Code of Conduct Archives - TechGDPR
https://techgdpr.com/blog/tag/code-of-conduct/
Thu, 01 Feb 2024 13:47:21 +0000, en-US

Weekly digest Feb 28 – Mar 6, 2022: more EU websites to obtain compliant cookie banner
https://techgdpr.com/blog/weekly-digest-07032022-more-eu-websites-to-obtain-compliant-cookie-banner/
Mon, 07 Mar 2022 09:51:52 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: compliant cookie banner, CEO liabilities, litigation data, virtual currencies

NOYB, the privacy foundation, has launched the second wave of its complaints against deceptive cookie banners, a campaign that first started last spring: “Another 270 draft complaints were sent to website operators whose banners don’t comply with the GDPR”, the statement on its website says. NOYB also offers guidelines for companies on how to comply, and only files formal GDPR complaints against those who remain non-compliant after a 60-day grace period. Overall, NOYB claims, the first wave of complaints was successful, with more and more websites implementing compliant cookie banners. NOYB has also published screenshots of sites and their improved banners, including those of Nikon, Domino’s Pizza and Unilever, available for download. In the coming months, NOYB will continue to review, warn and enforce the law on up to 10,000 websites. It will extend its scope to pages that use Consent Management Platforms (CMPs) other than OneTrust, such as TrustArc, Cookiebot, Usercentrics and Quantcast.

A German court recently ruled that a CEO was personally liable for a data privacy breach after hiring a detective to investigate possible criminal acts by the plaintiff, Technologyquotient reports. Under Art. 82 of the GDPR, anyone who suffers non-material damage as a result of a GDPR infringement has the right to receive compensation for the damage suffered. In this case the CEO, on behalf of the defendant company, commissioned a detective to investigate possible criminal acts committed by the plaintiff, who had submitted a membership inquiry to the company. The detective’s findings revealed that the plaintiff had been involved in criminal acts. When the company’s shareholders were informed of this, they rejected the membership application. The court ruled that:

  • the CEO’s hiring of a detective violated data protection law, and the plaintiff was awarded 5,000 euros in non-material damages;
  • the CEO was personally liable for the data protection violations and the damage claim, alongside the company;
  • the CEO qualified as a data controller, which distinguishes them from an employee who is bound by instructions.

Since the European Court of Justice has tended to apply a very broad interpretation of the term data controller, it seems likely that other courts could follow suit.

Italy’s Ministry of Economy and Finance has published its decree on the registration of providers of virtual currency and digital wallet services operating on Italian soil, Data Guidance reports. They will have to register in a special section of the currency exchange register run by the Body for the Management of the Lists of Financial Agents and Credit Brokers (OAM). Legal trading will not be possible without registration. Once the decree comes into force, the OAM has 90 days to set up the system, and companies already operating in Italy, or online in the country, will have a further 60 days to register. Before the OAM processes any personal data, its technical and organisational security measures for personal data will need endorsement by the national data protection authority, the Garante.

The US Department of Justice has reportedly knocked a Senate-passed cybersecurity bill as having “serious flaws,” criticizing it over a lack of direct reporting to the FBI. The bill, the Strengthening American Cybersecurity Act, unanimously passed in the Senate on Tuesday night. It would require companies in critical sectors to alert the government of potential hacks or ransomware. The legislation would require cyber incidents to be reported to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, though Justice Department officials argue that agencies should also report to the FBI.

Chinese data security laws increasingly create roadblocks for litigants seeking discovery in US courts, Technology Law Dispatch reports. Two Chinese information security laws, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), are creating difficulties for parties involved in litigation in the US who seek discovery materials stored in China. Both require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars. In particular:

  • The DSL broadly applies to “data processing activities”, which include collection, use, processing, transmission, disclosure and data management, and where “data” includes any record of information in electronic or any other form.
  • The DSL applies to extraterritorial data processing activities, as well as to activities within China that would be detrimental to its national interests.
  • Similarly, the PIPL applies to the processing of personal information about individuals in China.

Official guidance: CoC as data transfer tool and for clinical trials data, direct marketing

The EDPB has adopted final Guidelines on Codes of Conduct (CoC) as tools for personal data transfers. Its executive summary says the GDPR requires controllers and processors to put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that organisations may use under Art. 46 for framing transfers to third countries, introducing, among others, CoC as a new transfer mechanism (Art. 40(3) and Art. 46(2)(e)). Once approved by the competent supervisory authority and granted general validity by the Commission, a CoC may be used by controllers or processors located in third countries and not subject to the GDPR for the purpose of providing appropriate safeguards for data transferred to third countries. The guide clarifies the roles of the different actors involved in setting up a code to be used as a tool for transfers, and illustrates the adoption process with flow charts.

