app development Archives - TechGDPR
https://techgdpr.com/blog/tag/app-development/

Data protection digest 18 Mar – 02 Apr 2024: AI and DP standardisation, patient medical data, human factor in data security
https://techgdpr.com/blog/data-protection-digest-04042024-ai-and-dp-standardisation-patient-medical-apps-the-weakest-link-in-data-security/
Thu, 04 Apr 2024
The need for AI and data protection standardisation, best practices on customer and employee data protection, rules on restricted cross-border data transfers, tips for DPOs, CISOs, IT specialists, and much more in our latest digest.

Stay tuned! Sign up to receive our fortnightly digest via email.

AI and data protection standardisation

The French CNIL elaborates on the contribution of the ISO/IEC 27701 and 42001 standards to compliance with data protection laws. For many years, IT security has benefited from two recognised international standardisation frameworks, ISO/IEC 27001 and 27002, which detail best practices for implementing the necessary security measures. ISO/IEC 27701, published in 2019, complements these two standards by defining and detailing a “privacy management system”.

At the same time, the new ISO/IEC 42001, published in 2023, proposes a “management system for AI” for organisations. This standardisation tool describes the processes for managing concerns related to the reliability of AI systems: security, safety, fairness, transparency, and data and system quality throughout the lifecycle. In addition, it sets out a series of operational measures for implementing them, covering the assessment of an AI system’s various impacts and risks, responsible development and use, and documentation and monitoring.

Public tasks and AI

The Swedish IMY is starting a regulatory sandbox project to test how generative AI can create more efficient data processing when issuing public documents. The goal of Lidingö city’s project “Right to transparency 2.0” is to be able to use generative AI to get help with masking personal data and confidential information. In addition to IMY, the Atea Sweden company will participate with technical expertise and know-how. 

CPPA enforcement

California’s Privacy Protection Agency has issued its first enforcement advisory, on applying data minimisation to consumer requests. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information. For example, a business must not require a consumer to provide more information than is necessary to process an opt-out request (of the selling/sharing of their data), or more than is necessary when determining the method by which to verify the consumer’s identity. What is the minimum personal information necessary to achieve this purpose? Read in the original guidance.

More official guidance

Patient medical apps: The Italian ‘Garante’ has published a guide (in Italian only) on apps and sites that connect patients with healthcare professionals, including general practitioners and paediatricians, concentrating on free choice of practitioner, the booking of visits, and the sending and archiving of health documents. The compendium provides clarifications concerning three macro types of processing:

  • patient data, necessary to offer them online services,
  • data of healthcare professionals processed for various purposes,
  • data on the health of patients, processed for diagnosis and treatment purposes.

Tech vendors and HIPAA: The US government reminds us of the correct use of online tracking technologies by covered entities and business associates under the Health Insurance Portability and Accountability Act, (HIPAA). As a rule, they are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information, (PHI), to tracking technology vendors, (eg, via user webpages and mobile apps). This primarily includes the disclosures of PHI for marketing purposes without a user’s HIPAA-compliant authorisation.

AI-powered employment practices: Privacy International has responded to the UK ICO’s draft guidance for employers and recruiters on deploying AI tools. Its response focuses on the processor/controller designation of recruiters and the third-party LLM providers they outsource to, and on candidates’ employment rights that may be undermined by algorithmic decision-making. PI’s submission addresses the different technologies used and the different types of data collected, the use of candidate data for model training purposes, the role of DPIAs, and what constitutes meaningful human intervention.

UK standard clauses

As of 21 March 2024, any contracts relying on the old EU SCCs for data transfers with the UK should have been upgraded to the UK IDTA or UK Addendum. From 21 September 2022, organisations had to use the IDTA or the Addendum if they entered into new transfer arrangements (or updated existing ones) that are subject to the UK GDPR. The deadline is further explained in the TechGDPR blog post.

German healthcare data

The country’s new Health Data Use Act entered into effect on 26 March, IAPP News reports. By allowing pharmaceutical corporations to access patient health data for research purposes, the act seeks to advance health research. Researchers will only be permitted to access pseudonymised data, and any violations of patient privacy would result in administrative sanctions. The original legal text in German can be consulted here.

More legal updates

Florida’s under-16 law: The Florida Governor signed a bill that bans children aged under 14 from social media platforms and requires 14- and 15-year-olds to get parental consent. The measure requires social media platforms to terminate the accounts of people under 14 and those of people under 16 who do not have parental consent. It also requires the use of a third-party verification system to screen out those who are underage. The measure will become law on 1 January 2025. Critical views can be read in the original analysis by Reuters.

Australia’s doxxing reform: The Government proposes new provisions to address doxxing as part of the Privacy Act Review. ‘Doxxing’ is the intentional online exposure of an individual’s identity, private information or personal details without their consent, (eg, for de-anonymising, targeting purposes). A new statutory tort for serious invasions of privacy would allow individuals to seek redress through the courts if they have fallen victim to doxxing, as well as access, objection and erasure rights, and the right to correct their personal information.

Chinese restricted transfers: The Cyberspace Administration finalised guidelines setting out exemptions to certain cross-border data transfer laws, DLA Piper reports. These cover collection outside of mainland China, cross-border HR management, cross-border contracts, volume thresholds and others. The guidelines include updated filing templates for those still falling outside the exemptions and a reminder that consent and contractual/other measures remain in place. More details on the current security assessments and standard contracts for data exporters are available here.


UK data protection reform

UK civil society organisations have issued an alert on the financial surveillance powers proposed in the UK Data Protection and Digital Information Bill (now at the Committee stage). It introduces mass algorithmic surveillance aimed at scrutinising bank and any third-party accounts, purportedly to detect welfare fraud and errors. Reportedly, there are no restrictions on the type of information that can be requested. Enacting a law that allows for disproportionate mass surveillance could also impact the UK’s adequacy status with the EU.

Facial recognition abuse at the workplace

Facial recognition to check attendance in the workplace violates employee privacy, stated the Italian ‘Garante’ when sanctioning five companies all engaged in various capacities at the same waste disposal site, for having unlawfully processed the biometric data of a large number of workers. In particular, three companies had shared the same illegal biometric detection system for more than a year, without having adopted adequate technical and security measures. The companies had not provided clear and detailed information to workers nor had they carried out an impact assessment. They should have more appropriately used less invasive systems to control the presence of their employees in the workplace, (such as by badge). 

More enforcement decisions

Cookie walls: The Danish data protection authority has confirmed its decisions in the cases concerning the approach of JFM (a media company) and GulogGratis (an online marketplace) to using cookie walls. In particular, statistics were not a necessary part of the paid-access alternative: the processing of personal data to generate statistics was not directly linked to financing the content. The marketing purpose, unlike the statistical purpose, made it possible for advertising partners to buy access to banner advertisements etc. on the website, serve personalised ads and thus generate advertising revenue.

Access and log control: The Norwegian data protection authority has issued an approx. 1.7 mln euro fine and several injunctions to the Norwegian Labor and Welfare Agency, (NAV). NAV lacked management and understanding of the importance of safeguarding data confidentiality through access management and log control. The majority of Norwegian citizens receive benefits from NAV at one time or another during their lives. 

There is therefore an inherently high privacy risk in NAV’s operations. In practice, however, local offices were given greater freedom to organise themselves in their own ways. As a result, special categories of personal data were often processed over long periods and by a large number of people, without the necessary security measures being established, and despite repeated calls for compliance.

Retailer’s indefinite data storage: The Finnish data protection commissioner has ordered Verkkokauppa.com to pay an administrative fine of 856,000 euros, as the company had not defined how long the data of online store customer accounts would be kept. Limiting the data retention period was left to the responsibility of the customer. In addition, Verkkokauppa.com’s policy of requiring the creation of a customer account for online purchases violates data protection regulations.

Data breaches

Ransom attack: The Estonian privacy regulator explains the recent Asper Biogene data leak. Sensitive personal health data was leaked. The company learned of the intrusion through a ransom demand. Thanks to the notification made by the data controller, people learned about the situation – this allowed them to protect themselves from possible fraudulent letters. The data leak involved a healthcare service provider and an authorized processor, (Asper Biogene). In this case, the agreement concluded between the controller and the authorised processor largely helped to confirm the parties’ roles and goals in data processing. 

Data security 

Human factor: What is the weakest link in the data security chain? The Estonian regulator states that it is still a person that interacts with that data. Therefore every month there are cases where the requirements for personal data processing are violated due to an employee’s mistake, carelessness or lack of organisation in the workplace. Some recent cases resolved by the regulator included: 

  • an intranet was accessible from the public Internet, where the only measure to protect its content was the same username and password used by multiple persons.
  • the employees of a cafe discovered that paper documents concerning the inmates of a detention facility had been left there.
  • a hosting company sent a newsletter to its customers in a way where the e-mail addresses of others were visible to all recipients.
  • an employee of a financial company was mistakenly given access to a bank account used for salary payments of the company’s employees.
  • the publication of people’s debt data in various default registers without a legal basis. 
  • ransomware and code injection attacks, hijacked employee email accounts, and phishing.

Latest technology guide: The French CNIL has published a new edition of its Personal Data Security Guide (available in English). The new version restructures the guide and introduces new fact sheets, including tips on artificial intelligence, mobile applications, cloud computing, and application programming interfaces. Current practices such as the use of BYOD have also been added to the existing fact sheets. The guide serves as a reference for DPOs, CISOs and IT specialists, and for CNIL assessments.

Big Tech

Google Incognito data deletion: The Guardian reports that Google settled a lawsuit alleging it surreptitiously monitored the internet activities of users who believed they were browsing incognito on its Chrome browser, and agreed to delete billions of data sets. Users alleged that Google’s analytics, cookies and apps let the Alphabet unit improperly track people who set Google’s Chrome browser to “incognito” mode and other browsers to “private” browsing mode. As part of the settlement, Google will update its disclosures on the data it gathers during “private” browsing. Users in incognito mode will also be able to disable third-party cookies.

Mozilla/Onerep data brokerage case: The nonprofit that supports the Firefox web browser is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by US cybersecurity expert Brian Krebs forced Onerep’s CEO to admit that he had founded dozens of people-search networks over the years.

In the US, data brokers, people-search services like Onerep, and online reputation management firms exist because virtually all US states exempt so-called “public” or “government” records from consumer privacy laws. Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, social media data and known associates.

The post Data protection digest 18 Mar – 02 Apr 2024: AI and DP standardisation, patient medical data, human factor in data security appeared first on TechGDPR.

Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’
https://techgdpr.com/blog/data-protection-digest-02062023-amassing-data-for-machine-learning-is-no-excuse-for-breaking-the-law/
Fri, 02 Jun 2023
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

‘Machine learning is no excuse to break the law’: The US Federal Trade Commission alleged that Amazon, (Alexa voice assistant), kept kids’ data indefinitely to further refine its voice recognition algorithm. If approved by the federal court, on top of a multimillion fine, Amazon will have to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. Reportedly, Amazon is not alone in seeking to amass data to refine its machine-learning models. 

Similarly, the FTC proposed enforcement against Amazon’s subsidiary, Ring. The allegations say the company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

China SCCs: On 1 June, China’s new Standard Contractual Clauses for the cross-border transfer of personal data went into force. Entities using the SCCs must meet two requirements: a) a data transfer impact assessment must be performed by the data exporter, and b) the data exporter must sign SCC-compliant agreements with overseas recipients of the data. The Chinese SCCs do not distinguish between an exporter or receiver being a controller or a processor, in contrast to the EU SCCs. As an alternative to SCCs, organisations may also be required to undergo a security check by the Cyberspace regulator or certification by recognised institutions. Read more analysis by connectontech.com. 

Montana’s new privacy law and TikTok ban: Montana became the first US state to ban the use of TikTok and to prohibit mobile application stores from offering the Chinese app within the state by next year. The ban covers state networks and also bars third-party firms conducting business for or on behalf of the state from using applications with ties to foreign adversaries. The state would fine any entity (an app store or TikTok) 10,000 dollars per day for each time someone “offers the ability” to access the platform or download the app. How these prohibitions will be implemented, though, is still unclear.

Montana’s Governor also signed a new Consumer Data Privacy Act, joining California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia, which already enacted comprehensive consumer privacy laws. The law is scheduled to take effect in October 2024.

Health care data: The US Federal Trade Commission is modernising the Health Breach Notification Rule, clarifying the rule’s applicability to health apps and similar technologies, many of which aren’t covered by HIPAA. Changes will be made to the terms “identifiable health information,” “breach of security,” “health care provider,” and “health care services or supplies,” as well as to the information that must be included in the consumer notice, and more. In parallel, to bridge the gap between HIPAA safeguards and health data obtained outside of conventional medical settings, Washington enhanced the protection of consumers’ identifiable health information by passing the “My Health My Data Act”.

Official guidance

Generative AI: The US Congressional Research Service published a paper on Generative AI and Data Privacy. Recently the term “general-purpose models”, (GPAI), was created by academics and policymakers to refer to software programs like ChatGPT that can do a variety of tasks. Large language models, (LLMs), which have the ability to detect, predict, translate, summarize, and produce language, are the foundation for many general-purpose AI applications. Duolingo, Snapchat, and other companies have partnered with OpenAI to deploy ChatGPT in their services. However, individuals may not know their data was used to train models that are monetized and deployed across such applications. 

SAR guidance: The UK Information Commissioner’s Office has published new guidance for businesses and employers on responding to Subject Access Requests. Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records. This includes where you got their information from, what you’re using it for and who you are sharing it with. 

Organisations must respond to a SAR from a worker without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests. At the same time, the UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. 

Right to object and right to erasure: The EDPB summarises the right to object in connection to the right to be forgotten in complaints from data subjects. Requests to stop processing personal data for marketing purposes and to delete already gathered data are frequently linked. Most of the cases show deficiencies in the internal procedure adopted to deal with such requests, including the accuracy of the procedure and internal communication, the timeframe for processing requests, and the accountability of the system for receiving/tracking complaints.

Workforce monitoring: Employers tend to monitor employees’ work performance, keeping track of the duration and frequency of the employee’s work, but also of their location and other indicators. As a general rule, the systematic monitoring of employees using automated means (cameras, apps) is considered a non-standard solution, states the Latvian data protection authority. It can only be used for short-term employee monitoring, and only if less privacy-intrusive means will not achieve the goal. Such processing must be clearly agreed upon in advance and must be understandable to both parties. Otherwise, it can undermine mutual trust with the employee, and may even contribute to a decline in the quality of work.

Enforcement decisions

Meta/Facebook enforcement: The largest GDPR fine to date, 1.2 bln euros, has been issued by the Irish data protection authority against Meta Ireland. Following the “Schrems II” ruling, Meta effected data transfers to the US on the basis of the Standard Contractual Clauses in conjunction with additional measures. But these did not prevent fundamental risks to data subjects in view of US state surveillance practices.

Meta now must return already transferred personal data and stop other illegal processing within the next few months. The decision may have similar effects for any digital service provider subject to US surveillance laws and relying on EU Standard Contractual Clauses, until the problems have been resolved by the Commission’s adoption of the upcoming EU-US Data Privacy Framework.

Charity organisation: The ICO completed an audit of Age UK Wiltshire, (charitable and voluntary sector). AUKW requested an audit in January and submitted an audit questionnaire detailing their data protection compliance concerns. After the investigation, the main areas for improvement were identified: 

  • Review and update existing data protection policies and create new policies covering records management, data sharing, DPIA, and information security. 
  • Ensure that data protection training is mandatory for all staff, including annual refreshers and specialised seminars. 
  • Complete an information audit to help the organisation have an understanding of all of the information that is held and its flows. 
  • Create an Information Asset Register, (IAR), to record the information assets identified by the information audit and ensure that the IAR is periodically reviewed.
  • Review and update the current subject access request (SAR) procedure and policy, including the identity checks, and communicate them to staff.
  • Create and maintain a SARs log as a documented record of all completed and ongoing SARs. 

Video surveillance: The Italian privacy regulator ‘Garante’ imposed a 50,000 euro fine on a clothing company, (with over 160 stores), for having installed video surveillance systems in various company outlets. The company had justified the need to defend against theft and to ensure the safety of employees and corporate assets, and prevent unauthorized access. The investigation showed that all the shops were equipped with at least 3 video cameras, active 24 hours a day, 7 days a week, in the areas reserved for workers and suppliers. In larger outlets, it was up to 27. The fine was issued, taking into account the significant number of employees involved, (over 500), and points of sale, as well as the absence, (or violation), of authorization or agreement with the trade union representatives.

Tax data: The Belgian data protection authority decided to prohibit the transfer of data of Belgian “Accidental Americans” by the Belgian Federal Public Finance Service to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian regulator, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. The regulator also orders the public service to inform data subjects in a complete and accessible manner of the data processing carried out as part of the FATCA agreement and of its modalities. It also requires a DPIA to be carried out.

Automated rejection of credit card application: Berlin’s supervisory authority imposed a 300,000 euro fine against a bank after a lack of transparency over the automated rejection of credit card applications, according to the EDPB summary. A Berlin-based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant’s income, occupation and personal details. Based on the information requested and additional data from external sources, the bank’s algorithm rejected the application without any particular justification. Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed poor creditworthiness in his case. 

Biometric ID checks: Mobile World Congress’s organiser received a 200,000 euro fine in Spain for inadequate biometric ID checks at the 2021 venue. For the “in-person” option, the organiser required a complainant to upload passport details, including photographs, which were transferred to a service provider in a third country for facial recognition security purposes. However, the stated legal basis varied from consent to legal obligation across different notices. Moreover, neither the privacy policies nor the email communications provided clear information on data transfers to a third country. Additionally, the organiser’s DPIA failed to assess the risks or the proportionality and necessity of the system implemented (called BREEZZ).

Doctissimo fine: Following a complaint by the Privacy International association, the French privacy regulator fined the doctissimo.fr website 380,000 euros. The site mainly offers articles, tests, quizzes and discussions related to health and well-being for the general public. The regulator noted infringements concerning the duration of data retention, the collection of health data via online tests, the security of data, and the way cookies were placed on users’ terminals. Additionally, the company processes personal data jointly with other entities, in particular for the marketing of advertising space on the website. These joint-controller relationships were not framed by any contract.

Google Analytics: The Finnish data protection commissioner has issued a notice to the meteorological institute about the transfer of personal data to the US via website tracking technologies. The institute had not defined or applied the legal basis for the transfer of data in the use of reCAPTCHA and Google Analytics services. Nor had it suspended data transfers without delay after the CJEU’s “Schrems II” decision, even though it no longer had a valid basis. The institute has taken steps to remove the tools and services from its website. The order also includes the deletion of data that had been transferred illegally to the US. 

Data security

Mobile device management: Mobile devices make it easier for employees to do their job from home, at the workplace, or while on the road. In order to reduce an organisation’s risk profile, it is critical to manage security and device health. The US NIST explains the benefits of Mobile Device Management: an employee’s personal or corporate-owned device can be enrolled into an MDM solution to apply enterprise configurations, manage enterprise applications, and enforce compliance. To learn more about how to use standards-based, commercially available products to meet security and privacy needs, you can download the latest guidance by NIST here and here.

De-identification: The Government of Canada publishes instructions on de‑identification as a privacy‑preserving technique. Although the pseudonymisation of data is a step toward anonymisation, it still permits re-identification. The acceptable risk level must be determined based on the context, and it is always preferable that privacy experts work together with data specialists. For instance, some activities increase the risk of re‑identification, such as integrating datasets or data matching, so it is important to continually assess privacy and re‑identification risks, even after applying privacy safeguards.

Big Tech

NHS data sharing: According to the Guardian, NHS trusts are sharing sensitive data about patients’ health conditions, medical appointments, and treatments with Facebook without their knowledge and despite promises never to do so. An Observer investigation revealed a monitoring feature (Meta Pixel) on the websites of 20 NHS trusts that has been collecting medical and patients’ browsing data for years and sharing it with the tech giant. The information contains specific details such as pages viewed, buttons pressed, and keywords searched, matched to the user’s IP address. This included patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.

Microsoft cookies: Microsoft Ireland revised its cookie policy for the Bing search engine in France after it received a reprimand from the country’s data protection agency CNIL for privacy violations, govinfosecurity.com reports. In December the CNIL fined the company 60 million euros for a deceptive cookie policy that it claimed made it impossible for Bing users to stop data collection. CNIL gave Microsoft three months to comply with its cookie policy or risk further penalties of 60,000 euros per day. In particular, Microsoft needed to obtain French Bing users’ consent to enable cookies used to combat advertising fraud.

The Privacy Sandbox: Google announced the next stages of Privacy Sandbox – General availability and supporting scaled testing. In Q1 of 2024, it plans to deprecate third-party cookies for one per cent of Chrome users. This will support developers in conducting real-world experiments that assess the readiness and effectiveness of their products without third-party cookies. This will follow the introduction in Q4 of 2023 of the ability for developers to simulate Chrome third-party cookie deprecation for a configurable percentage of their users. 

The post Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ appeared first on TechGDPR.

Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court https://techgdpr.com/blog/data-protection-digest-17052023-data-processing-roles-and-obligations-elaborated-by-eu-top-court/ Wed, 17 May 2023 07:38:02 +0000

The post Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal redress

Pseudonymised (non-personal) data processing: In the case of SRB v. EDPS, the European General Court ruled that pseudonymised data communicated by one party to another would not be regarded as personal data in the recipient’s hands if that party lacks a legal way to obtain the extra, identifying information. The lawsuit resulted from the Single Resolution Board’s (SRB) decision to conduct a shareholder poll in the case of Banco Popular Español, as part of which it shared the results with a consulting firm. In order to guarantee that replies could not be traced back to specific respondents, SRB pseudonymised the data. The decoding key that might identify specific responses from the alphanumeric codes was not given to the consulting company.

Additionally, the court did not rule out that personal views or opinions may constitute personal data. However, such a conclusion must be based on a case-by-case examination. View the court’s ruling here.

Right to GDPR compensation: The CJEU has recently published a number of rulings related to data subject rights. In one case, Österreichische Post collected information on the political affinities of the Austrian population, using an algorithm. Following lawsuits for compensation from upset citizens who did not consent to that, the Austrian supreme court asked the CJEU whether mere infringement of the GDPR is sufficient to confer that right and whether compensation is possible only if the non-material damage suffered reaches a certain degree of severity. It also asked what the EU-law requirements are for the determination of the amount of damages.

The EU top court responds that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of severity. The court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules. 

“Copy” of personal data definition: The CJEU also ruled that the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data. The Court notes that the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data. 

The case relates to CRIF in Austria, (a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties). It sent the applicant in question a summary of his personal data undergoing processing. However, the individual had expected a copy of all of the documents containing his data, such as emails and database extracts. After the Austrian data protection authority rejected his complaint, the applicant went to court.

CJEU opinions

Data controllers’ strict liability: A non-binding opinion by a CJEU Advocate General limits the strict liability of data controllers for GDPR fines: they may only be imposed on intentional or negligent conduct, (‘mens rea’). The referring court wanted to know whether the state agency could be fined on the simple basis that it breached the obligations imposed on it by virtue of being a controller, (strict liability), or whether an element of fault in committing the relevant breach is required. 

The case concerns the Lithuanian Public Health Centre in the design and deployment of a mobile application for tracking COVID-infected people. After funding for the project failed, the state agency asked the app developers, (initially defined as joint controllers), not to use the LPHC details or any association with them in the mobile product. However, it continued to be available for download by the public unaltered. To that end, the data protection authority decided to impose a fine on both entities in their capacity as joint controllers.

The CJEU’s opinion confirmed that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’. Furthermore, the absence of any agreement or even coordination between joint controllers cannot exclude a finding that the controllers are ‘joint controllers’.

Concept of lawful “data processing”: In the above case, the referring court also called for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects the ability of supervisory authorities to impose a fine on the controller.

The CJEU reasoned that a controller may be fined even though the unlawful processing is carried out by a processor. That possibility is open for so long as the processor acts on the controller’s behalf. However, if the processor uses personal data outside of, or contrary to, the lawful instructions of the controller, then the controller cannot be fined. 

The concept of ‘processing’ encompasses a situation in which personal data is used during the testing phase of a mobile application, unless such data has been anonymised in such a way that the data subject is not, or no longer, identifiable. 

Official guidance

Direct marketing: Effective direct marketing relies on you having a positive relationship with individuals you are marketing to and that is usually rooted in them having consented to you contacting them, states the latest guidance by the Guernsey data protection authority. The document answers the questions on how to obtain people’s consent in a lawful way, while being able to pursue commercial communication and inform people about what you are doing; explains lawful processing conditions under consent and legitimate interest; looks at the dangers of soft opt-in and automated calling systems and silent calls; and provides options for stopping direct marketing. See the full guidance (in English) here.

Client databases: The Latvian data protection agency also looks at client databases. Customer personal data permeates almost every aspect of business, from the delivery address of an order to the use of customer data to creating a company’s marketing campaign. Whether you only store a customer’s first name, last name and email address, or a personal identification number and bank details, you need to make sure that customer information is kept as correct and as secure as possible. The main principles to be followed are:

  • Determine the purpose for which the database is being created (eg, administration of fees, sending news, ensuring access).
  • Evaluate and decide exactly what personal data is required from the client, and don’t collect or store personal data just because you think it might come in handy someday, (eg, if you plan to send information only to e-mail, you do not need to ask the customer for a phone number).
  • The information included in the customer database must also be accurate and must be updated as necessary, (eg, inaccurate data may allow the service to be used by a person who has not paid for it).
  • The necessary technical and organisational requirements must be implemented, (eg, limit personnel who can access customer information, maintain employee training, and if you transfer personal data, ensure that it is encrypted).

Enforcement decisions

Concept of warning and expansion of investigation periods: Spain has modified its law on the protection of personal data and clarified that a warning should not be considered a sanction, but rather an appropriate measure, of a non-punitive nature, included within the corrective powers of the supervisory authorities. Additionally, the increase and greater complexity, (including a one-stop-shop mechanism), of the issues addressed by the data protection agency in the sanctioning procedures show the need to extend some of the resolution deadlines. In particular, for this reason, the modification contemplates an increase from nine to twelve months in the maximum duration of disciplinary procedures, and from twelve to eighteen months in previous investigation actions.

TikTok fine: The UK Information Commissioner’s Office has issued a 12.7 million pound fine to TikTok Information Technologies UK Limited and TikTok Inc, for a number of breaches of data protection law, including failing to use children’s personal data lawfully. Whilst TikTok purports to rely on, in part, a contractual necessity as its lawful basis for processing the personal data of children under 13, the Commissioner considers that the legal test for contractual necessity is not met in this case. In addition, TikTok failed to make reasonable efforts to ensure that consent was given or authorised for underage child users of its video-sharing platform or to prevent children under 13 from accessing its services. Read the full list of TikTok’s infringements in the original decision.

Information obligation: The Romanian data protection agency fined Libra Internet Bank for not fulfilling its data subject rights obligation. It was found that a response sent to a plaintiff by e-mail did not contain information about the possibility of filing a complaint before a supervisory authority and introducing a judicial appeal for the bank’s refusal to communicate a copy of a requested video recording, thus violating the provisions of Art. 12 in conjunction with Art. 15 of the GDPR. On the same occasion, the regulator noted that the data controller did not present evidence to show that it had adopted measures to facilitate the exercise of the right of access.

Grocery data: The Norwegian data protection authority has taken a decision to ban Statistics Norway’s planned collection of data from the population’s grocery purchases. Through bank data and bank transaction data, Statistics Norway would have information on what a significant proportion of the population buys for groceries. This in turn could be linked to socio-economic data such as household type, income and level of education. No sufficient legal basis for such intrusive processing of personal data exists. Even if the purpose of the collection is anonymous statistics for societal benefit, the intervention in the individual’s privacy will have already occurred once the personal information was collected, (from private actors). Finally, citizens have no real opportunity to oppose such a collection, other than by using cash as a means of payment.

Debt collection data: Croatia’s privacy regulator issued an administrative fine of over 2 million euros on a debt collection agency. The data controller didn’t inform its data subjects, in an accurate and clear manner, about the processing of their personal data. In addition, it did not conclude a data processing agreement with the consumer bankruptcy monitoring service. The debt collecting agency also did not apply appropriate technical and organisational measures while processing quite sensitive personal data, so it would probably never have noticed a data breach.

Data security

Encryption pros and cons: The Spanish data protection agency has published a guide for the supervision of cryptographic systems as a security measure in data protection. Encryption is a procedure by which information is transformed into an apparently unintelligible data set using various techniques. The GDPR mentions it as a measure that forms part of the conditions for compliant processing and as an aid to mitigate the risks in the event of a possible personal data breach. However, if not well designed it can give a false sense of security that relaxes the application of other complementary measures, in particular privacy by design. The document also proposes a list of controls to help the data protection specialist select those that could be the most appropriate for validating the encryption system. Read the full guide, (in Spanish), here.

Password hurdle: Reportedly, the average internet user has between 70 and 80 passwords for a wide variety of services, explains the Slovenian data protection agency based on recent research. Considering that a strong password is (at least) 12 characters long, complex and of course unique, it is extremely difficult to remember them all.

Password managers also offer effective management and safe storage of passwords. In this case, it is important to have a very strong master password, which is also the only one we need to remember. Two-factor authentication solves two of the most common problems: short, weak, and repeated passwords are no longer so problematic since access to the service requires an additional unique code that is obtained over the phone. 

Finally, most information security experts do not recommend saving passwords in browsers. The reason is primarily the rapid spread of Trojan horses that specialize in stealing user data. Nothing helps if we have long and unique passwords, because the virus simply copies them and sends them to attackers.

International data transfers

US data transfers: The European Parliament has rejected the draft US adequacy decision during the plenary vote. Although the resolution is not binding, MEPs concluded that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection, and called on the Commission to continue negotiations with its US counterparts to provide the adequate level of protection required by Union data protection law as interpreted by the CJEU. MEPs call on the Commission not to adopt the adequacy finding until all the recommendations – on safeguards against American intelligence activities, and practical deployment of the redress mechanism for individuals – are fully implemented.

To that end, a parliamentary group from the Civil Liberties Committee visits the US capital this week to meet with members of the House of Representatives and Senators working on privacy, and cybersecurity issues, including sponsors of different federal privacy acts – the Federal Trade Commission, US Courts administration, Department of State, the Data Protection Review Court, the Office of the Director of National Intelligence, NGOs, and think-tanks. 

UK privacy reform: According to govinfosecurity.com, the Information Commissioner gave assurances to UK lawmakers considering changes to the country’s national privacy legislation that they won’t jeopardize the adequacy decision made with the EU in 2021. The Data Protection and Digital Information Bill was once again proposed this spring by the Conservative government as an alternative to the GDPR that is more pro-innovation and less bureaucratic. External observers, however, are less certain, citing rulings by the ECHR that British mass intelligence collecting infringed private communications. 

Supporting documents assessing the impact of the Data Protection and Digital Information Bill can be seen here.


Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban https://techgdpr.com/blog/data-protection-digest-20022023-synthetic-data-for-fintech-excel-guide-palantir-technology-ban/ Mon, 20 Feb 2023 09:30:09 +0000

The post Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals

The UK Financial Conduct Authority, (FCA), issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case for synthetic data, in part due to its ability to augment rare patterns of behavior in a dataset. Whilst the data protection legislation places conditions on such data processing, the FCA emphasizes that data sharing between different entities, (eg, access to the real datasets, as well as synthetic transactional datasets with embedded fraud typologies), is possible under the current regulatory framework if at least one lawful basis is met, accompanied by built-in privacy by design, data protection impact assessments, data sharing agreements, and other legal requirements.

The European Parliament adopted the draft Data Act – new rules for fair access and use of industrial data. It would contribute to the development of new services, in particular in the sector of AI where huge amounts of data are needed for algorithm training. It can also lead to better prices for after-sales services and repairs of connected devices. When companies draft their data-sharing contracts, the law will rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies that are in a significantly stronger bargaining position. Finally, the proposed act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers.

The CJEU rendered two decisions regarding the procedures for dismissing data protection officers and their potential conflicts of interest, (under the German Federal Data Protection Law), insideprivacy.com reports. In the relevant cases, the DPO also handled other organisational duties in a professional capacity. The data controllers argued that since those positions were incompatible, (chair of the work council in one of the cases), the DPO’s dismissal was appropriate. The former DPO started a legal action which ended up in the EU top court. 

However, the CJEU determined that as long as the national laws do not undermine the goals set for DPOs under the GDPR, EU member states may require that DPOs be dismissed for “just cause”. It is also for the national courts to decide whether a conflict of interest existed taking into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in light of all the applicable rules, including any policies of the controller or its processor.”

Official guidance: MS Excel, research projects, free data protection tool, game developers

Bavaria’s data protection authority explains how to avoid data breaches when using Microsoft Excel. It is not uncommon for users to work with the program intuitively; contrary to its primary purpose, Excel is often used simply because Word does not offer enough columns. However, if there is personal data in an Excel workbook, improper handling of the application can easily trigger a data breach. Excel workbooks can contain multiple worksheets, (the number is only limited by the available memory), even if you don’t regularly work with such “multi-sheet” workbooks yourself. Be especially careful with Excel files created by others, as Excel workbooks can contain invisible worksheets, as well as hidden columns, rows, or even individual cells, comments, and metadata. It is worth remembering:

  • before sharing an Excel workbook with personal information, especially before attaching it to an email, make sure that you really want to share everything;
  • consider whether the recipient needs to process the file further; otherwise, send a PDF version, which can be checked for hidden data before sending;
  • if possible, consistently delete the worksheets that are no longer required;
  • before creating a new workbook with multiple worksheets, consider whether you can complete the task with multiple single-sheet workbooks;
  • consider whether you need Excel for the task to be completed or whether a “simple” resource, (eg, a word processing program), will suffice.

If not careful, an Excel data breach can trigger the reporting obligation under Art. 33 of the GDPR, and the notification obligation under Art. 34 of the GDPR.
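As an added example (not part of the Bavarian authority’s guidance, and not a tool it names), the check below opens an .xlsx file as the zip of XML parts it really is and reports the hidden worksheets, hidden rows and columns, cell comments and author metadata that the list above warns about. The sample workbook is constructed inline and every name in it is made up.

```python
"""Audit an .xlsx workbook for content that is easy to overlook before sharing:
hidden or "veryHidden" worksheets (the latter never appear in Excel's Unhide
dialog), hidden rows and columns, cell comments and author metadata."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"

# Constructed minimal workbook parts (made-up names, not a real export):
# one visible sheet, one veryHidden and one hidden sheet, a hidden column and
# row, one cell comment and creator/last-modified-by metadata.
SAMPLE_PARTS = {
    "xl/workbook.xml": f"""<workbook xmlns="{NS_MAIN}"><sheets>
      <sheet name="Summary" sheetId="1"/>
      <sheet name="Raw patient export" sheetId="2" state="veryHidden"/>
      <sheet name="Old list" sheetId="3" state="hidden"/></sheets></workbook>""",
    "xl/worksheets/sheet1.xml": f"""<worksheet xmlns="{NS_MAIN}"><cols>
      <col min="3" max="3" hidden="1"/></cols><sheetData>
      <row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>
      <row r="7" hidden="1"><c r="A7" t="inlineStr"><is><t>J. Doe</t></is></c></row>
      </sheetData></worksheet>""",
    "xl/comments1.xml": f"""<comments xmlns="{NS_MAIN}"><commentList>
      <comment ref="B2"><text><t>owes fees, see ID 4711</t></text></comment>
      </commentList></comments>""",
    "docProps/core.xml": f"""<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">
      <dc:creator>hr-admin</dc:creator><cp:lastModifiedBy>m.mueller</cp:lastModifiedBy>
      </cp:coreProperties>""",
}


def build_sample_xlsx(parts=SAMPLE_PARTS) -> bytes:
    """Zip the XML parts into an in-memory .xlsx container (enough for the audit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def _is_true(value) -> bool:
    return value in ("1", "true")


def audit_xlsx(data: bytes) -> dict:
    """Return everything a recipient could uncover that the sender may not see."""
    findings = {"hidden_sheets": [], "hidden_rows": [], "hidden_cols": [],
                "comments": [], "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        for name in sorted(names):
            if name.startswith("xl/worksheets/sheet") and name.endswith(".xml"):
                ws = ET.fromstring(zf.read(name))
                for col in ws.iter(f"{{{NS_MAIN}}}col"):
                    if _is_true(col.get("hidden")):
                        findings["hidden_cols"].append(
                            (name, int(col.get("min")), int(col.get("max"))))
                for row in ws.iter(f"{{{NS_MAIN}}}row"):
                    if _is_true(row.get("hidden")):
                        findings["hidden_rows"].append((name, int(row.get("r"))))
            elif name.startswith("xl/comments") and name.endswith(".xml"):
                comments = ET.fromstring(zf.read(name))
                for c in comments.iter(f"{{{NS_MAIN}}}comment"):
                    text = "".join(t.text or "" for t in c.iter(f"{{{NS_MAIN}}}t"))
                    findings["comments"].append((c.get("ref"), text))
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag, label in ((f"{{{NS_DC}}}creator", "creator"),
                               (f"{{{NS_CORE}}}lastModifiedBy", "lastModifiedBy")):
                el = core.find(tag)
                if el is not None and el.text:
                    findings["metadata"][label] = el.text
    return findings


def is_safe_to_share(findings: dict) -> bool:
    """True only when nothing hidden, no comments and no author metadata remain."""
    hidden = any(findings[k] for k in
                 ("hidden_sheets", "hidden_rows", "hidden_cols", "comments"))
    return not hidden and not findings["metadata"]


if __name__ == "__main__":
    result = audit_xlsx(build_sample_xlsx())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to share:", is_safe_to_share(result))
```

Run the audit on a real workbook by passing the file's bytes to audit_xlsx; a clean file returns empty lists and an empty metadata dict.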

Meanwhile, the Danish data protection authority has amended rules for deleting personal data at the end of research projects. Data controllers may have a legitimate need to process information for a period after the end of the investigation, (eg, for the purposes of peer review or countering accusations of scientific misconduct), so data should not always be deleted, anonymised, destroyed or returned at the end of a research project. Personal data can be transferred for storage in an archive in accordance with the rules in archive legislation. In addition, in some research areas, work is done with ongoing coverage of research fields, and building of relationships or data material, where it is not meaningful to talk about a project being “finished”. 

The Finnish data protection authority is promoting its data protection tool available as open source code to increase the data protection expertise of SMEs. You can familiarise yourself with the tool (in English) here. With the initial level test, the respondent can first check how well they control the basic issues of the data protection regulation. The role-mapping test helps the respondent to define what role the company plays in regard to the processing of personal data. Each role also has its own tests. The source code and content of the data protection tool are for free use, to further develop a company or industry-specific privacy tool or to produce new language versions, or even in commercial applications.

Finally, the UK Information Commissioner’s Office offers new guidance to game developers on protecting minors. The recommendations are based on the experiences and findings during a series of voluntary audits, (eg, on Yubo, Facepunch), of game developers, studios and publishers within the gaming industry: 

  • The age range of the players and the different needs of children at different ages and stages of development should be at the heart of how you design your games. 
  • Designing games to promote meaningful parent/guardian – child interactions, while setting a high level of privacy by default and appropriate parental controls is key.
  • It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing. 
  • It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.
  • Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents, and game providers.

Investigations and enforcement actions: employee emails monitoring, failed data subject requests at a sports center, HBNR and BIPA violations in the US, student data management

In Austria, the data protection authority found an employer’s monitoring of employee emails unlawful. Several complainants argued that the company, without their consent and knowledge, checked the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was the suspicion of a breach of trade secrets. The data protection authority came to the conclusion that the control measure, which only took place six months after the incident that gave rise to it, was not proportionate due to the lack of a temporal connection and timeliness. Plus, there was no valid consent from the works council.

The Norwegian data protection authority confirmed its fine of over 900,000 euros to Sats for breach of several provisions in the GDPR. The complaints were related to the company’s failure to comply with clients’ demands for access and deletion. Furthermore, the fitness centre chain lacked the authorisation to process data about the customers’ training history. Sats is the Nordic region’s largest fitness centre chain and has its head office in Norway. Therefore the Norwegian regulators dealt with the case in collaboration with other supervisory authorities under the so-called one-stop-shop mechanism.

In the US, the Illinois Supreme Court ruled that fast food chain White Castle System must face claims that it repeatedly scanned the fingerprints of nearly 9,500 employees without their consent, (to access a company computer system), which the company says could cost it more than 17 billion dollars. The Illinois Biometric Information Privacy Act, (BIPA), imposes penalties of 1000 dollars per violation and 5000 dollars for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans, and other biometric information from workers and consumers. 

Also in the US, the Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification, (HBN), Rule against the telehealth and prescription drug discount provider GoodRx Holdings, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. 

Since 2021, US health apps and smart products that collect or use consumers’ health information must comply with the HBN Rule. It ensures that entities not covered by the Health Insurance Portability and Accountability Act, (HIPAA), face accountability when consumers’ sensitive health information is breached. In the above case, GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with HIPAA.

The French privacy regulator CNIL gave formal notice to two higher education institutions to comply with the GDPR concerning files used for administrative and pedagogical management. Areas of non-compliance include data retention period, student information, use of subcontractors, and data security:

  • they had not provided a precise retention period for all processing of students’ personal data, nor had they provided for a purge and archiving system;
  • they do not properly inform students about the collection of their data via the various forms they fill out during their schooling;
  • they were not able to send the CNIL the duly signed data processing agreements with subcontractors;
  • they had no password policy to guarantee a minimum level of security in this area.

Data security: messaging apps

Privacy International issued a guide on communicating with others via messaging apps. Reportedly, there are two main aspects to consider: a) whether it offers end-to-end encryption that protects the content of your communication; and b) whether it collects any information beyond the content of the message, such as location, who you communicate with, and other details referred to as ‘metadata’. For sensitive conversations, it may be sensible to use disappearing messages if offered by your app, (however, it is unclear whether self-destructing messages are also recoverable by mobile phone extraction technology).

The use of E2EE for messaging should always be preferred over text messages, which are completely unencrypted, meaning they can be easily read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement. For example, Signal uses E2EE not only to encrypt the contents of messages but also to obscure all metadata even from itself. In contrast, both WhatsApp and Telegram store, and can access, IP addresses, profile photos, “social graphs”, and more.

Big Tech: Palantir technology ban in Germany, more Tik Tok data centers in Europe

A top German court ruled against the use of software developed by Palantir Technologies, saying that police use of automated data analysis to prevent crime in some German states was unconstitutional as it infringes on the right to informational self-determination. The US company’s technology has so far been employed, among other things, to look into the criminal organisation accused of plotting to overthrow the German government in December, Reuters reports. Palantir says it only offers software for processing data. However, the German Society for Civil Rights, which brought the lawsuit, claimed the software used data from innocent people to form suspicions and could produce errors.

TikTok plans to open two more data centers in Europe, (Ireland), hoping to lessen regulatory pressure on the business. Data migration for TikTok users in Europe will start this year and last until 2024. TikTok hasn’t been subject to the same hefty fines as Google and Meta in the EU. Now TikTok is attempting to reassure governments and privacy regulators that users’ personal information cannot be accessed and that its content cannot be altered by the Chinese government or anyone else working for Beijing. 

The company also reported an average of 125 million monthly active users in the EU, under the brand-new online content rules known as the Digital Services Act. For comparison, Twitter says it has 100.9 million. Alphabet – 278.6 million at Google Maps, 274.6 million at Google Play, 332 million at Google Search, 74.9 million at Shopping, and 401.7 million at YouTube. Meta Platforms claims 255 million on Facebook and about 250 million on Instagram.


Data protection & privacy digest 1 – 15 Dec 2022: draft US adequacy decision, Microsoft ‘data boundary’ for the EU, Age-appropriate design code https://techgdpr.com/blog/data-protection-digest-16122022-draft-us-adequacy-decision-microsoft-data-boundary-for-the-eu-age-appropriate-design-code/ Fri, 16 Dec 2022 09:52:52 +0000

The post Data protection & privacy digest 1 – 15 Dec 2022: draft US adequacy decision, Microsoft ‘data boundary’ for the EU, Age-appropriate design code appeared first on TechGDPR.

In this issue, you will find updates on the draft US adequacy decision, Standard Data Protection Model, HIPAA rules, multimedia boxes security, code of practice for app market, Microsoft ‘data boundary’ for the EU, Apple’s E2EE, and more.

Legal processes: draft US adequacy decision, EDPB’s binding decisions, draft AI Act

The EU issued a draft adequacy decision for the United States, saying US safeguards against America’s intelligence activities were strong enough to address EU concerns on data transfers. Previously, personal data could be freely sent to the US through the Privacy Shield framework, but this framework was abolished by the CJEU in the Schrems II judgment. Earlier this year, after negotiations with the European Commission, US President Joe Biden introduced a new EU-US Data Privacy Framework and signed a new law to comply with the CJEU decision. 

The Commission is now to submit the US adequacy decision to the European Privacy Council, which will state whether privacy is adequately safeguarded. The European Parliament will also scrutinise the decision. The Commission must then obtain the approval of all EU countries to formally approve the new mechanism, (probably in the first half of 2023). The decision will come into force once the US has fully implemented the new legislative changes. Finally, users will be able to challenge the decision via national and European courts. It is worth noting that:

  • The new adequacy mechanism will not apply to all transfers to the US; instead, it will apply to transfers to US organisations that have chosen to participate in the scheme. 
  • It will probably become easier to transfer personal data to the US in general if a common transfer tool, such as the new EU SCCs, is used. 

A CJEU ruling upheld the EDPB’s role and authority to arrive at a collective decision under the GDPR’s consistency mechanism. The court stated that the action for annulment brought by WhatsApp Ireland against the EDPB binding decision is inadmissible. The decision led to a 225 million euro fine from Ireland’s Data Protection Commission, (DPC). It is now up to the Irish court to review the legality of the final decision of the Irish regulator. In 2021 the EDPB resolved a dispute on a draft decision of the DPC concerning WhatsApp Ireland’s GDPR transparency obligations to users and non-users of the service.  

The European Council has adopted its common position on the Artificial Intelligence Act ahead of official negotiations with the Parliament. It aims to ensure AI systems placed and used on the EU market are safe and respect existing laws, including relevant data protection. Since AI systems are developed and distributed through complex value chains, the text includes changes clarifying the allocation of responsibilities and roles of the various actors in those chains, particularly providers and users of AI systems. Several new provisions have been added:

  • where AI systems can be used for many different purposes, (general-purpose AI), and are subsequently integrated into another high-risk system, consultations and detailed impact assessments considering the specific characteristics of general-purpose AI systems and related value chains would be applicable;
  • obligation for users of an emotion recognition system to inform natural persons when they are being exposed to such a system;
  • prohibition on the use of AI for social scoring by private actors;
  • some exclusions for national security, research, and development. 

Certain users of high-risk AI systems that are public entities will also be obliged to register in the EU database for such systems. The future AI act provides penalties, with proportionate caps on administrative fines for SMEs and start-ups, and a new complaint mechanism. 

Official guidance: standard data protection model, use of cookies, wrongful credit information, age-appropriate design code, HIPAA rules

The German Federal data protection commissioner updated the Standard Data Protection Model, (SDM), to provide suitable mechanisms to translate the legal requirements of the EU GDPR into technical and organisational measures. In particular, the new SDM first records the legal requirements of the GDPR and then assigns them to the protection goals of data minimisation, availability, integrity, confidentiality, transparency, risk assessment, and more. You can read the SDM 3.0 new version here.

The Croatian data protection authority AZOP issued a reminder on the use of cookies. Although the e-Privacy Directive stipulates the need for voluntary and informed consent to store or access cookies, the practical application of legal requirements differs in EU member states. Currently, observed implementations are based on one or more of the following practices:

  • an immediately visible notification that the website uses various types of cookies or similar technologies, with layered access to information that usually offers a link or a series of links where the user can learn more about the cookies used,
  • information on how users can indicate and later withdraw their preferences regarding cookies, including information about the action required to express such a preference,
  • the mechanism by which the user can decide to accept all or some or refuse cookies,
  • the possibility for the user to subsequently change the previous preference.

However, some cookies can still be exempted from informed consent under certain conditions, and only if they are not used for additional purposes:

  • cookies for user input, (session ID), for the duration of the session or permanent cookies in some cases limited to a few hours,
  • authentication cookies, which are used to authenticate the services, during the session,
  • user-oriented security cookies, used to detect authentication abuse, limited persistent duration,
  • multimedia content session cookies, (such as flash players), during the session,
  • session cookies for more balanced loading, for the duration of the session,
  • cookies for customizing the user interface for the duration of the session, (or a little longer),
  • cookies for sharing the content of social networks/third parties for the login of their members. 

Finally, third-party marketing cookies cannot be exempted from consent, including for operational purposes related to third-party advertising, such as frequency limiting, financial records, ad matching, click fraud detection, research and market analysis, product improvement, and troubleshooting.

The Latvian data protection authority DVI explains what to do if, as a result of illegal activities, information is included in the database of a credit bureau. In the specific case, the regulator was approached by a person who was refused a loan for the purchase of a home, on the basis that the database of the credit information office contained information about her outstanding debts: loans she had not applied for. 

  • If a person finds that a database contains information about debts that they did not undertake, they can ask the creditor to limit the processing of data, including the transfer of this data to the credit information bureau. 
  • In practice, the restriction means that debt data will not be deleted, but it will also not be made available to other persons.
  • The person must attach evidence to the request that they have tried to resolve the matter on its merits, for example, a criminal case has been initiated.
  • Upon receiving a person’s request, the lender must assess whether it is justified.
  • Until the question of the validity of the loan is examined, the person can request a temporary settlement from the lenders, making a note in the database.

The Future of Privacy Forum released a brief comparing California and the UK Age-appropriate design codes. The California code of practice is a first-of-its-kind privacy-by-design law in the US which is set to become enforceable on 1 July 2024. It was modeled on the UK’s version and represents a significant change in the regulation of the technology industry and how children will experience online products and services. It follows 15 standards laid down in the UK law, including the “best interests of the child” standard, age assurance, default settings, parental controls, enforcement, and data protection impact assessments. The UK ICO has also published design tests to support designers of the products or services, that are likely to be accessed by children or young people.

The US Department of Health and Human Services highlighted the obligations of the Health Insurance Portability and Accountability Act, (HIPAA), on covered entities and business associates when using online tracking technologies, (Google Analytics, Meta Pixel), on webpages and apps with or without user authentication. Some entities regularly share electronic protected health information, (PHI), with online tracking technology vendors and some may be doing so in a manner that violates HIPAA rules. For instance:

  • HIPAA does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures. 
  • Regulated entities must ensure that all tracking technology vendors have signed a Business Associate agreement and that there is applicable permission before the disclosure of PHI.
  • If the vendor is not a business associate of the regulated entity, then the individuals’ HIPAA-compliant authorisations are required before the PHI is disclosed to the vendor.  
  • Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorisation. Read the full guidance here.

Investigations and enforcement actions: census data, diligence in choosing the subcontractor, social audio app, employee’s health data, multimedia boxes security, WC area surveillance

Portugal’s regulator, the CNPD, concluded that the National Institute of Statistics committed five administrative offenses, for violations of the GDPR, within the scope of the 2021 census operation, and imposed a fine of 4.3 million euros. The CNPD decided that the organisation processed personal data relating to health and religion unlawfully. It failed to fulfill its duties of informing respondents of the census questionnaire, violated the duties of diligence in choosing the subcontractor, infringed the legal provisions relating to the international transfer of data and failed to comply with the obligation to carry out a DPIA relating to the census operation. In particular, choosing a subcontractor, (Cloudflare, Inc), despite the existence of a company office in Lisbon, meant the contract was with a US-based company under the jurisdiction of the California Court. It allowed the transit of personal data through any of the company’s 200 servers outside the European Economic Area. The contract contained the standard contractual clauses approved by the European Commission for the transfer of personal data to the US, without providing for any of the additional measures preventing access to data by third-country government entities that the CJEU’s Schrems II judgment requires.

The Finnish data protection authority imposed an administrative fine of 230,000 euros on Viking Line for violations related to the processing of employees’ health data. A former employee complained that he had not received all the personal information requested, which was stored in the company’s systems. The regulator found out that:

  • Viking Line had stored his health information in the personnel management system for 20 years. 
  • Among other things, this included diagnosis information in connection with information about sickness leave. 
  • Some of the stored diagnosis information was incorrect, as it was not possible to enter all existing diagnosis codes into the system. 
  • Storing diagnosis information together with other information related to the employment relationship was against the law.

The French regulator CNIL imposed a penalty of 300,000 euros against telecoms company FREE, in particular for not having respected the rights of individuals and the security of its users’ data. Checks revealed several shortcomings, in particular in the rights of the persons concerned, (right of access and right of erasure), and data security, (low strength of passwords, storage and transmission of passwords in plain text), and the recirculation of approximately 4,100 poorly refurbished “Freebox” multimedia boxes. The technical and organisational measures of the reconditioning process did not prevent around 4,100 Freeboxes held by former subscribers from being reallocated to new customers without the data stored there having been properly deleted. This data could be photos, home videos, or recorded television programs.

Finally, the Danish data protection agency has reported Danske Shoppingcentre P/S to the police for not having sufficiently restricted TV surveillance in at least one toilet area in a shopping centre. The regulator has recommended a fine of 47,000 euros. Danske Shoppingcentre explained that there had been problems with, among other things, vandalism in the toilets, and that it had therefore set up TV surveillance to prevent vandalism and theft as well as ensure security for customers. The company had a technical solution with a black marking on the camera to mask the urinal. However, it did not provide sufficient masking, contrary to the principle of data minimisation. 

Data security: code of practice for app market, risk-based audit, phishing infographic, EU healthcare sector resilience

The UK ICO has completed the Rowan Learning Trust, (school-to-school support), voluntary audit on a risk-based analysis of the processing of personal data. The key elements of this are a desk-based review of selected policies and procedures, remote interviews with selected staff, and a virtual review of evidential documentation. The audit revealed that:

  • Data protection compliance is currently not discussed routinely in any local groups or at the board level across the trust. 
  • Compliance information is not reported to senior management. 
  • The trust should also implement a new data protection policy with supporting documentation and ensure that staff are aware of and understand the contents.
  • There is currently no mandatory data protection training in place for the staff. 
  • The trust does not have a Record of Processing Activity document. 
  • There is currently no oversight of Records Management and operational responsibility assigned.
  • The trust has not conducted an information audit, so does not have an understanding of all of the information that is held and how it flows across the trust.
  • There are currently no compliance checks carried out across the trust to ensure that physical and electronic records are destroyed in line with their retention periods.

The UK government has published a voluntary Code of Practice to strengthen consumer protections across the app market. The government will work with the biggest operators and developers to support them in implementing the voluntary code over a nine-month period. Under the code, app store operators and developers will need to:

  • share security and privacy information in a user-friendly way with consumers, (eg, when an app and its updates are made unavailable on an app store, or the locations of users’ data);
  • allow their apps to work even if a user chooses to disable optional permissions, such as preventing the app from accessing a microphone or the user’s location;
  • provide clear feedback to developers when an app is not published for security or privacy reasons;
  • have a vulnerability disclosure process in place, so software flaws can be reported and resolved without being made publicly known for malicious actors to exploit;
  • ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps.

America’s CISA published a Phishing Infographic to help protect both organisations and individuals from successful phishing operations. This infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The infographic also provides detailed actions organisations and individuals can take to prevent successful phishing operations—from blocking phishing attempts to teaching individuals how to report successful phishing operations. 

The European Union Agency for Cybersecurity released the after-action report of the 2022 edition of Cyber Europe, the cybersecurity exercise testing the resilience of the European Healthcare sector. It featured a disinformation campaign of manipulated laboratory results and a cyber attack targeting European hospital networks. The scenario provided for the attack to develop into an EU-wide cyber crisis with the imminent threat of personal medical data being released and another campaign designed to discredit a medical implantable device with a claim on vulnerability. 

Big Tech: Microsoft ‘data boundary’ for the EU, Apple’s end-to-end encryption, Amazon buying customer data

Microsoft says its EU cloud customers will be able to process and store their data in the region from January. It will apply to all of its core cloud services – Azure, Microsoft 365, Dynamics 365 and Power BI platform. For many companies, data storage has become so large and distributed across so many countries that it becomes difficult for them to understand where their data resides and if it complies with the GDPR. The latest criticism of Microsoft 365 cloud services was recently expressed by the German data protection regulators, while the French ministry of national education has urged schools in the country to stop using free versions of Microsoft 365, (and Google Workspace), amid privacy concerns.

In the meantime, Apple unveiled a range of security and privacy enhancements. Users will be given the option to encrypt more of the data they back up to their iCloud using end-to-end encryption. The encryption key, or the code used to gain access to that secure data, will be stored on the device. That means that if a user who opts into this protection loses access to their account, they will be responsible for using their key to regain that access – Apple will no longer store the encryption keys in iCloud. The change will not apply to all data – email, contacts, and calendar entries will not be encrypted. Users will have to voluntarily opt into the feature. 

Finally, some Amazon users will now earn 2 dollars per month for agreeing to share their traffic data with the retail giant, Businessinsider reports. Amazon is keeping track of which advertisements participants viewed, where they saw them, and what time of day they were viewed as part of the business’s new invite-only Ad Verification program. Both Amazon’s own and third-party platform advertisements fall under this category. Only customers who were invited to participate in the program will be eligible for the reward; however, those who were not invited can join a waiting list.

Weekly digest November 8 – 14, 2021 “Privacy, DP, and Compliance news in focus” https://techgdpr.com/blog/weekly-digest-november-8-november-14-2021-privacy-dp-and-compliance-news-in-focus/ Tue, 16 Nov 2021 07:55:43 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU commission warned Belgium about failing to ensure full independence of its data protection authority. The Commission considers that Belgium violates Art. 52 of the GDPR, which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation. However, some members of the Belgian data protection authority currently cannot be regarded as free from external influence because they either report to a management committee depending on the Belgian government, or they have taken part in governmental projects on COVID-19 contact tracing, or they are members of the Information Security Committee. Belgium now has two months to take relevant action, failing which the Commission may decide to refer the case to the Court of Justice of the European Union.

The Dutch regulator, the AP, asks legislators to vote down the proposal for the Data Processing by Partnerships Act, (WGS). In its current version it gives government organizations and private parties very broad powers to share personal data with each other, for example, in cases of suspicion of fraud or organized crime. According to the AP, this can have major consequences for people who end up “on the wrong list” or create a risk of “mass surveillance”. The purpose of the partnerships to share, store and analyze personal data on a large scale is not defined clearly enough in the bill, the AP states. According to the government, every partnership concerns “weighty general interests”, such as “monitoring the proper functioning of the market”. The WGS concerns broad categories of data – social security numbers, living situation, residence status, financial data, police data and even data about sexual behaviour. Moreover, it is not only about people’s personal data, but also their family and friends, the AP notes. Read the regulator’s opinion, (in Dutch), here.

A three billion pound class action against Google over tracking millions of iPhone users has been blocked by the UK’s top court. Legal experts said the decision meant the “floodgates” remained closed to US-style representative actions on data breaches and cyber incidents in England and Wales. The Supreme Court has upheld Google’s appeal in Lloyd v Google, limiting the ability for individuals to recover damages for simple loss of control of their personal data. Richard Lloyd, a consumer rights activist, claimed Google illegally misused the data of 4 million iPhone users by tracking and collating their internet usage on their handsets’ Safari browser in 2011 and 2012, even when users were assured they would be opted out of such tracking by default. The Supreme Court found that a claim for damages under the Data Protection Act 1998, (which precedes the UK GDPR), required proof of damage in the form of either material damage, such as financial loss, or mental distress. Relevant factors could include the time period, the quantity and nature of data captured, how that data was used and what commercial benefit there was to Google in processing it. In the absence of any evidence, an individual is not entitled to compensation. Read the full decision here.

Official guidance

A new White Paper on digital payments and data privacy was published by the French regulator, the CNIL (in French). Payment data can make it possible to trace personal activities or to identify the behavior of individuals, creating a complex area of compliance for DP specialists. The Paper distinguishes between terms “payment data”, “purchase data”, “contextual” (behavioral) data, “silent party” data, “highly personal nature” (biometric) data. The CNIL considers that only authentication, and not identification, is necessary for merchants and other payment recipients. Qualifying the actors also could be the key: “Criteria such as direct contact with the data subject to subsequent re-use of data for their own account can be used in determining whether an actor should be considered a data controller or data processor.”

Some other criteria include data minimisation, careful selection of third party recipients, location of payment data storage and international data transfers, and determining a specific purpose for each data processing activity, ranging from legitimate interest, (eg, for security or fraud prevention), or consent of the user to legal obligations, (eg, for compliance with anti-money laundering laws). For the latter, the CNIL stresses that data protection is only part of the regulatory framework applicable to payment data in the EU, which also includes the Payment Services Directive, the Anti-Money Laundering Directive, and the Network Information Security Directive. Finally, for security reasons, the CNIL promotes “tokenization”, the method of substituting payment data with randomly generated, single-use tokens, on which the regulator will soon publish additional recommendations.

The CNIL also developed an awareness guide, (in French), to the GDPR to support associations in their compliance. Its objectives: to reiterate the main principles, (benchmarks), to respect, and to propose an adapted action plan. France has a particularly rich network of associations, listing more than 1.3 million bodies with various profiles, both in terms of size and sectors of activity, (charitable, political, sporting, social). Most of them collect a lot of information, sometimes sensitive, which concerns various audiences – their members, partners, employees, volunteers or even donors. The guidance includes a variety of steps to be taken: keeping records of processing activities, transparent privacy notices, consent mechanisms and licit cookie banners on the websites, direct advertising, (including charitable prospecting), compliance, prohibition on tracking criminal history of workers and volunteers, running DPIA, data breach notification, establishing a checklist of basic technical and organisational measures, and much more.

Enforcement actions

The Dutch regulator, the AP, has imposed a 400,000 euro fine on Transavia airline for failing to protect personal data. Poor security allowed a hacker to penetrate Transavia’s systems in 2019, granting access to the data of 25 million people. It has been established that the hacker downloaded personal data of about 83,000 people: name, date of birth, gender, e-mail address, telephone number and flight and booking details, as well as some medical data. Security was not in order on three points:

  • The password was easy to guess and was enough to get into the system. 
  • There was no so-called multi-factor authentication. 
  • Once the hacker took control of these two accounts, they also had access to many of Transavia’s systems. The access was not limited to only the necessary systems.

The hacker penetrated the system in September 2019. Two months later Transavia closed the leak. The airline reported the data breach in a timely manner and informed those involved.

In Italy, the Court of Cassation upheld data protection regulator Garante’s decision to fine C.S. Group 60,000 euros. The C.S. Group, a car-sharing company, lodged a complaint against the fines for failure to notify the processing of the rented vehicles’ geolocation data and of their profiling of customers. The C.S. Group denied that the use of an algorithm to calculate tailored discounts based on additional information provided by customers could be framed as profiling, and requested the redetermination of the sanctions. The court rejected the complaint and confirmed the fines, highlighting that “processing personal data by means of an algorithm is in itself profiling, even when personal data is not stored indefinitely and is not associated with an individual customer, since it constitutes a screening of the data provided, in order to evaluate personal aspects and possibly to predict future behaviour”.

Luxembourg’s CNPD imposed corrective measures on a company for DPO-related violations (Art.37-39 of the GDPR). The company violated its obligations to communicate the data protection officer’s contact details to the supervisory authority, and also failed to ensure that other tasks – current or past – carried out by the DPO did not result in a conflict of interests with their role as a DPO. The investigation showed that the DPO was also Head of Compliance and Money Laundering Reporting Officer, and in such a role could determine the purposes and means of processing of personal data, which contradicts the independent role of the DPO. The court also states that there were no immediate measures to mitigate the risk such as parallel appointment of a deputy DPO, (outside the AML department) who would be in charge of such cases. No administrative fine in this case was imposed.

The Irish data protection authority brought in some changes to its breach notification form. Here are some of the updates for controllers and processors:

  • confirming whether the breach is likely to result in a risk to the rights and freedoms of natural persons, (eg, whether the breach reaches the risk threshold), and whether the breach falls under the Law Enforcement Directive. 
  • determining whether the breach relates to cross-border processing and related questions including details of the controller’s establishments, location of affected data subjects and whether they are “substantially affected”. 
  • classifying the controller’s industry sub-sector according to Eurostat NACE criteria. 
  • choosing the approximate numbers of data subjects from bands (1-10, 11-100).
  • detailing existing TOMs and other measures to mitigate the risk.
  • uploading supporting documents.
  • declaring, (controllers), the understanding that any information provided in the breach notification may be utilised at a future date in relation to an inquiry.

Individual rights

UK-based Privacy International continues to investigate data-related issues in the digital health sector. PI and its partners question whether adopting a given digital solution leads to more effective delivery of quality care. One of the negative outcomes is in places where digital infrastructure is still developing, (eg, India), where the time lag between data collection and digitisation can take up to 72 days, which negatively impacts patients: “Such delays not only call into question the effectiveness of the system, but also raise serious questions as to the safety of the data awaiting to be digitised, ranging from storage to access – as well as participating staff know-how and awareness of data protection obligations.”  

However, similar failures may occur even in digitally progressive countries, (eg, non-functional Track and Trace QR code alert systems in the UK, or the NHS England Covid app outage). At the same time, data protection authorities have limited expertise and resources to effectively advise on the deployment of such systems in the health sector. PI also worries about the absence of proper impact assessment of the security of personal health data in centralised digital systems used by government agencies, or private-public partnerships in the UK, (eg, between NHS and Amazon), and worldwide. Read the full analysis by PI here.

Data security

Europol has published its Internet Organised Crime Threat Assessment 2021. The report states the rise of ransomware crews deploying multi-extortion methods by exfiltrating victims’ data and threatening to publish it. Such modi operandi could include, for example, cold calling victims’ clients, business partners and employees with the purpose to commit investment fraud. In addition, many of the ransomware affiliate programs deploy DDoS attacks against their victims to pressure them into complying with the ransom demand. “Personal information and credentials are in high demand as they are instrumental in improving the success rate of all types of social engineering attacks. Unfortunately, the market in personal information flourishes as ransomware and mobile information stealers produce an abundance of marketable material as a by-product of the primary attack.”

Criminals have also realised how much potential there is in compromising digital supply chains: organisations need to grant network access to update distributors, which makes these third-party service providers an ideal target. According to Europol, one of the solutions would be to intensify public-private partnerships (e.g. expertise and information sharing with financial institutions can help to obtain data on cybercriminals and to rapidly freeze their criminal proceeds).

Opinion

Constant monitoring of workers and setting performance targets through algorithms is damaging employees’ mental health and needs to be controlled by new legislation, according to a group of UK MPs. Under the proposed act, workers such as delivery drivers (who have to log most of their activity on shifts, sometimes while driving) would be given the right to be involved in the design and use of algorithm-driven systems, where computers make and execute decisions about fundamental aspects of someone’s work, including in some cases the allocation of shifts and pay. The parliamentary group’s report also recommended that corporations and public sector employers complete algorithmic impact assessments, and that the new umbrella body for digital regulation be expanded. Read more analysis of the proposal by the Guardian.

Big Tech

WhatsApp Ireland, owned by Meta, has secured permission from the High Court to challenge the Data Protection Commission (DPC)’s decision to fine it 225 million euros. Last August the DPC held that the messaging service had failed to comply with its obligations under the GDPR in several respects: WA’s processing of data of users and non-users of the service, and the sharing of personal data between WA and Meta companies. WA also seeks declarations from the court, including that certain provisions of the 2018 Data Protection Act are invalid and incompatible with the State’s obligations under the European Convention on Human Rights. Namely, WA argues, the 2018 Act allows the DPC to engage in a form of administration of justice that is not permissible and is contrary to the Irish Constitution. Finally, the size of the fine constitutes an interference with WhatsApp’s constitutional property rights, WA claims.

Meta plans to remove detailed ad-targeting options that refer to “sensitive” topics, such as ads based on interactions with content around race, health, religious practices, political beliefs or sexual orientation. In its blog post, the company gave examples of targeting categories that would no longer be allowed on its platforms, such as “Lung cancer awareness”, “World Diabetes Day”, “LGBT culture”, “Jewish holidays” or political beliefs and social issues. It said the change would take effect starting January 19, 2022. However, advertisers (small businesses, non-profits, and advocacy groups) on Facebook and other platforms can still target audiences by location, use their own customer lists, reach custom audiences who have engaged with their content, and send ads to people with similar characteristics to those users.

Beginning in 2022, Apple and Google will impose new privacy requirements on mobile apps in the Apple App Store and Google Play Store, a publication by the National Law Review reminds consumers. Apple’s new account deletion requirement will apply to all mobile app submissions to the Apple App Store beginning January 31, 2022. Similarly, Google’s new Data Safety section will launch in February 2022, and app developers will be required to submit Data Safety forms and privacy policies to the Google Play Store by April 2022. These announcements have encouraged mobile app developers to review any laws that may require them to retain certain types of data, and to make sure that their apps clearly explain what data the app collects, how the app collects it, all uses of the data, and the app’s data retention and deletion policies.

The post Weekly digest November 8 – 14, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.