HIPAA Archives - TechGDPR
https://techgdpr.com/blog/tag/hipaa/

Data protection digest 4-18 Jan 2026: Legitimate Interests Assessment, AWS Europe Sovereign Cloud, Google settlement over child data
https://techgdpr.com/blog/data-protection-digest-22012026-legitimate-interests-aws-europe-sovereign-cloud-google-settlement-over-child-data/
Thu, 22 Jan 2026

Legitimate Interests Assessment (LIA)

The Hamburg Data Protection Commissioner has provided a comprehensive questionnaire for determining whether the legitimate interests legal basis applies to a processing activity. It helps controllers to examine and document precisely what their interest in the data processing is and whether the rights and interests of the data subject are adequately considered. It guides users step-by-step through the most important checkpoints:

  • Determination: What objectives are pursued with the data processing, and are these legally permissible?
  • Necessity: Is the processing necessary, and is only the required personal data collected?
  • Balancing: Are the rights and interests of the individuals concerned sufficiently considered and protected?
  • Documentation and compliance: Are the audit procedures recorded and regularly updated?

You can download the LIA questionnaire in German or the LIA questionnaire in English.


EDPB updates

The European Data Protection Board welcomes comments on its recommendations on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P). Comments should be sent by 2 March. BCRs are a tool for providing appropriate safeguards for transfers of personal data by a group of undertakings engaged in a joint economic activity to third countries that do not provide an adequate level of protection pursuant to the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, where the controller is not part of the group. Read more about the scope of BCR-P and its interplay with data processing agreements here.

Other developments

Legitimate Interests

AWS Europe Sovereign Cloud: The German Federal Office for Information Security (BSI) has announced its support for the US cloud provider Amazon Web Services in the design of security and sovereignty features for its new European Sovereign Cloud (ESC): an independent cloud infrastructure located entirely within the EU, whose operation will be technically and organisationally independent from the global AWS instance.

Later this year, the BSI will publish general sovereignty criteria for cloud computing solutions based on the new framework. These criteria will serve as a basis for assessing the degree of autonomy of cloud solutions and can also be used in procurement processes.

HIPAA Security Rule: In the US, the HIPAA Security Rule requires HIPAA-covered entities and business associates to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the regulated entity creates, receives, maintains, or transmits. To that end, the US Department of Health and Human Services has published its latest recommendations on System Hardening and Protecting ePHI. The measures include:

  • patching known vulnerabilities
  • removing or disabling unneeded software and services
  • enabling and configuring security measures that sometimes intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as access controls, encryption, audit controls, and authentication.

GDPR certifications and codes of conduct

France’s CNIL maps the deployment of GDPR compliance tools across Europe. Two maps list the certifications and codes of conduct approved by national supervisory authorities or by the European Data Protection Board since the entry into force of the GDPR. These instruments may operate at either the national or European level. Certification (Art. 42 of the GDPR) makes it possible to demonstrate that a product, service, or data processing activity meets data protection criteria set out in an approved certification scheme. A code of conduct (Art. 40 of the GDPR) translates the Regulation’s obligations into concrete, sector-specific rules and becomes binding on its members.

UK international transfers

The UK Information Commissioner published updated guidance on international transfers of personal data, making it quicker for businesses to understand and comply with the transfer rules under the UK GDPR. It sets out a clear ‘three-step test’ for organisations to use to identify whether they are making restricted transfers. New content also provides clarity on areas where organisations have questions, such as roles and responsibilities, reflecting the complexity of multi-layered transfer scenarios.

Multi-device consent

The French regulator also published its recommendations (in French) on the collection of cross-device consent. For instance, when a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices are then automatically applied to all devices connected to that account, including their phone, tablet, computer or connected TV, as well as the browser or app they are using. Users must therefore be clearly informed that their choices are linked to their account in this way.

More from supervisory authorities

Remote job interviews: According to the Latvian regulator DVI, an employer may collect the content of a remote job interview using AI tools if an appropriate legal basis can be applied. Such data processing may be carried out based on the candidate’s consent or the legitimate interests of the company. Consent must be freely given, specific, unambiguous and informed. If the processing is carried out based on legitimate interests, a balancing test of the interests of both parties must be carried out before such processing is initiated.

Regardless of the chosen legal basis, the data controller is obliged to inform the candidate before the interview about the planned data processing during the interview, including the use of AI tools, the purposes of processing, the data retention period and the candidate’s rights. The candidate has the right to object, and such objections must be taken into account; in the event of potential harm, the processing must be stopped.

Cybersecurity guide: The Australian Cyber Security Centre published guidance with a checklist on managing the cybersecurity risks of artificial intelligence for small businesses adopting cloud-based AI technologies. Reportedly, more small businesses are using AI through applications, websites and enterprise systems hosted in the public cloud, such as OpenAI’s ChatGPT, Google Gemini, Anthropic’s Claude, and Microsoft Copilot. Before adopting AI tools, small businesses should understand the related risks and ways to mitigate them, including:

  • data leaks and privacy breaches
  • reliability and manipulation of AI outputs
  • supply chain vulnerabilities.

Data subject rights in the event of a bankruptcy

The Norwegian data protection authority has imposed a fine on Timegrip AS. The case concerns a retail chain that went bankrupt, whose employees needed to document the hours they had worked. Timegrip had been the data processor for the retail chain until the bankruptcy and still stored this data. However, it would not provide the data to either the bankruptcy estate or the employees themselves.

Timegrip argued that it did not have the right to provide the complainant with a copy because a data processor may only process personal data on the basis of an instruction from the controller. Since the controller, the retail chain, had gone bankrupt, Timegrip claimed that no one could give it such an instruction. Timegrip refused access requests from 80 different individuals, despite being aware that they were in a vulnerable situation and dependent on the timesheets to document their salary claims.

In addition, it was Timegrip that made decisions about essential aspects of the processing, such as what the data could be used for, the storage period and who could have access to the personal data. In other words, it was clear that it was Timegrip that exercised the real control over the personal data.


Google multimillion-dollar settlement over child data

In the US, a federal judge granted final approval for a 30 million dollar class action settlement against Google, after six years of litigation with parents claiming the tech giant violated children’s privacy by collecting data while they watched YouTube videos. Although Google doesn’t charge for access to YouTube, the company does use it as a revenue source. It collaborates with advertisers and the owners of popular YouTube channels to advertise on specific videos, with Google and the channel owners splitting the payments received from advertisers.

In other news 

Free Mobile fine: The French CNIL issued two sanctions against the companies FREE MOBILE and FREE, imposing fines of 27 and 15 million euros, respectively, over the inadequacy of the measures taken to ensure the security of their subscribers’ data. In October 2024, an attacker managed to infiltrate the companies’ information systems and access personal data concerning 24 million subscriber contracts, including IBANs where the individuals were customers of both companies.

The investigation showed that the authentication procedure for connecting to the VPN of both companies, used in particular for remote work by the companies’ employees, was not sufficiently robust. In addition, the measures deployed by the companies to detect abnormal behaviour on their information systems were ineffective.

Major university data breach: In Australia, a cyberattack compromised the personal information of students from all Victorian government schools. An unauthorised external third party accessed a database containing information about current and past student accounts, including student names, school-issued email addresses, and encrypted passwords. In the opinion of the Australian legal expert from Moores who analysed the breach, certain factors tend to correlate with such incidents. These include:

  • adoption of new CRMs and platforms (including leaving administrator access open and having incorrect privacy settings, which make online forms publicly searchable);
  • keeping old information which is no longer required;
  • a spike in emails sent to incorrect recipients on Fridays and in the lead-up to school holidays;
  • spreadsheets sent via email (instead of via SharePoint, for example).

Business email compromise

Business Email Compromise (BEC) is currently one of the fastest-growing forms of digital fraud, according to the Dutch National Cybersecurity Centre. In BEC, criminals pose as trusted individuals within an organisation, often a director or manager, but also a colleague, supplier, or customer.

The criminals’ goals can vary, such as changing account numbers, obtaining login credentials, stealing sensitive information, or using compromised accounts for new phishing campaigns. The power of BEC lies not in its technical complexity but in exploiting the principles of social influence. BEC fraudsters cleverly utilise subtle social pressure, for example, by capitalising on scarcity by creating a sense of urgency, exploiting reciprocity by first building trust or asking for small favours, or relying on an authority figure. 

And finally 

AI prompting guide: IAB Europe has published its AI Prompting Guide. It provides practical, reusable techniques you can apply immediately, including, among others, managing risks such as hallucinations, sensitive data exposure, bias, and prompt injection. Some of these risks can be mitigated through careful prompting, review, and user judgment, while others require more structural safeguards such as validation, monitoring, and clear boundaries around how models are used.

For instance, sensitive data exposure occurs when confidential, personal, or proprietary information is included in prompts or generated in outputs inappropriately. This can involve personal data, commercial secrets, or information subject to legal or contractual restrictions. The mitigation strategy would include:

  • removing or anonymising sensitive information before including it in prompts
  • limiting the amount of context shared to what is strictly necessary for the task
  • following organisational guidance on approved tools and data handling, and
  • applying access controls where models are integrated into workflows.

For sensitive use cases, ensure outputs are reviewed before being stored, shared, or acted upon.

Data protection digest 18 – 31 Oct 2023: “Pay or Okay” – Will Meta new subscription model survive the GDPR test?
https://techgdpr.com/blog/data-protection-digest-02112023-will-new-subscription-model-of-meta-survive-the-gdpr-test/
Thu, 02 Nov 2023

In this issue, we look at Meta’s new ads-free subscription model as the corporation runs out of available legal grounds for tracking and profiling people in the EU for targeted advertising, while being banned from using contract law and legitimate interest as justification.

Meta subscription model vs GDPR

Meta’s latest announcement of ads-free paid services in Europe is now challenged by the EDPB’s urgent binding decision. At the request of the Norwegian privacy regulator, Meta will soon be banned from relying on the legal bases of contract and legitimate interest for tracking and profiling users for ad targeting across the entire EEA. The EDPB takes note of Meta’s new proposal to rely on a consent-based subscription model as a legal basis instead. The lead Irish Data Protection Commission is currently evaluating this together with the concerned supervisory authorities, who have already expressed serious doubts.

Meta has just announced that it will offer people in the EU, EEA and Switzerland the choice to pay a monthly subscription to use Facebook and Instagram without any ads. Meanwhile, advertisers will be able to continue running personalised advertising campaigns in Europe to reach those who choose to continue receiving a free, ad-supported online service. Meta believes that this subscription model (“pay or agree”) is a valid form of consent for an ads-funded service, anticipating the requirements of the European privacy regulators and the recent CJEU ruling.

Legal processes

America’s AI Action: President Biden issued a comprehensive Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. The most sweeping actions compel the developers of the most powerful AI systems to disclose their safety test findings and other key information to the US government. The order promotes the responsible use of AI in education and healthcare, and the development of affordable and life-saving drugs. It also promotes best practices to mitigate harms and maximize the benefits of AI for workers and consumers. Finally, it emphasizes the responsible government deployment of AI and the modernization of the federal AI infrastructure.

The Biden Administration will continue to collaborate with Congress to pursue bipartisan legislation for responsible innovation. The US Department of Commerce, along with the National Institute of Standards and Technology and other federal agencies, will be responsible for carrying out the EO’s objectives.

Draft EU AI Act: Meanwhile, the EDPS issued its opinion on the Artificial Intelligence Act as discussions between the EU’s co-legislators reach the final stages. It calls for banning high-risk AI systems such as those for the automatic recognition of human characteristics and other behavioural signals in public spaces, as well as profiling based on biometric traits. The EDPS is prepared to serve as the EU’s AI Supervisor and welcomes the formation of the European Artificial Intelligence Office. It believes that persons harmed by the use of AI systems should have the right to file a complaint with the competent national data protection authorities.

Legal redress

Clearview AI escapes punishment: Last year the UK Information Commissioner fined Clearview more than 7.5 million pounds for illegally keeping millions of face pictures. Now the First-tier Tribunal has quashed the enforcement, as the company’s services were only used by law enforcement agencies outside the UK. Although Clearview did engage in data processing connected to monitoring people’s behaviour in the UK, the ICO “did not have jurisdiction” to initiate enforcement action or levy a fine. France, Italy and Australia had taken similar action against the firm. Clearview previously had commercial customers, but following a 2020 settlement in the US, the company now only takes clients that carry out criminal law enforcement or national security duties.

Official guidance

Shoplifting: According to the UK Information Commissioner, more retailers are turning to technology to protect their businesses. Data protection law enables retailers to share criminal offence data as long as it is necessary and proportionate. Sharing information with the manager of another store in your shopping centre is likely to be appropriate, while wider public disclosures, such as posting it on an online retail-related social media platform, are less likely to be justifiable.

Consent criteria: Quebec has published guidelines on the criteria for valid consent (in French). Consent must be obtained before carrying out any processing activity, and it is essential that the organisation documents it. Consent must be: evident, free, informed, specific, granular, understandable, temporary, and presented separately from any other information. Subject to exceptions, organisations must obtain consent to reuse data or to disclose it to a third party. Equally, consent can be withdrawn at any time by the data subject. If any of the above criteria is not met, the consent is invalid.

DP Toolkit: Jersey’s data protection authority created a dedicated resource zone. It features a variety of toolkits for small, medium and large organisations as well as financial services, non-executive directors, and non-profit organisations: a blend of infographics, step-by-step guidance, how-to-guides, templates, checklists and videos.

AI Q&A: The French privacy regulator published the first set of guidelines for the use of AI in compliance with the GDPR. The CNIL confirms the compatibility of AI research and development with the data protection principles. The principle of data minimisation does not prevent the training of algorithms on very large datasets. On the other hand, the data used must, in principle, have been selected to optimise the training while avoiding the use of unnecessary information. In any case, certain precautions to ensure data security are essential.

Enforcement decisions

BBVA: Following a complaint by an individual, the Spanish data protection regulator issued a fine of one million euros on Banco Bilbao Vizcaya Argentaria (BBVA). The complainant, a BBVA client, had lost their purse containing their bank card. Following that, they claimed to have demanded that BBVA block all of their banking products. After BBVA allegedly refused to act on the complainant’s request, third parties reportedly used identity theft to access the complainant’s financial products, take out loans, and transfer money from the complainant’s bank accounts.

Canal+: The French data protection authority CNIL fined the CANAL+ group 600,000 euros for poor data practices. In particular, its standard forms for the collection of prospect data did not contain any information on the identity of the recipients to whom the data was transmitted. It also failed to inform individuals when they created a MyCanal account and during cold calls. The company also did not respond to some access requests. Apart from that, the CNIL found that a subcontracting contract did not include all the required information, and that the storage of the company’s employees’ passwords was not sufficiently secure.

Data breaches

Gap Personnel: A UK recruitment company did not have appropriate security measures in place, which resulted in an unauthorised threat actor accessing and exfiltrating individuals’ data (13,720 UK data subjects) twice within 12 months. Gap was unable to determine the specific cause of the incident but believes it is likely that the threat actor leveraged an insecure script (a PHP file) and performed an SQL injection attack. At the time of the incident, there were four specific vulnerabilities: a) an unsupported version of MySQL, b) an unsupported PHP version, c) poorly written PHP code and d) insufficient logging.

Optionis: In a similar reprimand, a data controller (Optionis Group) suffered a ransomware attack, which resulted in the exfiltration of personal data. A reprimand was issued in respect of specific infringements of the UK GDPR, which include a lack of multi-factor authentication, an inadequate account lockout policy, and no clear Bring Your Own Device policy. An aggravating factor was that Optionis took 11 months to notify all individuals of the breach. The company explained that the analysis of the impacted personal data took a considerable amount of time to complete, in particular due to the size of the dataset. You can read the full decision here.

Data security

Telehealth: The US Office for Civil Rights released a HIPAA-dedicated resource to help health care providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications. The HIPAA Rules do not require covered health care providers to educate patients about these risks; however, OCR is sharing this resource to assist providers who would like to explain to patients the privacy and security risks to their protected health information. Examples of such risks include viruses and other malware, unauthorized access, and accidental disclosures.

Code of Practice for app developers: The UK government published the latest version of its code, which should be used from now on by app store operators and app developers. The UK government has investigated the app ecosystem and found a range of threats relating to malicious and poorly developed apps. App store operators and developers must comply with the broader requirements of data protection law, so new sections have been added to highlight the requirements of particular relevance to the Code of Practice.

Non-banking financial services: The US Federal Trade Commission has approved an amendment that would require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lending institutions, to report data security breaches. The amendment will require the FTC to be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without authorization. The notice to the FTC must also include the number of consumers affected or potentially affected.

Big Tech

SolarWinds breach aftershock: The US Securities and Exchange Commission has charged SolarWinds and its Chief Information Security Officer with fraud and internal control failures. In 2020, hackers targeted SolarWinds by deploying malicious code into its Orion IT monitoring and management software, used by thousands of enterprises and government agencies worldwide. The complaint alleges that the software company misled investors about its cybersecurity practices and known risks, in particular that SolarWinds’ remote access set-up was not very secure and that someone exploiting the vulnerability “could basically do whatever without detecting it”.

In-vehicle monitoring: California enacted legislation that requires vehicle manufacturers to disclose the presence of in-vehicle cameras and prohibits any images or video recordings collected from being used for any advertising purpose, sold, or shared with any third party. The act requires consent before a person or entity other than the user retains a recording from an in-vehicle camera anywhere other than in the vehicle itself, or downloads or retrieves such a recording, unless this is done for diagnostics, service, repair, or improvement of equipment and systems. The act also provides consumers the right to revoke consent.

London Ulez fines: The Guardian reports that thousands of fines for breaches of London’s ultra-low emission zone (Ulez) rules may have been sent unlawfully to EU drivers, according to the Belgian authorities. Since Brexit, UK authorities do not have access to the personal data of EU citizens for non-criminal enforcement. However, drivers in several EU countries have received fines, many totalling thousands of pounds, for failing to pay their Ulez charge before driving into London. Some have been penalised mistakenly, and one driver was fined nearly 11,000 pounds after a three-day visit in a hire car. Read the full story here.

Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban
https://techgdpr.com/blog/data-protection-digest-20022023-synthetic-data-for-fintech-excel-guide-palantir-technology-ban/
Mon, 20 Feb 2023

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals

The UK Financial Conduct Authority (FCA) issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case for synthetic data, in part due to its ability to augment rare patterns of behaviour in a dataset. Whilst data protection legislation places conditions on such data processing, the FCA emphasises that data sharing between different entities (e.g., access to real datasets, as well as synthetic transactional datasets with embedded fraud typologies) is possible under the current regulatory framework if at least one lawful basis is met, accompanied by built-in privacy by design, data protection impact assessments, data sharing agreements, and other legal requirements.

The European Parliament adopted the draft Data Act – new rules for fair access and use of industrial data. It would contribute to the development of new services, in particular in the sector of AI where huge amounts of data are needed for algorithm training. It can also lead to better prices for after-sales services and repairs of connected devices. When companies draft their data-sharing contracts, the law will rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies that are in a significantly stronger bargaining position. Finally, the proposed act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers.

The CJEU rendered two decisions regarding the procedures for dismissing data protection officers and their potential conflicts of interest (under the German Federal Data Protection Law), insideprivacy.com reports. In the relevant cases, the DPO also handled other organisational duties in a professional capacity. The data controllers argued that since those positions were incompatible (chair of the works council in one of the cases), the DPO’s dismissal was appropriate. The former DPO started a legal action which ended up in the EU’s top court.

However, the CJEU determined that as long as the national laws do not undermine the goals set for DPOs under the GDPR, EU member states may require that DPOs be dismissed for “just cause”. It is also for the national courts to decide whether a conflict of interest existed taking into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in light of all the applicable rules, including any policies of the controller or its processor.”

Official guidance: MS Excel, research projects, free data protection tool, game developers

Bavaria’s data protection authority explains how to avoid data breaches when using Microsoft Excel. Many users operate the program intuitively; contrary to its primary purpose, Excel is often used simply because Word does not offer enough columns. However, if there is personal data in an Excel workbook, improper handling of the application can easily trigger a data breach. Excel workbooks can contain multiple worksheets (the number is limited only by the available memory), even if you do not regularly work with such “multi-sheet” workbooks yourself. Be especially careful with Excel files created by others, as Excel workbooks can contain hidden worksheets, columns, rows, or even individual cells, as well as comments and metadata. It is worth remembering:

  • before sharing an Excel workbook containing personal information, especially before attaching it to an email, make sure that you really want to share everything in it;
  • consider whether the recipient needs to process the file further; otherwise, send a PDF version, which can be checked for hidden data before sending;
  • if possible, consistently delete the worksheets that are no longer required;
  • before creating a new workbook with multiple worksheets, consider whether you can complete the task with multiple single-sheet workbooks;
  • consider whether you need Excel for the task at all, or whether a “simpler” tool (e.g., a word processing program) will suffice.

If not careful, an Excel data breach can trigger the reporting obligation under Art. 33 of the GDPR, and the notification obligation under Art. 34 of the GDPR.
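A scripted pre-sharing check for the hidden content the Bavarian guidance lists (hidden worksheets, hidden rows and columns, cell comments, and author metadata), added here as an example; it is not code from the guidance or from the original post. It reads the .xlsx container directly with the Python standard library, since an .xlsx file is a ZIP archive of XML parts, and the sample workbook it builds, including its sheet names, comment text and author fields, is constructed for the demonstration.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the SpreadsheetML parts inside an .xlsx container
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN_NS}
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def _flag(value):
    """OOXML boolean attributes are written as "1"/"0" or "true"/"false"."""
    return value in ("1", "true")


def inspect_xlsx(path):
    """Collect hidden-data indicators from an .xlsx file without opening Excel."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {},
                "comments": [], "metadata": {}}
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        # Sheet visibility lives in workbook.xml: state="hidden" or "veryHidden"
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.iterfind("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        for name in sorted(names):
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(z.read(name))
                rows = [r.get("r") for r in ws.iterfind("m:sheetData/m:row", NS)
                        if _flag(r.get("hidden"))]
                cols = [(c.get("min"), c.get("max"))
                        for c in ws.iterfind("m:cols/m:col", NS) if _flag(c.get("hidden"))]
                if rows:
                    findings["hidden_rows"][name] = rows
                if cols:
                    findings["hidden_cols"][name] = cols
            elif name.startswith("xl/comments") and name.endswith(".xml"):
                cm = ET.fromstring(z.read(name))
                for c in cm.iterfind("m:commentList/m:comment", NS):
                    text = "".join(t.text or "" for t in c.iter("{%s}t" % MAIN_NS))
                    findings["comments"].append((c.get("ref"), text))
        # Author and last-editor names are personal data in their own right
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, CORE_NS)
                if el is not None and el.text:
                    findings["metadata"][tag.split(":")[1]] = el.text
    return findings


def safe_to_share(findings):
    """True only when nothing hidden was found; metadata is reported, not blocked."""
    return not any(findings[k] for k in ("hidden_sheets", "hidden_rows",
                                         "hidden_cols", "comments"))


def build_sample_workbook(path):
    """Write a constructed, minimal .xlsx (sample data, not a real file) containing
    two hidden sheets, a hidden row, hidden columns, a comment and author metadata."""
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "xl/workbook.xml":
            f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}"><sheets>'
            '<sheet name="Report" sheetId="1" r:id="rId1"/>'
            '<sheet name="Salaries" sheetId="2" state="hidden" r:id="rId2"/>'
            '<sheet name="Raw export" sheetId="3" state="veryHidden" r:id="rId3"/>'
            '</sheets></workbook>',
        "xl/worksheets/sheet1.xml":
            f'<worksheet xmlns="{MAIN_NS}"><cols><col min="3" max="4" hidden="1"/></cols>'
            '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
            '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>M. Example</t></is></c></row>'
            '</sheetData></worksheet>',
        "xl/comments1.xml":
            f'<comments xmlns="{MAIN_NS}"><authors><author>hr</author></authors><commentList>'
            '<comment ref="A2" authorId="0"><text><t>Patient no. 0815 (constructed)</t></text></comment>'
            '</commentList></comments>',
        "docProps/core.xml":
            f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}">'
            '<dc:creator>a.example</dc:creator><cp:lastModifiedBy>HR team</cp:lastModifiedBy>'
            '</cp:coreProperties>',
    }
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)


def demo():
    """Build the constructed workbook in a temp dir and return what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.xlsx")
        build_sample_workbook(path)
        return inspect_xlsx(path)


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to share:", safe_to_share(result))
```

Run it against a real file by calling inspect_xlsx with the path; a non-empty hidden_sheets, hidden_rows, hidden_cols or comments entry is a reason to stop and review before attaching the workbook, and the metadata entry shows which names the recipient will see in the file properties. The same container-level check is what a mail gateway or DLP rule can apply before the file leaves the organisation.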

Meanwhile, the Danish data protection authority has amended its rules for deleting personal data at the end of research projects. Data controllers may have a legitimate need to process information for a period after the end of the investigation (eg, for the purposes of peer review or countering accusations of scientific misconduct), so data should not always be deleted, anonymised, destroyed or returned at the end of a research project. Personal data can be transferred for storage in an archive in accordance with the rules in archive legislation. In addition, in some research areas, work is done with ongoing coverage of research fields and the building of relationships or data material, where it is not meaningful to talk about a project being “finished”.

The Finnish data protection authority is promoting its data protection tool available as open source code to increase the data protection expertise of SMEs. You can familiarise yourself with the tool (in English) here. With the initial level test, the respondent can first check how well they control the basic issues of the data protection regulation. The role-mapping test helps the respondent to define what role the company plays in regard to the processing of personal data. Each role also has its own tests. The source code and content of the data protection tool are for free use, to further develop a company or industry-specific privacy tool or to produce new language versions, or even in commercial applications.

Finally, the UK Information Commissioner’s Office offers new guidance to game developers on protecting minors. The recommendations are based on the experiences and findings during a series of voluntary audits (eg, of Yubo and Facepunch) of game developers, studios and publishers within the gaming industry:

  • The age range of the players and the different needs of children at different ages and stages of development should be at the heart of how you design your games. 
  • Designing games to promote meaningful parent/guardian – child interactions, while setting a high level of privacy by default and appropriate parental controls is key.
  • It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing. 
  • It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.
  • Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents, and game providers.

Investigations and enforcement actions: employee emails monitoring, failed data subject requests at a sports center, HBNR and BIPA violations in the US, student data management

In Austria, the data protection authority found an employer’s monitoring of employee emails unlawful. Several complainants argued that the company, without their consent or knowledge, checked the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was the suspicion of a breach of trade secrets. The data protection authority concluded that the control measure, which only took place six months after the incident that gave rise to it, was not proportionate due to the lack of a temporal connection and of topicality. In addition, there was no valid consent from the works council.

The Norwegian data protection authority confirmed its fine of over 900,000 euros against Sats for breaches of several provisions of the GDPR. The complaints related to the company’s failure to comply with clients’ requests for access and deletion. Furthermore, the fitness centre chain lacked the authorisation to process data about customers’ training history. Sats is the Nordic region’s largest fitness centre chain and has its head office in Norway. Therefore, the Norwegian regulator dealt with the case in collaboration with other supervisory authorities under the so-called one-stop-shop mechanism.

In the US, the Illinois Supreme Court ruled that fast food chain White Castle System must face claims that it repeatedly scanned the fingerprints of nearly 9,500 employees without their consent (to access a company computer system), which the company says could cost it more than 17 billion dollars. The Illinois Biometric Information Privacy Act (BIPA) imposes penalties of 1000 dollars per violation and 5000 dollars for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans, and other biometric information from workers and consumers.

Also in the US, the Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification (HBN) Rule against the telehealth and prescription drug discount provider GoodRx Holdings, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon.

Since 2021, US health apps and smart products that collect or use consumers’ health information must comply with the HBN Rule. It ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) face accountability when consumers’ sensitive health information is breached. In the above case, GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with HIPAA.

The French privacy regulator CNIL gave formal notice to two higher education institutions to comply with the GDPR concerning files used for administrative and pedagogical management. Areas of non-compliance include data retention period, student information, use of subcontractors, and data security:

  • they had not provided a precise retention period for all processing of students’ personal data, nor had they provided for a purge and archiving system;
  • they did not properly inform students about the collection of their data via the various forms they fill out during their schooling;
  • they were not able to send the CNIL the duly signed data processing agreements with subcontractors;
  • they had no password policy to guarantee a minimum level of security in this area.

Data security: messaging apps

Privacy International issued a guide on communicating with others via messaging apps. Reportedly, there are two main aspects to consider: a) whether the app offers end-to-end encryption (E2EE) that protects the content of your communication; and b) whether it collects any information beyond the content of the message, such as location, who you communicate with, and other details referred to as ‘metadata’. For sensitive conversations, it may be sensible to use disappearing messages if your app offers them (however, it is unclear whether self-destructing messages are also recoverable by mobile phone extraction technology).

The use of E2EE for messaging should always be preferred over text messages, which are completely unencrypted, meaning they can easily be read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement. For example, Signal uses E2EE not only to encrypt the contents of messages but also to obscure all metadata, even from itself. In contrast, both WhatsApp and Telegram store, and can access, IP addresses, profile photos, “social graphs”, and more.

Big Tech: Palantir technology ban in Germany, more Tik Tok data centers in Europe

A top German court ruled against the use of software developed by Palantir Technologies, saying that police use of automated data analysis to prevent crime in some German states was unconstitutional as it infringes on the right to informational self-determination. The US company’s technology has so far been employed, among other things, to look into the criminal organisation accused of plotting to overthrow the German government in December, Reuters reports. Palantir says it only offers software for processing data. However, the German Society for Civil Rights, which brought the lawsuit, claimed the software used data from innocent people to form suspicions and could produce errors.

TikTok plans to open two more data centers in Europe (Ireland), hoping to lessen regulatory pressure on the business. Data migration for TikTok users in Europe will start this year and last until 2024. TikTok has not been subject to the same hefty fines as Google and Meta in the EU. Now TikTok is attempting to reassure governments and privacy regulators that users’ personal information cannot be accessed, and that its content cannot be altered, by the Chinese government or anyone else working for Beijing.

The company also reported an average of 125 million monthly active users in the EU under the brand-new online content rules known as the Digital Services Act. For comparison, Twitter says it has 100.9 million. Alphabet reports 278.6 million at Google Maps, 274.6 million at Google Play, 332 million at Google Search, 74.9 million at Shopping, and 401.7 million at YouTube. Meta Platforms claims 255 million on Facebook and about 250 million on Instagram.

Data protection & privacy digest 1 – 15 Dec 2022: draft US adequacy decision, Microsoft ‘data boundary’ for the EU, Age-appropriate design code https://techgdpr.com/blog/data-protection-digest-16122022-draft-us-adequacy-decision-microsoft-data-boundary-for-the-eu-age-appropriate-design-code/ Fri, 16 Dec 2022 09:52:52 +0000

In this issue, you will find updates on the draft US adequacy decision, Standard Data Protection Model, HIPAA rules, multimedia boxes security, code of practice for app market, Microsoft ‘data boundary’ for the EU, Apple’s E2EE, and more.

Legal processes: draft US adequacy decision, EDPB’s binding decisions, draft AI Act

The EU issued a draft adequacy decision for the United States, saying US safeguards against America’s intelligence activities were strong enough to address EU concerns on data transfers. Previously, personal data could be freely sent to the US through the Privacy Shield framework, but this framework was abolished by the CJEU in the Schrems II judgment. Earlier this year, after negotiations with the European Commission, US President Joe Biden introduced a new EU-US Data Privacy Framework and signed a new law to comply with the CJEU decision. 

The Commission is now to submit the US adequacy decision to the European Privacy Council, which will state whether privacy is adequately safeguarded. The European Parliament will also scrutinise the decision. The Commission must then obtain the approval of all EU countries to formally approve the new mechanism (probably in the first half of 2023). The decision will come into force when the US has fully implemented the new legislative changes. Finally, users can then challenge the decision via national and European courts. It is worth noting that:

  • The new adequacy mechanism will not apply to all transfers to the US; instead, it will apply to transfers to US organisations that have chosen to participate in the scheme.
  • It will probably become easier to transfer personal data to the US in general if a common transfer tool, such as the new EU SCCs, is used.

A CJEU ruling upheld the EDPB’s role and authority to arrive at a collective decision under the GDPR’s consistency mechanism. The court stated that the action for annulment brought by WhatsApp Ireland against the EDPB binding decision is inadmissible. The decision led to a 225 million euro fine from Ireland’s Data Protection Commission (DPC). It is now up to the Irish court to review the legality of the final decision of the Irish regulator. In 2021 the EDPB resolved a dispute on a draft decision of the DPC concerning WhatsApp Ireland’s GDPR transparency obligations to users and non-users of the service.

The European Council has adopted its common position on the Artificial Intelligence Act ahead of official negotiations with the Parliament. It aims to ensure AI systems placed and used on the EU market are safe and respect existing laws, including relevant data protection. Since AI systems are developed and distributed through complex value chains, the text includes changes clarifying the allocation of responsibilities and roles of the various actors in those chains, particularly providers and users of AI systems. Several new provisions have been added:

  • where AI systems can be used for many different purposes (general-purpose AI) and are subsequently integrated into another high-risk system, consultations and detailed impact assessments considering the specific characteristics of general-purpose AI systems and related value chains would be applicable;
  • obligation for users of an emotion recognition system to inform natural persons when they are being exposed to such a system;
  • prohibition on the use of AI for social scoring by private actors;
  • some exclusions for national security, research, and development. 

Certain users of high-risk AI systems that are public entities will also be obliged to register in the EU database for such systems. The future AI act provides penalties, with proportionate caps on administrative fines for SMEs and start-ups, and a new complaint mechanism. 

Official guidance: standard data protection model, use of cookies, wrongful credit information, age-appropriate design code, HIPAA rules

The German Federal Data Protection Commissioner updated the Standard Data Protection Model (SDM) to provide suitable mechanisms to translate the legal requirements of the EU GDPR into technical and organisational measures. In particular, the new SDM first records the legal requirements of the GDPR and then assigns them to the protection goals of data minimisation, availability, integrity, confidentiality, transparency, risk assessment, and more. You can read the new SDM 3.0 version here.

The Croatian data protection authority AZOP issued a reminder on the use of cookies. Although the e-Privacy Directive stipulates the need for voluntary and informed consent to store or access cookies, the practical application of legal requirements differs in EU member states. Currently, observed implementations are based on one or more of the following practices:

  • an immediately visible notification that the website uses various types of cookies or similar technologies, with layered access to information, usually via a link or a series of links, where the user can learn more about the cookies used,
  • information on how users can indicate and later withdraw their preferences regarding cookies, including information about the action required to express such a preference,
  • the mechanism by which the user can decide to accept all or some or refuse cookies,
  • the possibility for the user to subsequently change the previous preference.

However, some cookies can still be exempted from informed consent under certain conditions, and only if they are not used for additional purposes:

  • cookies for user input (session ID), for the duration of the session, or permanent cookies in some cases limited to a few hours,
  • authentication cookies, which are used to authenticate to services, during the session,
  • user-oriented security cookies, used to detect authentication abuse, with limited persistent duration,
  • multimedia content session cookies (such as Flash players), during the session,
  • session cookies for load balancing, for the duration of the session,
  • cookies for customising the user interface for the duration of the session (or a little longer),
  • cookies for sharing content on social networks/third parties, for the login of their members.

Finally, third-party marketing cookies cannot be exempted from consent, including for operational purposes related to third-party advertising, such as frequency limiting, financial records, ad matching, click fraud detection, research and market analysis, product improvement, and troubleshooting.

The Latvian data protection authority DVI explains what to do if, as a result of illegal activities, information is included in the database of a credit bureau. In the specific case, the regulator was approached by a person who was refused a loan for the purchase of a home on the basis that the credit information office’s database contained information about her outstanding debts: loans she had not applied for.

  • If a person finds that a database contains information about debts that they did not undertake, they can ask the creditor to limit the processing of data, including the transfer of this data to the credit information bureau. 
  • In practice, the restriction means that debt data will not be deleted, but it will also not be made available to other persons.
  • The person must attach evidence to the request that they have tried to resolve the matter on its merits, for example, a criminal case has been initiated.
  • Upon receiving a person’s request, the lender must assess whether it is justified.
  • Until the question of the validity of the loan is examined, the person can request a temporary settlement from the lenders, making a note in the database.

The Future of Privacy Forum released a brief comparing the California and UK Age-appropriate design codes. The California code of practice is a first-of-its-kind privacy-by-design law in the US which is set to become enforceable on 1 July 2024. It was modeled on the UK’s version and represents a significant change in the regulation of the technology industry and in how children will experience online products and services. It follows 15 standards laid down in the UK law, including the “best interests of the child” standard, age assurance, default settings, parental controls, enforcement, and data protection impact assessments. The UK ICO has also published design tests to support designers of products or services that are likely to be accessed by children or young people.

The US Department of Health and Human Services highlighted the obligations of the Health Insurance Portability and Accountability Act (HIPAA) on covered entities and business associates when using online tracking technologies (Google Analytics, Meta Pixel) on webpages and apps with or without user authentication. Some entities regularly share electronic protected health information (PHI) with online tracking technology vendors, and some may be doing so in a manner that violates HIPAA rules. For instance:

  • HIPAA does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures.
  • Regulated entities must ensure that all tracking technology vendors have signed a Business Associate agreement and that there is applicable permission before the disclosure of PHI.
  • If the vendor is not a business associate of the regulated entity, then the individuals’ HIPAA-compliant authorisations are required before the PHI is disclosed to the vendor.
  • Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorisation. Read the full guidance here.

Investigations and enforcement actions: census data, diligence in choosing the subcontractor, social audio app, employee’s health data, multimedia boxes security, WC area surveillance

Portugal’s regulator, the CNPD, concluded that the National Institute of Statistics committed five administrative offenses, for violations of the GDPR within the scope of the 2021 census operation, and imposed a fine of 4.3 million euros. The CNPD decided that the organisation processed personal data relating to health and religion unlawfully. It failed to fulfill its duties of informing respondents of the census questionnaire, violated the duties of diligence in choosing the subcontractor, infringed the legal provisions relating to the international transfer of data, and failed to comply with the obligation to carry out a DPIA relating to the census operation. In particular, choosing a subcontractor (Cloudflare, Inc) despite the existence of a company office in Lisbon meant the contract was with a US-based company under the jurisdiction of the California courts. It allowed the transit of personal data through any of the company’s 200 servers outside the European Economic Area. The contract contained the standard contractual clauses approved by the European Commission for the transfer of personal data to the US, without providing for any of the additional measures preventing access to data by third-country government entities that the CJEU’s Schrems II judgment established.

The Finnish data protection authority imposed an administrative fine of 230,000 euros on Viking Line for violations related to the processing of employees’ health data. A former employee complained that he had not received all the personal information requested, which was stored in the company’s systems. The regulator found out that:

  • Viking Line had stored his health information in the personnel management system for 20 years. 
  • Among other things, this included diagnosis information in connection with information about sickness leave. 
  • Some of the stored diagnosis information was incorrect, as it was not possible to enter all existing diagnosis codes into the system. 
  • Storing diagnosis information together with other information related to the employment relationship was against the law.

The French regulator CNIL imposed a penalty of 300,000 euros on the telecoms company FREE, in particular for not having respected the rights of individuals and the security of its users’ data. Checks revealed several shortcomings, in particular regarding the rights of the persons concerned (right of access and right of erasure), data security (weak passwords, storage and transmission of passwords in plain text), and the recirculation of approximately 4100 poorly refurbished “Freebox” multimedia boxes. The technical and organisational measures of the reconditioning process did not prevent around 4,100 Freeboxes held by former subscribers from being reallocated to new customers without the data stored on them having been properly deleted. This data could be photos, home videos, or recorded television programs.

Finally, the Danish data protection agency has reported Danske Shoppingcentre P/S to the police for not having sufficiently restricted TV surveillance in at least one toilet area in a shopping centre. The regulator has recommended a fine of 47,000 euros. Danske Shoppingcentre explained that there had been problems with, among other things, vandalism in the toilets, and that it had therefore set up TV surveillance to prevent vandalism and theft as well as to ensure security for customers. The company had a technical solution with a black marking on the camera to mask the urinal. However, it did not provide sufficient masking, contrary to the principle of data minimisation.

Data security: code of practice for app market, risk-based audit, phishing infographic, EU healthcare sector resilience

The UK ICO has completed a voluntary audit of the Rowan Learning Trust (school-to-school support), based on a risk-based analysis of the processing of personal data. The key elements were a desk-based review of selected policies and procedures, remote interviews with selected staff, and a virtual review of evidential documentation. The audit revealed that:

  • Data protection compliance is currently not discussed routinely in any local groups or at the board level across the trust. 
  • Compliance information is not reported to senior management. 
  • The trust should also implement a new data protection policy with supporting documentation and ensure that staff are aware of and understand the contents.
  • There is currently no mandatory data protection training in place for the staff. 
  • The trust does not have a Record of Processing Activity document. 
  • There is currently no oversight of Records Management and operational responsibility assigned.
  • The trust has not conducted an information audit, so does not have an understanding of all of the information that is held and how it flows across the trust.
  • There are currently no compliance checks carried out across the trust to ensure that physical and electronic records are destroyed in line with their retention periods.

The UK government has published a voluntary Code of Practice to strengthen consumer protections across the app market. The government will work with the biggest operators and developers to support them in implementing the voluntary code over a nine-month period. Under the code, app store operators and developers will need to:

  • share security and privacy information in a user-friendly way with consumers (eg, when an app and its updates are made unavailable on an app store, or the locations of users’ data);
  • allow their apps to work even if a user chooses to disable optional permissions, such as preventing the app from accessing a microphone or the user’s location;
  • provide clear feedback to developers when an app is not published for security or privacy reasons;
  • have a vulnerability disclosure process in place, so software flaws can be reported and resolved without being made publicly known for malicious actors to exploit;
  • ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps.

America’s CISA published a Phishing Infographic to help protect both organisations and individuals from successful phishing operations. The infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The infographic also provides detailed actions organisations and individuals can take to prevent successful phishing operations, from blocking phishing attempts to teaching individuals how to report successful phishing operations.

The European Union Agency for Cybersecurity released the after-action report of the 2022 edition of Cyber Europe, the cybersecurity exercise testing the resilience of the European healthcare sector. It featured a disinformation campaign of manipulated laboratory results and a cyber attack targeting European hospital networks. The scenario provided for the attack to develop into an EU-wide cyber crisis, with the imminent threat of personal medical data being released and another campaign designed to discredit a medical implantable device with a claimed vulnerability.

Big Tech: Microsoft ‘data boundary’ for the EU, Apple’s end-to-end encryption, Amazon buying customer data

Microsoft says its EU cloud customers will be able to process and store their data in the region from January. It will apply to all of its core cloud services – Azure, Microsoft 365, Dynamics 365 and Power BI platform. For many companies, data storage has become so large and distributed across so many countries that it becomes difficult for them to understand where their data resides and if it complies with the GDPR. The latest criticism of Microsoft 365 cloud services was recently expressed by the German data protection regulators, while the French ministry of national education has urged schools in the country to stop using free versions of Microsoft 365, (and Google Workspace), amid privacy concerns.

In the meantime, Apple unveiled a range of security and privacy enhancements. Users will be given the option to encrypt more of the data they back up to their iCloud using end-to-end encryption. The encryption key, or the code used to gain access to that secure data, will be stored on the device. That means that if a user who opts into this protection loses access to their account, they will be responsible for using their key to regain that access – Apple will no longer store the encryption keys in iCloud. The change will not apply to all data – email, contacts, and calendar entries will not be encrypted. Users will have to voluntarily opt into the feature. 

Finally, some Amazon users will now earn 2 dollars per month for agreeing to share their traffic data with the retail giant, Business Insider reports. Amazon is keeping track of which advertisements participants viewed, where they saw them, and what time of day they were viewed as part of the business’s new invite-only Ad Verification program. Both Amazon’s own and third-party platform advertisements fall under this category. Only customers who were invited to participate in the program will be eligible for the reward; however, those who were not invited can join a waiting list.

HIPAA, the GDPR and MedTech https://techgdpr.com/blog/hipaa-the-gdpr-and-medtech/ Thu, 23 Jul 2020 07:08:44 +0000

There are different regulations on how medical data can be processed and stored in different nations. If your company operates in the MedTech sector in the Western world most likely you have at least heard of HIPAA or the GDPR. This article aims at analysing how both legislations relate to healthcare. The article is particularly useful for those looking to extend their business operations to the EU or US for the first time. 

What are HIPAA and the GDPR?

HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. HIPAA was enacted to specifically deal with how medical data are shared and processed. Unlike HIPAA the GDPR regulates any information which can lead to the identification of a living person whether it is health-related or not. The GDPR denotes health data as special categories of personal data, commonly referred to as sensitive data. This means that non-consensual processing of health-related data is strictly prohibited unless the processing purposes are related to medical diagnosing, preventative or occupational medicine, provision and management of health or social care or treatment, in accordance with a contract with a medical professional or based on Union or Member State law. 

The GDPR defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (GDPR Art. 4). HIPAA defines protected health information as any data that identifies an individual in respect of his or her past, present or future physical or mental condition, the provision of health treatment and services, or payment for them. Both definitions are similar, yet HIPAA also treats the financial information of the recipient of the treatment as health data. The GDPR applies to all organisations operating in the EU or offering goods or services to individuals located in the EU, regardless of their citizenship. HIPAA, on the other hand, applies to specific covered entities within the US, which include healthcare providers, health care clearinghouses and health plan providers.

The key differences between HIPAA and GDPR relevant to MedTech 

The principal difference between the regulations is obviously their scope. As previously stated, the GDPR applies to all organisations processing any type of data relating to a person. Furthermore, the GDPR applies to a much broader range of entities. Even if a company is located in the US (or anywhere else in the world), if it processes data of subjects located in the EU, it must comply with the GDPR. By contrast, HIPAA only applies to covered entities located in the US.

The right to be forgotten is another aspect specific to the GDPR. It stipulates that under certain conditions, such as the revocation of previously granted consent or when the data are no longer necessary, the data subject may request the free-of-charge erasure of his or her personal data. If a company relies on third-party cloud storage services, it should ensure that it is able to locate and erase the data when required. The GDPR is also stricter on data breaches: it grants only 72 hours to report a data breach, while HIPAA allows up to 60 days to report a breach if more than 500 individuals are affected. If fewer than 500 people are affected, the data breach may be reported by the final reporting day of each year.

The GDPR also introduced the notion of privacy by design and by default. The concept postulates that when developing new services involving the processing of personal data, in MedTech or any other sector, the company must always consider privacy. No such framework for launching new services is present in HIPAA.

Both regulations are compulsory and impose fines for non-compliance. HIPAA fines are mostly around $25,000 per violation, although in the worst circumstances a company may be fined up to $1.5 million per year. The GDPR opens the door to potentially much larger maximum fines of up to 4% of annual worldwide turnover.

Do HIPAA and GDPR overlap?

There are some similarities and overlap between HIPAA and the GDPR, which is good news for companies required to comply with both regulations. Firstly, both include obligations relating to individuals or entities handling data on behalf of the covered entities who control the processing of the data. Under HIPAA, these are known as business associates and are required to sign a business associate agreement (BAA); this is similar to the role of data processors under the GDPR.

Secondly, HIPAA, as is the case with the GDPR, requires companies to ensure safeguards are in place to protect the data collected and stored from unauthorised access and disclosure. Article 32 of the GDPR specifically deals with the obligation to minimise the risk of a security breach. Appropriate measures include pseudonymisation and encryption of data, maintenance of the ‘ongoing confidentiality, integrity, availability and resilience of processing systems and services’ as well as the ‘ability to restore availability and access to data in the event of an accident’. The same article prescribes regular testing, assessment and evaluation of the effectiveness of the security measures in place. Furthermore, an entity subject to the GDPR shall ensure that all personnel processing data on its behalf adhere to the code of conduct prescribed by the legislation and do not process data except on its instructions.

Parallel obligations for covered entities can be found in HIPAA’s Security Rule. HIPAA likewise requires the confidentiality, integrity and availability of protected health information in electronic form (ePHI). Covered entities must also ensure that potential security threats, and unlawful uses or disclosures of ePHI, are considered and addressed. HIPAA further obliges covered entities to ‘ensure compliance by the workforce’.

Both regulations call for minimisation of data collection and minimisation of data disclosure. Under both, data may be disclosed for research purposes, judicial proceedings, public health interest and where required by law.

HIPAA and the GDPR grant data subjects analogous rights. In particular, with a few exceptions, such as access to psychotherapy notes, both regulations grant the data subject the right to access and review a copy of the processed data. Moreover, if the information is inaccurate or incomplete, the data subject has the right to request that it be amended.

HIPAA and the GDPR grant data subjects a right to be informed of how and for what purpose their personal data are used and processed; this includes information regarding the recipients, or categories of recipients, to whom the personal data have been or will be disclosed. The privacy notice must include information on the individual’s rights with respect to their personal information and how those rights may be exercised, the covered entity’s obligations, and the purpose of data usage and processing. Interestingly, both the GDPR and HIPAA require the privacy notice to be written in clear and plain language.

HIPAA and GDPR application

Two global trends may be identified with regard to MedTech and data processing. First, there is an evident explosion of consumer health data. Technological advancement has stimulated vast growth in consumer-generated health data, which can be put to work through data analytics to extract powerful insights. Second, as life expectancy increases and senior citizens account for a larger share of the population, the market boom in healthcare is explained by a demand to further digitise and employ analytics to identify the most cost-effective and health-effective treatments and insurance plans.

Beyond the similarities and differences outlined earlier, there is a fair amount of divergence in how the two frameworks are implemented. Consider an app developer seeking to re-use healthcare data to extract insights. Under the GDPR, this app developer handles a special category of data, and this handling is subject to strict safeguards. In the US, however, the same app developer is subject to neither HIPAA nor the GDPR, provided they do not process personal data of EU data subjects. That is because HIPAA postulates that only covered entities, namely healthcare providers and insurers, or their business associates are subject to the legislation. In other words, medical data collected and processed in a hospital will be subject to HIPAA and considered PHI.

If an individual voluntarily provides his or her health information to a mobile app which is not connected to the healthcare activities of a covered entity (i.e. the app developer is not a business associate of any covered entity), this most likely falls outside HIPAA’s jurisdiction, but the app developer remains subject to other state or federal law. Examples of such laws are the FTC Act, which generally regulates the commercial use of personal data, and the Children’s Online Privacy Protection Act with regard to the use of children’s data. Ultimately, this affects how consent should be obtained to process the data, as well as the appropriate security and organisational protection measures, regardless of HIPAA.


This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.


]]>