Meanwhile, the Spanish data protection authority, the AEPD, published, in Spanish, its first CoC on the processing of personal data in clinical trials, DLA Piper reports. The Code was drawn up in collaboration with an association that brings together the majority of pharmaceutical companies established in Spain. It is the first sectoral code of conduct approved in Spain since the GDPR came into force, as well as the first code approved in the EU in this field. Thus, while its territorial scope is limited to Spain, it could become a benchmark at the EU level. The Code applies to sponsors of clinical trials and contract research organisations that decide to adhere to it, and governs the implementation of the GDPR within the scope of clinical trials, as well as during the fulfilment of the obligations imposed by pharmacovigilance regulations for the detection and prevention of adverse effects of medicines already on the market. It provides for:

  • the establishment of protocols facilitating the application of the GDPR;
  • details on the codification of the data;
  • the responsibility of each participant in the clinical trial;
  • the establishment of protocols for the collection of information on possible adverse reactions, depending on who makes the notification; and
  • the establishment of a mediation procedure, voluntary and free of charge, which allows for an agile response to possible claims made by interested parties against member entities.

The CoC is available in Spanish on the AEPD website.

The German Data Protection Conference (DSK) published revised guidance (in German) on the processing of personal data for direct marketing purposes, DataGuidance reports. The guidance supplements the information obligations and the conditions for consent, namely:

  • informed consent requires that the type of intended advertising (e.g. letter, email, SMS, telephone or fax), the products or services to be advertised and the advertising companies are all mentioned;
  • as a rule, a separate text or text section without any other content is to be used;
  • if the declaration of consent under data protection law is to be given together with other declarations, in particular contractual declarations, in writing or in electronic form, it must be presented in a manner that is clearly distinguishable from the other matters (Art. 7(2) of the GDPR);
  • apart from explicit consent under Art. 9, the GDPR does not contain a general permission for the processing of special categories of personal data for advertising purposes (it must be examined in each individual case whether conclusions about a person’s health can be drawn from the fact that they are a customer of a certain company in the health sector); etc. You can read the guidance here.

Enforcement actions: former employees’ email accounts, technical and organisational measures, verification of the processor

The Slovakian data protection authority has ruled on two cases where employers failed to deactivate former employees’ email accounts, an Iuslaboris blog post reports. In both cases, one in the private and one in the public sector, the employers were found to be in breach of data privacy rules. In the first case:

  • A former manager objected that the employer had not deactivated his email account after the termination of his employment, and that it was still active and monitored by another manager within the company. In its defence, the employer relied on the legitimate interest argument (protection of the employer’s property, business contacts, client responses).
  • The regulator stated that legitimate interest can be a suitable legal basis for this kind of processing; however, the processing can only be carried out for a necessary period, and ten months cannot be considered necessary.

In the second case, after the termination of her employment, a former employee of a municipality created a fake email account and used it to send a question to her former work email address at the municipality. Her goal was to find out whether or not the municipality had deactivated that account. Once she received an answer, and thus had proof of a possible breach of the GDPR, she filed a complaint with the regulator:

  • The municipality claimed that the former employee had failed to hand over her agenda properly (communication with various state authorities, social security agencies, health insurance companies, rental apartment agendas).
  • The municipality was therefore obliged to monitor this email account to prevent itself from being held liable for potential damages or unlawful conduct.
  • The regulator found no proof of a demonstrable legal basis for the above processing activities.

The Polish data protection authority, UODO, imposed a record-breaking penalty (approx. 1 million euros) on Fortum Marketing and Sales Polska for failure to implement appropriate technical and organisational measures ensuring the security of personal data, and for failure to verify its processor, which was also fined approx. 50,000 euros. After analysing the company’s notification of a personal data breach, the supervisory body initiated ex officio administrative proceedings. Here are some facts from the case:

  • The data breach consisted of the copying of the controller’s clients’ data by unauthorised persons (the controller is referred to as the “administrator” in Polish GDPR terminology).
  • It occurred while changes were being introduced to the ICT environment.
  • The change was made by the processor with which the controller cooperated on the basis of concluded contracts, including contracts entrusting it with the processing of personal data.
  • During the changes, an additional customer database was created.
  • This database was copied by unauthorised persons because the server on which it was deployed did not have properly configured security.
  • The controller learned about the incident not from the processor, but from two independent Internet users.

