consent. 

Official guidance

AI white paper: Principles, including safety, transparency, fairness, contestability, and redress will guide the use of AI in the UK, as part of a new pro-innovation national blueprint. Reportedly, Britain has more businesses offering AI goods and services than any other European nation, and hundreds more are being founded annually. Regulators pledge to provide organisations with advice over the coming year, as well as other resources like risk assessment templates. Currently, there is no deadline envisaged in the UK for passing AI legislation. Meanwhile, the EU AI Act, which takes a more risk-based approach and is being discussed by parliamentarians, can be reasonably expected this year.

Data protection by default: UK privacy regulator the ICO published resources to help UX designers, product managers, and software engineers embed privacy by default. The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch when designing websites, apps, or other technology products and services. The ICO has also published videos with experts, technologists, and designers. 

Employment guide: The Danish data protection authority’s guidance on data protection in employment relationships has been revised, (in Danish only). The update includes the acquisition of criminal records and references. The regulator also clarified an employer’s obligation to disclose information, trade union processing activities, workers monitoring needs, the use of IQ and personality tests, and more. In parallel, the Lithuanian regulator is preparing similar guidance for employees, business, and public sector, (in Lithuanian only). 

Joint controllers: What is the difference between joint and independent data controllers? Joint controllers are established when the entities involved in processing perform it for the same or common purposes. Joint controllership can be established even when the entities pursue purposes that are only closely related or complementary, explains the Slovenian data protection authority. Purposes and means of processing are not always the same for all joint controllers but must be mutually determined via an agreement. They can also be defined by law. Subsequently, joint controllers are jointly and severally liable for damages.

Suspected data breach: Pursuant to the GDPR, in the event of a personal data breach that is likely to cause a high risk to the rights and freedoms of individuals, the data controller must notify the data subject without undue delay. However, notification is not mandatory if any of the conditions stipulated in Art. 34 (3) of the GDPR are met. Regardless of the above, in case of a suspected breach, (eg, unauthorised disclosure of a large amount of personal data), you have the right to request information from the data controller, (if they processed your data), as to whether your personal data is included in the incident, concludes the Croatian data protection agency.

Enforcement decisions

ChatGPT ban: The Italian supervisory authority Garante has clamped down on ChatGPT. The limitation of the processing of Italian users’ data by OpenAI, the US company that developed and manages the platform, is temporary until it establishes privacy procedures. ChatGPT suffered a data breach on March 20 concerning user conversations and payment information for subscribers to the paid service. Garante noted the lack of information to users and all interested parties whose data is collected by OpenAI, but above all the absence of a legal basis that justified the collection and storage of personal data in order to train the algorithms. 

Additionally, as evidenced by the checks carried out, the information provided by ChatGPT does not always correspond to the real data, thus establishing inaccurate processing of personal data. Finally, the service is aimed at people over 13 but does not use any filter for verifying the age of users and exposes minors to answers that are absolutely inappropriate with respect to their degree of development and self-awareness. OpenAI, which does not have an office in the EU but has appointed a representative in the European Economic Area, must communicate within 20 days on the measures taken.

Wrongful copy: The Greek data protection authority looked into a complaint from a Vodafone subscriber who received a CD containing the conversations of another person after requesting access to the recorded conversations with the Vodafone call center. Although Vodafone was immediately notified by the complainant, it did not take any investigative steps to confirm the incident, but initially contented itself with the processor’s response that it did not locate the complainant on the phone. It subsequently contacted her to return the CD. Vodafone was ordered to send the correct file and was fined 40,000 euros (Art. 15 and Art. 33 of the GDPR).

Email correspondence: Employees’ right to privacy is unaffected by a legitimate interest in processing personal data for legal defense. The Italian privacy authority fined a company that continued to use an employee’s email account after they had left the firm, viewing the content, and setting up forwarding to a company employee. The former collaborator had gathered references from potential clients they had met at a fair. The company claimed that a legal dispute resulted from the collaborator’s attempt to get in touch with them. Fearing losing relationships with potential customers, the company had not only written to them to explain that the person had been removed, but had also viewed the communications.  

GPS monitoring: Tehnoplus Industry in Romania was fined for a GPS system installed on a company car, without the employee having been informed, or having previously exhausted other less intrusive methods to achieve the purpose of processing – monitoring the service vehicle. Tehnoplus Industry excessively processed the location data related to the complainant even outside working hours. The purpose and the legal basis of this processing, as well as the excessive storage period of the data collected, (over the established 30-day limit), were also found unlawful.

In parallel, the French privacy regulator imposed a fine on Cityscoot for geolocating customers almost permanently in breach of the data minimisation principle. During the rental of a scooter by an individual, the company collected data relating to the geolocation of the vehicle every 30 seconds. In addition, the company kept the history of these trips. None of the established purposes of the processing, (the treatment of traffic offenses, handling customer complaints, user support, and theft management), could justify the monitoring and could have been organised without constant tracking.  

Data security

Cybersecurity tools: The French regulator CNIL has updated its guidance on the security of data protection, (in French). It supports professional actors processing personal data by recalling the basic precautions to be implemented. 17 fact sheets look at the latest recommendations on authenticating users, tracing operations and managing incidents, securing the workplace, guiding IT development, securing exchanges with other organizations, encryption, and much more. 

The European Union Agency for Cybersecurity also releases a tool to help small and medium-sized enterprises assess the level of their cybersecurity maturity. This tool contributes to the implementation of the updated Network and Information Security, (NIS2), Directive. The majority of SMEs are excluded from the scope of the Directive due to their size and this work provides easily accessible guidance and assistance for their specific needs.

Similarly, the UK National Cyber Security Centre launches two new services to help small organisations stay safe online:

  • The Cyber Action Plan can be completed online in under 5 minutes and results in tailored advice for businesses on how they can improve their cyber security.
  • Check your Cyber Security – which is accessible via the Action Plan – can be used by any small organisation including schools and charities and enables non-tech users to identify and fix cyber security issues within their businesses.

Mobile threat defense: America’s NIST investigates mobile threat defense applications that provide real-time information about a device’s risk level. Like any other app, MTD is installed on a device by a user. The app then finds undesirable activity and alerts users so they can stop or minimize the harm. For instance, it alerts users when it’s time to update their operating systems. Additionally, users of the app can receive alerts when someone is listening in on their internet connection. However, without being integrated with a mobile device management system, MTD applications are only marginally effective in your enterprise environment.  

Big Tech

Child Care apps: In the US, childcare facilities are using technology more and more, reports edsurge.com, which tells the story of a parent who signed her child up for child care. She wasn’t expecting to have to download an app to participate, and when that app began to send her photos of her child, she had some additional questions. Laws like the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act don’t apply in these circumstances, so parents will need to conduct some independent research. The other aspect is that cameras have the potential to make teachers and other classroom employees anxious or otherwise not themselves, she says. They may feel that administrators or parents don’t trust them, and this may make them avoid some activities like dancing.

You are (not) hired: Reportedly, a third of Australian companies rely on artificial intelligence to help them hire the right person, while there are no laws specifically governing AI recruitment tools. Applicants are often unaware that they will be subjected to an automated process, or if not, on what basis they will be assessed. For instance, AI might say you don’t have good communication skills if you don’t use standard English grammar, or you might have different cultural traits that the system might not recognise because it was trained on native speakers. Another concern is how physical disability is accounted for in something like a chat or video interview. Read more analysis by the Guardian in the original publication.

Vehicle data: Because data ownership remains undefined under EU law the Commission’s proposed Data Act for fair access to such information, particularly in the vehicles sector, appears to have hit problems. Legislative proposals were expected to regulate a connected car sector estimated to be worth more than 400 billion euros by the end of the decade. Now car services groups warn very few big players are able to access this data, skewing the market, Reuters reports.

Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset (https://techgdpr.com/blog/data-protection-digest-30082022-data-subject-complaints-inappropriate-reliance-on-consent-smart-tv-reset/, Tue, 30 Aug 2022 09:21:56 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: data subject complaints, new business, identity cards, traffic licenses, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, DPOs

The UK Information Commissioner’s Office offers a brief guide on how to deal with data subject complaints, (your staff, contractors, customers), when you are a small business. The main steps are as follows: 

  • Respond as soon as possible, in plain language, to let the customer know you’ve received their data protection complaint and are looking into it. 
  • Let them know when they can expect further information from you and give them a point of contact. Include information about what you’ll do at each stage.
  • Send them a link to a complaints procedure, (if there is one). 
  • Check the complaint has come from an appropriate person. 
  • Check all the details of their complaint against the information you hold.
  • Ask for additional information if necessary. 
  • Update them so they know you’re working to resolve the issue. 
  • Record all your actions and due dates, and keep copies of relevant documents and conversations.

Starting a new business? The Jersey data protection regulator offers a quick guide on customer information, employee details, contact or payment details for suppliers and contractors, and other data points you’ll need to take responsibility for when getting a new business venture off the ground. The measures may include training your staff, limiting administrative rights, minimising data collection and storage, locking sensitive data, drafting a privacy policy, regular software updates and more. But even simple actions like turning off the ‘auto-complete’ function for email addresses or avoiding email forwarding may save you from personal data breaches. 

Financial institutions make copies of our identity documents for a range of services such as opening and maintaining a bank account, electronic banking, granting a loan or even executing a transfer order. The Polish data protection authority UODO stresses that such copying is not permitted in every situation. For instance, the country’s banking law allows processing of the information contained in identity documents, but this does not confer a right to make copies; in many cases it is enough to present the document for inspection. Anti-money laundering and counter-terrorist financing legislation, on the other hand, does entitle financial institutions to make copies. Before applying such financial security measures, institutions must assess whether it is necessary to process the personal data contained in the copy of the identity card for those purposes. Under the principles of purpose limitation and data minimisation, personal data must be collected for specified, explicit and legitimate purposes, using relevant criteria, and limited to what is necessary for the purposes for which they are processed.

The Hungarian data protection authority NAIH issued a notice on data processing related to the reading of the bar code on vehicle registration certificates at filling stations. According to submissions received by the regulator, in order to sell fuel at the official price a fuel provider reads the bar code on the vehicle registration certificate (or records the vehicle’s registration number) and stores it in its system; the data is then forwarded for tax control purposes. No information about this processing was available to customers at the filling stations, and employees were unable to provide any meaningful information. The NAIH opened an ex-officio investigation into the lawfulness of the processing and into whether the tax authority and the fuel providers had complied with Art. 13 of the GDPR.

The Latvian data protection authority DVI recently issued a series of recommendations, (in Latvian), including:

  • To evaluate the use of TCF and OpenRTB systems. Following the Belgian regulator’s decision, the transparency and consent system created by IAB Europe and the real-time bidding system were recognised as non-compliant. The decision stipulates that personal data obtained through TCF must be deleted immediately. This means that organisations using the tools, (website/app operators, advertisers and online ad technology companies), must stop using the tool, (unless it uses non-personal data).
  • What to do if another person’s data has been received by mistake: do not open it, do not publish it, make only the minimal enquiries needed to identify the sender, notify the sender and let the sender resolve the situation, and so on.
  • Safe use of online platforms used during the educational process.
  • The processing of personal data by insolvency administrators in the register of creditors’ claims, and
  • Functions and tasks of a data protection specialist.

Legal processes: EU Data Act, Quebec Bill 64, California privacy laws, China cross-border transfers

The Czech Presidency of the EU Council brought more clarity to the proposed Data Act, namely the part dealing with public sector bodies’ access to privately held data, Euractiv.com reports. Public authorities could request data, including the relevant metadata, if timely access to it is necessary to fulfil a specific task in the public interest (e.g. local transport, city planning and infrastructure services). At the same time, safeguards for requests involving personal data have been added: the public body will have to explain why the personal data is needed and what measures are taken to protect it. The priority should be anonymisation or, failing that, aggregation and pseudonymisation of the collected data.

In Quebec, the first amendments from Bill 64 (which modernises the province’s data protection provisions) to the Quebec Privacy Act and the Quebec IT Act come into force on 22 September. They create an obligation for anyone carrying on an enterprise to protect personal information and, by default, designate the person exercising the highest authority within the enterprise as the person in charge of it. Other provisions introduce mandatory reporting of confidentiality incidents, registration of biometric information databases no later than 60 days before they are put into service, notification of any process used to verify or confirm an individual’s identity based on biometric data, and allow disclosure of personal data necessary for commercial transactions (e.g. mergers, leasing).

In California the new privacy rights act, the CPRA, takes effect on 1 January 2023, while the new California Privacy Protection Agency is consulting on draft regulations, with special attention to the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws. Other key regulatory issues include data processing agreements, programmes for exercising data subject rights, data minimisation and valid consent requirements, and the prohibition of “dark patterns”.

China will enforce its cross-border data transfer rules from 1 September. Consequently, many critical industries such as communications, finance and transportation will face additional checks under the country’s latest cybersecurity, data security and personal information protection legislation. A security review is required for companies that handle the personal data of 1 million or more people, and for companies that have cumulatively transferred abroad the personal data of 100,000 or more people (or the sensitive personal data of 10,000 or more people). Businesses will have to explain to government reviewers the purpose of the transfer, the security measures in place, and the laws and regulations of the destination country. More details on the new regulatory framework can be found in guidance published by KPMG China.

Enforcement actions: commercial prospecting, employee’s consent, smart TV reset, Chromebook ban, PHI disposal, medical results without encryption

A major French hotel group was fined 600,000 euros by the privacy regulator CNIL for carrying out commercial prospecting without customers’ consent, whether the reservation was made directly with hotel staff or on the website: the box to consent to receiving the newsletter was pre-ticked by default, and a technical fault also prevented a number of people from objecting to such messages for several weeks. As the processing was carried out in many EU countries, the EDPB was asked to rule on the dispute over the amount of the fine, and it required the CNIL to increase the sum so that the penalty would be more dissuasive.


Guernsey’s data protection authority has issued a reprimand (a formal recognition of wrongdoing) to HSBC Bank’s local branch for inappropriate reliance on consent. An employee felt obliged to consent to providing sensitive information about themselves in connection with what they believed was a possible internal disciplinary matter, and then made a formal complaint. In the authority’s opinion, relying on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Although in this case the controller ceased processing as soon as concerns were raised, it nonetheless continued to cite consent as the justification for the processing. How to manage data protection in employment? See Guernsey’s latest guide.

The Danish data protection authority expressed serious criticism of the retailer Elgiganten A/S after a returned television, which had not been reset and still held the complainant’s personal data, was stolen in a break-in at the company’s warehouse. This meant that a third party gained access to the TV and thus to the streaming services the complainant was still logged into, as well as to the browsing history. Before the break-in the company had carried out a risk assessment for theft of its products and rated the risk as high, so the warehouse was secured by locks, a high wall, surveillance cameras and motion sensors. The burglar gained access by simply punching a hole in the wall.

The Danish data protection authority is maintaining its ban on Chromebook use by a Helsingør municipality, on the grounds of high risks for individuals. The regulator stated that the decision does not prohibit the use of Google Workspace in schools – but the specific use of certain tools in the municipality is not justifiable regarding children’s information. The Municipality assessed that Google only acts as a data processor, but in the opinion of the regulator, it acts in several areas as an independent data controller, processing personal data for its own purposes in the US. 

The Danish regulator ruled that the municipality cannot reduce the risk to an acceptable level without changes to the contract basis and the technology the municipality has chosen to use. Although the decision specifically relates to the processing of personal data in Helsingør Municipality, the regulator encourages other municipalities to look at the same areas in relation to unauthorised disclosure and transfers to unsafe third countries.

A recent HIPAA settlement of over 300,000 dollars offers lessons on data disposal and on what counts as Protected Health Information (PHI), workplaceprivacyreport.com reports. A dermatology practice reported a breach last year after empty specimen containers bearing PHI labels were placed in a garbage bin in the practice’s car park. The labels included patient names and dates of birth, dates of sample collection and the name of the provider who took the specimen. The workforce should have been trained to follow disposal policies and procedures, which can include shredding, burning, pulping or pulverising records so that PHI is rendered essentially unreadable, storing labelled prescription bottles in opaque bags in a secure area, and using a disposal vendor, under a business associate agreement, to pick up and shred or otherwise destroy the PHI.

The Belgian data protection authority also fined a laboratory 20,000 euros for inadequate security measures, the absence of a DPIA and a missing privacy policy (Art. 5, 12-14, 32 and 35 of the GDPR), Data Guidance reports. Namely:

  • the laboratory webpage allowed doctors to remotely consult patients’ medical results without any encryption;
  • the laboratory failed to conduct a DPIA for the large-scale processing of health data;
  • while denying that the health data was processed on a large scale, it failed to explain which criteria it used to reach that conclusion;
  • the laboratory failed to include a privacy policy on the webpage relating to the maintenance of the abovementioned medical results.

Data security: cyber security breaches landscape, personal data bought by FBI, social engineering on healthcare

The UK government published an in-depth qualitative study of a range of businesses and organisations that have been affected by cyber security breaches. The findings help businesses and organisations understand the nature and significance of the cyber security threats they face and what others are doing to stay secure, and support the government in shaping future policy in this area. The report also contains 10 practical case studies covering the level of cyber security in place before a breach, the type of cyber attack involved, how businesses and organisations act in the immediate, medium and long-term aftermath of a breach, and more.

Top US Democrats in Congress are demanding that the FBI and the Department of Homeland Security detail their alleged purchases of Americans’ personal data, Gizmodo.com reports. They suspect federal law enforcement agencies of using commercial dealings with data brokers and location aggregators to sidestep warrant requirements when obtaining Americans’ private data; the data points reportedly include records of internet browsing activity and precise locations. The demand includes the release of documents and communications between the agencies and any data brokers with whom they have dealings or contracts.

The US Health Sector Cybersecurity Coordination Center published guidance on the impact of social engineering on healthcare. Social engineering is the manipulation of human psychology for one’s own gain. “A social engineer can manipulate staff members into giving access to their computers, routers, or Wi-Fi; the social engineer can then steal Protected Health Information, (PHI), Personal Identifiable Information, (PII), or install malware posing a significant threat to the Health sector”, says the study. It also answers the questions on phases, types of social engineering attacks, (eg, tailgating, vishing, deepfake software, smishing, baiting and more), the personality traits of a social engineer, data breaches and steps to protect your organisation.

Big Tech: US mobile carriers, Google location data, Cambridge Analytica settlement, TikTok iOS app, Oracle class action

The US Federal Communications Commission will investigate mobile carriers’ compliance with disclosure to consumers how they are using and sharing location data, Reuters reports. Top mobile carriers like Verizon, AT&T, T-Mobile, Comcast, Alphabet’s Google Fi and others were requested to detail their data retention and privacy policies and practices. Recent enforcement of anti-abortion legislation in many states also raised concern that the police could obtain warrants for customers’ search histories, location and other information that would reveal pregnancy plans. Last month Google responded to this by promising to delete location data showing when users visit an abortion clinic.

The Federal Court of Australia ordered Google to pay 60 million Australian dollars for misleading consumers about the collection and use of personal location data, finding that its conduct was misleading and deceptive in breach of Australian Consumer Law. The conduct arose from representations made about two settings on Android devices, “Location History” and “Web & App Activity”. Some users spotted that the Location History default setting had changed from “off” to “on”. Another misleading practice was telling some users that having the Web & App Activity setting turned “on” would not allow Google to obtain, retain or use personal data about the user’s location.

Facebook agreed to settle a lawsuit seeking damages for allowing Cambridge Analytica access to the private data of tens of millions of users, The Guardian reports. Facebook users sued the tech giant in 2018 after it emerged that the British data analytics firm, connected to former US president Donald Trump’s successful 2016 campaign for the White House, gained access to the data of as many as 87 million of the social media network’s subscribers. Reportedly, if owner Meta had lost the case it could have been made to pay hundreds of millions of dollars.  

Reportedly, when you open any link in the TikTok iOS app, it is opened inside the app’s own in-app browser. While you interact with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card details and so on) and to every tap on the screen, such as which buttons and links you click. The discovery was made by the software engineer Felix Krause, whose original publication contains a more detailed technical analysis of the most popular iOS apps that ship their own in-app browser.

Finally, the Irish Council for Civil Liberties (ICCL) has started a class action against Oracle in the US over what it calls the company’s worldwide surveillance machine. Oracle is a significant part of the tracking and data industry: it claims to have amassed detailed dossiers on billions of people and generates over 42 billion dollars in annual revenue. According to the complaint, Oracle’s dossiers may include names, addresses, emails, purchases online and in the real world, physical movements, income, interests and political views, and a detailed account of online activity. For example, one database included a record of a man who used a prepaid debit card to place a 10 euro bet online. Oracle also coordinates a global trade in people’s dossiers through the Oracle Data Marketplace, the ICCL claims. You can view the full complaint here.


Weekly digest 20 – 26 June 2022: future US data privacy law, new ban on GA, ‘watched from home’ employees
https://techgdpr.com/blog/weekly-digest-27062022-future-us-data-privacy-law-new-ban-on-ga-watched-from-home-employees/ (published Mon, 27 Jun 2022 10:46:32 +0000)

The post Weekly digest 20 – 26 June 2022: future US data privacy law, new ban on GA, ‘watched from home’ employees appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: future US data privacy law, Canada’s Bill C-27

Last week the “American Data Privacy and Protection Act” was officially introduced in the US House of Representatives. If enacted by Congress, the bill promises to give consumers foundational data privacy rights, create strong oversight mechanisms and establish meaningful enforcement. The proposed federal privacy law contains two key provisions: federal preemption of many state privacy laws and a private right of action. According to dataprotectionreport.com, it is the only bill currently under congressional consideration that contains both. The bill’s four titles draw on many of the GDPR’s key principles:

  • Duty of loyalty (data minimization, privacy by design, loyalty to individuals with respect to pricing).
  • Consumer data rights (consumer awareness, transparency, individual data ownership and control, right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, data security and protection of covered data, small business protections, and unified opt-out mechanisms).
  • Corporate accountability (executive responsibility, service providers and third parties, technical compliance programs, approved compliance guidelines, digital content forgeries).
  • Enforcement, applicability, and miscellaneous (Enforcement by the Federal Trade Commission, by State Attorneys General, by individuals, relationship to Federal and State laws, COPPA, etc.).

Meanwhile in Canada, a new draft Digital Charter Implementation Act (Bill C-27) was introduced by the ministers of Industry and Justice. It would strengthen Canada’s existing legal framework for personal information protection in the private sector and introduce new rules related to artificial intelligence: 

  • the Consumer Privacy Protection Act, (CPPA), would repeal and replace the Personal Information Protection and Electronic Documents Act with a more robust framework in line with the General Data Protection Regulation;
  • the Personal Information and Data Protection Tribunal Act would establish an administrative tribunal for organizations and individuals to seek a review of Privacy Commissioner decisions, as well as impose administrative monetary penalties for certain violations of the CPPA; and
  • the Artificial Intelligence and Data Act would regulate the development and deployment of high-impact AI systems, establish an AI and Data Commissioner and outline criminal prohibitions and penalties for certain uses of AI.

Official guidance: proxy servers for US data transfers, advertising and address trading, health sector professionals

The French regulator CNIL has recently published a guide (in French) on how to bring an audience measurement tool into compliance with the GDPR, using Google Analytics as the reference case. In February 2022 the CNIL, after cooperating with its European counterparts, issued formal notices to several organisations using Google Analytics because of their unlawful transfers of data to the US. Merely changing the settings that govern how the IP address is processed is not enough, the CNIL says, in particular because the address continues to be transferred to the US. Another defence often put forward is “encrypting” the identifier generated by Google Analytics, or replacing it with an identifier generated by the site operator. In practice, however, this provides little or no additional safeguard against possible re-identification of data subjects, mainly because Google continues to process the IP address.

The use of a correctly configured proxy, however, can constitute an operational solution that limits the risks to people’s privacy, because it breaks the contact between the user’s terminal equipment and Google’s server. Beyond the case of Google Analytics, this type of solution can also make it possible to reconcile the use of other measurement tools with the GDPR’s rules on data transfers. The proxy server must also be hosted under conditions guaranteeing that the data it processes will not be transferred outside the EU/EEA to a country that does not have an adequacy decision. It is up to the data controller to analyse how to put the necessary measures in place if it wishes to use this type of solution, and to verify that those measures are maintained over time as products evolve.
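As an added illustration of the proxy pattern the CNIL guide describes (this is example code written for this digest, not the CNIL’s, Google’s or any vendor’s), the functions below show the kind of rewriting an EU-hosted proxy would apply to each analytics hit before forwarding it upstream: the client IP is never forwarded, Google’s client identifier is replaced by a keyed pseudonym that rotates per period, the page URL loses its query string, external referrers are dropped and fingerprint-prone device parameters are removed. It assumes the hit arrives in the Universal Analytics Measurement Protocol (v1) query-string form with its standard parameter names (cid, uip, dl, dr, ua, sr and so on); the function names, the site secret, the daily rotation period, the parameter allowlists and the sample hit are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Measurement Protocol v1 parameters that directly identify a person or device.
# The IP override ("uip") and user ID ("uid") must never leave the proxy.
DIRECT_IDENTIFIERS = {"uip", "uid", "_gid", "geoid"}
# Parameters that feed device fingerprinting: user agent, screen size, viewport,
# colour depth, Flash/Java flags, document encoding. Page counting does not need them.
FINGERPRINT_PARAMS = {"ua", "sr", "vp", "sd", "fl", "je", "de"}
GENERIC_USER_AGENT = "Mozilla/5.0 (proxied)"  # assumed fixed value sent upstream
# Browser request headers the proxy must never copy onto its own upstream request.
BLOCKED_HEADERS = {"cookie", "referer", "user-agent", "x-forwarded-for", "forwarded", "x-real-ip"}

# Constructed sample hit, as a browser's analytics.js would send it to /collect.
SAMPLE_HIT = (
    "v=1&tid=UA-12345-1&cid=555.777&t=pageview"
    "&dl=https%3A%2F%2Fexample.org%2Fpage%3Futm_source%3Dnews%26token%3Dabc"
    "&dr=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dx"
    "&uip=203.0.113.9&ua=Mozilla%2F5.0+(iPhone)&sr=390x844&ul=fr-fr"
)


def strip_query(url):
    """Drop the query string and fragment so UTM tags, tokens and the like stay in the EU."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymous_client_id(cid, site_secret, period):
    """Replace Google's client ID with a keyed, period-bound pseudonym.

    The key is derived from the site secret and the period (e.g. the calendar day),
    so a visitor is recognisable within a period but cannot be linked across
    periods, and Google never sees the identifier stored in the browser.
    """
    period_key = hmac.new(site_secret, period.encode(), hashlib.sha256).digest()
    return hmac.new(period_key, cid.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_hit(query_string, site_secret, period):
    """Return the parameters the proxy may forward for one analytics hit."""
    raw = parse_qs(query_string, keep_blank_values=True)
    params = {name: values[0] for name, values in raw.items()}
    page_host = urlsplit(params.get("dl", "")).netloc.lower()
    cleaned = {}
    for name, value in params.items():
        if name in DIRECT_IDENTIFIERS or name in FINGERPRINT_PARAMS:
            continue
        if name == "cid":
            cleaned["cid"] = pseudonymous_client_id(value, site_secret, period)
        elif name == "dl":
            cleaned["dl"] = strip_query(value)
        elif name == "dr":
            # Keep the referrer only when it is the site itself; external referrers
            # (search engines, other sites) reveal where the visitor came from.
            if page_host and urlsplit(value).netloc.lower() == page_host:
                cleaned["dr"] = strip_query(value)
        else:
            cleaned[name] = value
    cleaned["ua"] = GENERIC_USER_AGENT  # one generic UA for every forwarded hit
    return cleaned


def upstream_headers(browser_headers):
    """Headers for the proxy's own request to the collection endpoint."""
    return {k: v for k, v in browser_headers.items() if k.lower() not in BLOCKED_HEADERS}


if __name__ == "__main__":
    print(sanitize_hit(SAMPLE_HIT, b"site-secret", "2022-06-27"))
```

The proxy would then send the returned parameters to the collection endpoint from its own EU address, with `upstream_headers()` applied to whatever it copies from the browser request, so the upstream server sees the proxy’s IP, a rotating pseudonym and a trimmed page URL rather than the visitor’s. This covers only the transformations the CNIL text above mentions; the guide sets further conditions (EU hosting, no cross-site identifiers, periodic re-verification as the product changes), and the controller must still document its own analysis.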

The Berlin data protection authority published guidance on advertising and address trading (in German). Advertising is relevant to data protection law whenever personal data is used for advertising purposes, for example personally addressed advertising mail, or e-mail advertising sent to addresses that contain personal references or that addresses the recipient by name. Unaddressed direct mail in the letterbox or advertising inserts, on the other hand, are not covered by data protection law.

Address traders may collect personal data from business directories, commercial registers, telephone directories and other publications. As a precaution, the regulator therefore generally recommends that consumers share their own data sparingly and, when ordering online, consider whether they want advertising from the company and, if not, object to advertising when placing the order. It also offers sample letters for exercising data subject rights: access to the data stored about the person, deletion of stored personal data, objection to the use of stored personal data for advertising purposes, and objection to the use of personal data stored by Deutsche Post.

And for those who can read Spanish, the AEPD has published a guide aimed at professionals in the health sector. The document addresses frequent issues such as the lawful basis for processing health data (beyond the patient’s informed consent – ed.), who can access the clinical history and in what cases, the responsibilities and obligations arising from this processing, the handling of patients’ rights, and situations that may involve communicating data to third parties. To that end, the guide attempts to address the various situations that arise when health professionals deliver their services in hospitals or clinics, indicating the criteria for identifying, in each case, who is the controller for patients’ data and the corresponding clinical histories.

Investigations and enforcement actions: sound recording, cookies, ban on GA in Italy, unauthorised disclosure and data storage

The Polish data protection regulator UODO fined the Warsaw Centre for Intoxicated Persons some 2,000 euros over the monitoring system it used. The centre was accused of recording sound in the facility without a legal basis. The controller confirmed that the system records both video and sound, and that the purpose of the processing is, inter alia, constant supervision of persons brought in to sober up, to ensure their safety. The recordings covering all rooms, including audio and video, are kept for 30 to 60 days, except where a recording is preserved as evidence in pending proceedings. As the legal basis, the centre indicated that the processing is necessary to fulfil a legal obligation incumbent on the controller, and it also referred to the provisions of the Act on Upbringing in Sobriety and Counteracting Alcoholism.

In the supervisory authority’s opinion, those legal provisions did not authorise the controller to record sound as well as video. Sound recording is a redundant activity in this context, justified neither by the GDPR nor by the Act on Upbringing in Sobriety and Counteracting Alcoholism. Moreover, the fact that audio was recorded for such a long period means the infringement may potentially affect a very large number of people. In the UODO’s view, recording the voices of people who are often intoxicated, and therefore unable to consciously formulate their statements or control the sounds they make, is an excessive and pointless activity.

The Belgian data protection authority GBA imposed a fine of 50,000 euros on the Rossel press group for its management of cookies on the websites lesoir.be, sudinfo.be and sudpressedigital.be. The fine mainly relates to violations related to the required consent for the placement of non-essential cookies. This is the second decision taken by the GBA as part of its thematic research into the management of cookies on the most popular Belgian press sites. During its investigation in this area, the GBA identified several violations on the above sites:

  • several cookies were placed on the visitor’s device by these websites before the visitor’s consent,
  • analytical and social network cookies were placed on the basis of legitimate interest rather than the user’s consent,
  • the cookie policy was incomplete and difficult to access,
  • further browsing was considered as a sign of the user’s consent, while consent can only be considered valid if it is the result of a clear and sufficiently specific, active action to confirm the acceptance of cookies,
  • the consent boxes for the placement of cookies by third parties were already pre-ticked. 

Moreover, when a user withdrew their consent, the procedure was ineffective.   
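As an added worked check for the first and last of the GBA’s findings (example code written for this digest, not the GBA’s or the press group’s), the functions below run over a constructed capture of a site’s first page load, before the visitor has touched the consent banner: they list every cookie written at that point that is not on the site’s allowlist of strictly necessary cookies, mark which of them are third-party using the RFC 6265 domain-match rule, and list non-essential cookies that survive a consent withdrawal. The site host, the allowlist of necessary cookie names and the Set-Cookie headers are all assumptions; a real audit would feed in the Set-Cookie headers from a HAR capture of the first load.

```python
from http.cookies import SimpleCookie

SITE_HOST = "www.example-news.be"  # assumed site under audit
# Assumed allowlist: cookies the site can justify as strictly necessary (no consent needed).
STRICTLY_NECESSARY = {"PHPSESSID", "csrf_token", "cookie_consent"}

# Constructed capture of the first page load: (host that sent the response, Set-Cookie header).
FIRST_LOAD = [
    ("www.example-news.be", "PHPSESSID=9f2c1e; Path=/; HttpOnly; Secure"),
    ("www.example-news.be", "_ga=GA1.2.1111.2222; Domain=.example-news.be; Max-Age=63072000; Path=/"),
    ("www.facebook.com", "fr=0abc; Domain=.facebook.com; Max-Age=7776000; Path=/; Secure"),
    ("www.example-news.be", "cookie_consent=pending; Path=/; Max-Age=31536000"),
]


def domain_matches(host, cookie_domain):
    """RFC 6265 domain matching: the cookie domain equals the host or is a parent of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lstrip(".").lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def parse_set_cookie(header_value, response_host):
    """Parse one Set-Cookie header into (name, effective domain) pairs.

    Without a Domain attribute a cookie is scoped to the host that sent it.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    return [
        (name, (morsel["domain"] or response_host).lstrip(".").lower())
        for name, morsel in jar.items()
    ]


def audit_pre_consent(site_host, observed, necessary=STRICTLY_NECESSARY):
    """Flag cookies written before any consent that the site cannot call strictly necessary."""
    findings = []
    for response_host, header in observed:
        for name, domain in parse_set_cookie(header, response_host):
            first_party = domain_matches(site_host, domain)
            if name in necessary and first_party:
                continue  # an allowlisted first-party cookie may be set without consent
            findings.append({"name": name, "domain": domain, "third_party": not first_party})
    return findings


def audit_withdrawal(cookie_names_after_withdrawal, necessary=STRICTLY_NECESSARY):
    """Non-essential cookies still present after the user withdrew consent."""
    return sorted(set(cookie_names_after_withdrawal) - set(necessary))


if __name__ == "__main__":
    for finding in audit_pre_consent(SITE_HOST, FIRST_LOAD):
        print("set before consent:", finding)
    print("left after withdrawal:", audit_withdrawal(["PHPSESSID", "_ga", "cookie_consent"]))
```

On the constructed capture the audit flags the first-party analytics cookie and the third-party social network cookie as set before consent, and reports the analytics cookie as still present after withdrawal. The two remaining GBA findings, pre-ticked boxes and “further browsing equals consent”, concern the banner’s behaviour rather than the cookies themselves and have to be checked by inspecting the consent dialogue.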

The Italian data protection supervisor Garante ruled that a website using Google Analytics without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the US, which does not have adequate levels of data protection. The regulator came to this conclusion after a complex fact-finding exercise it started in close coordination with other EU data protection authorities, after receiving complaints.

In the case at hand, the website operator using GA collected, via cookies, information on users’ interactions with the website, the pages visited and the services on offer. The wide-ranging set of data collected included the user’s device IP address along with information on the browser, operating system, screen resolution, selected language, and date and time of the page view. This information was found to be transferred to the US. On the basis of these findings the regulator adopted a decision, to be followed by others, reprimanding Caffeina Media, a website operator, and ordering it to bring the processing into compliance with the GDPR within 90 days. If it fails to do so, suspension of the GA-related data flows to the US will be ordered. The Italian authority calls on all controllers to verify the use of cookies and other tracking tools on their websites.

The Garante also recently imposed a fine of 2,500 euros on the Isabella Gonzaga High School for violations of Articles 5, 6 and 9 of the GDPR through unauthorised disclosure of a special category of data, Data Guidance reports. According to the complaint, the high school had published, in a section of the electronic register reserved for teachers, a document containing the final timetable for the 2020-2021 school year which showed, next to the complainant’s name, the benefits the complainant received on account of their disability. The regulator found that:

  • the document in question contained detailed information about personal and family events or information linked to the specific employment relationship of other teachers, (eg, maternity leave due to serious pregnancy complications), 
  • the restricted document had been published due to a human error to a very wide range of unauthorised persons, namely all of the plaintiff’s colleagues among the teaching staff.

The Danish data protection agency hit Gyldendal A/S with a fine of approximately 135,000 euros for storing information about 685,000 book club members for longer than necessary. Gyldendal kept the information in a so-called “passive database”. Information on some 395,000 former members had been deliberately retained for more than 10 years after they had left the book clubs, and Gyldendal had no procedures or guidelines for deleting information from the passive database. After the inspection visit, Gyldendal deleted everything in the passive database and told the regulator that, on the company’s own assessment, it would be necessary to store information about members who have cancelled for up to six years. Also according to Gyldendal, only two employees had access to the passive database.

Big Tech: pregnancy-related data, coffee-shop location data, new ways to verify age, ‘watched from home’ employee monitoring

The US tech sector is bracing for the possibility of having to hand over pregnancy-related data to law enforcement after the Supreme Court overturned the constitutional right to an abortion, Reuters reports. As state laws could restrict abortion following the ruling, technology trade representatives reportedly fear that police will obtain warrants for customers’ search history, geolocation and other information indicating plans to terminate a pregnancy; prosecutors could also obtain the same data by subpoena. In one example, Mississippi prosecutors charged a mother with second-degree murder of her newborn baby after her smartphone showed she had searched for abortion medication in her third trimester.

Canada’s provincial and federal privacy regulators recently investigated the privacy and data management practices of a well-known coffee shop and restaurant chain, DLA Piper reports. The complaint alleged that the chain’s mobile app unlawfully collected a significant amount of personal information and location data at a very high frequency, even when the app was not in use. The data was then processed by a third-party supplier based in the US. The data collected by the app, on its own or combined with other data, could be used to infer a wealth of information about the individual, including highly sensitive information such as home address, workplace and travel habits. The business did not:

  • conduct a privacy impact assessment before launching its application,
  • adequately inform users of how the data would be collected before obtaining their consent,
  • obtain clear and detailed consent for such uses of data, 
  • clarify contractual obligations with the third party on the use of the data collected for its own purposes.

Privacy International investigated Office 365 and found features that can enable employers to access all communications and activities on Microsoft services. One of these features, the “Microsoft Office 365 Admin Center”, can inform administrators about productivity and efficiency of employees within their company. Another source of far more granular employee information is the “Microsoft Teams Admin Center”, followed by the “Audit” and “Content Search” features. From there an administrator can select specific users and read individual metrics from each, including how long they spent on calls, how many messages they exchanged, how many group and 1-1 meetings they attended and more. These features can be operated without the employees’ knowledge and there seems to be a lack of transparency for users in terms of what data is collected and for what purpose, PI says: “This includes not only a list of pretty much most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through e-mail”.

Finally, Instagram is to introduce new ways to verify age. In addition to providing an ID, people will now be able to ask others to vouch for their age or use technology that can confirm their age based on a video selfie. For that Meta is partnering with Yoti, a company that specializes in privacy-preserving ways to verify age. “If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we’ll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age (social vouching)”, says a company statement. In addition to testing the new menu of options to verify people’s ages, Meta also claims to be using AI to understand if someone is a teen or an adult. Read more in the original statement by the company.

The post Weekly digest 20 – 26 June 2022: future US data privacy law, new ban on GA, ‘watched from home’ employees appeared first on TechGDPR.