Age Appropriate Code Archives - TechGDPR
https://techgdpr.com/blog/tag/age-appropriate-code/
Tue, 08 Jul 2025 11:55:06 +0000

Data protection digest 3 – 16 July 2023: can the new EU-US data privacy framework respect the GDPR to the letter?
https://techgdpr.com/blog/data-protection-digest-17072023-can-the-new-eu-us-data-privacy-framework-respect-the-gdpr-to-the-letter/
Mon, 17 Jul 2023 08:26:07 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

EU-US Data Privacy Framework

Effective Immediately: On 10 July, the European Commission’s decision on the adequacy of the level of data protection in the US within the new data privacy framework entered into force. If an American-based business is on the approved list, you can transfer personal data to it as if it were a European (EEA) business. You still have to follow the other rules in the GDPR, for example having a legal basis for processing or a data processing agreement to share personal data with others.

Self-certification: The new data privacy framework enables US organisations to make self-certification submissions (and, as applicable, submissions under the UK and/or Swiss extensions) and lets participating organisations make their annual re-certification submissions. Organisations that self-certified under the invalidated Privacy Shield framework must comply with the updated principles, but they do not need to make a separate submission.

Transfer Impact Assessment: Data transfers to the US under EU standard contractual clauses or binding corporate rules remain possible, provided that a Transfer Impact Assessment is carried out. In that case, the limitation of state security services’ ability to access and use transferred personal data, as recognised in the Commission’s adequacy decision, applies as well.

Redress mechanism: The new framework gives European residents a legal remedy and allows them to obtain rectification of data collected unlawfully. In practice, reportedly, data subjects can file a data breach notification with their national data protection authority, which will be transmitted to the US. The national authority will ensure that the person concerned receives information about the procedure and the final decision (either that no breach of US law has been identified, or that a breach has been identified and remedied). Individuals will also be able to appeal the outcome if needed.

Criticism: Although the new data privacy framework marks a significant step forward, it was criticised by the EDPB and the Parliament as not sufficiently addressing the temporary bulk collection, retention and dissemination of data by the US intelligence services, the scope of exemptions, onward transfers, the exercisability of data subject rights, and the practical functioning of the redress mechanism. The privacy advocacy group NOYB is also preparing a fresh court challenge to the framework by the end of 2023 or the beginning of 2024.

Legal processes and redress

Procedural rules: The European Commission proposes a new law to streamline cooperation between data protection authorities when enforcing the GDPR in cross-border cases. For example, it will oblige the lead Data Protection Authority to send a ‘summary of key issues’ to the other authorities concerned, identifying the main elements of the investigation and its views on the case. For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. For businesses, it will clarify their due process rights when a DPA investigates a potential breach of the GDPR. The new law also recognises the importance and the legality of the amicable settlement of complaint-based cases.

“Stop”, “revoke”, “end”, and “opt-out”: The US Federal Communications Commission proposed guidelines that would allow customers to cancel consent to calls and text messages sent using automated technology “in any reasonable way”, allaboutadvertisinglaw.com reports. This includes texts such as “stop,” “revoke,” “end,” and “opt-out.” Callers and texters would be unable to limit the ways in which customers may cancel consent. Consumers can revoke consent via text, voicemail, or email to any phone number or email address at which they would reasonably expect to reach the sender. A request must be fulfilled within 24 hours of being received. The government is also investigating and soliciting feedback on the present exemptions.

CCPA/CPRA: Businesses that planned to comply with the amended California Consumer Privacy Act this month will now have until spring 2024. After the California Chamber of Commerce demanded that businesses have one year from the adoption of final regulations before enforcement could begin, a state court judge made a last-minute decision to postpone enforcement.

Minors’ safety online: On 28 June, the Louisiana Secure Online Child Interaction and Age Limitation Act was signed by the Governor. Notably, the act will require social media companies to withhold certain functions from accounts held by Louisiana residents who are minors, including prohibiting direct messaging with unfamiliar accounts and not displaying advertising or suggested groups, products, posts, services or users to the minor. Further, accounts held by minors will not show up in the search results of other accounts unless they were already linked through “friending”.

Official guidance

APIs: The French privacy regulator CNIL published technical recommendations on data sharing by Application Programming Interfaces (in French). All types of sharing of personal data by API, whether open or restricted, and all types of organisations, public or private, are covered by these recommendations. Three categories of actors in API data sharing are defined: data holders, API managers and data reusers. Each category receives recommendations to guide it towards measures that achieve the desired level of security, as well as measures likely to facilitate compliance with data protection principles (exercise of rights, information obligation). However, it is up to each organisation to evaluate its level of risk and apply the appropriate measures.

Google Search: The Danish data protection authority has recently published an advisory on how to have a search result about you deleted from a search engine (e.g. Google or Bing). If you wish to have a search result removed, you must first contact the search engine. This is done most easily through its complaint form. You must specify exactly which search result is in question and why you want it removed. A number of grounds for the right to erasure are laid down in Art. 17 of the GDPR. If the search engine does not want to remove the search result in question, you still have the option of complaining to the data protection authority, which then assesses whether it is appropriate to investigate the matter.

Research projects: The Danish data protection authority also published new guidance on GDPR-governed role allocation in research projects (in Danish). It mainly consists of numerous examples of data controllers, data processors and joint data controllers that can arise in practice. In many cases, legal and professional obligations as well as professional standards could mean that the actor in question is prevented from following a detailed instruction from a business partner. For example, doctors who test a new surgical method as part of a research project remain bound by their medical oath and are obliged to carry out the surgery in the most responsible manner, possibly without providing information or following an instruction that is relevant and necessary according to the trial protocol. Similarly, a laboratory remains subject to professional standards for the analysis of, for example, blood samples. Read the full instructions here.

Lessons learned from reprimands: Looking back at the reprimands issued by the UK Information Commissioner’s Office in the past three months, here are three brief lessons for organisations across the public and private sectors to improve their data protection practices:

  • Avoid inappropriate disclosure of personal information by having policies in place and training your staff (redact documents properly, dispose of them correctly, and avoid accidental on-screen display of personal information).
  • Respond to information access requests on time (organisations must respond within one month of receipt of the request; this can be extended by up to two months if the request is complex).
  • Deployment of any new apps should take a Data Protection by Design and Default approach from the very start.

Case law

Meta and consent: The CJEU decided that competition authorities can rule on GDPR compliance by undertakings. In the test case, the German cartel office in 2019 ordered Meta to stop collecting users’ data without their consent, calling the practice an abuse of market power. According to Art. 6 of the GDPR, there are six legal bases for processing personal data, one of which is consent, but Meta decided to rely only on the other five legal bases. The need for the performance of the contract with the user may justify the practice only if the processing is objectively indispensable. The CJEU expressed doubts as to whether personalised content and the use of the Meta group’s own services, like Meta Pixel, fulfil this criterion. For companies to be able to rely on the ‘consent’ lawful processing condition, they need to demonstrate that a person has ‘freely given’ that consent. This may be difficult to prove when a company such as Meta holds a dominant position in the market, as people have less choice over which platform they can use.

Big Tech

Google’s Privacy Sandbox: Since 2021, different features have been tested as part of Chrome Beta’s Origin Trials. As a result of these tests, and starting 13 March, some users of the standard version of Chrome were asked to enable three new targeting and ad measurement tools: the Privacy Sandbox. As part of the Chrome browser, it consists of a set of Google interfaces (APIs) accessible by site publishers. These interfaces allow targeted advertising to continue while avoiding the technical constraints that could emerge with the end of third-party cookies. Google Chrome users included in the experimental phase are randomly selected and are informed by a specific screen when their browser is launched, asking for their consent to participate. A refusal will not affect navigation, and users who have agreed to activate these features can still reconsider their choice in the Chrome settings under the “Privacy and Security” tab and then “Privacy Sandbox”.

The post Data protection digest 3 – 16 July 2023: can the new EU-US data privacy framework respect the GDPR to the letter? appeared first on TechGDPR.

Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’
https://techgdpr.com/blog/data-protection-digest-04072023-rules-on-gdpr-fines-controllers-bcrs-and-right-to-know/
Tue, 04 Jul 2023 08:35:52 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

New rules on GDPR fines: New rules, issued by the EDPB, are now in effect for calculating fines for companies that violate the GDPR. All privacy supervisors in the EU will calculate the size of fines in the same way. The size and turnover of a company will play a major role. Companies can find in the guidelines which amount is used as the starting point for calculating the fine for a particular violation and severity level for a company of their size.

US State legislation: Three more states have joined the ranks of those in the US enacting privacy legislation: Montana, Florida, and Texas. California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws in 2022, all of them slated to take effect in 2023. Earlier this year, Iowa, Indiana, and Tennessee passed their own privacy legislation that will take effect by 2025 or 2026. In many cases, the new legislation compels covered entities to recognize opt-out preferences for users and to include particular disclosures in the sale of sensitive personal data or biometric data.

Foreign Surveillance: The White House is pushing to reauthorize an electronic surveillance law that allows the targeted monitoring of foreign individuals. The Foreign Intelligence Surveillance Act’s Section 702 is due to sunset at the end of the year. While the program is designed to acquire information on non-Americans residing outside the US, it also collects information on their conversations with US citizens. Curbing US state surveillance practices is also a cornerstone of the future EU-US Data Privacy Framework, which is now being considered by the EU Commission for adoption.

Official guidance

Updated BCR-C: The EDPB approved the recommendations regarding Controller Binding Corporate Rules. All data controllers using BCRs must update the rules they use to comply with the new recommendations. The recommendations clarify, among other things, what should be included in the controller’s BCR rules and what must be presented in the BCR application. They also include an updated standard application form for the BCRs. All users of the BCRs and those applying for approval under them must bring themselves into compliance either during the application process or as part of the annual update, depending on their situation. The EDPB is currently drafting recommendations on the BCRs for personal data processors as well.

Data subject complaints: Another form issued by the EDPB makes it easier for individuals to make complaints to data protection authorities in the EU and EEA. Its use is voluntary for data protection authorities, and they can modify the model to suit their national requirements. The form can be used in cases where a private person files a complaint, or where someone else files a complaint on their behalf (a legal representative or an entity acting on behalf of an individual).

Age assurance tech: The “Future of Privacy Forum” organisation publishes infographics on age assurance technology. The analysis outlines the three categories of age assurance, with their risks and advantages: a) Age declaration (age gate, parental consent/vouching); b) Age estimation (facial characterisation and other algorithmic estimation methods based on browsing history, voice, gait, or data points/signals); c) Age verification (government, biometrics or digital ID). Another report by the organisation looks at verifiable parental consent, a form of age declaration required by the Children’s Online Privacy Protection Act, and analyses new children’s privacy laws in various US states.

‘Gestiona’ tool: The Spanish data protection agency has launched a new version of its Gestiona tool, aimed especially at small public or private entities, which allows them to manage records of processing activities, carry out risk management and, where appropriate, obtain support for carrying out impact assessments. The tool now has a more intuitive design and incorporates the latest guidelines. Management is carried out in the user’s own browser, without data being transmitted to the regulator. The information can be stored in a file on the user’s computer and retrieved after each session.

PETs: The UK Information Commissioner’s Office issued guidance that discusses privacy-enhancing technologies in detail. The first part of the guidance is aimed at DPOs (data protection officers) and those with specific data protection responsibilities in larger organisations. The second part is intended for a more technical audience, and for DPOs who want to understand in more detail the types of PETs that are currently available. It gives a brief introduction to eight types of PETs and explains their risks and benefits, with reference tables and case studies.

Case Law

‘Right to know’: The CJEU stated that every person has the right to know the date of, and the reasons for, the consultation of their personal data. In the related case, an employee of a bank, who was also its client, had requested information about the persons who had reviewed his customer information in connection with an internal audit. The bank had refused to disclose the identity of the employees who performed the review but disclosed the reasons and other details. The CJEU states that a person has the right to receive a ‘copy’ of information about the inquiries, such as log data (e.g. it may show the frequency of the review). However, the data subject does not have the right to learn the identity of the employees who carried out the review under the authority of the data controller.

DPO’s conflict of interest: In a recent ruling (not yet published in full), the German Federal Labour Court (‘BAG’) has decided that the chair of a works council is not eligible to serve as DPO, the Ius Laboris Law blog reports. In the case in question, following GDPR instructions, an employer twice dismissed the works council chairman as DPO as a precautionary measure. Before deciding that the revocation of the appointment had been justified, the court had referred the question to the CJEU.

The CJEU ruled that the roles of works council chair and DPO could not be undertaken by the same individual without creating a conflict of interest. Because the works council decides the aims and means of processing personal data (as required by applicable laws), the works council chair is unable to supervise data protection law compliance in a sufficiently independent manner. The court clearly left open the question of whether all members of the works council are barred from acting as DPO. However, the conflict of interest considerations may apply to them as well.

Enforcement decisions

IAB Europe’s TCF update: Interactive Advertising Bureau Europe (the European-level association for the digital marketing and advertising ecosystem) launched an updated Transparency & Consent Framework in response to industry demand and the Belgian data protection authority’s action plan. Among the changes, the TCF includes revised purpose names and descriptions, new retention periods, the removal of the legitimate interest legal basis for advertising and content personalisation, the introduction of data categories used in conjunction with the purposes, and a more robust vendor compliance program. Participants will have until the end of the third quarter of 2023 to adopt it.

User profiling for direct marketing: The Swedish Privacy Protection Agency issued a sanction of approximately 1 million euros against Bonnier News, because the group profiled its customers and web visitors without their consent. The company, citing legitimate interest, collects information from several different sources for targeted advertising on the web and marketing via physical mail and telephone sales. The data includes information about purchases made from various companies in the group and surfing behaviour. In some cases, this information is also combined with other personal data bought in from outside, such as information about the customer’s gender, the household’s car ownership and postcode, as well as statistical information based on the individual’s area of residence, such as stage of life, purchasing power and type of residence.

Facial recognition at stadiums: The Danish data protection authority reauthorized Brøndby football club’s use of facial recognition at stadiums for its matches. Brøndby will be able to use images from surveillance cameras to register individuals who violate the rules of order, so that such persons can be apprehended when they subsequently try to access the stadium again. The club must ensure it observes the duty of disclosure when collecting the personal data of the individuals concerned and provide information that access control is being carried out. The storage period for such data would be 30 days or even longer.

Personalised ads: Criteo, which specialises in “behavioural retargeting”, was fined 40 million euros in France for failing to verify an individual’s consent and the fulfilment of data subject rights. The company collects the browsing data of Internet users via its cookie, which is placed on their terminals when they visit certain e-commerce websites. The company determines which advertiser and which product would be most relevant to display to a particular user, then participates in real-time bidding to display it. Additionally, when a person exercises their right to withdraw consent or to have their data deleted, the process implemented by the company only stops the display of personalised advertisements to the user; it does not delete the identifier assigned to the person or erase their navigation history.

E-mail service provider: The Finnish data protection authority has issued a notice to an e-mail service provider, as the company had not offered users the possibility to transfer their e-mail messages out of the service as required by the GDPR. Users of the free version of the e-mail service could only export their messages manually, one at a time. By contrast, customers who paid for the service were offered tools that made it possible to export messages in bulk. As a rule, the data subject must receive their personal data in a structured, commonly used and machine-readable format, and the controller must not hinder or prevent the transfer of data (Art. 20 of the GDPR, “Right to data portability”).

Data security

Mobile device data: In an effort to assist organisations with deployment strategies, the US National Institute of Standards and Technology released a revised guide for managing the security of mobile devices in the enterprise. The publication provides a five-step enterprise mobile device deployment life cycle:

  • Identify Mobile Requirements (Bring Your Own Device or Corporate-Owned and Personally-Enabled is selected).
  • Perform Risk Assessment (performed on a regular basis).
  • Implement Enterprise Mobility Strategy (management, policies, configurations, system testing, additional security).
  • Operate and Maintain (control settings, periodic audits).
  • Dispose of and/or Reuse Devices.

Big Tech

Draft Data Act: The Council and the Parliament reached an agreement on rules to access and use data collected in the EU across all economic sectors, where the data are generated through smart objects, machines, and devices. The Data Act will give consumers more control over their data by strengthening portability rights, interoperability standards, and safeguards against unlawful data transfers by service providers. The Data Act takes into account current horizontal and sectoral laws, including the GDPR.

It has received criticism from a variety of sources, including from crypto industry bodies over the wide classification of smart contracts as “computer programs.” Smart contracts might potentially be constructed to provide an access control mechanism, but this would undermine the technology’s basic functions. Software businesses expressed concerns about a clause requiring corporations to share data that might jeopardize trade secrets. Furthermore, some scientists are concerned that the Data Act would favor companies in its goal of expanding access rights to big data, and that publicly financed science will suffer as a result.

Metaverse: Finally, the EU Parliament issued a comprehensive analysis of the Metaverse. Commercial, industrial and military applications bring both opportunities and significant concerns for everyday life, health, work, and security, says the paper. The metaverse can be provided by public or private actors for single users or as a networking platform. It can mirror reality, create a simulation of an entirely new space and actors, or mix both. Forecasts indicate that we are experiencing a decade of the metaverse and that it will take 6 to 8 years to achieve its full potential. However, important elements of the metaverse such as digital ethics, digital twins, blockchain, generative AI, tokenization, or digital humans will start to have a significant impact much earlier (within 1 to 3 years and 3 to 6 years). See the full report here.

The post Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’ appeared first on TechGDPR.

Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing
https://techgdpr.com/blog/data-protection-digest-19062023-electronic-evidence-regulation-explainable-ai-and-wildcat-telemarketing/
Mon, 19 Jun 2023 09:48:45 +0000

The post Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing appeared first on TechGDPR.
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Electronic evidence: The European Parliament voted to adopt new rules on the exchange of electronic evidence by law enforcement authorities to make cross-border investigations more effective. They will allow national authorities to request evidence directly from service providers in other member states (“production orders”), or to ask that data be preserved for up to 60 days. Evidence can consist of content data (text, voice, images, video or sound), traffic data (timestamps, protocol and compression details, and information about recipients), or subscriber data. Currently, the exchange depends on various bilateral and international agreements on mutual legal assistance, resulting in a fragmented landscape and, often, lengthy procedures. However, authorities can refuse requests when they have concerns about media freedom or fundamental rights violations in the requesting member state.

From MiCA to MiCAR: The Markets in Crypto-Assets Regulation has been published in the Official Journal of the EU and will apply in all EU Member States through 2024. The new rules cover issuers of utility tokens, asset-referenced tokens and so-called ‘stablecoins’. They also cover service providers such as trading venues and the wallets where crypto-assets are held. The regulation ensures that crypto transfers, as with any other financial operation, can always be traced and suspicious transactions blocked. Information on the source of the asset and its beneficiary will have to “travel” with the transaction and be stored on both sides of the transfer.

In addition to MiCAR, the EU digital finance package contains a Digital Operational Resilience Act (DORA), which covers crypto-asset service providers as well, and a proposal for a distributed ledger technology (DLT) pilot regime for wholesale uses.

Draft AI Act: The European Parliament also adopted its negotiating position on the Artificial Intelligence Act, and is ready to discuss the final form of the law with the Council and the Commission. MEPs have expanded the list of AI systems that pose an unacceptable level of risk to people’s safety, and would therefore be prohibited, to include:

  • “real-time” remote biometric identification systems in publicly accessible spaces;
  • “post” remote biometric identification systems, with the only exception being law enforcement for serious crimes;
  • biometric categorisation systems using sensitive data (gender, race, ethnicity, etc.);
  • predictive policing systems (based on profiling, location or past criminal behaviour);
  • emotion recognition systems in law enforcement, border management, the workplace, and educational institutions; and
  • untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases.

MEPs added exemptions for research activities and AI components provided under open-source licenses. So-called regulatory sandboxes, real-life environments established by public authorities to test AI before it is deployed, will be set up, along with an individual’s right to complain and to receive information.

CJEU Opinion

Data subject rights: A CJEU Advocate General’s opinion states that a data subject must have judicial recourse available against an independent supervisory authority where they exercise their rights through that authority. In the related case, an individual was refused a ‘security clearance certificate’ by the Belgian National Security Authority because he had participated in various demonstrations in the past. He asked the national supervisory body for police information (“OCIP”) to identify the controllers responsible for the data processing at issue and to order them to provide him with access to all the information concerning him. The OCIP replied that it had carried out all necessary checks, without providing any further details. Unsatisfied with that answer, the individual brought an action against the OCIP.

The opinion clarifies that, in the above case, the level of information provided by the supervisory authority to the data subject on the outcome of the check may not always be restricted to the minimum statement that all necessary verifications have been carried out, but may vary depending on the circumstances of the case, applying the principle of proportionality. The full legal reasoning is set out in the original opinion.

Official guidance

UK Children’s Code: The latest evaluation report shows that a fifth of UK children are familiar with the code and a third are aware of data privacy due to the implementation of the Children’s Code (a statutory code of practice since 2020). The code applies to any ISS provider (including ed-tech products and services) that processes the data of children in the UK, including some organisations that are not based in the UK. For the supervision and enforcement phase, there were initial resource challenges around the integration of Children’s Code activities into ‘business as usual’. Also, there could have been greater external expectation management around supervision and enforcement activities, as these were only possible once the transition period ended. Key skill gaps identified included technology professionals lacking awareness of:

  • how ISS providers operate, as well as supporting technology (e.g. age assurance technology);
  • the importance of communication and engagement policies, as without them the knowledge and experience embedded within the organisation is lost when a project or phase finishes. Read the full report here.

Input data for triage algorithms: The Spanish data protection authority examined the performance of a running algorithm that could be compromised by inaccurate input data. Their analysis looked at the triage algorithms of the emergency health system, which must optimize resources in order to save lives. The authority suggests assessment of the algorithm used in the triage processing should just be a part of the wider assessment, including factors such as data gathering operations, data checking, human involvement and the way in which decisions are executed, reviewed and contested. 

A lack of definition of the input data could lead to errors or biases that are not part of the algorithm itself. Thus, the accuracy principle should be implemented for the input data, the output data, and even the intermediate data of the whole processing activity. The precise definition of each input data item, (gathered both directly and indirectly), and its semantics, must be set up “by design” and properly documented. Even more importantly, the value range, (“yes/no”, “0 to 10” or “high/medium/low”), should be defined and assessed in the context of the processing.
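One way to put the authority’s recommendation into practice is to declare every input of the triage step together with its semantics, its source (direct or indirect) and its permitted value range, and to refuse any record that does not fit that declaration before scoring runs. The following is an added illustration, not code from the Spanish authority’s analysis or from any real emergency system; the field names, ranges and scoring weights are constructed for the example and have no clinical standing.

```python
"""Input-data definition and accuracy checks for a triage pipeline.

Constructed example: every input field is declared with its semantics,
its source and its permitted value range, and records are checked against
that declaration before the (toy) scoring step runs.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Field:
    name: str
    semantics: str                # what the value means and where it comes from
    source: str                   # "direct" (asked of the patient) or "indirect" (monitor, record)
    check: Callable[[Any], bool]  # value-range test, documented by `allowed`
    allowed: str                  # human-readable value range for the documentation


def _int_between(lo, hi):
    # bool is a subclass of int in Python; exclude it so True/False never pass as 1/0
    return lambda v: isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi


# Hypothetical triage inputs; names, ranges and sources are illustrative only.
SCHEMA = [
    Field("breathing_difficulty", "Patient reports trouble breathing", "direct",
          lambda v: v in ("yes", "no"), "yes/no"),
    Field("pain_score", "Self-reported pain on a 0-10 scale", "direct",
          _int_between(0, 10), "0 to 10"),
    Field("consciousness", "Responsiveness observed by staff", "indirect",
          lambda v: v in ("high", "medium", "low"), "high/medium/low"),
    Field("heart_rate", "Beats per minute read from the monitor", "indirect",
          _int_between(20, 250), "20 to 250 bpm"),
]


def validate(record):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    for f in SCHEMA:
        if f.name not in record:
            problems.append(f"{f.name}: missing (expected {f.allowed})")
        elif not f.check(record[f.name]):
            problems.append(f"{f.name}: {record[f.name]!r} outside {f.allowed}")
    # Inputs nobody defined are as much of an accuracy problem as bad values.
    for name in sorted(set(record) - {f.name for f in SCHEMA}):
        problems.append(f"{name}: undefined input, not part of the documented schema")
    return problems


def triage_level(record):
    """Toy priority score (constructed weights); only ever computed on validated input."""
    problems = validate(record)
    if problems:
        raise ValueError("; ".join(problems))
    score = 0
    score += 3 if record["breathing_difficulty"] == "yes" else 0
    score += {"low": 3, "medium": 1, "high": 0}[record["consciousness"]]
    score += 2 if record["pain_score"] >= 8 else 0
    score += 2 if record["heart_rate"] > 120 or record["heart_rate"] < 40 else 0
    # The intermediate value is range-checked too, as the accuracy principle asks.
    assert 0 <= score <= 10, "intermediate score outside its documented range"
    return "immediate" if score >= 5 else "urgent" if score >= 2 else "standard"


def schema_documentation():
    """The 'by design' documentation: every input, its semantics, source and range."""
    return [(f.name, f.semantics, f.source, f.allowed) for f in SCHEMA]


if __name__ == "__main__":
    for name, meaning, source, allowed in schema_documentation():
        print(f"{name:22} {source:9} {allowed:16} {meaning}")
    good = {"breathing_difficulty": "yes", "pain_score": 9,
            "consciousness": "low", "heart_rate": 130}
    print("validated record ->", triage_level(good))
    bad = {"breathing_difficulty": "Y", "pain_score": 11,
           "consciousness": "low", "heart_rate": 80, "notes": "free text"}
    print("rejected record  ->", validate(bad))
```

The schema is the documentation: the same declaration that rejects an out-of-range value is what a reviewer reads to learn what each input means and where it comes from, so the two cannot drift apart. Fields that arrive outside the declared set are rejected rather than silently ignored, because an undocumented input is exactly the kind of error or bias that is “not part of the algorithm itself”.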

Explainable AI: The latest analysis by the EDPS states that modern AI models often work as opaque decision-making engines, truly black boxes reaching conclusions with little transparency or explanation of how a given result is obtained. Explainable AI, or XAI, focuses on developing AI systems that not only provide accurate predictions and decisions but also make the reasoning behind them understandable. Individuals using XAI would be able to understand the reasoning behind an automated decision and to take the appropriate, and informed, course of action. Obtaining clear information about the behaviour of AI also has an impact on the ability of its users, such as data controllers and processors, to evaluate the risks that this tool may pose to individuals’ rights to data protection and privacy.

DSARs: Guernsey’s data protection authority has published new guidance on ‘data subject access requests’, (for data controllers and individuals). One of the most commonly-used rights is the right of access, also sometimes referred to as a ‘subject access request’, or ‘data subject access request’. This is where individuals ask what personal data a controller holds about them and why. An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit or assess performance at work, (except where this information is a trade secret). In short, a DSAR is when an individual asks you:

  • what do you know about me?
  • what do you think about me?
  • what do you think you know about me?
  • what are you doing with all this information? 

Another guidance for individuals who may wish to make a DSAR contains information about how to make one, what you should receive back, and what to do if you’re not happy with what you receive.

CCTV: Another comprehensive guidance from the Guernsey regulator looks at CCTV use by data controllers, (with exceptions for household, journalistic, and artistic activities). It is based on seven principles that require you to do the following:

  • Be clear about how personal information is used, for what purpose and on what legal basis.
  • Use personal information only for specific, explicit and legitimate purposes.
  • Collect no more information than is needed.
  • Make sure personal information is accurate and kept up to date. 
  • Keep information for no longer than necessary. 
  • Keep information secure. 
  • Be responsible and accountable for how personal information is used.

Loyalty programs: What rules should an entrepreneur follow when creating customer loyalty programs? A loyalty program is an additional service and the initial legal basis, which is the performance of the contract, is not applicable. The customer must give their consent to the processing of their personal data for one or more specific purposes. If the entrepreneur includes customer data transfer to other partners as part of the loyalty program, then the customer must not only be informed about it but also their consent must be obtained. 

There should be no direct or indirect pressure on the client. The entrepreneur must also take into account that the customer has the right to withdraw their consent to the processing and demand it cease, along with the deletion of all their personal data that is no longer necessary for the performance of the contract.

Enforcement decisions

Wildcat telemarketing and confiscated databases: The Italian data protection authority confiscated databases, for the first time, at two call centre companies allegedly conducting illegal and unregulated telemarketing activities. The operation was conducted by the finance branch of the Special Privacy Protection and Technological Fraud Unit in collaboration with the military. Four companies were fined between 200,000 and 800,000 euros in the operation. The sanctioned companies, through the acquisition of specific illegally-produced lists, contacted tens of thousands of subjects without their having ever given the necessary consent for the processing of their data for marketing purposes, proposing offers from various energy companies.

Clairvoyance consultations: The French privacy regulator has imposed a 150,000 euro fine against KG COM. It collected data excessively, including sensitive data, without prior and explicit consent, and did not sufficiently ensure data security. KG COM operates several websites offering clairvoyance consultations via an online dialogue interface, (chat), or by telephone. The investigation found that: 

  • it systematically recorded all telephone calls between teleoperators and prospects;
  • it kept health data relating to sexual orientation without obtaining consent; 
  • it kept customers’ banking data beyond the time strictly necessary to carry out the transaction, (while the legal basis for the retention of bank data for anti-fraud purposes is a legitimate interest, this does not apply to retention for subsequent purchases, for which the company should have obtained consent);
  • it systematically recorded all conversations for the purposes of service quality control, proof of contract subscription and potential judicial requisitions;
  • it implemented insufficiently strong passwords for user accounts and failed to secure access to them by using HTTP instead of HTTPS;
  • it also used a mechanism to encrypt banking data that was vulnerable.

Spotify fine: The Swedish privacy authority has reviewed how Spotify handles customers’ right to access their personal data, and sanctioned the company to the tune of around 5 mln euros. Spotify has divided the customers’ personal data into different layers. One layer contains the customer’s contact and payment details, which artists the customer follows and the listening history for a certain period of time. If the customer wants more detailed information, for example, all technical log files relating to the customer, it has also been possible to request these from another layer. 

The regulator believes that although Spotify releases the personal data the company processes when individuals request it, the company does not inform customers clearly enough about how this data is used by the company. Often, the individual receiving sufficient information is a prerequisite for exercising other rights; for example, the right to have incorrect information corrected or removed.

Audits

College group: The UK Information Commissioner’s Office has conducted a consensual audit of the Chichester College Group concerning its data protection measures. Various areas requiring improvement were found, as the college group does not have a complete and fully documented information governance, (IG), policy and framework:

  • the flow of information between the senior management team, the data protection office, the audit and risk committee and other key IG committees and groups has not been finalised,
  • a process that ensures information risks are fully documented and managed throughout the organisation needs to be implemented,
  • there is no ongoing compliance monitoring of staff who are involved in the processing of personal information,
  • the group must ensure that an appropriate written contract is in place with each of its data processors,
  • a central record of data processor contracts and a data processor procurement, due diligence and compliance process need to be finalised.

Data security

Mobile applications: Users of mobile applications, before installing or starting to use mobile applications, should familiarize themselves with the privacy notices and rules of use of such applications, as well as carefully evaluate the requested collection of personal data or the permissions granted, states the Lithuanian data protection authority. The mentioned information must be available, (on the website that offers the app and on the app itself), to the user even before entering their personal data, granting permissions or creating accounts. Before using mobile applications, it is important to assess what goals are being pursued. For example, when using applications for direct communication, it is possible to restrict access to photos, and the device’s camera.

It is important to note that access to mobile applications may be restricted during application installation or at any other time chosen by the user. For example, restricting access to location data is also relevant if the location functionality is not needed by the user at that time. Similarly, it is advisable not to grant permission to the contacts saved on the user’s mobile device for social networking, dating, and messaging mobile applications, but to add specific persons selected by the user to such an application separately.

2FA: The Office of the Privacy Commissioner in New Zealand recommended all firms use two-factor authentication to secure the information they store. Any firm should exercise caution by implementing 2FA wherever applicable, as this would be a particularly valuable mitigating argument when defending against regulatory fines and other legal ramifications that may result from a data breach. In this scenario, what is appropriate is determined by the organization’s size as well as the scope and sensitivity of the personal information it has.

Big Tech

MOVEit cyberattack: According to the Guardian, British Airways, Boots, the BBC, Ofcom, Transport for London and others are probing the potential theft of personal information from employees following a cyber-attack. It targeted MOVEit software used by Zellis, a payroll provider. Zellis stated that a “small” number of its clients were affected by a vulnerability in the company’s file transfer technology. Microsoft’s threat intelligence team blamed the MOVEit assaults on a group known as Lace Tempest. Names, surnames, employee numbers, dates of birth, email addresses, first lines of home addresses, and national insurance numbers might have been among the information compromised in the hack.

Airdrop and Bluetooth restrictions in China: Meanwhile, China is developing new guidelines to govern file-sharing systems such as Airdrop and Bluetooth. Service providers would be required to prevent the spread of harmful and unlawful material, maintain records, and report their discoveries. The Chinese Cyberspace Administration has produced draft regulations on “close-range mesh network services” and initiated a month-long public consultation. When conducting inspections, service providers would also be required to offer data and technical support to the authorities, including internet regulators and police. Users must also register their true names. Furthermore, features and technologies that have the potential to mobilise public opinion must be subjected to a security evaluation before they may be implemented.

The post Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing appeared first on TechGDPR.

Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ https://techgdpr.com/blog/data-protection-digest-02062023-amassing-data-for-machine-learning-is-no-excuse-for-breaking-the-law/ Fri, 02 Jun 2023 08:30:20 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

‘Machine learning is no excuse to break the law’: The US Federal Trade Commission alleged that Amazon, (Alexa voice assistant), kept kids’ data indefinitely to further refine its voice recognition algorithm. If approved by the federal court, on top of a multimillion fine, Amazon will have to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. Reportedly, Amazon is not alone in seeking to amass data to refine its machine-learning models. 

Similarly, the FTC proposed enforcement against Amazon’s subsidiary, Ring. The allegations say the company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

China SCCs: On 1 June, China’s new Standard Contractual Clauses for the cross-border transfer of personal data went into force. Entities using the SCCs must meet two requirements: a) a data transfer impact assessment must be performed by the data exporter, and b) the data exporter must sign SCC-compliant agreements with overseas recipients of the data. The Chinese SCCs do not distinguish between an exporter or receiver being a controller or a processor, in contrast to the EU SCCs. As an alternative to SCCs, organisations may also be required to undergo a security check by the Cyberspace regulator or certification by recognised institutions. Read more analysis by connectontech.com. 

Montana’s new privacy law and TikTok ban: Montana became the first US state to ban the use of TikTok and prohibit mobile application stores from offering the Chinese app within the state by next year. The ban covers state networks, but also third-party firms conducting business for or on behalf of the state from using applications with ties to foreign adversaries. The state would fine any entity, (an app store or TikTok), 10,000 dollars per day for each time someone “offers the ability” to access the platform or download the app. How these prohibitions will be implemented, though, is still unclear. 

Montana’s Governor also signed a new Consumer Data Privacy Act, joining California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia, which already enacted comprehensive consumer privacy laws. The law is scheduled to take effect in October 2024.

Health care data: The US Federal Trade Commission is modernising the Health Breach Notification Rule, clarifying the rule’s applicability to health apps and similar technologies, many of which aren’t covered by HIPAA. Changes will be made to the terms “identifiable health information,” “breach of security,” “health care provider,” and “health care services or supplies,” as well as the information that must be included in the consumer notice, and more. In parallel, to bridge the gap between HIPAA safeguards and health data that is obtained outside of conventional medical settings, Washington enhanced the protection for customers’ identifiable health information by passing the “My Health My Data Act”.

Official guidance

Generative AI: The US Congressional Research Service published a paper on Generative AI and Data Privacy. Recently the term “general-purpose models”, (GPAI), was created by academics and policymakers to refer to software programs like ChatGPT that can do a variety of tasks. Large language models, (LLMs), which have the ability to detect, predict, translate, summarize, and produce language, are the foundation for many general-purpose AI applications. Duolingo, Snapchat, and other companies have partnered with OpenAI to deploy ChatGPT in their services. However, individuals may not know their data was used to train models that are monetized and deployed across such applications. 

SAR guidance: The UK Information Commissioner’s Office has published new guidance for businesses and employers on responding to Subject Access Requests. Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records. This includes where you got their information from, what you’re using it for and who you are sharing it with. 

Organisations must respond to a SAR from a worker without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests. At the same time, the UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. 

Right to object and right to erasure: The EDPB summarises the right to object in connection to the right to be forgotten in complaints from data subjects. Requests to stop processing personal data for marketing purposes and to delete already gathered data are frequently linked. Most of the cases show deficiencies in the internal procedure adopted to deal with such requests, including the accuracy of the procedure and internal communication, the timeframe for processing requests, and the accountability of the system for receiving/tracking complaints.

Workforce monitoring: Employers tend to control employees’ work performance, to keep track of the duration and frequency of the employee’s work, but also of their location and other indicators. As a basic setting, the systematic monitoring of employees using automated means, (cameras, apps), is considered a non-standard solution, states the Latvian data protection authority. It can only be used for short-term employee monitoring, and only if less privacy-intrusive means will not achieve the goal. Such processing must be clearly agreed upon in advance and must be understandable to both parties. Otherwise, this can undermine mutual trust with the employee, and even may contribute to a decline in the quality of work.

Enforcement decisions

Meta/Facebook enforcement: The largest GDPR fine to date, of 1.2 bln euros, has been issued by the Irish data protection authority on Meta Ireland. Following the “Schrems II” ruling, Meta effected data transfers to the US on the basis of the Standard Contractual Clauses in conjunction with additional measures. But these did not prevent fundamental risks to data subjects in view of US state surveillance practices.

Meta now must return already transferred personal data and stop other illegal processing within the next few months. The decision may have similar effects for any digital service provider subject to US surveillance laws and relying on EU Standard Contractual Clauses until the problems have been resolved by the adoption of the upcoming EU-US Data Privacy Framework by the Commission.

Charity organisation: The ICO completed an audit of Age UK Wiltshire, (charitable and voluntary sector). AUKW requested an audit in January and submitted an audit questionnaire detailing their data protection compliance concerns. After the investigation, the main areas for improvement were identified: 

  • Review and update existing data protection policies and create new policies covering records management, data sharing, DPIA, and information security. 
  • Ensure that data protection training is mandatory for all staff, including annual refreshers and specialised seminars. 
  • Complete an information audit to help the organisation have an understanding of all of the information that is held and its flows. 
  • Create an Information Asset Register, (IAR), to record the information assets identified by the information audit and ensure that the IAR is periodically reviewed.
  • Review and update the current subject access requests, (SARs), procedure and policy, including the completion of identity checks, and ensure they are communicated to staff.
  • Create and maintain a SARs log as a documented record of all completed and ongoing SARs. 

Video surveillance: The Italian privacy regulator ‘Garante’ imposed a 50,000 euro fine on a clothing company, (with over 160 stores), for having installed video surveillance systems in various company outlets. The company had justified the need to defend against theft and to ensure the safety of employees and corporate assets, and prevent unauthorized access. The investigation showed that all the shops were equipped with at least 3 video cameras, active 24 hours a day, 7 days a week, in the areas reserved for workers and suppliers. In larger outlets, it was up to 27. The fine was issued, taking into account the significant number of employees involved, (over 500), and points of sale, as well as the absence, (or violation), of authorization or agreement with the trade union representatives.

Tax data: The Belgian data protection authority decided to prohibit the transfers of data of Belgian “Accidental Americans” by the Belgian Federal Public Finance Service to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian data protection regulator, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. The regulator also orders the public service to inform in a complete and accessible manner the data subjects of the data processing carried out as part of the FATCA agreement and of its modalities. It also asks to carry out a DPIA.

Automated rejection of credit card application: Berlin’s supervisory authority imposed a 300,000 euro fine against a bank after a lack of transparency over the automated rejection of credit card applications, according to the EDPB summary. A Berlin-based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant’s income, occupation and personal details. Based on the information requested and additional data from external sources, the bank’s algorithm rejected the application without any particular justification. Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed poor creditworthiness in his case. 

Biometric ID checks: Mobile World Congress’s organizer received a 200,000 euro fine in Spain for doing inadequate biometric ID checks at the 2021 venue. For the “in-person” option, the organizer requested a complainant to upload passport details, including photographs that were transferred to a service provider in a third country for facial recognition security purposes. However, the legal basis for it varied from consent to legal obligation in different notices. Plus, neither the privacy policies nor the email communications provided clear information on data transfers to a third country. Additionally, the organiser’s DPIA failed to assess risks or the proportionality and necessity of the system implemented, (called BREEZZ).

Doctissimo fine: Following a complaint by the Privacy International association, the French privacy regulator fined the doctissimo.fr website 380,000 euros. It mainly offers articles, tests, quizzes and discussions related to health and well-being for the general public. The regulator noted infringements concerning the duration of data retention, the collection of health data via online tests, the security of data as well as the ways cookies were deposited on users’ terminals. Additionally, the company processes personal data with other entities, in particular for the marketing of advertising spaces on the website. These relationships of joint responsibility were not framed by any contract.

Google Analytics: The Finnish data protection commissioner has issued a notice to the meteorological institute about the transfer of personal data to the US via website tracking technologies. The institute had not defined or applied the legal basis for the transfer of data in the use of reCAPTCHA and Google Analytics services. Nor had it suspended data transfers without delay after the CJEU’s “Schrems II” decision, even though it no longer had a valid basis. The institute has taken steps to remove the tools and services from its website. The order also includes the deletion of data that had been transferred illegally to the US. 

Data security

Mobile device management: Mobile devices make it easier for employees to complete their job from home, at the workplace, or while on the road. In order to reduce an organisation’s risk profile, it is critical to manage security and device health. The US NIST explains the benefits of Mobile Device Management when an employee’s personal or corporate-owned device can be enrolled into an MDM solution to apply enterprise configurations, manage enterprise applications, and enforce compliance. To learn more about how to use standards-based, commercially available products to meet security and privacy needs, you can download the latest guidance by NIST here and here.

De-identification: The Government of Canada publishes instructions on de‑identification as a privacy‑preserving technique. Although the pseudonymisation of data is a step toward anonymisation, it still permits re-identification. The acceptable risk level must be determined based on the context. It is always preferable that privacy experts work together with data specialists. For instance, there are activities that increase the risk of re‑identification, such as integrating datasets or data matching, so it is important to continually assess privacy and re‑identification risks, even after applying privacy safeguards.
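The two points the guidance makes, that pseudonymisation still permits re-identification and that data matching raises the risk, can be made concrete with a small, constructed dataset. The code below is an added illustration and is not from the Government of Canada publication: it replaces names with a keyed-hash pseudonym, measures the k-anonymity of the quasi-identifiers that survive pseudonymisation, shows how a second constructed register can be matched back onto the pseudonymised table, and then re-measures after generalising the quasi-identifiers. The records, the register and the key are all made up for the example.

```python
"""Pseudonymisation versus re-identification risk: a constructed example.

A patient table is pseudonymised with HMAC-SHA256, then linked back to a
second (constructed) dataset through the quasi-identifiers that survive
pseudonymisation. k-anonymity is measured before and after generalising
those fields, which is the kind of re-assessment the guidance asks for.
"""
import hashlib
import hmac
from collections import Counter

PSEUDONYM_KEY = b"constructed-example-key"   # placeholder; real keys belong in a secrets store

# Constructed records: one direct identifier (name) plus quasi-identifiers.
PATIENTS = [
    {"name": "A. Smith", "postcode": "SW1A 1AA", "birth_year": 1980, "sex": "F", "dx": "diabetes"},
    {"name": "B. Jones", "postcode": "SW1A 1AB", "birth_year": 1981, "sex": "M", "dx": "asthma"},
    {"name": "C. Brown", "postcode": "SW1A 1AA", "birth_year": 1980, "sex": "F", "dx": "hypertension"},
    {"name": "D. Green", "postcode": "SW1A 2AA", "birth_year": 1983, "sex": "M", "dx": "flu"},
]

# A constructed second dataset that happens to share the quasi-identifiers.
PUBLIC_REGISTER = [
    {"name": "B. Jones", "postcode": "SW1A 1AB", "birth_year": 1981, "sex": "M"},
    {"name": "D. Green", "postcode": "SW1A 2AA", "birth_year": 1983, "sex": "M"},
]

QUASI = ("postcode", "birth_year", "sex")


def pseudonymise(records, key=PSEUDONYM_KEY):
    """Replace the name with a keyed pseudonym; every other field is left as it was."""
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"pid": token, **{k: v for k, v in r.items() if k != "name"}})
    return out


def _qi_key(record, quasi=QUASI):
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI):
    """Smallest equivalence class over the quasi-identifier columns (k=1 means someone is unique)."""
    classes = Counter(_qi_key(r, quasi) for r in records)
    return min(classes.values())


def link(pseudonymised, register, quasi=QUASI):
    """Data matching: recover names for pseudonyms whose quasi-identifiers match the register uniquely."""
    by_key = {}
    for r in register:
        by_key.setdefault(_qi_key(r, quasi), []).append(r["name"])
    found = {}
    for r in pseudonymised:
        names = by_key.get(_qi_key(r, quasi), [])
        if len(names) == 1:
            found[r["pid"]] = names[0]
    return found


def generalise(records):
    """Coarsen the quasi-identifiers: outward postcode only, ten-year birth band."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"].split()[0]
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out


if __name__ == "__main__":
    pseud = pseudonymise(PATIENTS)
    print("names removed, k =", k_anonymity(pseud))
    print("re-identified via register:", link(pseud, PUBLIC_REGISTER))
    coarse = generalise(pseud)
    print("after generalisation, k =", k_anonymity(coarse))
    print("re-identified after generalisation:", link(coarse, generalise(PUBLIC_REGISTER)))
```

The keyed hash does its job (no name survives in the output), yet two of the four pseudonymised rows are tied back to a person as soon as a second table with the same postcode, birth year and sex is at hand, because those columns were never touched. Generalising them raises k from 1 to 2 and the unique matches disappear; whether k = 2 is an acceptable residual risk is the context-dependent judgement the guidance leaves to privacy experts and data specialists together, and it has to be re-evaluated every time another dataset is integrated.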

Big Tech

NHS data sharing: According to the Guardian, NHS trusts are sharing sensitive data about patients’ health conditions, medical appointments, and treatments with Facebook without their knowledge and despite promises to never do so. An Observer investigation revealed a monitoring feature, (Meta Pixel), on the websites of 20 NHS trusts that has been collecting medical and patients’ browsing data for years and sharing it with the tech giant. The information contains specific details such as sites viewed, buttons pressed, and keywords searched, matched to the user’s IP address. This included patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.

Microsoft cookies: Microsoft Ireland revised its cookie policy for the Bing search engine in France after it received a reprimand from the country’s data protection agency CNIL for privacy violations, govinfosecurity.com reports. In December the CNIL fined the company 60 million euros for a deceptive cookie policy that it claimed made it impossible for Bing users to stop data collection. CNIL gave Microsoft three months to comply with its cookie policy or risk further penalties of 60,000 euros per day. In particular, Microsoft needed to obtain French Bing users’ consent to enable cookies used to combat advertising fraud.

The Privacy Sandbox: Google announced the next stages of Privacy Sandbox – General availability and supporting scaled testing. In Q1 of 2024, it plans to deprecate third-party cookies for one per cent of Chrome users. This will support developers in conducting real-world experiments that assess the readiness and effectiveness of their products without third-party cookies. This will follow the introduction in Q4 of 2023 of the ability for developers to simulate Chrome third-party cookie deprecation for a configurable percentage of their users. 

Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU https://techgdpr.com/blog/data-protection-digest-18042023-us-data-transfers-and-ai-tools-occupy-eu/ Tue, 18 Apr 2023 09:29:34 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

US data transfers: A full parliamentary vote on the upcoming EU-US Data Privacy Framework is planned in the coming weeks. So far, a resolution adopted by Civil Liberties Committee MEPs argues that the European Commission should not grant the US an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the two. However, this resolution will not be binding on the European Commission.

MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide for clear rules on data retention. The transparency and independence of the new redress mechanism for EU data subjects are also under question. Finally, the US Intelligence Community is still updating its practices based on the framework, so an assessment of its impact on the ground is not yet possible, say MEPs.

CCPA/CPRA: The updated CCPA regulations were approved by the California state and come into effect in three months’ time. These revisions reflect the CCPA’s amendment by the California Privacy Rights Act of 2020, which added new business obligations addressing: consumer rights regarding the sharing, sale, and restriction of sensitive personal data, information notice, user-enabled privacy controls, opt-out options, contractor and third-party contract requirements, and more.

Employees’ data: In its recent judgement the CJEU ruled on important aspects of data processing in the employment context, interpreting Art. 88 of the GDPR. The preliminary ruling concerns the lawfulness of a system for the live streaming of classes by videoconference introduced in state schools in Hessen, (Germany), without the prior consent of the teachers. Art. 88 of the GDPR enables the national legislator to enact “more specific regulations” in employee data protection. However, they should not be general clauses that simply repeat the GDPR’s provisions.

Instead, they should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing. For organisations and employers this means that in the absence of valid national provisions GDPR rules must be complied with, including the balancing tests for the appropriate legal basis for employee data processing, (employment contract, legitimate interest or consent). 

In response to the decision, the Hamburg data protection commissioner also stated that Section 23 of the Hessian data protection act does not constitute a ‘more specific rule’, and that the moment had arrived for a new federal employment data protection act. 

Automated employment tools: Meanwhile, on the other side of the Atlantic, the New York City Department of Consumer and Workforce Protection promulgated its final regulations on the Automated Employment Decision Tools Law (AEDTL). Once enforced, it will restrict employers’ ability to use machine learning, statistical modelling, data analytics or AI tools in hiring and promotion decisions within New York City. Employers who use automated employment decision tools must also disclose it to candidates before the tool is used, as well as systematically undergo and disclose independent “bias audits”. Read the full analysis here.

EDPB guidance

A set of updated guidance and studies, along with the annual 2022 report, was published by the EDPB.

National administrative rules: The EDPB conducted a study on national administrative rules applicable when the national supervisory authorities carry out their duties under the One-Stop-Shop, (OSS), procedure. For instance, the requirements for the admissibility of complaints from individuals vary considerably from one country to another. Furthermore, the possibility to reach an amicable settlement between controllers or processors and complainants does not exist in all countries, and there is no clear indication of differing regulations’ impact on the OSS procedure. Finally, there is no convergence regarding the prior notification of forthcoming investigations or exercise of corrective powers. Read more challenges and possible solutions in the original publication.

Entities outside the EEA: Another study by the EDPB looks at the enforcement of GDPR obligations against entities established outside the EEA, (California, the UK and China). It aimed to analyse the possibilities available to enforce supervisory authorities’ investigative and corrective powers against third-country controllers/processors that fall under the scope of the GDPR but are not willing to cooperate with regulators and did not designate an EEA representative. This included the possibility to summon third-country controllers/processors to appear before the SA’s office, or in the SA’s national courts or tribunals, choice of jurisdiction and additional restrictive measures. 

Right of access: The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights and Art. 15 of the GDPR, says the EDPB’s latest guidance. The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier – but is not a condition – for the individual to exercise other rights such as the right to erasure or rectification. 

Personal data breach notification: The EDPB considers that complying with the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Breach notification should be seen as a tool for enhancing compliance. At the same time, failure to report a breach to either an individual or a supervisory authority may mean a possible sanction applicable to the controller. Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach.

Lead supervisory authority: The EDPB has noticed that there was a need for further clarifications, specifically regarding the notion of main establishment in the context of joint controllership and taking into account the concepts of controller and processor in the GDPR. Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity in terms of which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR. 

The most complex situations are when it is difficult to identify the main establishment or to determine where decisions about data processing are taken. This might be the case where there is cross-border processing activity and the controller is established in several Member States, but there is no central administration, or none of the EEA establishments is taking decisions about the processing.

Other official guidance

Generative AI risks: The UK privacy regulator, the ICO, poses eight questions about generative AI that developers and users need to answer. The EU legal backlash on ChatGPT is just the beginning of the journey, states the analysis, and organisations developing or using generative AI should be considering their data protection obligations from the outset, taking a data protection by design and by default approach. This isn’t optional – if you’re processing personal data, it’s the law, (data protection law still applies when the personal information that you’re processing comes from publicly accessible sources):

  • Are you a controller, joint controller or processor? 
  • What is your lawful basis for processing personal data? 
  • How will you comply with individual rights requests? 
  • How will you limit unnecessary processing? 
  • How will you mitigate security risks? 
  • Have you prepared a Data Protection Impact Assessment? 
  • Will you use generative AI to make solely automated decisions? 
  • How will you ensure transparency? 

To know more, here’s the ICO publication.

AI-assisted employment: Meanwhile the Spanish data protection authority AEPD explains how to apply AI tools for employment activities. In essence, the data controller decides when designing the programme whether or not to include an additional operation of human supervision on the results produced by the AI system. AI systems form part of the nature of the processing when they have been included in any of the operations necessary for this explicit purpose. This may include AI systems implemented locally or in the cloud, mobile systems, outsourced data processors, etc. Therefore, the fact that decision-making is automated is not a feature of the AI system itself.

For example, the procedure to guide candidates to complete an application form where they would include their CVs could be implemented using a chatbot. In addition, the number of applications, and therefore the number of CVs, could be so large that the manager could decide to use an AI system for the automatic selection of the most interesting CVs, according to certain criteria that the manager should also establish. The manager could go further and implement the evaluation of the candidates through another AI system that performs and evaluates the tests for the previously selected candidates. 

Sports industry: A large amount of personal data, including special categories, is generated in digitised sports, states the German federal data commissioner. If these are not so comprehensively anonymised that it is impossible to trace them back to individual athletes, data protection rules on purpose limitation, storage limitation, lawfulness, data minimisation, transparency, and data security apply. This extends to all bodies and organisations that process athletes’ personal data – coaches, associations, doping agencies, sports facility operators, scientific institutes, doctors, laboratories, consultants, agents, and sometimes also sponsors, betting shops or even manufacturers of hardware and software.

Investigations and enforcement decisions

Data breach statistics: The Guernsey data protection agency ODPA published the latest personal data breach statistics: Nearly 10 million people were reported to be affected by 38 personal data breaches from January to March. Reportedly, the majority of those were customers of a UK-based company which was the victim of a large cyber-attack. Although the company is not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers are based. Additionally, the most striking examples of personal data breaches involved:

  • people using personal email accounts to send work-related information, (email providers are outside the control of the organisation meaning usual security policies do not apply and the organisation does not know what its data is being used for),
  • accounts or devices shared by couples, (the boundaries of your personal life and your job intersect in a way that is not helpful for you or your workplace, which means information could fall into the wrong hands).

Failed data subjects’ right of access: Following a complaint, the Spanish AEPD fined Banco Bilbao Vizcaya Argentaria, or BBVA, 84,000 euros, according to Data Guidance. Despite ceasing to be a client of BBVA in 2012, the complainant discovered in 2021 that there were two debts registered in their name in the Bank of Spain’s Risk Information Center. Regarding the use of the right of access, the AEPD explained that BBVA had asked the complainant for additional details in order to recover the recordings, which constituted an unfair burden on the data subject for the fulfilment of their request.

In another recent enforcement decision by the AEPD, the claimant requested access to the images from the video surveillance system located at a commercial centre. Unable to find a way to make a request in person, the claimant submitted one via electronic means of communication, (using the company’s marketing email address). This email address is not related to the processing of personal data nor was the means of contact enabled for the exercise of any rights. However, the company responded only to state that such access was not possible, except when there is a prior complaint, or when requested by the police or authorised personnel. The regulator found that the right of access of the complainant to their personal data was not respected, as established in Art. 15 of the GDPR.

Data security

Established cooperation: A long-term relationship between a controller and a processing entity does not guarantee data security, states the Polish privacy regulator UODO. In the related case, the verification of the competence of the processor was not formalized, because it consisted of conducting an interview, and the services provided by the entity, (a file depositary service), did not raise objections from the controller. The explanations of both the controller and the processor indicated that these entities only applied the controller’s internal regulations, (the Personal Data Protection Policy). The lack of any risk analysis resulted in the selection of inadequate measures.

The mere signing of a contract for entrusting the processing of personal data without proper assessment of the processing entity cannot be considered as fulfilment of the data security obligation. The determinant for such an assessment cannot be only long-term cooperation and the use of the services of a given processor. In the opinion of UODO, positively assessed cooperation may only be a starting point when verifying whether the processing entity provides sufficient guarantees for the implementation of appropriate technical and organisational measures. 

Certifying employees’ qualifications: The Hungarian data protection agency NAIH publishes detailed recommendations on how to handle documents certifying employees’ qualifications according to the data protection requirements. The employer may require the employee to present a document in its legitimate interest. The employer can also keep their own, internal records of the education of each employee, the date and the method of proof of education. However, “objective evidence”, (as defined in ISO 9000:2015 Quality management systems), needs to be supported by documented information.

A copy of a document certifying education or training does not have the power to prove that it is an authentic copy of a valid public document, so it is not suitable for establishing the authenticity of the data contained therein, and it may include additional unnecessary personal information.

Instead, the organisation may prepare a note or protocol stating that the given employee presented the original documents certifying their education, the relevant data of which is now recorded by the organisation, (eg, serial number of the document, date of qualification).

Tracking pixels: The Norwegian data protection authority encourages businesses to review their websites for tracking pixels or other tracking technologies. Recent media reports revealed that a large number of European online pharmacies have shared customers’ personal data through tracking technologies. For website users this is potentially a major privacy risk, while for the websites it poses a significant legal and reputational risk. The regulator now encourages all Norwegian websites to review for tracking pixels and other tracking technologies. Unless the business has assessed the tools, has an overview of the data flow and is confident that their use is in line with privacy rules, the trackers should simply be removed.

Cyber risks management: The German Federal Office for Information Security updated its manual on ‘Management of Cyber Risks’. It is dedicated to a comprehensive corporate culture that takes cyber security into account at all times, aiming to increase the resilience of companies. As cyber security starts with senior management, IT managers need the necessary support and the right understanding on the part of company management. The guide formulates six basic principles that support management and supervisory boards when considering cyber risks:

  • Understanding cyber security as a component of company-wide risk management.
  • Understanding and closely examining the legal implications of cyber risks.
  • Ensuring access to cyber security expertise and regular exchange.
  • Implementing suitable frameworks and resources for cyber risk management.
  • Preparing risk analysis based on business risk appetite, goals and strategies.
  • Encouraging company-wide collaboration and sharing of best practices.

Big Tech

Meta binding decision: The EDPB adopted a dispute resolution concerning a draft decision of the Irish data protection authority DPC on the legality of data transfers to the US by Meta Ireland for its Facebook service. The decision will be announced soon and may constitute an order on blocking Facebook’s transatlantic data flows. The Irish regulator shall adopt its final decision, addressed to Meta Ireland, on the basis of the EDPB binding decision and taking into account the EDPB’s legal assessment, at the latest one month after the EDPB publishes its decision. 

In January this year the DPC, also instructed by the EDPB, ordered Meta to pay a hefty fine for making users accept targeted ads and directed it to bring its processing operations into compliance with the GDPR within a period of 3 months. The EDPB also directed the DPC to conduct a fresh investigation of all of Facebook and Instagram’s data processing operations, which would examine special categories of personal data that may or may not be processed. However, the DPC stated that the EDPB is not entitled to instruct and direct a national authority to engage in a new “open-ended and speculative” investigation.

TikTok privacy fine: Finally, the UK fined TikTok 12.7 million pounds for misusing children’s data. More than one million British children under 13 were estimated to be on TikTok in 2020, contrary to its terms of service. As a result, personal data belonging to children was used without parental consent. TikTok “did not do enough” to check who was using their platform and take sufficient action to remove the underage children. Since the conclusion of the investigation of TikTok, the ICO has published a statutory Children’s Code to help online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children.

The post Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU appeared first on TechGDPR.

Data protection & privacy digest 18 Feb – 3 Mar 2023: practical application of the EU-US Data Privacy Framework remains a concern https://techgdpr.com/blog/data-protection-digest-06032023-practical-application-of-the-eu-us-data-privacy-framework-remains-a-concern/ Mon, 06 Mar 2023 10:24:41 +0000 https://s8.tgin.eu/?p=6428

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US data privacy framework, China’s outbound data rules, international transfer risk assessment, Australian small business to adopt data protection

The EDPB sees improvements under the EU-US Data Privacy Framework, but many more concerns remain. The improvements include the introduction of requirements embodying the principles of necessity and proportionality for US intelligence data gathering and the new redress mechanism for EU data subjects. However further clarifications are needed for:

  • rights of data subjects,
  • rules on automated decision-making and profiling,
  • onward transfers, (eg, to sub-processors in the US), 
  • the scope of exemptions, 
  •  the practical functioning of the redress mechanism,
  • temporary bulk collection, retention, and dissemination of data by the government, (targeted surveillance of foreign persons located outside the US under Section 702 FISA and Executive Order 12333).

Finally, the EDPB recognises the role of special advocates and the supervision of the redress mechanism by the Privacy and Civil Liberties Oversight Board. In addition, it is troubled by the general application of the Data Protection Review Court’s standard reply informing the complainant that either no covered violations were found or a determination requiring appropriate remediation was made, especially given that this decision cannot be appealed.

The German Data Protection Conference also assesses the risks of third-country authorities’ access to personal data processed in the EU/EEA. The mere possibility that a foreign public authority or parent company of a European subsidiary can demand the transfer of data does not constitute a data transfer in itself. However, if a processor does proceed with a data transfer under third-country laws or corporate law instructions, it needs to provide sufficient guarantees, through transfer impact assessments or suitable technical and organisational measures, to ensure GDPR compliance.

Meanwhile, the Cyberspace Administration of China, (CAC), started the approval of outbound data transfers. All international data transfers from now on must follow one of three procedures in order to be legal: mandatory security assessment measures for significant data transfers, and state-approved standard contractual clauses or certification for less significant data sets. Typically, companies need to prepare a 180-page document mapping out the data flow and then justify to the local and national authorities why certain data must leave China. For less-significant cross-border transfers, newly released standard contractual clauses do not require approval; however, the CAC has the right to intervene at any moment.

In Australia, small businesses with a 3 million dollar or less annual revenue may soon be required to abide by the Privacy Act, even though they are not currently required to protect user personal information or disclose how it is used. The 20-year-old exemption was introduced prior to businesses’ take-up of online platforms. Now experts say they are no longer a low risk for cybercriminals. Small business associations claim data security obligations will result in severe damages for the whole sector. The Australian government has not yet announced which changes it will adopt. Basically, companies would need to have a privacy policy, assure adequate data security measures, and delete data or de-identify it when no longer required.

Official guidance: international transfers definition, privacy by design and default for developers, deceptive design patterns, ROPAs, video surveillance

The EDPB updated guidelines on the concept of international transfers. A clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples were added to clarify aspects of “direct collection” from individuals in the EU, as well as the meaning of “the data importer in a third country”, with further examples and illustrations. Processing of personal data outside the EU often involves increased risks, for example, because foreign authorities can gain access to the data. This needs to be identified and handled in order for the processing to be permitted according to the GDPR.

The Catalan data protection authority issued guidance on Privacy by design and by default for developers. The regulations governing data protection by design and default do not specify which particular technical and organisational measures must be put in place, says the document. The controller, as well as the developers of the technological solutions, must conduct a prior analysis before determining the necessary measures. Determining the nature, scope, context, and purposes of the processing is the controller’s responsibility. The risks associated with each available technology must be taken into account when choosing a specific technological solution. Collaboration with developers is crucial at this point. 

Overloading, Skipping, Stirring, Obstructing, Fickle, Left in the Dark – These are terms used to describe the main tactics employed in deceptive design patterns, and the EDPB has issued an update on how they apply to social media interfaces, and the best practices to recognise and avoid them. The guide offers assistance in design thinking processes for designers, but also alerts users of social media platforms, with numerous examples and illustrations.

The importance of records of data processing activities, (ROPAs), needs underlining, says the Latvian data protection agency. A ROPA is not a document that can be developed, put on the shelf, and forgotten about, explains the regulator. The organisation can assign one or more responsible persons to maintain the register, (either in electronic, Excel, or paper format). The responsible person can also be a data protection officer, whose duties include the creation and maintenance of the document. The organisation can include not only the mandatory amount of information for each data processing activity but also supplement the records with supportive documentation, for example, impact assessment reports.

Video surveillance is a strong invasion of privacy because it profoundly affects people’s thinking and actions, states the Estonian data protection agency. The smaller the area of surveillance, the better. The shorter you keep data, the better. Recordings may not be used for purposes other than the original objective, (with rare exceptions). Finally, visual warning signs should be always complemented with more detailed privacy notices on demand. 

Investigations and enforcement actions: security patches and ransomware, non-existent debts and data deletion, conditions for cookie walls, Tesla security camera improvements

The Irish data protection authority fined Centric Health 460,000 euros for a data breach caused by a ransomware attack in 2019. The attack, which restricted access to patient data, hit 11 Primacare GP practices integrated into Centric Health’s IT system. The attack affected the data of 70,000 patients. Of those, 2,500 had their data deleted with no backup available during attempts to mitigate the attack, the Irish Times reports. The investigation into Centric Health discovered ‘Calum’ ransomware on the system, which encrypts data and asks for payment to decrypt it. Back-ups of the system were also affected by the ransomware.

A forensic expert, hired by Centric, did not find any evidence of data exfiltration: “No evidence of archive files consistent with the attacker compressing large amounts of data for exfiltration was found on any of the systems, but this does not definitively rule it out”. However the regulator’s investigation identified that a large number of patches were released by Microsoft in 2018 that should have been applied to the Windows Operating System by Centric. It demonstrated a serious lapse on the part of Centric and an inability to identify all software operating on its system at the time of the breach.

The Danish data protection authority examined the use of cookie walls in two different cases. Where the user can access the content of a website or service in exchange for the processing of their data, or by paying, the requirements of data protection rules for valid consent are met, concluded the regulator. The exception is when the service offered in exchange for consent is different from that offered for payment, and when users are not really presented with a free choice.

The Dutch privacy authority decided against a fine after Tesla made security camera settings more privacy-friendly. Tesla used ‘Sentry Mode’ to help owners protect themselves against theft or vandalism by filming everyone nearby. Now the cameras respond only if the vehicle is touched; they do not automatically begin filming, but the owner receives an alert on their phone; the headlights flash to indicate to passersby that filming has begun; recordings are saved in the car and not shared with Tesla, and are limited to no more than 10 minutes of footage.

Finally, the Croatian data protection agency fined a telecommunication company for failure to maintain up-to-date and accurate data. The complainant stated that their personal data was processed by the company, despite not having been its client for more than ten years. The complainant found out about this from a security incident notification she received from the telecommunication company, which customer service then confirmed. After the complainant’s inquiry, the company found that it was still processing their personal data, because the data controller had, for unknown reasons, linked a non-existent debt to the complainant, which is why the computer system did not allow the deletion of the data until the non-existent debt was cancelled manually.

Data security: danger of low-tech hacks, UK’s new certification scheme, genomic data

The UK Information Commissioner’s Office has approved the new set of UK GDPR certification scheme criteria. The scheme is aimed at training and qualification for service providers and will enable their candidates to make informed choices when applying for training programs, having confidence that their personal data will be processed in accordance with the UK’s GDPR. This scheme follows three others: one offering secure re-use and disposal of IT assets and the other two looking at areas including age assurance and children’s online privacy.

The US cyber security expert Brian Krebs demonstrates how low-tech hacks cause high-impact breaches. Last month web hosting giant GoDaddy revealed a multi-year hack had given hackers access to company source code, login information for clients and employees, and customer websites. The incidents could have stemmed from a small number of GoDaddy employees falling for a sophisticated social engineering scam. Attacks using voice phishing or vishing frequently target workers who are based off-site. The phishers typically pose as members of the employer’s IT department when calling. The objective is to persuade the target to enter their login information at a website that the attackers have set up that looks like the company’s corporate email or VPN portal.

The US National Cybersecurity Center of Excellence has published a draft internal report on the cybersecurity of genomic data. Genomic data is immutable, associative, and conveys important health, phenotype, and personal information about individuals and their past and future. In some cases, small fragments of genomic data stripped of identifiers can be used to re-identify persons, though the vast majority of the genome is shared among individuals. The report proposes a set of solutions that address real-life use cases occurring at various stages of the genomic data lifecycle along with candidate mitigation strategies and the expected benefits of the solutions. Additionally, areas needing regulatory/policy enactment or further research are highlighted. The public comment period is now open through 3 April.

Big Tech: TikTok scrutiny, YouTube child data complaint

TikTok announced that it is creating a tool that will enable parents to prevent their teenagers from viewing certain content, as well as limit the amount of time spent on the app. TikTok, owned by China’s ByteDance, is currently facing an international backlash for illicit content, and data security concerns. The app has been banned from government-owned and work-related devices in the United States, and Canada. The European Commission also banned the app on its corporate devices and personal devices that might be connected to the official mobile network provided by the institutions within their premises. 

Finally, in the UK, a member of child advocacy group 5Rights filed a complaint with the Information Commissioner’s Office, asking Google/YouTube to stop collecting children’s data and potentially making it liable for the maximum penalty of as much as four percent of annual turnover. It is the first such complaint alleging a major tech firm has broken the new Age-Appropriate Design Code, The Guardian reports. Although YouTube officially forbids users under the age of 13 from accessing its main website, the complaint claims the company failed to ensure that younger users were abiding by the rules and only accessing the main platform with parental permission.

Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban https://techgdpr.com/blog/data-protection-digest-20022023-synthetic-data-for-fintech-excel-guide-palantir-technology-ban/ Mon, 20 Feb 2023 09:30:09 +0000 https://s8.tgin.eu/?p=6362

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals

The UK Financial Conduct Authority, (FCA), issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case for synthetic data, in part due to its ability to augment rare patterns of behavior in a dataset. Whilst the data protection legislation places conditions on such data processing, the FCA emphasizes that data sharing between different entities, (eg, access to the real datasets, as well as synthetic transactional datasets with embedded fraud typologies), is possible under the current regulatory framework if at least one lawful basis is met, accompanied by built-in privacy by design, data protection impact assessments, data sharing agreements, and other legal requirements.

The European Parliament adopted the draft Data Act – new rules for fair access and use of industrial data. It would contribute to the development of new services, in particular in the sector of AI where huge amounts of data are needed for algorithm training. It can also lead to better prices for after-sales services and repairs of connected devices. When companies draft their data-sharing contracts, the law will rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies that are in a significantly stronger bargaining position. Finally, the proposed act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers.

The CJEU rendered two decisions regarding the procedures for dismissing data protection officers and their potential conflicts of interest, (under the German Federal Data Protection Law), insideprivacy.com reports. In the relevant cases, the DPO also held other organisational duties in a professional capacity. The data controllers argued that since those positions were incompatible, (chair of the works council in one of the cases), the DPO’s dismissal was appropriate. The former DPO started a legal action which ended up before the EU’s top court.

However, the CJEU determined that as long as the national laws do not undermine the goals set for DPOs under the GDPR, EU member states may require that DPOs be dismissed for “just cause”. It is also for the national courts to decide whether a conflict of interest existed taking into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in light of all the applicable rules, including any policies of the controller or its processor.”

Official guidance: MS Excel, research projects, free data protection tool, game developers

Bavaria’s data protection authority explains how to avoid data breaches when using Microsoft Excel. Users often approach the program intuitively; contrary to its primary purpose, Excel is frequently used simply because a Word table does not offer enough columns. However, if an Excel workbook contains personal data, improper handling of the application can easily trigger a data breach. Excel workbooks can contain multiple worksheets, (the number is limited only by the available memory), even if you do not regularly work with such “multi-sheet” workbooks yourself. Be especially careful with Excel files created by others, as workbooks can contain hidden worksheets, as well as hidden columns, rows or even individual cells, comments, and metadata. It is worth remembering:

  • before sharing an Excel workbook containing personal information, especially before attaching it to an email, make sure that you really want to share everything in it;
  • consider whether the recipient needs to process the file further; otherwise, send a PDF version, which can be checked for hidden data before sending;
  • if possible, consistently delete the worksheets that are no longer required;
  • before creating a new workbook with multiple worksheets, consider whether you can complete the task with several single-sheet workbooks;
  • consider whether you need Excel for the task at all, or whether a “simpler” resource, (eg, a word processing program), will suffice.

If not careful, an Excel data breach can trigger the reporting obligation under Art. 33 of the GDPR, and the notification obligation under Art. 34 of the GDPR.
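As an added example (not part of the Bavarian authority’s guidance or of this digest), the following Python script audits an .xlsx package for the hidden items listed above before the file leaves the organisation. The workbook it scans is constructed in memory; the sheet names, comment text and author values are invented sample data.

```python
"""Audit an .xlsx workbook for hidden content before it is shared.

An .xlsx is a ZIP of XML parts, so only the standard library is needed to spot the
items the guidance warns about: hidden worksheets, hidden rows/columns, comments, metadata.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"


def audit_xlsx(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing hidden was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())

        # 1. Worksheets flagged hidden/veryHidden in the workbook part.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")
                if state != "visible":
                    findings.append(f"worksheet '{sheet.get('name')}' is {state}")

        # 2. Hidden rows and columns inside each worksheet part.
        for name in sorted(names):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            ws = ET.fromstring(zf.read(name))
            for col in ws.iter(f"{{{NS_MAIN}}}col"):
                if col.get("hidden") == "1":
                    findings.append(f"{name}: columns {col.get('min')}-{col.get('max')} hidden")
            hidden_rows = [r.get("r") for r in ws.iter(f"{{{NS_MAIN}}}row") if r.get("hidden") == "1"]
            if hidden_rows:
                findings.append(f"{name}: rows {','.join(hidden_rows)} hidden")

        # 3. Cell comments live in separate parts (xl/comments1.xml, ...).
        for name in sorted(names):
            if name.startswith("xl/comments") and name.endswith(".xml"):
                count = sum(1 for _ in ET.fromstring(zf.read(name)).iter(f"{{{NS_MAIN}}}comment"))
                findings.append(f"{name}: {count} cell comment(s)")

        # 4. Document metadata: author and last-modified-by names.
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag, label in ((f"{{{NS_DC}}}creator", "creator"),
                               (f"{{{NS_CORE}}}lastModifiedBy", "lastModifiedBy")):
                el = core.find(tag)
                if el is not None and el.text:
                    findings.append(f"metadata {label}: {el.text}")
    return findings


def build_sample_workbook() -> bytes:
    """Constructed sample (not a real file) that trips every check above."""
    workbook = f"""<workbook xmlns="{NS_MAIN}"><sheets>
      <sheet name="Summary" sheetId="1"/>
      <sheet name="Salaries" sheetId="2" state="hidden"/>
      <sheet name="HR notes" sheetId="3" state="veryHidden"/>
    </sheets></workbook>"""
    sheet1 = f"""<worksheet xmlns="{NS_MAIN}">
      <cols><col min="4" max="5" hidden="1"/></cols>
      <sheetData><row r="1"/><row r="7" hidden="1"/><row r="8" hidden="1"/></sheetData>
    </worksheet>"""
    comments = f"""<comments xmlns="{NS_MAIN}"><commentList>
      <comment ref="B2"><text><t>sick leave since March</t></text></comment>
    </commentList></comments>"""
    core = f"""<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">
      <dc:creator>j.doe (constructed sample)</dc:creator>
      <cp:lastModifiedBy>hr-admin</cp:lastModifiedBy>
    </cp:coreProperties>"""
    return _zip({"xl/workbook.xml": workbook, "xl/worksheets/sheet1.xml": sheet1,
                 "xl/comments1.xml": comments, "docProps/core.xml": core})


def build_clean_workbook() -> bytes:
    """Constructed control case: one visible sheet, nothing hidden, no metadata part."""
    return _zip({
        "xl/workbook.xml": f'<workbook xmlns="{NS_MAIN}"><sheets><sheet name="Summary" sheetId="1"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1"/></sheetData></worksheet>',
    })


def _zip(parts: dict[str, str]) -> bytes:
    """Pack XML parts into an in-memory ZIP, which is all an .xlsx container is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for line in audit_xlsx(build_sample_workbook()):
        print("FOUND:", line)
```

Run against a real export by passing the file’s bytes to `audit_xlsx`; anything it reports should be removed or justified before the workbook is attached to an email.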

Meanwhile, the Danish data protection authority has amended its rules for deleting personal data at the end of research projects. Data controllers may have a legitimate need to process information for a period after a study ends, (eg, for peer review or to counter accusations of scientific misconduct), so data should not always be deleted, anonymised, destroyed or returned at the end of a research project. Personal data can be transferred for storage in an archive in accordance with archive legislation. In addition, some research areas involve ongoing coverage of a field and the building of relationships or data material over time, where it is not meaningful to talk about a project being “finished”.

The Finnish data protection authority is promoting its open-source data protection tool to increase the data protection expertise of SMEs; the tool is also available in English. With the initial level test, the respondent can first check how well they control the basic issues of the data protection regulation. The role-mapping test helps the respondent to define what role the company plays in regard to the processing of personal data. Each role also has its own tests. The source code and content of the data protection tool are free to use, to further develop a company- or industry-specific privacy tool, to produce new language versions, or even in commercial applications.

Finally, the UK Information Commissioner’s Office offers new guidance to game developers on protecting minors. The recommendations are based on the experiences and findings during a series of voluntary audits, (eg, on Yubo, Facepunch), of game developers, studios and publishers within the gaming industry: 

  • The age range of the players and the different needs of children at different ages and stages of development should be at the heart of how you design your games. 
  • Designing games to promote meaningful parent/guardian – child interactions, while setting a high level of privacy by default and appropriate parental controls is key.
  • It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing. 
  • It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.
  • Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents, and game providers.

Investigations and enforcement actions: employee email monitoring, failed data subject requests at a sports centre, HBNR and BIPA violations in the US, student data management

In Austria, the data protection authority found an employer’s monitoring of employee emails unlawful. Several complainants argued that the company, without their consent or knowledge, searched the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was the suspicion of a breach of trade secrets. The data protection authority concluded that the measure, which only took place six months after the incident that gave rise to it, was not proportionate, given the lack of a temporal connection to the incident and its loss of topicality. In addition, there was no valid consent from the works council.

The Norwegian data protection authority confirmed its fine of over 900,000 euros to Sats for breaches of several provisions of the GDPR. The complaints related to the company’s failure to comply with clients’ requests for access and deletion. Furthermore, the fitness centre chain lacked authorisation to process data about customers’ training history. Sats is the Nordic region’s largest fitness centre chain and has its head office in Norway, so the Norwegian regulator dealt with the case in collaboration with other supervisory authorities under the so-called one-stop-shop mechanism.

In the US, the Illinois Supreme Court ruled that fast food chain White Castle System must face claims that it repeatedly scanned the fingerprints of nearly 9,500 employees without their consent, (to access a company computer system), which the company says could cost it more than 17 billion dollars. The Illinois Biometric Information Privacy Act, (BIPA), imposes penalties of 1000 dollars per violation and 5000 dollars for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans, and other biometric information from workers and consumers. 

Also in the US, the Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification, (HBN), Rule against the telehealth and prescription drug discount provider GoodRx Holdings, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. 

Since 2021, US health apps and smart products that collect or use consumers’ health information must comply with the HBN Rule. It ensures that entities not covered by the Health Insurance Portability and Accountability Act, (HIPAA), face accountability when consumers’ sensitive health information is breached. In the above case, GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with HIPAA.

The French privacy regulator CNIL gave formal notice to two higher education institutions to comply with the GDPR concerning files used for administrative and pedagogical management. Areas of non-compliance include data retention periods, student information, use of subcontractors, and data security:

  • they had not defined a precise retention period for all processing of students’ personal data, nor had they provided for a purge and archiving system;
  • they did not properly inform students about the collection of their data via the various forms filled out during their studies;
  • they were unable to send the CNIL duly signed data processing agreements with subcontractors;
  • they had no password policy guaranteeing a minimum level of security.

Data security: messaging apps

Privacy International issued a guide on communicating with others via messaging apps. Reportedly, there are two main aspects to consider: a) whether it offers end-to-end encryption that protects the content of your communication; and b) whether it collects any information beyond the content of the message, such as location, who you communicate with, and other details referred to as ‘metadata’. For sensitive conversations, it may be sensible to use disappearing messages if offered by your app, (however, it is unclear whether self-destructing messages are also recoverable by mobile phone extraction technology).

The use of E2EE for messaging should always be preferred over text messages, which are completely unencrypted, meaning they can be easily read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement. For example, Signal uses E2EE not only to encrypt the contents of messages but also to obscure all metadata, even from itself. In contrast, both WhatsApp and Telegram store, and can access, IP addresses, profile photos, “social graphs”, and more.

Big Tech: Palantir technology ban in Germany, more TikTok data centres in Europe

A top German court ruled against the use of software developed by Palantir Technologies, saying that police use of automated data analysis to prevent crime in some German states was unconstitutional as it infringes on the right to informational self-determination. The US company’s technology has so far been employed, among other things, to investigate the criminal organisation accused of plotting to overthrow the German government in December, Reuters reports. Palantir says it only offers software for processing data. However, the German Society for Civil Rights, which brought the lawsuit, claimed the software used data from innocent people to form suspicions and could produce errors.

TikTok plans to open two more data centers in Europe, (Ireland), hoping to lessen regulatory pressure on the business. Data migration for TikTok users in Europe will start this year and last until 2024. TikTok hasn’t been subject to the same hefty fines as Google and Meta in the EU. Now TikTok is attempting to reassure governments and privacy regulators that users’ personal information cannot be accessed and that its content cannot be altered by the Chinese government or anyone else working for Beijing. 

The company also reported an average of 125 million monthly active users in the EU under the brand-new online content rules known as the Digital Services Act. For comparison, Twitter says it has 100.9 million. Alphabet reports 278.6 million at Google Maps, 274.6 million at Google Play, 332 million at Google Search, 74.9 million at Shopping, and 401.7 million at YouTube. Meta Platforms claims 255 million on Facebook and about 250 million on Instagram.

Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage
https://techgdpr.com/blog/data-protection-digest-04012023-us-signals-intelligence-redress-mechanism-dormant-privacy-risk-assessment-data-brokerage/ Wed, 04 Jan 2023 10:06:59 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: US signals intelligence redress mechanism, Google search results removal, California consumer privacy rights, Australia Privacy Act review

The US Office of the Director of National Intelligence, (ODNI), published a directive for implementing the signals intelligence redress mechanism created under the proposed EU-US Data Privacy Framework. It is necessary for the implementation of the US adequacy decision which received a green light from the European Commission just before the end of 2022. The directive governs the handling of redress complaints regarding certain signals intelligence activities and outlines the process by which qualifying complaints may be transmitted by an appropriate public authority in a qualifying state. Additionally, the directive outlines the role of the ODNI Civil Liberties Protection Officer with a given complaint: 

In Sweden, the Supreme Administrative Court rejected the appeal in a case between Google and the Swedish privacy regulator IMY. This means that the judgment gains legal force and that Google must pay a 4.5 million euro fine. In 2020, the IMY fined Google for violating the right to have search results removed. When Google delisted search results, the site owner was notified of the webpage and data subject concerned via Search Console, previously Webmaster Tools. But informing the site owner meant that the personal data was used beyond its original purpose, and the information notice misled users and deterred them from exercising their right to request removal.

California consumer privacy rights expanded on 1 January, (but will be enforced from July). In 2020, California voters approved Proposition 24, known as the CPRA, amending some of the older CCPA’s consumer protections and thereby expanding businesses’ obligations. For example, previously employees, job applicants, owners, directors, officers, and contractors were excluded from the definition of “consumer,” and had limited data subject access rights. These rights include the ability to opt out of profiling, opt out of targeted/cross-context advertising, opt out of automated decision making, and to limit the use and disclosure of sensitive information. The new law establishes annual privacy risk assessments and cybersecurity audits. Civil lawsuits will also be allowed against companies that fail to take appropriate measures, with potential damages between 100 and 750 dollars per consumer, per incident.

Australian Attorney-General Mark Dreyfus confirmed that the Privacy Act Review has been completed and a final report received by his department. The announcement came shortly after a wave of spectacular data breaches in the Australian corporate sector. The new privacy regime could include a broader definition of personal data, expanded information obligations for organisations, opt-in consent for users, the right to erasure, and increased penalties for serious or repeated data breaches. 

Official guidance: special categories of data, global cookie review, data brokerage, age-appropriate design tests

The Latvian data protection agency DVI issued a reminder of the rules for the lawful processing of special categories of personal data. In addition to complying with the general data protection conditions, controllers must observe that processing of such data is prohibited by default unless one of the following exceptional permissions or justifications applies:

  • a person’s consent, (eg, to receive commercial notices about price discounts for specific goods or services in a pharmacy);
  • social protection rights, (eg, when terminating the employment of a unionised employee, the employer must contact the trade union); 
  • vital interests of a person, (eg, in cases where a person is unconscious and it is necessary to find out his blood group, allergies, etc.);
  • non-profit activity for political, philosophical, religious, or trade union-related purposes, (the personal data is not disclosed outside the said organisation without the consent of the individual);
  • data deliberately made public, (eg, the person has expressed on social networks that they are vegetarian);
  • essential public interests, (eg, information about political party donors must be made public);
  • preventive or occupational medicine, (eg, assessment of the employee’s work capacity, health or social care, or treatment);
  • public health, (eg, to limit the spread of COVID-19);
  • archiving in the public interest, for scientific, historical or statistical purposes.

The French privacy regulator CNIL published guidelines on the commercial use of customer files – data brokerage. Data controllers need to pay attention to the types of data that can be transferred, (only data relating to active customers can be shared), and to obtaining consent from data subjects for the intended transfer, (eg, via an electronic form). The purchaser must also inform the data subjects of the transfer and the source of the data, (the name of the company that sold the customer files), and obtain the data subjects’ consent if it wishes to use their data for electronic commercial prospecting.

Bird&Bird offers the latest Global Cookie Review – the legal and regulatory landscape relating to the expanding use of cookies and similar technologies, country by country. Such regulations often follow a path set by the EU GDPR and ePrivacy Directive. The report also contains Asia Pacific, Latin American, and South African overviews, where similar regulations are often lacking or can be even divergent on transparency and consent requirements. 

The UK Information Commissioner’s Office has published design tests to support designers of products or services that are likely to be accessed by children or young people. Each test provides a report detailing areas of good practice as well as ways to improve conformity with the Age-Appropriate Design Code. This includes “best interests of the child” standards like age authentication, safe default settings, parental controls, enforcement, and data protection impact assessments.

Investigations and enforcement actions: credit rating by mistake, “dormant” risk assessment, “defaulting” customers error, employees’ email metadata, mass grocery purchases monitoring, and workers’ fingerprinting

The Norwegian data protection authority has notified Recover of its decision to fine the company 20,000 euros. The matter concerns a credit rating performed without a legal basis. The background to the fine is a complaint from a private individual who was subjected to a credit assessment without any form of customer relationship or other connection to the above company. A credit rating is established after compiling personal data from many different sources including a person’s overall financial situation, any payment remarks, debt-to-income ratio, and whether the person has any mortgages/liens.

The Norwegian regulator has also given Statistics Norway notice of a decision banning its planned collection of data on the Norwegian population’s grocery purchases. Through the collection of bank data and bank transaction data, the organisation planned to obtain information on what the population buys, and then link that to socio-economic data such as household type, income, and education level. The regulator believes that the legal basis, (the societal benefit of consumption and diet statistics), is not clear and predictable enough for this planned processing of personal data. Even if the purpose is to produce anonymous statistics, an intrusion into the individual’s privacy will occur.

Italian regulator Garante fined Areti 1 million euros: thousands of users were mistakenly classified as “defaulting” customers and unable to switch to other suppliers. The misalignment of the company’s internal systems led to incorrect data migration to the integrated information database consulted by suppliers before signing a new contract. As a result, more than 47,000 Areti customers wanting to change energy supplier were denied an account activation and any potential savings deriving from market advantages, because they were incorrectly red-flagged. 

Additionally, Garante issued a fine to Lazio Regio of 100,000 euros for unlawful monitoring of employees’ email metadata. An internal audit was launched by the region on the suspicion of a possible unauthorised disclosure to third parties of information protected by official secrecy. Metadata was collected in advance and stored for 180 days: date, time, sender, recipient, subject, and size of email. This allowed the region to obtain information relating to employees’ private lives, such as their opinions or contacts. 

No workplace fingerprinting without specific requirements, ruled Garante, which fined a sports club 20,000 euros. The authority intervened following a report from a trade union, which complained about the company’s introduction of the biometric system despite the union’s request to adopt less invasive means of authentication. For almost four years the company had fingerprinted 132 employees, violating the principles of minimisation and proportionality. It also gave workers very little information on the characteristics of the biometric processing.

The Romanian data protection authority completed an investigation at leading retailer Kaufland and issued a fine of 3,000 euros. A video recording containing images of a complainant in the parking lot of one of the chain’s stores appeared on the web page of a local newspaper. It turned out that the store manager had allowed an employee access to the monitoring room; the employee captured the video recordings that were playing with his personal mobile phone and sent the images via WhatsApp to a third party. The images were later posted by an online publication. As a result, the complainant’s image and the car’s registration number were revealed, with two persons affected by the incident.

The EDPB published a summary on risk assessment and acting in accordance with established procedures. A controller, (in Poland), was notified of a personal data breach that occurred as a result of a break-in at an employee’s apartment and the theft of a laptop. The confidentiality of the personal data was at risk because the stolen computer was only password protected. The controller had kept adequate documentation since the beginning of the application of the GDPR and had performed a risk assessment, but it was only after the data breach occurred that the controller complied with the results of its own risk assessment by encrypting laptop hard drives.

Data security: zero trust architecture, IoT onboarding, and lifecycle management

The US NIST’s National Cybersecurity Center of Excellence has published a draft practice guide on implementing a zero trust architecture and is seeking the public’s comments on its contents. As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device on-premises and in the cloud. Comments from industry participants are welcomed by or before 6 February. 

In parallel, the NIST is also seeking comments on draft guidance on Trusted IoT Onboarding and Lifecycle Management. Scalable mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. In combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, this could improve the security of networks and IoT devices from unauthorised connections.

Big Tech: face recognition practices by PimEyes, Epic Games’ COPPA violations, TikTok app age rating

The Baden-Württemberg data protection authority announced proceedings against PimEyes, (a face recognition and reverse image search service), Data Guidance reports. Recent media reports stated that PimEyes scans faces on the internet for individual characteristics and stores biometric data without a proper legal basis, an identified data sharing model, or valid opt-out options. A data subject should be able to agree to the processing of personal data relating to them in an informed and unambiguous manner. In the case of automated retrieval of images on the Internet, these requirements cannot be met. Equally, a private company such as PimEyes cannot undertake police investigative work in the public interest or interfere with the rights of data subjects.

US video game maker Epic Games will pay more than half a billion dollars in refunds over allegations of children’s privacy law, (COPPA), violations and of tricking users into making unwanted charges for in-game items, (eg, costumes and dance moves). Epic’s Fortnite game has more than 400 million users worldwide. The company will be required to adopt strong privacy default settings for children and teens, (parental notice and consent requirements), ensuring that voice and text communications are turned off by default. This is the Federal Trade Commission’s largest refund award in a gaming case and the largest administrative order in its history.

Finally, Virginia Attorney General joined 14 other state attorneys general to call on Apple and Google to take immediate action and correct their application store age ratings for TikTok. The change will help parents protect their children from being force-fed harmful content online. The current ratings of “T” for “Teen” in the Google Play App store and “12+” in Apple’s App Store falsely represent the objectionable content found and served to children on TikTok. While TikTok does have a “restricted mode” available, it is also aware that many of its users are under 13 and have lied about their age to create a profile.

Data protection & privacy digest 1 – 15 Dec 2022: draft US adequacy decision, Microsoft ‘data boundary’ for the EU, Age-appropriate design code
https://techgdpr.com/blog/data-protection-digest-16122022-draft-us-adequacy-decision-microsoft-data-boundary-for-the-eu-age-appropriate-design-code/ Fri, 16 Dec 2022 09:52:52 +0000

In this issue, you will find updates on the draft US adequacy decision, Standard Data Protection Model, HIPAA rules, multimedia boxes security, code of practice for app market, Microsoft ‘data boundary’ for the EU, Apple’s E2EE, and more.

Legal processes: draft US adequacy decision, EDPB’s binding decisions, draft AI Act

The EU issued a draft adequacy decision for the United States, saying US safeguards against America’s intelligence activities were strong enough to address EU concerns on data transfers. Previously, personal data could be freely sent to the US through the Privacy Shield framework, but this framework was abolished by the CJEU in the Schrems II judgment. Earlier this year, after negotiations with the European Commission, US President Joe Biden introduced a new EU-US Data Privacy Framework and signed a new law to comply with the CJEU decision. 

The Commission is now to submit the US adequacy decision to the European Privacy Council, which will state whether privacy is adequately safeguarded. The European Parliament will also scrutinise the decision. The Commission must then obtain the approval of all EU countries to formally approve the new mechanism, (probably in the first half of 2023). The decision will come into force when the US has fully implemented the new legislative changes. Finally, users can then challenge the decision via national and European courts. It is worth noting that:

  • The new adequacy mechanism will not apply to all transfers to the US; it will apply only to transfers to US organisations that have chosen to participate in the scheme.
  • It will probably become easier to transfer personal data to the US in general if a common transfer tool, such as the new EU SCCs, is used.

A CJEU ruling upheld the EDPB’s role and authority to arrive at a collective decision under the GDPR’s consistency mechanism. The court held that the action for annulment brought by WhatsApp Ireland against the EDPB’s binding decision is inadmissible. That decision led to a 225 million euro fine from Ireland’s Data Protection Commission, (DPC). It is now up to the Irish courts to review the legality of the DPC’s final decision. In 2021 the EDPB had resolved a dispute over the DPC’s draft decision concerning WhatsApp Ireland’s GDPR transparency obligations towards users and non-users of the service.

The European Council has adopted its common position on the Artificial Intelligence Act ahead of official negotiations with the Parliament. It aims to ensure AI systems placed and used on the EU market are safe and respect existing laws, including relevant data protection. Since AI systems are developed and distributed through complex value chains, the text includes changes clarifying the allocation of responsibilities and roles of the various actors in those chains, particularly providers and users of AI systems. Several new provisions have been added:

  • where an AI system can be used for many different purposes, (general-purpose AI), and is subsequently integrated into another high-risk system, consultations and detailed impact assessments that consider the specific characteristics of general-purpose AI systems and their value chains would apply;
  • obligation for users of an emotion recognition system to inform natural persons when they are being exposed to such a system;
  • prohibition on the use of AI for social scoring by private actors;
  • some exclusions for national security, research, and development. 

Certain users of high-risk AI systems that are public entities will also be obliged to register in the EU database for such systems. The future AI act provides penalties, with proportionate caps on administrative fines for SMEs and start-ups, and a new complaint mechanism. 

Official guidance: standard data protection model, use of cookies, wrongful credit information, age-appropriate design code, HIPAA rules

The German data protection authorities updated the Standard Data Protection Model, (SDM), which provides mechanisms for translating the legal requirements of the EU GDPR into technical and organisational measures. In particular, the new SDM first records the legal requirements of the GDPR and then assigns them to the protection goals of data minimisation, availability, integrity, confidentiality, transparency, unlinkability and intervenability, alongside the risk assessment. The new version is SDM 3.0.

The Croatian data protection authority AZOP issued a reminder on the use of cookies. Although the e-Privacy Directive requires freely given and informed consent for storing or accessing cookies, the practical application of this requirement differs between EU member states. Currently, observed implementations rely on one or more of the following practices:

  • an immediately visible notification that the website uses various types of cookies or similar technologies, with layered information that usually offers a link or a series of links where the user can learn more about the cookies used,
  • information on how users can indicate, and later withdraw, their cookie preferences, including the action required to express such a preference,
  • a mechanism by which the user can accept all or some cookies, or refuse them,
  • the possibility for the user to subsequently change their earlier preference.

However, some cookies can still be exempted from the consent requirement under certain conditions, and only if they are not used for additional purposes:

  • user-input cookies, (e.g. a session ID), for the duration of the session, or persistent cookies limited in some cases to a few hours,
  • authentication cookies, used to authenticate the user to the service, for the duration of the session,
  • user-centric security cookies, used to detect authentication abuse, for a limited persistent duration,
  • multimedia content session cookies, (such as those of Flash players), for the duration of the session,
  • load-balancing session cookies, for the duration of the session,
  • user-interface customisation cookies, for the duration of the session, (or slightly longer),
  • third-party social plug-in content-sharing cookies, for logged-in members of the social network.

Finally, third-party marketing cookies cannot be exempted from consent, even for operational purposes related to third-party advertising, such as frequency capping, financial logging, ad matching, click fraud detection, research and market analysis, product improvement, and troubleshooting.
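The exemption conditions above can be enforced mechanically at the point where a server emits Set-Cookie headers. The following is an added example, not AZOP’s guidance text or any site’s own code: cookies in the strictly-necessary categories pass without consent, but only within the lifetime each category is allowed; every other cookie is dropped until the user has granted the matching consent category. The cookie names, the inventory mapping them to categories and the 4-hour limit assumed for a security cookie are illustrative assumptions.

```python
"""Consent gate for outgoing Set-Cookie headers (added example, assumptions noted inline)."""
from dataclasses import dataclass
from typing import Optional

SESSION_ONLY = 0   # limit of 0 seconds: the cookie may carry no Max-Age / Expires at all

# Exempt categories and the longest persistence each may have, in seconds.
EXEMPT_LIMITS = {
    "user_input": SESSION_ONLY,        # e.g. session ID
    "authentication": SESSION_ONLY,
    "security": 4 * 3600,              # assumed: abuse-detection cookie, "a few hours"
    "load_balancing": SESSION_ONLY,
    "ui_preference": SESSION_ONLY,
}

# Assumed site inventory: cookie name -> category. Unknown cookies are blocked,
# so a tracker slipped in by a third-party script cannot bypass the gate.
COOKIE_INVENTORY = {
    "sid": "user_input",
    "auth": "authentication",
    "abuse_guard": "security",
    "lb_route": "load_balancing",
    "ui_lang": "ui_preference",
    "_ga": "analytics",
    "ad_id": "marketing",
}


@dataclass
class Decision:
    name: str
    allowed: bool
    reason: str


def parse_set_cookie(header: str) -> tuple[str, Optional[int], bool]:
    """Return (cookie name, Max-Age in seconds or None, whether an Expires attribute is present)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age, has_expires = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(value.strip())
        elif key == "expires":
            has_expires = True
    return name, max_age, has_expires


def decide(header: str, consent: set[str]) -> Decision:
    """Decide whether one Set-Cookie header may leave the server for this user."""
    name, max_age, has_expires = parse_set_cookie(header)
    category = COOKIE_INVENTORY.get(name)
    if category is None:
        return Decision(name, False, "not in cookie inventory")
    if category in EXEMPT_LIMITS:
        limit = EXEMPT_LIMITS[category]
        persistent = max_age is not None or has_expires
        if limit == SESSION_ONLY and persistent:
            return Decision(name, False, f"{category} cookie is exempt only as a session cookie")
        if persistent and (max_age is None or max_age > limit):
            # Expires without Max-Age is not checkable here, so it is rejected too.
            return Decision(name, False, f"{category} cookie exceeds {limit}s limit or lacks Max-Age")
        return Decision(name, True, f"strictly necessary ({category})")
    if category in consent:
        return Decision(name, True, f"consent given for {category}")
    return Decision(name, False, f"no consent for {category}")


def filter_set_cookies(headers: list[str], consent: set[str]) -> list[str]:
    """Return only the Set-Cookie headers that may be sent to this user."""
    return [h for h in headers if decide(h, consent).allowed]


if __name__ == "__main__":
    outgoing = ["sid=abc123; Path=/; Secure; HttpOnly",
                "abuse_guard=x; Max-Age=3600; Secure",
                "_ga=GA1.1.1; Max-Age=63072000"]
    for h in outgoing:
        d = decide(h, consent=set())          # visitor has not consented to anything yet
        print(f"{'SEND' if d.allowed else 'DROP'} {d.name}: {d.reason}")
```

Running the gate against an inventory means the consent banner is no longer the only line of defence: a cookie that is not in the inventory, or an exempt cookie whose lifetime has quietly grown beyond the exemption, is dropped regardless of what the banner says.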

The Latvian data protection authority DVI explains what to do if, as a result of illegal activities, information about a person ends up in a credit bureau’s database. In the specific case, the regulator was approached by a person who had been refused a home loan because the credit information office’s database recorded outstanding debts: loans she had never applied for.

  • If a person finds that a database contains information about debts they did not undertake, they can ask the creditor to restrict the processing of the data, including its transfer to the credit information bureau.
  • In practice, restriction means the debt data will not be deleted, but it will also not be made available to other persons.
  • The person must attach evidence to the request that they have tried to resolve the matter on its merits, for example, that a criminal case has been opened.
  • On receiving the request, the lender must assess whether it is justified.
  • Until the validity of the loan has been examined, the person can request a temporary solution from the lenders, such as a note in the database.

The Future of Privacy Forum released a brief comparing the California and UK Age-appropriate design codes. The California code is a first-of-its-kind privacy-by-design law in the US, set to become enforceable on 1 July 2024. It was modelled on the UK’s code and represents a significant change in the regulation of the technology industry and in how children will experience online products and services. It follows the 15 standards laid down in the UK code, including the “best interests of the child” standard, age assurance, default settings, parental controls, enforcement, and data protection impact assessments. The UK ICO has also published design tests to support designers of products or services that are likely to be accessed by children or young people.

The US Department of Health and Human Services highlighted the obligations that the Health Insurance Portability and Accountability Act, (HIPAA), places on covered entities and business associates when using online tracking technologies, (Google Analytics, Meta Pixel), on webpages and in apps, with or without user authentication. Some regulated entities regularly share electronic protected health information, (ePHI), with tracking technology vendors, and some may be doing so in a manner that violates the HIPAA rules. For instance:

  • The HIPAA Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on the regulated entity informing individuals, in its privacy policy, notice, or terms of use, that it plans to make such disclosures.
  • Regulated entities must ensure that every tracking technology vendor has signed a business associate agreement and that there is an applicable permission before PHI is disclosed.
  • If the vendor is not a business associate of the regulated entity, individuals’ HIPAA-compliant authorisations are required before PHI is disclosed to the vendor.
  • Website banners asking users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorisation. Read the full guidance here.

Investigations and enforcement actions: census data, diligence in choosing the subcontractor, social audio app, employee’s health data, multimedia boxes security, WC area surveillance

Portugal’s regulator the CNPD concluded that the National Institute of Statistics committed five administrative offences under the GDPR within the scope of the 2021 census operation, and imposed a fine of 4.3 million euros. The CNPD found that the organisation processed personal data relating to health and religion unlawfully, failed to fulfil its duty to inform respondents to the census questionnaire, breached its duty of diligence in choosing a subcontractor, infringed the provisions on international data transfers, and failed to carry out a DPIA for the census operation. In particular, the chosen subcontractor, (Cloudflare, Inc), was contracted as a US-based company under the jurisdiction of the California courts despite the existence of a company office in Lisbon. This allowed personal data to transit through any of the company’s 200 servers outside the European Economic Area. The contract contained the standard contractual clauses approved by the European Commission for transfers of personal data to the US, but made no provision for the additional measures, required by the CJEU’s Schrems II judgment, that would prevent access to the data by third-country government entities.

The Finnish data protection authority imposed an administrative fine of 230,000 euros on Viking Line for violations related to the processing of employees’ health data. A former employee complained that he had not received all the personal data he had requested that was stored in the company’s systems. The regulator found that:

  • Viking Line had stored his health information in the personnel management system for 20 years. 
  • Among other things, this included diagnosis information in connection with information about sickness leave. 
  • Some of the stored diagnosis information was incorrect, as it was not possible to enter all existing diagnosis codes into the system. 
  • Storing diagnosis information together with other information related to the employment relationship was against the law.

The French regulator CNIL imposed a penalty of 300,000 euros on the telecoms company FREE, in particular for failing to respect the rights of individuals and the security of its users’ data. Checks revealed several shortcomings regarding the rights of data subjects, (right of access and right of erasure), data security, (weak passwords, and storage and transmission of passwords in plain text), and the reconditioning process: its technical and organisational measures did not prevent around 4,100 “Freebox” multimedia boxes previously held by former subscribers from being reallocated to new customers without the data stored on them having been properly deleted. This data could include photos, home videos, or recorded television programmes.
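The Freebox finding comes down to a missing verification step: a reconditioning line that only runs a wipe, without checking the result, cannot know whether a subscriber’s recordings survived. The following is an added example, not Free’s or CNIL’s code, of the check a refurbishment line can run on an image of a box’s storage before the device is reallocated: it walks the image sector by sector and reports every range that is not filled with a wipe pattern. The wipe patterns (all 0x00 or all 0xFF) and the sample image, which is constructed from zeros plus a few sectors of leftover JPEG-like data, are assumptions for illustration.

```python
"""Sanitisation check for a storage image (added example; patterns and sample data are assumed)."""
import io

WIPE_PATTERNS = (b"\x00", b"\xff")   # assumed: what an overwrite pass leaves behind
SECTOR = 512


def sector_is_blank(sector: bytes) -> bool:
    """A sector counts as wiped only if it consists entirely of one wipe pattern."""
    return any(sector == pattern * len(sector) for pattern in WIPE_PATTERNS)


def residual_ranges(stream, sector_size: int = SECTOR) -> list[tuple[int, int]]:
    """Return merged (offset, length) ranges of sectors that still hold data."""
    ranges: list[tuple[int, int]] = []
    offset = 0
    while True:
        sector = stream.read(sector_size)
        if not sector:
            break
        if not sector_is_blank(sector):
            if ranges and ranges[-1][0] + ranges[-1][1] == offset:
                start, length = ranges[-1]           # extend the current residual range
                ranges[-1] = (start, length + len(sector))
            else:
                ranges.append((offset, len(sector)))
        offset += len(sector)
    return ranges


def verify_image(data_or_path, sector_size: int = SECTOR) -> dict:
    """Verify a bytes object or a file path; returns a verdict plus the residual ranges."""
    if isinstance(data_or_path, (bytes, bytearray)):
        stream = io.BytesIO(data_or_path)
        total = len(data_or_path)
    else:
        stream = open(data_or_path, "rb")
        stream.seek(0, io.SEEK_END)
        total = stream.tell()
        stream.seek(0)
    with stream:
        ranges = residual_ranges(stream, sector_size)
    return {
        "sanitised": not ranges,
        "residual_bytes": sum(length for _, length in ranges),
        "residual_ranges": ranges,
        "total_bytes": total,
    }


def build_sample_image() -> bytes:
    """Constructed image: 8 zero sectors, 3 sectors of leftover data, 4 zero sectors, 1 0xFF sector."""
    leftover = (b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 8) * 32   # 512 bytes resembling a JPEG header
    return b"\x00" * (8 * SECTOR) + leftover * 3 + b"\x00" * (4 * SECTOR) + b"\xff" * SECTOR


if __name__ == "__main__":
    report = verify_image(build_sample_image())
    if report["sanitised"]:
        print("image is sanitised")
    else:
        print(f"residual data in {report['residual_ranges']} "
              f"({report['residual_bytes']} of {report['total_bytes']} bytes)")
```

The verdict is deliberately binary: a single non-blank sector fails the device, because the finding in the CNIL case was not about volume but about any former subscriber’s data reaching a new customer. For a real device the image would be taken from the block device itself rather than through the filesystem, so that deleted-but-unoverwritten blocks are covered.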

Finally, the Danish data protection agency has reported Danske Shoppingcentre P/S to the police for not having sufficiently restricted video surveillance in at least one toilet area of a shopping centre, and has recommended a fine of 47,000 euros. Danske Shoppingcentre explained that there had been problems with vandalism in the toilets, among other things, and that it had therefore installed video surveillance to prevent vandalism and theft and to ensure customer safety. The company used a technical solution that blacked out part of the camera image to mask the urinal. However, the masking was insufficient, contrary to the principle of data minimisation.

Data security: code of practice for app market, risk-based audit, phishing infographic, EU healthcare sector resilience

The UK ICO has completed a voluntary, risk-based audit of the processing of personal data at the Rowan Learning Trust, (a school-to-school support trust). The key elements were a desk-based review of selected policies and procedures, remote interviews with selected staff, and a virtual review of evidential documentation. The audit revealed that:

  • Data protection compliance is currently not discussed routinely in any local groups or at the board level across the trust. 
  • Compliance information is not reported to senior management. 
  • The trust should also implement a new data protection policy with supporting documentation and ensure that staff are aware of and understand its contents.
  • There is currently no mandatory data protection training in place for the staff. 
  • The trust does not have a Record of Processing Activity document. 
  • There is currently no oversight of Records Management and operational responsibility assigned.
  • The trust has not conducted an information audit, so does not have an understanding of all of the information that is held and how it flows across the trust.
  • There are currently no compliance checks carried out across the trust to ensure that physical and electronic records are destroyed in line with their retention periods.

The UK government has published a voluntary Code of Practice to strengthen consumer protections across the app market. The government will work with the biggest operators and developers to support them in implementing the voluntary code over a nine-month period. Under the code, app store operators and developers will need to:

  • share security and privacy information in a user-friendly way with consumers, (eg, when an app or its updates become unavailable on an app store, or where users’ data is located);
  • allow their apps to work even if a user chooses to disable optional permissions, such as preventing the app from accessing a microphone or the user’s location;
  • provide clear feedback to developers when an app is not published for security or privacy reasons;
  • have a vulnerability disclosure process in place, so software flaws can be reported and resolved without being made publicly known for malicious actors to exploit;
  • ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps.

America’s CISA published a Phishing Infographic to help protect both organisations and individuals from successful phishing operations. This infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The infographic also provides detailed actions organisations and individuals can take to prevent successful phishing operations—from blocking phishing attempts to teaching individuals how to report successful phishing operations. 

The European Union Agency for Cybersecurity released the after-action report of the 2022 edition of Cyber Europe, the cybersecurity exercise testing the resilience of the European Healthcare sector. It featured a disinformation campaign of manipulated laboratory results and a cyber attack targeting European hospital networks. The scenario provided for the attack to develop into an EU-wide cyber crisis with the imminent threat of personal medical data being released and another campaign designed to discredit a medical implantable device with a claim on vulnerability. 

Big Tech: Microsoft ‘data boundary’ for the EU, Apple’s end-to-end encryption, Amazon buying customer data

Microsoft says its EU cloud customers will be able to process and store their data in the region from January. This will apply to all of its core cloud services: Azure, Microsoft 365, Dynamics 365 and the Power BI platform. For many companies, data storage has become so large and distributed across so many countries that it is difficult for them to understand where their data resides and whether it complies with the GDPR. The latest criticism of Microsoft 365 cloud services came recently from the German data protection regulators, while the French ministry of national education has urged schools in the country to stop using free versions of Microsoft 365, (and Google Workspace), amid privacy concerns.

In the meantime, Apple unveiled a range of security and privacy enhancements. Users will be given the option to protect more of the data they back up to iCloud with end-to-end encryption. The encryption key, the secret needed to read that data, will be held on the user’s device. This means that if a user who opts into this protection loses access to their account, they are responsible for regaining it with their own key: Apple will no longer hold the encryption keys for that data in iCloud. The change will not apply to all data; email, contacts, and calendar entries will not be covered. Users will have to opt into the feature voluntarily.

Finally, some Amazon users will now earn 2 dollars per month for agreeing to share their traffic data with the retail giant, Businessinsider reports. Amazon is keeping track of which advertisements participants viewed, where they saw them, and what time of day they were viewed as part of the business’s new invite-only Ad Verification program. Both Amazon’s own and third-party platform advertisements fall under this category. Only customers who were invited to participate in the program will be eligible for the reward; however, those who were not invited can join a waiting list.

The post Data protection & privacy digest 1 – 15 Dec 2022: draft US adequacy decision, Microsoft ‘data boundary’ for the EU, Age-appropriate design code appeared first on TechGDPR.

Data protection & privacy digest 30 Aug – 12 Sep 2022: the US hosting provider in the EU, Google Fonts claims, Children’s Code
https://techgdpr.com/blog/data-protection-digest-13092022-us-hosting-subsidiary-in-the-eu-pets-child-privacy/
Tue, 13 Sep 2022 09:40:22 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: US hosting provider in the EU, Google Fonts, IAB Europe, California Age-Appropriate Design Code, new Swiss privacy law

In Germany, a public procurement chamber’s decision barring two hospitals’ digital discharge-management data from being stored in Luxembourg was overturned by a higher regional court. Two public hospitals in Baden-Württemberg had agreed to send data to the Luxembourg subsidiary of a US hosting provider. The procurement chamber had held that using the Luxembourg subsidiary of a US company would amount to an inadmissible transfer to a third country, reasoning that “the latent risk of access by government and private bodies outside the European Union, (here the US), is sufficient for this assumption.” The Karlsruhe court overturned that finding: the specific guarantees offered by one of the bidders to store and process data only in Germany convinced the court that sufficient safeguards would apply. This decision is final.

According to TechnikNews, Google Fonts are currently the subject of a veritable tsunami of GDPR claims in Austria and Germany. Many website owners have received letters and emails from data protection lawyers alleging a data protection violation and requesting a “settlement”. Without the visitor’s consent, the website operator is said to have “forwarded the client to a business of the US Alphabet Inc.”, (Google’s parent). The claims appear to rely on a Munich Regional Court decision that upheld a lawsuit over the embedding of Google Fonts. Google sees it differently, according to its own privacy policy: although the user’s browser does send a request to Google, IP addresses are not logged. Furthermore, “the use of the Google Fonts API is not authenticated and the Google Fonts API does not set or log any cookies.” See the original publication for further technical analysis.
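Whether a page makes the visitor’s browser contact a third party is something an operator can check from the HTML alone, before a lawyer’s letter or a regulator does it for them. The scanner below is an added example, not code from TechnikNews, Google or the HHS. It serves two items on this page: the Google Fonts claims above, where a stylesheet link to fonts.googleapis.com is what causes the browser, and therefore the visitor’s IP address, to reach Google, and the HHS bulletin on tracking technologies in the previous digest, where an analytics script or pixel on an authenticated patient page is the high-severity case. It parses each page with the standard library, reports every script, image, iframe or stylesheet fetched from a listed host plus inline tag or pixel snippets, and rates findings on authenticated pages higher. The host list, the inline markers and the two sample pages are constructed assumptions.

```python
"""Third-party resource scanner for HTML pages (added example; host list and pages are assumed)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: well-known third-party hosts and what loading them implies for the visitor.
THIRD_PARTY_HOSTS = {
    "google-analytics.com": "analytics (Google Analytics)",
    "googletagmanager.com": "tag manager / analytics (Google)",
    "connect.facebook.net": "pixel loader (Meta Pixel)",
    "facebook.com": "pixel endpoint (Meta Pixel)",
    "fonts.googleapis.com": "web font stylesheet (Google Fonts)",
    "fonts.gstatic.com": "web font files (Google Fonts)",
}
INLINE_MARKERS = {"gtag(": "inline Google tag snippet", "fbq(": "inline Meta Pixel snippet"}


@dataclass
class Finding:
    page: str
    resource: str
    kind: str
    severity: str


class ResourceCollector(HTMLParser):
    """Collects external resource URLs and the bodies of inline scripts."""
    URL_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls: list[str] = []
        self.inline_scripts: list[str] = []
        self._buffer = None            # collects one inline <script> body at a time

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(self.URL_ATTR.get(tag, ""))
        if url:
            self.urls.append(url)
        if tag == "script" and not attrs.get("src"):
            self._buffer = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buffer is not None:
            self.inline_scripts.append("".join(self._buffer))
            self._buffer = None

    def handle_data(self, data):
        if self._buffer is not None:
            self._buffer.append(data)


def third_party_kind(url: str):
    """Map a resource URL to a known third-party purpose, or None for first-party/unknown hosts."""
    host = urlsplit(url).hostname or ""      # relative URLs have no host: first-party
    for domain, kind in THIRD_PARTY_HOSTS.items():
        if host == domain or host.endswith("." + domain):
            return kind
    return None


def scan_page(page_url: str, html: str, authenticated: bool) -> list[Finding]:
    """Return findings for one page; anything loaded behind a login is rated high."""
    collector = ResourceCollector()
    collector.feed(html)
    severity = "high" if authenticated else "medium"
    findings = []
    for url in collector.urls:
        kind = third_party_kind(url)
        if kind:
            findings.append(Finding(page_url, url, kind, severity))
    for body in collector.inline_scripts:
        for marker, kind in INLINE_MARKERS.items():
            if marker in body:
                findings.append(Finding(page_url, f"inline script containing {marker!r}", kind, severity))
    return findings


# Constructed sample pages: an authenticated patient-portal page and a public page.
SAMPLE_PAGES = [
    ("https://portal.clinic.example/appointments", True, """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('config', 'G-EXAMPLE');</script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=123&ev=PageView">
<script src="/static/app.js"></script></body></html>"""),
    ("https://www.clinic.example/", False, """<html><head>
<link rel="stylesheet" href="/static/site.css"></head>
<body><script src="/static/app.js"></script></body></html>"""),
]


def scan_all(pages=SAMPLE_PAGES) -> dict[str, list[Finding]]:
    return {url: scan_page(url, html, auth) for url, auth, html in pages}


if __name__ == "__main__":
    for url, findings in scan_all().items():
        print(f"{url}: {len(findings)} third-party finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.kind}: {f.resource}")
```

A static scan of this kind is a floor, not a ceiling: tags injected at runtime by a tag manager do not appear in the HTML, so the same inventory should also be checked against the browser’s actual network requests, for example from HAR captures of an authenticated session.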

The Belgian Market court referred the IAB Europe Ruling on the Transparency & Consent Framework to the CJEU. In an interim ruling, the court has decided to refer preliminary questions to the CJEU on how the concept of data controllership in the GDPR as it pertains to this ruling, is to be interpreted and on whether a TC String, (a digital signal containing user preferences), can be considered as “personal data” under the GDPR. The referral to the EU top court means a final judgment is unlikely until 2023. IAB Europe disputes the initial decision by the Belgian supervisory authority APD, that it acts as a controller for the recording of TC Strings and as a joint controller for the dissemination of TC Strings and other data processing done by TCF vendors under the OpenRTB protocol. It also challenges the APD’s assessments on the validity of legal bases established by the TCF, which were done in the abstract, without reference to the particular circumstances surrounding the data processing.

California approved its own version of the Age-Appropriate Design Code. If the state governor signs the bipartisan bill, (AB-2273), into law, online services that violate its provisions could face fines of up to 7,500 dollars per affected child. This covers social media, the gaming industry and other online services likely to be accessed by children under 18. Covered businesses must:

  • complete and implement a DPIA,
  • estimate the age of child users with a reasonable level of certainty, or apply the privacy and data protections afforded to children to all consumers,
  • configure all default settings to a high level of privacy,
  • provide any privacy information in language suited to the age group,
  • not use a child’s data in a way the business knows, or has reason to know, is materially detrimental to their physical or mental health or well-being,
  • not profile a child by default, (unless sufficient safeguards are in place, or profiling is necessary for the performance of the contract and is in the best interest of the child),
  • not collect, sell, share, or retain personal information that is not necessary to provide an online service, product, or feature with which the child is actively and knowingly engaged, etc.

In Switzerland, the revised data protection law will enter into force on 1 September 2023, according to a recent decision of the Federal Council. The one-year grace period leaves businesses sufficient time to implement the new law. The revised legislation is adapted to technological advances and strengthens the rights of individuals over their data, as well as transparency on how it is collected. Some private data controllers are relieved of certain obligations to inform when personal data is communicated. The modalities of the right of access are simplified by removing the obligation to document the reasons for refusing, restricting or deferring disclosure. Data security requirements are reinforced, (eg, a one-year retention period for data processing log records), following critical feedback during the consultation. Swiss legislators say the modernised law guarantees an adequate level of privacy and safe cross-border transfers. The EU has recognised Switzerland’s level of data protection as adequate since 2000; this recognition is currently under review.

Official guidance: PETs, GDPR implementation, secondary use of health data, decentralised AI, employees’ digital activities, token access, privacy notice

The UK ICO issued draft guidance on Privacy-enhancing technologies, (PETs). These could be software and hardware solutions, methods or knowledge to achieve specific privacy or data protection functionalities or to protect against risks to the privacy of an individual or a group of natural persons. The guide answers questions on:

  • How can PETs help with data protection compliance? (data protection by design and by default, data minimisation, robust anonymisation or pseudonymisation solutions)
  • What are the different types of PETs? (derive or generate data that reduces or removes the identifiability of individuals, hide or shield data, split datasets or control access to certain parts of the data, etc)
  • A detailed description of some PETs, their residual risks, and implementation considerations with practical examples, (Homomorphic encryption, Secure multiparty computation, Private set intersection, Federated learning, Trusted execution environments, Zero-knowledge proofs, Differential privacy, Synthetic data, Reference table).

The Dutch Ministry of Justice published a review of the implementation of the GDPR at the national level. The GDPR is based on open standards, such as necessity and proportionality. The experts recommend concretising and specifically interpreting those standards through sectoral legislation, codes of conduct and guidelines for the practice of data protection law. After studying some cases, the researchers could not clearly understand how the country’s data protection regulator AP determines the size of fines; a more transparent method of setting and imposing penalties could lead to greater understanding and acceptance by the organisations under supervision. The investigation also raises issues with the obligation to report data breaches and with the AP’s lack of enforcement capacity in the case of unreported data breaches.

A Polish law blog is looking at the secondary use of electronic health data in the EU. The draft Regulation on the European Health Data Space allows for certain reuse of both personal and non-personal health data collected in the context of primary use. Apart from public interest or statistical and scientific purposes, the advanced purposes include training, testing, and evaluation of algorithms, including in medical devices, AI systems, or digital health applications. Some categories of data are described in general terms, which would allow new types of data to be included in these categories, and in the future may include:

  • “electronic data related to insurance status, professional status, education, lifestyle, wellness and behavioural data relevant to health”, or 
  • “data impacting on health, including social, environmental or behavioural determinants of health.”

Additionally, national health data access bodies will be able to grant access to additional categories of electronic health data entrusted to them by national laws or based on voluntary cooperation with data holders, (the “data altruism” principle as per the EU’s Data Governance Act). At the same time, the processing of such electronic data must avoid risks, (eg, insurance exclusion, targeted advertising, access to data by third parties, unauthorised medical products or services), causing harm to natural persons.

The Swedish privacy agency IMY is starting a pilot project to create in-depth legal guidance in matters relating to decentralised AI. IMY’s pilot project is being carried out with Sahlgrenska University Hospital and Region Halland. The project is part of a larger strategic initiative led by AI Sweden: information-driven care where AI helps to tailor decisions at the individual and system level and develop more advanced and accurate diagnoses and treatments. Decentralised AI is a way to avoid collecting large amounts of data to train algorithms centrally and instead produce models that are trained locally. The trained algorithms are then returned to a central point where insights are aggregated. 

Is the boss watching you? The Norwegian data protection authority Datatilsynet issued an in-depth monitoring and control of employees’ digital activities report. It states that:

  • More than half of employees lack a sufficient overview of what information the employer collects, (digital work tools record such large amounts of information that it can be hard for employees to keep track).
  • Employers have the ability to collect large amounts of information about employees’ digital activities, (eg, Google, Microsoft and Zoom have built-in functions that allow the employer to monitor the employee’s activities).
  • Software designed to monitor employees can be very intrusive.
  • Several employees see signs that the employer monitors website visits, email access, PC/screen recording, activity logs, audio recording, or GPS tracking.
  • Monitoring tools aimed at employees who work from home are spreading, (Portugal, by contrast, has already prohibited remote worker monitoring).

To help employers comply with the privacy regulations when performing worker monitoring, which legal basis or software to choose from, and notorious infringement cases, see the original guidance, (in Norwegian).

The French supervisory authority CNIL has published a guide on individual access tokens. Frequently integrated into authentication procedures, a token allows a secure connection to a personal space, an account or office documents, and tokens are often used as a second factor to reduce the risk of account takeover. An access token materialised as a link amounts to a standing means of access to personal data reachable from the Internet. This “gateway” is exploitable by malicious actors, and certain principles reduce the likelihood of that happening:

  • Log the creation and use of tokens and define a validity period suited to the purpose.
  • Generate an authentication link that contains no personal data and no variables whose content is easily understood or reusable; use opaque, (e.g. hashed or random), content instead.
  • Require a fresh authentication if the token gives access to personal data or if its lifetime is not sufficiently limited.
  • Limit the number of uses, for example single or temporary use, depending on the intended purpose.
  • When an access token is used to establish a connection between two services for a data transfer, its validity must also be limited in time.
  • Restrict the token to specific services or resources and avoid reusing it.
  • Automatically suspend, temporarily or permanently, access to the requested resource in case of suspicious intensive requests.
  • Let users choose how their remote access token is transmitted, (email, SMS, post, phone call).

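The principles in the CNIL list translate directly into a small token service. The following is an added example, not CNIL’s code: tokens are random and opaque, (no personal data, nothing intelligible or reusable in the link), only their hash is stored, each token is bound to a purpose, a single resource, an expiry and a use count, every creation and use is logged, a token that opens personal data additionally requires a logged-in session, and a burst of rejected presentations against one resource suspends access to it. The failure threshold, the lockout duration and the injectable clock are assumptions chosen for illustration.

```python
"""Access-token service built on the CNIL principles above (added example; thresholds are assumed)."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    purpose: str           # why the token exists, e.g. "invoice-download"
    scope: str             # the one resource the token may reach
    expires_at: float      # absolute epoch time; the token is dead afterwards
    max_uses: int          # 1 for single-use links
    personal_data: bool    # True: the holder must also be authenticated
    uses: int = 0


class TokenService:
    def __init__(self, clock=time.time, max_failures=5, lock_seconds=900):
        self._clock = clock
        self._records: dict[str, TokenRecord] = {}     # keyed by SHA-256 of the token
        self._failures: dict[str, int] = {}            # rejected presentations per resource
        self._locked_until: dict[str, float] = {}
        self._max_failures = max_failures              # assumed threshold
        self._lock_seconds = lock_seconds              # assumed lockout duration
        self.audit: list[tuple[str, str, str, float]] = []   # (event, purpose, scope, time)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, purpose: str, scope: str, ttl_seconds: int,
              max_uses: int = 1, personal_data: bool = False) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits; carries no user data
        record = TokenRecord(purpose, scope, self._clock() + ttl_seconds, max_uses, personal_data)
        self._records[self._digest(token)] = record
        self.audit.append(("issued", purpose, scope, self._clock()))
        return token

    def redeem(self, token: str, resource: str, session_authenticated: bool = False) -> tuple[bool, str]:
        now = self._clock()
        if self._locked_until.get(resource, 0.0) > now:
            return False, "resource temporarily locked after suspicious requests"
        record = self._records.get(self._digest(token))
        if (record is None or record.scope != resource
                or now > record.expires_at or record.uses >= record.max_uses):
            self._register_failure(resource, now)
            # One generic reason: do not tell the caller which check failed.
            return False, "token invalid, expired, exhausted or out of scope"
        if record.personal_data and not session_authenticated:
            return False, "re-authentication required before personal data is shown"
        record.uses += 1
        self._failures.pop(resource, None)
        self.audit.append(("used", record.purpose, record.scope, now))
        return True, "ok"

    def _register_failure(self, resource: str, now: float) -> None:
        count = self._failures.get(resource, 0) + 1
        self._failures[resource] = count
        self.audit.append(("rejected", "-", resource, now))
        if count >= self._max_failures:
            self._locked_until[resource] = now + self._lock_seconds
            self._failures.pop(resource, None)
            self.audit.append(("locked", "-", resource, now))


if __name__ == "__main__":
    svc = TokenService()
    link_token = svc.issue("invoice-download", "invoice/42", ttl_seconds=600)
    print(svc.redeem(link_token, "invoice/42"))   # (True, 'ok')
    print(svc.redeem(link_token, "invoice/42"))   # single use: rejected on replay
```

The link the user receives is just the opaque token in a URL; everything that gives it meaning (purpose, resource, expiry, remaining uses) lives server-side, so neither tampering with the link nor reading it yields anything. The "how the token is transmitted" principle is a delivery concern outside this class.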
The Latvian data protection authority DVI published a simple yet essential reminder of what is a privacy notice. The first step in controlling personal data is awareness of the organisation’s planned activities. Even before starting data processing, the organisation must provide information, and the person whose data they intend to process has the right to get acquainted with:

  • information about the organisation and its contact information;
  • the data protection specialist and their contact information;
  • purposes and legal basis for obtaining the personal information;
  • if the processing is based on legitimate interests, a description of these interests;
  • recipients of personal data, their categories, if any;
  • a reference to how personal data will be protected in case of transfer to a third country or an international organisation;
  • the period for which the information will be stored or, if this is not possible, how this period will be determined;
  • on the exercise of other personal rights – access to personal data, its correction or deletion, restriction of processing, the right to object, the right to data portability;
  • if the processing is based on consent – the right to withdraw it at any time, and how this will affect the lawfulness of processing before withdrawal;
  • the right to submit a complaint to the supervisory authority;
  • whether the provision of personal data is required by law or a contract;
  • whether it is a prerequisite for concluding a contract;
  • whether the person is obliged to provide personal data and what the consequences may be in cases where such data are not provided;
  • if there is automated decision-making, including profiling – meaningful information about the logic involved, as well as the consequences of such processing for the person.

Investigations and enforcement actions: Instagram fine, Sephora settlement, research data processing, worker video and audio surveillance, costs of data protection

Ireland’s data protection commissioner will fine Instagram 405 million euros for breaking the GDPR by improperly handling the data of youngsters using the platform. The parent company of Instagram, Meta, has already declared that it will appeal against the ruling. Although it may seem like a sizable figure, it is not the largest fine a corporation has ever been required to pay under the GDPR. The inquiry, which began in 2020, concentrated on young users between the ages of 13 and 17 who had access to business accounts, which made it easier for the user’s phone number and/or email address to be made public. Instagram unveiled additional measures to keep teenagers safe and secure after updating its settings over a year ago.

The California Consumer Privacy Act’s first enforcement settlement: French cosmetics company Sephora will pay a fine of 1.2 million dollars and adhere to several compliance requirements. According to the attorney general, Sephora violated several laws by failing to inform customers that it was selling their personal information, not honoring user requests to opt out via user-enabled global privacy controls, and failing to remedy these violations within the allotted 30-day period. Sale in this case means Sephora disclosed or made available consumers’ data to third parties, (ad networks and analytics companies), through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for monetary or other valuable consideration. The case also signals a significant increase in risk for businesses operating in California ahead of the California Privacy Rights Act’s implementation in January 2023.

The Danish data protection authority has completed an inspection of the Southern Denmark Region with a focus on the processing of personal data in the health research area. It selected three research projects as the inspection subject for “processing basis” and “responsibilities and roles”. The regulator requested a copy of the data processing agreements, documentation for any supervision of the data processors, and the guideline “Conclusion of data processing agreements and supervision of data processors” which was listed on the region’s list of policies. At the end of the inspection, the regulator stated that the data controller cannot meet the above requirements simply by entering into a data processing agreement with the data processor. The data controller must therefore also carry out supervision, whether light or extensive, to ensure that the data processing agreement is complied with, including ensuring the data processor has implemented the agreed technical and organisational security measures. For instance, in two cases the region entered into data processing agreements with three different data processors in 2018 and 2020, and the agreements have not been updated since.

Following a complaint from an employee, the Spanish data protection regulator AEPD fined Muxers Concept 20,000 euros. An audio recording device was found in the corporate locker room hidden behind ceiling tiles, and an alleged video surveillance camera and sound recorder were found in the employee restrooms. Even recording employees’ interactions with clients is considered disproportionate as a means of guaranteeing compliance with labour laws. All surveillance and control measures must be proportionate to the purpose pursued, which is to provide security and comply with labour rights. As a result, the AEPD determined that Muxers had violated Art. 6 of the GDPR by performing data processing without a legal basis.

Meanwhile, the EDPB has published an overview of the resources, financial and human, made available by EU member states to the data protection supervisory authorities, (SAs), in recent years. It shows that the SAs need more staff to contribute more effectively to the GDPR cooperation and consistency procedures, to educate, and to conduct more investigations, especially those linked to complaints and security breaches. More staff would let the SAs act more proactively, conduct on-site investigations, and examine the growing number of complaints and breach notifications in depth, as only basic processing of them is currently possible in many cases. They also need more resources to develop information systems, increase their national and European communication, and deal with the new tasks arising from evolutions in EU regulations. In some cases, staff salaries were reported to be too low compared to salaries in the private sector in the same field.

Data security: data medium destruction, internet-connected appliances, credential theft

US hosting provider

Germany’s Federal commissioner for data protection BfDI published a guide on destroying data media, (in German). The destruction of data carriers is a technical and organisational measure to ensure data security, and in particular to prevent unauthorised third parties from gaining knowledge of personal data. The responsible body, following international standards, must first classify the processed personal data, or the data carriers storing them, according to their protection requirement and define appropriate protection classes, (from normal to a very high level). The higher the security level, the greater the effort an attacker needs to recover and read the destroyed data carriers or the personal data stored on them. Additionally, there are different specifications for the various material supports, (such as paper, microfilm, magnetic hard drives, optical data carriers, and semiconductor memories), that must be observed when destroying a data carrier.

According to a European Commission document seen by Reuters, internet-connected smart appliances like refrigerators and TVs will have to adhere to stringent cybersecurity regulations or face fines or expulsion from the EU market. Following high-profile events where hackers damaged businesses and demanded astronomical ransoms, worries about cybersecurity threats have increased. The EU executive will make its Cyber Resilience Act plan public in September. Manufacturers will have to evaluate the cybersecurity risks associated with their products and implement the necessary measures. After becoming aware of an incident, organisations must report it to ENISA, the EU’s cybersecurity agency, within 24 hours and take action to resolve the flaws. Distributors and importers will have to confirm that the goods adhere to EU regulations. National surveillance authorities will have the power to “prohibit or restrict that product from being made available on its national market” if businesses fail to comply.

US cybersecurity expert Brian Krebs looks into how phishers have such incredible success stealing one-time passcodes and remote access credentials from employees using text messages. In one of the examples, a deluge of SMS phishing messages targeting workers at commercial staffing agencies that offer outsourcing and customer assistance to hundreds of businesses started to appear in mid-June 2022. The messages instructed recipients to click a link and log in to a phishing page that looked like the authentication page for their workplace. Those who had submitted their credentials were then asked for their one-time password for multi-factor authentication. The phishers sent text messages pushing employees to click on links to freshly registered domains, which frequently incorporated the name of the target organisation, in order to learn details about a supposed impending change in their work schedule. The phishing websites used a Telegram instant chat bot to relay any provided credentials in real time, enabling the attackers to log in as that employee at the legitimate employer’s website before the one-time code expired.

Big Tech: UK Children’s code use cases, SpongeBob app vs COPPA, fingerprints in a school WC

The ICO’s groundbreaking Children’s code was fully rolled out in the UK in September 2021, requiring online services including websites, apps, and games to provide better privacy protections for children. Some changes over the past year included:

  • Facebook and Instagram limited targeting by age, gender, and location for those under 18.
  • Facebook and Instagram now ask for people’s date of birth at sign-up, prevent them from signing up if they repeatedly enter different dates, and disable accounts where people can’t prove they’re over 13.
  • Instagram launched parental supervision tools, along with features like Take A Break to help teens manage their time on the app.
  • YouTube has turned off autoplay by default and turned on take-a-break and bedtime reminders by default for under-18s.
  • Google has enabled anyone under 18 (or their parent/guardian) to request to remove their images from Google image search results, location history cannot be enabled by Google accounts of under 18s, and they have expanded safeguards to prohibit age-sensitive ad categories from being shown to these users.
  • Nintendo only allows users above 16 years of age to create their own accounts and set their own preferences.

In the US, the Children’s Advertising Review Unit, (CARU), has found Tilting Point Media, owner and operator of the SpongeBob: Krusty Cook-Off app, in violation of COPPA and CARU’s Self-Regulatory Guidelines for Advertising and Children’s Online Privacy Protection. As the operator of a mixed-audience child-directed app, Tilting Point must ensure either that no personal information is collected, used, or disclosed from users under age 13, or that notice is provided and verifiable parental consent is obtained before such collection, use, or disclosure. Tilting Point does have an age screen on its app; however, it did not prevent CARU from using the app as a 10-year-old child, agreeing to Tilting Point’s terms of service and privacy policy, and consenting to the processing of data to receive “personalized” advertising. The app’s non-declinable privacy policy and terms of service provide that the user must be at least 13 years old to use the company’s product, but the age gate does not prevent a child from checking those boxes and playing the game.

In Australia, a Sydney high school is requiring students to scan their fingerprints if they wish to use the WC. Some parents say they weren’t asked for consent to take their children’s fingerprints, and one mother has requested that her daughter’s fingerprints be deleted from the system. The education department offered biometric technology to stop vandalism and anti-social behaviour in the toilets. It also stated, “The use of this system is not compulsory. If students or parents prefer, students can also access the toilets during those times by obtaining an access card from the office”. Issues surrounding biometric data and consent have not been extensively tested in the Australian courts. Other schools across New South Wales have used the technology for several years for students to mark their attendance. Yet New South Wales state police cannot conduct forensic procedures such as obtaining fingerprints without a person’s informed consent or court order. 

The post Data protection & privacy digest 30 Aug – 12 Sep 2022: the US hosting provider in the EU, Google Fonts claims, Children’s Code appeared first on TechGDPR.