Blockchain Archives - TechGDPR
https://techgdpr.com/blog/tag/blockchain/
Feed generated Tue, 04 Nov 2025 12:41:28 +0000

Data protection digest 19 Oct – 2 Nov 2025: New AI Act and GDPR study & personal data stored on Blockchain
https://techgdpr.com/blog/data-protection-digest-03112025-new-ai-act-and-gdpr-study-personal-data-stored-on-blockchain/
Mon, 03 Nov 2025 17:46:53 +0000

The post Data protection digest 19 Oct – 2 Nov 2025: New AI Act and GDPR study & personal data stored on Blockchain appeared first on TechGDPR.

Blockchain applications and data protection

The Bank of England, in its October statement, confirmed that many firms in the financial sector are already using AI, exploring opportunities to use quantum computing, and piloting DLT applications. One example is stablecoins built on DLT networks, which are already being used at scale by individuals and businesses worldwide for faster, cheaper cross-border payments and automated financial contracting. However, the Bank acknowledges that key barriers to scaling up blockchain solutions are regulatory frameworks that are not entirely suited to digital assets and cross-border initiatives.

Blockchain’s inherent characteristics present unique challenges for GDPR compliance

When it comes to handling personal data, blockchains present a significant challenge to respecting data subject rights. Their immutability, for example, conflicts with the right to erasure (the “Right to be Forgotten”): once personal data is written to the ledger, no single participant can remove it. The global distribution of blockchain nodes also complicates regulatory supervision. Conducting a Data Protection Impact Assessment (DPIA) is not just a legal requirement for high-risk blockchain-based personal data processing, but an important step towards responsible innovation. To help organisations meet these requirements, TechGDPR has created a free downloadable Blockchain DPIA Template, which guides users through all required areas of GDPR compliance:

  • Description of the processing operations
  • Legal basis and necessity assessment
  • Identification of risks
  • Safeguards and technical measures
  • Implementing privacy by design principles
  • Data subject rights and governance structures

The pre-designed template includes ready-to-use sections, prompts, and examples, significantly saving time and ensuring that no critical aspect of your DPIA is overlooked.


UK Adequacy

The European Data Protection Board (EDPB) has issued its opinion on the adequate protection of personal data by the United Kingdom. In July 2025, the European Commission started the process towards adopting its draft implementing decision on the adequate protection of personal data by the UK, which extends the validity of certain parts of the previous adequacy decision until December 2031. In particular, the EDPB asks the Commission to further clarify recent changes in UK post-Brexit legislation regarding:

  • removing the direct application of the principles of EU law, including the right to privacy and data protection
  • new powers to introduce changes via secondary regulations, which require less Parliamentary scrutiny (eg, on international transfers, automated decision-making)
  • changes to the rules governing third-country transfers
  • processing exemptions for law enforcement 
  • restructuring of the Information Commissioner’s Office 
  • safeguards provided by the EU-US Umbrella Agreement, whose privacy and data protection safeguards are incorporated into the UK-US Cloud Act Agreement
  • encryption to remain essential for ensuring the security and confidentiality of personal data and electronic communications.

AI Act and the GDPR

The European Parliament has published a study on the Interplay between the AI Act and the EU digital legislative framework, including the GDPR. In particular, the AI Act introduces requirements for fundamental rights impact assessments (FRIAs) in cases that often also trigger data protection impact assessments (DPIAs) under the GDPR. These instruments differ in scope, supervision, and procedural requirements, creating duplication and uncertainty. Transparency and logging obligations are also redundant across both regimes. Moreover, there is ambiguity over how data controllers and AI providers should manage rights of access, rectification, and erasure when personal data becomes embedded in complex AI models. 

In AI contexts, the GDPR’s “legitimate interests” legal basis is widely regarded as the most relevant and frequently invoked basis, the report states. Consent is often impracticable, and the contractual and legal-obligation bases rarely map neatly onto AI training or deployment scenarios. Finally, the AI Act introduces additional governance layers: the AI Office and the European AI Board at EU level sit alongside the national GDPR supervisory authorities, which remain competent for data protection issues, producing a potentially overlapping set of competent supervisory bodies.

Legal updates

Draghi report: The Future of Privacy Forum takes a closer look at the report on European competitiveness issued in 2024 by former Italian Prime Minister Mario Draghi, which calls for simplification of the GDPR and criticises “heavy gold-plating” by Member States in GDPR implementation. The Commission is now set to announce a Digital Omnibus package with proposals to quickly reduce the burden on businesses. However, changes to the GDPR’s fundamental principles could bring any reform into conflict with the TFEU and the Charter and lead to action before the Court of Justice.

GDPR enforcement: On 21 October, the European Parliament passed the regulation on additional procedural rules regarding the enforcement of the GDPR. The document aims to harmonise the criteria for assessing the admissibility of cross-border complaints and clarifies the rights of complainants and entities under investigation. The regulation establishes the same admissibility standards no matter where in the EU the GDPR complaint was filed. Both complainants and companies involved will have the right to be heard at specific stages of the investigation and will receive preliminary findings to express their views before a final decision is issued. 

Data for research: From 29 October, researchers can request data access from very large online platforms and search engines to study systemic risks. Access to public platform data has been available since the Digital Services Act (DSA) came into force in February 2024. Researchers now have the opportunity to request access to platforms’ internal data and to investigate their impact on society. Since datasets can allow direct or indirect inferences about individual users through their interactions, profiles, or other published content, researchers must comply with the requirements of the GDPR when carrying out their projects.

More from supervisory authorities

DSA and the GDPR: The EDPB has closed the consultation on the guidelines on the interplay between the Digital Services Act and the GDPR. One of its sections examines the limits on automated decision-making that involves the processing of personal data by intermediary service providers. The paper also further examines the transparency of processing and deceptive design patterns prohibited by the DSA when these practices involve personal data.  It also reviews the relationship between profiling restrictions and advertising technology, systematic risk assessments and minors’ data protection.

China privacy updates: China has issued its first national standard for certification of cross-border personal information processing. The standard, which takes effect on March 1, 2026, sets out fundamental principles, security requirements, and obligations for safeguarding individuals’ rights in cross-border data processing. Reportedly, the certification is valid for three years. The applicant may reapply for certification for continual use of such certification six months before its expiration. In general, under the Chinese Personal Information Protection Law (PIPL), a data handler may transfer personal information outside of China if one of the following three conditions (with some exemptions) is met:

  • Apply for and pass the security assessment;
  • Sign and file the standard contract; or
  • Obtain the personal information protection certification.

Hacked emails

Almost one in ten people affected by cybercrime in the previous year experienced unauthorised access to an online account or email. To provide targeted support to consumers in such cases, the German Federal Office for Information Security (BSI) published a guide – Emergency checklist: Hacked account (in German). If a person can no longer log in despite having the correct password, their email account may have been hacked. Changes in settings or attempts to log in from new devices can also be signs. To protect your account, the BSI recommends securing it with either a strong password combined with two-factor authentication or with passkeys. 

IoT security

According to America’s NIST, IoT products often lack product cybersecurity capabilities that their customers, organisations and individuals, can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by providing necessary cybersecurity functionality and the cybersecurity-related information they need. To that end, NIST has closed public consultation on its public draft of Foundational Cybersecurity Activities for IoT Product Manufacturers. This publication describes recommended activities that manufacturers should consider performing before their IoT products are sold to customers.

GenAI guidance


The European Data Protection Supervisor (EDPS) has published its revised and updated guidelines on the use of generative AI and the processing of personal data by EU institutions, bodies, offices, and agencies (EUIs), reflecting the fast-moving technological landscape and the evolving challenges posed by generative AI systems. It introduces several key updates, including:

  • a refined definition of generative AI for greater clarity and consistency
  • a new, action-oriented compliance checklist for EUIs to assess and ensure the lawfulness of their processing activities
  • clarified roles and responsibilities, assisting EUIs in determining whether they act as controllers, joint controllers, or processors
  • detailed advice on lawful bases, purpose limitation, and the handling of data subjects’ rights in the context of generative AI.


Capita fine

The UK’s privacy regulator, ICO, issued a fine of 14 million pounds to Capita for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information, from pension records to the details of customers of organisations Capita supports. For some people, this included sensitive information such as details of criminal records, financial data or special category data. Capita processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.

The investigation found that Capita, in its capacity as a data controller, had failed to ensure the security of the processing and lacked appropriate technical and organisational measures. In particular, Capita did not prevent privilege escalation or unauthorised lateral movement through the network, and did not respond effectively to security alerts when they were raised.

Grindr fine confirmed

On October 21, Norway’s Borgarting Court of Appeal upheld Grindr’s multi-million privacy fine for violating Art. 9 of the GDPR, which prohibits the processing of special categories of personal data. The court decided that sharing a dating app user ID with advertisers revealed sensitive information regarding their sexual orientation. It further stated that consent was invalid since it was bundled with access to the service, giving users no real choice.

Grindr’s multi-page privacy policy was also unclear concerning the extent and beneficiaries of data sharing, according to the Digital Policy Alert legal blog.

In other news

Data security fine: Australian Clinical Labs (ACL) has been ordered to pay AUD 5.8 million for breach of the Privacy Act 1988 following a 2022 cyber incident which impacted the personal information of over 223,000 individuals. This is the first civil penalty under the Privacy Act, DLA Piper law blog reports. The incident occurred within the IT environment of ACL’s subsidiary, Medlab Pathology, which was acquired only 3 months prior. Critical vulnerabilities in the subsidiary’s IT systems were not properly identified before the acquisition, as part of the due diligence process, as ACL intended to fully integrate them into its own IT environment within the following 6 months.

Insurance data security fines: The New York State Attorney General secured USD 14.2 million in penalties from car insurance companies over data breaches. Eight car insurance companies’ poor cybersecurity allowed hackers to steal driver’s licence numbers and use them to fraudulently obtain unemployment benefits, failing to protect the private information of more than 825,000 New Yorkers. These companies allowed people to obtain a car insurance price quote using an online tool. Some of the companies also provided password-protected tools to insurance agents to generate quotes for customers. The investigation found that data thieves were able to exploit a “pre-fill” function in the companies’ online quoting tools.


Electronic identification services fine: In Finland, the Data Protection Ombudsman has imposed an 865,000 euro fine on Aktia Bank for neglecting information security in its electronic identification service. Due to a short-term disruption, some people who logged into various services with Aktia’s bank codes had access to other customers’ highly personal information, as the service mixed up the identification of people. The regulator found that the bank had shortcomings in the planning, implementation and testing of a technical change made to the service.

Patient data breaches

Polish regulator UODO imposed an approximately 10,000 euro fine on Gyncentrum for failing to report a personal data breach. A medical centre specialising in infertility treatment, among other things, sent a communication, the subject line of which indicated the name of a genetic test, to another person, also a patient of the centre (with the same name). The document contained personal data: first name, last name, bank account number, and address. It also included the transfer amount and the name of the test performed, revealing that it was part of an extensive prenatal diagnostic program. The patient herself learned of the incident from another patient at the centre. 

In Guernsey, the Medical Specialist Group (MSG) was also fined 100,000 pounds following a cyber-attack. In 2021, the MSG became aware of a personal data breach after it received suspicious emails indicating that its email server had been accessed by cybercriminals. Unpatched vulnerabilities in that server enabled criminals to access and steal e-mails stored on it, some of which contained sensitive patient health data. These e-mails were subsequently used to facilitate multiple phishing campaigns targeting MSG patients over a series of months. The MSG notified the regulator of this breach. The inquiry found that the company routinely failed to install security updates to its e-mail server over the course of 13 months. This included updates directly related to the vulnerability exploited in the breach and to other critical vulnerabilities.

California privacy violations

California’s Attorney General secured a settlement with Sling TV, a streaming service, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to provide an easy-to-use method for consumers to stop the sale of their personal information and by failing to provide sufficient privacy protections for children. Sling TV is an internet-based live TV service that offers both a paid subscription and a free, ad-supported streaming service. Unlike traditional television, where advertising is based on the content of the programming, Sling TV uses its internet-based platform to deliver highly targeted advertising, using detailed consumer data such as age, gender, location, and income to personalise ads for viewers, often without their awareness.   

In case you missed it

Digital health care: Privacy International suggests that a Digital Health Technology Assessment (dHTA) is needed to make sure that tools developed by the private sector and relied on by public healthcare providers do not harm people and their rights. The Health Technology Assessment (HTA) is a longstanding practice that is used to assess the effectiveness and safety of technological innovations before they can be used in the diagnosis, treatment, management and prevention of health problems.

Thus, there is an overwhelming need for clear and specific rules that engage with the specific needs and challenges of new and emerging practices.

Multi-party computation: An EDPS blog article states that across sectors from health research to financial systems, data sharing continues to drive innovation, yet it also intensifies privacy and compliance challenges, making the balance between access to data and confidentiality increasingly difficult. Secure multi-party computation (SMPC) proposes a way to reconcile these seemingly conflicting goals – enabling organisations to jointly compute insights without revealing their underlying data. Under SMPC, multiple parties can work together to compute a result from their private data without ever exposing that data to one another. Unlike traditional encryption, which protects data only while it’s stored or transmitted, SMPC ensures confidentiality throughout the computation process itself for:

  • hospitals improving disease prediction models using patient data,
  • banks detecting cross-border fraud patterns,
  • governments analysing the impact of social policies,

From a legal perspective, SMPC challenges traditional interpretations of privacy law. Frameworks like the GDPR were not designed with cooperative computation in mind; SMPC deployments must therefore be embedded within transparent governance frameworks and ethical oversight.
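To make the SMPC idea concrete, here is an added example (written for this digest, not code from the EDPS article) of the simplest protocol in the family: additive secret sharing over a prime field. Each party splits its private value into random shares that sum to the value, sends one share to every other party, and publishes only the sum of the shares it received. The published partials reveal the total and nothing else, which is the “confidentiality throughout the computation” property described above. The party inputs are constructed figures, and the field size `P` is an assumption chosen so the true sum never wraps around.

```python
import secrets
from typing import List

# Prime modulus defining the field; inputs must be far smaller than P so the
# true sum never wraps around (assumption for this example).
P = 2**61 - 1


def share(secret: int, n: int) -> List[int]:
    """Split `secret` into n additive shares that sum to it mod P.
    Any n-1 of the shares are uniformly random and reveal nothing."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if n < 1:
        raise ValueError("need at least one party")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares


def reconstruct(shares: List[int]) -> int:
    """Recombine a full set of shares."""
    return sum(shares) % P


def deal(private_inputs: List[int]) -> List[List[int]]:
    """Round 1: party i splits its input and sends share j to party j.
    dealt[i][j] is what party i sends to party j."""
    n = len(private_inputs)
    return [share(x, n) for x in private_inputs]


def received_by(dealt: List[List[int]], j: int) -> List[int]:
    """Everything party j sees in round 1: one share from each party."""
    return [row[j] for row in dealt]


def local_partial(dealt: List[List[int]], j: int) -> int:
    """Round 2: party j sums the shares it received and publishes the result.
    The partial is itself a uniformly random share of the total."""
    return sum(received_by(dealt, j)) % P


def secure_sum(private_inputs: List[int]) -> int:
    """Joint sum: only the published partials are combined, so no input
    ever leaves its owner in the clear."""
    dealt = deal(private_inputs)
    partials = [local_partial(dealt, j) for j in range(len(private_inputs))]
    return reconstruct(partials)


def secure_mean(private_inputs: List[int]) -> float:
    """Mean over the parties, computed from the secure sum only."""
    return secure_sum(private_inputs) / len(private_inputs)


if __name__ == "__main__":
    # Constructed figures: three hospitals' counts of a rare diagnosis.
    counts = [12, 7, 30]
    dealt = deal(counts)
    print("hospital 0 sees only:", received_by(dealt, 0))
    print("joint total:", secure_sum(counts), "mean:", secure_mean(counts))
```

The output of `received_by` changes on every run while the total does not; that is the point. This toy is secure only against parties who follow the protocol (the semi-honest model) and assumes pairwise-confidential channels; production SMPC libraries add authentication, malicious-party resistance and fixed-point arithmetic on top of the same core.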

Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy
https://techgdpr.com/blog/data-protection-digest-18042025-meta-ai-training-restarts-in-europe-virtual-assistants-vs-data-privacy/
Fri, 18 Apr 2025 07:59:21 +0000

The post Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy appeared first on TechGDPR.

Meta AI training in EEA

According to the Norwegian regulator Datatilsynet, Meta will start training its AI service on photos, posts and comments from Facebook and Instagram users in the EEA at the end of May 2025. The purpose of the training is to develop and improve Meta’s generative AI services, based on users’ content and interactions with Meta’s AI services. The training will only include content that is publicly published. Furthermore, Meta will only use photos and posts published by users over the age of 18 to train the AI model. The training includes both historical and future information that is shared publicly. If you do not want your posts and photos to be used to develop Meta’s AI, you can object. If you have both a Facebook and an Instagram account, or multiple accounts, the objection applies to all accounts if they are added to the same ‘Account Center’. You do not need to justify your objection. Meta has stated that it accepts all objections.


GDPR supervision in Germany to be eased?

According to a DLA Piper analysis, the future German government plans to centralise the country’s data protection supervisory authority structure and to ease the regulatory burden for small and medium-sized companies. Responsibilities and competencies for the private sector in all 16 states are to be bundled into the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

Therefore, there would be no need to report data security breaches to multiple state supervisory authorities where impacted data subjects reside, and data controllers and processors would only need to collaborate with one national supervisory authority. The German plan coincides with the recent announcement of the Commission’s plans to amend or simplify some obligations for small and medium-sized companies, among others, under the GDPR. 

More legal updates

Cloud computing and data sharing in the EU: Before the Data Act starts to apply on 12 September 2025, the Commission is providing guidelines on non-binding Model Contractual Terms (MCTs) for data sharing and Standard Contractual Clauses (SCCs) for cloud computing contracts. These B2B models are intended to help especially small and medium-sized companies and other organisations that may lack the resources to draft and negotiate fair contractual clauses. The Commission also seeks feedback on the preparatory work for the Cloud and AI Development Act and the single EU-wide cloud policy for public administrations and public procurement. The Commission would like to gather different stakeholders’ views on the EU’s capacity in cloud and edge computing infrastructure, especially in light of increasing data volumes and demand for computing resources, both fuelled by the rise of compute-intensive AI services. Submissions are open from 9 April to 4 June.

EU cybersecurity: To strengthen the EU’s resilience against rising cyber threats, the Commission seeks input to evaluate and revise the 2019 Cybersecurity Act. This initiative reflects the Commission’s ongoing commitment to simplifying the rules and facilitating their implementation. Interested parties, including Member State competent authorities, cybersecurity authorities, industry and trade associations, researchers and academia, consumer organisations, and citizens, are invited to give their views on the Have Your Say portal until 20 June. In parallel, the Commission seeks contributions to enhance cybersecurity for hospitals and healthcare providers, as well as for the implementation of the European Health Data Space, following the publication of the Action Plan in January. Citizens, healthcare professionals, healthcare authorities, patients, compliance and data privacy professionals, cybersecurity professionals, organisations, and academia, among others, are invited to share their views. The deadline for contributions is 30 June.

EDPB on blockchain technology

The EDPB has adopted long-awaited guidelines on the processing of personal data through blockchain technologies. A blockchain is a distributed digital ledger system that can confirm transactions and establish who owns a digital asset (such as cryptocurrency) at any given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability. Depending on the purpose of processing for which blockchain technology is used, different categories of personal data may be processed.

The guidelines highlight, among other things, the need for Data Protection by Design and by Default and adequate organisational and technical measures. As a general rule, storing personal data on a blockchain should be avoided if this conflicts with the GDPR (eg, in fulfilling the rights of data subjects regarding data rectification and erasure). The guidelines provide examples of different techniques for data minimisation and for handling and storing personal data.
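The immutability problem raised in the blockchain DPIA item above and the EDPB’s advice here both point to the same design pattern: keep the personal data off-chain and write only a commitment to it on the ledger. The following Python is an added example written for this digest (not code from the EDPB guidelines or from TechGDPR’s template) showing that pattern and its main pitfall. A plain hash of low-entropy data such as an e-mail address is not an adequate substitute for minimisation, because anyone with a guess list can recover it; a keyed commitment (HMAC under a random per-record key held off-chain) is unlinkable without the key, so erasure can be honoured by deleting the off-chain record and key while the ledger entry stays put. The `Ledger` and `OffChainStore` classes and the candidate e-mail list are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Constructed for the example: the kind of small guess list an attacker
# could hash to de-anonymise unkeyed hashes of e-mail addresses.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_commitment(data: str) -> str:
    """Unkeyed SHA-256 of the data. Deterministic, so anyone holding a list of
    plausible values can confirm which one is on the chain."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def keyed_commitment(key: bytes, data: str) -> str:
    """HMAC-SHA256 under a random per-record key kept off-chain. Without the
    key, the on-chain value cannot be linked to any guess of the data."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()


def brute_force(commitment: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against an unkeyed commitment."""
    for candidate in candidates:
        if hmac.compare_digest(naive_commitment(candidate), commitment):
            return candidate
    return None


class Ledger:
    """Stand-in for the chain (assumed model): append-only, never pruned."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}

    def append(self, record_id: str, commitment: str) -> None:
        if record_id in self.entries:
            raise ValueError("ledger is append-only; record already exists")
        self.entries[record_id] = commitment


class OffChainStore:
    """Holds the personal data and per-record keys; this is the erasable part."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self._records: Dict[str, Tuple[bytes, str]] = {}

    def register(self, record_id: str, data: str) -> str:
        """Store data off-chain, anchor only the keyed commitment on-chain."""
        key = secrets.token_bytes(32)
        self._records[record_id] = (key, data)
        commitment = keyed_commitment(key, data)
        self.ledger.append(record_id, commitment)
        return commitment

    def verify(self, record_id: str, data: str) -> bool:
        """Prove that `data` is what was committed, using the off-chain key."""
        record = self._records.get(record_id)
        if record is None:
            return False  # erased (or never stored): nothing can be linked
        key, _ = record
        expected = self.ledger.entries.get(record_id, "")
        return hmac.compare_digest(keyed_commitment(key, data), expected)

    def erase(self, record_id: str) -> bool:
        """Honour an erasure request: drop data and key. The chain is untouched,
        but its entry is now a random-looking string linked to nobody."""
        return self._records.pop(record_id, None) is not None


if __name__ == "__main__":
    print("naive hash recovered:", brute_force(naive_commitment("bob@example.com"), CANDIDATE_EMAILS))
    store = OffChainStore(Ledger())
    c = store.register("r1", "bob@example.com")
    print("keyed commitment recovered:", brute_force(c, CANDIDATE_EMAILS))
    print("verify before erase:", store.verify("r1", "bob@example.com"))
    store.erase("r1")
    print("verify after erase:", store.verify("r1", "bob@example.com"))
```

Whether deleting the key is “erasure” in the GDPR sense is a legal question the guidelines leave to the controller’s assessment; technically it is the same property as crypto-shredding, and it only holds if the key is generated with a CSPRNG, never reused across records, and genuinely destroyed everywhere it was backed up.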

Consent management

The Consent Management Ordinance in Germany comes into effect. Effective from April 1, it regulates obligations for trusted consent management service providers. It mandates certain recognised services to store user settings and allows voluntary integration by digital service providers. In addition, it protects data portability rights of users and restricts consent management services from processing personal data beyond the purpose for which it was originally collected and stored. 

Data breach statistics

The Estonian data protection regulator estimates that in the first quarter of 2025, the number of breach reports compared to the same period in 2024 increased by 48%. In January, February and March, organisations notified the agency of a total of 65 data breaches. In 30 cases, the breach involved the public sector or an agency they manage. The most common causes since the start of the year are negligence and human error, technical errors in information systems, and unlawful access to personal data caused by cyberattacks. In particular:

  • There were cases where employees abused the access rights granted to them to perform their duties. Personal data was looked up both out of curiosity and in order to distribute it on social networks or leak it to the press.
  • An employee who left an educational institution, being the sole administrator of the school’s Facebook group, refused to transfer the group’s administration rights to the school. He changed the group’s name and smeared his former employer there.
  • A popular e-learning environment used in schools was targeted by a cyberattack in which an attacker, likely using credentials obtained from previous data leaks unrelated to the learning environment, attempted to hijack the accounts of its users. The environment did not require multi-factor authentication.

More from supervisory authorities

AI Privacy Risks and Mitigation: To help developers and users of large language model-based systems handle privacy issues, the EDPB provides a new practical guide. The paper offers organisational and technical measures to maintain data protection following GDPR Art. 25 – Data protection by design and by default, and Art. 32 – Security of processing. The guideline, however, is not meant to replace a Data Protection Impact Assessment (DPIA), following GDPR Art. 35. Instead, by addressing privacy issues unique to LLM systems, it enhances the DPIA process. 

Mobile apps: The French CNIL has published a modified version of its 2024 recommendations (in French) to better protect privacy in mobile applications. It is aimed at professionals working in the mobile application sector in the role of data controllers and processors, namely: a) app publishers; b) app developers; c) software development kit (SDK) providers; d) operating system providers; e) app store providers. The recommendation covers all types of applications, which can be:

  • “native” (developed in the programming language specific to the operating system in which they are executed);
  • “hybrid” (developed with languages and technologies from web programming, then transformed into an application using specific tools);
  • “progressive web” PWA (dynamic web pages which are presented to the user in the form of apps).

AI public sandbox:  The CNIL has also published the results of its “sandbox” personalised support programme for players who wish to be advised on how to deploy an innovative project: 

  • France Travail (the French unemployment agency): a tool that helps its advisors offer a personalised training course adapted to the needs of job seekers.
  • Nantes Metropole’s Ekonom’IA project: raising awareness among residents about their water consumption levels through an AI program; and
  • RATP (the Paris transport operating company), PRIV-IA project: studying algorithmic processing of images from new video capture technologies (so-called time-of-flight cameras).

Emotion recognition under the AI Act


A recent analysis by DLA Piper examines two real-world uses of emotion recognition in AI work environments to highlight the effects of the recently passed EU AI Act. The first case study uses emotion analysis on sales conversations. The global company’s chief revenue officer, who is based in the US, is trying to implement new software that would enable staff members worldwide to get consistent sales training by comparing the calls made by top performers with those of the lowest performers.

In the second case study, a busy consulting business wants to use a remote application and onboarding process to broaden its pool of candidates to include people who want to apply for wholly remote positions. The company is eager to implement software that enables interview scheduling through a platform with cutting-edge AI-powered capabilities. One element of the system analyses applicants’ speech tones, facial expressions, and other non-verbal indicators.


In other news

Brute force attack: The UK’s Information Commissioner’s Office has issued the law firm DPP Law a 60,000 pound fine following a cyber-attack which resulted in highly sensitive and confidential personal information being published on the dark web. The brute force attempts were targeted at an administrator account for a legacy case management system that was only exposed online sporadically. At the time of the incident DPP had multi-factor authentication for connecting to its network via a VPN. However, the administrator account did not have MFA because it was a service account.
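The DPP case is the textbook shape of a password-guessing attack: a burst of failures against one account from one source, then a success, on an account that MFA would have protected. As an added example (written for this digest, not taken from the ICO decision or from any DPP system), the Python below runs that detection logic over a few constructed authentication log lines in a generic key=value format: it flags a (user, source) pair once failures within a sliding window cross a threshold, marks the alert when the same pair then logs in successfully, and records whether MFA was in play. The log format, field names and sample lines are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample in an invented key=value authentication log format;
# these lines do not come from any real system.
SAMPLE_LOG = """\
2025-03-01T02:00:01Z auth result=FAIL user=admin src=203.0.113.7 mfa=none
2025-03-01T02:00:02Z auth result=FAIL user=admin src=203.0.113.7 mfa=none
2025-03-01T02:00:03Z auth result=FAIL user=admin src=203.0.113.7 mfa=none
2025-03-01T02:00:04Z auth result=FAIL user=admin src=203.0.113.7 mfa=none
2025-03-01T02:00:05Z auth result=FAIL user=admin src=203.0.113.7 mfa=none
2025-03-01T02:00:06Z auth result=FAIL user=admin src=203.0.113.7 mfa=none
2025-03-01T02:00:09Z auth result=SUCCESS user=admin src=203.0.113.7 mfa=none
2025-03-01T02:00:10Z auth result=FAIL user=jsmith src=198.51.100.4 mfa=totp
2025-03-01T02:05:00Z auth result=SUCCESS user=jsmith src=198.51.100.4 mfa=totp
2025-03-01T03:30:00Z auth result=FAIL user=admin src=203.0.113.7 mfa=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_line(line: str) -> Dict[str, object]:
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    fields: Dict[str, object] = m.groupdict()
    fields["ts"] = datetime.strptime(str(fields["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_bruteforce(
    lines: Iterable[str], threshold: int = 5, window: timedelta = timedelta(minutes=10)
) -> List[Dict[str, object]]:
    """Flag (user, src) pairs with >= threshold failures inside a sliding window.
    Once flagged, keep counting failures and mark 'success_after' if the same
    pair later authenticates: the signature of a guessed password."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict[str, object]] = {}
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (str(ev["user"]), str(ev["src"]))
        ts: datetime = ev["ts"]  # type: ignore[assignment]
        if ev["result"] == "FAIL":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if key in alerts:
                alerts[key]["failures"] = int(alerts[key]["failures"]) + 1
            elif len(q) >= threshold:
                alerts[key] = {
                    "user": key[0],
                    "src": key[1],
                    "first_seen": q[0],
                    "failures": len(q),
                    "mfa": ev["mfa"],
                    "success_after": False,
                }
        elif ev["result"] == "SUCCESS" and key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on (user, source) is deliberate: it catches the single-source burst seen here while a per-user key alone would also fire on password spraying from many sources, which deserves its own rule. The `mfa` field is carried into the alert so the response can distinguish a protected account that held from an unprotected one that fell, as the DPP administrator account did.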

Search services: Sweden’s IMY has received a large number of complaints against search services that publish personal data about the population of Sweden. Many of these complaints concern search services that publish information about violations of the law, such as criminal convictions. IMY is now initiating inspections of two of these search services: Lexbase.se and krimfup.se. In a legal opinion from 2024, the IMY ruled that the authority is competent to review search services that hold a so-called certificate of publication. The Supreme Court also recently decided that releasing large numbers of criminal convictions online is not compatible with EU law.

Unwanted insurance: The Romanian data protection agency fined the operator Banca Transilvania SA the equivalent of 5,000 euros. Following a complaint from a natural person, the data subject claimed that their data had been processed without consent, within the framework of an insurance policy mandated by the operator Banca Transilvania. It was found that the petitioner, although he terminated his real estate loan contract, was erroneously issued a new insurance policy against natural disasters, accessory to the terminated real estate loan contract.

Employee email accounts

The Maltese regulator IDPC published a set of FAQs on the management of employee email accounts once an employee leaves an organisation. While employers have a legitimate interest to maintain business continuity following an employee’s departure from the organisation, the employer’s operational concerns must be balanced against the data protection rights of outgoing employees and any other individuals involved, as set out in the GDPR. This includes handling work email accounts in a manner that is proportionate, transparent, and respects the confidentiality of any personal correspondence that may be in the account. The most common real life cases include:

  • Can an employer set up automatic email forwarding following an employee’s departure?
  • Can an employer set up an automatic reply message following an employee’s departure?
  • As an employer, what are some general practical steps I can take to manage employee email accounts in a manner that complies with the GDPR?

In case you missed it 


AI assistants: Privacy International questions whether we can trust the developers of AI assistants to protect our privacy and security. AI assistants need to access apps, data and device services to deliver on their promise to operate as agents capable of doing work for us. Ordinary apps request access too, but for a specific purpose: the messaging app Signal will ask to access your contacts to identify people with a Signal account you haven’t talked to; similarly, a navigation app will require access to your phone’s location services and hardware to guide you.

What makes an AI Assistant different from apps is the level of access they constantly require to function. Prioritising automation as one of the main goals/features of AI assistants means that developers will be tempted to allow processing of your data with the lowest amount of friction possible.  

Opt out from Tesla processing your data: Lastly, a piece from The Guardian examines how Tesla owners may safeguard their data and privacy. Any connected car must track and gather a lot of information about you in order to use any of its capabilities. A detailed picture of your life and movements may be created using these data – sent via GPS trackers, sensors, and other devices. The Guardian studied Tesla’s privacy policy, talked to privacy experts, and even asked the company’s AI chatbot how to share as little data as possible with Tesla. There are some safety measures you can and, in many situations, ought to take if you own a Tesla. However, adjusting these settings so that you share the least possible amount of data with Tesla will shut off access to many of your car’s functions.

The post Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy appeared first on TechGDPR.

Data protection digest 1 – 15 Nov 2024: digital product liability, emerging genomics, surveillance databases https://techgdpr.com/blog/data-protection-digest-19112024-digital-product-liability-emerging-genomics-surveillance-databases/ Tue, 19 Nov 2024 12:49:59 +0000
EU Product Liability

The new Product Liability Directive has been published in the Official Journal of the European Union and will take effect in 20 days. The new law extends the definition of “product” to digital manufacturing files and software, (not excluding AI manufacturers in the future). Also, online platforms can be held liable for a defective product sold on their platform just like any other economic operator if they act like one. Equally, under the new rules, to make sure that consumers are compensated for damages caused by a product manufactured outside of the EU, the company importing the product or the EU-based representative of the foreign manufacturer can be held liable for damages.

More legal updates

UK privacy legislation: The new government has proposed reforms to data protection and e-privacy laws through the new Data (Use and Access) Bill, DLA Piper reports. This follows the previous government’s unsuccessful attempts to reform these laws post-Brexit, which led to the abandonment of the Data Protection and Digital Information Bill in the run-up to the general election.

The new proposal maintains several changes to the UK data protection regime: definitions for scientific research and special categories of personal data, broader consent to research, easier consent requirements, new criteria for a recognised legitimate interest, and wider use of automated decision-making. 

US data transfers: The European Data Protection Board inquired into the implementation of the EU-US Data Privacy Framework. Regarding commercial aspects, the EDPB notes that the US Department of Commerce has taken all relevant steps to implement the certification process. In addition, the redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the regulator recommends that the Commission monitors future developments related to the US Foreign Intelligence Surveillance Act, in particular the extended reach of Section 702 after its re-authorisation by the US Congress earlier this year.

Data brokers: The California Privacy Protection Agency, (CPPA), is conducting a public investigative sweep of data broker registration compliance under the Delete Act. Covered businesses must register by 31 January if they operated as a data broker during the previous year. The Delete Act also requires data brokers to pay an annual fee which funds the registry and the development of a first-of-its-kind deletion mechanism, (DROP). Once established, it will allow a consumer to, in a single request, direct all data brokers to delete their personal information. DROP will be available to consumers in 2026.

Blockchain

The Spanish AEPD has published a technical note regarding Blockchain infrastructures from a data protection perspective, (text in Spanish, and video version in English). It discusses real-life cases of implementing changes and managing governance common in such infrastructures. Policies, including organisational and technical measures, are then developed to implement the right to erasure in a blockchain infrastructure, including information relating to smart contracts. 


Digital identities

“Verifiable credential,” “digital wallet,” “mobile driver’s license,” are terms that reference a growing ecosystem around what we are calling “verifiable digital credentials”, explains America’s NIST. Though the concept seems simple, deploying it and understanding its impact on security, privacy and usability in practice can be challenging. The new blog post series by NIST helps to navigate the terminology, technology, data formats, and protocols that underpin this new and rapidly evolving ecosystem, and leverage the collective expertise of stakeholders from across both government and industry. 

More official guidance

PETs costs and benefits: The UK government and Information Commissioner published the Privacy Enhancing Technologies, (PETs), Cost-Benefit Awareness Tool. This resource is designed to help organisations understand and assess the costs and benefits associated with adopting a variety of PETs. Alongside this resource, the Commissioner has also published a checklist to support organisations. Examples of PETs include homomorphic encryption, trusted execution environments, secure multi-party computation and differential privacy.

Healthcare data: The Finnish data protection authority elaborates on frequently asked questions about healthcare – instructions for checking, correcting, deleting and disclosing your personal information. The answers include information on whether an incorrect diagnosis can be corrected and what to do if you suspect that your patient records have been viewed without justification, or if the patient wants to deny contact by the healthcare provider due to a scientific research finding. The content of these guidelines will soon also be available in English on the regulator’s website.

Genomics


The UK Information Commissioner has also prepared a report on genomics that could soon impact everyday life in remarkable ways: hospitals might use DNA to predict and prevent diseases, insurers could adjust policies based on genetic health markers, and wearable tech could personalise fitness plans based on genetic tendencies.

Genomics also continues to reshape and expand into sectors such as insurance, education, and law enforcement. The report explores various scenarios to illustrate potential data protection concerns, including Data Security, Discrimination or Bias, Transparency and Consent, and Purpose of Use. The potential expansion of genomic data use beyond its original purpose is leading to concerns around data minimisation and purpose limitation. 



Top exploited vulnerabilities

Cybersecurity agencies around the globe have just identified that malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high-priority targets. The authoring agencies strongly encourage vendors, designers, developers, and end-user organisations to implement several recommendations, including secure-by-design practices into each stage of the software development life cycle, secure-by-default configurations, and timely patches to systems. For more findings and technical details see the original publication.

Data Clean Rooms (DCRs)

Data Clean Rooms are cloud data processing services that let companies exchange and analyse data, restrained by rules that limit data use, explains America’s FTC. They are typically used when two companies want to exchange limited information about their customers, (eg, the efficacy of an advertisement by identifying grocery sales made to newspaper subscribers). In some cases, DCRs can add privacy protections to the handling of consumer data.


In others, disclosure of consumer data via DCRs presents the same privacy risks as disclosure through other means like tracking pixels, states the regulator.

Data breach case study

The Guernsey Data Protection Authority has published its latest breach statistics. In one recent instance, a retailer filed a breach report after police notified them of a claim that a staff member had shown a member of the public CCTV footage taken inside the shop.  This footage contained images of customers and was not viewed according to the retailer’s policy on CCTV use. This event highlights how crucial it is to limit employee access to personal information to that which is necessary for them to carry out their jobs. In data governance, a “need-to-know” basis can greatly decrease the chances of a data breach, states the regulator. It further highlights the importance of having audit trails for instances where personal data is misused.

More enforcement decisions

Cookie fine: DataGuidance reported a case where the Spanish AEPD fined SEAT SA 20,000 euros, (reduced to 12,000 euros), for placing non-technical cookies without user consent on their website. 

SEAT’s website set cookies at session start before any user action, including functionality and segmentation cookies, and continued to do so even after users withdrew consent. In principle, functionality or preference cookies are not considered strictly necessary for the basic functioning of the website, which implies that, under the GDPR, it is necessary to request the user’s prior consent for their installation, since they affect the personal experience, although they are not invasive in terms of data collection. More of the original decision in Spanish can be read here.

Electronic services: Finland’s Data Protection Commissioner has ordered Posti, (a delivery service), to pay a penalty of 2.4 million euros for automatically creating an electronic OmaPosti mailbox for customers without a separate request. The Commissioner states that electronic services are a significant part of the digital society, and they must be implemented according to the data protection rules. The OmaPosti mailbox has been linked to a wider service package, which has also included, for example, mail resending and the Oma Noutopiste service. The investigation revealed that the customer could not choose whether to use the OmaPosti box or not, because the different services were linked to each other in one contract. The electronic mailbox could also not be discontinued without the other services also being discontinued.

Data security

Log auditing: The Danish regulator reported the results of an inspection visit to Kerteminde Municipality back in 2023.  The inspection focused on logging and log auditing, internal procedures for data handling, notification and registration of breaches of personal data security, including the use of auto-complete, testing of backups, testing of preparedness, and procedures for deletion, as well as impact analyses. Previously the municipality had not implemented fixed procedures or random checks for ongoing log checks to ensure that the users only accessed information they had a work-related need for. It only checked the log in case of specific suspicions of abuse.  In addition, the municipality must continue to identify which processing activities require impact analyses, and in this case, a plan should be drawn up for the implementation of these analyses.

Thinking of using AI to assist recruitment? The UK Information Commissioner has shared key questions organisations should ask when procuring AI to help with their employee recruitment. Any recruiter may be looking to procure these tools to improve the efficiency of their hiring process, helping to source potential candidates, summarise CVs and score applicants. If not used lawfully, however, AI tools may negatively impact job seekers who could be unfairly excluded from roles or have their privacy compromised. 

For instance, some features in those tools could lead to discrimination by having a search functionality that allowed recruiters to filter out candidates with certain protected characteristics. They could estimate or infer people’s gender, ethnicity, and other characteristics from their job application or even just their name, rather than asking candidates directly. Moreover, this could be processed without a lawful basis or the candidate’s knowledge. 

Big Data

There are two ways to have your information removed from the Internet: by deleting it from the relevant website or by removing the content from the search engine, states the Hamburg Data Protection Authority. The Federal Court of Justice in Germany earlier this year ruled on a case where an association board of directors’ data was still available in the online register of associations 20 years after the board changed. The register entry was therefore to be removed from the Internet register, and could only be made available to third parties if a legitimate interest was demonstrated. In parallel, the CJEU has just ruled that personal data published on the Internet that are not subject to the disclosure obligation under commercial law are entitled to deletion and, in case of doubt, documents may only be published in redacted form. 

Digital Health, Edtech, Surveillance… Privacy International has posted a series of analyses including Big Tech’s dominant vision of digital health, which might pose risks to fundamental rights and the autonomy of society as these digital tools may not always have been designed with people’s privacy in mind; concerns over the Edtech unchecked implementation that can jeopardize students’ rights through potential privacy violations, discrimination, and the lack of student input in the adoption of these technologies; and surveillance databases that are on the rise all around us – from countering terrorism and investigating crimes to border management and migration control. 

The post Data protection digest 1 – 15 Nov 2024: digital product liability, emerging genomics, surveillance databases appeared first on TechGDPR.

GDPR’s Right to be Forgotten in Blockchain: it’s not black and white. https://techgdpr.com/blog/gdpr-right-to-be-forgotten-blockchain/ Tue, 13 Aug 2019 14:07:09 +0000
There have been many discussions about the big problem of the right to be forgotten (right to erasure, Article 17) under the GDPR. Since a blockchain is generally immutable while the GDPR requires personal data to be deletable, many people therefore conclude that it is impossible to store any kind of personal data on a blockchain.

In my opinion, however, this needs to be seen with more nuance, and as lawyers like to say, it all depends on the specific circumstances; blockchain is not always strictly immutable, the right to be forgotten is not absolute, and the definition of personal data is still not 100% clear. If you look past the headlines and dive into the details, you will see this situation is not that black and white.

1. Blockchain is not always strictly immutable

Already in the very first paper on blockchain, “Bitcoin: A Peer-to-Peer Electronic Cash System” by Satoshi Nakamoto, there was the notion of pruning: “Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space.” So even in the first-generation Bitcoin protocol there is a technical method to delete certain data from the chain. This per-transaction form of pruning has not been implemented as such (Bitcoin Core’s later pruning mode is coarser: it discards whole old block files after validation), but there is a methodology to achieve it without breaking the system. Obviously, in this particular design a node operator could still choose to keep all data that ever comes across, so in practice this may not work with Bitcoin unless additional safeguards guaranteeing deletion are put in place.
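To make the pruning mechanism the paper describes concrete, here is an added example (written for this page; not code from the post or from Bitcoin Core). It is deliberately simplified: single SHA-256 over constructed byte-string transactions instead of Bitcoin’s double SHA-256 over serialised transactions, but the Merkle-branch logic is the one the paper relies on.

```python
"""Pruning a spent transaction while keeping the block verifiable, after
section 7 of the Bitcoin paper.

Added example; not code from the post or from Bitcoin Core. Simplified on
purpose: single SHA-256 and plain byte strings rather than Bitcoin's double
SHA-256 and serialised transactions. The transactions are constructed.
"""
import hashlib


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _next_level(level):
    # Bitcoin convention: duplicate the last hash on an odd-sized level.
    if len(level) % 2 == 1:
        level = level + [level[-1]]
    return [sha(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = list(leaves)
    if not level:
        raise ValueError("empty tree")
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_branch(leaves, index):
    """Sibling hashes (with their side) needed to recompute the root from
    leaf `index` alone."""
    level = list(leaves)
    branch = []
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        branch.append((level[sibling], "right" if sibling > index else "left"))
        level = _next_level(level)
        index //= 2
    return branch


def verify_branch(leaf, branch, root):
    cur = leaf
    for sibling, side in branch:
        cur = sha(cur + sibling) if side == "right" else sha(sibling + cur)
    return cur == root


# Constructed block: three spent transactions and one still-unspent output.
TXS = [b"tx0 alice->bob 5", b"tx1 bob->carol 3",
       b"tx2 carol->dave 1", b"tx3 dave->erin 1"]


def prune(txs, keep):
    """Drop every transaction body except `keep`; retain only its Merkle
    branch and the root. The *hashes* of pruned transactions survive in
    the branch, which is all a later verifier needs."""
    leaves = [sha(tx) for tx in txs]
    return {"root": merkle_root(leaves), "tx": txs[keep],
            "branch": merkle_branch(leaves, keep)}


def verify_pruned(pruned):
    return verify_branch(sha(pruned["tx"]), pruned["branch"], pruned["root"])


if __name__ == "__main__":
    kept = prune(TXS, 3)
    print("unspent tx still provable after pruning:", verify_pruned(kept))
    print("branch length:", len(kept["branch"]))
```

Two things worth noticing for the data-protection discussion: the block header (the root) never changes, so pruning does not “rewrite history” and does not need consensus; and what is discarded is the transaction body, while a hash of it stays in the branch. Whether such a residual hash is still personal data is exactly the question the rest of this post turns to.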

With later-generation protocols, such as EOSIO, there is more sophisticated governance in place: designated block producers can, based on a constitution, agree to remove certain data, or mutually agree to block outside access to certain data. Even though this limits transparency and centralises some of the decision making, it may still be a feasible solution for certain use cases. For example, Europechain aims to set up networks with only EU/EEA block producers that are all bound by a Data Processing Agreement (DPA), specifically to offer a GDPR-compliant way of using blockchain while keeping most of its advantages in place.

Immutability can for certain purposes be very valuable, but for Personal Data it may not be ideal.


2. The right to be forgotten is not absolute

The right to be forgotten is often cited as the holy grail of protecting your personal data, but it cannot always be applied. According to Article 17, it can for example be invoked under the following circumstances:

  • Personal data is no longer needed for the purpose, for example, if it was processed for the provision of a contract (Article 6.1(b)), but the contract has been cancelled or has expired.
  • It was processed under consent (Article 6.1(a)), and the consent has been withdrawn.
  • It has been processed under legitimate interest, but the legitimate interest has been challenged and no overriding interests prevail.
  • The processing was unlawful in the first place.

The right to be forgotten does for example not apply if the processing is (still) necessary for the performance of a contract, for scientific or historical reasons in the public interest, to comply with a legal obligation, or if the legitimate interest continues to overrule the interest of the data subject.

If a controller has made personal data public, and publishing on a public blockchain should be seen as making it public, they are required to inform others who are processing the data that it should be deleted. It is an interesting question how that should work in a distributed environment with public actors, but it is not impossible.

3. The definition of personal data is still not 100% clear

In blockchain environments, clearly readable personal data should not be used. In particular, within public permissionless blockchains there is no good reason to do so. Most projects resort to storing hashes of information or transactions on-chain to prove certain things off-chain. Depending on the circumstances, such hashes could be considered pseudonymous or anonymous. Pseudonymous data is still in scope of the GDPR and should therefore adhere to it; anonymous data is out of scope. What exactly is to be considered pseudonymised, following a specific approach, and therefore in scope of the GDPR, was previously (before the GDPR) explained in Opinion 05/2014 of the Article 29 Working Party (WP216). However, this opinion has not been formally endorsed by the EDPB. This makes it a lot harder to establish whether, for example, hashed information is pseudonymous or anonymous from the perspective of the GDPR.


Is the right to be forgotten in blockchain really a problem?

Well, yes. There are certainly potential problems with storing pseudonymised personal data in a blockchain; however, one should look at the particular circumstances: which source data is pseudonymised, encrypted or hashed, where is it stored, can it be related to other on-chain events, what happens if you delete the source data, and how much entropy does the hashed input have?

To find solutions for this challenge, it is important to consider both the technical (immutability) and the legal (how absolute is the right to erasure?) aspects, and the overall situation. It will stand or fall with the small details, and because the GDPR is a new regulation and blockchain a new technology, it will always be a risky undertaking to deploy this ‘in the wild’.

The only way in which this challenge can be approached is through Privacy by Design: ensuring all privacy controls are implemented right from the start, and making sure products, protocols and their apps and UX are designed in a privacy-friendly way. Launching an immutable system with privacy weaknesses that are not fully thought through and documented is quite clearly a violation of Article 25 of the GDPR on Data Protection by Design and by Default.

The post GDPR’s Right to be Forgotten in Blockchain: it’s not black and white. appeared first on TechGDPR.

Blockchain & DLT under the GDPR explained to the European Commission https://techgdpr.com/blog/blockchain-dlt-under-the-gdpr-explained-to-the-european-commission/ Tue, 04 Jun 2019 15:14:26 +0000
Today, I had the opportunity to present the key issues of Blockchain & DLT under the GDPR to a delegation of the European Commission in Berlin. Below is a summarised version of the issues I presented.

1. Is the Opinion 05/2014 by Working Party 29 still valid?

The Article 29 Working Party issued comprehensive guidance on anonymisation techniques in April 2014 (Opinion 05/2014, WP216), setting a high standard for what counts as true anonymisation and specifying what is to be interpreted as pseudonymisation, which is merely a method to reduce the linkability of a dataset with the original identity of a data subject.

Many applications of DLT require some verification data to be stored on-chain, which, depending on interpretation and the specific requirements, can be seen as anonymous or pseudonymous.

During its first plenary meeting on May 25th, 2018 the European Data Protection Board (EDPB) endorsed a number of GDPR related WP29 Guidelines, but not “Opinion 05/2014 on Anonymization Techniques” by “Art. 29 Working Party”.

The EDPB should clarify whether this opinion by WP29 may be used as a guideline, or ideally issue new guidelines that allow for sufficiently protected pseudonymous data and verification hashes to be recognised as anonymous.

2. Clarification of distribution of responsibilities in a decentralised environment (DLT) according to given roles under GDPR.

The architecture (or topology) of systems using DLT is vastly different from more traditional systems comprising a client-server or client-cloud architecture. The GDPR is clearly designed for a client-server architecture, with clearly distinguishable rights and duties between a data controller, who is primarily responsible, a data processor, who processes data on behalf of a controller, and a data subject, whose personal data is being processed.

(Figure in the original post: centralised, decentralised and distributed network topologies.)

This is not translatable into blockchain or distributed ledger technology, where every node could play every role, not overseen by a central entity or system. Participants may have different roles under different circumstances, and may have multiple roles at the same time. In addition, the requirement of concluding a Data Processing Agreement in a public permissionless network is very difficult to fulfil, and other overarching measures may be required.

Clarification of the GDPR roles of the different actors within the blockchain ecosystem, under different circumstances is highly desirable to give innovators enough legal certainty to continue their efforts.

3. Clarification regarding deletion and rectification obligations under DLT.

Under Article 16 and 17 of the GDPR, data subjects have the right to have incorrect personal data corrected, and have their personal data that is no longer required erased.

This poses a problem when using DLT, which primarily derives its trust from its immutability. Because data, including personal data, on DLT cannot be rectified or erased, and many blockchains are public, the best practice so far is to not directly store personal data on a blockchain but only a verification value, also known as a hash, of some kind. However, as highlighted before, there is currently no valid guidance on the exact limits of anonymisation, so how this is to be applied remains unclear.

Technical approaches to this problem exist: nodes can restrict access to certain information; only ‘keyed hashes’ can be allowed, each with a unique key stored off-chain that can be deleted; or a mutable implementation of DLT can be used. The last option unfortunately hardly helps us trust the technology, as it relies on a trusted third party, and should not be seen as a true solution, since it defeats the appeal of blockchain and DLT.
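The ‘keyed hash with a deletable off-chain key’ approach above, and the earlier post’s question of whether a hash of personal data is pseudonymous or anonymous and how much entropy the input has, can both be shown in one added example (written for this page; not code from either post or from any project they mention). The ledger is a plain list standing in for an immutable chain, the key store is a dict standing in for off-chain storage, and the record data and the attacker’s candidate list are constructed.

```python
"""Keyed on-chain hashes with an off-chain key that can be erased.

Added example; not code from the original posts or from any project they
mention. CHAIN stands in for an immutable ledger, KEY_STORE for off-chain
storage; the personal data and the candidate dictionary are constructed.
"""
import hashlib
import hmac
import secrets

CHAIN = []        # what is written to the ledger: (record_id, hex digest)
KEY_STORE = {}    # off-chain: record_id -> 32-byte random key

# Constructed low-entropy personal data: a date of birth has only a few
# hundred plausible values per year, so a plain hash of it is guessable.
DOB = b"1984-03-17"
# Constructed attacker dictionary: every (28-day) day of one year.
CANDIDATES = [f"1984-{m:02d}-{d:02d}".encode()
              for m in range(1, 13) for d in range(1, 29)]


def unkeyed_commit(data: bytes) -> str:
    """Plain SHA-256, the value many projects write on-chain."""
    return hashlib.sha256(data).hexdigest()


def keyed_commit(record_id: str, data: bytes) -> str:
    """HMAC with a fresh per-record key; only the digest goes on-chain."""
    key = secrets.token_bytes(32)
    KEY_STORE[record_id] = key
    digest = hmac.new(key, data, hashlib.sha256).hexdigest()
    CHAIN.append((record_id, digest))
    return digest


def verify(record_id: str, data: bytes) -> bool:
    """Prove `data` matches the on-chain value; impossible once the key is gone."""
    key = KEY_STORE.get(record_id)
    onchain = next((d for rid, d in CHAIN if rid == record_id), None)
    if key is None or onchain is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, onchain)


def erase(record_id: str) -> None:
    """The erasure step: delete the off-chain key, leave the ledger untouched."""
    KEY_STORE.pop(record_id, None)


def dictionary_attack(digest: str, candidates, key: bytes = None):
    """What a node operator or scraper can do with only the on-chain digest
    (key=None), or with the digest plus a leaked key."""
    for c in candidates:
        guess = (hmac.new(key, c, hashlib.sha256).hexdigest() if key
                 else hashlib.sha256(c).hexdigest())
        if guess == digest:
            return c
    return None


def walkthrough():
    """Run the scenario end to end and return what each party could see."""
    plain = unkeyed_commit(DOB)
    keyed = keyed_commit("rec-1", DOB)
    result = {
        "unkeyed_recovered": dictionary_attack(plain, CANDIDATES) == DOB,
        "keyed_recovered_without_key": dictionary_attack(keyed, CANDIDATES) is not None,
        "keyed_recovered_with_key": dictionary_attack(keyed, CANDIDATES, KEY_STORE["rec-1"]) == DOB,
        "verifies_before_erasure": verify("rec-1", DOB),
    }
    erase("rec-1")
    result["verifies_after_erasure"] = verify("rec-1", DOB)
    result["digest_still_on_chain"] = any(rid == "rec-1" for rid, _ in CHAIN)
    return result


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Three design points carry the argument. The key must be per record, not per system, otherwise erasing one data subject’s key erases everyone’s proofs. The key store is the controller’s real erasure mechanism, so it needs the same backup-and-deletion discipline the later section on tape backups warns about. And after erasure the digest is still on the chain: it is now a random-looking value that no one, including the controller, can link back to the person, which is the strongest technical argument that it has become anonymous rather than pseudonymous, but the legal question remains the one the posts raise.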

Within current practices using data backups in more traditional settings, it can also not be assumed that all personal data is effectively deleted, in particular from offline tape backups. It can also be questioned what the technical implementation of ‘deleting data’ in a traditional sense is: under most circumstances this is just ‘unlinking’ data, which can still be recovered.

Further guidance, and more flexibility on the interpretation of deletion and rectification obligations, in particular in a blockchain environment, is requested.

4. Request to ensure future guidance takes the different blockchain and DLT architectures into account.

When the EDPB or other regulators provide guidance on blockchain under the GDPR, it is essential to understand and consider the different blockchain architectures currently available, and possibly those of the future. A public permissionless blockchain, which anyone can join, participate in and download, is vastly different from a private permissioned one. Related technologies that are technically not blockchains but still fall within the scope of distributed ledger technologies, such as Tangle and Hashgraph, have yet another very different architecture requiring a different approach.

We’d like to urge the regulators and in particular the EDPB to take these fundamental differences into account when issuing further guidance.

The post Blockchain & DLT under the GDPR explained to the European Commission appeared first on TechGDPR.
