automotive Archives - TechGDPR https://techgdpr.com/blog/tag/automotive/

Data protection digest 2 – 16 Oct 2024: knowing your processors and sub-processors, automated driving, election technologies
https://techgdpr.com/blog/data-protection-digest-17102024-knowing-your-processors-and-sub-processors-automated-driving-election-technologies/
Thu, 17 Oct 2024 09:32:40 +0000

Reliance on processors and sub-processors

The EDPB has issued an opinion on the interpretation of certain duties of controllers relying on processors and sub-processors, arising from Art. 28 of the GDPR, as well as on the wording of controller-processor contracts. In particular, controllers should have information on the identity of all processors and sub-processors readily available at all times, regardless of the risk associated with the processing activity. To this end, the processor should proactively provide the controller with this information and keep it up to date at all times.


More legal updates


Scaling up user tracking: The EDPB also clarifies the applicability of the ePrivacy Directive to emerging tracking solutions. It explains several key elements, namely ‘information’, ‘terminal equipment of a subscriber or user’, ‘gaining access’ and ‘storage of information’. For instance, ‘information’ covers both non-personal and personal data, regardless of how the data was stored and by whom (a third party, the user, the manufacturer, or any other scenario).

Also, it would be incorrect to conclude that a third party does not require consent to access information on the user's device simply because it did not store that information itself. The consent requirement applies even when only a read-only value is accessed (e.g. requesting the MAC address of a network interface via the OS API). It applies to a non-exhaustive list of use cases including URL and pixel tracking, local processing, tracking based on IP address only, intermittent and mediated Internet of Things reporting, and unique identifiers.

Legitimate interest assessment: The CJEU’s recent decision that legitimate interests can cover purely commercial interests is now being followed by new EDPB guidelines. For processing to be based on legitimate interest, three cumulative conditions must be fulfilled: a) the pursuit of a legitimate interest by the controller or by a third party; b) the need to process personal data for the legitimate interest(s) pursued; and c) the interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party. The assessment should be done before carrying out the relevant processing activity, with special attention when the data subjects are children.

Consent management in Germany


The German government has tabled a new regulation on cookie consent management. It establishes a recognised consent management service, intended to provide a user-friendly alternative to the multitude of individual decisions that end users have to make through cookie banners. The aim is to strengthen trust in such services through a recognition procedure by an independent body. For providers of digital services, this process offers a way to request and store consent “without having to disturb the end user” by displaying the consent banner each time. Read further technical modalities in the original publication (in German).

AI programming assistants

As AI usage continues to intensify, AI programming assistants have already spread to numerous public and private entities. These tools are being employed at different stages of the software development process – primarily to generate source code, to help developers familiarise themselves with the source code of new projects, or to generate tests and documentation. The French and German information security agencies (ANSSI and BSI) have prepared joint recommendations (in English) on the risks associated with the use of AI programming assistants, with concrete mitigation measures: internal security guidelines, training, instructions on permissible tools and data usage, and risk and success assessments.

More official guidance

Children and the digital environment: The Spanish regulator AEPD stresses the importance of having an age verification system in which the burden of proof is on the person who is of the age required to access the content, and never on the minor. The system does not need to verify a specific age or date of birth, but only that the established age threshold has been exceeded. By default, these measures protect minors from the risks related to accessing adult content, such as contact with people who may put them in danger, the contracting of products and services, the monetisation of their data, and the incitement of addictive behaviours that affect their physical or mental integrity.

Data protection audit framework: A new toolkit from the UK Information Commissioner’s Office (ICO) helps organisations assess their compliance with some of the key requirements under data protection law. Data controllers, auditors or data protection specialists may use it for various purposes, such as creating a privacy management programme, auditing existing practices against the ICO’s expectations, improving those practices, recording and tracking progress, or increasing senior management engagement and privacy awareness across the organisation.


Automated driving: Several data protection authorities in Germany are consulting with Volkswagen AG about new types of data processing. Volkswagen intends to use sequences of sensor and image data of the environment from customer vehicles to further develop driver assistance systems and automated driving functions more quickly and continuously as key technologies for improving road safety. From the fourth quarter of 2024, the company plans to start triggering the extraction of such data and processing it in some vehicle series – initially only in Germany – based on predetermined, narrowly defined scenarios, subject to the consent of vehicle users. 

Enforcement decisions

US hotels fine: America’s FTC is taking action against Marriott and Starwood over multiple data breaches between 2014 and 2020 that affected more than 344 million customers worldwide. Marriott and Starwood failed to implement appropriate password controls, access controls, firewall controls or network segmentation, to patch outdated software and systems, to adequately log and monitor network environments, and to deploy adequate multifactor authentication. In addition to monetary and other penalties (including certifying compliance to the FTC annually for 20 years), the companies must now provide a method for consumers to request a review of unauthorized activity in their loyalty rewards accounts and restore any loyalty points stolen by malicious actors.

“Afraid of answering the phone”: The UK Information Commissioner meanwhile issued hefty fines to two companies for predatory marketing campaigns, often targeting elderly people with dementia. These calls were made to people who had explicitly opted out of receiving marketing communications. Some individuals were subjected to repeated phone calls, attempting to pressure them into buying warranties for white goods, such as fridges and washing machines, that they did not need. 

To that end the ICO is encouraging the public to take proactive steps to safeguard their loved ones: a) look out for rogue direct debits being paid for unknown reasons, b) ensure they are registered for the TPS, which provides a free and easy way to opt out of unwanted marketing calls, c) if they are still receiving unsolicited marketing calls despite opting out, report these incidents to the regulator without delay.


‘Deposit and return’ app


The Danish data protection authority has investigated Dansk Retursystem’s app “Pant” (a deposit and return system for bottles and cans). The app allegedly processed users’ financial information. The investigation showed that it has a built-in component that needs to obtain the user’s account information in order to pay money out to the right account. But the component, which is made available by a third party, can also collect information about the user’s balances, identity information, transaction history, etc.

If an app’s APIs allow the processing of more personal data than is necessary for its intended use, the authority can issue a warning for non-compliance. This applies in particular to APIs and services obtained from an external supplier.

Data security

Police access to personal data: The CJEU has ruled that police access to data contained in a mobile telephone is not necessarily limited to the fight against serious crime. The review must strike a fair balance between the legitimate interests relating to the investigation and the fundamental rights. Such access must, moreover, be subject to a prior review carried out either by a court or an independent administrative authority. The data subject must be informed of the grounds on which the authorisation to access their data is based, as soon as the communication of that information is no longer liable to jeopardise the investigations. 

Meta AI avoiding the EU market: Meta has introduced its AI assistant in the UK and Brazil after launching it in the US and Australia. However, because of strict regulations in the EU, services are still not available there. Users must complete an objection form found in the privacy settings of their applications if they would like to prevent Meta from using their Instagram and Facebook posts to train its AI models, The Guardian reports. Users of Meta’s AI products, however, are unable to prevent the Llama model from being trained and improved by their interactions with the AI tools.

Election technologies

Electors’ data: When it comes to elections around the world, we find ourselves in a terrain that is more and more populated by digital technologies, (Biometric Voter Registration, Electronic Voter Identification, and Result Transmission), explains Privacy International. This calls for changing customs and procedures to guarantee free, fair, and transparent elections. Election observers must also learn new techniques and abilities. Use of biometric information should only occur when it is required to properly identify or authenticate voters. It must be kept safe, apart from other information, and not on any publicly accessible record where access may be purchased.

If the digital system fails, backup plans should be in place, such as distributing hardcopy registers to voting locations. No further use of the collected data, including sharing with law enforcement or security agencies, is permitted. The lowest possible access level should be the default setting. Modern encryption and secure data channels should be used for transmission. When there is less than 100% internet coverage across all stations, for example, a backup mechanism, like using satellite phones, should be provided. 

Party political use of personal data: Finally, on a related item, ahead of the recent UK General election NGO The Good Law Project asked its supporters to contact all Britain’s political parties requesting they stop processing their personal data, (eg, political parties can combine the electoral roll with other data for targeting campaigns), and refrain from using it. Every party complied except for Nigel Farage’s Reform Party. The NGO has sent Reform a pre-action protocol letter warning them they are breaking the law.

Data protection digest 18 – 31 Oct 2023: “Pay or Okay” – Will Meta new subscription model survive the GDPR test?
https://techgdpr.com/blog/data-protection-digest-02112023-will-new-subscription-model-of-meta-survive-the-gdpr-test/
Thu, 02 Nov 2023 11:44:48 +0000

In this issue, we look at Meta’s new ads-free subscription model as the corporation runs out of available legal grounds for tracking and profiling people in the EU for targeted advertising, while being banned from using contract law and legitimate interest as justification.

Meta subscription model vs GDPR

Meta platform’s latest announcement of ads-free paid services in Europe is now challenged by the EDPB’s urgent binding decision. At the request of the Norwegian privacy regulator, Meta will soon be banned from using the legal bases of contract and legitimate interest for tracking and profiling users for ad targeting across the entire EEA. The EDPB takes note of Meta’s new proposal to rely on a consent-based subscription model as a legal basis instead. The lead Irish Data Protection Commission is currently evaluating this together with the concerned supervisory authorities (who have already expressed serious doubts).

Meta has just announced that it will offer people in the EU, EEA and Switzerland the choice to pay a monthly subscription to use Facebook and Instagram without any ads. Meanwhile, advertisers will be able to continue running personalised advertising campaigns in Europe to reach those who choose to continue to receive a free, ad-supported online service. Meta believes the above subscription model (“pay or agree”) is a valid form of consent for an ads-funded service, anticipating the requirements of the European privacy regulators and the recent CJEU ruling.

Legal processes

America’s AI Action: President Biden issued a comprehensive Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. The most sweeping actions compel the most powerful AI system developers to disclose their safety test findings and other key information to the US government. It promotes advancing the responsible use of AI in education as well as healthcare and the development of affordable and life-saving drugs. The document also promotes best practices to mitigate harms and maximize benefits of AI for workers and customers. Finally, it emphasizes the responsible government deployment of AI and modernization of the federal AI infrastructure. 

Biden’s Administration will continue to collaborate with Congress to pursue bipartisan legislation for responsible innovation. The US Department of Commerce, along with the National Institute of Standards and Technology and other federal players will be responsible for carrying out the EO’s objectives. 

Draft EU AI Act: Meanwhile, the EDPS issued its opinion on the Artificial Intelligence Act as discussions between the EU’s co-legislators reach the final stages. It calls for a ban on certain high-risk AI uses, such as the automatic recognition of human characteristics and other behavioural signals in public spaces, as well as profiling based on biometric traits. The EDPS is prepared to serve as the EU’s AI Supervisor and welcomes the formation of the European Artificial Intelligence Office. It believes that persons harmed by the usage of AI systems should have the right to file a complaint with competent national data protection authorities.

Legal redress

Clearview AI escapes punishment: Last year the UK Information Commissioner fined Clearview more than 7.5 million pounds for illegally keeping millions of face pictures. Now the First-tier Tribunal has quashed the enforcement as the company services were only utilised by law enforcement agencies outside the UK. Although Clearview did engage in data processing connected to monitoring people’s behaviour in the UK, the ICO “did not have jurisdiction” to initiate enforcement action or levy a fine. France, Italy and Australia had taken similar action against the firm. Clearview previously had commercial customers, but following a 2020 settlement with the US, the company now only takes clients that carry out criminal law enforcement or national security duties. 

Official guidance

Shoplifting: According to the UK Information Commissioner, more retailers are turning to technology to protect their businesses. Data protection law enables retailers to share criminal offence data as long as it’s necessary and proportionate. Sharing information with a manager of another store in your shopping centre is likely to be appropriate, while wider public disclosures, such as posting it on an online retail-related social media platform, are less likely to be justifiable. 

Consent criteria: Quebec has published guidelines on the criteria for valid consent (in French). Consent must be obtained before carrying out any processing activity, and the organisation must document it. Consent must be: evident, free, informed, specific, granular, understandable, limited in time, and presented separately from any other information. Subject to exceptions, organisations must obtain consent to reuse data or to disclose it to a third party. Equally, consent can be withdrawn at any time by the data subject. If any of these criteria is not met, the consent is invalid.

DP Toolkit: Jersey’s data protection authority created a dedicated resource zone. It features a variety of toolkits for small, medium and large organisations as well as financial services, non-executive directors, and non-profit organisations: a blend of infographics, step-by-step guidance, how-to-guides, templates, checklists and videos.

AI Q&A: The French privacy regulator published the first set of guidelines for the use of AI that respects the GDPR. The CNIL confirms the compatibility of AI research and development with the data protection principles. The principle of data minimisation does not prevent the training of algorithms on very large datasets. On the other hand, the data used must, in principle, have been selected to optimise the training while avoiding the use of unnecessary information. In any case, certain precautions to ensure data security are essential. 

Enforcement decisions

BBVA: Following a complaint by an individual, the Spanish data protection regulator issued a fine of one million euros on Banco Bilbao Vizcaya Argentaria (BBVA). The complainant, a BBVA client, had lost their purse containing their bank card. Following that, they claimed to have demanded that BBVA block all of their banking products. Third parties reportedly used identity theft to access the complainant’s financial products, take out loans, and transfer money from the complainant’s bank accounts after BBVA allegedly refused to act on the complainant’s request.

Canal+: The French data protection authority CNIL fined the CANAL+ group 600,000 euros for poor data practices. In particular, its standard forms for the collection of prospect data did not contain any information on the identity of the recipients to whom the data was transmitted. It also failed to inform individuals when they created a MyCanal account and during cold calls. The company also did not respond to some access requests. Apart from that, the CNIL found that a subcontracting contract did not include all the information required, and that the storage of the company’s employees’ passwords was not sufficiently secure.

Data breaches

Gap Personnel: A UK recruitment company did not have appropriate security measures in place, which resulted in an unauthorised threat actor accessing and exfiltrating individuals’ data (13,720 UK data subjects) twice within 12 months. Gap was unable to determine the specific cause of the incident but believes it is likely that the threat actor leveraged an insecure script (a PHP file) and performed an SQL injection attack. At the time of the incident there were four specific vulnerabilities: a) an unsupported version of MySQL, b) an unsupported PHP version, c) poorly written PHP code and d) insufficient logging.
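The failure mode behind the Gap Personnel reprimand is an application script that splices user input into SQL text. The following Python snippet is an added illustration for this digest, not code from the page or from Gap Personnel; it uses an in-memory SQLite table with constructed sample rows to show a lookup written the vulnerable way beside the parameterized fix, and why the classic `' OR '1'='1` payload dumps every row from the first but nothing from the second.

```python
import sqlite3

# Constructed sample data standing in for a candidate table (illustrative only,
# not from the incident described above).
SAMPLE_ROWS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]

# Classic tautology payload: closes the quoted literal and appends an
# always-true condition.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Lookup written the insecure way: the input is concatenated into the SQL
    text, so whatever the caller sends is parsed as part of the statement."""
    sql = "SELECT email FROM candidates WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened lookup: the value travels as a bound parameter, separate from
    the statement, so it can only ever match (or fail to match) a username."""
    sql = "SELECT email FROM candidates WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(conn, username):
    """Run both lookups on the same input and return the row counts side by side."""
    return {
        "vulnerable": len(lookup_vulnerable(conn, username)),
        "parameterized": len(lookup_parameterized(conn, username)),
    }


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", compare(db, "alice"))            # both return 1
    print("injected:  ", compare(db, INJECTION_PAYLOAD))  # vulnerable 3, parameterized 0
```

The same principle applies to the PHP/MySQL stack the reprimand describes (PDO or mysqli prepared statements instead of string-built queries). Logging the bound parameter values alongside each request is also what makes an injection attempt visible afterwards, which speaks to the "insufficient logging" finding.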

Optionis: In a similar reprimand, a data controller (Optionis Group) suffered a ransomware attack which resulted in the exfiltration of personal data. The reprimand was issued in respect of specific infringements of the UK GDPR, including a lack of multi-factor authentication, an inadequate account lockout policy, and no clear Bring Your Own Device policy. An aggravating factor was that Optionis took 11 months to notify all individuals of the breach. The company explained that the analysis of the impacted personal data took a considerable amount of time to complete, in particular due to the size of the dataset.
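Two of the Optionis findings, the missing lockout policy and, by extension, weak protection of the login path, together with the insecure employee password storage in the Canal+ decision above, concern the same piece of code. The following Python is an added example written for this digest, not Optionis’s or Canal+’s code: a small login guard that stores salted PBKDF2 hashes, compares them in constant time, counts failures per account inside a sliding window and locks the account for a fixed period once the threshold is reached. The clock is injected so the time-based behaviour can be exercised deterministically; the thresholds and the iteration count are assumed values, not figures from either decision.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Assumed value, lowered to keep the demo quick; OWASP currently recommends
# 600,000 iterations for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the password itself is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(stored, password):
    """Recompute the digest for the supplied password and compare in constant time."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


# Hashed once at import so an unknown username costs the same as a known one
# (otherwise response time would reveal which usernames exist).
_DUMMY_CREDENTIAL = hash_password("dummy-never-matches")


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failures tolerated inside the window
    window_seconds: int = 600    # failures older than this no longer count
    lockout_seconds: int = 900   # how long the account stays locked


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Per-account failure counting with a sliding window and a fixed lockout."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock  # injectable so tests can advance time
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        return self.clock() < self._state(user).locked_until

    def record_failure(self, user):
        """Record a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        st = self._state(user)
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user):
        self._state(user).failures.clear()


def attempt_login(guard, credentials, user, password):
    """Return 'locked', 'denied' or 'ok'. The lock is checked before the password
    so a locked account gives no signal about whether the guess was right."""
    if guard.is_locked(user):
        return "locked"
    stored = credentials.get(user, _DUMMY_CREDENTIAL)
    if verify_password(stored, password) and user in credentials:
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "locked" if guard.is_locked(user) else "denied"


if __name__ == "__main__":
    # Constructed demo credential store: one assumed user, not real data.
    creds = {"jdoe": hash_password("correct horse battery staple")}
    guard = LoginGuard(LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120))
    for guess in ["a", "b", "c", "correct horse battery staple"]:
        print(guess, "->", attempt_login(guard, creds, "jdoe", guess))
```

A lockout alone is a brute-force control, not a substitute for the multi-factor authentication the reprimand also asked for; it limits guessing against a single account and does nothing against a stolen valid password.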

Data security

Telehealth: The US Office for Civil Rights released a HIPAA dedicated resource to help health care providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications. The HIPAA Rules do not require covered health care providers to educate patients about these risks; however, OCR is sharing this resource to assist providers who would like to explain to patients the privacy and security risks to their protected health information. Some examples of risks include viruses and other malware, unauthorized access, and accidental disclosures. 

Code of Practice for app developers: The UK government published the latest version of its code, which should be used from now on by app store operators and app developers. The UK government has investigated the app ecosystem and found a range of threats relating to malicious and poorly developed apps. In particular, app store operators and developers shall comply with the broader requirements of data protection law, therefore new sections have been added to highlight requirements of particular relevance to the Code of Practice. 

Non-banking financial services: The US Federal Trade Commission has approved an amendment that would require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lending institutions, to report data security breaches. The amendment will require the FTC to be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without authorization. The notice to the FTC must also include the number of consumers affected or potentially affected.

Big Tech

SolarWinds breach aftershock: The US Securities and Exchange Commission charges SolarWinds and its Chief Information Security Officer with fraud and internal control failures. In 2020, hackers targeted SolarWinds by deploying malicious code into its Orion IT monitoring and management software used by thousands of enterprises and government agencies worldwide. The complaint alleges the software company misled investors about its cybersecurity practices and known risks, in particular, that SolarWinds’ remote access set-up was not very secure and that someone exploiting the vulnerability “could basically do whatever without detecting it”.

In-vehicle monitoring: California enacted legislation that requires vehicle manufacturers to disclose the presence of in-vehicle cameras and prohibits any images or video recordings they collect from being used for any advertising purpose, sold, or shared with any third party. The act requires the user’s consent before any person or entity other than the user retains a recording from an in-vehicle camera anywhere other than in the vehicle itself, or downloads or retrieves it, unless this is done for diagnostics, service, repair, or improvement of equipment and systems. The act also gives consumers the right to revoke consent.

London Ulez fines: The Guardian reports that thousands of fines for breaches of London’s ultra-low emissions zone (Ulez) rules may have been sent unlawfully to EU drivers, according to the Belgian authorities. Since Brexit, UK authorities do not have access to personal data of EU citizens for non-criminal enforcement. However, drivers in several EU countries have received fines, many totalling thousands of pounds, for failing to pay their Ulez charge before driving into London. Some have been penalised mistakenly, and one driver was fined nearly 11,000 pounds after a three-day visit in a hire car.

Data protection digest 1 – 14 September 2023: gatekeeper obligations, synthetic datasets, automotive cybersecurity
https://techgdpr.com/blog/data-protection-digest-15092023-gatekeeper-obligations-synthetic-datasets-automotive-cybersecurity/
Fri, 15 Sep 2023 08:45:05 +0000

In this issue, you will find EU gatekeeper obligations, guides on ‘sharenting’, online exams, synthetic data, and the right to object, the Meta ban in Norway, the automotive industry, ads-free Facebook and Instagram, and the Privacy Sandbox availability.

Legal processes and redress: gatekeeper obligations, US adequacy decision, Google litigation, UK data protection reform, Quebec privacy laws

Gatekeeper in the EU: The European Commission has designated, for the first time, six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft – under the Digital Markets Act. They will now have six months to ensure full compliance with the DMA obligations for each of their designated core platform services. This includes a list of do’s and don’ts:

  • allowing third parties to inter-operate with the gatekeeper’s own services,
  • enabling end users to unsubscribe from the gatekeeper’s main platform services as simply as they subscribe to them, 
  • giving companies that advertise on a gatekeeper’s platform access to the gatekeeper’s performance measurement tools and information, allowing advertisers and publishers to undertake their independent verification of advertising hosted by the gatekeeper, and
  • a ban on tracking end users outside of the gatekeepers’ core platform service for targeted advertising without effective consent having been granted. 

EU-US DPF application: The German Data Protection Conference has published application instructions for the EU-US Data Privacy Framework. The document contains, on the one hand, information for data exporters, i.e. those data controllers and processors who transfer data to the US. On the other hand, individuals can find out what legal protection and complaint options they have. This includes links to numerous materials, for example from the EDPB. At this point, the adequacy decision applies under EU law. However, given the previous adequacy decisions for the US that were declared invalid, many want to know whether the new adequacy decision will suffer the same fate as Safe Harbor and the Privacy Shield.

In addition to the planned evaluations by the EU Commission, which can result in adjustments or a repeal, there are options for a judicial review of the new adequacy decision. For instance, on 6 September, a French member of parliament, who is also a member of the data protection authority CNIL, requested that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects by US companies, as well as a violation of the GDPR’s minimisation and proportionality principles due to the access and use of EU personal data for the US security purposes. 

Google taken to court: Alphabet’s Google is facing a class action in the Netherlands brought by non-profit organisations, demanding Google stop its constant surveillance and profiling of consumers and the sharing of data in online ad auctions, and also pay damages to consumers. Allegedly, through its services and products, the tech giant:

  • Collects users’ online behaviour and location data on an immense scale, without having provided adequate information about it and without users’ consent.
  • Through the use of ‘invisible’ third-party cookies, Google continues to collect data through others’ websites and apps, even when someone is not using its products or services. 
  • Continually collects users’ physical locations, even when they are not actively using their devices and think they are ‘offline’. 
  • Shares users’ data, including highly sensitive data concerning health, ethnicity and political affiliation, with hundreds of parties through its online advertising platform, (a recent study shows that in Europe, the real-time bidding industry exposes people’s data 376 times a day.) 

In total, Alphabet’s Google faces approximately 25 billion euros in damages claims and regulatory administrative fines over its ad tech practices in Europe, Reuters sums up.

UK data protection amendments: By the end of the year, the UK government will amend the UK’s data protection legislation by updating the ‘fundamental rights and freedoms’ definition, so that it refers to rights recognised under UK law rather than retained EU law rights. There is no direct equivalent to the right to the protection of personal data in UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention on Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by the UK GDPR and the Data Protection Act 2018, and will continue to be protected by the Data Protection and Digital Information Bill in the UK’s domestic legislation, states the explanatory memorandum.

Quebec privacy amendments: On 22 September, the latest set of amendments (Bill 64) to Quebec’s Privacy Act will come into force. Some of the major updates include strengthened privacy rights for individuals and several controller requirements, such as a new consent and cookies management framework, privacy policies, risk assessments, rules on automated decisions, cross-border transfers, and monetary penalties. Previously companies were also obliged to designate privacy officers, conduct mandatory breach reporting, and register their biometric information systems while receiving some exceptions to the consent requirement, (under commercial transactions and research and statistical purposes). 

Official guidance: ‘sharenting’, online exams, smart data sandbox, right to object

‘Sharenting’ children’s data: The Italian data protection authority has prepared tips for parents to limit the online dissemination of content concerning their children. The neologism, coined in the US, derives from the English words “share” and “parenting”. The Garante has been following the phenomenon for some time, especially because of the risks it entails for the digital identity of the minor and therefore for the proper formation of their personality. When something appears on a screen, not only can it be captured and reused without our knowledge by anyone for improper purposes or illicit activities, but it contains more information than we think, such as geolocation data. If you decide to publish images of your children, it is important to at least try to follow some precautions, such as:

  • make the minor’s face unrecognisable (for example by simply covering the face with a “smiley” emoticon);
  • limit the visibility settings of images on social networks only to people who know each other or who are trustworthy and who do not share without consent in the case of sending via an instant messaging program;
  • avoid creating a social account dedicated to the minor;
  • read and understand the privacy policies of the social networks on which we upload photographs, videos, etc.

Online proctoring: The use of digital distance learning by public and private higher education institutions is becoming more widespread. With the remote monitoring devices used in this context being intrusive by nature, the French data protection regulator CNIL reiterates the obligations under the GDPR: For instance, institutions organising examinations, as well as any subcontractors, (e.g. remote monitoring solution providers), should assure candidates that their data will not be used for any purpose other than taking and proctoring a remote examination. Also, examination modalities allowing remote validation of skills without the use of remote monitoring devices should be given priority where possible. 

In general, taking proctored exams remotely should be an opportunity for students, not an obligation. In this case, a face-to-face alternative should be offered to candidates (except in specific cases, such as a health crisis or for institutions that have made distance learning the very essence of their organisation). Students should be informed as soon as possible of the conditions for implementing remote monitoring so that they can make their choice with full knowledge of the facts. Institutions and organisations should ensure that devices used for remote monitoring are compatible with the equipment available to students, that they do not pose security risks to students, and that the necessary software can be easily installed and uninstalled. Read the full guidance (in French) here.

Smart Data: The UK Information Commissioner’s Office has published the Regulatory Sandbox Final Report for Smart Data Foundry. The sandbox specifically targets projects operating within challenging areas of data protection. Smart Data Foundry’s product comprises two parts. The first is the research facility, and the second is the innovation service, which provides synthetic data for further research opportunities. There are broadly speaking two approaches to the creation of these synthetic datasets:

  • Using simulation – known as ‘agent-based modelling’ – where data is generated from approximations and predictions of behaviour using characteristics given to a computer-generated population to understand how they would interact. This processing does not use personal data beyond some aggregate information generated from real data to test and improve parameters. This is the synthetic data approach that Smart Data Foundry is already using. 
  • Using ‘learning-based’ synthetic data generation to create synthetic doubles of existing datasets utilising differential privacy and modern learning-based approaches which aim to learn all the meaningful patterns in data, and use this learnt knowledge of patterns in the original data to generate new data that exhibit similar patterns, without recreating any input data. 

To understand key data protection considerations in such scenarios, read the full report. 

Right to object to data processing: The right to object gives a person the opportunity to request the termination of the processing of their data if it is processed for the following purposes: a) for legitimate interests of the data controller including marketing, as well as in the case of automated decision-making, b) in the public interest and c) for scientific or historical research and statistics. To exercise your right to object, you should:

  • Identify the data controller (it can be a natural person, company, organisation or state administrative body).
  • Contact the controller in writing (recommended), and clearly state that you are exercising your right to object to the processing of your data. Specify which processing operations you object to.
  • State the reason. The reason and the characteristics of your particular situation oblige the controller to evaluate what changes to the data processing are necessary and whether, if the processing continues, your rights as a data subject will not be infringed.
  • Wait for the answer. The controller is obliged to respond to your request within a month. It must either stop the processing of your data to which you have objected or provide a valid reason for continuing the processing.

Enforcement decisions: fertility apps, Chinese academic database, Meta ban in Norway, waste collection and the GDPR

Fertility apps checks: The Information Commissioner’s Office is reviewing period and fertility apps available in the UK as new figures show more than half of women have concerns over data security. A poll commissioned by the regulator revealed that women considered transparency over how their data was used, and how secure it was, bigger concerns than cost and ease of use when choosing an app. The poll showed a third of women have used apps to track periods or fertility. The research also showed that over half of people who use the apps believed they had noticed an increase in baby or fertility-related adverts since signing up. While some found the adverts positive, 17% described receiving these adverts as distressing. The ICO is now urging users to come forward to share their experiences through a survey in a call for evidence.

Chinese academic database: The Cyberspace Administration of China announced that the China National Knowledge Infrastructure (CNKI) has been fined approx. 6 million euros for illegally collecting and processing personal information. The operators collected users’ personal information without consent on 14 CNKI-related apps that failed to publicly disclose or state collection and usage rules, did not provide an account cancellation function, and illegally kept users’ information after they closed their accounts. CNKI is one of the biggest Chinese academic information gateway websites. It has over 1,600 institutional clients in 60 countries and regions, as well as 32,000 institutional customers from diverse sectors on the Chinese mainland. Top universities, research institutions, government think tanks, corporations, hospitals, and public libraries are among the primary consumers.

Waste disposal and the GDPR: A fine of 45,000 euros was imposed by the Italian privacy agency on a Sicilian municipality for having installed cameras to control the collection of waste. The municipality had appointed two companies, also sanctioned by the Garante, to purchase, install and maintain fixed cameras, and to collect and analyse the videos relating to violations. The authority’s intervention follows reports from a citizen who complained about receiving fines for having disposed of unsorted waste incorrectly.

The monitoring was carried out without the citizens having been adequately informed of the presence of the cameras and the processing of the data. The municipality had placed a sign directly on the dumpster, which was not easily visible and lacked the necessary information. Furthermore, the municipality had not identified the data retention periods and had not appointed, before the start of the processing, the two aforementioned companies as data processors.  

Meta ban confirmed: The Norwegian data protection authority won against Meta in court. In July, the regulator made an emergency decision on a temporary ban on behaviour-based marketing on Facebook and Instagram, which involves very intrusive monitoring of users. The regulator therefore decided on a compulsory fine of approx. 90,000 euros per day if the ban was breached. The penalty was set to start on 14 August. However, Meta had petitioned the Oslo District Court for a temporary injunction. In its ruling, the court stated that the Norwegian data protection authority’s decision was valid and that there was no reason to stop it. In addition to this case, Meta has submitted several administrative complaints against the Norwegian Data Protection Authority’s decision. Those processes are ongoing.

DNA data and transparency obligations: The US Federal Trade Commission finalised an order with 1Health.io, that settles charges that the genetic testing firm left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying consumers and obtaining their consent. The company failed to keep its promises to only share consumers’ sensitive data in limited circumstances, to destroy customers’ DNA samples shortly after they had been analyzed, to not store DNA results with a consumer’s name or other identifying information, and to remove such data from its servers upon consumers’ request. 

Data security: automotive industry

Automotive cybersecurity: The Federal Office for Information Security in Germany published a report on the status of cybersecurity in the automotive industry. The greatest damage in the automotive industry comes from cybercriminal “double extortion” – ransomware and data leaks. The report contains:

  • Assessments of the cybersecurity of production systems and processes.
  • Findings on how security vulnerabilities are being exploited for car theft and the unauthorised opening of vehicles.
  • Description of attacks on vulnerabilities in the communication protocol or other security mechanisms used to control charging processes between electric vehicles and their charging stations.
  • Assessments of new legal regulations and standardization activities.
  • Outlook on technological and regulatory developments that will be important in the coming years (the industry is affected by the EU NIS 2 Directive as a critical sector).

According to the Associated Press’s recent publication, automakers are failing the privacy test, and owners have little or no control over the data collected. The nonprofit Mozilla Foundation’s newest “Privacy Not Included” study states that security requirements are a major worry considering manufacturers’ record of vulnerability to hacking. The minimal privacy criteria were not fulfilled by any of the 25 automobile companies whose privacy notices were assessed in Europe and North America. This outcome is significant for over a dozen other product categories, including fitness trackers, reproductive health applications, smart speakers, and other connected household products. 

Big Tech: ads-free Facebook and Instagram, the Privacy Sandbox

Paid Facebook and Instagram: Meta may allow Facebook and Instagram users in the EU to pay to avoid ads as a response to scrutiny from privacy regulators. Those who pay for the subscriptions would not see ads while Meta would also continue to offer free versions of the apps with ads in the EU. Previously users had effectively agreed to allow their data to be used in targeted advertising when they signed up to the services’ terms and conditions until the lead Irish regulator ruled it could not process personal information in that way. Therefore Meta also proposed offering EU users a new opt-in consent mechanism for receiving targeted ads. Reportedly, it would be updated to offer users a “yes or no” option for opt-ins across its platforms. 

Privacy Sandbox ‘availability’: Finally, the Privacy Sandbox for the Web reaches general availability on Chrome for relevance and measurement APIs. General availability means advertising providers and developers can now scale usage of these new technologies within their products and services, as these are now available for the majority of Chrome users. Google also rolled out new Ad privacy controls in Chrome that allow people to manage how the Privacy Sandbox technologies may be used to deliver the ads they see. These controls allow users to tailor their experience by customising what ad topics they’re interested in, what relevance and measurement APIs they want enabled, and more. Starting in Q4 of 2023, Google will enable the industry to bolster their testing efforts with the ability to simulate the deprecation of third-party cookies for a percentage of its users. Then, in Q1 of 2024, it will turn off third-party cookies for 1 per cent of all Chrome users for effectiveness testing.

Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown https://techgdpr.com/blog/data-protection-digest-04042023-dismissed-fine-cybersecurity-tools-chatgpt-clampdown/ Tue, 04 Apr 2023 08:50:03 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Court-dismissed fine: A multimillion-euro fine imposed by the Spanish privacy regulator has been overturned by a court decision, according to a publication by the Clifford Chance law firm. The AEPD fined Banco Bilbao Vizcaya Argentaria 5 million euros in 2020, the first of many hefty fines for GDPR violations in the country’s corporate sector. In that case, the AEPD had received several complaints about commercial communications. Ultimately, it found that BBVA’s privacy policy, which was applicable to all of its clients and to processing other than the sending of marketing communications, violated the duty of information, and occasionally misused consent and legitimate interest as the basis for processing. However, the decision and fine concerning BBVA’s privacy policy were completely at odds with the initial complaints, and the court found that the AEPD had broken the sanctioning procedural rules.

EU Health Data Space: EU legislators are actively working on safeguards for the upcoming European Health Data Space. This includes promoting patients’ understanding and control of their personal health data. The latest amendments look at the main characteristics of electronic health data categories: patient summary, electronic prescription, electronic dispensation, medical image and image report, laboratory result, and discharge report. Under the Commission’s proposal, researchers, companies, and institutions will require a permit from a health data access body, to be set up in all member states. Access will only be granted to use de-identified data for approved research projects, which will be carried out in closed, secure environments, as a Sciencebusiness.com publication sums up.

Iowa privacy legislation: Iowa enacted its new comprehensive privacy law, making it the sixth US state to do so after California, Virginia, Colorado, Utah, and Connecticut. It will take effect in 2025. Anyone conducting business in Iowa or creating goods or services marketed toward Iowans who does one of the following is subject to the law: processes at least 100,000 consumers’ personal data; or processes 25,000 consumers’ personal data and generates more than 50% of gross revenue from the sale of it. The law does not apply to financial institutions, nonprofit organizations, institutions of higher education, information bearing on consumers’ creditworthiness, various research data, protected health information, and more.

Utah minors protection: Utah enacted two laws to limit children’s access to social media, making it the first US state to demand parental consent before children can use Instagram and TikTok. It also makes suing social media companies for damages simpler. To date, US lawmakers have had difficulty enacting stricter federal laws governing online child safety. Under Section 230 of the US Communications Decency Act, media service providers are largely shielded from liability for the content they provide. 

Online service providers are also not required by federal statutes to use a particular method of age verification. Because of this, some have minimum age restrictions and ask users to enter their birthdate or age before granting access to the content. These restrictions are typically stated in the terms of service. According to Utah legislation, all users must submit age verification before creating a social media account. Minors under the age of 18 must have parental or guardian consent. 

Official guidance

AI white paper: Principles including safety, transparency, fairness, contestability, and redress will guide the use of AI in the UK, as part of a new pro-innovation national blueprint. Reportedly, Britain has more businesses offering AI goods and services than any other European nation, and hundreds more are being founded annually. Regulators pledge to provide organisations with advice over the coming year, as well as other resources such as risk assessment templates. Currently, there is no deadline envisaged in the UK for passing AI legislation. Meanwhile, the EU AI Act, which takes a more risk-based approach and is being discussed by parliamentarians, can reasonably be expected this year.

Data protection by default: UK privacy regulator the ICO published resources to help UX designers, product managers, and software engineers embed privacy by default. The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch when designing websites, apps, or other technology products and services. The ICO has also published videos with experts, technologists, and designers. 

Employment guide: The Danish data protection authority’s guidance on data protection in employment relationships has been revised, (in Danish only). The update includes the acquisition of criminal records and references. The regulator also clarified an employer’s obligation to disclose information, trade union processing activities, workers monitoring needs, the use of IQ and personality tests, and more. In parallel, the Lithuanian regulator is preparing similar guidance for employees, business, and public sector, (in Lithuanian only). 

Joint controllers: What is the difference between joint and independent data controllers? Joint controllers are established when the entities involved in processing perform it for the same or common purposes. Joint management can be established even when the entities pursue purposes that are only closely related or complementary, explains the Slovenian data protection authority. Purposes and means of processing are not always the same for all joint controllers but must be mutually determined via an agreement. They can also be defined by law. Subsequently, joint controllers are jointly and severally liable for damages. 

Suspected data breach: Pursuant to the GDPR, in the event of a personal data breach that is likely to cause a high risk to the rights and freedoms of individuals, the data controller must notify the data subject without undue delay. However, notification is not mandatory if any of the conditions stipulated in Art. 34(3) of the GDPR are met. Regardless of the above, in case of a suspected breach (e.g., unauthorised disclosure of a large amount of personal data), you have the right to request information from the data controller (if they processed your data) as to whether your personal data is included in the incident, concludes the Croatian data protection agency.

Enforcement decisions

ChatGPT ban: The Italian supervisory authority Garante has clamped down on ChatGPT. The limitation of the processing of Italian users’ data by OpenAI, the US company that developed and manages the platform, is temporary until it establishes privacy procedures. ChatGPT suffered a data breach on March 20 concerning user conversations and payment information for subscribers to the paid service. Garante noted the lack of information to users and all interested parties whose data is collected by OpenAI, but above all the absence of a legal basis that justified the collection and storage of personal data in order to train the algorithms. 

Additionally, as evidenced by the checks carried out, the information provided by ChatGPT does not always correspond to the real data, thus establishing inaccurate processing of personal data. Finally, the service is aimed at people over 13 but does not use any filter for verifying the age of users and exposes minors to answers that are absolutely inappropriate with respect to their degree of development and self-awareness. OpenAI, which does not have an office in the EU but has appointed a representative in the European Economic Area, must communicate within 20 days on the measures taken.

Wrongful copy: The Greek data protection authority looked into a complaint from a Vodafone subscriber who received a CD containing the conversations of another person after requesting access to her recorded conversations with the Vodafone call centre. Although Vodafone was immediately notified by the complainant, it did not take any investigative steps to confirm the incident, but initially contented itself with the processor’s response that it had not located the complainant by phone. It subsequently contacted her to return the CD. Vodafone was ordered to send the correct file and was fined 40,000 euros (Art. 15 and Art. 33 of the GDPR).

Email correspondence: Employees’ right to privacy is unaffected by a legitimate interest in processing personal data for legal defense. The Italian privacy authority fined a company that continued to use an employee’s email account after they had left the firm, viewing the content, and setting up forwarding to a company employee. The former collaborator had gathered references from potential clients they had met at a fair. The company claimed that a legal dispute resulted from the collaborator’s attempt to get in touch with them. Fearing losing relationships with potential customers, the company had not only written to them to explain that the person had been removed, but had also viewed the communications.  

GPS monitoring: Tehnoplus Industry in Romania was fined for a GPS system installed on a company car without the employee having been informed, and without having previously exhausted other, less intrusive methods of achieving the purpose of the processing, namely monitoring the service vehicle. Tehnoplus Industry excessively processed the location data relating to the complainant even outside working hours. The purpose and legal basis of this processing, as well as the excessive storage period of the data collected (beyond the established 30-day limit), were also found to be unlawful.

In parallel, the French privacy regulator imposed a fine on Cityscoot for geolocating customers almost permanently in breach of the data minimisation principle. During the rental of a scooter by an individual, the company collected data relating to the geolocation of the vehicle every 30 seconds. In addition, the company kept the history of these trips. None of the established purposes of the processing, (the treatment of traffic offenses, handling customer complaints, user support, and theft management), could justify the monitoring and could have been organised without constant tracking.  

Data security

Cybersecurity tools: The French regulator CNIL has updated its guidance on the security of personal data (in French). It supports professional actors processing personal data by recalling the basic precautions to be implemented. 17 fact sheets look at the latest recommendations on authenticating users, tracing operations and managing incidents, securing the workplace, guiding IT development, securing exchanges with other organisations, encryption, and much more.

The European Union Agency for Cybersecurity has also released a tool to help small and medium-sized enterprises assess the level of their cybersecurity maturity. This tool contributes to the implementation of the updated Network and Information Security (NIS2) Directive. The majority of SMEs are excluded from the scope of the Directive due to their size, and this work provides easily accessible guidance and assistance for their specific needs.

Similarly, the UK National Cyber Security Centre launches two new services to help small organisations stay safe online:

  • The Cyber Action Plan can be completed online in under 5 minutes and results in tailored advice for businesses on how they can improve their cyber security.
  • Check your Cyber Security – which is accessible via the Action Plan – can be used by any small organisation including schools and charities and enables non-tech users to identify and fix cyber security issues within their businesses.

Mobile threat defense: America’s NIST investigates mobile threat defense applications that provide real-time information about a device’s risk level. Like any other app, MTD is installed on a device by a user. The app then finds undesirable activity and alerts users so they can stop or minimize the harm. For instance, it alerts users when it’s time to update their operating systems. Additionally, users of the app can receive alerts when someone is listening in on their internet connection. However, without being integrated with a mobile device management system, MTD applications are only marginally effective in your enterprise environment.  

Big Tech

Child Care apps: In the US, childcare facilities are using technology more and more, reports edsurge.com, which tells the story of a parent who signed her child up for child care. She wasn’t expecting to have to download an app to participate, and when that app began to send her photos of her child, she had some additional questions. Laws like the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act don’t apply in these circumstances, so parents will need to conduct some independent research. The other aspect is that cameras have the potential to make teachers and other classroom employees anxious or otherwise not themselves, she says. They may feel that administrators or parents don’t trust them, and may avoid some activities like dancing.

You are (not) hired: Reportedly, a third of Australian companies rely on artificial intelligence to help them hire the right person, while there are no laws specifically governing AI recruitment tools. Applicants are often unaware that they will be subjected to an automated process or, if they are aware, on what basis they will be assessed. For instance, AI might say you don’t have good communication skills if you don’t use standard English grammar, or you might have different cultural traits that the system does not recognise because it was trained on native speakers. Another concern is how physical disability is accounted for in something like a chat or video interview. Read more analysis by the Guardian in the original publication.

Vehicle data: Because data ownership remains undefined under EU law, the Commission’s proposed Data Act for fair access to such information, particularly in the vehicles sector, appears to have hit problems. Legislative proposals were expected to regulate a connected car sector estimated to be worth more than 400 billion euros by the end of the decade. Now car services groups warn that very few big players are able to access this data, skewing the market, Reuters reports.

Weekly digest Dec 27 – Jan 2, 2022: Intelligent transport, Oracle and Salesforce court victory, the death of Blackberry, fan tokens https://techgdpr.com/blog/weekly-digest-03012022-eu-intelligent-transport-oracle-salesforce-court-victory-the-death-of-blackberry-fan-token/ Mon, 03 Jan 2022 10:13:42 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU Intelligent transport, Oracle and Salesforce court victory, discriminating AI in DC, privacy in Ukraine

The European Commission revised its Intelligent Transport Systems (ITS) Directive to advance smart mobility. The aim is to stimulate the faster deployment of new, intelligent services, by proposing that certain crucial road, travel and traffic data is made available in digital format. ITS applies information and communication technologies such as journey planners, eCall, and automated driving in transport. Since 2010, the ITS Directive has been the tool to ensure the coordinated deployment of such systems across the EU, based on European specifications and standards. The revision includes:

  • an extension in the Directive’s scope to multimodal information (apps to find and book journeys that combine public transport, shared car, or bike services),
  • communication between vehicles and infrastructure to increase safety and mobility,
  • the collection of crucial data and the provision of essential services such as real-time information services informing the driver about accidents or obstacles on the road,
  • updated obligations under the GDPR, and in consultation with the EDPS, on the security of personal data and the need for controllers to comply with their obligations, 
  • using anonymisation as one of the techniques for enhancing individuals’ privacy. Read the full text of the proposal here, and the Annex here.

A court in the Netherlands says a billion-euro claim against Oracle and Salesforce is not admissible. The Privacy Collective (TPC) foundation filed a lawsuit against the tech giants in 2020 for violations of the GDPR. The two US-based companies reportedly collected data from at least 10 million Dutch internet users for advertising purposes, and created a personal profile of each web surfer that they could trade. TPC claimed 500 and 600 euros respectively per victim from Salesforce and Oracle. The latter is also said to have leaked data. On the internet, TPC appealed to the public in a case under the Mass Damages in Collective Action Settlement Act. By clicking on an icon with the text ‘support with 1 click’, internet users were able to support the claim. The initiative received 75,000 statements.

According to the court, however, it is not possible to determine with these ‘likes’ whether the foundation really stands up for enough injured parties. No contact details are registered for the internet users who ‘clicked’. In addition, TPC is unable to maintain contact with its supporters, which is an important condition of the law. TPC is considering an appeal.

The use of artificial intelligence to determine access to credit and other important life opportunities has been targeted by the District of Columbia, Venable LLP reports. DC’s Attorney has introduced the “Stop Discrimination by Algorithms Act of 2021”, which may be considered through January 1, 2023. The proposed legislation adds civil rights protections to shield communities from alleged harm caused by algorithmic bias by:

  • prohibiting using algorithms that produce biased and unfair results;
  • performing annual audits, reporting the results and needed corrective steps;
  • documenting how their algorithms are built, how the algorithms make determinations, and how all of the determinations are made;
  • disclosing to all consumers about their use of algorithms to reach decisions, what personal information they collect, and how their algorithms use it to reach decisions;
  • adverse action (if businesses make an unfavorable decision based on an algorithm, they must provide a more in-depth explanation);
  • dispute and corrections opportunity to prevent negative decisions based on inaccurate personal information.

The bill would apply to individuals, legal entities and service providers that make or rely on algorithmic eligibility determinations or algorithmic information availability determinations. Read more about the coverage, key definitions and the enforcement of the Algorithms Act in the original publication.

In 2021 almost 4,000 people applied to the Ukrainian Parliament’s Commissioner for Human Rights to protect their right to privacy, twice as many as in the previous year. Individuals (mostly legal professionals, representatives of human rights and public organizations, people with disabilities, etc.) asked for the protection of their personal data in connection with:

  • activities of debt collection companies and macrofinancial institutions, and
  • publication of personal data in messengers, social networks and on the official websites of public authorities and local governments.

During the implementation of measures to recover overdue debt, collectors resort to insults and psychological pressure against debtors, and also against members of their families, friends or acquaintances. For that reason, the law on consumer protection in the settlement of overdue debts came into force last year. At the same time, the draft law “On Personal Data Protection” and the draft law “On the National Commission for Personal Data Protection and Access to Public Information” were registered in the Ukrainian Parliament. The legislators aim to adopt both drafts within the next few months so as to launch the data privacy reform by 2023, as part of integration into the EU Digital Single Market, implementation of the EU-Ukraine Association Agreement, and the wider government digital agenda.

Official guidance: China’s automotive sector, employment data and asylum seekers fingerprints in the EU

China’s latest data protection implementation rules include new data guidance for the automotive industry, analyzed by Paul Hastings LLP. It is one of the first sets of industry-focused implementation rules under the new Data Security Law and the Personal Information Protection Law. The auto industry provisions elaborate on:

  • Automotive Data, which includes personal information data and important data involved in the process of automobile design, production, sales, maintenance, etc.
  • Automotive Data Processors – manufacturers, components and parts suppliers, software suppliers, dealers, maintenance organizations, and mobility service companies, ride-hailing and sharing services.
  • Personal Information and sensitive personal information (eg, vehicle trajectory, driving habits, audio, video, images, biometric identification).
  • Important Data (eg, geographical information, vehicle flow, personal information involving more than 100,000 subjects).

Key Principles in automotive data processing are:

  • all automotive data must be processed inside vehicles unless it is absolutely necessary to send it out;
  • unless a driver makes a specific selection otherwise, the default setting should be non-collection each time the driver drives the vehicle;
  • the coverage and resolution of cameras and radars, among others, should be determined according to the requirements for data accuracy of the functions and services provided;
  • principle of desensitization (data processors are required to apply anonymization and de-identification during processing, if possible).

The Gibraltar data protection authority published fresh guidance on data protection in the employment context (in English). The document provides a general guide to the legitimate expectations of employees with regard to the processing of their personal data by employers, as well as the legitimate interest of employers in deciding how best, within the boundaries of data protection law, to run their organisations:

  • The employer’s obligations of accountability and of implementing appropriate security measures to protect employee personal data.
  • Recruitment and selection recommendations in relation to personal data in areas such as ‘advertising and applications’, ‘interview notes’, ‘vetting’ and ‘retention’.
  • Employment records and the employer’s responsibility to appropriately notify employees of personal data processing activities.
  • Monitoring in the workplace.
  • Remote working and the risks it presents for the security of personal data.
  • A compatible administrative infrastructure that allows adequate data protection.

Asylum seekers and migrants arrested at the EU’s external borders are required to give their fingerprints. This data is kept in the Eurodac file. The EU Agency for Fundamental Rights publishes, in collaboration with multiple data protection authorities, a guide intended to better inform people about the use made of their fingerprints, (now available in all EU languages). EU law requires giving the following information:

  • the obligation to give fingerprints,
  • what is stored: ten digital fingerprints, the gender, the country taking the fingerprints, and the place and date of the asylum application (if applicable); no other personal data is stored,
  • where the authorities collect more personal data, such as name or age, migrants should be informed about the importance of providing accurate data,
  • the fingerprints are kept for 10 years (if an asylum seeker) or for 18 months (if an irregular migrant); after that the data is automatically deleted,
  • only competent asylum and immigration authorities can access the data,
  • the police and Europol can access the data under strict conditions,
  • why fingerprints are collected, and the person’s rights.

The information given must be concise, transparent, comprehensible and in an easily accessible format, written in clear and plain language, adapting to the needs of vulnerable persons, such as children. Where necessary the information should be provided orally in a language that the person understands. Also, a copy of the personal data collected is provided. This helps to exercise the right to access and the right to delete and correct the data.

Data breaches, investigations and enforcement actions: Slimpay, JP Morgan Securities, BBVA

French regulator CNIL sanctioned Slimpay with a fine of 180,000 euros for having insufficiently protected users’ personal data and not having informed them of a data breach. Slimpay offers recurring payment solutions to its customers. During 2015, it carried out an internal research project, during which it used the personal data contained in its databases. When the research project ended in 2016, the data remained stored on a server, without special security measures and was freely accessible from the Internet. It was not until 2020 that Slimpay became aware of the data breach, which affected approximately 12 mln people. Persons affected by the data breach are located in several countries of the EU, so cooperation was needed between the supervisory authorities of four countries – Germany, Spain, Italy and the Netherlands.

The US Securities and Exchange Commission, (SEC), announced that JP Morgan Securities agreed to pay 125 mln dollars to resolve charges that it failed to safeguard written communications of its employees. Its employees, including supervisors and managing directors, regularly used non-company messaging tools such as Facebook’s WhatsApp, text messages and personal email accounts to discuss company business. The company admitted that none of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. The fine is the largest the SEC has ever leveled against a firm for record-keeping violations, beating the previous record of 15 mln, imposed on Morgan Stanley in 2006.

The Spanish data protection authority, the AEPD, fined Banco Bilbao Vizcaya Argentaria, (BBVA), 60,000 euros for insufficient legal basis for data processing. The claimant was receiving constant messages on his mobile phone from BBVA about defaults, appointments, etc. The claimant demanded deletion of the number, however it was not spotted in the client database. The investigation found that the text messages were an error on the part of the team in charge of carrying out functional tests of the tool designed to send notifications from the Bank to its clients. The team believed wrongly that said number did not exist or was not operational and therefore no one was going to receive such fictitious notices.

Audits: Oxford Health NHS Foundation Trust

The UK Information Commissioner’s Office published the Oxford Health NHS Foundation Trust data protection audit report. The Trust, a major NHS health trust, provides physical and mental health and social care for people of all ages in the UK. Its services are delivered at community centres, hospitals, clinics and people’s homes. With an overall reasonable assurance level, the executive summary proposes some areas of improvement:

  • The Trust’s Records of Processing Activity requires upgrading. The evidence provided was more of a data flow map and therefore is not fully in line with the requirements of Art. 30 of the UK GDPR. The requirements include having a record of the name and contact details of the data controller, description of the categories of individuals and recipients of personal data, retention schedules and a description of the technological and organisational security measures in place.
  • The Trust has a Data Protection Officer in place who also holds other positions and responsibilities. The Trust needs to consider if these additional roles and responsibilities pose a conflict of interests or a demand on their time, which could impact on their duties as DPO.
  • There is no Information Sharing Agreement (ISA) log to record vital information pertaining to current ISAs.
  • There is a lack of specialised training for staff with data sharing roles and those that deal with children’s data.
  • There is no dedicated Information Sharing policy or procedure to provide guidance on ad hoc disclosures as well as the assurances that all ISAs include effective incident management procedures.

Big Tech: China’s low-carbon data clusters, Arsenal fan tokens, the death of Blackberry, racial bias on Airbnb, Zoom latest acquisition

China has approved plans to build four mega clusters of data centres in the country’s north and west with the aim of supporting the data needs of Beijing and major coastal cities. The move comes as energy-hungry data centres located in China’s east have found it difficult to expand due to limits imposed by local governments on electricity consumption. The four new locations can use their energy and environmental advantages (wind and solar). However, their distant locations have meant the centres have struggled to provide the near-instantaneous retrieval demanded by coastal clients with little tolerance for delays. Meanwhile, a new marine economy development plan encouraged major coastal cities such as Guangzhou, Shenzhen and Zhuhai to relocate high energy-consuming data centres to underwater locations to save energy used for cooling.

Britain’s advertising watchdog, the ASA, warned Arsenal FC on Wednesday over ads for its “fan tokens,” a type of cryptocurrency embraced by soccer clubs as coronavirus pummelled their revenues. ASA said ads posted on Arsenal’s website and on Facebook were misleading as they did not make clear the risk of trading crypto, potential tax implications or that the tokens are not regulated in the UK: “The tokens, which can be traded on exchanges like other cryptocurrencies, are prone to wild swings in price and often have little connection to on-field performance.” Fan tokens allow supporters of soccer and other sports clubs to vote on minor decisions such as songs played at matches after a goal is scored, or images used on social media. Arsenal believes that fan tokens were designed to boost participation by supporters, and were “materially different” to other cryptocurrencies used as a means of payment. More than 40 clubs from Europe to South America have launched fan tokens. The largest one, launched by Paris Saint-Germain, reportedly has a total value of 49 mln dollars, versus bitcoin’s 929 bln.

Legacy BlackBerry devices lose text, call, and data functionality on January 4th, the Verge reports. Whether on Wi-Fi or cellular, there’ll be no guarantee you can make phone calls, send text messages, use data, establish an SMS connection, or even call 911. The company has experienced a slow decline since its dominant era in the late 2000s, when its QWERTY keyboards and reputation for security gave it a 50% market share in the US, but its parent company has pivoted to selling cybersecurity software.

Airbnb announced that it’s changing the way guest profiles are displayed in its app, for Oregon residents only, the Verge reports. Airbnb hosts who are based in Oregon will now see a potential guest’s initials, rather than their full name, until after they’ve confirmed the booking request. The change aims to prevent racial discrimination among hosts, by stopping them from gleaning a guest’s race from their name. The announcement follows a voluntary settlement agreement that Airbnb reached in 2019 with three Portland-area women. A 2016 study also found that Airbnb guests with names that sounded Black were 16% less likely to have bookings confirmed than guests with names that sounded white.

Zoom gets bigger on virtual events with its latest acquisition, the CNET website reports. The videoconferencing company announced the acquisition of event solutions assets from Liminal. Due to the pandemic, events have increasingly gone online, demanding more from video teleconferencing apps like Zoom. Those apps have needed to expand the features of their products or rely on third-party services like the ones Liminal provided. Liminal offered apps like ZoomISO and ZoomOSC, which provide individual video outputs and enhanced sound controls. Liminal’s products will remain available through its site. However, as Zoom expands on those tools and builds something similar into the platform, there will no longer be a need for them as separate add-ons.

The post Weekly digest Dec 27 – Jan 2, 2022: Intelligent transport, Oracle and Salesforce court victory, the death of Blackberry, fan tokens appeared first on TechGDPR.

Weekly digest October 25 – 31, 2021 “Privacy, DP, and Compliance news in focus” https://techgdpr.com/blog/weekly-digest-october-25-october-31-2021-privacy-dp-and-compliance-news-in-focus/ Tue, 02 Nov 2021 08:12:17 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The Administrative Court of Dusseldorf clarified the non-retroactive applicability of the GDPR. In 2016, charges were brought against the plaintiff, a decades-long civil servant for the police and secret services, for tax evasion, followed by an alleged disclosure by the court of details of the investigation to the press. The plaintiff had filed a complaint with the local data protection authority, the DSG NRW. It explained that existing data protection laws were only applicable to the courts where they perform administrative tasks; thus, the inadmissible disclosure of court files falls within the scope of case law. In 2019 the plaintiff decided to bring an action seeking the enforcement of the GDPR before the court, based on Art. 78 – Right to an effective judicial remedy against a supervisory authority. The DSG NRW decision was upheld with the further explanation that, despite a data protection breach being manifestly present, legal redress would be time-barred. The plaintiff’s data protection proceedings were no longer pending at the time the GDPR entered into force, and neither the GDPR nor the old law contain transitional provisions, so retroactive application would require specific legislative validation.

Quebec’s Bill 64 and the new requirements for cross-border transfers of personal information are explained in McCarthy Tétrault’s latest blog series. The previous Private Sector Act specified that transferring personal information to third parties was permissible without prior consent if it was essential for the original business purposes. The new rules include: conducting a prior privacy impact assessment (PIA), and establishing through a written contract the scope of the mandate, the purposes for which the third party would use the information, the categories of persons who would have access, and data subjects’ right to object. The definition of Bill 64’s “adequate protection” in the country of destination remains ambiguous in comparison to PIPEDA’s “comparable level of protection” and the GDPR’s “adequacy decision”. The document also makes no distinction between international and inter-provincial transfers, and does not clarify the frequency at which businesses should conduct PIAs.

The US Court of Appeals for the 2nd Circuit decided when trivial data breaches of personally identifiable information (PII) are not actionable. To have standing, the plaintiff must primarily establish an “injury in fact.” The court identified three factors courts should consider: whether the PII had been exposed as the result of a targeted attempt to obtain that data, whether any portion of the dataset had already been misused, and whether the type of data that had been exposed is so sensitive that there is a high risk of identity theft or fraud. The decision was inspired by McMorris v. Carlos Lopez & Associates, where former employees brought a class action after an employer accidentally emailed 65 employees a spreadsheet containing social security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire for approximately 130 current and former employees. The spreadsheet was not shared with anyone outside the company or otherwise taken or misused by third parties. Read more details in the analysis by Thompson Coburn.

A similar dismissed case of a trivial low-level data breach in the UK was explained by Blake Morgan. In Rolfe & Ors -v- Veale Wasbrough Vizards LLP, it was confirmed that it is not sufficient for claimants to merely establish that there had been a data breach; claimants must go further and establish that they have suffered a material or non-material loss as a result of the data breach which is more than merely trivial. The claim arose from solicitors sending a letter containing some personal information to the incorrect recipient who immediately notified the solicitors and subsequently deleted the e-mail.

In Australia, a draft bill that increases privacy breach penalties was released, inviting industry submissions within the next month. Under the draft bill, the maximum penalties applicable to companies for serious or repeated privacy breaches will increase to whichever is higher: 10 million dollars, three times the value of any benefit obtained through the misuse of the information, or 10% of the corporate group’s annual Australian turnover. It also enables the introduction of an online privacy code, covering a wide scope of organisations to regulate social media services, large online platforms and data brokerage services.

The US Federal Trade Commission announced a newly updated rule that strengthens financial institutions’ data security safeguards, following recent data breaches and significant harm to consumers, including monetary loss, identity theft, and other forms of financial distress. The updated Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. Institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, transmit, dispose of, or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.

The Danish business authority announced that in future it will not prioritize supervision of the consent rules for simple statistics cookies. It justifies the change by recognising that cookies are a necessity for websites, and that the current negotiations in relation to a new regulation on e-data protection indicate that simple statistics cookies for traffic measurement are exempt from consent requirements.

The Danish data protection agency concurs that there may be a need for data controllers to collect and use information for statistical purposes in order to improve their website. However, the rules of the GDPR still apply whenever personal data about website visitors is collected and processed – for statistical or any other purposes. This means that the data controller – e.g. the owner of the website – must ensure that there is a legal basis for the processing of personal data. This also applies to any subsequent processing of data that takes place either at a data processor or when transferred to other independent data controllers.

Official guidance

The German federal data protection authority, the BfDI, clarified how the COVID-19 vaccination status of employees should be processed by employers. Employers generally may not process the “vaccination status” data of their employees without express statutory authorization – not even in the context of the pandemic. The “vaccination status” data is a special category of data pursuant to Art. 9 of the GDPR. Only in individual cases is processing of the “vaccination status” data possible, on the basis of legal requirements, namely in the health care sector, daycare facilities for children, in the event of a possible infection and subsequent quarantine due to state-required pandemic control requirements, or on the basis of freely given and recorded consent. If the vaccination status is to be stored, no copies of vaccination cards or comparable certificates (original or copy) may be included in the personnel file. It is sufficient to note that these have been presented in each case.

There were clarifications on CCTV use on private property from Cyprus’s privacy commissioner. While the GDPR does not apply to personal or household activities, the scope of any recording should not go further than the perimeter of said private property. Also any complaints should be made to the police, as the data protection office does not have the power to enter a private property to examine any footage. Visible signs should state that CCTV is in use, explain why, and include a contact number for an operator. If CCTV is installed by a building’s management committee, then it becomes the principal data controller. CCTV may be installed in building entrances and exits, outside lift doors, and over tills and payment points only as long as the camera is only pointed towards them. Cameras can also be installed in building parking areas if the management committee deems it necessary. Finally, CCTV is not allowed in toilets, corridors, lobbies, inside lifts, and indoor or outdoor areas of cafes, bars and restaurants.

Denmark’s data protection agency has published guidance on the use of personal data for testing IT systems, available in Danish. Depending on the circumstances, it may be reasonable and necessary to use personal information when developing and testing IT systems. For example, it will be acceptable to use personal information in connection with final integration tests with other, (external), IT systems, or where there is significant difficulty in creating accurate anonymised test data, in particular because it can be difficult to reflect all the errors and irregularities that may occur in a production environment. In addition, it may be reasonable to use a limited amount of personal information in connection with troubleshooting and error correction. Sometimes it may even be unsafe to put a system into its final production stage without having first tested it with production data, including personal. However, such testing would require a risk assessment for the data subjects, (eg employees, customers and citizens), and appropriate security measures in accordance with the risk assessment.

Some other important guidance published by regulators in the EU and abroad includes:

  • The most common mistakes made by the communities working on draft codes of conduct, by the Polish data protection authority, UODO. These include the lack of a clear justification of the purpose of the code, an applicant entity that does not represent the majority of the sector, or a draft code whose scope of consultation is too narrow, not including, for example, data subjects.
  • Guidelines on political campaigns were set by Malta’s IDPC, including the legal bases for door-to-door canvassing, postal and telephony communication, as well as online canvassing, and opting out from direct advertising.
  • China’s draft guidance on identifying important data sets out the identification principles as well as a list of important data. One of them divides data into three classes, namely public data, personal information, and legal person data, and five levels according to their importance – public, internal, sensitive, important and core. Entities in the industrial and telecom sectors are also required to first divide the data into different types – research data, production operation data, management data, operation maintenance data, business service data and personal information, and then divide data into levels and classes.
  • The European Data Protection Supervisor offers ever-so-simple guidance on protecting your personal information from phishing attacks. Suitable even for a young audience, it encourages you to STOP if you receive a suspicious message or email, THINK before you click on any links or attachments contained in the message, and LOOK for clues such as how the email or message is phrased, the time at which the email or message was sent, the list of recipients of the email, the sender’s number or email address, or the tone of the message if there is a sense of urgency.
  • California’s Attorney General has provided consumers and businesses with tips on how to defend against cyber threats. The recommendations emphasise complexity – from creating strong passwords, limiting personal information shared online, checking on privacy settings on your device, to encryption, employee training and wifi network security.

Enforcement actions

Spain’s data protection authority, the AEPD, has issued its third-largest fine after finding flaws in the consent acquisition language used by CaixaBank. The investigation also uncovered that Caixabank requested information about an individual from the solvency file, even though the individual had no ongoing contracts with the bank. The individual was also included in the bank’s marketing campaigns for a pre-granted credit, without proper legal basis or consent and adequate information about the data processing, including profiling. The aggravating factors for the significant fine were the volume of the business and the duration and severity of the negligence.

The AEPD also fined a data controller – Servicios Logísticos Martorell, 16,000 euros for implementing a biometric identification system without carrying out a DPIA beforehand. A workers union complained that a company had implemented a biometric identification system to control its 520 workers’ access using their fingerprints, a system that was used along with a card reader system. The union argued that the workplace was so big that employees had a 20 minute walk to reach their work station, so they needed an additional control system to determine when they really accessed their post. The company argued that the biometric system is more reliable than using cards, since people could use another worker’s card.

The Dutch data protection authority, the AP, has rejected the license application of a Dutch association of small and medium enterprises to keep a blacklist of possible fraudsters and share that blacklist with companies from different sectors. The AP may grant such licenses only when it is necessary for the data to be shared, and sufficient safeguards have been put in place, such as implementing a data collection and sharing protocol. Similarly, the AP rejected a license application for Fraudehelpdesk, a governmental initiative that helps victims of fraud find their way to the right authorities, for not having an implemented protocol in place. “In the event of a data breach, telephone numbers, e-mail addresses and other personal data of suspected perpetrators, whose crime was not proven, can roam the internet. If you are known as a fraudster, even if this is unjustified, you could be fired, for example. Then it may be difficult to get a loan or to rent a home”

The Czech data protection authority, the UOOU, has published an overview of data breaches inspections for the first half of 2021. In one of the complaints, a former insurance company employee stated that the IT department did not fill out an exit checklist at the end of any employee’s contract. This checklist includes the data access revocation, infringing Art. 32 (2) of the GDPR by failing to sufficiently consider the risks of unauthorized access to the data, which could have led to unauthorized disclosure of personal information. In another case, a company operating an online store used cookies illegally. When a user decided to obtain more information about the processing of personal data before granting consent, and clicked on the link “Personal data”, this triggered uninformed consent to the processing of personal data through cookies.

Individual rights

A group of 850 professional footballers in the UK challenged use of their personal data. In the opinion of Herrington Carmichael, “Professional athletes’ performance statistics and attributes have become intrinsic to the sports industry. This information is passed through a multitude of platforms, giving information to clubs on potential player transfers and opponents and it is widely published in the media sphere.” The footballers are arguing that the unchallenged use of their personal data by the firms contravenes their data protection rights under the UK’s GDPR. They do not consent to the sharing of their data which may be used for illegitimate purposes by betting companies, scouting platforms or even video game manufacturers. Moreover, it can be damaging if the data being shared about them is inaccurate. They could miss out on transfers which are not only important for their personal careers but the sports industry as a whole. Collectively the group have claimed compensation for the misuse of their personal data from dozens of firms and demand an annual fee for any firms’ future uses of their personal data.

Opinion

Telemedicine and personal health data exploitation is analysed by Privacy International. The provision of real-time, video-based health consultations, as well as health monitoring software with machine learning capabilities, wireless sensors, etc., has become widely used by health professionals and patients. As an example, during the pandemic everyday communications technologies, such as FaceTime or Skype, were widely accepted and used by nationwide public health services in the US and the EU. Data collected by these applications varies, ranging from concrete data points (e.g. heart rate, glucose, blood oxygen levels) to video footage. One of the biggest security concerns stems from the fact that the tools, in terms of design, functionality or security, are controlled by a third party, not by the healthcare actors.

European legal challenges for manufacturers of connected vehicles regarding personal data are explained in a nutshell by Bird&Bird:

“It could be that different pieces of information, such as vehicle service information, which on the surface don’t appear to constitute personal data, can be collated and linked to an individual via, for example, a Vehicle Identification Number. The consequence of this is that the CV manufacturer as the data controller might be under an obligation to divulge this data in response to data access requests which can be time consuming. There is a solution known as “tokenisation” which involves anonymising the data irreversibly.”

The EU regulator, the EDPB, has recently published draft Guidelines on the processing of personal data in the context of CVs and mobility-related applications. CV manufacturers must abide by the GDPR obligations in full, including privacy notices to car users and guarantees of data security and minimisation during repair or when performing data-driven after-sales services.
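The VIN-linkage point above, as an added example (not code from Bird&Bird, the EDPB or any manufacturer): service and sales records that each carry a VIN are tokenised with a keyed HMAC, so the VIN cannot be recovered or guessed from a token without the key, while records tokenised under the same key remain joinable per vehicle. The VINs and records are constructed sample data; whoever holds the key can still re-link a token to a known VIN, which is the property to keep in mind when assessing access requests.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (made-up 17-character VINs, not real vehicles).
SERVICE_RECORDS = [
    {"vin": "WVWZZZ1JZXW000001", "service": "brake pads", "km": 41230},
    {"vin": "WVWZZZ1JZXW000002", "service": "oil change", "km": 15780},
]
SALES_RECORDS = [
    {"vin": "WVWZZZ1JZXW000001", "buyer": "A. Example", "city": "Barcelona"},
]


def tokenise_vin(vin: str, key: bytes) -> str:
    """Replace a VIN with a keyed HMAC-SHA256 token (hex string).

    Unlike a plain hash, a keyed token cannot be brute-forced from the small
    VIN space without the key. The same VIN and key always give the same
    token, so datasets tokenised under one key stay joinable per vehicle.
    """
    return hmac.new(key, vin.upper().encode(), hashlib.sha256).hexdigest()


def tokenise_dataset(records, key: bytes):
    """Return copies of the records with the VIN column replaced by a token."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["vin_token"] = tokenise_vin(copy.pop("vin"), key)
        out.append(copy)
    return out


def join_on_token(left, right):
    """Pairs of records from two tokenised datasets describing the same vehicle."""
    index = {rec["vin_token"]: rec for rec in right}
    return [(rec, index[rec["vin_token"]]) for rec in left if rec["vin_token"] in index]


def relink(token: str, candidate_vins, key: bytes):
    """Key holder can map a token back to a VIN it already knows; others cannot."""
    for vin in candidate_vins:
        if hmac.compare_digest(tokenise_vin(vin, key), token):
            return vin
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept by the controller, never shipped with the data
    joined = join_on_token(tokenise_dataset(SERVICE_RECORDS, key),
                           tokenise_dataset(SALES_RECORDS, key))
    print(len(joined), "vehicle(s) linked across datasets without exposing a VIN")
```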

Big Tech

Canada’s Office of the Privacy Commissioner published observations following the joint statement by a number of data protection authorities on global privacy expectations of video teleconferencing companies, such as Microsoft, Google, Cisco and Zoom. The expectations include multilayer visual and audible, contextual and timely privacy notices; the ability to opt out of attendance or engagement reports; virtual and blurred backgrounds; user consent before a host unmutes audio or activates video; transparency on third-party contractors; and data center location. Whenever possible, users should be able to choose which locations and jurisdictions their personal information is routed through and stored in; contractual measures should ensure that information is adequately protected when shared with third parties, including in foreign jurisdictions; and providers should offer end-to-end encryption and limit secondary use of data.

China’s market regulator proposed a long list of responsibilities it said it wanted the country’s internet platforms to uphold, in the latest effort by Beijing to establish an oversight framework for its technology sector. Super large platforms are defined as those having more than 500 million users, a wide range of business types, and a market value of more than 1 trillion yuan (13 billion euros), a description that would apply to the likes of Alibaba Group, Tencent Holdings and Meituan. Customer data should not be obtained without users’ consent, and platforms should be transparent when using big data to recommend products. China’s top internet regulator also published draft guidelines that will subject companies with more than 1 million users in the country to a security review before they can send user-related data abroad. Companies that have already sent abroad, or intend to send abroad, the personal information of more than 100,000 users, or “sensitive” personal information belonging to 10,000 users, would also be bound by the requirement.

Meanwhile in the US, an executive at TikTok, owned by Beijing-based internet technology company ByteDance, faced tough questions during the video-sharing app’s first appearance at a congressional hearing, saying it does not give information to the Chinese government and has sought to safeguard U.S. data. Lawmakers were concerned about TikTok’s data collection, including audio and a user’s location, and the potential for the Chinese government to gain access to the information. The executive testified that TikTok’s U.S. user data is stored in the United States, with backups in Singapore. Senators also voiced concerns that TikTok, like its rivals YouTube and Snapchat, has algorithms that can be harmful to young people.

The Apple privacy updates, which began rolling out in April and prevent advertisers from tracking iPhone users without their consent, have had investors in digital ad companies on edge for fear that reduced access to data would upend the nearly 100 bln dollar mobile ad market. Ad businesses such as Snap’s or Facebook’s rely on direct response advertising, an industry term for ad sellers and buyers who use information such as what devices consumers are using and what they are searching for to place ads in front of interested audiences, with the aim of quickly generating sales or website visits. Twitter is likely to be spared because the social networking site is mainly used for brand advertising, and Google is also shielded from the iPhone privacy changes because much of its usage comes from desktops, and promoted results placed on Google searches do not depend on iPhone data.

While everyone is buzzing about Facebook’s rebranding and transition to the future Metaverse, last week privacy experts once again reminded us of the increasing regulatory lash on Meta: “Regulators the world over are seeking to exercise greater restrictions on what the FB platform can do, with a UK watchdog fining it 70 mln dollars for withholding information related to an ongoing antitrust oversight of its acquisition of GIF-sharing platform Giphy. In Ireland, regulators want to fine the company 38 mln dollars for breaching GDPR data collection policies. And in the US, Congress is increasingly discussing the prospect of amending protections given to social media platforms and reforming antitrust laws and data privacy regulations that affect Facebook.”

The post Weekly digest October 25 – 31, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.
