Cloud services Archives - TechGDPR (https://techgdpr.com/blog/tag/cloud-services/), feed last updated Wed, 11 Jun 2025 11:08:13 +0000

Data protection digest 18 Jun – 2 Jul 2024: end-to-end algorithmic audit, DPOs for small business, Vinted fine
https://techgdpr.com/blog/data-protection-digest-04072024-end-to-end-algorithmic-audit-vinted-fine-dpo-for-small-businesses/
Thu, 04 Jul 2024 08:22:11 +0000

The post Data protection digest 18 Jun – 2 Jul 2024: end-to-end algorithmic audit, DPOs for small business, Vinted fine appeared first on TechGDPR.

In this issue we look at an end-to-end algorithmic audit, Vinted multimillion fine, Meta and Apple AI projects frozen in the EU, the fight against addictive feeds to minors in the US, and the Avanza Bank and Meta Pixel error case.


End-to-end algorithmic audit

The EDPB offers a non-binding auditing methodology for AI systems, specifically focused on impact assessment. A socio-technical, end-to-end algorithmic audit (E2EST/AA) should inspect a system in its actual implementation, processing activity and running context, looking at the specific data used and the data subjects impacted. It is designed to inspect algorithmic systems used in ranking, image recognition and natural language processing. An AI system may be composed of several algorithms, and an AI service or product may include several AI systems.

It is also an iterative process of interaction between the auditors and the development teams. The method provides templates and instructions to guide such interaction, specifying the data inputs that auditors need in order to complete the assessment and validate results. One of these templates is the ‘Model card’, a document designed to compile information about the training and testing of AI models, as well as the features and the motivations of a given dataset or algorithmic model.

Vinted fine

The Lithuanian Data Protection Inspectorate VDAI imposed a 2,385,276 euro fine on Vinted, an online second-hand clothing trade and exchange platform. The violations concern transparency of information, notification, and the conditions for exercising data subject rights. VDAI investigated complaints from 2021 and 2022, forwarded by the French and Polish supervisory authorities, regarding the company’s possible improper handling of requests for data deletion (the “right to be forgotten”) and the right to access data.

In response to the requests, the company stated that it would not take action because the individuals did not detail their requests following Art. 17 of the GDPR. It was also established that to ensure the platform’s and its users’ safety, the company applied “shadow blocking” without individuals knowing about such processing, (and thus unable to exercise other rights established by the GDPR and their remedies). In addition, the company did not take sufficient technical and organisational measures to ensure and to be able to demonstrate that it took, (or reasonably refused to take), steps regarding the right to access the data. 

Meta non-compliance under DMA

The European Commission stated Meta’s “Pay or Consent” advertising model failed to comply with the Digital Markets Act. The binary choice forces users to consent to the combination of their data and fails to provide them with a less personalised but equivalent version of Meta’s social networks. In response to regulatory changes in the EU, Meta introduced a binary offer whereby EU users have to choose between a subscription for a monthly fee to an ads-free version, or free-of-charge access with personalised ads.

A possible solution would be for users who do not consent to still get access to an equivalent service which uses less of their data. In case of non-compliance, the Commission can impose fines of up to 10% of the gatekeeper’s total worldwide turnover. Such fines can go up to 20% in the case of repeated infringement. The Commission is also empowered to adopt additional remedies, such as obliging a gatekeeper to sell a business or parts of it, or banning the gatekeeper from acquiring additional services.

Non-material damage under the GDPR

The CJEU has found that the damage caused by a personal data breach is not inherently less serious than a physical injury. In the related case, a data controller managed a trading application in which a data subject opened accounts and entered personal data to do so. In 2020, their data were seized by third parties whose identity and purposes remain unknown. 

An individual requesting compensation under the GDPR must prove not only that the infringement occurred but also that the violation caused them harm; this cannot be automatically assumed. In the event of identity theft, as in the above case, the data must have been misused by a third party. Also, determining the damages payable is up to the legal system of each Member State in each given context. 

Apple AI delayed in the EU

Apple decided to delay the release of three new AI features in Europe due to EU competition regulations requiring competing goods and services to be compatible with its devices. The company is concerned that, to meet the interoperability requirements of the Digital Markets Act, it may be required to make compromises to the integrity of its devices that endanger user privacy and data security. The features will debut in the US this autumn, but they won’t make it to Europe until 2025.

More legal updates

US privacy legislation: On July 1, the Florida Digital Bill of Rights, Oregon Consumer Privacy Act, and Texas Data Security and Privacy Act entered into effect, joining California, Colorado, Connecticut, Virginia, and Utah. Among many things, they guarantee consumers rights to access, correct, delete, and opt out of the sale of their data concerning targeted advertising, and certain profiling. There are also provisions relating to data minimisation, children’s data, sensitive data consent, biometric data, and impact assessments. 

Foreign adversaries: On June 23, the Protecting Americans’ Data from Foreign Adversaries Act of 2024 entered into effect. It makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals who reside in the US to North Korea, China, Russia, Iran or an entity controlled by those countries. Sensitive data includes government-issued identifiers, financial account numbers, biometric information, genetic information, precise geolocation information, and private communications.

Minors’ data: To safeguard children’s internet privacy, New York State established new laws. The SAFE For Kids Act defines operators that offer minors an “addictive feed” as a major component of their online or mobile service. Addictive feeds rely on the user’s past interactions, privacy or accessibility settings related to their device, content displayed or blocked by the user, private communication, search inquiries, chronological order, etc. The other piece of legislation, the Child Data Protection Act, governs the (GDPR-enhanced) processing obligations that apply to relevant minors’ data for operators, processors and third parties.

More official guidance


Messenger standardised audit: The EDPB offers the Standardised Messenger Audit initiative to inspect any messenger service used within businesses from a data protection perspective. It consists of two documents – the requirement catalogue and the audit methodology. The requirements in the catalogue are formulated so as to distinguish MUST, SHOULD and MAY requirements for each data protection principle. The catalogue is also closely based on the structure and outline of the GDPR.

Data processor: According to the Latvian data protection regulator, for an organisation to be considered a processor, it must meet two basic conditions – be a separate and independent organisation, and process personal data on behalf of the controller. An organisation usually appoints a processor when it needs more knowledge, resources, etc. Finding such a processor requires a feasibility study: whether the set of security requirements chosen by the processor matches the controller’s wishes and needs, as well as the processor’s reputation and responsibility. Finally, the signing of the agreement indicates the readiness of both parties to cooperate. Further guidance can be read here.

Joint controllership: The Bavarian State Data Protection Commissioner has published new guidance (in German) on the legal concept under which two or more controllers jointly determine the purposes and means of processing. The GDPR requires a clear allocation of responsibilities, including where a controller determines the purposes and means of processing jointly with other controllers, or where a processing operation is carried out on behalf of a controller. However, joint responsibility may still seem less “familiar” than the long-established contractual data processing arrangement.


DPOs getting into small business

The Data Protection Officer is a profession that is increasingly represented in small enterprises, according to the French data protection regulator CNIL. The regulator came to this conclusion after a joint survey of 3,625 DPO respondents in the country, including 2,842 internal, 366 shared and 417 external. Certain components, such as the age distribution, territorialisation, and contract type, have stabilised, but certain respondent characteristics have changed significantly between 2019 and 2024. 57% of respondents now work in structures with fewer than 250 employees (+19% compared to 2019). Also, 91% are convinced of the social usefulness of the DPO’s function and profession for the protection of customers’, users’ and citizens’ personal data.

Digital identity

The US NIST meanwhile has launched a collaborative project to adapt its digital identity guidelines to support public benefits programs, such as those designed to help beneficiaries pay for food, housing, medical and other basic living expenses. In response to heightened fraud and related cybersecurity threats during the COVID-19 pandemic, some benefits-administering agencies began to integrate new safeguards such as individual digital accounts and identity verification, also known as identity proofing, into online applications.

However, the use of certain approaches, like those reliant upon facial recognition or data brokers, has raised questions about privacy and data security, (and potential biases that disproportionately impact communities of colour and marginalized groups).

Enforcement decisions

Avanza Bank and Meta Pixel: Sweden’s privacy regulator fined Avanza Bank AB 1.3 million euros for failing to implement security measures, leading to the unauthorised transfer of personal data of more than half a million data subjects to Meta after two functions of the Meta Pixel analytics tool were accidentally turned on. The controller used Meta Pixel to measure the effectiveness of the bank’s Facebook advertising. Two new functions of the analytics tool, Automatic Advanced Matching and Automatic Events (for the recognisable form fields and buttons used on the page), were activated by mistake.

Avast browsing data: The US Federal Trade Commission will require Avast to pay 16.5 million dollars and prohibit the company from selling or licensing any web browsing data for advertising purposes. The FTC alleged that UK-based Avast Limited, via its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.

Car retail software: A cyber outage at a major retail software provider for automobile dealers delayed car sales throughout North America (approx. 15,000 retail locations), the Guardian reports. CDK, which provides different kinds of software to car dealerships, proactively shut down most of its systems and is working to reinstate its services.

Cloud banking security

In terms of data security, operational continuity, and regulatory compliance, outsourcing cloud services to outside providers entails serious risks, according to a new analysis by DLA Piper. One example is financial institutions, which retain full operational responsibility even when they outsource critical services; this includes risk management, performance monitoring, and vendor selection. To that end, the EU has established two legal frameworks concerning the provision of cloud and ICT services (DORA, NIS 2), complementing guidelines issued by the European Central Bank.

Neuro data processing

In addition to privacy and data protection, fundamental rights such as human dignity and physical and mental integrity are jeopardised by certain uses of neuro data, states an EDPS analysis. The use of AI systems may also make the exploitation of neuro data by private entities for workplace or commercial surveillance technically possible. Certain uses of neuro data pose unacceptable risks to fundamental rights and are likely unlawful under EU law.

In other cases (e.g. controlling specific aspects of a video game, monitoring concentration in educational environments, managing chronic pain by modifying brain activity, etc.), mitigating techniques should always include impact assessments, data minimisation, transparency, accuracy, necessity and fairness of processing, local storage of raw data, and efficient anonymisation for re-use and analysis.

Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health
https://techgdpr.com/blog/data-protection-digest-05022024-social-media-giants-grilled-over-child-safety/
Mon, 05 Feb 2024 10:44:12 +0000

Child safety online was the subject of a sometimes heated US Congressional hearing, forcing CEOs of the biggest American social media giants to apologise to parents of victims. While legislators are struggling to find a legal solution to the crisis, police are finding evidence of children as young as seven being at risk of harm.


Children at risk

Last week, the CEOs of Meta, X, TikTok, Snap and Discord were questioned before the US Congress over alleged harms to young users on their platforms – access to drugs and subsequent overdoses, harassment, grooming and trafficking exploitation, leading in some cases to death. Legislators stated that the industry, through its constant pursuit of engagement and profit, failed to adequately invest in trust and child safety. Executives highlighted controls and tools they have introduced to mitigate harm. 

US legislators are pushing forward legal solutions to the existing crisis through the debated Kids Online Safety Act and anti-CSAM legislation, as well as changes to the COPPA rule. Meanwhile in neighbouring Canada, (British Columbia province), some of the measures have just been enforced.

In the EU, a draft Parliament position was adopted by the LIBE Committee at the end of last year, now awaiting further enforcement. The privacy regulators meanwhile warn about present risks to children and their personal information online. For instance, the Guernsey data protection authority recently identified a local Snapchat group that includes children as young as seven, possibly encouraging them to share explicit images of themselves. The police now advise parents:

  • to have conversations with their children regarding the reputational and long-term risks associated with sharing personal information via such networks, and
  • to ensure children are not using social networks or apps if they’re under the authorised age for those networks/apps (13 for Snapchat).

In the UK, the Information Commissioner’s Office also created a toolkit of free resources to promote responsible data sharing to safeguard children and renewed its age assurance opinion, an important part of its world-leading Children’s code, reflecting developments over the past two years. A similar age-assurance design code was passed into law in California in 2022.

Legal updates

Draft AI Act: The draft legislation received a unanimous endorsement from all 27 European Union member states. Negotiations over the shape of the law concluded last December, with the main focus on safeguards for foundation models and the use of facial recognition software. According to Euractiv analysis, the primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for the powerful AI models that support general-purpose AI systems (to protect domestic start-ups). Nonetheless, the Parliament insisted on the need for strict guidelines for these models. In April, Parliament will hold its final vote on the law.

German employee data protection: DLA Piper’s legal analysis looks at the data protection provisions relating to employees and other workers in Germany. Currently, employee data protection there is largely determined by case law, and national legislators are very cautious about using Art. 88 of the GDPR – the adoption of provisions that specify data protection requirements in the employment context. Even more problematic, the relevant provisions of the Federal Data Protection Act (BDSG), after being clarified by the CJEU last year, did not meet the conditions set out in the GDPR. Read more on the envisaged Single Employee Data Protection Act in Germany in the original analysis.

Automated decisions

The Isle of Man data protection commissioner reminds the public of Art. 22 of the GDPR, which provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. It is permitted to use such methods only: a) with the explicit consent of the individual; b) if necessary for entering into, or performing, a contract between the individual and the data controller; or c) if authorised by law. The controller must also have safeguards in place to allow individuals to obtain human intervention regarding the decision, to contest it in certain cases, or to express their point of view.

AI checklist

The Bavarian data protection authority for the private sector published a draft ‘Data Protection and AI’ checklist (in German). In addition to a legal basis for the creation of AI models and the operation/use of AI applications, the rights of those affected and other compliance requirements of the GDPR must also be implemented. The data protection risk model must be documented and regularly checked to ensure that it is up to date and complete. If necessary, the test points (see them here) can be checked by the data protection officer as part of their control activities.

Software for schools


The Danish supervisory authority has investigated the use of Google Workspace in Danish schools in 53 municipalities. The report considers that the municipalities have had no reason to forward student data to Google for the development and measurement of services, ChromeOS and the Chrome browser. The data protection authority also reminds the municipalities that they should have found out how Google processes the transmitted personal data before implementing the tools. Municipalities now have to bring the processing in line with the rules:

  • Municipalities should no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
  • Google must itself refrain from processing the information for these purposes.
  • The Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.

A similar investigation on the use of Google’s teaching platform in schools was conducted in Finland in 2021. The decision does not prohibit the use of the educational platform but states that a legal basis must be defined for the processing of students’ data in Google services.

Purpose limitation

How to comply with the principle of purpose limitation? The Latvian data protection authority explains that when your data is transferred to someone else, it is usually done with the confidence that the data will be used for a specific purpose that is clearly understood by you. The principle of purpose limitation is closely related to other principles established in the GDPR, such as the principle of transparency, because only by knowing the specific purpose of data processing can a person understand what to expect within the scope of their data processing. 

Likewise, determining the exact purpose is related to the principles of data minimisation and storage limitation, because the amount of data needed, and how long it needs to be stored, can only be determined once the purpose is known. It is also connected to the principle of lawfulness, because an appropriate legal basis can only be established for data that is planned to be used for a clearly defined purpose. When considering processing for a different purpose, the controller must first assess whether this purpose is compatible with the initial processing, including the following aspects:

  • the connection between the purposes;
  • the context in which data has been collected;
  • nature of data;
  • the consequences that further processing would have for the data subject;
  • the existence of adequate safeguards in both initial and intended subsequent processing operations.


EDPB documentation

The EDPB published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The relevant decisions were initially filtered using Art. 32 of the GDPR, (security of processing), as the main legal reference. This article establishes an obligation for both data controllers and data processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The analysis of decisions will provide insights into how regulators interpret these obligations in concrete situations, such as how to protect organisations against hacking, how to ensure meaningful and robust encryption, how to build strong passwords, etc. 

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. It can be used by both legal and technical auditors at data protection authorities, as well as by controllers and processors who wish to test their websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu. The source code is available here.

Enforcement decisions

Prospect data: The French CNIL fined TAGADAMEDIA (online competition and product testing websites) 75,000 euros. The data collected by brokers is sent to the company’s partners for commercial prospecting. The prospect questionnaire did not allow free, informed and unambiguous consent to be obtained. The button allowing users to give their consent was highlighted, in contrast to the one allowing users to refuse consent, which also featured incomplete text in a reduced size, alongside strong encouragement for users to agree to the transmission of their data to partners.

Insurance companies: An administrative court in Finland upheld the data protection commissioner’s decisions on the handling of health data by insurance companies. In some situations, insurance companies request personal health information directly from healthcare providers. However, the data requested should be identified and precisely defined: only the information from the provider that is necessary, and only for the period that is relevant in assessing the insurance company’s liability, may be requested. Also, the insurance applicant’s data from health services cannot be processed before the contract is concluded.

Intrusive scientific research: The Italian regulator sanctioned a municipality for conducting two scientific studies, using cameras, microphones and social networks. The projects, financed with European funds, aim to develop technological solutions to improve safety in urban areas. It involved footage from video surveillance cameras already installed in the municipal area, as well as audio obtained from microphones specifically placed on the street. One of the projects also analysed hateful messages and comments published on social media, detecting any negative emotions and processing information of interest to the police. The municipality has not proven the existence of any legal framework for the processing: the data was unlawfully shared with third parties and partners. Furthermore, the anonymisation techniques proved insufficient.

Data breaches

Undetected attacker: The US FTC’s proposed action against Blackbaud alleges that the company’s failure to implement some basic safeguards resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organisations.

In 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. By then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers. Blackbaud eventually agreed to pay 24 Bitcoin, (valued at about 250,000 dollars), in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker followed through. 

Data processor supervision: The Danish data protection authority reported Capio A/S to the police for not having supervised its data processors. The private hospital may face a fine of approximately 200,000 euros. In particular, the hospital has not been able to ensure and demonstrate that personal data is processed for legal and reasonable purposes and in a way that ensures sufficient security for the sensitive personal data of the large number of data subjects in question, over several years.

Data security

TOMs: The Swiss data protection authority has revised its guide on technical and organisational security measures, (in English). The guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management. 

Cloud: The French CNIL published factsheets on encryption and data security, (in French). It offers a detailed analysis of the different types of encryption applied to a cloud computing service: encryption at rest, in transit and in-process, and e2ee. The guide also looks at various tools to secure cloud services, (anti-DDoS, WAF, CDN, load balancer), and key vigilance points.

Login: What to do if you detect a credential-stuffing attack? The Lithuanian data protection authority recommends responding quickly and proactively:

  • determining whether the attacker managed to use the available accesses,
  • blocking potential malicious activity,
  • notifying users of the attack and encouraging them to change their passwords,
  • notifying the regulator about the personal data security breach that has occurred,
  • conducting a thorough incident investigation and implementing additional security measures to prevent similar attacks in the future (2FA, automatic attack detection systems, password policy).

Finally, if the attack is systemic or involves multiple platforms, it is recommended to collaborate with other data controllers in analysing the incident.

Cybersecurity program: As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? America’s NIST offers a Draft Guidance on Measuring and Improving Your Company’s Cybersecurity Program. It is aimed at different audiences within an organisation – security specialists and the C-suite – and can help organisations move from general statements about risk level toward a more coherent picture founded on hard data.

Big Tech 

Amazon “stalking” employees: The French data protection authority fined Amazon France Logistique 32 mln euros for putting employees under constant surveillance. The company manages the Amazon group’s large warehouses in France, where it receives and stores items and then prepares parcels for customer delivery. Each warehouse employee is given a scanner to document the performance of certain tasks in real time. Each scan results in the recording and prolonged storing of data used to calculate employee quality, productivity and periods of inactivity, (the “error” margin was set to less than 1.25 seconds or longer than 10 minutes). The company was also fined for video surveillance without information or sufficient security. 

Uber has been fined 10 mln euros by the Dutch data protection authority for violating privacy regulations related to its drivers’ data. Uber failed to specify in its terms and conditions the duration for which drivers’ data is retained and the security measures in place, particularly when transferring data to non-European countries. The fine was imposed following a complaint by over 170 French drivers, which was then forwarded to the French data protection authority and subsequently to the Dutch regulator, as Uber’s European headquarters is in the Netherlands. 

Data protection & privacy digest 2 – 15 Aug 2022: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring
https://techgdpr.com/blog/data-protection-digest-16082022-commercial-surveillance-sensitive-data-by-comparison-worker-electronic-monitoring/
Tue, 16 Aug 2022 07:48:44 +0000

The post Data protection & privacy digest 2 – 15 Aug 2022: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring appeared first on TechGDPR.

]]>
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: commercial surveillance, sensitive data “by comparison”, workers electronic monitoring, farming data

The CJEU’s recent decision may have a major impact on digital services that use background tracking and profiling to target users with behavioral ads, TechCrunch reports. The EU top court’s decision related to the anti-corruption law in Lithuania. It found that the country’s law covering online disclosure of data contained in the declarations of private interests of directors of institutions receiving public funds, (data concerning the declarant’s spouse, cohabitee, partner, etc.), is contrary to the fundamental rights to privacy and data protection in the EU. The court holds that online disclosure of relatives’ and associates’ names and their significant financial transactions is not strictly necessary for the objective pursued and may constitute highly sensitive data “by comparison”.

It is likely to reveal information on sensitive aspects of the private life of the persons concerned and to make it possible to draw up a particularly detailed portrait of them, including their sex life and sexual orientation, (Art. 9 of the GDPR). Finally, such processing results in this data being freely accessible on the internet to a potentially unlimited number of people. Thus, some privacy law experts suggest that the judgement’s broad definition of what constitutes sensitive data, (involving an act of comparison or deduction), potentially covers a wide range of online processing, including online ads, dating and health apps, location tracking and more, concludes TechCrunch.

In the US, the Federal Trade Commission, (FTC), seeks public comment ahead of possible rulemaking on commercial surveillance and data security practices that harm consumers. The Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies a) collect, aggregate, protect, use, analyze, and retain consumer data, as well as b) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. The permissions that consumers give may not always be meaningful or informed. Studies have shown that most people do not generally understand the market for consumer data that operates beyond their monitors and displays, the FTC states. Many privacy notices that acknowledge such risks are reportedly not readable to the average consumer or a minor. In the end, these practices, which nowadays rely heavily on automated systems, may have significant consequences for consumers’ wallets, safety, and mental health.

The EDPS published its opinion on the proposal for a regulation converting the Farm Accountancy Data Network into a Farm Sustainability Data Network (FSDN). The proposal aims to regulate the processing of personal data in the context of the collection of individual farms’ economic, environmental and social data, as well as the further management and use of such data. The EDPS notes positively that, where individual data is shared by the Commission or liaison agencies, the farmers’ data and all other individual details obtained would be anonymised or pseudonymised. However, the EDPS considers that the proposal does not provide a specific reason of public interest justifying the publication of personal data in identifiable form, even if the data were to be pseudonymised prior to publication.

The EDPS therefore recommended specifying that only duly anonymised FSDN data may be made publicly available. The regulator also considered it important to preserve a clear distinction between anonymised and pseudonymised data, as pseudonymous data can still be related to an identifiable individual and therefore qualifies as personal data. Moreover, the EDPS considered that it is not clear whether the proposal refers only to the exchange of data between the national liaison agencies and the Commission, or also extends to the sharing of data with the general public or otherwise making it available for reuse. Finally, the interoperability provisions include the need to identify all the IT tools and linked databases, data protection roles and responsibilities, and the relevant applicable safeguards. Read the full opinion here.

Meanwhile, Ontario provided updated guidance on new legislation which requires an electronic monitoring policy for workers. “Electronic monitoring” may include GPS systems to track employee movement, using sensors to track how quickly an employee performs a task, or tracking the websites an employee visits during working hours. The policy must include:

  • a statement as to whether or not the employer electronically monitors employees;
  • how the employer may electronically monitor employees;
  • the circumstances in which the employer may electronically monitor employees;
  • the purposes for which information obtained through electronic monitoring may be used by the employer; and
  • the date the policy was prepared, and the date any revisions were made.

Any employer that employs 25 or more people in total across all of its locations in Ontario will be required to have a written policy. When determining whether the 25-employee threshold has been met, an employer must count all employees across all of its locations in Ontario, regardless of the number of hours worked or whether they are full- or part-time, including probationary employees, employees on layoff, leave of absence or strike, and trainees.

Official guidance: use of cloud, sports associations, DPO, government data, customer research

The Danish data protection authority has published a questionnaire, (in Danish only), following recent inspections of the use of cloud services by public authorities and private companies. The questionnaire covers most of the points that data controllers must be aware of if they use cloud solutions. It is divided into four parts:

  • know your services,
  • know your suppliers,
  • supervision of suppliers,
  • transfer to third countries.

Furthermore, each part is subdivided into two parts: a) the first part concerns the organisation’s general rules, policies, procedures, etc. to enable the organisation to comply with the relevant data protection rules; b) the second part looks at whether the organisation has followed these policies, etc. with regard to the specific cloud service and provider, and if not, how the organisation ensures compliance with the relevant data protection rules. The questionnaire can be downloaded via this link.

The French regulator CNIL offers amateur sport associations a self-assessment tool to test their compliance with the GDPR. The data subjects in this case include member athletes, athletes of an opposing team, paid or volunteer sports educators, referees, etc. The information collected serves very different uses: keeping the members’ file, organizing competitions and tournaments, managing the club’s website, etc. The life cycle of the personal information contained in the files created by sports structures is likely to include four stages:

  • collection,
  • sharing and exchange, 
  • reuse, 
  • retention and destruction. (You can access the original questionnaire here).

The Dutch data protection authority recommends adjusting the proposal for an amendment of the Reuse of Government Information Act. The proposal, in which the government encourages government institutions to make government data, including personal data, available for reuse, does not set sufficient limits, raising the risk that personal data is shared without the permission or knowledge of the people involved. According to the proposal, that data must also be searchable with software and can be combined with other data. Personal data in the country’s Trade Register and the Land Registry is already public, and that is already causing problems: by running an algorithm on it and combining the personal data with other sources, companies can, for example, create profiles of people and sell them.

The Latvian privacy regulator published guidance on the mandatory appointment of a data protection officer. In particular, where a company’s economic activity is directly related to the large-scale processing of personal data, it is obliged to involve a data protection specialist in the organisation of specific processes:

  • a company whose main activity is related to the profiling of natural persons, with the intention of assessing their creditworthiness;
  • a security company that uses video surveillance of publicly accessible areas as part of its core service;
  • a company that performs customer behaviour analysis, (products a customer has viewed, purchased, etc.), in order to send targeted marketing communications;
  • a person who conducts customer research for the purpose of preventing money laundering;
  • the maintainer of a mobile app that processes user geolocation data;
  • companies that collect customer data as part of loyalty programs;
  • persons who monitor clients’ well-being, physical fitness and health data through wearable devices;
  • companies that process information obtained from devices connected to the IoT, (smart meters, connected cars, home automation devices, etc.).

Another guidance by the Latvian privacy regulator refers to the prevention of money laundering and the financing of terrorism and arms proliferation. According to the country’s legislation, customer research must be conducted before starting a business relationship, as well as for the duration of the business relationship. Since customer research applies not only to legal entities but also to natural persons, the regulator explains new procedures governing the licensing of shared customer research tools for service providers, as well as the monitoring of their activities. Considering that personal data will be processed in the customer research tool, the privacy regulator has the following rights:

  • re-registration, suspension or cancellation of the service provider’s licence;
  • inspections of the customer research tool service;
  • receiving information and documents free of charge from the service provider, where these are necessary to verify its operation or to consider a customer complaint received about its operation;
  • requiring that information erroneously or illegally included in the shared customer research tool be corrected or deleted;
  • requiring the service provider of the customer research tool to review its information systems, facilities and procedures and to appoint an independent expert.

Investigations and enforcement actions: profiling, video surveillance and geolocation, access codes, privacy notice, reused mail box


The Lower Saxony data protection commissioner has imposed a fine of 900,000 euros on a bank for profiling for advertising purposes. The company had evaluated data from active and former customers without their consent. To do this, it analysed digital usage behaviour and the total volume of purchases in app stores, the frequency of use of account statement printers, and the total amount of transfers in online banking compared to the use of branch counters. For this it used a service provider. In addition, the results of the analysis were compared with a credit agency and enriched from there. The aim was to identify customers with an increased inclination for digital media and to prioritise electronic communication channels to contact them. Information was sent to most customers in advance along with other documents. However, such information does not replace the necessary consents. The fine is not yet final.

The Luxembourg data protection authority recently issued a 3000 euro fine to an unnamed company for intrusive use of CCTV cameras and for failing in its obligation to inform its workers and third-party visitors. The company neither justified nor demonstrated how the video surveillance, (installed and operated by subcontractor firms), of the interior of the premises using door cameras was appropriate and necessary to protect the property, (fencing in this case could be a replacement measure), and in particular to prevent burglary. The regulator also considered the psychological pressure that the cameras exerted on employees and third-party visitors, who felt observed at their workstations or meeting tables because of the cameras, which did not indicate whether they were operating or not.

In another recent case the Luxembourg regulator fined an unnamed company 1500 euros for geolocating its employees while they used a vehicle to travel to customers. The data controller stated the following purposes for the geolocation: geographical tracking, asset protection, optimal fleet management, optimisation of work processes, and the provision of responses to customer complaints. Further investigation uncovered other, undisclosed purposes: combatting theft, reduction of the number of kilometres driven, justification in the event of a dispute, monitoring and invoicing of services, and finally, monitoring of working time and setting remuneration.

In the regulator’s opinion, the lack of a clear policy, an unidentified legal basis for all the above-mentioned processing, and a one-year data retention period violated the requirements of Art. 5, (lawfulness, fairness and transparency), and Art. 13, (information obligation), of the GDPR. Finally, the employees were unaware that their data could have been transferred to the parent company, situated in a third country.

In Denmark, citizens’ information was exposed to an unnecessary risk, as Lolland Municipality’s employees were able to disable access codes on phones and tablets. The Danish data protection authority issued a fine of approx. 6000 euros. In 2020 an employee of the municipality had a work phone stolen. The phone gave access to the employee’s work email account, which contained information about several citizens’ names, social security numbers, health information and sensitive events. The phone was not protected by an access code, as the code had been switched off, so access to its information was unrestricted. The municipality stated that over a number of years it had been possible for employees to remove the otherwise mandatory access codes, so that telephones could be used without a code. It had immediately initiated remedial measures in the form of new precautions and changes in the technical set-up of the telephones handed out.

The Romanian data protection authority has fined CDI Transport Intern si Internazionale, (among the largest passenger transport companies in Romania), 7000 euros after a complaint that the company’s website contained no information regarding the method of collecting personal data. It also failed to inform users of the rights that data subjects enjoy under Art. 15-22 of the GDPR, of the purpose of the processing and its legal basis, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, or of the fact that the operator is obliged to inform data subjects in the event of a personal data breach.

Finally, the Spanish data protection authority AEPD punished an online teaching institution to the tune of 3000 euros after a claimant, a newly hired tutor, was offered a corporate email box that belonged to the person they were replacing. The organisation stated that the plaintiff started working as an employee to replace another worker in the same field and with the same tasks on sick leave, so that their work was a continuation of those specific teaching activities and tutoring with students, for which it was necessary to have knowledge of all the background and communications between teacher and pupil. It argued that the data to which the plaintiff could have access was needed for the exercise of their duties. The data in the mailbox included pupils’ personal information, but also tax documentation, banking details, invoices, etc. The new tutor was instructed that she could access and delete folders in the inbox if needed. The regulator decided that the basic security measures were not respected in this case. 

Data security: email aliases, IoT devices

According to the US cybersecurity guru Brian Krebs, one way to protect your email inbox is to get into the habit of using unique email aliases when signing up for new accounts online. You can create an endless number of different email addresses linked to the same account by adding a “+” character after the username section of your email address, followed by a notation relevant to the website you’re signing up at. It is said that many threat actors will remove any aliases from their distribution lists because they believe that these consumers are more concerned with security and privacy than other users and are therefore more likely to report spam to their aliased addresses. Finally, email aliases are so uncommon that finding just a few email addresses using the same alias in a database breach can make it easy to determine which organization was probably hacked and which database was released.
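The two uses of plus-addressing described above, minting a per-site alias and, from the defender’s side, reading the alias tags in a breach dump to infer which service leaked, as an added example that is not Brian Krebs’ or the original post’s code; the provider behaviour (everything after “+” is delivered to the base mailbox) and the sample dump are assumptions made for this example.

```python
"""
Added example: plus-addressed email aliases, and breach attribution from them.
Assumes the mail provider delivers local+anything@domain to local@domain, which
is how the "+" trick works at most large providers but is not guaranteed everywhere.
"""
from collections import Counter
from typing import Iterable, Optional, Tuple
import re

# Minimal address shape: one "@", non-empty local part and domain.
_ADDR_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")


def make_alias(address: str, site: str) -> str:
    """Return a plus-addressed alias for `address`, tagged with a label for `site`."""
    m = _ADDR_RE.match(address.strip())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = m.group("local"), m.group("domain")
    # Drop any tag already present so aliases do not nest (alice+a+b@...).
    base_local = local.split("+", 1)[0]
    # Keep the tag simple and URL/form safe: lower-case letters and digits only.
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    if not tag:
        raise ValueError("site label must contain at least one letter or digit")
    return f"{base_local}+{tag}@{domain}"


def split_alias(address: str) -> Tuple[str, Optional[str]]:
    """Split an address into (base mailbox, plus tag or None), normalised to lower case."""
    m = _ADDR_RE.match(address.strip())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = m.group("local").lower(), m.group("domain").lower()
    base_local, _, tag = local.partition("+")
    return f"{base_local}@{domain}", (tag or None)


def likely_source(dump_addresses: Iterable[str]) -> Optional[Tuple[str, int, float]]:
    """
    Tally the plus tags found in a breach dump and return (tag, count, share of
    all tagged addresses) for the most common one, or None when no address is
    tagged.  One tag dominating the aliased addresses is a strong hint about
    which service the dump came from; malformed lines are skipped.
    """
    tags: Counter = Counter()
    for addr in dump_addresses:
        try:
            _, tag = split_alias(addr)
        except ValueError:
            continue
        if tag:
            tags[tag] += 1
    if not tags:
        return None
    tag, count = tags.most_common(1)[0]
    return tag, count, count / sum(tags.values())


# Constructed sample dump, made up for this example.
SAMPLE_DUMP = [
    "alice+shopmart@example.com",
    "bob+shopmart@example.org",
    "carol@example.net",
    "dave+shopmart@example.com",
    "erin+newsletter@example.org",
    "not-an-address",
]

if __name__ == "__main__":
    print(make_alias("alice@example.com", "ShopMart"))
    print(likely_source(SAMPLE_DUMP))
```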

The US Health Sector Cybersecurity Coordination Center published an advisory note for the healthcare sector on the risks posed by Internet of Things devices. Since these devices can collect data that includes personally identifiable information, it is important to secure these systems. Ultimately, the goal is to protect the entire system, but there are steps that can be taken to help accomplish this: a) securely store, process, and transfer data, b) keep devices safeguarded, c) update devices to reduce vulnerabilities. To minimize risks from IoT devices you need to:

  • Change default router settings: Most people do not rename their router and keep the manufacturer’s default settings. Those settings typically benefit manufacturers more than the user. 
  • Pick a strong password: Make sure to use a secure password for each device. 
  • Avoid using Universal Plug and Play: It makes it easier to network devices without additional configuration. 
  • Keep your software and firmware updated: Firmware keeps you protected with the latest security patches and reduces the chances of cyber-attacks. 
  • Implement a Zero Trust Model: A zero trust model assumes that nothing can be trusted in or outside of the network. Only a limited number of people require access to certain resources to accomplish their jobs. For this strategy to be effective, administrators must determine who the users are and what role they play.

Big Tech: drivers data, cyberattack on NHS software, Meta’s tracking code

Only 28% of drivers have any idea what sort of data they generate, and that is collected, when they drive, and they may never have heard of the at least 37 companies that are leading a growing vehicle data market, says a report in The Markup. It’s a market with vast amounts of personal data all for sale: by whom, for whom, and with what aim? With the growth of third-party vehicle data hubs concentrating data, and the range of data presenting a risk to anonymisation, the report notes a lack of regulation that High Mobility’s CEO and founder Risto Vahtra warns could be a “privacy hell”. The report also criticises car manufacturers for failing to develop clear screen interfaces, like those on mobile phones, for drivers to choose privacy settings, which in some cases are entirely lacking. Legislation tackling this is currently in the committee stage in the US Congress.

UK government agencies along with the National Cyber Security Centre are investigating if patient data was stolen in a severe cyberattack on NHS software supplier Advanced. It was hit by ransomware on August 4th, taking several urgent treatment centres, the 111 phoneline for, among other things, booking a doctor’s appointment, and some mental health facilities offline. The hack could take nearly two weeks to resolve, and updates on the status of the data are awaited, although Advanced says it has “contained” the breach.

When you click on anything you see on Facebook or Instagram, owner Meta has been inserting code into the websites you visit, allowing your navigation to be tracked. That’s according to former Google engineer and privacy activist Felix Krause, who has published new research. It’s unknown how long Meta has been using the tracking code in its in-app browser. Krause built a tool to see how many extra instructions were added to a website by a browser. In most cases none were added, but navigation via Facebook or Instagram added as many as 18 lines of code. This so-called “JavaScript injection” is often classified as a “malicious attack”, but there is no suggestion Meta has used it beyond monitoring all user interactions, such as every button and link tapped, text selections, or screenshots.

Weekly digest 27 June – 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones & privacy https://techgdpr.com/blog/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy/ Mon, 04 Jul 2022 08:32:08 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: credential stuffing, patient privacy, use of drones

The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an individual’s tendency to use the same credentials (e.g. username/email address and password combination) across multiple online accounts. The attacks are automated and often large-scale, using stolen credentials (e.g. that are leaked in connection with data breaches and made available on the ‘dark web’), to unlawfully access users’ accounts on unrelated websites. 

Successful credential stuffing attacks may result in fraud or other means of financial loss, as attackers may, for example, make purchases using the compromised account or transfer funds to their own account. Upon establishing a secure foothold, an attacker may attempt to obtain further access to data and systems through the harvesting of other visible or accessible credentials. Such attacks may also be used to cause intangible harm such as reputational damage by spreading disinformation or making false statements about an individual whilst using their compromised account. 

The guidance by international privacy authorities provides measures to detect, prevent and/or mitigate the risk from credential stuffing (guest checkouts, strong passwords and usernames, and their alternatives, multi-factor authentication, secondary passwords and pins, device fingerprinting, identifying leaked passwords, rate-limiting, account monitoring and lockout, incident response plans and user notifications, and more).
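The “account monitoring” measure in the list above, as an added example that is not the guidance’s or any vendor’s code: a small detector run over constructed authentication log lines. It flags a source IP that, inside a sliding window, fails logins against many distinct accounts with a low success rate, the signature of automated credential replay rather than one user mistyping a password, and reports which accounts that IP did get into so they can be locked and their owners notified. The log format, window and thresholds are assumptions made for this example.

```python
"""
Added example: credential stuffing detection over login logs (constructed format).
Log line format assumed here: "<ISO timestamp> <source IP> <username> <ok|fail>".
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log, made up for this example.  203.0.113.7 sprays one
# password across six accounts in a few seconds and gets into "erin";
# 198.51.100.4 is a real user who mistypes twice and then succeeds.
SAMPLE_LOG = """\
2022-06-30T10:00:01 203.0.113.7 alice fail
2022-06-30T10:00:02 203.0.113.7 bob fail
2022-06-30T10:00:02 203.0.113.7 carol fail
2022-06-30T10:00:03 203.0.113.7 dave fail
2022-06-30T10:00:03 203.0.113.7 erin ok
2022-06-30T10:00:04 203.0.113.7 frank fail
2022-06-30T10:00:10 198.51.100.4 alice fail
2022-06-30T10:00:15 198.51.100.4 alice fail
2022-06-30T10:00:20 198.51.100.4 alice ok
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def detect_stuffing(
    events: List[Event],
    window: timedelta = timedelta(seconds=60),
    min_users: int = 5,
    max_success_ratio: float = 0.5,
) -> Dict[str, Tuple[int, int, Tuple[str, ...]]]:
    """
    Return {ip: (distinct_users, attempts, accounts_logged_into)} for each
    source IP whose recent `window` held at least `min_users` distinct usernames
    with a success ratio of at most `max_success_ratio`.  A shared corporate NAT
    address also shows many users, but with a high success ratio, which is why
    both conditions are required.
    """
    recent: Dict[str, Deque[Event]] = defaultdict(deque)
    flagged: Dict[str, Tuple[int, int, Tuple[str, ...]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.ip]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # slide the window forward
            q.popleft()
        users = {e.user for e in q}
        ok_count = sum(1 for e in q if e.ok)
        if len(users) >= min_users and ok_count / len(q) <= max_success_ratio:
            got_in = tuple(sorted({e.user for e in q if e.ok}))
            prev = flagged.get(ev.ip)
            if prev is None or len(users) > prev[0]:  # keep the widest observation
                flagged[ev.ip] = (len(users), len(q), got_in)
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, got_in) in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} accounts tried in {attempts} attempts; logged into {got_in}")
```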

The US Department of Health issued guidance to protect patient privacy in the wake of the Supreme Court decision where the right to safe and legal abortion was taken away. In general, the guidance addresses:

  • how federal law and regulations protect individuals’ private medical information, (known as protected health information or PHI), relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
  • the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.

According to recent reports, many patients are concerned that such apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care. The guidance also addresses the circumstances under which the Health Insurance Portability and Accountability Act, (HIPAA), permits disclosure of PHI without an individual’s authorisation. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care. 

Switzerland’s data protection commissioner FDPIC issued an annual 2021-2022 report, noting widespread indifference towards protecting citizens’ data and a growing disregard for privacy. The deficiencies in processing sensitive personal data that have become more frequent on health platforms, and the tendency, now also perceptible in Europe, to discredit the public’s right to encrypt their data as an abuse of freedoms, are evidence of this development. In relation to freedom of information, the FDPIC continues to see an increase in the number of requests for access and for mediation, which poses problems in meeting the legal deadlines in view of the pandemic-related backlog of work. You can read the detailed report here. 

The Irish data protection commission issued a guide on the use of drones. Similar to body-worn cameras, drones can effectively turn into a mobile surveillance system and are highly likely to capture the personal data of passers-by, (data subjects). These guidelines have been developed for drone operators for purposes other than public law-related use, and also to answer queries from the perspective of data subjects. Regardless of the nature, (professional or recreational), of your activity, under EU law regulating unmanned aircraft, the collection of information related to an identifiable person through the operation of a data collection system mounted on a drone potentially constitutes personal data processing.

When buying your equipment, you must check whether the device has been produced with data protection obligations in mind. For example, in order to comply with data minimisation, data collection systems mounted on drones should be capable of being switched on and off when appropriate, and their visual angle limited in accordance with your purposes. In order to comply with the transparency principle, the drone should have adequate signalling such as lights or buzzers. It is also your responsibility to ensure appropriate security of processing: check whether the video footage is stored on the device itself, on a portable storage medium, or on a cloud storage service, and take steps to mitigate any additional risk of loss or theft of personal data, such as encrypting data before it is transferred from the device to cloud storage.

Legal processes: criminal activity data

After the amended Europol Regulation entered into force on 28 June, the EDPS expressed its concerns that the amendments weaken the fundamental right to data protection. The new document “expands the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets”, the EDPS states. Consequently, data relating to individuals that have no established link to criminal activity may be treated in the same way as the personal data of individuals with a link to criminal activity. Putting in place strong safeguards, says the regulator, is crucial since the impact of the amended Regulation on personal data protection is further aggravated by the fact that the EU Member States have the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation. 

Investigations and enforcement actions: bulk emails, sales prospecting calls, unnecessary cookies, unauthorised logins

The UK Information Commissioner’s Office issued a monetary penalty to an NHS foundation trust. It used Outlook to send bulk emails to 1,781 Gender Identity Clinic service users. The incident happened despite the fact that the trust had some measures in place, including a suite of policies. In particular, the “Email, Text and Internet Use Procedure” states: “To avoid inadvertently sharing other people’s email addresses, recipients should be selected in the ‘Bcc’ box, not the ‘To’ box”. Data security and protection training was available to all staff, with measures in place to update this at timely intervals. Here are some facts of the case:

  • The trust’s intention was to send a bulk email relating to an art competition to approximately 5,000 patients. 
  • The distribution list was extracted from the trust’s electronic patient record system using a specific set of search criteria which ensured recipients were active patients and had consented to be contacted by email in certain circumstances. 
  • The output report produced from the system was then manually split into batches of around 1,000 addresses each. 
  • In two batches the email addresses were copied from the output report and entered into the “To” field instead of the “Blind carbon copy” field. The recipients of each email could therefore see the email addresses of the other recipients of that email. 
  • Four of the emails were returned as undeliverable and so potentially 1,777 emails were delivered and opened. 
  • The staff member who sent the email noticed the error straight away and attempted, albeit unsuccessfully, to recall both emails. They also contacted the trust’s Information Management and Technology Service Desk to report the breach.
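The manual batching step is where the mix-up happened, so a pre-send guard that refuses a draft with many visible recipients is the natural control. The following is an added example, not the trust’s procedure or the ICO’s code: `build_bulk_batches` splits a recipient list into batches and puts each batch in Bcc with only the sender in To, and `check_visible_recipients` rejects any draft whose To/Cc fields expose more than a small number of addresses. The addresses, subject and visibility limit are constructed for this example.

```python
"""
Added example: a To/Cc visibility guard for bulk mailings, built on the standard
library's email package.  MAX_VISIBLE is an assumed policy value.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable, List, Sequence, Tuple

MAX_VISIBLE = 5  # assumed policy: at most 5 addresses may be visible to recipients


class VisibleRecipientsError(ValueError):
    """Raised when a draft would expose recipient addresses to one another."""


def _addresses(msg: EmailMessage, *fields: str) -> List[str]:
    headers: List[str] = []
    for field in fields:
        headers.extend(str(h) for h in msg.get_all(field, []))
    return [addr for _name, addr in getaddresses(headers) if addr]


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses in To and Cc: every recipient of the message can read these."""
    return _addresses(msg, "To", "Cc")


def hidden_recipients(msg: EmailMessage) -> List[str]:
    """Addresses in Bcc: delivered to, but not shown to, the other recipients."""
    return _addresses(msg, "Bcc")


def check_visible_recipients(msg: EmailMessage, limit: int = MAX_VISIBLE) -> int:
    """Return the number of visible recipients, or raise if it exceeds `limit`."""
    n = len(visible_recipients(msg))
    if n > limit:
        raise VisibleRecipientsError(
            f"{n} addresses would be visible in To/Cc (limit {limit}); move them to Bcc"
        )
    return n


def draft(sender: str, to: Sequence[str], cc: Sequence[str] = ()) -> EmailMessage:
    """Build a draft with addresses in the visible fields, as a user might by hand."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    return msg


def build_bulk_batches(
    sender: str, subject: str, body: str, recipients: Iterable[str], batch_size: int = 1000
) -> List[Tuple[EmailMessage, List[str]]]:
    """
    Build one message per batch of `batch_size` recipients.  Each message carries
    the sender in To and the batch in Bcc, and is checked before being returned.
    Returns (message, envelope_recipients) pairs; smtplib.send_message() strips
    the Bcc header from the transmitted copy and uses it for the envelope.
    """
    out: List[Tuple[EmailMessage, List[str]]] = []
    addresses = list(recipients)
    for start in range(0, len(addresses), batch_size):
        batch = addresses[start:start + batch_size]
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = sender          # the only visible address
        msg["Bcc"] = ", ".join(batch)
        msg["Subject"] = subject
        msg.set_content(body)
        check_visible_recipients(msg)  # would raise had the batch gone into To
        out.append((msg, batch))
    return out


if __name__ == "__main__":
    # Constructed recipient list standing in for the clinic's patient export.
    patients = [f"patient{i}@example.invalid" for i in range(2500)]
    for msg, envelope in build_bulk_batches(
        "noreply@example.invalid", "Art competition", "Details inside.", patients
    ):
        print(f"visible={len(visible_recipients(msg))} bcc={len(hidden_recipients(msg))}")
```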

The French Council of State validated the 2020 sanction pronounced by the state privacy regulator CNIL against Amazon. In December 2020, the CNIL imposed a fine of 35 million euros against the company, in particular for having placed advertising cookies on the computers of users of the sales site “Amazon.fr” without prior consent or satisfactory information, (in violation of Art. 82 of the Data Protection Act, which transposes the “e-Privacy” directive). In addition, the CNIL noted that when users went to the “Amazon.fr” site after clicking on an advertisement published on another website, the same cookies were deposited without any banner being displayed. Finally, the Council of State considers that the size of the fine imposed by the CNIL is not disproportionate with regard to the seriousness of the breaches, the scope of the processing and the financial capacity of the company.

The CNIL also issued a fine of 1 mln euros against TOTALENERGIES ÉLECTRICITÉ ET GAZ. The regulator had received several complaints about the difficulties people encountered when dealing with the French energy producer and supplier, concerning their requests for access to their data and their objections to receiving sales prospecting calls. The company offered, on its website, a subscription form for an energy contract in which the user acknowledged giving consent for the use of their personal data in order to subsequently receive commercial offers, without having the possibility of objecting. Therefore, by completing this form, the user had no means of objecting to the reuse of their data for commercial prospecting of similar products or services.

In 2020, Norway’s parliament, the Storting, was exposed to data breaches, and in January this year the Norwegian data protection authority Datatilsynet announced a fine of approx. 200,000 euros for a lack of security measures. The regulator assessed the Storting’s comments and maintains the notified fine. The data breach was related to an unauthorized login to the email accounts of an unknown number of Storting representatives and employees in the administration and group secretariats. The regulator has placed particular emphasis on the fact that the Storting had not established two-factor authentication or similar effective security measures to achieve adequate protection.

Data security: mobile devices at work

The US standards agency NIST has published guidance explaining how to organise enterprise mobile data security and avoid getting hacked. According to the agency, most phishing attempts arrive by email, while other vectors, including text messages, are also on the rise. Phishing is not limited to laptops or desktops: mobile phones can be targeted as well.


URL filtering, multi-factor authentication and mobile threat defense can help protect against phishing attacks. In environments that use multi-factor authentication, even if a phishing attacker successfully obtains a user’s password, they can still be denied access to enterprise information because they do not have the second factor required for authentication. For more information on phishing protection and other mobile device security and privacy enhancements for your organisation, refer to the NIST publication on corporate-owned, personally-enabled mobile devices and on using personal mobile devices to perform work-related activities.

Big Tech: misconfigured data storage containers, French “trusted cloud” in partnership with Google

According to Reuters, the US supermarket chain Wegmans agreed to pay 400,000 dollars and upgrade its security practices over a data breach that exposed the personal information of more than 3 million consumers nationwide. Reportedly, the company was accused of storing customer information in cloud storage containers hosted on Microsoft Azure that were left open because they had been misconfigured, leaving the data vulnerable to hackers. “Customers’ email addresses and Wegman’s account passwords were exposed for about 39 months, while customers’ names, mailing addresses, and data tied to their driver’s license numbers were exposed for about 30 months”, states the article quoting the New York Attorney General Letitia James.

Meanwhile, French defense company Thales has introduced a new firm within its group – S3NS, in partnership with Google Cloud – to offer state-vetted cloud computing services for the storage of some of the country’s most sensitive data, Reuters reports. The new company is the result of a government plan under which France acknowledged US technological superiority. Some of France’s biggest banks and healthcare organisations are among 40 potential customers of the new company. From the second half of 2024, S3NS will offer its “trusted cloud”, which will ultimately combine the full performance, services and applications of Google Cloud technology while providing protection against extraterritorial foreign laws and complying with the requirements of the “Trusted Cloud” label of France’s Information Systems Security Agency.

The post Weekly digest 27 June – 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones & privacy appeared first on TechGDPR.

Weekly digest March 7 – 13, 2022: can employees secretly record workplace conversations? https://techgdpr.com/blog/weekly-digest-14032022-can-employees-secretly-record-workplace-conversations/ Mon, 14 Mar 2022 11:44:10 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: workplace conversations, use of the cloud

The Latvian data protection authority has suggested when an employee could secretly record a conversation in the workplace to protect their interests, IAPP News reports. The regulator concluded that employees can secretly audio record their employer if it is the only way to collect evidence of illegality (eg, mobbing, bossing, illegal activities at the workplace). However, some data protection rules still apply because a person’s recorded voice constitutes personal data. It suggests:

  • submit recordings as evidence to the State Labour Inspectorate, the police, or a court;
  • avoid publishing the recording on social networks or otherwise making it publicly available, including distribution within a team;
  • when audio is transferred to law enforcement, the recording must not be excessive: unrelated segments must be deleted;
  • the information disclosed in a secret recording must also outweigh the individual’s right to data protection. 

The Danish data protection authority Datatilsynet has published guidance on the use of the Cloud, (available in English). The guide contains 14 practical examples with explanations. It is targeted primarily at organizations, (data controllers), that would like to start using one or more cloud service(s) and attempts to address the relevant elements of data protection law. However, many of the issues addressed in this guidance apply equally to most other IT service delivery models. A large number of cloud services are usually provided as standardized services where each organization as a customer has limited possibilities to tailor the service in question. Parts of the guide are therefore simultaneously addressed to cloud service providers, (CSP), who can learn more about how they can provide their services in accordance with data protection law. The main steps for data protection when using cloud services include: a) know your services, (data protection and security risk assessments), b) know your supplier, (screening, data processing agreements), and c) audit the CSP and sub-processors.

The guide also evaluates transfers to third countries. In this context, companies should be aware that if their European CSP, acting as a processor, complies with a request from law enforcement authorities in a third country, it is considered a personal data breach on the part of the controller, as an unauthorized disclosure of personal data to the law enforcement authority concerned will have occurred. However, this question of an appropriate level of security of processing is limited to cases where the use of the CSP does not otherwise involve any intended transfers of personal data to third countries, including in relation to the provider’s servicing of its infrastructure, the provider’s support for your cloud service, the provider’s access to its infrastructure for the purposes of capacity planning, etc.

Legal processes and redress: EU sanctions & whistleblowing, employee’s image rights, rules on AI

The European Commission launched a whistleblower tool to facilitate reporting of possible sanctions violations. This is a secure online platform, which whistleblowers from around the world can use to anonymously report EU sanctions violations. This information can relate to:

  • facts concerning sanctions violations, their circumstances, and the individuals, companies, and third countries involved, 
  • facts that are not publicly known but are known to you and can cover past, ongoing, or planned sanctions violations, as well as attempts to circumvent EU sanctions.

The EU has more than 40 sanctions regimes in place and their effectiveness relies on their proper implementation and enforcement regarding:

  • arms embargoes,
  • restrictions on admission, (travel bans), 
  • asset freezes,
  • other economic measures such as restrictions on imports and exports. 

The Commission is committed to protecting the identity of whistleblowers who take personal risks to report sanctions violations. If it considers that the whistleblower information it received is credible, it will share the anonymized report and any additional information gathered during the internal inquiry into the case with the national competent authorities in the relevant Member State(s). Access to the whistleblower tool is available here.

An employee can obtain damages simply because the employer delayed removing, upon request, a group photo including him from the company’s website, an L&EGlobal blog post reports. In its recent decision, the French Court of Cassation ruled that “the mere fact that an employee’s image rights have been infringed when he or she objects to the publication of his or her image gives rise to a right to compensation, without the employee having to prove any prejudice.” Other findings of the case were: 

  • every citizen, every employee, has a right to the protection of his or her image, (Art. 9 of the French Civil Code);
  • the employee’s agreement must be obtained before any photo-taking, reproduction, or use, whatever the final medium of this image, (intranet, company newspaper, internet site, promotional video, etc.);
  • the agreement must be in writing and as precise as possible, indicating the purpose, the medium used, and its duration;
  • the employee’s silence does not constitute tacit consent.

The Irish Council for Civil Liberties, the ICCL, informed the European Commission and co-legislators of two errors in the proposal for harmonized rules on Artificial Intelligence in the EU, Data Guidance reports. In particular:

  • A technically inaccurate reference to “validation and testing data sets” accidentally puts most machine learning techniques out of scope, (eg, important AI techniques such as unsupervised and reinforcement learning do not rely on validation and testing data sets).
  • The text incorrectly relies on accuracy metrics, which cannot on their own yield adequate reporting about AI systems’ performance, (eg, AI systems based on unsupervised learning and reinforcement learning use other performance metrics, not accuracy. One of the performance metrics used in reinforcement learning is its reliability).

The two errors are unintended and can easily be corrected. However, failing to correct these errors will put health, safety, and fundamental rights at risk, (eg, for cancer diagnosis, it is important that the AI system has fewer false negatives than false positives, as false negatives can be fatal while false positives cause inconvenience). The technical errors are available here, and the AI Act proposal is here.

Investigations and enforcement actions: ex-employees unauthorized access, Clearview AI ban in Italy, video surveillance footage on social media

The EDPB continues to analyze some important recent data breaches within the EU at the request of national regulators. This week it looked at the ‘Santander Bank Polska’ case and levied an administrative fine of 120,000 euros. The controller reported a data breach when it was established that a former employee of the bank, despite the termination of their employment contract, had unauthorized access to the controller’s profile, (on the Electronic Services Platform of the Social Insurance Institution), containing the bank employees’ data. The Polish regulator concluded that a breach of data confidentiality occurred, which simultaneously involved a high risk to the rights or freedoms of the data subjects. Here are some findings from the case:

  • The bank posted a message on the internal communication platform, but it was general and did not refer to a specific case. 
  • It was addressed only to those employed at the time of notification, which could have left many data subjects unaware. 
  • There was a high risk to the rights or freedoms of the data subjects and the controller should have communicated the incident to them, (all employees of the bank who were employed during the period when the former employee of the controller had unauthorized access to the data on the platform).

Meanwhile, the Italian supervisory authority ‘Garante’ imposed a fine amounting to 20 mln euros on Clearview AI Inc for multiple violations of the GDPR. The regulator launched its own proceedings following press reports in connection with facial recognition products which were offered by Clearview AI. Moreover, in 2021 ‘Garante’ received complaints and alerts from organizations that are active in the field of protecting the privacy and the fundamental rights of individuals against Clearview. The personal data held by the company, including biometric and geolocation information, was processed unlawfully without an appropriate legal basis. The company also infringed several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation. 

‘Garante’ imposed a ban on further collection and processing, ordered the erasure of the data, including biometric data, processed by Clearview’s facial recognition system with regard to persons in the Italian territory, and the designation of a representative in the EU. It’s the strongest enforcement yet from a European privacy regulator, following prohibiting decisions by UK’s ICO and France’s CNIL last year. However, whether Italy will be able to collect the penalty from Clearview, a US-based entity, is one rather salient question, TechCrunch analysis suggests.

The Croatian supervisory authority AZOP fined a retail chain company 90,000 euros for failure to take appropriate technical and organizational measures, (TOMs), for the processing of personal data, Data Guidance reports. AZOP received a report on alleged violations of personal data from the company, stating that employees of the company, without authorization and contrary to internal acts and instructions, recorded video surveillance footage with their mobile devices and published it on social networks and in the media. AZOP found that:

  • the company did not take adequate actions to prevent its employees from capturing video surveillance images with their mobile devices;
  • the company took certain organizational measures, such as employee education and adoption of internal acts, but did not take appropriate technical security measures that could reduce the risk of a similar violation, neither before nor after the incident;
  • the company did not regularly monitor the implementation of TOMs aimed at ensuring the confidentiality, integrity, and availability of personal data;
  • the company failed to regularly test, evaluate, and determine the effectiveness of TOMs to ensure the security of video surveillance. 

Big Tech: TikTok child privacy class action, cybersecurity firms booming, Twitter Tor version

A class-action lawsuit against TikTok originally initiated by a 12-year-old girl has been granted permission to proceed by the UK High Court. At its heart is the claim the Chinese social networking giant processes children’s personal data unlawfully. The suit seeks damages in the name of millions of children, potentially exposing TikTok to billions in fines. TikTok contests the case and insists it has high-security standards across its platform.

With software security expected to be a booming market, more than doubling in value to 350 billion dollars by 2026, Alphabet Inc’s Google has snapped up Mandiant Inc. for 5.4 billion. The cybersecurity firm has become a reference for companies investigating cyberattacks, and Microsoft was also in the running to buy the company. Analysts say all the big cloud firms will be looking to buy cybersecurity companies, as cyberattacks have spiked with home working, and the Russia – Ukraine war is also driving the market for security software.

In what has been described as a tectonic shift at Twitter the company is launching a Tor onion version of its site, with the clear aim of ensuring privacy and avoiding censorship. Software engineer Alec Muffett said, “It’s a commitment from the platform to dealing with people who use Tor in an equitable fashion.” The Tor network will now also feature as a supported browser on Twitter. Unlike accessing Twitter via Tor, the new service is designed specifically for it and adds layers of protection.

Weekly digest February 14 – 20, 2022: regulating the cloud in the EU, GDPR as a trusted asset https://techgdpr.com/blog/weekly-digest-20022022-regulating-the-cloud-in-the-eu-gdpr-as-a-trusted-asset/ Mon, 21 Feb 2022 10:02:52 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: cloud in the EU, cookie consent, AI standards, children’s data protection in California

The EDPB has announced a coordinated investigation and enforcement probe on the use of the cloud in the EU by the public sector. Reportedly, cloud uptake by enterprises doubled across Europe in the last 6 years. The COVID-19 pandemic has sparked a digital transformation of organisations, with many turning to cloud technology. However, public bodies at the national and EU levels may face difficulties in obtaining information and communication technology products and services that comply with EU data protection rules. Twenty-two national supervisory authorities, (also in coordination with the EDPS), will examine public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship. The probe, to be followed by an end-of-year report, will cover a wide range of sectors – health, finance, tax, education, and central buyers or providers of IT services. 

The Norwegian data protection authority Datatilsynet asked the government to tighten national rules on the cookie consent mechanism. Datatilsynet compares the Norwegian and French approaches to cookie opt-out options. In France, as in the rest of the EU, consent to the use of cookies is required to be in line with the requirements of the GDPR. The reason for the latest multimillion fines on Google and Facebook from the French regulator CNIL was that the two companies allowed users to consent to the use of cookies through a single click, while the procedure for refusing consent was more cumbersome and time-consuming. In comparison, however, the practice for which the tech giants have now been fined in France would hardly have been considered problematic under the regulations for cookies in Norway, where consent is allowed through preset browser settings. In the view of Datatilsynet, these cases illustrate how unsustainable the current regulation of cookies and similar tracking technologies in Norway is, and it asks that the government grant Datatilsynet supervisory powers. 

The EU’s effort to set a standard for AI will likely take more than a year before it can become legislation. The main debate is focusing on whether facial recognition should be banned and who should enforce the rules, Reuters reports. The initiative moved forward last year due to the pandemic and the spread of algorithm-based gadgets and services in daily life. Reportedly, the European Commission wants to allow facial recognition use by law enforcement in terror attacks and serious crimes. But civil rights activists fear it could facilitate discrimination and surveillance by governments and companies. Also, a balanced enforcement approach would be needed, where basic implementation would be at the national level by national regulators and certain applications and certain impacts would be left to the Commission. 

In California, legislators proposed a new bipartisan bill to protect children online. The California Age-Appropriate Design Code Act was modelled on the UK Children’s Code and contains provisions for children’s data protection and limits to online exposure for minors under age 18, IAPP News reports. Existing law, the Parent’s Accountability and Child Protection Act, requires a person or legal entity that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age. They are prohibited from reusing data obtained during the verification process for any other purposes. Commencing July 1, 2024, this bill would also require a business that creates goods, services, or product features likely to be accessed by children to comply with specified standards, including considering the best interests of children, (eg, using clear language suited to the age of children likely to access that good, service, or product feature).

Official guidance: data for research purposes, DPIA checklist, CNIL’s 2022 strategy

The UK Information Commissioner’s Office is seeking feedback on the draft guidance on the research provisions in the UK GDPR and the Data Protection Act 2018. Both pieces of legislation contain a number of provisions for processing personal data for research purposes: namely a) archiving in the public interest; b) scientific or historical research; and c) statistical purposes. However, they are contained in a number of articles and paragraphs in both pieces of legislation creating a complicated area of data protection. The draft guide helps those engaged in research to carry out their processing while being compliant with the existing law. Adhering to this guide, data controllers should be able to demonstrate their processing is necessary for one of these research purposes and that it meets a set of indicative criteria for each of the three types of research. These provisions cover three broad areas of data protection: 

  • the data protection principles, (purpose limitation, storage limitation);
  • conditions for processing special category data and criminal offence data; 
  • exemptions from data subjects’ rights and 
  • appropriate safeguards (data minimization, pseudonymization, anonymisation).

Interested parties can submit their responses by 22 April via this page.

The Spanish regulator AEPD published a checklist, (in Spanish only), to help data controllers carry out data protection impact assessments, Data Guidance reports. The list allows a quick check and prior consultation to ensure all the necessary aspects have been taken into account when carrying out and documenting an impact assessment. In particular:

  • those responsible who plan to carry out a prior consultation must complete and submit the said list to the AEPD to verify that it contains the minimum content required;
  • if after carrying out the DPIA, and after having adopted measures, the risk is still high, the person in charge must carry out prior consultation with the AEPD before carrying out this processing of personal data, etc.

You can download the full list here. The document also complements AEPD’s risk management and DPIA guide.

The French regulator CNIL published its strategic plan for 2022-2024. The new orientations are divided into three priority areas: a) promoting control and respect for the rights of individuals, b) promoting the GDPR as a trusted asset for organizations, c) prioritizing targeted regulatory actions on subjects with high privacy stakes. Similarly, the CNIL specifies its priority control topics for 2022: commercial prospecting, use of cloud computing, and remote working monitoring. Each year the CNIL conducts several hundred checks, (384 in 2021). Usually, the three themes chosen as priorities for the year represent approximately one-third of the checks carried out:

  • Unsolicited commercial prospecting is one of the irritants of French daily life and is a recurring subject of complaints and calls to the CNIL hotline.
  • The massive use of teleworking during the Covid-19 pandemic has led to the development of specific tools, allowing employers to ensure closer monitoring of employees’ daily tasks and activities. Many believe that it will become widespread and will continue even when the health situation has returned to normal.
  • The use of the cloud is constantly growing in the private and public sectors, followed by massive transfers of data outside the EU to countries that do not provide an adequate level of protection or are vulnerable to data breaches in the event of incorrect configuration.

Latvia’s data inspectorate announced the results of cookie audits of websites belonging to 26 companies, IAPP News reports. Auditors looked for comprehensive information for the user and checked whether the appropriate consent of the website user was obtained, including for the use of marketing, statistical and analytical cookies. In total, at least one non-compliance with the requirements of the GDPR and Latvia’s Information Society Services Act was found on each of the websites inspected. The highest number of non-compliances was found in obtaining appropriate consent from the website user in cases where it is mandatory to obtain it:

  • none of the websites examined provided adequate consent, 
  • in most cases only partial consent was obtained from the website user,
  • in 4 cases it was considered that no consent was obtained at all. 

The least inconsistencies were found in the evaluation of the cookie policy/terms of use available on the website regarding the inclusion of the minimum information required. Official notices were sent to three organizations to evaluate and eliminate non-compliances according to the findings by April, and for the rest by August. 

Grindr has appealed against the 6.5 mln euro fine imposed by the Norwegian data protection authority Datatilsynet. Grindr is a location-based social networking app marketed towards gay, bi, trans, and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared was GPS location, IP address, Advertising ID, age, gender, and the fact that the user in question was on Grindr. Datatilsynet concluded that Grindr disclosed user data to third parties for behavioral advertising without a valid legal basis. Datatilsynet will now assess Grindr’s appeal and consider whether there are grounds to rescind or alter the decision. The Norwegian Consumer Council will also be given the opportunity to express an opinion. If the decision is not rescinded or altered, the case will be sent to the Privacy Appeals Board for processing. Decisions from the Privacy Appeals Board cannot be further appealed, but depending on the circumstances, the parties can file a lawsuit before the courts against the validity of such a decision.

The Danish data protection authority has issued criticism, injunctions, and warnings to the Capital Region after two security breaches. Both incidents were reported by the Danish Health and Medicines Authority in 2020 and 2021. In both cases, a data exchange service from the health platform, (for which the Capital Region of Denmark was the data controller), was involved, and a couple of thousand medication prescriptions for patients were affected. The security breaches arose because integrations between two systems meant that an update in one affected the integrity of the information displayed in the other. After reviewing both reported breaches, the Danish data protection agency has expressed serious criticism of the Capital Region for:

  • not having qualified relevant test scenarios in order to better identify dependencies on other IT systems,
  • not having carried out the necessary tests before the changes were made,
  • not informing the Danish Health and Medicines Authority about the security breaches when the incidents were established.

The Danish data protection agency has ordered the region to prepare and introduce a process that ensures that known integrations with other systems do not create incorrect information in those systems, and also to map in detail the internal IT architecture and IT environment in collaboration with the parties involved. 

The Spanish regulator AEPD fined Amazon Road Transport 2 mln euros for unlawful processing of criminal conviction data, Data Guidance reports. A union representative filed a claim with the AEPD stating that, for the hiring of self-employed contractors, Amazon Road Transport Spain requested certificates of the absence of a criminal record, specifically requiring the consent of the candidates so that this data could be transferred to the group companies and their supplier located outside the EEA. Amazon Road Transport claimed that when obtaining a negative certificate, data relating to criminal convictions or offenses was not processed, since the certificate did not contain any data relating to the commission of crimes, and as such does not fall under Art. 10 of the GDPR. The regulator refused to accept this interpretation of the GDPR. The AEPD found that Amazon Road Transport was not diligent, as it failed to implement adequate procedures for the collection and processing of personal data relating to criminal convictions. The company also has to cease requiring the above certificates, delete all the information from the certificates already provided, and bring its processing into compliance with Art. 6 and 10 of the GDPR. At the same time, it was not in violation of Art. 7 and 49.1 of the GDPR, (as explicit consent of a data subject can be used as a derogation for a restricted international transfer).

Data security: best practices

The European Union Agency for Cybersecurity, (ENISA), and CERT-EU published a joint set of cybersecurity best practices for public and private organisations. There is a substantial increase in cybersecurity threats to organisations in the EU. Three factors are at play in this trend: a) ransomware remains a prime threat, putting millions of organizations at risk; b) criminals are increasingly motivated by the monetisation of their activities; c) attacks against critical infrastructure are rising exponentially, and other economic sectors, as well as society at large, can be exposed. The publication is mainly intended for decision-makers, (both in IT and general management), and security officers, (CISOs). It is also aimed at entities that support organisational risk management. Recommendations are provided in no particular order. Organizations should prioritize their actions according to their specific business needs:

  • Ensure remotely accessible services require multi-factor authentication, (MFA).
  • Ensure users do not re-use passwords, encourage users to use MFA whenever supported by an application, (eg, on social media).
  • Ensure all software is up-to-date.
  • Tightly control third-party access to your internal networks and systems. 
  • Pay special attention to hardening your cloud environments before moving critical loads to the cloud. 
  • Review your data backup strategy and use the so-called 3-2-1 rule approach.
  • Change all default credentials, employ appropriate network segmentation.
  • Conduct regular training.
  • Create a resilient email security environment.
  • Protect your web assets from denial-of-service attacks.
  • Block or severely limit internet access for servers, etc. 

Big Tech: Texans’ biometric data, employee spying software, Clearview AI image collection expansion

Texas’s Attorney General Ken Paxton is suing Meta for its use of facial recognition technology to harvest the biometric data of millions of Texans without their consent, Reuters reports. The lawsuit claims 20.5 million Texans use Facebook, and data was captured illegally “billions” of times. The plaintiffs are reportedly seeking hundreds of billions of dollars in civil damages. In 2020 Facebook settled a similar suit in Illinois for 650 million dollars, and last November a blog post announced the system was being axed and any data collected destroyed.

Controversial facial recognition specialist Clearview AI is going the other way, according to the Washington Post, which revealed Clearview had called on investors for 50 million to collect “100 billion” faces within a year to make “every person on earth identifiable”. Clearview, which collects images from social media and other websites without the sites’ or the subjects’ consent, works mainly for law enforcement but is seeking to expand into monitoring gig economy workers. Facebook, Google, Twitter and YouTube have all demanded Clearview stop, to no avail. The French, Australian, and UK privacy regulators have already ruled against its practices.

China’s Sangfor Technologies has come under scrutiny for software that spies on company employees and attempts to predict when they will quit, IAPP News reports. The Shenzhen-listed company’s “resignation analysis system” monitors employee browsers for job ads, recruitment emails, and social media websites. Ex-employees have been going public about how their employers fired them when they job hunted online, and how the employers knew exactly what they had been doing on their computers. The story has found an echo on Chinese social media and forums, with many finding the software an infringement of personal privacy.

Weekly digest February 7 – 13, 2022: France latest EU member to put pressure on Google Analytics (https://techgdpr.com/blog/weekly-digest-14022022-france-latest-eu-member-to-put-pressure-on-google-analytics/, Mon, 14 Feb 2022 10:11:34 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: use of Google Analytics in France, Privacy Sandbox commitments in the UK

The use of Google Analytics, (GA), is illegal as it threatens the privacy of French website users, concludes the French data protection regulator CNIL. In its latest decision relating to an unnamed French website manager, the CNIL decided that the analytics service developed by Google risks giving US intelligence services access to the website users’ data. GA provides statistics on website traffic. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the data associated with it are transferred by Google to the US. The CNIL, in cooperation with its EU counterparts, concludes that in the absence of an adequacy decision following the “Schrems II” CJEU ruling, such a transfer can only take place if appropriate guarantees are provided. Although Google has adopted additional measures to regulate data transfers in the context of the GA functionality, these are not sufficient to exclude the accessibility of this data to US intelligence services. The CNIL ordered the website manager to bring this processing into compliance with the GDPR, if necessary:

  • by ceasing to use the GA functionality under the current conditions, or 
  • by using a tool that does not involve a transfer outside the EU, (and only uses anonymous statistical data). 

To go deeper on this topic, you can also read the recent unfavorable decision on GA by the Austrian data protection regulator. In its defense, Google also recently posted a statement stressing that the GA tool does not track or profile people across the internet.

Britain’s competition regulator, the CMA, is to keep a close eye on Google as it secures final Privacy Sandbox commitments. The CMA has accepted a revised offer from Google of legally binding commitments relating to its proposed removal of third-party cookies from the Chrome browser, known as the Privacy Sandbox proposals. The CMA competition investigation was launched in January 2021 over concerns that the proposals would cause online advertising spending to become even more concentrated on Google, weakening competition and so harming consumers. Google has pledged not to remove third-party cookies until the CMA is satisfied.

The CMA is currently working closely with the UK Information Commissioner’s Office, (ICO), to oversee the development of the proposals so that they protect privacy without unduly restricting competition and harming consumers. For example, Google commits to restricting the sharing of data within its ecosystem to ensure that it doesn’t gain an advantage over competitors when third-party cookies are removed. Google will also engage in a more transparent process than initially proposed, including engagement with third parties and publishing test results, with the option for the CMA to require Google to address issues raised by the CMA or third parties. Read more on the Privacy Sandbox initiative here and the ICO’s latest opinion on data protection and privacy expectations from the advertising technology sector.

Official guidance: configuration errors, payment services, EU data flows analysis

The French regulator CNIL published a guide, (in French), on security incidents related to configuration errors within public cloud storage spaces, DataGuidance reports. Malicious scenarios may be caused by a) publicly accessible ‘buckets’; b) overly permissive access rights for users; c) inadequate user authentication mechanisms. To detect unauthorized access, CNIL recommends that available logs be analyzed, and that the Data Protection Officer be kept updated in a timely manner in the course of the investigation. If the incident is classified as a personal data breach, CNIL must be notified within 72 hours of discovery. Some essential steps to prevent configuration errors include:

  • knowing your infrastructure, (eg, configure security options: do not rely on default settings, in particular public and private access to containers);
  • taking inventory of your cloud resources, (eg, separating the storage of personal and sensitive data from other data);
  • limiting access, (eg, strong two-factor authentication for sensitive actions);
  • encrypting data and performing regular backups;
  • tracing, monitoring, and auditing containers and their security configurations;
  • educating users on how to handle data stored in the cloud.
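The first two configuration errors CNIL lists, publicly accessible buckets and overly permissive access rights, can be checked offline from exported policy documents before any data is moved into a bucket. The script below is an added example written for this digest; it is not CNIL’s guide, nor code from Google or AWS. It assumes the GCS policy was exported with `gsutil iam get` and the S3 policy is the document inside `aws s3api get-bucket-policy`; the bucket names, principals and VPC endpoint id in the sample policies are constructed placeholders.

```python
"""Offline audit of bucket access policies for two of the configuration
errors the CNIL guide describes: publicly accessible buckets and overly
permissive access rights. It reads exported policy documents, so no cloud
credentials are needed; the sample policies below are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass

# GCS principals that open a bucket to anyone on the internet / any Google account.
GCS_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# GCS roles far broader than a storage client needs on a single bucket.
GCS_BROAD_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = reachable anonymously, "medium" = needs human review
    location: str   # IAM role (GCS) or policy statement Sid (S3)
    detail: str


def check_gcs_iam_policy(policy: dict) -> list[Finding]:
    """Inspect a GCS bucket IAM policy document (JSON with a "bindings" list)."""
    findings: list[Finding] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = set(binding.get("members", []))
        public = sorted(members & GCS_PUBLIC_MEMBERS)
        if public:
            findings.append(Finding("high", role, f"{public} granted {role}"))
        if role in GCS_BROAD_ROLES:
            for member in sorted(members - GCS_PUBLIC_MEMBERS):
                findings.append(Finding("medium", role, f"{member} holds broad role {role}"))
    return findings


def _principal_is_anyone(principal) -> bool:
    """True for the wildcard principal forms that mean anonymous access in S3."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_s3_bucket_policy(policy: dict) -> list[Finding]:
    """Inspect an S3 bucket policy document (JSON with a "Statement" list)."""
    findings: list[Finding] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt.get("Condition"):
            # Wildcard principal narrowed by a Condition (source VPC, IP range, ...):
            # not necessarily public, but a reviewer should confirm the condition is tight.
            findings.append(Finding("medium", sid, f"anonymous access limited by Condition: {actions}"))
        else:
            findings.append(Finding("high", sid, f"anonymous principal allowed {actions}"))
    return findings


def worst_severity(findings: list[Finding]) -> str | None:
    """Collapse a finding list to the level an alerting rule would act on."""
    levels = {f.severity for f in findings}
    return "high" if "high" in levels else ("medium" if "medium" in levels else None)


def audit_policy_file(path: str, kind: str) -> list[Finding]:
    """Load an exported policy document from disk and run the matching check."""
    with open(path, encoding="utf-8") as fh:
        policy = json.load(fh)
    return check_gcs_iam_policy(policy) if kind == "gcs" else check_s3_bucket_policy(policy)


# Constructed sample policies (bucket name, principals and VPC endpoint id are placeholders).
SAMPLE_GCS_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin",
         "members": ["user:ops@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:uploader@example.iam.gserviceaccount.com"]},
    ],
    "etag": "EXAMPLE=",
}

SAMPLE_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, findings in (("gcs sample", check_gcs_iam_policy(SAMPLE_GCS_POLICY)),
                           ("s3 sample", check_s3_bucket_policy(SAMPLE_S3_POLICY))):
        print(f"{name}: worst={worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.location}: {f.detail}")
```

Run as-is it reports the sample GCS bucket as high (anonymous `allUsers` read) with two medium findings for the broad `roles/storage.admin` grants, and the sample S3 bucket as high for the unconditional `PublicRead` statement while flagging the VPC-restricted statement only for review. Policy review is one signal, not the whole check: object-level ACLs and the platform-level guards (GCS public access prevention, S3 Block Public Access) should be verified too, and the log analysis CNIL recommends covers the detection side that a static policy check cannot.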

The EU Commission presented a new study estimating the volume of data flowing to main cloud infrastructures across the EU Member States, Iceland, Norway, Switzerland, and the UK. In 2020, the largest data flows came from the health sector, and Germany registered the largest volume of data inflow. Reportedly, by 2030, the flow of data stemming from European enterprises will be 15 times higher than in 2020. Furthermore, a follow-up study has just been started to assess the economic value of data flows within the EU, as well as with third countries such as the US and China. Both studies will complement the upcoming Data Act. They will also feed into the evaluation of the EU Regulation on the Free Flow of Non-Personal Data, as well as the Digital Decade policy programme. Read the full study and the interactive map here.

A growing number of EU payment industry associations co-signed a letter addressed to the EDPB, the European Commission, and the European Banking Authority about the final EDPB Guidelines on the interplay of PSD2, (Payment Services Directive), and the GDPR. Although the guidelines clarify certain aspects of the interplay, other elements remain more worrying and raise new uncertainties, notably:

  • the provisions on data minimisation;
  • the processing of special categories of personal data;
  • a lack of coherence with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication;
  • the risk that national data protection authorities could start taking a differentiated approach to the interpretation of the provisions, resulting in fragmentation across the EU.

Investigations and enforcement actions: IAB Europe/APD row, extensive health data collection, unprotected visa order forms, unsolicited marketing email

The Interactive Advertising Bureau (IAB) Europe has published an FAQ on the Belgian data protection authority, (APD), decision about the Transparency and Consent Framework, and its compliance with the GDPR. The IAB Europe states that:

  • There is nothing in the APD’s decision that even remotely suggests that consent pop-ups are illegal or that they should not be employed by the digital advertising ecosystem to comply with the EU data protection rules. 
  • The APD only requires IAB Europe to ensure the deletion of personal data collected through TC Strings in the context of a specific mechanism called the “global scope”.
  • The APD does not consider the TC String itself to be personal data, as the TC string does not allow for direct identification of the user due to the limited metadata value.
  • However, the APD holds that the possibility of CMPs being able to combine TC Strings and the IP address means it is ultimately information about an identifiable user and therefore personal data. 
  • The APD’s decision only concerns IAB Europe, not any vendors, publishers, or CMPs, but it does hint at the possibility of an order for a given party to delete TC Strings if they contain personal data collected in breach of Art. 5 and 6 of the GDPR.
  • It is unclear if reliance on legitimate interests as a legal ground for the processing of personal data by TCF participants is viable for all TCF purposes or solely for personalized advertising and profiling, etc.

The EDPB published an analysis of the recent decision by the Finnish Data Protection Ombudsman. An administrative fine with reprimand was imposed on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information. The Data Protection Ombudsman stated that the actions of the data controller violated the principle of data minimization provided for in the GDPR. Namely, the data controller requested unredacted patient records from health care providers in order to settle claims. The controller also collected information on the patients’ health care appointments to determine whether the health care provider charged for visits not related to the examination or treatment of injuries sustained in the claim. Information was also requested in cases where the health care recipient may have omitted information essential for claims handling. The decision by the data protection authority is not final as it is under appeal in the administrative court.

Another fine by the Finnish data protection regulator was imposed on a travel agency for multiple violations of the GDPR. In the given case, a customer suspected the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency erase their data from the system, but the company had not fulfilled the customer’s request. The investigation showed that: 

  • The travel agency used an unencrypted network connection for its visa application forms.
  • It stored personal data on a public web server: the information entered on the form was saved as a PDF file in the web server’s files folder, which was open to access from the internet.
  • The information entered on the forms included the customer’s name, contact details, and passport number, which in particular poses a privacy risk.

The regulator also imposed a fine on the small travel industry group that the travel agency is considered a part of.

Meanwhile, the Spanish data protection authority AEPD fined SegurCaixa Adeslas, (health insurance), 300,000 euros for sending marketing emails to the plaintiff despite their request for deletion of their data, Data Guidance reports. This happened despite the fact that the given email address was registered in an opt-out list of people not willing to receive marketing communications. SegurCaixa Adeslas, however, indicated that the marketing emails were sent to insurance agents with which it maintained a commercial relationship, claiming that these insurance agents should be responsible for the activity of promoting and attracting clients. The AEPD found SegurCaixa Adeslas in breach of Art. 6, (unlawful processing), 17, (failed requests for data deletion), and 28, (no formalised data processing agreement with the contracted insurance agents), of the GDPR.

Data security: IoT products

The US National Institute of Standards and Technology published its latest Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) products. An IoT product and its components must protect data stored and transmitted, (both between IoT product components and outside the IoT product), from unauthorized access, disclosure, and modification. Thus, maintaining confidentiality, integrity, and availability of data is foundational to cybersecurity for IoT products. Customers will expect that data is protected and that protection of data helps to ensure the safe and intended functionality of the IoT product. The document provides some real-world IoT product vulnerabilities and related proposed baseline criteria. Here are some examples:

  • Weak data protection in storage and transit creates vulnerabilities within home security cameras allowing adversaries to exfiltrate data. 
  • Unencrypted sensitive data is available through a baby monitor, leaving the data vulnerable to access, modification, exfiltration, and misuse.
  • Using weak de-identification methods leaves data vulnerable to being reidentified allowing unauthorized access to sensitive data, etc.

Big Tech: Meta annual report, TikTok promises minors privacy, AirTag dilemma, surveillance marketing by YouTube, TikTok & Co

Negotiations between the EU and US over transatlantic data transfers and their associated privacy issues need to succeed, Meta said this week in its annual report to the SEC and in press releases. Failure to agree on a new transatlantic data transfer framework that complies with the EU’s GDPR could lead to Facebook and Instagram quitting Europe, Meta added, claiming that 70 other companies are concerned about the impact on their business. The SEC report noted that other data protection requirements at the federal, state, and international level, along with legislation restricting the collection and use of data from minors, could impose limitations on Meta’s business. You can investigate Meta’s annual report here.

A TikTok news briefing revealed the company is conducting twin tests to crack down on adult content arriving on minors’ devices, Reuters reports. The company said one small test would look at how users themselves or their parents or guardians could restrict access, while a ratings approach is being trialled for app creators who want to specify adult content, similar to the film and games industries.

Apple has responded to reports its AirTag device is being used by criminals, especially stalkers, updating software and beefing up online support, according to The Guardian. Any initial user of the device will now be warned tracking people without consent is a crime in many places around the world. Guidance on what to do if you find an unwanted AirTag near you and how to disable it is being added to the website, along with links to two US helplines. Apple says additional measures, like precision detection of stalking AirTags, are on the way.

TikTok and YouTube are by far the biggest collectors of personal data among social media apps, according to a report by URL Genius. While YouTube mostly collects data for its own business purposes and sells little to third-party trackers, TikTok sells nearly all its users’ data to third parties, more than three times as much, trailed by Twitter and Telegram. The report says that for users this means it is unclear where all this data goes, how it is used, and whether, for example, other online activity or location is being tracked, whether or not they are logged in to TikTok. The study added that TikTok allowed third-party tracking even when users did not use the opt-in feature. Find many other findings on surveillance marketing in the original study report.

Weekly digest November 22 – 28, 2021 “Privacy, DP, and Compliance news in focus” (https://techgdpr.com/blog/weekly-digest-november-22-november-28-2021-privacy-dp-and-compliance-news-in-focus/, Tue, 30 Nov 2021 11:59:39 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Parliament Internal Market and Consumer Protection Committee has adopted its position on the Digital Markets Act (DMA). The document sets not-to-do rules for companies with “gatekeeper” status and significant market capitalization in the EU, (online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services). It says, among other measures, that a gatekeeper shall, “for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising”, (eg, A/B testing), except if there is clear, explicit, renewed, informed consent, in line with the GDPR. In particular, personal data of minors shall not be processed for commercial purposes, marketing, profiling and behaviourally targeted advertising. If a gatekeeper does not comply with the rules, the Commission can impose fines of not less than 4% and not exceeding 20% of its total worldwide turnover in the preceding financial year.

The EU Commission presented a proposal on transparency and targeting of political advertising and electoral rights. The proposed rules would require any political advert, such as on the Facebook platform, to be clearly labelled and distinguished from organic content, and include information such as who paid for it and how much. Political targeting and amplification techniques would need to be explained publicly in unprecedented detail and would be banned when using sensitive personal data without the explicit consent of the individual. The rules on political adverts must be approved by both the EU Parliament and Council, and are likely to enter into force by 2024.

The CJEU ruled on “inbox advertising” for the purposes of direct marketing. The display in the electronic inbox of advertising messages in a form similar to that of a real email gives “a likelihood of confusion that could lead a user who clicks on the link corresponding to the advertising message to be redirected, against his or her will, to an internet site displaying that advertisement”. In the related case two competing electricity suppliers distributed advertisements, via an advertising company, consisting of displaying banners in the email inboxes of users of a free email service. Those messages were not visually distinguishable in the list from other emails in the user’s account except for the fact that the date was replaced by the word “advertising”.

The Court reiterated that the “ePrivacy” Directive protects subscribers against intrusion into their privacy by unsolicited communications, whether by automated calling machines, telefaxes, emails, or SMS. Such communications are, however, permissible with the recipients’ prior consent. The email service at issue is offered to users in two categories, namely a free email service funded by advertising and a paid-for email service without advertising. Thus, it is important to determine whether the user concerned, having opted for the free email service, was duly informed of the precise means of distribution of such advertising and in fact consented to receiving advertising messages.

Official guidance

Stiffening anti-Covid measures by governments across the EU have led to employers being authorised to collect employees’ vaccination status data. In Germany, recent legislation obliges employers to monitor compliance with the so-called 3G/2G rules on a daily basis by means of verification checks, which they must also document on a regular basis. Employees are required to provide proof of their vaccination, recovery, or testing status upon request. The law explicitly states that employers may process employees’ personal data for the above purposes. The federal data protection regulator, the BfDI, supports the introduction of a legal basis for such queries in the workplace. Nevertheless, the law, in its opinion, does not provide enough protective measures for the data of the employees concerned. There are no pseudonymisation measures and no obligation on the inspecting person to maintain confidentiality. In the opinion of the BfDI, it would be sufficient to check employees’ data for access control and then delete it afterwards or at the end of the respective day. Finally, the law does not specify the purpose of storing these, soon to be very large, amounts of data.

“Turn off the microphone, (on your smartphone), turn on privacy”, says the Italian regulator Garante, which offers suggestions to avoid “prying listeners”. Smartphone sensors – and microphones in particular – can remain active even when we are not using our device. In this way they could be used to collect information, which can also be used for different purposes by third parties: for example, for marketing activities. Apps which, among the access permissions requested at the time of installation, also include the use of the microphone, are a widespread phenomenon. “Too often, as users, we grant these permissions without thinking too much and without informing ourselves sufficiently about the use that will be made of our data.” The regulator has now launched an investigation into the other most downloaded apps.

For several years, digital stakeholders have been developing alternatives to third-party cookies for targeted advertising. The French regulator CNIL’s guide explains the basics behind “necessary” first-party cookies, “behavioural” third-party cookies, and alternative techniques used to bypass the growing restrictions against tracking made by browsers, such as “fingerprinting”, “single sign-on”, “unique identifiers” or “cohort based targeting”. The CNIL reminds developers that these technologies must always be compliant with the data protection legal framework, the GDPR and ePrivacy Directive, regarding consent and the rights of data subjects to protect their communications and terminal equipment. In particular, the operations necessary for the constitution of an individual or group profile and the provision of targeted advertising require the prior consent of the user, whether or not personal data are processed, insofar as they are not directly part of the service requested by the user. In order to ensure that the use of these technologies respects users’ privacy, the CNIL asks for a minimum set of rules:

  • enabling users to keep control over their personal data;
  • the exercisability of all data subjects’ rights, through user-friendly interfaces;
  • non-processing of sensitive data;
  • determining the party or parties responsible (data controller/processor) for the implementation of these techniques within the ad tech supply chain.

Data breaches, investigations and enforcement actions

SmarterSelect, a US-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket, TechCrunch reports. The data spill, discovered by a cybersecurity company, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes and invoices for approximately 1.2 million applications to funding programs. These files contained name, email address, phone number, student photos, Social Security numbers, parents’ education and income, the students’ performance at school, and personal experiences like living in a foster home or abusive situations, descriptions of poverty etc. The company acknowledged the warning before revoking public access to the bucket in October. It’s not known whether SmarterSelect has notified those affected, nor whether it has alerted the relevant state attorney general.

The Spanish data protection authority, the AEPD, fined Vodafone España 50,000 euros for violation of national legislation on Information Society Services and Electronic Commerce. The complainant issued claims with the AEPD against continuous receipt of promotional communications from Vodafone to the complainant’s phone number. The sending of promotional communications had continued a year after the complainant exercised their right to cancellation of services and deletion of their data, which Vodafone did not adequately respond to. The aggravating factors to the violation were:

  • the intentional nature of the infringement;
  • the duration of the offence;
  • the repetitive nature of the infringement; and
  • the nature and amount of damage caused to the complainant, as he/she had to proceed with the claim to the AEPD twice. 

The Spanish regulator has also fined Unión Financiera Asturiana 9,000 euros for violation of Art. 6 of the GDPR, following the unlawful processing of a complainant’s personal data in the course of business activities. Unión Financiera had wrongfully processed the claimant’s personal data instead of blocking it, as they had requested, thus processing the personal data of the complainant without a legal basis. The company did not verify the data processing had been cancelled, simply indicating to the claimant that the data was blocked without detailing the actions taken, and later claimed that there had been no intention by the claimant to request the deletion of their personal data. This prompted the claimant to raise a complaint with the AEPD, DataGuidance reports.

Certification scheme for cloud services

The EDPB adopted a letter to the European Union Agency for Cybersecurity, ENISA, concerning the European Cybersecurity Certification Scheme for Cloud Services’ (EUCS) compatibility with the Schrems II decision. In the letter, the regulator reiterates that the final certification scheme should be consistent with the obligations, including specific criteria for encryption and key management, to ensure protection against threats represented by access from authorities not subject to EU legislation and not offering an adequate level of personal data protection. As an illustration, the EDPB included in the letter its latest Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Big Tech

Italy’s antitrust regulator the AGCM has fined Alphabet’s Google and iPhone maker Apple 10 mln euros each for “aggressive practices” linked to the commercial use of user data. The authority stated the two tech groups did not provide “clear and immediate information” on how they collect and use the data of those who access their services. Both Google and Apple said they disagreed with the antitrust decision and that they would appeal against it. The watchdog added that when users set up their account with Google, the system was designed in such a way that the terms and conditions on data usage were set up to be accepted. In the case of Apple, users do not have a choice on the issue, the antitrust regulator added. The fine is the maximum amount the watchdog can apply in these cases, the regulator said.

WhatsApp is rewriting its privacy policy as a result of a huge data protection fine earlier this year. Following an investigation the Irish data protection commissioner issued a 225 mln euro fine – the second-largest in history involving the GDPR – and ordered WhatsApp to change its policies. WhatsApp is appealing against the fine, but is amending its policy documents in Europe and the UK to comply. Previously WhatsApp users complained about an update to the company’s terms that many believed would result in data being shared with parent company Facebook, which is now called Meta. Many thought refusing to agree to the new terms and conditions would result in their accounts being blocked. The new privacy policy contains substantially more information about what exactly is done with users’ information, and how WhatsApp works with Meta.

With its latest Full Self-Driving, (FSD), release, Tesla is asking drivers to consent to allowing it to collect video taken by a car’s exterior and interior cameras in case of an accident or “serious safety risk”. Tesla has gathered video footage as part of FSD before, but it was only used to train and improve its AI self-driving systems. According to the new agreement, however, Tesla will now be able to associate video with specific vehicles. “By enabling FSD Beta, I consent to Tesla’s collection of VIN-associated image data from the vehicle’s external cameras and Cabin Camera in the occurrence of a serious safety risk or a safety event like a collision,” the agreement reads. The new policy and footage data likely cover the automaker’s liability in case someone tries to blame a crash or incident on the system when driver error may be to blame. Despite the name, FSD is not an autonomous system. Tesla’s instructions tell drivers to remain alert and prepared to retake control of critical functions at any given time.

Google has pledged more restrictions on use of data from its Chrome browser. Britain’s competition regulator the CMA has been investigating Google’s plan to cut support for some third-party cookies – an initiative called the “Privacy Sandbox” – because it is worried it will impede competition in digital advertising. Google has said its users want more privacy when they are browsing the web, including not being tracked across sites. Other players in the $250 billion global digital ad sector, however, have said the loss of cookies in the world’s most popular browser will limit their ability to collect information for personalising ads and make them more reliant on Google’s user databases. Google agreed earlier this year to not implement the plan without the CMA’s sign-off, and said the changes agreed with the British regulator will apply globally.

Chinese regulators have pressed ride-hailing giant Didi Global Inc to devise a plan to delist from the New York Stock Exchange due to concerns about data security. China’s Cyberspace Administration, (CAC), has asked the management to take the company off the U.S. bourse due to worries about leakage of sensitive data. In July the CAC ordered app stores to remove 25 mobile apps operated by Didi – just days after the company listed in New York. It also told Didi to stop registering new users, citing national security and the public interest. Didi, which has about 377 million annual active users in China, provides 25 million rides a day to users in the country who sign into its app with a phone number and password. Its apps also offer other products such as delivery and financial services. Reportedly, Didi is preparing to relaunch its ride-hailing and other apps in China by the end of the year in anticipation of the end of Beijing’s cybersecurity investigation into the company.
