adtech Archives - TechGDPR, https://techgdpr.com/blog/tag/adtech/

Data protection & privacy digest 30 Aug – 12 Sep 2022: the US hosting provider in the EU, Google Fonts claims, Children’s Code
https://techgdpr.com/blog/data-protection-digest-13092022-us-hosting-subsidiary-in-the-eu-pets-child-privacy/
Tue, 13 Sep 2022 09:40:22 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: US hosting provider in the EU, Google Fonts, IAB Europe, California Age-Appropriate Design Code, new Swiss privacy law

In Germany, a public procurement chamber’s decision to bar a hospitals’ digital discharge-management system from storing data in Luxembourg was overturned by a higher regional court. Two public hospitals in Baden-Württemberg had agreed to send data to a Luxembourg branch of a US hosting provider. The Karlsruhe court overturned the chamber’s finding that using the services of the Luxembourg subsidiary of a US company would necessarily amount to an inadmissible data transfer to a third country: “The latent risk of access by government and private bodies outside the European Union, (here the US), is sufficient for this assumption.” In this case, specific guarantees offered by one of the bidders to store and process data only in Germany convinced the court that sufficient safeguards would apply. This decision is final.

According to TechnikNews, Google Fonts are presently the subject of a veritable tsunami of GDPR claims in Austria and Germany. Many website owners have received letters and emails from data protection lawyers informing them of data breaches and requesting a “settlement.” Without the visitor’s permission, the website operator is said to have “forwarded the client to a business of the US Alphabet Inc.”, (owners of Google). The claims apparently rely on a Munich Regional Court decision that upheld a lawsuit in the “Google Fonts” matter. Google sees it differently, according to its own privacy policy: although a request from the user’s browser to Google does take place, IP addresses are not logged. Furthermore, “the use of the Google Fonts API is not authenticated and the Google Fonts API does not set any cookies or log them.” See more technical analysis in the original publication.

The Belgian Market Court referred the IAB Europe ruling on the Transparency & Consent Framework to the CJEU. In an interim ruling, the court decided to refer preliminary questions to the CJEU on how the GDPR concept of data controllership is to be interpreted as it pertains to this ruling, and on whether a TC String, (a digital signal containing user preferences), can be considered “personal data” under the GDPR. The referral to the EU top court means a final judgment is unlikely until 2023. IAB Europe disputes the initial decision by the Belgian supervisory authority APD that it acts as a controller for the recording of TC Strings and as a joint controller for the dissemination of TC Strings and other data processing done by TCF vendors under the OpenRTB protocol. It also challenges the APD’s assessments of the validity of the legal bases established by the TCF, which were done in the abstract, without reference to the particular circumstances surrounding the data processing.

California approved its own version of the Age-Appropriate Design Code. If the state governor signs the bipartisan bill, (AB-2273), into law, online services that violate its provisions could face fines as high as 7,500 dollars per affected child. This includes social media, the gaming industry and other online services likely to be accessed by children under age 18. They shall take all of the following actions:

  • complete and implement a DPIA,
  • estimate the age of child users with a reasonable level of certainty, or
  • apply the privacy and data protections afforded to children to all consumers and configure all default settings,
  • provide any privacy information, using language suited for the age group,
  • do not use the child’s data in a way that the business knows, or has reason to know, is materially detrimental to their physical or mental health, or well-being,
  • do not profile a child by default, (unless sufficient safeguards are in place, or it is necessary for the performance of the contract and is in the best interest of the child),
  • do not collect, sell, share, or retain personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, etc.

In Switzerland, a new data protection law will enter into force on 1 September 2023, according to the recent decision of the Federal Council. The one-year grace period leaves sufficient time for the economic community to implement the new law. The reviewed legislation is adapted to technological advances and the rights of individuals vis-à-vis their data, as well as transparency on how it is collected. Some private data controllers are relieved of certain obligations relating to the duty to inform when personal data is communicated. The modalities of the right of access are simplified thanks to the removal of the obligation to document the reasons for refusing, restricting or deferring disclosure. The data security requirements are reinforced, (eg, a one-year retention period for data processing logging records), due to critical feedback during the consultation period. Swiss legislators claim the new modernized law guarantees adequate privacy levels and safe cross-border transfers. The EU has recognised Switzerland’s level of data protection since 2000. This recognition is currently being reviewed. 

Official guidance: PETs, GDPR implementation, secondary use of health data, decentralised AI, employees’ digital activities, token access, privacy notice

The UK ICO issued draft guidance on Privacy-enhancing technologies, (PETs). These could be software and hardware solutions, methods or knowledge to achieve specific privacy or data protection functionalities or to protect against risks to the privacy of an individual or a group of natural persons. The guide answers questions on:

  • How can PETs help with data protection compliance? (data protection by design and by default, data minimisation, robust anonymisation or pseudonymisation solutions)
  • What are the different types of PETs? (derive or generate data that reduces or removes the identifiability of individuals, hide or shield data, split datasets or control access to certain parts of the data, etc)
  • A detailed description of some PETs, their residual risks, and implementation considerations with practical examples, (Homomorphic encryption, Secure multiparty computation, Private set intersection, Federated learning, Trusted execution environments, Zero-knowledge proofs, Differential privacy, Synthetic data, Reference table).

The Dutch Ministry of Justice published a review of the implementation of the GDPR at the national level. The GDPR is based on open standards, such as necessity and proportionality. The experts recommend the concretisation and specific interpretation of those standards through special sectoral legislation, codes of conduct and guidelines for the practice of data protection law. After studying some cases, the researchers could not clearly understand how the country’s data protection regulator AP determines the size of fines. A more transparent method of setting and imposing penalties could therefore lead to greater understanding and acceptance by the organisations under supervision. The investigation also raises issues with the obligation to report data breaches and the lack of enforcement capacity at the AP in the case of unreported data breaches.

A Polish law blog is looking at the secondary use of electronic health data in the EU. The draft Regulation on the European Health Data Space allows certain reuse of both personal and non-personal health data collected in the context of primary use. Apart from public interest or statistical and scientific purposes, the advanced purposes include training, testing, and evaluation of algorithms, including in medical devices, AI systems, or digital health applications. Some categories of data are described in general terms, which would allow new types of data to be included in these categories, and in the future these may include:

  • “electronic data related to insurance status, professional status, education, lifestyle, wellness and behavioural data relevant to health”, or 
  • “data impacting on health, including social, environmental or behavioural determinants of health.”

Additionally, national health data access bodies will be able to grant access to additional categories of electronic health data entrusted to them by national laws or based on voluntary cooperation with data holders, (the “data altruism” principle as per the EU’s Data Governance Act). At the same time, the processing of such electronic data must avoid risks, (eg, insurance exclusion, targeted advertising, access to data by third parties, unauthorised medical products or services), causing harm to natural persons.

The Swedish privacy agency IMY is starting a pilot project to create in-depth legal guidance in matters relating to decentralised AI. IMY’s pilot project is being carried out with Sahlgrenska University Hospital and Region Halland. The project is part of a larger strategic initiative led by AI Sweden: information-driven care where AI helps to tailor decisions at the individual and system level and develop more advanced and accurate diagnoses and treatments. Decentralised AI is a way to avoid collecting large amounts of data to train algorithms centrally and instead produce models that are trained locally. The trained algorithms are then returned to a central point where insights are aggregated. 

Is the boss watching you? The Norwegian data protection authority Datatilsynet issued an in-depth report on the monitoring and control of employees’ digital activities. It states that:

  • More than half of employees have an insufficient overview of what information the employer collects, (digital work tools record such large amounts of information that it can be challenging for employees to keep track).
  • The employer has the opportunity to collect large amounts of information about employees’ digital activities, (eg, Google, Microsoft and Zoom have built-in additional functions that allow the employer to monitor the employee’s activities).
  • Software designed to monitor employees can be very intrusive.
  • Several employees see signs that the employer monitors visits to websites, or access to e-mail or PC/screen recording, activity log, audio recording, and GPS tracking.
  • Monitoring tools aimed at employees who work from home are spreading, (while Portugal has already prohibited remote worker monitoring).

For help with complying with the privacy regulations when monitoring workers, which legal basis or software to choose, and notable infringement cases, see the original guidance, (in Norwegian).

The French supervisory authority CNIL has published a guide on individual login tokens, or token access. A mechanism frequently integrated into authentication procedures, it allows a secure connection to a personal space, an account or office documents. In addition, tokens are often used in a two-factor authentication procedure to reduce the risk of account spoofing. An access token materialised as a link can be considered continuous access to personal data reachable from the Internet. This “gateway” is an exposure that malicious actors can exploit. Certain principles can reduce the likelihood that this will occur:

  • Log the creation and use of tokens and define a purpose-based validity period.
  • Generate an authentication link that contains no personal data or variables with easily understandable and reusable content, such as hashed content.
  • Impose a new authentication if the token allows access to personal data or if the token has an insufficiently limited lifespan.
  • Limit the number of accesses such as single or temporary use depending on the intended purposes.
  • In the context of a data transfer between two services, using an access token to establish the connection between the two services must also be limited in time.
  • Restrict the use of the token to certain services or resources by avoiding its reuse.
  • Automatically suspend, temporarily or permanently, access to the requested resource in case of suspicious intensive requests.
  • Users should be able to choose how their remote access token is transmitted to them, (email, SMS, post, phone call).
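As an added illustration of the CNIL principles above, not code from the guide or from CNIL, here is a small in-memory magic-link token service: the link carries only random bytes, the server stores only a hash, validity and use count are fixed per purpose, the token is bound to one resource, every issue and redemption is logged, purposes that unlock personal data flag a fresh login, and a burst of rejected redemptions temporarily suspends the resource. The purpose policies, user ids, resource paths and thresholds are constructed sample values.

```python
"""Hypothetical magic-link token service following the CNIL principles above.

Written for this digest, not CNIL's own code. PURPOSE_POLICY and the values
in demo() are constructed samples, not taken from the guidance.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Validity period, allowed number of uses and whether the resource holds personal
# data (and therefore requires a fresh login) are fixed per purpose. Constructed.
PURPOSE_POLICY = {
    "password_reset": {"ttl": 15 * 60, "max_uses": 1, "reauth": False},
    "document_share": {"ttl": 24 * 3600, "max_uses": 3, "reauth": True},
}


@dataclass
class TokenRecord:
    token_hash: str        # only the SHA-256 of the token is kept server-side
    user_id: str
    purpose: str
    resource: str          # the single resource this token may unlock
    expires_at: float
    remaining_uses: int
    revoked: bool = False


@dataclass
class TokenService:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    failures: dict = field(default_factory=dict)   # resource -> failure timestamps
    burst_limit: int = 5                           # rejected redemptions per window
    burst_window: float = 60.0                     # seconds

    def _log(self, now: float, event: str, **fields) -> None:
        self.audit_log.append({"ts": now, "event": event, **fields})

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, purpose: str, resource: str,
              now: Optional[float] = None) -> str:
        """Create a link token made of random bytes only: no user data, nothing guessable."""
        now = time.time() if now is None else now
        policy = PURPOSE_POLICY[purpose]
        token = secrets.token_urlsafe(32)
        rec = TokenRecord(self._hash(token), user_id, purpose, resource,
                          now + policy["ttl"], policy["max_uses"])
        self.records[rec.token_hash] = rec
        self._log(now, "issued", user_id=user_id, purpose=purpose, resource=resource)
        return token

    def revoke(self, token: str, now: Optional[float] = None) -> None:
        """Permanently disable a token, for example after a report of abuse."""
        now = time.time() if now is None else now
        rec = self.records.get(self._hash(token))
        if rec is not None:
            rec.revoked = True
            self._log(now, "revoked", user_id=rec.user_id, resource=rec.resource)

    def redeem(self, token: str, resource: str, now: Optional[float] = None):
        """Return {'user_id', 'reauth_required'} on success, None if the token is refused."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(resource, []) if now - t < self.burst_window]
        self.failures[resource] = recent
        if len(recent) >= self.burst_limit:
            # Suspicious intensive requests: suspend access to the resource for the window.
            self._log(now, "suspended", resource=resource)
            return None
        rec = self.records.get(self._hash(token))
        valid = (rec is not None and not rec.revoked and rec.remaining_uses > 0
                 and now < rec.expires_at and rec.resource == resource)
        if not valid:
            self.failures[resource] = recent + [now]
            self._log(now, "rejected", resource=resource)
            return None
        rec.remaining_uses -= 1
        self._log(now, "redeemed", user_id=rec.user_id, purpose=rec.purpose, resource=resource)
        return {"user_id": rec.user_id, "reauth_required": PURPOSE_POLICY[rec.purpose]["reauth"]}


def demo() -> dict:
    """Constructed walk-through exercising single use, scoping, lockout and expiry."""
    svc = TokenService()
    t0 = 1_700_000_000.0
    reset = svc.issue("user-42", "password_reset", "/reset", now=t0)
    share = svc.issue("user-42", "document_share", "/docs/7", now=t0)
    out = {
        "first_use": svc.redeem(reset, "/reset", now=t0 + 60),
        "second_use": svc.redeem(reset, "/reset", now=t0 + 61),       # single use: refused
        "wrong_resource": svc.redeem(share, "/docs/8", now=t0 + 60),  # wrong scope: refused
    }
    for _ in range(5):  # five bad guesses inside the window trip the lockout
        svc.redeem("not-a-real-token", "/docs/7", now=t0 + 100)
    out["locked_out"] = svc.redeem(share, "/docs/7", now=t0 + 101)      # valid token, suspended
    out["after_cooldown"] = svc.redeem(share, "/docs/7", now=t0 + 200)  # accepted, reauth flagged
    out["expired"] = svc.redeem(share, "/docs/7", now=t0 + 25 * 3600)   # past the 24h TTL
    out["events"] = [e["event"] for e in svc.audit_log]
    return out
```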

The Latvian data protection authority DVI published a simple yet essential reminder of what a privacy notice is. The first step in controlling personal data is awareness of the organisation’s planned activities. Even before starting data processing, the organisation must provide information, and the person whose data it intends to process has the right to be informed of:

  • information about the organisation and its contact information;
  • the data protection specialist and their contact information;
  • purposes and legal basis for obtaining the personal information;
  • if the processing is based on legitimate interests, a description of these interests;
  • recipients of personal data, their categories, if any;
  • a reference to how personal data will be protected in case of transfer to a third country or an international organisation;
  • the period for which the information will be stored or, if this is not possible, how this period will be determined;
  • how to exercise other rights – access to personal data, its correction or deletion, restriction of processing, the right to object, the right to data portability;
  • if the processing is based on consent – the right to withdraw it at any time, and how this will affect the lawfulness of processing before withdrawal;
  • the right to submit a complaint to the supervisory authority;
  • whether the provision of personal data is required by law or a contract;
  • whether it is a prerequisite for concluding a contract;
  • whether the person is obliged to provide personal data and what the consequences may be in cases where such data are not provided;
  • whether there is automated decision-making, including profiling – meaningful information about the logic involved, as well as the consequences of such processing for the person.

Investigations and enforcement actions: Instagram fine, Sephora settlement, research data processing, worker video and audio surveillance, costs of data protection

Ireland’s data protection commissioner will fine Instagram 405 million euros for breaking the GDPR by improperly handling the data of youngsters using the platform. The parent company of Instagram, Meta, has already declared that it will appeal against the ruling. Although it may seem like a sizable figure, it is not the largest fine a corporation has ever been required to pay under the GDPR. The inquiry, which began in 2020, concentrated on young users between the ages of 13 and 17 who had access to business accounts, which made it easier for the user’s phone number and/or email address to be made public. Instagram unveiled additional measures to keep teenagers safe and secure after updating its settings over a year ago.

The California Consumer Privacy Act’s first enforcement settlement: French cosmetics company Sephora will pay a fine of 1.2 million dollars and adhere to several compliance requirements. According to the attorney general, Sephora violated the law by failing to inform customers that it was selling their personal information, not honoring user requests to opt out via user-enabled global privacy controls, and failing to remedy these violations within the allotted 30-day period. Sale in this case means Sephora disclosed or made available consumers’ data to third parties, (ad networks and analytics companies), through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for monetary or other valuable consideration. The case also signals a significant increase in risk for businesses operating in California ahead of the California Privacy Rights Act’s implementation in January 2023.

The Danish data protection authority has completed an inspection of the Region of Southern Denmark with a focus on the processing of personal data in health research. It selected three research projects as the inspection subject for “processing basis” and “responsibilities and roles”. The regulator requested a copy of the data processing agreements, documentation for any supervision of the data processors, and the guideline “Conclusion of data processing agreements and supervision of data processors” which was listed among the region’s policies. At the end of the inspection, the regulator stated that the data controller cannot meet the above requirements simply by entering into a data processing agreement with the data processor. The data controller must therefore also carry out lighter or more thorough supervision to ensure that the data processing agreement is complied with, including ensuring the data processor has implemented the agreed technical and organisational security measures. For instance, in two cases the region entered into data processing agreements with three different data processors in 2018 and 2020, and the agreements were not subsequently updated.

Following a complaint from an employee, the Spanish data protection regulator AEPD fined Muxers Concept 20,000 euros. An audio recording device was found in the corporate locker room hidden behind ceiling tiles, and an alleged video surveillance camera and sound recorder were found in the employee restrooms. Even recording employees’ interactions with clients is considered disproportionate as a means of guaranteeing compliance with labour laws. All surveillance and control measures must be proportionate to the purpose pursued, which is to provide security and comply with labour rights. As a result, the AEPD determined that Muxers had violated Art. 6 of the GDPR by processing data without a legal basis.

Meanwhile, the EDPB has published an overview of resources made available by EU member states to the data protection supervisory authorities, (SAs), in the last years – financial and human. It shows that the SAs need more staff to contribute more effectively to the GDPR cooperation and consistency procedures, to educate and to conduct more investigations, especially linked to complaints and security breaches. The SAs need more staff to be able to act more proactively, conduct on-site investigations, and to be able to conduct further examination of the growing number of complaints or breach notifications as only basic processing of them is currently possible in many cases. They also need more resources to develop information systems, increase their national and European communication, and to deal with the new tasks related to evolutions in EU regulations. In some cases, the staff salaries were reported to be too low compared to the salaries of the private sector in the same field. 

Data security: data medium destruction, internet-connected appliances, credential theft

Germany’s Federal commissioner for data protection BfDI published a guide on destroying data media, (in German). The destruction of data carriers is a technical and organisational measure to ensure data security, and in particular to prevent unauthorised third parties from gaining knowledge of personal data. Following international standards, the responsible body must first classify the processed personal data, or the data carriers storing them, according to their protection requirements and define appropriate protection classes, (from normal to a very high level). The higher the security level, the greater the effort required for an attacker to restore and read the destroyed data carriers or the personal data stored on them. Additionally, there are different specifications for various storage media, (such as paper, microfilm, magnetic hard drives, optical data carriers, and semiconductor memories), that must be observed when destroying a data carrier.

According to a European Commission document seen by Reuters, internet-connected smart appliances like refrigerators and TVs will have to adhere to stringent cybersecurity regulations or face fines or expulsion from the EU. Following high-profile events where hackers damaged businesses and demanded astronomical ransoms, worries about cybersecurity threats have increased. In September, the EU executive will make its Cyber Resilience Act plan public. Manufacturers will have to evaluate the cybersecurity risks associated with their products and implement the necessary measures. After becoming aware of an incident, the organisations must report it to ENISA, the EU’s cybersecurity agency, within 24 hours and take action to resolve the flaws. Distributors and importers will have to confirm that the goods adhere to EU regulations. National surveillance authorities will have the power to “prohibit or restrict that product from being made available on its national market” if businesses fail to comply.

US cybersecurity expert Brian Krebs looks into how phishers have such incredible success stealing one-time passcodes and remote access credentials from employees using text messages. In one of the examples, a deluge of SMS phishing messages targeting workers at commercial staffing agencies that offer outsourcing and customer assistance to hundreds of businesses started to appear in mid-June 2022. The messages instructed recipients to click a link and log in to a phishing page that looked like the authentication page for their workplace. Those who had already submitted their credentials were then asked for their one-time password for multi-factor authentication. The phishers behind this scam sent text messages pushing employees to click on links to freshly registered domains that frequently incorporated the name of the target organisation, supposedly to learn details about an impending change in their work schedule. The phishing websites used a Telegram instant chat bot to relay any provided credentials in real time, enabling the attackers to log in as that employee at the legitimate employer’s website.

Big Tech: UK Children’s code use cases, SpongeBob app vs COPPA, fingerprints in a school WC

The ICO’s groundbreaking Children’s code was fully rolled out in the UK in September 2021, requiring online services including websites, apps, and games to provide better privacy protections for children. Some changes over the past year included:

  • Facebook and Instagram limited targeting by age, gender, and location for those under 18.
  • Facebook and Instagram ask for people’s date of birth at sign-up, prevent them from signing up if they repeatedly enter different dates, and disable accounts where people can’t prove they’re over 13.
  • Instagram launched parental supervision tools, along with features like Take A Break to help teens manage their time on the app.
  • YouTube has turned off autoplay by default and turned on take-a-break and bedtime reminders by default for under 18s.
  • Google has enabled anyone under 18 (or their parent/guardian) to request to remove their images from Google image search results, location history cannot be enabled by Google accounts of under 18s, and they have expanded safeguards to prohibit age-sensitive ad categories from being shown to these users.
  • Nintendo only allows users above 16 years of age to create their own accounts and set their own preferences.

In the US, the Children’s Advertising Review Unit, (CARU), has found Tilting Point Media, owner and operator of the SpongeBob: Krusty Cook-Off app, in violation of the COPPA and CARU’s Self-Regulatory Guidelines for Advertising and Children’s Online Privacy Protection. As the operator of a mixed audience child-directed app, Tilting Point must ensure that no personal information is collected, used, or disclosed from users under age 13, or that notice is provided, and verifiable parental consent is obtained before such collection, use, or disclosure. Tilting Point does have an age screen on its app, however it did not prevent CARU from using the app as a 10-year-old child, agreeing to Tilting Point’s terms of service and privacy policy, and consenting to the processing of the data to receive “personalized” advertising. The app’s non-declinable privacy policy and terms of service provide that the user must be at least 13 years old to use the company’s product, but the age gate does not prevent a child from checking those boxes and playing the game.

In Australia, a Sydney high school is requiring students to scan their fingerprints if they wish to use the WC. Some parents say they weren’t asked for consent to take their children’s fingerprints, and one mother has requested that her daughter’s fingerprints be deleted from the system. The education department offered biometric technology to stop vandalism and anti-social behaviour in the toilets. It also stated, “The use of this system is not compulsory. If students or parents prefer, students can also access the toilets during those times by obtaining an access card from the office”. Issues surrounding biometric data and consent have not been extensively tested in the Australian courts. Other schools across New South Wales have used the technology for several years for students to mark their attendance. Yet New South Wales state police cannot conduct forensic procedures such as obtaining fingerprints without a person’s informed consent or court order. 

Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset
https://techgdpr.com/blog/data-protection-digest-30082022-data-subject-complaints-inappropriate-reliance-on-consent-smart-tv-reset/
Tue, 30 Aug 2022 09:21:56 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: data subject complaints, new business, identity cards, traffic licenses, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, DPOs

The UK Information Commissioner’s Office offers a brief guide on how to deal with data subject complaints, (your staff, contractors, customers), when you are a small business. The main steps are as follows: 

  • Respond as soon as possible, in plain language, to let the customer know you’ve received their data protection complaint and are looking into it. 
  • Let them know when they can expect further information from you and give them a point of contact. Include information about what you’ll do at each stage.
  • Send them a link to a complaints procedure, (if there is one). 
  • Check the complaint has come from an appropriate person. 
  • Check all the details of their complaint against the information you hold.
  • Ask for additional information if necessary. 
  • Update them so they know you’re working to resolve the issue. 
  • Record all your actions, due dates, and 
  • Keep copies of relevant documents and conversations.

Starting a new business? The Jersey data protection regulator offers a quick guide on customer information, employee details, contact or payment details for suppliers and contractors, and other data points you’ll need to take responsibility for when getting a new business venture off the ground. The measures may include training your staff, limiting administrative rights, minimising data collection and storage, locking sensitive data, drafting a privacy policy, regular software updates and more. But even simple actions like turning off the ‘auto-complete’ function for email addresses or avoiding email forwarding may save you from personal data breaches. 

Financial institutions, for a range of services such as setting up and maintaining a bank account, electronic banking services, granting a loan or even a transfer order, make copies of our identity documents. The Polish data protection authority UODO takes the position that such copying is not allowed in every situation. For instance, the country’s banking law allows processing information contained in identity documents, but this does not give the right to make copies. In many cases, it is enough to show an identity document for inspection. On the other hand, anti-money laundering and terrorist financing legislation entitles financial institutions to make copies of identity documents. Before applying financial security measures, institutions must assess whether it is necessary to process the personal data of a natural person contained in the copy of the identity card for these purposes. According to the principles of purpose limitation and data minimisation, personal data must be collected for specific, explicit and legitimate purposes, using relevant criteria and limited to what is necessary for the purposes for which they are processed.

The Hungarian data protection authority NAIH issued a notice on data management related to the reading of the bar code on traffic licenses at filling stations. According to the submissions received by the regulator, in order to sell fuel at the official price, a fuel provider reads bar codes on vehicle registrations, (or records the registration number of the vehicle), and stores it in its system. The data is then forwarded for tax control purposes. In relation to data management, information was not available for customers at the filling stations, and the employees were not able to provide any meaningful information. The NAIH started an ex-officio investigation into the lawfulness of the processing, and to see if the tax authority and fuel providers had complied with Art. 13 of the GDPR. 

The Latvian data protection authority DVI recently issued a series of recommendations, (in Latvian), including:

  • To evaluate the use of TCF and OpenRTB systems. Following the Belgian regulator’s decision, the transparency and consent system created by IAB Europe and the real-time bidding system were recognised as non-compliant. The decision stipulates that personal data obtained through TCF must be deleted immediately. This means that organisations using the tools, (website/app operators, advertisers and online ad technology companies), must stop using the tool, (unless it uses non-personal data).
  • What to do if another person’s data has been received by mistake, (Do not open, do not publish, use minimal research to identify the sender, who should be notified, let the sender solve this situation himself, etc.).
  • Safe use of online platforms used during the educational process.
  • The processing of personal data by insolvency administrators in the register of creditors’ claims, and
  • Functions and tasks of a data protection specialist.

Legal processes: EU Data Act, Quebec Bill 64, California privacy laws, China cross-border transfers

The Czech Presidency of the EU Council brought more clarity on the proposed Data Act, namely the part that refers to public sector bodies’ access to privately held data, Euractiv.com reports. Public authorities might request data, including the relevant metadata, if timely access to it is necessary to fulfil a specific task in the public interest, (eg, local transportation, city planning and infrastructural services). At the same time, safeguards for requests involving personal data have been added, as the public body will have to explain why the personal data is needed and what measures are taken to protect it. The top priority should be anonymisation, or at least aggregation and pseudonymisation, of collected data.

In Quebec, the first amendments from Bill 64, (which modernises data protection legislative provisions), to the Quebec Privacy Act and the Quebec IT Act will come into force on 22 September. They create an obligation for a person carrying on an enterprise to protect personal information and automatically designate the person exercising the highest authority within the enterprise as the main responsible party. Other provisions create mandatory reporting of confidentiality incidents, biometric information database registration no later than 60 days before it is put in service, notification of any processes used to verify/confirm an individual’s identity based on biometric data, and allow disclosure of personal data necessary for commercial transactions, (eg, mergers, leasing).

In California a new privacy rights act, the CPRA, will take effect on 1 January 2023, while the new California privacy protection agency is consulting on draft regulations, with special attention on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws. Other key regulatory issues include data processing agreements, programs on exercising data subjects’ rights, data minimisation and valid consent requirements, and the prohibition of “dark patterns”.

China will enforce cross-border data transfer rules starting from 1 September. Consequently, many critical industries like communication and finance or transportation will face additional checks under the country’s latest cybersecurity, data security and personal information protection legislation. Companies seeking to transfer personal data on 100,000 or more people, (10,000 or more for sensitive data), companies that handle the personal data of 1 million or more people, as well as operators that transfer the personal information of at least 100,000 cumulative individuals a year will undergo security reviews. Businesses will have to explain to government investigators the purpose of the transfer, the security measures in place, and the laws and regulations of the destination country. More details on the new regulatory framework can be found in this guidance (by KPMG China).

Enforcement actions: commercial prospecting, employee’s consent, smart TV reset, Chromebook ban, PHI disposal, medical results without encryption

A famous French hotel group was slapped with a 600,000 euro fine from the privacy regulator CNIL for carrying out commercial prospecting without the consent of customers, when making a reservation directly with the staff of a hotel or on the website. The consent box to receive the newsletter was prechecked by default. Also a technical glitch prevented a number of people from opposing the receipt of such messages for several weeks. As the processing in question was implemented in many EU countries, the EDPB was asked to rule on the dispute concerning the amount of the fine. The CNIL was then asked to increase the sum so that the penalty would be more dissuasive.


Guernsey’s data protection authority has issued a reprimand, (a recognition of wrongdoing), to HSBC Bank’s local branch for inappropriate reliance on consent. An employee felt obliged to consent to providing sensitive information about themselves in connection with what they believed was a possible internal disciplinary matter. They then made a formal complaint. The authority’s opinion is that reliance on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Whilst in this case the controller ceased processing as soon as concerns were raised, they nonetheless continued to use consent as justification for the processing. Guernsey’s latest guide explains how to manage data protection in employment.

The Danish data protection authority expressed serious criticism of retailer Elgiganten A/S, which had a returned television stolen during a break-in at its warehouse; the television had not been reset to remove the plaintiff’s personal data. This meant that a third party gained access to the TV and thus to information from streaming services that the plaintiff was logged into, as well as the browsing history. Before the break-in, the company had carried out a risk assessment for theft of its products and assessed the risk to be high, so the warehouse was secured by locks, a high wall, surveillance cameras and motion sensors. The burglar gained access by simply punching a hole in the wall.

The Danish data protection authority is maintaining its ban on Chromebook use by Helsingør municipality, on the grounds of high risks for individuals. The regulator stated that the decision does not prohibit the use of Google Workspace in schools – but the specific use of certain tools in the municipality is not justifiable regarding children’s information. The municipality assessed that Google only acts as a data processor, but in the opinion of the regulator, it acts in several areas as an independent data controller, processing personal data for its own purposes in the US.

The Danish regulator ruled that the municipality cannot reduce the risk to an acceptable level without changes to the contract basis and the technology the municipality has chosen to use. Although the decision specifically relates to the processing of personal data in Helsingør Municipality, the regulator encourages other municipalities to look at the same areas in relation to unauthorised disclosure and transfers to unsafe third countries.

The recent HIPAA settlement, (over 300,000 dollars), offers lessons on data disposal and the meaning of Protected Health Information, (PHI), workplaceprivacyreport.com reports. A dermatology practice reported a breach last year when empty specimen containers with PHI labels were placed in a garbage bin in the practice’s car park. The labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The workforce should have been trained to follow disposal policies and procedures. These requirements can include: shredding, burning, pulping, or pulverizing records so that PHI is rendered essentially unreadable; storing labelled prescription bottles in opaque bags in a secure area; and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

The Belgian data protection authority also fined a laboratory 20,000 euros for insufficient security measures, DPIA, and privacy policy (Art. 5, 12-14, 32 and 35 of the GDPR), Data Guidance reports. Namely:

  • the laboratory webpage allowed doctors to remotely consult the medical results of patients without employing any encryption;
  • the laboratory failed to conduct a DPIA for the large-scale processing of health data;
  • while rejecting that the health data had been processed on a large scale, it had failed to clarify what criteria it was using to determine this;
  • the laboratory failed to include a privacy policy on its webpage related to the maintenance of the abovementioned medical results.

Data security: cyber security breaches landscape, personal data bought by FBI, social engineering on healthcare

The UK government published an in-depth qualitative study with a range of businesses and organisations which have been affected by cyber security breaches. The findings help businesses and organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the government in shaping future policy in this area. The guide also contains 10 practical case studies on: understanding the level of existing cyber security before a breach, determining the type of cyber attack, understanding how businesses and organisations act in the immediate, medium, and long-term aftermath of a breach, etc.

Top US Democrats in Congress demand that the FBI and Department of Homeland Security detail their alleged purchases of Americans’ personal data, Gizmodo.com reports. They suspect federal law enforcement agencies of using commercial dealings with data brokers and location aggregators to sidestep warrant requirements in obtaining Americans’ private data. Reportedly the data points may include, among others, records of internet browsing activity and precise locations. The demand includes the release of documents and communications between the agencies and data brokers with whom they may have dealings or contracts.

The US Health Sector Cybersecurity Coordination Center published guidance on the impact of social engineering on healthcare. Social engineering is the manipulation of human psychology for one’s own gain. “A social engineer can manipulate staff members into giving access to their computers, routers, or Wi-Fi; the social engineer can then steal Protected Health Information, (PHI), Personal Identifiable Information, (PII), or install malware posing a significant threat to the Health sector”, says the study. It also answers questions on the phases and types of social engineering attacks, (eg, tailgating, vishing, deepfake software, smishing, baiting and more), the personality traits of a social engineer, data breaches and steps to protect your organisation.

Big Tech: US mobile carriers, Google location data, Cambridge Analytica settlement, TikTok iOS app, Oracle class action

The US Federal Communications Commission will investigate mobile carriers’ compliance with disclosing to consumers how they use and share location data, Reuters reports. Top mobile carriers like Verizon, AT&T, T-Mobile, Comcast, Alphabet’s Google Fi and others were requested to detail their data retention and privacy policies and practices. Recent enforcement of anti-abortion legislation in many states also raised concern that the police could obtain warrants for customers’ search histories, location and other information that would reveal pregnancy plans. Last month Google responded to this by promising to delete location data showing when users visit an abortion clinic.

The Federal Court of Australia ordered Google to pay 60 million dollars for misleading consumers about the collection and use of personal location data. Google was found guilty of misleading and deceptive conduct, breaching Australian Consumer Law. The conduct arose from representations made about two settings on Android devices – “Location History” and “Web & App Activity”. Some users spotted that the Location History default setting changed from “off” to “on”. Another misleading practice was telling some users that having the Web & App Activity setting turned “on” would not allow Google to obtain, retain or use personal data about the user’s location.

Facebook agreed to settle a lawsuit seeking damages for allowing Cambridge Analytica access to the private data of tens of millions of users, The Guardian reports. Facebook users sued the tech giant in 2018 after it emerged that the British data analytics firm, connected to former US president Donald Trump’s successful 2016 campaign for the White House, gained access to the data of as many as 87 million of the social media network’s subscribers. Reportedly, if owner Meta had lost the case it could have been made to pay hundreds of millions of dollars.

Reportedly, when you open any link in the TikTok iOS app, it is opened inside the app’s in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs, (including passwords, credit card information, etc.), and every tap on the screen, such as which buttons and links you click. The discovery was made by software engineer Felix Krause. You can read more technical analysis of the most popular iOS apps that have their own in-app browser in the original publication.

Finally, the Irish Council for Civil Liberties, (ICCL), started a class action against Oracle in the US for its worldwide surveillance machine. Oracle is an important part of the tracking and data industry. It claims to have amassed detailed dossiers on billions of people, and generates over 42 billion dollars in annual revenue. Oracle’s dossiers may include names, addresses, emails, purchases online and in the real world, physical movements, income, interests and political views, and a detailed account of online activity. For example, one database included a record of a man who used a prepaid debit card to place a 10 euro bet online. Oracle also coordinates a global trade of people’s dossiers through the Oracle Data Marketplace, claims the ICCL. You can view the full complaint here.

Weekly digest 18 – 24 July 2022: personal data breaches, web hosting, targeted ads, smart video devices, geolocation & privacy https://techgdpr.com/blog/weekly-digest-26072022-personal-data-breach-web-hosting-targeted-ads-smart-video-devices-geolocation/ Tue, 26 Jul 2022 07:04:36 +0000 https://s8.tgin.eu/?p=5908 TechGDPR’s review of international data-related stories from press and analytical reports. Legal processes: personal data breaches, EU Commission’s data transfers, non-implementation of the GDPR by a country, US-UK data access, targeted ads In Poland, an administrative court upheld the decision of the personal data protection office UODO on the fine imposed on Bank Millennium. A […]

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: personal data breaches, EU Commission’s data transfers, non-implementation of the GDPR by a country, US-UK data access, targeted ads

In Poland, an administrative court upheld the decision of the personal data protection office UODO on the fine imposed on Bank Millennium. A personal data breach occurred as a result of the loss by courier services of bank correspondence including client names, surnames, registration address, bank account numbers, etc. The UODO learned about the incident from a complaint against the bank. The controller decided there was a medium risk of negative consequences for the persons affected by the breaches, so did not report the breach to the supervisory authority and did not fully comply with the obligation to notify the data subjects.

In its decision the court clarified that a breach of personal data occurs not only when personal data has been read by an unauthorised person, but also when the data controller cannot exclude such a situation due to the lack of information in this regard. According to the court, the supervisory authority also correctly recognised that the bank is the controller of the personal data concerned by the breach. It was the bank, and not the postal operator, that defined the purposes and methods of data processing. Postal operators or courier service providers are also controllers, but only for the data needed for correct delivery.

The European Commission urged Slovenia to fulfil its obligations under the GDPR, as well as to make it possible for its data protection authority to use all the corrective powers under the legislation. The Commission considers that Slovenia has failed to fulfil its obligations stemming from the GDPR due to its persistent failure to reform its pre-GDPR national data protection framework. Slovenia now has two months to reply to the Commission’s reasoned opinion. If the reply is not satisfactory, the Commission may decide to bring this matter before the Court of Justice of the European Union.

Conversely, according to the euractiv.com news website, the Commission may face a lawsuit for violating its own data protection rules when transferring EU users’ personal data from one of its websites to the US. Reportedly, the action was initiated by a German citizen with regard to the Conference on the Future of Europe’s website, meant to engage EU citizens in deciding the future of the bloc and its member states. Amazon Web Services hosts the website, hence when registering for the event, personal data such as the IP address is transferred to the US. Moreover, the Commission’s website also allows users to log in via their Facebook account, a US-based platform as well, which faces an investigation by the Irish data regulator on similar allegations. In parallel, a complaint was filed before the European Data Protection Supervisor, which has jurisdiction over the application of the data protection rules by EU institutions. However, the EDPS has put its investigation on hold because a lawsuit is pending and the decision might take up to 18 months.

The US-UK Data Access Agreement will go into effect in October, according to the joint statement shared by the US Justice department. It will be the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime. Namely, it will allow information and evidence that is held by service providers and big tech companies related to the prevention, detection, investigation or prosecution of serious crime to be accessed more quickly than ever before. This will help, for example, the law enforcement agencies gain more effective access to the evidence they need to bring offenders to justice, including terrorists and child abuse offenders, thereby preventing further victims.

According to Privacy International the UK Department for Culture, Media and Sport (DCMS) recently ran a consultation to review the regulatory framework for paid-for online advertising. The aim according to DCMS is “to tackle the evident lack of transparency and accountability across the whole supply chain.” While PI agrees with the rationale for intervention, as a starting point it would like to see existing regulation, (such as the UK GDPR), be properly and regularly enforced. PI would rather resources were focused on enforcing existing data protection standards, and as a result that more investigations be opened into intermediaries and platforms such as data brokers, data suppliers, data management platforms, and measurement and verification providers, third-party software development kits etc. The risks to privacy do not stem from ad targeting alone, or the content of adverts. There are many steps in the process before adverts are served in a targeted manner:

  • Data collection, (hidden means such as trackers placed on the websites you visit)
  • Profiling, (dividing users into small groups or “segments” based on previous online behaviour)
  • Personalisation, (designing personalised content for each segment), and
  • Targeting, (delivering tailor-made, targeted messages)

Through each of these stages the users still have very little understanding of where that data came from, by whom and for what purpose profiling is used, or the level of detail of profiling practices, etc. PI concludes it is impossible to address the problem without tackling the whole supply chain, (eg, real-time bidding technology), and creating accountability at each stage.

Official guidance: smart video devices, geographical indications for EU producers

The French privacy regulator CNIL has published its position on the conditions for the deployment of smart video devices in places open to the public, (excluding offices, warehouses, and domestic use). For several years, says CNIL, new types of cameras equipped with artificial intelligence software have been emerging. The CNIL’s position concerns “augmented” video devices, which differ from biometric recognition devices such as facial recognition devices. Two criteria make it possible to distinguish these devices:

  • the nature of the data processed: physical, physiological or behavioural characteristics;
  • the purpose of the device: to uniquely identify or authenticate a person.

A biometric recognition device will always combine these two criteria while an “augmented” camera will meet neither, (eg, an “augmented” camera that films the street to classify the different uses: cars, bicycles, etc.), or only one of the two, (eg, an “augmented” camera that detects fights in a crowd). This distinction has legal consequences: biometric recognition devices involve the processing of so-called “sensitive” data which are, in principle, prohibited by the GDPR, with some exceptions.

The CNIL considers that any actor who wishes to deploy an “augmented” video device will have to rely on a legal basis determined on a case-by-case basis. While none is excluded or privileged in principle, the legal basis of “legitimate interest” must not lead to a manifest imbalance between the interests pursued by the user of an “augmented” video device and the reasonable expectations of individuals, (eg, a store that analyses the mood of customers to display advertisements to them accordingly). More generally, from the outset it is necessary to demonstrate the proportionality of the envisaged device, (that is to say, the conditions for implementing the device in relation to the objectives pursued). Even the police are not authorised by law to connect automatic analysis devices to video protection cameras to detect conduct contrary to public order or offences, says the CNIL.

As such, effective data protection and privacy by design mechanisms must be implemented to help reduce the risks to data subjects. Strong safeguards include, for example, the integration of measures allowing the almost immediate deletion of source images or the production of anonymous information. Finally the CNIL states that people generally cannot oppose the analysis of their images, for example, when the algorithms do not keep the images, or when the conditions for exercising this right are not practicable, (marking one’s opposition requires pressing a button, making a particular gesture in front of a camera, etc). You can read the full opinion by the CNIL, (in French), here.

The EDPS meanwhile published an opinion on protecting the personal data of EU foodstuff producers. While supporting the proposal for a regulation on geographical indications for wine, spirits, agricultural products, and quality schemes for agricultural products, the EDPS recommends that a number of measures related to the processing of personal data are clarified and added:

  • explicitly indicating the role of the European Union Intellectual Property Office as joint controller together with the European Commission;
  • identifying in the proposal itself the different categories of personal data to be included in the supporting documentation accompanying the applications for registration, oppositions and official comments, extracts from the Union register and the single document;
  • indicating in which circumstances and/or conditions it is necessary to make which categories of personal data publicly available and clearly define for which objectives;
  • assessing whether it would be appropriate to put in place a procedure whereby only individuals who demonstrate a legitimate interest have access to additional categories of personal data, such as contact details;
  • the chosen data retention period for the documentation related to the cancellation of geographical indications should be further justified or reduced.

Enforcement actions: passwords in clear text, wrongful emails, membership and consent, web hosting, vehicle geolocation, healthcare data, Google Workspace

The Danish data protection authority Datatilsynet expresses serious criticism of Salling Group for having stored a number of customers’ passwords in clear text format in a log file from one of the grocery group’s websites. The error persisted for more than a year. Salling Group uses a common login – Salling Group profile – so that the username and password can be used on all the services where the Salling Group profile provides access. In 2021, Salling Group implemented a monitoring tool to register incidents and events. Due to a human error, the customers’ passwords were not encrypted before they were stored in the system’s log file when the customers logged in to the website.


As a result, up to 146 internal users in the Salling Group were given technical access to read both usernames and passwords for a number of customers who had logged in on the website. If this access had been used, it would have been possible to gain access to the name, address, email address, telephone number, masked payment card information and purchase history of a number of Salling Group’s customers. The regulator also ordered the company to notify the customers whose passwords had been stored unencrypted in the log for the monitoring tool.

In a separate ruling Datatilsynet also assessed the benefits of membership, (of Magasin’s customer club Goodie), in return for giving consent to marketing. The consumer will not be prevented from buying certain products/services simply because consent is not given – they will simply have to pay regular prices and the general discounts that apply at Magasin. In other words, it is voluntary whether a customer gives marketing consent in exchange for benefits or buys products/services on normal market terms. Members can revoke their consent to marketing at any time, with the consequence that membership of a customer club ends. There are no costs associated with revoking consent, and in connection with registration for the customer club, it is clearly stated that revoking consent results in the termination of membership. On this basis, the Danish regulator found that Magasin’s processing of personal data had taken place in accordance with data protection regulations. The full decision, (in Danish), is available here.

The Spanish privacy regulator AEPD fined DKV Seguros y Reaseguros, (health insurance for individuals), 220,000 euros for confidentiality and security violations, (Art 5, 32, 33 GDPR), Data Guidance reports. According to the individual plaintiff, they received dozens of emails with medical clearances of unknown individuals from the company, including the individuals’ names, surnames, and test data, from 2020-2021. Further, the AEPD specified that the plaintiff had repeatedly brought the situation to the attention of DKV Seguros y Reaseguros, but the company did not act until receiving notice from the regulator. The investigation found that:

  • the company’s technical and organisational security measures were inadequate, taking into consideration that the data in question was of a sensitive nature;
  • the company had failed to notify the AEPD that it had suffered a personal data security breach since it had become aware of it back in 2020.

However, the AEPD noted that due to an admission of guilt and a voluntary payment on the part of the defendant, the fine was reduced by 20%.

Meanwhile the Berlin data protection commissioner is examining data processing contracts between web hosting providers and their customers. Many organisations operate their websites or online shops via a third-party service provider. As a rule, the related data processing takes place on behalf of the responsible party, the site operator. This means that the web hoster is technically a processor and a specific contract needs to be signed. In order to support responsible parties and protect them from future sanctions and enforcement actions, the Berlin data protection commissioner is examining the agreements of selected large web hosters in the area. Many organisations in Berlin have complained about standard form contracts offered by web hosting companies, which are not willing to change them. Thus, the regulator encourages all IT service providers to check their standard contracts independently and to adapt them to the law.

The HIPAA Journal has published the latest statistics on healthcare data breaches in the US. Reportedly, there were 31 reported breaches of 10,000 or more healthcare records in June – the same number as in May 2022 – two of which, (the Texas Tech University Health Sciences Center and Baptist Medical Center), affected more than 1.2 million individuals. Healthcare providers were the worst affected HIPAA-covered entities, along with business associates. Several healthcare providers submitted breach reports in June 2022 due to a ransomware attack on HIPAA business associate Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack and more than 3 million records are known to have been exposed in the attack.

The French CNIL has imposed a penalty of 175,000 euros against the company UBEEQO International, (short-term vehicle rentals), for having disproportionately infringed the privacy of its customers by geolocating them almost permanently. The checks covered in particular the data collected, the retention periods defined, the information provided to individuals and the security measures implemented. The CNIL found in particular that, during the rental of a vehicle by an individual, the company collected data relating to the geolocation of the rented vehicle every 500 metres when the vehicle was in motion, when the engine was turned on and off, or when the doors opened and closed. In addition, the company kept a history of some of the collected geolocation data for an excessive period of time. The company argued that vehicle geolocation data was collected for different reasons:

  • ensure the maintenance and performance of the service, (eg, check that the vehicle is in the right place, monitor the state of the fleet);
  • find the vehicle in case of theft;
  • assist customers in the event of an accident.

The CNIL considers that none of these purposes justifies a collection of geolocation data as fine-grained as that carried out by the company. Such a practice is indeed very intrusive into the privacy of users insofar as it is likely to reveal their movements, the places they frequent or all the stops made during a route.

Finally, the Danish data protection agency has made a final decision in the case concerning the use of Google Chromebooks in Elsinore municipality, the EDPB reports. Last year the municipality of Elsinore was ordered to make a risk assessment of the municipality’s processing of personal data in primary schools using Google Chromebooks and Workspace. Based on the documentation and the assessment of the risk for the data subjects which the municipality has prepared, the regulator has now found that the processing does not meet the requirements of the GDPR on several points. The municipality as controller has not assessed some specific risks in relation to the data processor arrangement, as regards the processing activities the controller is allowed to do as a public authority. In addition, the data processor agreement states that information can be transferred to third countries in technical support situations without the required level of security and protection. The regulator has now made a new decision. It contains, among other things:

  • A suspension of the municipality of Elsinore’s data processing where information is transferred to third countries without the necessary level of protection.
  • A general ban on processing of personal data with Google Workspace until adequate documentation and an impact assessment have been produced and until the processing operations have been brought into line with the GDPR.

Many of the specific conclusions in this decision will probably apply to other Danish municipalities that use the same data processor setup as Elsinore.

Data security: private correspondence for a government

The UK Information Commissioner called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps. The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled. 

An example of this included some protectively marked information being located in non-corporate or private accounts outside of the Department of Health and Social Care’s official systems. This information, stored on outside servers, betrays an oversight in the consideration of storage and retention of information and the associated risks this could bring. Although the use of private channels brought some real operational benefits at a time in which the UK was facing exceptional pressures throughout the COVID-19 pandemic, it is of concern that such practices continued without any review of their appropriateness or the risks they present.

Big Tech: Microsoft cloud for governments, DiDi Global privacy fine, UBER massive data breach

Microsoft is beefing up its cloud offer, in partnership with Italy’s Leonardo and Belgium’s Proximus, by launching a public cloud to service government customers. Dubbed the “Cloud for Sovereignty”, it will, Microsoft says, offer greater control over data, be cheaper, and be closer to developing technology. Rivals Amazon and Google are doing good cloud business in the US and elsewhere, but the EU’s privacy watchdog is currently checking to see if private cloud operators are doing enough to ensure the safety of public data.

Chinese ride-hailing service DiDi Global has been hit with a billion-dollar fine by the national cybersecurity regulator for going public on the NYSE before a Chinese probe into the company’s data practices had been completed. The probe found user data had been illegally collected for years, and that DiDi had endangered national cybersecurity with their data processing methods. The inquiry forced the New York delisting of the company, which says it will review and change its practices.

Uber has admitted to failing to report a massive 2016 data breach and covering it up from regulators for a year, as part of a non-prosecution agreement in the ongoing federal criminal case in California. Data from over fifty million users was stolen, but the company points to a complete overhaul of data protection and privacy and a change of top management since then. The company also fully co-operated with prosecutors. Uber has already paid out nearly 150 million dollars in all 50 US states in civil litigation related to the breach, Reuters reports.

The post Weekly digest 18 – 24 July 2022: personal data breaches, web hosting, targeted ads, smart video devices, geolocation & privacy appeared first on TechGDPR.

Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent
https://techgdpr.com/blog/weekly-digest-16052022-uk-data-protection-reform-and-dark-patterns-invalidating-consent/
Mon, 16 May 2022 07:40:08 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK data protection reform

Last week in the Queen’s Speech it was announced that the UK’s data protection regime will be reformed through the introduction of the Data Reform Bill, dataprotectionlawhub.com reports. The Bill’s purpose is to “create a trusted UK data protection framework that reduces burdens on businesses and boosts the economy.” Reportedly, the main elements of the Bill include:

  • a more flexible approach to data protection, focused on privacy outcomes, that will replace the “box tick exercises” required under current data protection law;
  • public bodies will be able to share data to improve the delivery of services, with data protection, ensuring that the personal data of UK citizens is protected to a ‘gold standard’. 

Additionally, the introduction of the Brexit Freedoms Bill in the future will end the supremacy of European law. This would enable the Government to change the position of retained EU data protection law, which is currently enshrined under UK data protection law. Taken together, this could undermine the EU’s adequacy decision for data flows with the UK. Read the full governmental proposal here.

Official guidance: UK AI toolkit, China cross-border processing, CNIL and EDPB’s annual wrap-ups

The UK’s ICO has presented its AI toolkit designed to provide further practical support to organisations to reduce the risks to individuals’ rights and freedoms caused by their own AI systems. It contains advice on a) how to interpret relevant law as it applies to AI, b) recommendations on good practice for organisations, c) technical measures to mitigate the risks to individuals that AI may cause or exacerbate, d) an AI glossary. This guidance is not a statutory code. There is no penalty if you fail to adopt good practice recommendations, as long as you find another way to comply with the law, the ICO says.

The guidance covers both the AI and data-protection-specific risks, and the implications of those risks for governance and accountability. Regardless of whether you are using AI, you should have accountability measures in place. However, adopting AI applications may require you to re-assess your existing governance and risk management practices. AI applications can exacerbate existing risks, introduce new ones, or generally make risks more difficult to assess or manage.

Meanwhile, China issued new specifications for cross-border processing of personal information by multinational corporations, as stipulated in the Personal Information Protection Law (PIPL). In particular, such companies must meet one of the following criteria in order to transfer personal information over a certain scale overseas:

  • Undergo a security review organized by the Cyberspace Administration of China, except where exempted by relevant laws and regulations. 
  • Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC. 
  • Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC, etc.

Personal information can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” personal information, which is subject to stricter protection requirements:

  • Biometric data, (fingerprints, iris recognition, facial recognition, and DNA);
  • Data pertaining to religious beliefs or specific identities;
  • Medical history;
  • Financial accounts;
  • Location and whereabouts;
  • Any personal information of minors under the age of 14. 

However, it does not include data that has been anonymised or abstract data that doesn’t contain any specific personal information on individuals, such as aggregated information. Read the full analysis in the original publication.

The French regulator CNIL published its 2021 activity report, (in French). One of its objectives was to provide legal certainty to all professionals with regard to the GDPR. To support them, it has thus published new sector guides and resources on its website in 2021, in particular for the voluntary associations’ sector, insurance, health and adtech. In 2021 the CNIL received 14,143 complaints and closed 12,522. It carried out 384 checks and the shortcomings noted during some of the investigations led to issuing 135 formal notices and 18 penalties, entailing fines exceeding 214 million euros. 89 of the 135 formal notices concerned cookies, one of the priority themes set by the CNIL for this year. 

The CNIL also carried out 30 new control missions with medical analysis laboratories, hospitals, service providers and data brokers in health, in particular on treatments related to the COVID-19 epidemic. Some of these procedures are still under review. Finally, it paid particular attention to the cybersecurity of the French web by controlling 22 organisations, 15 of which are public. During its investigations, the CNIL noted obsolete cryptographic suites making websites vulnerable to attacks, shortcomings concerning passwords and, more generally, insufficient resources with regard to current security issues.

At the same time the EDPB presented its annual report 2021 with a detailed overview of its work over the last year. In 2021, the EDPB adopted its final version of the recommendations on:

  • Supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. 
  • Opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive, as well as its opinion on the draft adequacy decision for the Republic of Korea. 
  • Guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses, issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA. 
  • Guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, and much more.

In the US, the Network Advertising Initiative, (NAI is the leading self-regulatory association comprised exclusively of third-party digital advertising companies – ed.), issued Best Practices for User Choice and Transparency. The term “dark pattern” was coined in 2010 to refer to “tricks used in websites and apps that make you do things you didn’t mean to do, like buying or signing up for something.” They are also sometimes referred to as “deceptive patterns” or “manipulative designs.” These practices can be dynamic and multifaceted, including a series of tactics and specific design choices in apps and on websites. The guide is intended to help member companies better understand the practice of dark patterns and to implement the highlighted best practices to avoid them, namely:

  • to examine the current legal environment at the state and federal levels, (FTC Act, CCPA and CPRA, Colorado Privacy Act, and the GDPR); and
  • to identify best practices and guide companies in maximizing effective and efficient notice and choice mechanisms with respect to collecting consumer data, (Notice and Choice, Exercising Consumer Requests, User Interface considerations).

Pursuant to the GDPR, the NAI quotes the French CNIL, which asserts that “the fact of using and abusing a strategy to divert attention or dark patterns can lead to invalidating consent.” Furthermore, in March 2022, the EDPB released a series of its own guidelines on the use of dark patterns in social media platforms, open for public comment.

Investigations and enforcement actions: IAB Europe case, IKEA Canada internal threat, whistleblowing, community owners

The IAB Europe, (the European-level association for the digital marketing and advertising ecosystem – ed.), withdrew its request for suspension of the execution of the decision issued by the Belgian Data Protection Authority, (APD), on the Transparency & Consent Framework (TCF). The request for suspension had been submitted as part of the appeal to the Belgian Market Court lodged on 4th March. The withdrawal coincides with confirmation that the APD will not take a decision on validation of the action plan submitted by IAB Europe to rectify alleged EU GDPR violations connected with TCF before Sept. 1, the date by which the Market Court is expected to have issued a ruling on the appeal.

IKEA Canada reportedly confirmed a data breach involving the personal information of approximately 95,000 customers. The furniture retailer notified Canada’s privacy regulator saying that some of its customers’ personal information appeared in the results of a “generic search” made by an employee at IKEA Canada between March 1 and March 3 using IKEA’s customer database, but no financial or banking information was involved in the breach. In a letter sent to impacted customers, IKEA Canada said that the data that may have been compromised included customer names, email addresses, phone numbers and postal codes. The IKEA Family loyalty program number belonging to customers may have also been visible. The company already made changes to reinforce its internal policies and no action was needed by customers.

The Italian privacy regulator ‘Garante’ fined ISWEB and Perugia Hospital 40,000 euros each for GDPR violations in relation to the whistleblowing system, following an ex officio investigation, Data Guidance reports. ISWEB is an IT company that provides and manages the whistleblowing application used by numerous clients, including Perugia Hospital. The ‘Garante’ found that ISWEB had failed to regulate the relationship with the hosting service provider, noting that ISWEB had engaged the hosting service provider both to carry out processing in its capacity as data controller, and for the processing carried out in its capacity as a data processor on behalf of its clients, including the Hospital. The ‘Garante’ noted that the aggravating factors for the administrative fine were: a) the nature, subject, and purpose of the processing; b) the high degree of confidentiality required by sector regulations in relation to the identity of the data subjects in cases of whistleblowing; c) the fact that no whistleblowing reports were available in the system at the time of the investigation; d) ISWEB had not regulated in any way the relationship with the hosting service provider.

At the same time, the Spanish data protection authority imposed a fine of 500 euros on a community of owners. In particular, the decision states that the Presidency of the Community of Owners had placed a list of debtors, including the claimant, on three community bulletin boards. Moreover, the decision noted that the bulletin boards are located inside the building entrances and that all the boards are locked, but exposed to viewing by third parties outside of the community.

Data security: cybersecurity for regulated industries

EU countries and lawmakers agreed last week to tougher cybersecurity rules under the NIS 2 Directive, proposed by the Commission in December 2020, for regulated industries such as energy, transport and financial firms, digital providers and medical device makers, amid concerns about cyber attacks by state actors and other malicious players. Medium and large companies are required to assess their cybersecurity risk, notify authorities and take technical and organisational measures to counter the risks, with fines of up to 2% of global turnover for non-compliance. EU countries and the EU cybersecurity agency ENISA can also assess the risks of critical supply chains under the rules.

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the two co-legislators. Once published in the Official Journal, the Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law. Member States will have 21 months to transpose the Directive into national law.

Big Tech: Twitter’s ‘Data Dash’ game, Clearview AI settlement and future fine, EU biometrics, Zoom’s user emotion detection 

Twitter has rolled out a new web video game to make it easier for users to understand its privacy policy, TechCrunch reports. The goal of the game, which is called Data Dash, is to educate people on the information that Twitter collects, how the information is used and what controls users have over it: “Once you start the game, you’ll be asked to pick the language in which you would like to play. After that, you’ll have the option to select a character. The game is played by helping a dog, named Data, safely navigate ‘PrivaCity’ by dodging ads, steering clear of spammy DMs and avoiding Twitter trolls.”

According to Reuters, France’s data privacy regulator is about to trigger the process of fining US-based Clearview AI, a facial recognition company the regulator had ordered to stop amassing data from people based in the country. The start of a formal penalty process would indicate that CNIL suspected Clearview of failing to comply with its order within the two-month deadline it had set. 

Meanwhile, under a settlement filed in an Illinois state court in Chicago, Clearview AI will stop granting paid or free access to its database to most local private businesses and individuals, as well as police. However, Clearview AI, based in New York, can still work with federal government agencies, including immigration authorities, as well as state government agencies outside Illinois. The case was brought by the American Civil Liberties Union in 2020. Clearview AI repeatedly violated the Illinois Biometric Information Privacy Act by scraping photos taken from the internet, including from social media platforms, Reuters reports.

The European Digital Rights group and 52 other organisations called for banning remote biometric identification systems in public locations, Biometric Update and IAPP News report. They called the technology, like facial recognition, one of the greatest threats to fundamental rights and democracy that destroys the possibility of anonymity in public. They have called for amendments to Article 5(1)(d) of the AI Act to extend the scope of the prohibition to cover all private as well as public actors. 

And nearly 30 civil society groups wrote a letter to Zoom’s CEO calling on the company to cease use of software that detects users’ emotions, The Hill and IAPP News report. The letter came in response to reports of Zoom beginning to roll out post-meeting sentiment analysis for hosts: “Facial expressions are incredibly variable from culture to culture and nation to nation, making creating an algorithm that can judge them equally difficult.” The groups also launched an online petition demanding that Zoom drop the technology.

Weekly digest April 11 – 17, 2022: France’s CNIL to simplify investigation and enforcement of minor cases
https://techgdpr.com/blog/weekly-digest-18042022-cnil-to-simplify-investigation-and-enforcement-of-minor-cases/
Mon, 18 Apr 2022 11:24:49 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: CNIL investigation and enforcement, EDPB procedural rules 

The French data protection authority CNIL announced a reform of its corrective procedures: towards simplified investigation and enforcement actions. A simplified procedure was created in particular for less complex cases. This reform will allow the CNIL to respond better to the increasing number of complaints since the GDPR came into force. Right now the CNIL must respond to numerous complaints, (more than 14,000 in 2021), and there is a constant increase in the number of corrective measures it pronounces, (18 sanctions and 135 formal notices issued in 2021). Thus cases that are not very complex or serious will be subject to a simplified sanction procedure: any case will follow the same steps as the ordinary sanction procedure, (for time limits, adversarial procedure), but the implementation methods are simplified:

  • The president of the CNIL chooses a restricted committee, (5 members and a chair).
  • The president appoints a designated rapporteur, who is in charge of the investigation.
  • The chair of the restricted committee, (or a member they appoint), decides alone and no public meeting is organised, unless requested.
  • The penalties likely to be pronounced in this context are limited to a fine of a maximum 20,000 euros and an injunction with penalty capped at 100 euros per day of delay. These sanctions cannot be made public.

The ordinary procedure has also been adjusted and clarified on certain points, in particular: a) extended deadlines for submitting observations; b) the possibility for a new rapporteur to use investigative work carried out by a previous rapporteur; c) the possibility for the president of the restricted committee to decide alone that there is no longer any need to proceed with the case, (eg, if the organisation has disappeared since the start of the sanction procedure). Finally, the CNIL can now send formal notices that do not require a written response from the organisations. In this case, the organisation is required to comply within the set deadline, but no longer has to send evidence to the CNIL within this same deadline. Compliance may be verified by other means, for example during a subsequent inspection. The full infographic, (in French), can be found here.

The EDPB similarly published its latest procedural rules, restating its mission and guiding principles, procedures and working methods as mentioned in the GDPR, the Police and Criminal Justice Data Protection Directive, and other applicable legislative instruments under EU law. The board shall act independently, apply appropriate measures to ensure confidentiality when required, promote cooperation between supervisory authorities and endeavour to operate where possible by consensus. With regard to the processing of personal data by EU institutions and bodies, the board shall appoint a data protection officer.

Among other provisions, the European Commission shall have the right to participate in the activities of the board without voting rights. Additionally, the board may invite external experts, guests or other external parties to take part in a plenary meeting and may set the agenda. The board may also decide to grant a non-EU country data protection authority the status of an observer, if it is in the interest of the board and certain qualitative conditions are met. You can read the full document here.

Official guidance: the use of web fonts, post-pandemic data

The Bavarian data protection authority, (BayLfD), recently published a statement on the use of web fonts, Data Guidance reports. It specified that a website operator, by integrating an external third-party font service, acts as a controller within the meaning of the GDPR: it co-decides on the means and purposes of the processing, and lets the third-party provider receive personal data from users. The website operator’s responsibility is limited to the collection and transmission of user data. However, a) no data, (eg, IP addresses), may be transmitted to third-party servers before consent has been given, and b) it must be clearly stated which data is being processed, to whom it is being transmitted, and for what purpose. Finally, the safest data protection solution would be to integrate fonts into a website through self-hosting rather than external hosting.
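A practical check for the point above, added here as an example and not taken from TechGDPR or the BayLfD statement: a small Node.js audit that lists every font-related resource an HTML page would fetch from a host other than the site’s own, since each such request sends the visitor’s IP address to that host before any consent is given. The first-party host list, the assumed site origin and the sample page are constructed.

```javascript
// Added example: audit an HTML document for third-party font loads.
// Assumptions: the site's own hosts are those in FIRST_PARTY_HOSTS and relative
// URLs resolve against https://www.example.org/ (both constructed for this example).

const FIRST_PARTY_HOSTS = new Set(["example.org", "www.example.org"]); // assumption

// Resolve relative and protocol-relative URLs against the assumed site origin.
function hostOf(url) {
  try {
    return new URL(url, "https://www.example.org/").host;
  } catch {
    return null; // malformed URL: ignore rather than misclassify
  }
}

// Pull candidate URLs out of the document in source order:
//   <link rel="stylesheet"|"preconnect"> and <link rel="preload" as="font">,
//   @import in inline <style>, and src: url(...) inside @font-face rules.
function extractFontUrls(html) {
  const urls = [];
  let m;

  const linkRe = /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>/gi;
  while ((m = linkRe.exec(html)) !== null) {
    const tag = m[0];
    const relevant =
      /\brel\s*=\s*["'][^"']*\b(stylesheet|preconnect)\b/i.test(tag) ||
      /\bas\s*=\s*["']font["']/i.test(tag);
    if (relevant) urls.push(m[1]);
  }

  const importRe = /@import\s+(?:url\(\s*)?["']?([^"')\s]+)["']?\s*\)?/gi;
  while ((m = importRe.exec(html)) !== null) urls.push(m[1]);

  const faceRe = /@font-face\s*\{([^}]*)\}/gi;
  while ((m = faceRe.exec(html)) !== null) {
    const urlRe = /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi;
    let u;
    while ((u = urlRe.exec(m[1])) !== null) urls.push(u[1]);
  }
  return urls;
}

// Classify each URL by host. data: URLs have no host and trigger no network
// request, so they are skipped; anything not on the first-party list is a leak.
function auditFontLoads(html, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const thirdParty = [];
  const firstParty = [];
  for (const url of extractFontUrls(html)) {
    const host = hostOf(url);
    if (host === null || host === "") continue;
    if (firstPartyHosts.has(host)) firstParty.push(url);
    else thirdParty.push({ url, host });
  }
  return { thirdParty, firstParty };
}

// Constructed sample page: a typical Google Fonts embed next to a self-hosted font.
const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
<link rel="stylesheet" href="/css/site.css">
<style>
@import url("//fonts.gstatic.com/legacy.css");
@font-face { font-family: "Inter"; src: url("/fonts/inter.woff2") format("woff2"); }
@font-face { font-family: "Tiny"; src: url(data:font/woff2;base64,AAAA) format("woff2"); }
</style>
</head><body></body></html>`;

console.log(JSON.stringify(auditFontLoads(SAMPLE_HTML), null, 2));
```

A first-party stylesheet can itself @import or declare @font-face sources on a third-party host, so fetch and scan linked CSS the same way before concluding that a page is fully self-hosted.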

Meanwhile, the Baden-Württemberg data protection authority, (LfDI Baden-Württemberg), announced that, as soon as the COVID-19 pandemic is over, it will review all pandemic-related restrictions. The regulator will approach healthcare providers, such as test centre operators and pharmacies, but also other companies and public bodies that have stored 3G (vaccinated, recovered or tested) evidence of their employees and customers. In addition, it will insist on the deletion or blocking of this sensitive data. Additionally, the regulator stated that health information, such as information on employees’ pregnancies or autoimmune diseases, must not be used inappropriately, for example to terminate employment contracts or to deny promotion, Data Guidance reports.

Investigations and enforcement actions: IAB Europe’s action plan, Frontex cloud, dismissed CCTV footage case

The Interactive Advertising Bureau (IAB) Europe submitted an action plan to comply with the latest investigation and enforcement by Belgium’s data protection authority, (APD), towards the Transparency & Consent Framework (TCF). The submission of the action plan was needed in the two-phase remediation period foreseen in the decision and should enable a version of the TCF with a broader compliance functionality to be rolled out over a 6-month period under the supervision of the APD. The action plan outlines how IAB Europe, in its capacity as managing organisation of the TCF, will deliver in-depth discussions amongst IAB Europe member companies that implement the TCF and convene in the existing TCF working groups and other instances, as well as IAB Tech Lab. These instances are multi-stakeholder, bringing together:

  • publishers, 
  • ad tech intermediaries, 
  • agencies, and 
  • consent management platforms.  

However, the submission of the action plan is without prejudice to IAB Europe’s appeal of the decision. It contests a number of findings in the decision, in particular the findings that IAB Europe acts as a data controller of the TC String, (digital signals created to capture data subjects’ choices on how their personal data can be processed), and as a joint controller for the dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol.

The UK Information Commissioner’s Office, (ICO), has found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care, (DHSC). The leaked CCTV images showed the former Secretary of State for Health and Social Care and his former aide engaged in behaviour contravening social distancing rules. The regulator launched a criminal investigation after it received a report of a personal data breach from the DHSC’s CCTV operator, (EMCOR Group plc). The ICO had a legal duty to carry out an impartial assessment of security within governmental offices. Forensic analysis revealed that the leaked images were most likely obtained by someone recording the CCTV footage screens with a mobile phone. Six phones retrieved during the execution of search warrants did not contain the relevant CCTV footage. The ICO concluded that there was insufficient evidence to charge anyone with criminal offences under the Data Protection Act 2018.

The EDPS issued a reprimand to the European Border and Coast Guard Agency, (Frontex), for moving to the cloud without proper data protection assessment. This constitutes a breach of the data protection legislation, applicable to Union institutions, offices, bodies and agencies. The EDPS found that Frontex:

  • moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing;
  • failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution, (Microsoft 365), was the outcome of a thorough process in which the existence of data-protection-compliant alternative products and services meeting Frontex’s specific needs was assessed;
  • failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes;
  • breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default.

In addition to the reprimand, the EDPS ordered Frontex to review its DPIA, (data protection impact assessment), and ROPA, (record of processing activities).

Data breaches: tax authority, visa service, medical practice, fashion industry, airport temperature checks

The Dutch data protection authority, (AP), has imposed a fine of 3.7 million euros on the tax authorities for years of illegal processing of personal data in the Fraud Signalling Facility, (FSV). This was a blacklist on which the tax and customs administration kept records of fraud, with often major consequences for people who were wrongly on the list.

The UK Home Office’s visa service apologises for an email address data breach. The private contractor running the service sent an email to applicants containing more than 170 email addresses. Some of the email addresses appeared to be private Gmail accounts, while others belonged to lawyers from a variety of firms.

In the US, Christie Business Holdings Company, (Christie Clinic), a major medical practice in Illinois, informed 500,000 individuals that their personal information was potentially compromised in a data breach. Christie Clinic said the data breach occurred last year, when a third party gained unauthorized access to a single business email account, likely in an attempt to intercept financial transactions.

The fashion industry also has been in breach of privacy lately. Luxury brand Louis Vuitton is facing a class-action lawsuit filed in New York by a customer who alleged its “Virtual Try-On” feature violates the Illinois Biometric Information Privacy Act. The feature is used for eyewear. Users provide an image of their face, which the customer alleged is collected and stored without knowledge or consent. Meanwhile, the UK branch of cosmetics giant Shiseido has reportedly fallen victim to a data breach involving personal details belonging to former and current employees. Some of them have reported being victims of fraud, with their personal data being used to open fraudulent businesses as well as take out bank loans and insurance. 

The Belgian data protection authority fines the airports of Brussels and Charleroi for Covid temperature checks. These airports did not have a valid legal basis to process travellers’ health data. Since data of this type is sensitive, it cannot in principle be processed, except in a very limited number of exceptions, (Art. 9.2 of the GDPR). Processing for reasons of public health or important public interest is part of these exceptions, based on a legal standard that is clear, precise and whose application is foreseeable for the data subjects. The regulator observed shortcomings in terms of the information provided to travellers and the quality of the impact analyses of the existing protocols.

Big Tech: online data brokerage, WhatsApp for work and school

American TV chat show host John Oliver gave 25 minutes to the data brokerage industry, personal data and privacy as the “unregulated” sector’s profile rises into the mainstream. He typically uses even more colourful language in his dissection of the problems, which include political interests in personal data being partly behind the lack of regulation, and potentially life-threatening situations made possible by data abuse.

With end-to-end encryption built in, WhatsApp is testing Communities, a new feature for larger groups tailored for organisations like schools and workplaces. The Meta Platforms-owned company says it is comparable to other private messaging services like Microsoft Teams and Slack. But before the launch, major changes are coming to WhatsApp’s Groups feature. Group administrators will now have censorship powers over all chats. Communities, once launched, will also have upgraded safeguards like forwarding limits, and a range of anti-abuse tools.

Weekly digest February 7 – 13, 2022: France latest EU member to put pressure on Google Analytics (https://techgdpr.com/blog/weekly-digest-14022022-france-latest-eu-member-to-put-pressure-on-google-analytics/), Mon, 14 Feb 2022

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: use of Google Analytics in France, Privacy Sandbox commitments in the UK

The use of Google Analytics, (GA), is illegal as it threatens the privacy of French website users, concludes the French data protection regulator CNIL. In its latest decision relating to an unnamed French website manager, the CNIL decided that the analytics service developed by Google risks giving US intelligence services access to the website users’ data. GA provides statistics on website traffic. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the data associated with it are transferred by Google to the US. The CNIL, in cooperation with its EU counterparts, concludes that in the absence of an adequacy decision following the “Schrems II” CJEU ruling such a transfer can only take place if appropriate guarantees are provided. Although Google has adopted additional measures to regulate data transfers in the context of the GA functionality, these are not sufficient to exclude the accessibility of this data to US intelligence services. The CNIL ordered the website manager to bring this processing into compliance with the GDPR, if necessary:

  • by ceasing to use the GA functionality under the current conditions, or 
  • by using a tool that does not involve a transfer outside the EU, (and only uses anonymous statistical data). 

To go deeper on this topic you can also read the recent unfavorable decision on GA by the Austrian data protection regulator. In its defense, Google also recently posted a statement stressing that the GA tool does not track people or profile people across the internet.

Britain’s competition regulator CMA to keep a close eye on Google as it secures final Privacy Sandbox commitments. The CMA has accepted a revised offer from Google of legally binding commitments relating to its proposed removal of third-party cookies from the Chrome browser known as the Privacy Sandbox proposals. The CMA competition investigation was launched in January 2021 over concerns that the proposals would cause online advertising spending to become even more concentrated on Google, weakening competition and so harming consumers. Google has pledged not to remove third-party cookies until the CMA is satisfied.

The CMA is currently working closely with the UK Information Commissioner’s Office, ICO, to oversee the development of the proposals so that they protect privacy without unduly restricting competition and harming consumers. In one of the examples, Google commits to restricting the sharing of data within its ecosystem to ensure that it doesn’t gain an advantage over competitors when third-party cookies are removed. Google will also engage in a more transparent process than initially proposed, including engagement with third parties and publishing test results, with the option for the CMA to require Google to address issues raised by the CMA or third parties. Read more on the Privacy Sandbox initiative here and the ICO’s latest opinion on Data protection and privacy expectations from the advertising technology sector. 

Official guidance: configuration errors, payment services, EU data flows analysis

The French regulator CNIL published a guide, (in French), on security incidents related to configuration errors within public cloud storage spaces, DataGuidance reports. Malicious scenarios may be caused by a) a publicly accessible ‘bucket’; b) overly permissive access rights for users; c) inadequate user authentication mechanisms. To detect unauthorized access, CNIL recommended that available logs should be analyzed, and the Data Protection Officer should be updated in a timely manner in the course of the investigation. If the incident is classified as a personal data breach, CNIL must be notified within 72 hours of discovery. Some essential steps to prevent configuration errors include:

  • knowing your infrastructure, (eg, configure security options: do not rely on default settings, in particular public and private access to containers);
  • taking inventory of your cloud resources, (eg, separating the storage of personal and sensitive data from other data);
  • limiting access, (eg, strong two-factor authentication for sensitive actions);
  • encrypting data and performing regular backups;
  • tracing, monitoring, and auditing containers and their security configurations;
  • educating users on how to handle data stored in the cloud.
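As an added illustration of the three error classes in the CNIL checklist above (this is example code written for this digest, not code from the CNIL guide or from TechGDPR), the following Python audit flags a public bucket, wildcard grants and missing MFA in a simplified bucket model, and scans access-log lines for successful anonymous reads, which is the kind of log check the guide recommends for spotting unauthorized access. The bucket fields, policy shape and log format are assumptions loosely modelled on S3-style conventions, not any provider’s real API, and the sample configurations and log lines are constructed.

```python
"""Audit a simplified object-storage bucket configuration and its access log for
the misconfiguration classes named in the CNIL guide: public buckets, overly
permissive rights, and weak authentication.

The bucket model and log format are constructed for this example, loosely
modelled on S3-style policies and server access logs; they are not any
provider's actual API or log schema.
"""
import re

# Constructed "before" configuration: anonymous reads, wildcard actions, no MFA.
WEAK_BUCKET = {
    "name": "patient-exports",
    "public_access_block": False,
    "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::patient-exports/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/ops"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::patient-exports/*"},
    ]},
    "mfa_delete": False,
    "default_encryption": None,
}

# Constructed "after" configuration: named principal, least-privilege actions,
# public access blocked, MFA required for deletion, at-rest encryption on.
HARDENED_BUCKET = {
    "name": "patient-exports",
    "public_access_block": True,
    "policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/ops"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::patient-exports/*"},
    ]},
    "mfa_delete": True,
    "default_encryption": "AES256",
}


def _is_anonymous(principal):
    """True when a statement applies to everyone (the 'public bucket' case)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in principal.values()


def audit_bucket(cfg):
    """Return a list of findings, each prefixed with its CNIL error class."""
    findings = []
    if not cfg.get("public_access_block", False):
        findings.append("public-access: block-public-access setting is disabled")
    for i, st in enumerate(cfg["policy"]["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if _is_anonymous(st.get("Principal")):
            findings.append(f"public-access: statement {i} grants {actions} to anyone")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"over-permissive: statement {i} grants wildcard actions")
    if not cfg.get("mfa_delete", False):
        findings.append("weak-auth: MFA is not required for delete operations")
    if cfg.get("default_encryption") is None:
        findings.append("encryption: no default at-rest encryption configured")
    return findings


# Constructed access-log lines: time, remote IP, requester ('-' = anonymous),
# operation, object key, HTTP status.
SAMPLE_LOG = """\
2022-02-10T09:14:02Z 203.0.113.7 - REST.GET.OBJECT exports/2022-01.pdf 200
2022-02-10T09:14:05Z 198.51.100.4 arn:aws:iam::123456789012:user/ops REST.PUT.OBJECT exports/2022-02.pdf 200
2022-02-10T09:15:11Z 203.0.113.7 - REST.GET.OBJECT exports/2022-02.pdf 200
2022-02-10T09:16:40Z 203.0.113.9 - REST.GET.OBJECT exports/secret.pdf 403
"""

LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<ip>\S+) (?P<requester>\S+) (?P<op>\S+) (?P<key>\S+) (?P<status>\d{3})$"
)


def anonymous_reads(log_text):
    """Return (ip, key) pairs for successful object reads by unauthenticated callers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        if m["requester"] == "-" and m["op"].startswith("REST.GET") and m["status"] == "200":
            hits.append((m["ip"], m["key"]))
    return hits


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(cfg) or ["no findings"])
    print("anonymous successful reads:", anonymous_reads(SAMPLE_LOG))
```

The audit deliberately reports each statement separately so that the finding can be traced back to the policy entry that caused it; the log scan only counts status 200 responses, because a 403 on an anonymous request shows the control working, not a disclosure.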

The EU Commission presented a new study estimating the volume of data flowing to main cloud infrastructures across the EU Member States, Iceland, Norway, Switzerland, and the UK. In 2020, the largest data flows came from the health sector, and Germany registered the largest volume of data inflow. Reportedly, by 2030, the flow of data stemming from European enterprises will be 15 times higher than in 2020. Furthermore, a follow-up study has just been started to assess the economic values of data flows within the EU, as well as with third countries such as the US and China. Both studies will complement the upcoming Data Act. It will also feed into the evaluation of EU Regulation of the Free Flow of Non-Personal Data, as well as the Digital Decade policy program. Read the full study and the interactive map here. 

A growing number of EU payment industry associations co-signed a letter addressed to the EDPB, the European Commission, and the European Banking Authority about the final EDPB Guidelines on the interplay of PSD2, (Payment Services Directive), and the GDPR. Although the guidelines clarify certain aspects of the interplay, other elements remain more worrying and raise new uncertainties, notably:

  • the provisions on data minimisation;
  • the processing of special categories of personal data;
  • a lack of coherence with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication;
  • the risk that national data protection authorities could start taking a differentiated approach to the interpretation of the provisions, resulting in fragmentation across the EU.

Investigations and enforcement actions: IAB Europe/APD row, extensive health data collection, unprotected visa order forms, unsolicited marketing email

The Interactive Advertising Bureau (IAB) Europe has published an FAQ on the Belgian data protection authority, (APD), decision about the Transparency and Consent Framework, and its compliance with the GDPR. The IAB Europe states that:

  • There is nothing in the APD’s decision that even remotely suggests that consent pop-ups are illegal or that they should not be employed by the digital advertising ecosystem to comply with the EU data protection rules. 
  • The APD only requires IAB Europe to ensure the deletion of personal data collected through TC Strings in the context of a specific mechanism called the “global scope”.
  • The APD does not consider the TC String itself to be personal data, as the TC string does not allow for direct identification of the user due to the limited metadata value.
  • However, the APD holds that the possibility of CMPs being able to combine TC Strings and the IP address means it is ultimately information about an identifiable user and therefore personal data. 
  • The APD’s decision only concerns IAB Europe, not any vendor, publishers, or CMPs, but it does hint at the possibility of an order for a given party to delete TC Strings if they contain personal data collected in breach of Art. 5 and 6 of the GDPR.
  • It is unclear if reliance on legitimate interests as a legal ground for the processing of personal data by TCF participants is viable for all TCF purposes or solely for personalized advertising and profiling, etc.

The EDPB published an analysis of the recent decision by the Finnish Data Protection Ombudsman. An administrative fine with reprimand was imposed on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information. The Data Protection Ombudsman stated that the actions of the data controller violated the principle of data minimization provided for in the GDPR. Namely, the data controller requested unredacted patient records from health care providers in order to settle claims. The controller also collected information on the patients’ health care appointments to determine whether the health care provider charged for visits not related to the examination or treatment of injuries sustained in the claim. Information was also requested in cases where the health care recipient may have omitted information essential for claims handling. The decision by the data protection authority is not final as it is under appeal in the administrative court.

Another fine by the Finnish data protection regulator was imposed on a travel agency for multiple violations of the GDPR. In the given case, a customer suspected the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency erase their data from the system, but the company had not fulfilled the customer’s request. The investigation showed that: 

  • The travel agency used an unencrypted network connection for its visa application forms.
  • It stored personal data on a public web server.
  • The information entered on the form was saved as a PDF file in the web server’s files folder, which was open to access from the internet.
  • The information entered on the forms included the customer’s name, contact details, and passport number, which in particular poses a privacy risk.

The regulator also imposed a fine on the small travel industry group that the travel agency is considered a part of.

Meanwhile, the Spanish data protection authority AEPD fined SegurCaixa Adeslas, (health insurance), 300,000 euros for sending marketing emails to the plaintiff, despite their request for deletion of their data, Data Guidance reports. This happened despite the fact that the given email address was registered in an opt-out list of people not willing to receive marketing communications. SegurCaixa Adeslas however indicated that the marketing emails were sent by insurance agents with which it maintained a commercial relationship, claiming that these insurance agents should be responsible for the activity of promoting and attracting clients. The AEPD found SegurCaixa Adeslas in breach of Art. 6, (unlawful processing), 17, (failed requests of data deletion), and 28, (no formalized data processing agreement with the contracted insurance agents), of the GDPR.

Data security: IoT products

The US National Institute of Standards and Technology published its latest Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) products. An IoT product and its components must protect data stored and transmitted, (both between IoT product components and outside the IoT product), from unauthorized access, disclosure, and modification. Thus, maintaining confidentiality, integrity, and availability of data is foundational to cybersecurity for IoT products. Customers will expect that data is protected and that protection of data helps to ensure the safe and intended functionality of the IoT product. The document provides some real-world IoT product vulnerabilities and related proposed baseline criteria. Here are some examples:

  • Weak data protection in storage and transit creates vulnerabilities within home security cameras allowing adversaries to exfiltrate data. 
  • Unencrypted sensitive data is available through a baby monitor, leaving the data vulnerable to access, modification, exfiltration, and misuse.
  • Using weak de-identification methods leaves data vulnerable to being reidentified allowing unauthorized access to sensitive data, etc.

Big Tech: Meta annual report, TikTok promises minors privacy, AirTag dilemma, surveillance marketing by YouTube, TikTok & Co

Negotiations between the EU and US over transatlantic data transfers and their associated privacy issues need to succeed, said Meta this week in its annual report to the SEC and in press releases. Failure to agree on a new transatlantic data transfer framework that complies with the EU’s GDPR could lead to Facebook and Instagram quitting Europe. Meta added that 70 other companies share its concern about the impact on their business. The SEC report noted that other data protection requirements at the federal, state, and international level, along with legislation restricting the collection and use of data from minors, could impose limitations on Meta’s business. You can investigate Meta’s annual report here.

A TikTok news briefing revealed the company is conducting twin tests to crack down on adult content arriving on minors’ devices, Reuters reports. The company said one small test would look at how users themselves or their parents or guardians could restrict access, while a ratings approach is being trialled for app creators who want to specify adult content, similar to the film and games industries.

Apple has responded to reports its AirTag device is being used by criminals, especially stalkers, updating software and beefing up online support, according to The Guardian. Any initial user of the device will now be warned tracking people without consent is a crime in many places around the world. Guidance on what to do if you find an unwanted AirTag near you and how to disable it is being added to the website, along with links to two US helplines. Apple says additional measures, like precision detection of stalking AirTags, are on the way.

TikTok and YouTube are by far the biggest collectors of personal data among social media apps, according to a report by URL Genius. While YouTube mostly collects data for its own business purposes and shares little with third-party trackers, TikTok passes nearly all its users’ data to third parties, more than three times as much, trailed by Twitter and Telegram. The report says that for users this means it is unclear where all this data goes, how it is used, and whether or not, for example, other online activity or location is being tracked, whether logged in to TikTok or not. The study added that TikTok allowed third-party tracking even when users did not use the opt-in feature. Find many other findings on surveillance marketing in the original study report.
