algorithms Archives - TechGDPR https://techgdpr.com/blog/tag/algorithms/

Data protection digest 3 – 17 May 2024: Wi-Fi tracking, exam monitoring, data theft and extortion https://techgdpr.com/blog/data-protection-digest-20052024-wi-fi-tracking-exam-monitoring-data-theft-and-extortion/ Tue, 21 May 2024 10:04:16 +0000

The post Data protection digest 3 – 17 May 2024: Wi-Fi tracking, exam monitoring, data theft and extortion appeared first on TechGDPR.

In this issue, we explore the privacy implications of emerging technologies in commerce, education, industries and the workplace, such as Wi-Fi tracking, content moderation and algorithmic management.


Wi-Fi tracking

The Spanish data protection regulator AEPD has published guidelines for personal data processing activities that incorporate Wi-Fi tracking technologies. Wi-Fi tracking identifies and follows mobile devices based on the Wi-Fi signals they emit (in practice, the hardware address a device broadcasts when it probes for networks), detecting their presence in a given area and deriving movement patterns. Practical uses include shopping malls, museums, public spaces, transit and large events, where it serves to assess capacity, analyse traffic flows and measure dwell times.

Because the technology makes it possible to follow people’s movements without their knowledge and, potentially, without a valid legal basis, Wi-Fi tracking can cause significant privacy problems. Given these risk factors, a prior Data Protection Impact Assessment (DPIA) must be completed, even though the person in charge of the tracking may not be fully aware of that responsibility. Using these technologies also requires easily understandable information to be provided through, among other things, voice announcements, public signs, visible information panels and information campaigns.
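As an added example, not taken from the AEPD guidance or from this digest: a minimal Python pipeline over constructed probe-request sightings that produces the metrics the paragraphs above list (dwell time, movement path and zone occupancy), together with the two controls a practitioner would want around such a deployment. The raw MAC address is replaced by a keyed, day-scoped pseudonym, so the stored dataset cannot be linked across days or reversed without the operator's secret, and randomised (locally administered) MAC addresses, which modern phones use while probing, are flagged because they otherwise inflate visitor counts. The record layout, zone names and the secret are assumptions made for this example.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed sample of probe-request sightings: (ISO timestamp, source MAC,
# sensor zone). The record layout is an assumption for this example; a real
# deployment would populate it from the sensors' capture logs.
SAMPLE_PROBES = [
    ("2024-05-10T10:00:05", "a4:c3:f0:11:22:33", "entrance"),
    ("2024-05-10T10:04:40", "a4:c3:f0:11:22:33", "atrium"),
    ("2024-05-10T10:31:10", "a4:c3:f0:11:22:33", "food-court"),
    ("2024-05-10T10:02:00", "3c:22:fb:00:00:01", "entrance"),
    ("2024-05-10T10:03:30", "3c:22:fb:00:00:01", "entrance"),
    ("2024-05-10T10:10:00", "02:12:34:56:78:9a", "atrium"),     # randomised MAC
    ("2024-05-11T09:15:00", "a4:c3:f0:11:22:33", "entrance"),   # same phone, next day
]

# Operator secret, constructed for the example. In production it would live in
# a key store and never be written next to the data it protects.
DEMO_SECRET = b"rotate-me-and-keep-me-out-of-the-dataset"


def is_randomised_mac(mac: str) -> bool:
    """True when the locally-administered bit of the first octet is set.

    Phones set this bit on the random MAC addresses they use while probing,
    so such addresses cannot be assumed to identify one device across
    sessions and will inflate unique-visitor counts if taken at face value."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def pseudonymise(mac: str, day: str, secret: bytes) -> str:
    """Keyed, day-scoped pseudonym for a MAC address.

    The same device on the same day yields the same token, so dwell time and
    paths can still be computed. The next day the token changes, so visits
    cannot be chained across days, and without the secret the token cannot be
    reversed by brute-forcing the 2^48 MAC space as a plain hash could be."""
    day_key = hmac.new(secret, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def analyse(probes, secret):
    """Return per-token dwell/path metrics and per-zone occupancy counts."""
    sightings = defaultdict(list)           # token -> [(time, zone, randomised?)]
    for ts, mac, zone in probes:
        day = ts[:10]
        sightings[pseudonymise(mac, day, secret)].append(
            (datetime.fromisoformat(ts), zone, is_randomised_mac(mac)))

    devices = {}
    occupancy = defaultdict(set)            # (day, zone) -> set of tokens
    for token, visits in sightings.items():
        visits.sort()
        first, last = visits[0][0], visits[-1][0]
        devices[token] = {
            "dwell_seconds": int((last - first).total_seconds()),
            "path": [zone for _, zone, _ in visits],
            "randomised_mac": visits[0][2],
        }
        for when, zone, _ in visits:
            occupancy[(when.date().isoformat(), zone)].add(token)

    return {
        "devices": devices,
        "occupancy": {k: len(v) for k, v in occupancy.items()},
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_PROBES, DEMO_SECRET)
    for token, info in report["devices"].items():
        print(token, info)
    print(report["occupancy"])
```

Note that the day-scoped key is what turns a persistent identifier into aggregate statistics: the operator still gets capacity and dwell figures, but a leaked dataset no longer allows anyone to recognise a returning visitor or to join the tokens against a MAC address captured elsewhere.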

Providing public Internet access

Many spaces offer internet access to their users: hotels, restaurants, media libraries, museums, transport, etc. According to the French regulator CNIL, those responsible for providing this access are subject to legal obligations to retain “traffic data” and to comply with data protection principles. “Traffic data” is technical information such as the IP address that can be used to identify the device used, the date, time and duration of each connection, or data that can be used to identify the addressee of a communication (e.g. the telephone number called).


In principle, this information should be erased or anonymised. However, some legal texts derogate from this rule by requiring bodies to keep it so that the police, gendarmerie and justice services can investigate and prosecute criminal offences. For what data should be kept and for how long, read the original guidance (in French).

Credit bureau databases

The information held in databases about the financial obligations of individuals may adversely affect their ability to obtain loan services, states the Latvian data protection authority DVI. To reduce credit risk, promote responsible and honest commitments and make credit information more effectively available, credit information bureaus collect a wide range of credit information on natural persons on the basis of powers specified in regulatory acts, within the time limits set by law.

As a result, the mere fact that an individual has not granted permission for their information to be included in such databases, or does not wish it to be collected, does not mean that personal data is being processed unlawfully. Normative acts specify in detail the sources from which a credit bureau obtains its data and the circumstances under which users of credit information are permitted to add details about personal debt to the database (such as late payments, court orders or client approval). Should an individual believe that inaccurate data is held in the database, they should contact the bureau or the source of the credit obligation information with a formal objection, attaching copies of the supporting documents.

More official guidance

AI application: The German data protection authorities have published joint guidance on AI and data protection. It is primarily aimed at those responsible for AI applications – developers, manufacturers and providers of AI systems. It covers many aspects of AI systems, from legal bases and transparency obligations to data subject rights, along with warnings regarding special categories of personal data and the need to check results for accuracy and discrimination. Finally, certain uses of AI applications may be inadmissible from the outset. For example, under the upcoming EU AI Act, “social scoring” and real-time biometric surveillance of public spaces are either completely prohibited or permitted only under very strict exceptional conditions.

Privacy-related survey: Meanwhile in Canada, a new survey states that 12% of businesses across the country collect personal information from minors. Although just 6% of Canadian companies say that they currently use AI, nearly a quarter indicated that they intend to use this emerging technology in the next five years. Actions that businesses report taking to manage their privacy obligations include:

  • designating a privacy officer (56%)
  • having procedures to deal with complaints (53%)
  • having internal privacy policies (50%)
  • having procedures to deal with access requests (50%)
  • providing staff with privacy training (33%)

Car and consumer data: The US Federal Trade Commission reminds us that while connectivity lets drivers do things like play their favourite internet radio stations or unlock their car with an app, connected cars can also collect a lot of data about people. Companies that feed consumer data (which may include sensitive information such as location or biometric data) into algorithms may be liable for harmful automated decisions (e.g. decisions affecting insurance rates). Finally, if a company gathers a lot of sensitive data and shares it with foreign parties, it may create national security problems.

Legal processes

Germany’s DSA adjustments: The German Digital Services Act (DDG) came into effect on 14 May, creating the national framework required to implement the EU Digital Services Act (DSA) effectively, including adjustments to jurisdiction and information duties, summarises a Taylor Wessing law blog. In particular, this requires changes to a website’s legal notice if it still expressly refers to the Telemedia Act and the Telecommunications Telemedia Data Protection Act, which no longer apply.

The DSA and its member-state implementing acts apply to all digital services across the EU. Among many other things, the DSA sets out rules for advertising on online platforms, including a ban on using certain personal data for advertising purposes. The national data protection authorities will generally enforce the rules in this area, together with the designated national regulatory authorities. Supervision of very large online platforms and very large online search engines, meanwhile, remains with the Commission in Brussels.

Combating child abuse online: On 15 May, an amending EU regulation extended until 3 April 2026 the derogation from the ePrivacy Directive that allows providers of so-called number-independent interpersonal communications services (e.g. messaging services) to use specific technologies to process personal and other data in order to detect online child sexual abuse on their services and to report and remove it. The prolongation also requires comprehensive reporting and comparable statistics to be submitted to the authorities and the Commission in a structured format.

Child safety online code of practice

In the UK, the communications regulator Ofcom sets out in its draft recommendations more than 40 practical steps that digital services must take to keep children safer: a) introduce robust age checks to prevent children from seeing harmful content; b) ensure that content-recommending algorithms do not operate in a way that harms children; c) filter harmful material out (a ‘safe search’ setting) or downrank it in recommended content, etc.

The new UK Online Safety Act imposes strict new duties on services (“user-to-user services” and “search services”) that can be accessed by children, including popular social media sites, apps and search engines. Firms must first assess the risk their service poses to children and then implement safety measures to mitigate it. In some cases this will mean preventing children from accessing all or part of a site or app. Some platforms will be required to publish annual transparency reports, including information about the algorithms they use and their effect on users’ experience, including that of children.


Algorithmic management abuse

Privacy International (PI) reports that companies are increasingly tracking their workers and deploying unaccountable algorithms to make major employment decisions over which workers have little or no control or understanding. While gig economy workers, content creators and warehouse operatives are at the sharp end of the algorithmic black box, opaque and intrusive surveillance practices are embedding themselves across many industries and workplaces. PI monitors and records these cases by country and by industry and catalogues the harms.

More enforcement decisions

Telephone operator: In Finland, the data protection regulator considers that a telecom operator has the right to keep the data of its mobile phone customers for three years after the end of the customer relationship. The time limit stems from the fact that, under the law, debts become time-barred after three years. If the information were deleted earlier, the company would have no opportunity to defend itself should a customer or other creditor make claims (invoicing disputes or complaints). In the related case, the customer had asked the telecom operator to delete all the data about him; the operator had refused, even though the customer relationship had ended more than ten years earlier.

Car rental: In the UK, a car rental management trainee was fined (approx. 800 euros) after unlawfully obtaining customer data. An internal audit found he had accessed over two hundred customer records relating to 25 different rental branches. He was dismissed for gross misconduct shortly thereafter. The company had not consented to him obtaining this data, stating that accessing the information fell outside his role and that there was no business need for him to do so.

Exam monitoring: The Danish data protection authority has completed an inspection of Roskilde Katedralskole’s use of examination monitoring software. The school did not carry out a sufficient risk assessment and as a result failed to ensure data protection by design. It should have taken into account that the examination and the monitoring took place on the student’s own computer, so students must be able to shield confidential information on that device from unintentional disclosure during exams. Policies could, for instance, advise students to use a separate browser for the test that does not retain their data.

Data security

Ransom attacks: The potential harm caused by recent ransom attacks is explained by the UK National Cyber Security Centre. Some groups have moved to ‘data theft and extortion only’ operations, without deploying ransomware or encrypting victims’ systems. These tactics, whether ransomware encryption or extortion only, show that cybercriminals will adopt whatever technology (or business model) lets them best exploit their victims.

For example, criminals employ ransomware attacks to disrupt logistics companies, which need their data to function, but favour extortion-only attacks against healthcare services, where patient privacy is paramount. In a “least-worst case” scenario the stolen data is system data (necessary for the victim’s IT operations to function); in the worst case, sensitive personal data (such as medical or legal information) is compromised. Read more about the main causes of security breaches here.

Health apps: According to Netskope’s recent analysis, the average user in the healthcare sector interacts with 22 cloud apps per month, while the top 1% of users (public and professional) engaged with 94 applications every month. Since its peak a year ago, the share of malware downloads delivered via cloud applications across all sectors has progressively declined to around 50% (the other half originates from standard websites). In the healthcare sector the trend is the reverse: cloud apps now account for nearly 40% of all malware downloads, up from roughly 30% a year earlier.

AZORult, Amadey and the NjRAT remote access trojan were three of the most common malware families targeting the healthcare industry.

Big Tech

Facebook/Instagram investigation: The European Commission has launched an investigation into Facebook and Instagram under the Digital Services Act. The suspected infringements cover Meta’s policies and practices relating to deceptive advertising and political content on its services. The Commission is also concerned about the non-availability of an effective third-party real-time civic discourse and election-monitoring tool ahead of the elections to the European Parliament, against the background of Meta’s scheduled shutdown (on 14 August) of its real-time public insights tool CrowdTangle without an adequate replacement.

The Commission also suspects that the mechanism for flagging illegal content on the services and the user redress and internal complaint mechanisms are not compliant with the requirements of the Act and that there are shortcomings in Meta’s provision of access to publicly available data to researchers. The opening of proceedings is based on a preliminary analysis of the risk assessment report sent by Meta in 2023. Read more allegations in the original publication.


Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU https://techgdpr.com/blog/data-protection-digest-18042023-us-data-transfers-and-ai-tools-occupy-eu/ Tue, 18 Apr 2023 09:29:34 +0000


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

US data transfers: A full parliamentary vote on the upcoming EU-US Data Privacy Framework is planned in the coming weeks. So far, a resolution adopted by Civil Liberties Committee MEPs argues that the European Commission should not grant the US an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the two. However this resolution will not be binding on the European Commission. 

MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide clear rules on data retention. The transparency and independence of the new redress mechanism for EU data subjects are also in question. Finally, the US Intelligence Community is still updating its practices on the basis of the framework, so an assessment of its impact on the ground is not yet possible, say MEPs.

CCPA/CPRA: The updated CCPA regulations have been approved by the state of California and come into effect in three months’ time. These revisions reflect the CCPA’s amendment by the California Privacy Rights Act of 2020, which added new business obligations addressing consumer rights regarding the sharing, sale and restriction of sensitive personal data, notices of information practices, user-enabled privacy controls, opt-out options, contractor and third-party contract requirements, and more.

Employee data: In its recent judgement the CJEU ruled on important aspects of data processing in the employment context, interpreting Art. 88 of the GDPR. The preliminary ruling concerns the lawfulness of a system for the live streaming of classes by videoconference introduced in state schools in Hessen (Germany) without the prior consent of the teachers. Art. 88 of the GDPR enables the national legislator to enact “more specific rules” on employee data protection. However, these must not be general clauses that simply repeat the GDPR’s provisions.

Instead, they should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing. For organisations and employers this means that in the absence of valid national provisions GDPR rules must be complied with, including the balancing tests for the appropriate legal basis for employee data processing, (employment contract, legitimate interest or consent). 

In response to the decision, the Hamburg data protection commissioner also stated that Section 23 of the Hessian data protection act does not constitute a ‘more specific rule’, and that the moment had arrived for a new federal employment data protection act. 

Automated employment tools: Meanwhile, on the other side of the Atlantic, the New York City Department of Consumer and Worker Protection promulgated its final regulations under the Automated Employment Decision Tools Law (AEDTL). Once enforced, the law will restrict employers’ ability to use machine learning, statistical modelling, data analytics or AI tools in hiring and promotion decisions within New York City. Employers who use automated employment decision tools must also disclose this to candidates before the tool is used, and must systematically undergo and disclose independent “bias audits”. Read the full analysis here.

EDPB guidance

A set of updated guidance and studies, along with the annual 2022 report, was published by the EDPB.

National administrative rules: The EDPB conducted a study on national administrative rules applicable when the national supervisory authorities carry out their duties under the One-Stop-Shop, (OSS), procedure. For instance, the requirements for the admissibility of complaints from individuals vary considerably from one country to another. Furthermore, the possibility to reach an amicable settlement between controllers or processors and complainants does not exist in all countries, and there is no clear indication of differing regulations’ impact on the OSS procedure. Finally, there is no convergence regarding the prior notification of forthcoming investigations or exercise of corrective powers. Read more challenges and possible solutions in the original publication.

Entities outside the EEA: Another study by the EDPB looks at the enforcement of GDPR obligations against entities established outside the EEA, (California, the UK and China). It aimed to analyse the possibilities available to enforce supervisory authorities’ investigative and corrective powers against third-country controllers/processors that fall under the scope of the GDPR but are not willing to cooperate with regulators and did not designate an EEA representative. This included the possibility to summon third-country controllers/processors to appear before the SA’s office, or in the SA’s national courts or tribunals, choice of jurisdiction and additional restrictive measures. 

Right of access: The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights and Art. 15 of the GDPR, says the EDPB’s latest guidance. The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier – but is not a condition – for the individual to exercise other rights such as the right to erasure or rectification. 

Personal data breach notification: The EDPB considers that complying with the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Breach notification should be seen as a tool for enhancing compliance. At the same time, failure to report a breach to either an individual or a supervisory authority may mean a possible sanction applicable to the controller. Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach.

Lead supervisory authority: The EDPB has noticed that there was a need for further clarifications, specifically regarding the notion of main establishment in the context of joint controllership and taking into account the concepts of controller and processor in the GDPR. Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity in terms of which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR. 

The most complex situations are when it is difficult to identify the main establishment or to determine where decisions about data processing are taken. This might be the case where there is cross-border processing activity and the controller is established in several Member States, but there is no central administration, or none of the EEA establishments is taking decisions about the processing.

Other official guidance

Generative AI risks: The UK privacy regulator, the ICO, poses eight questions about generative AI that developers and users need to answer. The EU legal backlash against ChatGPT is just the beginning of the journey, states the analysis, and organisations developing or using generative AI should consider their data protection obligations from the outset, taking a data protection by design and by default approach. This isn’t optional: if you’re processing personal data, it’s the law (and data protection law still applies when the personal information you’re processing comes from publicly accessible sources):

  • Are you a controller, joint controller or processor? 
  • What is your lawful basis for processing personal data? 
  • How will you comply with individual rights requests? 
  • How will you limit unnecessary processing? 
  • How will you mitigate security risks? 
  • Have you prepared a Data Protection Impact Assessment? 
  • Will you use generative AI to make solely automated decisions? 
  • How will you ensure transparency?

To know more, see the ICO publication.

AI-assisted employment: Meanwhile the Spanish data protection authority AEPD explains how to apply AI tools in employment activities. In essence, the data controller decides when designing the process whether or not to include an additional step of human review of the results produced by the AI system. AI systems form part of the nature of the processing when they are included in any of the operations necessary for its explicit purpose, whether implemented locally or in the cloud, on mobile systems, by outsourced processors, etc. Consequently, whether decision-making is automated is not a property of the AI system itself but of how the controller designs the processing around it.

For example, the procedure to guide candidates to complete an application form where they would include their CVs could be implemented using a chatbot. In addition, the number of applications, and therefore the number of CVs, could be so large that the manager could decide to use an AI system for the automatic selection of the most interesting CVs, according to certain criteria that the manager should also establish. The manager could go further and implement the evaluation of the candidates through another AI system that performs and evaluates the tests for the previously selected candidates. 

Sports industry: A large amount of personal data, including special categories, is generated in digitised sports, states the German federal data commissioner. Unless such data is anonymised so comprehensively that it is impossible to trace it back to individual athletes, the data protection rules on purpose limitation, storage limitation, lawfulness, data minimisation, transparency and data security apply. This extends to all bodies and organisations that process athletes’ personal data: coaches, associations, doping agencies, sports facility operators, scientific institutes, doctors, laboratories, consultants, agents, and sometimes also sponsors, betting shops or even manufacturers of hardware and software.

Investigations and enforcement decisions

Data breach statistics: The Guernsey data protection agency ODPA published the latest personal data breach statistics: Nearly 10 million people were reported to be affected by 38 personal data breaches from January to March. Reportedly, the majority of those were customers of a UK-based company which was the victim of a large cyber-attack. Although the company is not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers are based. Additionally, the most striking examples of personal data breaches involved:

  • people using personal email accounts to send work-related information (email providers are outside the organisation’s control, so its usual security policies do not apply and it does not know what its data is being used for);
  • accounts or devices shared by couples (the boundaries of your personal life and your job intersect in a way that is not helpful for you or your workplace, which means information could fall into the wrong hands).

Failed data subject right of access: Following a complaint, the Spanish AEPD fined Banco Bilbao Vizcaya Argentaria (BBVA) 84,000 euros, according to Data Guidance. Despite having ceased to be a client of BBVA in 2012, the complainant discovered in 2021 that two debts were registered in their name in the Bank of Spain’s Risk Information Center. Regarding the exercise of the right of access, the AEPD explained that BBVA had asked the complainant for additional details in order to retrieve the recordings, which constituted an unfair burden on the data subject for the fulfilment of their request.

In another recent enforcement decision by the AEPD, the claimant requested access to the images from the video surveillance system located at a commercial centre. Unable to find a way to make a request in person, the claimant submitted one via electronic means of communication, (using the company’s marketing email address). This email address is not related to the processing of personal data nor was the means of contact enabled for the exercise of any rights. However, the company responded only to state that such access was not possible, except when there is a prior complaint, or when requested by the police or authorised personnel. The regulator found that the right of access of the complainant to their personal data was not respected, as established in Art. 15 of the GDPR.

Data security

Established cooperation: A long-term relationship between a controller and a processor does not guarantee data security, states the Polish privacy regulator UODO. In the related case, verification of the processor’s competence had not been formalised: it consisted of an interview, and the services the entity provided (a file depository service) had raised no objections from the controller. The explanations of both the controller and the processor indicated that they applied only the controller’s internal regulations (the Personal Data Protection Policy). The absence of any risk analysis resulted in the selection of inadequate measures.

The mere signing of a contract for entrusting the processing of personal data without proper assessment of the processing entity cannot be considered as fulfilment of the data security obligation. The determinant for such an assessment cannot be only long-term cooperation and the use of the services of a given processor. In the opinion of UODO, positively assessed cooperation may only be a starting point when verifying whether the processing entity provides sufficient guarantees for the implementation of appropriate technical and organisational measures. 

Certifying employees’ qualifications: The Hungarian data protection agency NAIH publishes detailed recommendations on how to handle documents certifying employees’ qualifications according to the data protection requirements. The employer may require the employee to present a document in its legitimate interest. The employer can also keep their own, internal records of the education of each employee, the date and the method of proof of education. However, “objective evidence”, (as defined in ISO 9000:2015 Quality management systems), needs to be supported by documented information.

A copy of a document certifying education or training does not have the power to prove that it is an authentic copy of a valid public document, so it is not suitable for establishing the authenticity of the data contained therein, and it may include additional unnecessary personal information.

Instead, the organisation may prepare a note or protocol stating that the given employee presented the original documents certifying their education, the relevant data of which is now recorded by the organisation, (eg, serial number of the document, date of qualification).

Tracking pixels: The Norwegian data protection authority encourages all Norwegian websites to review their sites for tracking pixels and other tracking technologies. Recent media reports revealed that a large number of European online pharmacies had shared customers’ personal data through such technologies. For website users this is potentially a major privacy risk, while for the websites it poses a significant legal and reputational risk. Unless the business has assessed the tools, has an overview of the data flow and is confident that their use is in line with privacy rules, the trackers should simply be removed.
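One way to carry out the review the regulator asks for, as an added example that is not part of the Norwegian DPA’s publication or of this digest: a small Python scanner, using only the standard library, that parses a constructed pharmacy page and lists every image, script and iframe loaded from a host outside the site’s own domain. It additionally flags hidden one-pixel images and third-party requests whose query string carries page data (here, a constructed order item), which is the pattern by which a customer’s purchase ends up with a third party. The sample HTML, the hostnames (on the reserved .test domain) and the first-party domain are assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a fictitious pharmacy (not taken from the digest
# or from any real site); hostnames use the reserved .test TLD.
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://connect.social-network.test/sdk.js"></script>
</head><body>
  <img src="https://www.example-pharmacy.test/logo.png" width="200" height="60">
  <img src="https://track.ad-network.test/px?order=123&amp;item=insulin"
       width="1" height="1" style="display: none">
  <iframe src="https://analytics.third-party.test/collect" width="0" height="0"></iframe>
  <noscript><img src="https://www.another-tracker.test/pixel.gif" width="1" height="1"></noscript>
</body></html>
"""

FIRST_PARTY_DOMAIN = "example-pharmacy.test"   # assumed for the example


class ResourceCollector(HTMLParser):
    """Collect every resource an <img>, <script> or <iframe> element loads."""

    def __init__(self):
        super().__init__()
        self.resources = []                 # list of (tag, attribute dict)

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = dict(attrs)
        if a.get("src"):
            self.resources.append((tag, a))


def is_first_party(host, domain):
    """Relative URLs (no host), the domain itself and its subdomains are first party."""
    return host is None or host == domain or host.endswith("." + domain)


def find_trackers(html, first_party_domain):
    """Return the resources a reviewer should look at, each with the reasons.

    Reasons: 'third-party' (loaded from another domain), 'hidden-pixel'
    (0/1 pixel or display:none, the classic beacon shape) and 'query-data'
    (a third-party request whose query string carries page-specific values)."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, a in parser.resources:
        url = urlparse(a["src"])
        reasons = []
        if not is_first_party(url.hostname, first_party_domain):
            reasons.append("third-party")
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "")
        if tiny or hidden:
            reasons.append("hidden-pixel")
        if url.query and "third-party" in reasons:
            reasons.append("query-data")
        if reasons:
            findings.append({"tag": tag, "host": url.hostname,
                             "src": a["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_trackers(SAMPLE_HTML, FIRST_PARTY_DOMAIN):
        print(f"{f['tag']:6} {f['host']:32} {', '.join(f['reasons'])}")
```

A static scan of the served HTML is the starting point, not the whole review: scripts loaded from a third party can inject further beacons at runtime, so the list of hosts produced here should be compared against the network requests a real browser makes on the same page before the inventory of data flows is considered complete.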

Cyber risk management: The German Federal Office for Information Security has updated its manual on ‘Management of Cyber Risks’. It is dedicated to a comprehensive corporate culture that takes cyber security into account at all times, with the aim of increasing the resilience of companies. As cyber security starts with senior management, IT managers need the necessary support and the right understanding on the part of company management. The guide formulates six basic principles that support management and supervisory boards when considering cyber risks:

  • Understanding cyber security as a component of company-wide risk management.
  • Understanding and closely examining the legal implications of cyber risks.
  • Ensuring access to cyber security expertise and regular exchange.
  • Implementing suitable frameworks and resources for cyber risk management.
  • Preparing risk analysis based on business risk appetite, goals and strategies.
  • Encouraging company-wide collaboration and sharing of best practices.

Big Tech

Meta binding decision: The EDPB adopted a dispute resolution concerning a draft decision of the Irish data protection authority DPC on the legality of data transfers to the US by Meta Ireland for its Facebook service. The decision will be announced soon and may constitute an order on blocking Facebook’s transatlantic data flows. The Irish regulator shall adopt its final decision, addressed to Meta Ireland, on the basis of the EDPB binding decision and taking into account the EDPB’s legal assessment, at the latest one month after the EDPB publishes its decision. 

In January this year the DPC, also instructed by the EDPB, ordered Meta to pay a hefty fine for making users accept targeted ads and directed it to bring its processing operations into compliance with the GDPR within a period of 3 months. The EDPB also directed the DPC to conduct a fresh investigation of all of Facebook and Instagram’s data processing operations, which would examine special categories of personal data that may or may not be processed. However, the DPC stated that the EDPB is not entitled to instruct and direct a national authority to engage in a new “open-ended and speculative” investigation.

TikTok privacy fine: Finally, the UK fined TikTok 12.7 million pounds for misusing children’s data. More than one million British children under 13 were estimated to be on TikTok in 2020, contrary to its terms of service. As a result, personal data belonging to children was used without parental consent. TikTok “did not do enough” to check who was using its platform and take sufficient action to remove underage children. Since the conclusion of the investigation of TikTok, the ICO has published a statutory Children’s Code to help online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children.

The post Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU appeared first on TechGDPR.

Data protection & privacy digest 4 – 17 March 2023: position of DPOs, user behavior analysis, creditworthiness and profiling https://techgdpr.com/blog/data-protection-digest-20032023-position-of-dpos-user-behavior-analysis-creditworthiness-and-profiling/ Mon, 20 Mar 2023 10:37:07 +0000 https://s8.tgin.eu/?p=6452

TechGDPR’s review of international data-related stories from press and analytical reports.

  Legal processes and redress

DPOs enforcement action: The EDPB launches coordinated enforcement action on the designation and position of data protection officers. DPOs across the EU will be sent questionnaires, with the possibility of further formal investigations and follow-ups. According to the Portuguese data protection agency, it will ask DPOs to voluntarily participate in the action, and they do not have to identify themselves or the organisation concerned. The Spanish privacy regulator says it will analyse the practices of tens of thousands of public and private sector entities (education, banking, health, security, financial solvency, etc.).

The questions will relate, among others, to the designation, knowledge, and experience of the data protection officers, their tasks, and resources. Special attention will be paid to the independent and effective performance of the tasks of the DPO, and their possible conflicts of interest (where they exercise additional functions of compliance officers, IT managers, etc.), explains the Bavarian data protection supervisor. The requirement for DPOs to report directly to the highest management level of the controller or processor, and their operating conditions (based on organisational charts, annual reports, etc.), will also be checked.

UK Data Protection reform resumes: The Data Protection and Digital Information Bill was reintroduced in the House of Commons. Following a rapid change in the UK government last summer, the reading of the old document did not occur as expected. Much of the new bill is the same as the withdrawn one. The new document also followed a detailed co-design process with industry, business, privacy, and consumer groups. It would reduce burdens on companies and researchers and boost the economy by 4.7 billion pounds over the next decade. The research briefing on the draft reform bill is available here.

Creditworthiness and profiling risks: The CJEU’s Advocate General suggests that the automated establishment of the ability of a person to service a loan constitutes profiling under the GDPR. In the related case, a German company governed by private law (SCHUFA) provided a credit institution with a score for the citizen in question, which served as the basis for a refusal to grant credit. The citizen requested that SCHUFA erase the entry concerning her and grant her access to the corresponding data. The latter merely informed her of the relevant score and of the principles underlying the calculation method, without informing her of the specific data included, arguing that the calculation method is a trade secret. Other related cases concerned the lawfulness of the storage of citizen data from public registers (on discharge from remaining debts) by credit information agencies.

Official guidance

Data subject access rights: The Latvian data protection agency DVI explains what the right to access your data means. Every natural person has the right to obtain accurate information about their data (or a copy of it) held by an organisation. For example, a person participated in a job interview and did not pass the rounds of applicant selection. In order to find out whether or not the company has stored personal data, the person can contact the company and ask, and if this is the case, demand an explanation of the purpose for which it is processed. The individual must first contact the organisation using the communication channels or methods specified in the privacy policy. The request should be as clear as possible, and include:

  • identifying information of the requester (the organisation has the right to ask for additional information, so the person can be identified correctly);
  • an indication whether the information is desired for all data or for a specific case;
  • an indication of the period for which information is to be provided;
  • precise requests referring to all or any of the above questions.

The organisation may refuse the request if it was already answered or is disproportionately large, if the requester cannot be identified, or if the information is covered by other regulatory acts. But if the organisation does not respond to the request within a month, and does not provide the information (or the reasons for refusal), the person has the right to file a complaint with the data protection authority.

Dematerialised receipts: The French privacy regulator CNIL looked at dematerialised receipts that merchants can offer you in place of traditional printed ones. You must still have the choice of whether or not to receive it (via email or SMS), as dematerialisation is not provided for by law. Dematerialised receipts allow the merchant to collect and reuse your data for advertising, but they must respect your rights by asking for your consent or by allowing you to opt out. If a merchant offers the retrieval of your receipt by scanning a QR code with your smartphone, only the technical data necessary to establish the connection between the devices should be collected. Finally, the creation of a loyalty or online account is not mandatory to obtain your receipt.

User and Entity Behavior Analysis: UEBA techniques have a multitude of applications that always have something in common: recording user behavior in the past, then modeling this behavior in the present, and, if possible, predicting what it will be like in the future. According to the Spanish privacy regulator AEPD, techniques used online collect massive amounts of data and almost always apply machine learning or AI. Users are always people, entities can be animals, vehicles, mobile devices, sensors, etc. The application of these techniques depends on the specific application domain, since it may be interesting to analyse the individual behavior of people or their behavior from a social perspective in three main domains: 

  • service and marketing optimisation; 
  • cybersecurity; 
  • health and safety.

When personal data is processed, the principles established in the GDPR are mandatory, including transparency, data minimisation, and purpose limitation. But in many cases, users are not informed about the types of techniques that are being used, the depth of the treatment, the scope of data sharing, or the potential impact that a data breach may have.

Algorithmic fairness: The UK privacy regulator ICO decided to update its guidance to help organisations adopt new technologies while protecting people and vulnerable groups. New content was added on AI and inferences, affinity groups, special category data, as well as things to consider as part of your DPIA. The updated guidance explains the differences between fairness, algorithmic fairness, bias, and discrimination. It also explains the different sources of bias that can lead to unfairness and possible mitigation measures. There is a new section about data protection fairness considerations across the AI lifecycle, from problem formulation to decommissioning. Technical terms are also explained in the updated glossary.

Enforcement decisions

Irish queries: The Irish data protection authority DPC in its 2022 report stated that the most frequent GDPR topics for queries and complaints were: access requests, fair processing, disclosure, direct marketing, and the right to be forgotten (delisting and/or removal requests). At the same time, breach notifications were down 12% on 2021 figures. The most frequent cause of breaches reported arose as a result of correspondence inadvertently being misdirected to the wrong recipients, at 62% of the overall total. Where possible the DPC endeavoured to resolve individual complaints informally – as provided for in the Data Protection Act 2018. Overall, the DPC concluded 10,008 cases in 2022, of which 3,133 were resolved through formal complaint handling.

Medical research data: The French privacy regulator CNIL reminds two medical research organisations of their legal obligations – to carry out an impact assessment on data protection and to properly inform individuals. Health research must be authorised by the CNIL or comply with a reference methodology. These methodologies require a DPIA to be carried out before starting the research. A single analysis may cover a set of processing operations that present similar risks (eg, similar projects using the same IT tools).

Information notices provided by the two organisations also did not specify the nature of the information collected or its retention period, contact details of the data protection officer or the procedures for appealing to the CNIL. Finally, an information notice stated that the data was anonymised, which was not the case since the identity of the patients was only replaced by a three-digit “patient number” and a “patient code” composed of two letters corresponding to the first initial of the name and surname of the person concerned.

Political affiliation data: In Romania, a political party was fined following a data breach notification. The data stored on an operator’s server hosting an application became the subject of a phishing attack. It was found that the operator did not implement adequate technical and organisational measures to ensure an appropriate level of security, such as the encryption/pseudonymisation of stored personal data, which led to a loss of confidentiality through unauthorised access to and use of personal data such as name, surname, personal number code, e-mail, telephone number, and political affiliation data.

Non-conformant data breach notice: The Norwegian data protection authority Datatilsynet imposed a fine of approx. 220,000 euros on the US company Argon Medical Devices for breaching the GDPR. In July 2021, Argon discovered a security breach that affected the personal data of all their European employees, including in Norway. Argon believed that they did not need to report the security breach until after they had a complete overview of the incident and all its consequences. The US company sent a notice to the Norwegian regulator only in September 2021, long after the 72-hour deadline for reporting a breach under Art. 33 of the GDPR. The security breach concerned personal data that could be used for fraud and identity theft.

Data Security

PETs: The OECD offers guidance on emerging privacy-enhancing technologies – digital solutions that allow information to be collected, processed, analysed, and shared while protecting data confidentiality and privacy. This often includes zero-knowledge proofs, differential privacy, synthetic data, anonymisation, and pseudonymisation tools, as well as homomorphic encryption, multi-party computation, federated learning, and personal data stores. However, the majority of these tools lack standalone applications, have limited use cases, and are still in the early stages of development.

Big Tech

Meta and Dutch users: Facebook Ireland acted unlawfully when processing the personal data of Dutch users, states an Amsterdam court. Between 2010 and 2020, users’ personal information was processed illegally for marketing purposes. Additionally, it was distributed to third parties devoid of legal justification and without properly informing users about it. Also, consent was not obtained before processing sensitive personal data for advertising purposes, such as sexual orientation or religion. This concerned both information voluntarily provided by users and information that Facebook Ireland collected by observing users’ online browsing patterns outside the Facebook service. 

Meta tracking tools: According to the Austrian data protection authority DSB, the use of Facebook’s tracking tools (Login and Meta Pixel) is a violation of both the GDPR and the “Schrems II” ruling. As a result of US surveillance laws requiring companies, like Facebook, to disclose users’ information to the authorities, the CJEU determined in 2020 that using US providers violates the GDPR.  According to the NOYB foundation, which launched the complaint, numerous websites track users using Meta tracking technology to display personalised ads. Websites using this technology also send all user data to US multinationals. And while the EU-US Data Privacy Framework is waiting for approval from the European Commission, the US government continues bulk surveillance of EU users. 

Meta’s WhatsApp settlement in the EU: The European Commission and the European network of consumer authorities have closed their investigation into Meta’s messaging app WhatsApp following a complaint made by the BEUC, (the European Consumer Organisation). WhatsApp has committed to better explain the policy changes it intends to make and to give users a possibility to reject them as easily as to accept them. Unfortunately, this will only apply to future changes to the app. However, the complaint identified multiple breaches of consumer and data subject rights since 2021 including aggressive commercial practices, and unclear and misleading terms of use and notices to its users. 

Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts https://techgdpr.com/blog/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt/ Mon, 28 Mar 2022 08:51:48 +0000 https://s8.tgin.eu/?p=5609

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: new EU-US data transfer deal, Digital Markets Act, China’s algorithmic rules

The EU and US have announced a new preparatory data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two previous agreements due to America’s governmental surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US will need to prepare their executive order, and then the EU must complete internal consultation in the Commission and within the EDPB. So far the White House has released a fact sheet on the new deal, which addresses the CJEU ‘Schrems II’ decision concerning US law governing signals intelligence activities:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

Earlier last week, EU privacy experts raised their concerns over the lack of details of the deal. Austrian privacy activist Max Schrems, who started a long-running dispute with Meta/Facebook (resulting in the invalidation of the EU-US Privacy Shield data transfer framework), stated: “The final text will need more time, once this arrives we will analyze it in-depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it.” The legal stance over transatlantic data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as Google Analytics, Google Fonts, and Stripe, along with long-standing and multilayered complaints against Meta/Facebook, TechCrunch sums up.

Meanwhile, sweeping new digital rules targeting US tech giants will likely come into force in October, EU antitrust chief Margrethe Vestager informed. The rules proposed a year ago in the Digital Markets Act set out a list of dos and don’ts for Amazon, Apple, Meta, Google, Microsoft, and others. Fines for violations will reportedly range from 10% of a company’s annual global turnover to 20% for repeat offenders, who could face an acquisition ban. Companies that are designated as online gatekeepers (intermediation services, social networks, search engines, operating systems, advertising services, cloud computing, video-sharing services, web browsers and virtual assistants), which control access to their platforms and the data generated there, will have six months to comply with the new rules.

In China, the provisions on the administration of algorithmic recommendations in the Internet Information Service became effective as of March, the Chinalawupdate blog reports. It refers to the application of any algorithmic technology, including without limitation generation and synthesis, individualized push, sorting and selection, searching and filtering, and scheduling and decision-making, to provide information to users. Among many provisions, it requires:

  • algorithmic system and mechanism review, science and technology ethics review,
  • user registration, information release review, data security protection,
  • anti-telecom network fraud, security evaluation, monitoring, and incident emergency plan,
  • informing users about its provision of algorithmic recommendation service, and notifying the public, in an appropriate manner, of the basic principles, the purpose and intention, and the main operation mechanism, 
  • providing users with options that are not customized based on the users’ individual characteristics, or the option to conveniently close the algorithmic recommendation service, etc.

Official guidance: workplace monitoring

The Norwegian data protection authority Datatilsynet has issued workplace monitoring guidance (in Norwegian). These activities must take into account important data protection criteria such as providing information about the processing to jobseekers and employees, facilitating data subject rights, deleting the information when no longer necessary, and having satisfactory information security and internal control of their data. In one of the examples, automatic forwarding of e-mails is considered continuous monitoring of the employee’s use of electronic equipment and is not allowed. Monitoring of an employee’s use of electronic equipment is prohibited, and can only exceptionally take place if the purpose is to administer the company’s computer network or to detect or resolve security breaches in the network. The guide also contains provisions for background checks during the recruitment process, access to e-mail and other electronically stored materials, and camera surveillance in the workplace.

Data breaches and enforcement actions: online retailer, third party provider, school’s trade union, insurance company

The American online retailer of stock and user-customized on-demand products CafePress is to pay half a million dollars for FTC violations, DLA Piper reports. The online platform failed to secure consumers’ sensitive personal data collected through its website and covered up a major breach. This included:

  • Storing personal information in clear, readable text.
  • Maintaining lax password policies that allowed, for example, users to select the same word, including common dictionary words, as both the password and user ID.
  • Failing to log sufficient information to adequately assess cybersecurity events.
  • Failing to comply with existing written security policies.
  • Failing to implement patch policies and procedures.
  • Storing personal information indefinitely without a business need to do so, etc.

In 2019, a major data breach exposed millions of emails and passwords, addresses, security questions, and answers as well as a smaller number of social security numbers, partial payment card numbers, and expiration dates of the customer accounts. This information was later discovered for sale on the dark web. The company patched the vulnerability but allegedly failed to properly investigate the breach and notify the affected customers. Read more analysis of the case by the Workplace Privacy Report article.

The US authentication firm Okta has admitted that hundreds of customers may have been impacted by a prolific hacking group’s attack via a third-party provider, Infosecurity Magazine reports. The ransom group Lapsus shared screenshots in January which purportedly showed “superuser” access to an internal Okta desktop. The attackers did have access to a third-party support engineer’s laptop for a five-day window. Okta initially said the matter with the sub-contractor was investigated and contained, BBC reports. Similarly, none of Okta’s clients, such as Cloudflare, FedEx and Thanet, have reported any issues.

Cyprus’s data protection commissioner fined the English School 4,000 euros for failure to implement sufficient technical and organisational security measures to prevent a data breach, Data Guidance reports. The investigation related to the unauthorized access and use of the email addresses of the students’ parents and guardians by the school’s staff union ESSA. In particular, a school professor who was also the president of the ESSA sent an email to all parents/guardians and to the staff for purposes other than those for which said email addresses were originally collected, and without the parents/guardians being informed of such use. The regulator ruled that, irrespective of the responsibility of the school professor and the ESSA, the English School, as a data controller, did not apply sufficient security measures under Art. 32 of the GDPR. ESSA, as a separate joint controller, was also fined 5,000 euros.

The Icelandic data protection authority ruled in a case about an insurance company’s processing of personal data following a claim for compensation. There were complaints about the insurance company’s disclosure of the plaintiff’s personal data to an expert who prepared a report on the speed and impact of a traffic incident that the plaintiff had encountered. There were also complaints about the insurance company’s use of the report in question when assessing the claim for compensation against the company. The plaintiff argued that the insurance company was not authorized to administer the further use of the report data and that it did not take care to inform the individuals or obtain their consent. The data protection authority concluded that the above processing activities were in accordance with the law, based in particular on a contract (Art. 28 of the GDPR). However, since the complainant was not informed or educated about the transfer of the data to the specialist and its processing, the regulator found that the company did not comply with the information and transparency obligations (Art. 13 of the GDPR).

Data security: pseudonymisation in the health sector

The European Union Agency for Cybersecurity has published guidance on deploying pseudonymisation techniques in the health sector. From a cybersecurity point of view, the confidentiality, availability, and integrity of medical data and relevant infrastructure are considered essential in order to be able to provide timely, appropriate, and uninterrupted medical care. This is also highlighted by the NIS Directive, which categorizes the health sector as an operator of essential services and calls for minimum security requirements to ensure a level of security appropriate to the level of risk presented. Furthermore, the GDPR distinguishes, in Art. 9, data concerning health as a special category of data, and sets out additional requirements and stricter obligations for processing and protecting such data. Lastly, the Medical Devices Regulation imposes requirements regarding the safety, quality, and security of medical devices in order to achieve a high common level of safety. Case studies in the report include:

  • exchanging patients’ health data,
  • clinical trials,
  • patient-sourced monitoring of health data.
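Both the CNIL case above (a “patient code” built from initials and a three-digit number, presented as anonymised) and the ENISA pseudonymisation guidance come down to one question: what does the pseudonym reveal to someone who does not hold a key? This added Python example, not code from CNIL, ENISA or TechGDPR, contrasts the initials scheme with keyed (HMAC-SHA256) pseudonymisation of the kind ENISA describes; the patient roster, the demo key and all function names are constructed for illustration.

```python
"""Pseudonym quality check (added example; not code from CNIL, ENISA or TechGDPR).

Contrasts the weak 'patient code' from the CNIL case (initials plus a
three-digit number, presented as anonymised) with keyed pseudonymisation
as described in the ENISA health-sector guidance: an HMAC over a canonical
identifier, computed with a secret key held by a separate party.
"""
import hashlib
import hmac
import secrets

# Constructed roster of fictitious patients for the demonstration.
PATIENTS = [
    ("Alice", "Martin"),
    ("Bernard", "Durand"),
    ("Amelie", "Moreau"),
    ("Claire", "Dubois"),
]

# Constructed demo key so the output is reproducible; a real deployment
# would use generate_key() and keep the key away from the research team.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def initials_code(first: str, last: str, number: int) -> str:
    """The scheme criticised by the CNIL: two initials plus a 3-digit number."""
    return f"{first[0].upper()}{last[0].upper()}{number:03d}"


def initials_leak(code: str) -> tuple:
    """What any holder of such a code learns without any key: the initials."""
    return (code[0], code[1])


def candidates_for_code(code: str, roster) -> list:
    """Roster entries whose initials match the code.

    The code needs no secret to interpret, so whoever also holds a patient
    or staff list can narrow it down to a handful of people; that is why
    the CNIL did not accept it as anonymisation.
    """
    first_initial, last_initial = initials_leak(code)
    return [
        p for p in roster
        if p[0][0].upper() == first_initial and p[1][0].upper() == last_initial
    ]


def canonical_identifier(first: str, last: str, domain: str) -> bytes:
    """Normalise the identifying fields so spelling variants map to one value.
    'domain' (e.g. a study name) makes pseudonyms unlinkable across projects."""
    return f"{first.strip().lower()}|{last.strip().lower()}|{domain}".encode("utf-8")


def generate_key() -> bytes:
    """Fresh 256-bit pseudonymisation key, to be stored separately from the data."""
    return secrets.token_bytes(32)


def keyed_pseudonym(first: str, last: str, key: bytes, domain: str) -> str:
    """HMAC-SHA256 pseudonym: deterministic with the key, meaningless without it."""
    mac = hmac.new(key, canonical_identifier(first, last, domain), hashlib.sha256)
    return mac.hexdigest()[:16]


def reidentify(pseudonym: str, roster, key: bytes, domain: str) -> list:
    """Only the key holder can map a pseudonym back, by recomputing over the roster."""
    return [p for p in roster if keyed_pseudonym(p[0], p[1], key, domain) == pseudonym]


if __name__ == "__main__":
    weak = initials_code("Alice", "Martin", 7)
    print("weak code:", weak, "-> initials", initials_leak(weak),
          "-> candidates", candidates_for_code(weak, PATIENTS))
    strong = keyed_pseudonym("Alice", "Martin", DEMO_KEY, "study-A")
    print("keyed pseudonym:", strong)
    print("re-identified with key:", reidentify(strong, PATIENTS, DEMO_KEY, "study-A"))
    print("re-identified without key:", reidentify(strong, PATIENTS, b"wrong-key", "study-A"))
```

The keyed pseudonym for the same patient differs per study domain, so two research projects sharing pseudonymised records cannot link them without the key holder's cooperation.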

Big Tech: data brokers, smartphone health monitoring, China’s crackdown on Bing algorithms

The legal implications of personal data usage by the data brokerage industry have been analysed by the Guardian. A new lawsuit reportedly involves two companies in this vast network: X-Mode, a data broker, and NybSys, one of X-Mode’s customers. The lawsuit claims people’s exact location data was sold through a chain of industry players, rather than the summary or analysis of that information, without knowledge or permission from X-Mode. Data brokers collect personal data from a variety of sources, including social media, public records and other commercial sources or companies. These firms then sell that raw data, or inferences and analysis based on that data – such as a user’s purchase and demographic information – to other companies, like researchers or advertisers.

Google wants to use smartphones to monitor health, saying it would test whether capturing heart sounds and eyeball images could help people identify issues from home, Reuters reports. The company is investigating whether the smartphone’s built-in microphone can detect heartbeats and murmurs when placed over the chest allowing early detection of heart valve disorders, etc. Google also plans to test whether its artificial intelligence software can analyse ultrasound screenings taken by less-skilled technicians, as long as they follow a set pattern.

Microsoft’s Bing, the only major foreign search engine available in China, said a government agency has required it to suspend its auto-suggest function in the country for a week, Reuters reports. It is a second case for Bing since December, and arrives amid an ongoing crackdown on technology platforms and algorithms from Beijing. Since August, China’s top cybersecurity authorities have published draft rules dictating how internet platforms can and cannot make use of algorithms. These came into effect this month.

Weekly digest Dec 27 – Jan 2, 2022: Intelligent transport, Oracle and Salesforce court victory, the death of Blackberry, fan tokens https://techgdpr.com/blog/weekly-digest-03012022-eu-intelligent-transport-oracle-salesforce-court-victory-the-death-of-blackberry-fan-token/ Mon, 03 Jan 2022 10:13:42 +0000 https://s8.tgin.eu/?p=5394

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU Intelligent transport, Oracle and Salesforce court victory, discriminating AI in DC, privacy in Ukraine

The European Commission revised its Intelligent Transport Systems (ITS) Directive to advance smart mobility. The aim is to stimulate the faster deployment of new, intelligent services, by proposing that certain crucial road, travel and traffic data is made available in digital format. ITS applies information and communication technologies such as journey planners, eCall, and automated driving in transport. Since 2010, the ITS Directive has been the tool to ensure the coordinated deployment of such systems across the EU, based on European specifications and standards. The revision includes:

  • an extension in the Directive’s scope to multimodal information (apps to find and book journeys that combine public transport, shared car, or bike services),
  • communication between vehicles and infrastructure to increase safety and mobility,
  • the collection of crucial data and the provision of essential services such as real-time information services informing the driver about accidents or obstacles on the road,
  • updated obligations under the GDPR, and in consultation with the EDPS, on the security of personal data and the need for controllers to comply with their obligations, 
  • using anonymisation as one of the techniques for enhancing individuals’ privacy. Read the full text of the proposal here, and the Annex here.

A court in the Netherlands says a billion euro claim against Oracle and Salesforce is not admissible. The Privacy Collective (TPC) foundation filed a lawsuit against the two tech giants in 2020 for violations of the GDPR. The two US-based companies reportedly collected data from at least 10 million Dutch internet users for advertising purposes, and created a personal profile of each web surfer that they could trade. TPC claimed 500 and 600 euros respectively per victim from Salesforce and Oracle. The latter is also said to have leaked data. On the internet, TPC appealed to the public in a case under the Mass Damages in Collective Action Settlement Act. By clicking on an icon with the text ‘support with 1 click’, internet users were able to support the claim. The initiative received 75,000 statements.

According to the court, however, it is not possible to determine with these ‘likes’ whether the foundation really stands up for enough injured parties. No contact details are registered for the internet users who ‘clicked’. In addition, TPC is unable to maintain contact with its supporters, which is an important condition of the law. TPC is considering an appeal.

The use of artificial intelligence to determine access to credit and other important life opportunities has been targeted by the District of Columbia, Venable LLP reports. DC’s Attorney General has introduced the “Stop Discrimination by Algorithms Act of 2021”, which may be considered through January 1, 2023. The proposed legislation adds civil rights protections to protect communities from alleged harm caused by algorithmic bias by:

  • prohibiting the use of algorithms that produce biased and unfair results;
  • requiring annual audits, with reporting of the results and the needed corrective steps;
  • requiring businesses to document how their algorithms are built, how the algorithms make determinations, and how all of the determinations are made;
  • requiring businesses to disclose to all consumers their use of algorithms to reach decisions, what personal information they collect, and how their algorithms use it to reach decisions;
  • adverse action notices (if businesses make an unfavorable decision based on an algorithm, they must provide a more in-depth explanation);
  • a dispute and correction opportunity to prevent negative decisions based on inaccurate personal information.

The bill would apply to individuals, legal entities and service providers that make or rely on algorithmic eligibility determinations or algorithmic information availability determinations. Read more about the coverage, key definitions and the enforcement of the Algorithms Act in the original publication.

In 2021 almost 4000 people applied to the Ukrainian Parliament’s Commissioner for Human Rights to protect their right to privacy, twice as many as the year before. Individuals (mostly legal professionals, representatives of human rights and public organizations, people with disabilities, etc.) asked for the protection of their personal data in connection with:

  • the activities of debt collection companies and microfinance institutions, and
  • the publication of personal data in messengers, social networks and on the official websites of public authorities and local governments.

When enforcing the repayment of overdue debt, collectors resort to insults and psychological pressure not only against debtors but also against members of their families, friends or acquaintances. For that reason, a law on consumer protection in the settlement of overdue debts came into force last year. At the same time, the draft law “On Personal Data Protection” and the draft law “On the National Commission for Personal Data Protection and Access to Public Information” were registered in the Ukrainian Parliament. The legislators aim to pass both drafts within the next few months so that the data privacy reform can be launched by 2023 as part of the integration into the EU Digital Single Market, the implementation of the EU-Ukraine Association Agreement, and the wider government digital agenda.

Official guidance: China’s automotive sector, employment data and asylum seekers fingerprints in the EU

China’s latest data protection implementation rules include new data guidance for the automotive industry, analyzed by Paul Hastings LLP. It is one of the first sets of industry-focused implementation rules under the new Data Security Law and the Personal Information Protection Law. The auto industry provisions elaborate on:

  • Automotive Data, which includes personal information and important data involved in the process of automobile design, production, sales, maintenance, etc.
  • Automotive Data Processors – manufacturers, components and parts suppliers, software suppliers, dealers, maintenance organizations, and mobility service companies, ride-hailing and sharing services.
  • Personal Information and sensitive personal information (eg, vehicle trajectory, driving habits, audio, video, images, biometric identification).
  • Important Data (eg, geographical information, vehicle flow, personal information involving more than 100,000 subjects).

Key Principles in automotive data processing are:

  • all automotive data must be processed inside vehicles unless it is absolutely necessary to send it out;
  • unless a driver makes a specific selection otherwise, the default setting should be non-collection each time the driver drives the vehicle;
  • the coverage and resolution of cameras and radars, among others, should be determined according to the requirements for data accuracy of the functions and services provided;
  • principle of desensitization (data processors are required to apply anonymization and de-identification during processing, if possible).

The Gibraltar data protection authority published fresh guidance on data protection in the employment context (in English). The document provides a general guide to the legitimate expectations of employees with regard to the processing of their personal data by employers, as well as the legitimate interest of employers in deciding how best, within the boundaries of data protection law, to run their organisations:

  • The employer’s obligations of accountability and the implementation of appropriate security measures to protect employee personal data.
  • Recruitment and selection recommendations in relation to personal data in areas such as ‘advertising and applications’, ‘interview notes’, ‘vetting’ and ‘retention’.
  • Employment records and the responsibility of the employer to appropriately notify employees of personal data processing activities.
  • Monitoring in the workplace.
  • Remote working and the risks it presents for the security of personal data.
  • A compatible administrative infrastructure that allows adequate data protection.

Asylum seekers and migrants arrested at the EU’s external borders are required to give their fingerprints. This data is kept in the Eurodac file. The EU Agency for Fundamental Rights has published, in collaboration with multiple data protection authorities, a guide intended to better inform people about the use made of their fingerprints (now available in all EU languages). EU law requires that the following information is given:

  • that giving fingerprints is an obligation,
  • that ten digital fingerprints, the gender, the country taking the fingerprints, and the place and date of the asylum application (if applicable) are stored, and no other personal data,
  • that, where the authorities collect more personal data such as name or age, migrants should be informed about the importance of providing accurate data,
  • that the fingerprints are kept for 10 years (for an asylum seeker) or for 18 months (for an irregular migrant), after which the data is automatically deleted,
  • that only competent asylum and immigration authorities can access the data,
  • that the police and Europol can access the data under strict conditions,
  • why fingerprints are collected and what the person’s rights are.

The information given must be concise, transparent, comprehensible and in an easily accessible format, written in clear and plain language, adapting to the needs of vulnerable persons, such as children. Where necessary the information should be provided orally in a language that the person understands. Also, a copy of the personal data collected is provided. This helps to exercise the right to access and the right to delete and correct the data.

Data breaches, investigations and enforcement actions: Slimpay, JP Morgan Securities, BBVA

French regulator CNIL sanctioned Slimpay with a fine of 180,000 euros for having insufficiently protected users’ personal data and not having informed them of a data breach. Slimpay offers recurring payment solutions to its customers. During 2015, it carried out an internal research project, during which it used the personal data contained in its databases. When the research project ended in 2016, the data remained stored on a server, without special security measures and was freely accessible from the Internet. It was not until 2020 that Slimpay became aware of the data breach, which affected approximately 12 mln people. Persons affected by the data breach are located in several countries of the EU, so cooperation was needed between the supervisory authorities of four countries – Germany, Spain, Italy and the Netherlands.

The US Securities and Exchange Commission, (SEC), announced that JP Morgan Securities agreed to pay 125 mln dollars to resolve charges that it failed to safeguard written communications of its employees. Its employees, including supervisors and managing directors, regularly used non-company messaging tools such as Facebook’s WhatsApp, text messages and personal email accounts to discuss company business. The company admitted that none of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. The fine is the largest the SEC has ever leveled against a firm for record-keeping violations, beating the previous record of 15 mln, imposed on Morgan Stanley in 2006.

The Spanish data protection authority, the AEPD, fined Banco Bilbao Vizcaya Argentaria (BBVA) 60,000 euros for an insufficient legal basis for data processing. The claimant was receiving constant messages on his mobile phone from BBVA about defaults, appointments, etc. The claimant demanded deletion of the number; however, it was not found in the client database. The investigation found that the text messages were an error on the part of the team in charge of carrying out functional tests of the tool designed to send notifications from the bank to its clients. The team wrongly believed that the number did not exist or was not operational, and therefore that no one would receive such fictitious notices.

Audits: Oxford Health NHS Foundation Trust

The UK Information Commissioner’s Office published the Oxford Health NHS Foundation Trust data protection audit report. The Trust, a major NHS health trust, provides physical and mental health and social care for people of all ages in the UK. Its services are delivered at community centres, hospitals, clinics and people’s homes. With an overall reasonable assurance level, the executive summary proposes some areas of improvement:

  • The Trust’s Records of Processing Activity requires upgrading. The evidence provided was more of a data flow map and therefore is not fully in line with the requirements of Art. 30 of the UK GDPR. The requirements include having a record of the name and contact details of the data controller, description of the categories of individuals and recipients of personal data, retention schedules and a description of the technological and organisational security measures in place.
  • The Trust has a Data Protection Officer in place who also holds other positions and responsibilities. The Trust needs to consider if these additional roles and responsibilities pose a conflict of interests or a demand on their time, which could impact on their duties as DPO. 
  • There is no Information Sharing Agreement (ISA) log to record vital information pertaining to current ISAs.
  • There is a lack of specialised training for staff with data sharing roles and those that deal with children’s data.  
  • There is no dedicated Information Sharing policy or procedure to provide guidance on ad hoc disclosures as well as the assurances that all ISAs include effective incident management procedures.

Big Tech: China’s low-carbon data clusters, Arsenal fan tokens, the death of Blackberry, racial bias on Airbnb, Zoom latest acquisition

China has approved plans to build four mega clusters of data centres in the country’s north and west with the aim of supporting the data needs of Beijing and major coastal cities. The move comes as energy-hungry data centres located in China’s east have found it difficult to expand due to limits imposed by local governments on electricity consumption. The four new locations can use their energy and environmental advantages (wind and solar). However, their distant locations have meant the centres have struggled to provide the near-instantaneous retrieval demanded by coastal clients with little tolerance for delays. Meanwhile, a new marine economy development plan encouraged major coastal cities such as Guangzhou, Shenzhen and Zhuhai to relocate high energy-consuming data centres to underwater locations to save energy used for cooling.

Britain’s advertising watchdog, the ASA, warned Arsenal FC on Wednesday over ads for its “fan tokens,” a type of cryptocurrency embraced by soccer clubs as coronavirus pummelled their revenues. ASA said ads posted on Arsenal’s website and on Facebook were misleading as they did not make clear the risk of trading crypto, potential tax implications or that the tokens are not regulated in the UK: “The tokens, which can be traded on exchanges like other cryptocurrencies, are prone to wild swings in price and often have little connection to on-field performance.” Fan tokens allow supporters of soccer and other sports clubs to vote on minor decisions such as songs played at matches after a goal is scored, or images used on social media. Arsenal believes that fan tokens were designed to boost participation by supporters, and were “materially different” to other cryptocurrencies used as a means of payment. More than 40 clubs from Europe to South America have launched fan tokens. The largest one, launched by Paris Saint-Germain, reportedly has a total value of 49 mln dollars, versus bitcoin’s 929 bln.

Legacy BlackBerry devices lose text, call, and data functionality on January 4th, the Verge reports. Whether on Wi-Fi or cellular, there’ll be no guarantee you can make phone calls, send text messages, use data, establish an SMS connection, or even call 911. The company has experienced a slow decline since its dominant era in the late 2000s, when its QWERTY keyboards and reputation for security gave it a 50% market share in the US, but its parent company has pivoted to selling cybersecurity software.

Airbnb announced that it’s changing the way guest profiles are displayed in its app, for Oregon residents only, the Verge reports. Airbnb hosts who are based in Oregon will now see a potential guest’s initials, rather than their full name, until after they’ve confirmed the booking request. The change aims to prevent racial discrimination among hosts, by stopping them from gleaning a guest’s race from their name. The announcement follows a voluntary settlement agreement that Airbnb reached in 2019 with three Portland-area women. A 2016 study also found that Airbnb guests with names that sounded Black were 16% less likely to have bookings confirmed than guests with names that sounded white.

Zoom gets bigger on virtual events with its latest acquisition, the CNET website reports. The videoconferencing company announced the acquisition of event solutions assets from Liminal. Due to the pandemic, events have increasingly gone online, demanding more from video teleconferencing apps like Zoom. Those apps have needed to expand the features of their products or rely on third-party services like the ones Liminal provided. Liminal offered apps like ZoomISO and ZoomOSC, which provide individual video outputs and enhanced sound controls. Liminal’s products will remain available through its site. However, as Zoom expands on those tools and builds something similar into the platform, there will no longer be a need for them as separate add-ons.

Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flaws, DPIA for AI
https://techgdpr.com/blog/weekly-digest-13122021-whistleblowers-data-protection-gig-workers-cookiebots-software-flaws-dpia-for-ai/
Mon, 13 Dec 2021 09:52:31 +0000

The post Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flows, DPIA for AI appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Whistleblowing Directive is due to be implemented into national law by 17 December. It requires all EU Member States to implement legislation obliging all companies with 50 or more workers to put in place appropriate reporting channels to enable those workers to report breaches of EU law and ensure that those making whistleblowing reports are legally protected against retaliation for having done so. Also, businesses with operations across the EU need to monitor implementation and understand local requirements by the data protection authorities, as there will be variations between jurisdictions, (see the implementation tracker country by country from Bird & Bird LLP). Key areas to address will be ensuring that: 

  • reports are handled by the correct people, in accordance with prescribed timescales and with appropriate security and confidentiality;
  • required information is given to the whistleblower and to the person investigated;
  • there is guidance and training in place to ensure non-retaliation; and 
  • there are appropriate retention periods for reports and investigation data. 

How this could be implemented in practice (with a German example), involving works councils, internal codes of conduct, reporting options and controls, is described in an article by Ius Laboris lawyers.

Uber, Deliveroo and a dozen other two-sided online platforms could be hit by draft EU rules for gig workers. They may have to reclassify some of their workers as employees under a new proposal from the EU Commission meant to boost their social rights. The rules apply to ride-hailing, food delivery apps etc., and require companies to provide information to employees on how their algorithms are used to monitor and evaluate them, as well as on the allocation of tasks and the setting of fees. Employees can also demand compensation for breaches, Reuters reports. The rules place the burden on online platforms to provide evidence that these regulations do not apply to them. Workers can also challenge their classification either via an administrative process or in a court. The draft rules will need to be thrashed out with EU member states and EU lawmakers before they can be adopted, with the Commission estimating a 2025 time frame.

In Germany, the administrative court of Wiesbaden issued a preliminary decision prohibiting RheinMain University from using Cybot A/S’s consent management platform Cookiebot by Usercentrics, DataGuidance reports. In particular, the court found that:

  • Cookiebot CMP transfers the complete IP address of the end user to the servers of a cloud company whose headquarters are in the US.
  • The end user was identifiable from a combination of a key stored in the user’s browser, which identified the website visitor, and the transferred full IP address. 
  • This constituted a transfer of personal data to a third country, which the court underlined is prohibited in line with the “Schrems II” CJEU judgment.

Even if the corresponding server is located in the EU, the US group has access to it, so the US Cloud Act, with its broad query options for US authorities, applies. Finally, the university did not ask users’ consent for the data transfer, users were not informed about the possible risks associated with the transfer resulting from the US Cloud Act, and the data transfer was not necessary for the operation of the university’s website.

Official guidance

In Austria, a newly approved Code of Conduct (available in German only) establishes more legal certainty for insurance brokers and consultants. In particular, the document (approved by the data protection authority in accordance with Art. 40 of the GDPR) finally clarifies the legal status of the insurance broker as the data controller, who acts independently in the interests of the customer and is not subject to any data protection instructions from an insurance company. In addition, there is now clarity about the justification for data processing with regard to “simple” and “special” categories of personal data. An advantage for all those who want to officially adhere to the Code of Conduct is an objective external monitoring body entrusted with checking compliance.

Data breaches, investigations and enforcement actions

The Dutch data protection authority, AP, imposed a fine of 2.75 mln euros on the tax authorities. For years the tax administration processed the dual nationality of applicants for childcare allowance in an unlawful, discriminatory and improper manner. The dual nationality of Dutch nationals does not play a role in assessing an application for childcare allowance. Nevertheless, the tax administration kept and used this information. In addition, the tax authorities processed the nationality of applicants as an indicator to combat organised crime, using a system that automatically designated certain applications as high-risk. The data was not necessary for those purposes, and the administration should have deleted it according to the GDPR data minimisation principle. In 2018 the tax administration stopped using these indicators, and by 2020 the dual nationalities of Dutch people were completely removed from its systems.

The UK Information Commissioner’s Office, the ICO, hit broadband ISP and TV operator Virgin Media with a 50,000 pound fine after it sent nearly half a million direct marketing emails to people who had previously opted out. In August 2020 the regulator received a complaint from one of the operator’s customers about the unsolicited email. The message itself took the form of a price notification and attempted to get the customer to opt back into marketing communications. Just one customer complained to the ICO about receiving the spam, but that was enough to spur the regulator into investigating. Even though 6,500 customers decided to opt back into receiving marketing emails as a result of the mailshot, the ICO said this was not enough to ignore the UK Privacy and Electronic Communications Regulations. “The fact that Virgin Media had the potential for financial gain from its breach of the regulation (by signing up more clients to direct marketing) is an aggravating factor”, the ICO stated.

The Norwegian data protection authority, Datatilsynet, has punished the Government Pension Fund (SPK) with an infringement fee of 99,000 euros. SPK had collected unnecessary income information about approximately 24,000 people. SPK had obtained income information from the tax administration since 2016. SPK itself revealed that part of the information was data that should not have been collected, as it was not necessary for the post-settlement of disability benefits. The information was obtained through a predefined data set from the tax authority. Until 2019, SPK had no routines for reviewing and deleting the surplus information that was collected, violating basic principles for data processing, including for special categories of personal information.

Artificial Intelligence

More and more companies will become engaged in developing and building AI systems but also in using already deployed AI systems. Therefore, potentially all companies will need to deal with the underlying legal issues to ensure accountability for AI systems sooner or later, says analysis by Bird and Bird LLP. One of these accountability requirements will often be the need to conduct a Data Protection Impact Assessment. DPIAs for AI systems deviate from similar assessments relating to the development and deployment of common software, which results from some peculiarities lying in the inherent nature of AI systems and how they work. The main points to consider are:

  • Distinguishing between DPIAs for AI system development/enhancement (eg, training the algorithm) and for AI system deployment for productive use (eg, CVs of candidates are rejected based on the historical data fed into an algorithm).
  • Taking a precise, technology-neutral approach to catching the essential characteristics of AI, (eg, systems with the goal of resembling intelligent behaviour by using methods of reasoning, learning, perception, prediction, planning or control).

The most important aspects of DPIAs for AI system development/enhancement should include: controllership, purpose limitation, purpose alteration, necessity, statistical accuracy, data minimisation, transparency, individual rights, and data security risk assessment. Data controllers (providers of the AI system or the customers that deploy it) may also voluntarily decide to conduct DPIAs as an appropriate measure to strengthen their accountability, safeguarding data subjects’ rights. This may ultimately also help to win customer trust and maintain a competitive edge.

Opinion

The Guardian publishes thoughts by Timnit Gebru, a former co-leader of Google’s Ethical AI team:

“When people ask what regulations need to be in place to safeguard us from the unsafe uses of AI we’ve been seeing, I always start with labor protections and antitrust measures. I can tell that some people find that answer disappointing – perhaps because they expect me to mention regulations specific to the technology itself.” In her opinion, the incentive structure must be changed to prioritize citizens’ well-being. To achieve that, “an independent source of government funding to nourish independent AI research institutes is needed, that can be alternatives to the hugely concentrated power of a few large tech companies and the elite universities closely intertwined with them.”

Individual rights

Monitoring of workers’ personal data via entrance control systems is the subject of an article on the Social Europe website. For tracking entrance to and exit from the workplace and ensuring its safety, electronic control systems, into which only limited and non-sensitive data belonging to workers are uploaded, are more compliant with legal instruments than biometric systems. Biometric entrance-control systems should therefore be a last resort, limited to access to exceptional areas which require high security or to particular areas where highly confidential information is kept. As the article sums up, the EU’s GDPR does not directly regulate the monitoring of workers by electronic and biometric entrance-control systems. Provisions on such monitoring can be found in specific national legislation, but also in the Council of Europe’s Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment, and in Opinion 2/2017 of the Article 29 Working Party.

Data security

How do SIM swapping attacks work and what can you do to protect yourself? The European Union Agency for Cybersecurity, ENISA, has taken a technical deep dive into the subject. Since 2017 such attacks have usually targeted banking transactions, but not exclusively: cryptocurrency holders, social media and email accounts are also targeted. In a SIM swapping attack, the attacker convinces the telecom provider to perform the SIM swap, using social engineering techniques, pretending to be the real customer and claiming, for example, that the original SIM card is damaged or lost. Specific circumstances may open the opportunity for attackers, such as:

  • Weak customer authentication processes;
  • Negligence or lack of cyber training or hygiene;
  • Lack of risk awareness.

More information for the public is available in the ENISA Leaflet “How to Avoid SIM-Swapping”.

How long would it take a computer to crack your password? The latest chart by the Statista website illustrates that a password of 8 standard letters has 209 billion possible combinations, but a computer is able to try all of them instantly. Adding one upper case letter to a password dramatically alters a computer’s potential to crack it, extending the time to 22 minutes. Having a long mix of upper and lower case letters, symbols and numbers is the best way to make your password more secure. A 12-character password containing at least one upper case letter, one symbol and one number would take 34,000 years for a computer to crack.

Big Tech

Twitter is reviewing a controversial policy that penalizes users who share images of other users without their consent, The Guardian reports. The company has launched an internal review of the policy after making several errors in its enforcement. The platform now allows users to report other users who tweet “private media that is not available elsewhere online as a tool to harass, intimidate, and reveal the identities of individuals”. If a review concludes the complaint has merit and the image wasn’t used for a journalistic or public interest purpose, those accounts are deactivated. Some activists say the broad nature of the new rules makes them ineffective and ripe for abuse against the most vulnerable groups, while some reporters, photographers and journalists are concerned that they do not take into account unreasonable expectation of privacy in public spaces, and would undermine “the ability to report newsworthy events by creating nonexistent privacy rights”.

A Virginia federal court granted Microsoft’s request to seize 42 US-based websites run by a Chinese hacking group, IAPP reports. Microsoft, which has been tracking the hacker group known as Nickel since 2016, is redirecting the websites’ traffic to secure Microsoft servers to “protect existing and future victims.” Microsoft’s Corporate VP of Customer Security and Trust said Nickel targeted organizations in 29 countries, using collected data “for intelligence gathering from government agencies, think tanks, universities and human rights organizations.”

Several Amazon services – including its website, Prime Video and applications that use Amazon Web Services (AWS) – went down last week for thousands of users in the US and EU. Amazon’s Ring security cameras, mobile banking app Chime and robot vacuum cleaner maker iRobot were also facing difficulties. Amazon said the outage was probably due to problems related to an application programming interface (API), a set of protocols for building and integrating application software. The huge trail of damage from a network problem came from a single region, “US-EAST-1”, and underscored how difficult it is for companies to spread their cloud computing around, Reuters reports. With 24% of the overall market, according to research firm IDC, Amazon is the world’s biggest cloud computing firm. Rivals like Microsoft, Alphabet’s Google and Oracle are trying to lure AWS customers to use parts of their clouds, often as a backup.

Russia blocks popular privacy service Tor, ratcheting up internet control, Reuters reports. Russia has exerted increasing pressure on foreign tech companies this year over content shared on their platforms and has also targeted virtual private networks, (VPN), and other online tools. The Tor anonymity network is used to hide computer IP addresses to conceal the identity of an internet user. Tor also allows users to access the so-called “dark web”. Tor, which says its mission is to advance human rights and freedoms, has more than 300,000 users in Russia, or 14% of all daily users, second only to the US.

A recently uncovered software flaw could be the “most critical vulnerability of the last decade”, the Guardian reports. The problem, known as “Log4Shell”, was uncovered in an open-source Apache logging tool ubiquitous in websites and web services. The flaw was reported to Apache by Alibaba on November 24th, and disclosed by Apache on December 9th. Reportedly it allows hackers password-free access to internal systems and databases. The open-source logging tool is standard kit for cloud servers, enterprise software, and across business and government. Few computer skills are needed to steal or obliterate data, or install malware, by exploiting the bug. It will be days before the full extent of the damage is known.