Moreover, the security functions were not tested in the course of the work. The processor acted inconsistently with well-known ISO standards and, at the same time, against the provisions of its own security policy. The processor also did not comply with the provisions of the contract entrusting it with the processing of personal data, in which it undertook, inter alia, to implement pseudonymisation of the data, which was to be treated as a mechanism guaranteeing an appropriate level of data security.

Individual rights: health apps data

Privacy International published a ‘long-read’ on how health apps could exploit users’ data: “Digital health apps of all kinds are being used by people to better understand their bodies, their fertility, and to access health information. But there are concerns that the information people both knowingly and unknowingly provide to the app, which can be very personal health information, can be exploited in unexpected ways”. Key findings of the report are:

  • Apps that support women through pregnancy are one example where data privacy concerns are brought sharply into the spotlight.
  • Reproductive health information is highly sensitive, and the implications of services that do not respect that fact can be serious.
  • Apps that take on the responsibility of collecting that data need to take it seriously – but as PI has repeatedly found, many don’t (e.g. in terms of the involvement of the DPO, the availability of privacy policies, difficulties with anonymisation of health data, and more).

Big Tech: anti-AI discrimination law, identity proofing systems

Starting from March, China outlaws algorithmic discrimination, Wired reports. Under the new rules, companies will be prohibited from using personal information to offer users different prices for a product or service. The regulations, known as the Internet Information Service Algorithmic Recommendation Management Provisions, were drafted by the Cyberspace Administration of China, a powerful body that enforces cybersecurity, internet censorship and e-commerce rules. Among other things, they prohibit fake accounts, manipulating traffic numbers and promoting addictive content. They also provide protections for delivery workers, ride-hail drivers and other gig workers. Companies that violate the rules could face fines, be barred from enrolling new users, have their business licenses pulled, or see their websites or apps shut down. However, some elements of the new regulations may prove difficult or impossible to enforce (e.g. it can be technically challenging to police the behavior of an algorithm that is continually changing due to new input).

America’s Internal Revenue Service (IRS) says taxpayers will no longer have to provide facial scans to the private identity proofing system ID.me to create an online account at irs.gov, KrebsOnSecurity reports. All biometric data already held by ID.me will be destroyed, and any collected to create new accounts in the future will be destroyed once the account is operational. ID.me will now offer the option of a live video interview, while the IRS is also rolling out Login.gov, which is already used by 28 other government agencies. Critics say this federal system provides excellent digital identity security and should be a core government service, but is underfunded and under-resourced.

Weekly digest November 1 – 7, 2021 “Privacy, DP, and Compliance news in focus”
https://techgdpr.com/blog/weekly-digest-november-1-november-7-2021-privacy-dp-and-compliance-news-in-focus/
Mon, 08 Nov 2021 09:07:05 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

China’s Personal Information Protection Law (PIPL) came into effect on November 1. It largely blends the EU (GDPR) and California (CCPA) privacy rules for the handling of personal and sensitive information, including different legal bases, as well as general principles for data processors, such as conducting regular audits, training and data management programmes and appointing personal data protection officers, and it places restrictions on the cross-border transfer of personal information. The PIPL contains penalties for breach of its provisions, including fines of up to 6.7 million euros or up to 5% of the preceding year’s business income, whichever is higher. Finally, foreign companies (even those with no presence in China) that process the personal information of individuals in the country are required to establish a dedicated entity or appoint an agent or designated representative in China to be responsible for related matters. The name and contact details of such local agents or representatives will need to be provided to the relevant authority. Read more analysis by WhiteCastle.

The UK government has entered the active phase of its consultation on reform of the national data protection regime, with the deadline for organisations to respond expiring on November 19. The proposed reforms aim to establish a “pro-growth and innovation friendly” data protection regime, shifting away from a “one size fits all” approach to compliance with data regulations. The consultation concentrates on six key areas:

  • Reducing barriers to responsible innovation by relaxing the rules around organisations’ reliance on legitimate interests, or on automated decision-making under Art. 22 of the GDPR.
  • Reducing burdens on businesses by amending the requirements for privacy management programmes, DPIAs, the appointment of DPOs and the maintenance of detailed records of processing under Article 30 of the GDPR, increasing the threshold for reportable data breaches, etc.
  • Reworking the rules on cookies and direct marketing by allowing the use of analytics cookies and similar technologies without users’ consent, or the collection of information from a user’s device without their consent for other limited purposes.
  • Boosting trade and reducing barriers to data flows, including the use of alternative transfer mechanisms and a “risk-based” approach to granting adequacy decisions to other jurisdictions.
  • Allowing the processing of personal data for public health and emergency situations.
  • Reforming the Information Commissioner’s Office by refocusing its statutory commitments away from handling a high volume of low-level complaints.

In Germany, the Federal Ministry of the Interior, Building and Community (BMI) has evaluated the new Federal Data Protection Act (BDSG), which came into force in 2018. Both public and private users, including the data protection supervisory authorities as well as leading business associations and other institutions, were interviewed. The new BDSG, a German equivalent of the GDPR, has proven to be appropriate, practical and clear in its standards, despite various criticisms. In addition, the Federal Statistical Office carried out a cost re-measurement as part of the evaluation and found that the compliance effort of the BDSG for the economy has been reduced by about one million euros. The complete evaluation, in German, can be accessed here.

The latest insight from EURACTIV, an independent pan-European media network specialised in EU affairs, looks at the upcoming EU Data Act. Its aim is to make more data in the EU usable to support sustainable growth and innovation across all sectors (B2B and B2G). However, the independent quality checks so far have led to rejection of the proposal, reportedly for not providing sufficient information on the conditions for public bodies to access data, on compensation for businesses and on integration with other legislative measures. Data-sharing arrangements would be ‘encouraged’ via smart contracts and application programming interfaces. However, the text also refers to the introduction of ‘essential’ technical measures for interoperability, raising the question of whether these measures would be mandatory or not. Transparency obligations would force service providers to specify in the agreement what type of data is likely to be generated and how it can be accessed by customers, with SMEs exempted. Machine-generated data may also be excluded from the scope, making this type of data more accessible. Adoption of the Data Act is expected by the first quarter of 2022.

Official guidance

The US National Institute of Standards and Technology (NIST) explains the role of privacy-enhancing cryptography (PEC) and differential privacy techniques. Broadly, the PEC and differential privacy paradigms can be composed to enable better privacy protection, namely in scenarios where sensitive data should remain confidential for each individual original source. Differential privacy turns the query result into a noisy approximation of the accurate answer, which PEC can compute without leaking additional information to any party. For more practical guidance, covering secure multiparty computation, private set intersection, private information retrieval, zero-knowledge proofs and fully homomorphic encryption, followed by a case study on private medical data research, see the full article.

The Luxembourg data protection authority, the CNPD, published a comprehensive update of its guidelines (in French) on cookies and similar technologies, such as “fingerprinting”, “web beacons” and “flash cookies”, used for excessive tracking, profiling and targeting of users and customers. The guidance clearly distinguishes essential from non-essential cookies, draws the line where there is an obligation on data controllers to obtain consent, explains the danger of using consent management platforms set up by third parties, and provides plenty of visual examples of what a “cookie banner” should and should not look like.

The Italian Data Protection Authority, the Garante, provided clarification on direct marketing through social media platforms. A data subject complained of receiving a marketing communication sent by a company through LinkedIn. The communication offered real estate services for a specific property owned by the claimant. The company justified this practice on the grounds that the claimant’s LinkedIn profile was set to allow them to receive communications from any other LinkedIn user. The Garante did not accept the company’s arguments: LinkedIn is specifically a platform whose purpose is to connect users who share the same professional interests or who are seeking job opportunities, not the sale of products and services. The Garante also found that the acquisition of personal data via the public real estate register was in breach of Art. 5 of the GDPR: the register may be accessed only to verify ownership of a certain property, not for direct marketing purposes. The Garante did not sanction the company for this, as it is a micro-enterprise whose business has been strongly impacted by the pandemic, but imposed a 5,000 euro fine for failing to respond to its requests during the investigation.

The Polish data protection authority, UODO, continued a series of blog posts (in Polish) on creating a successful Code of Conduct. This time it focuses on effective mechanisms for monitoring compliance with the provisions of a code by private entities (Art. 41 of the GDPR). First of all, the code of conduct must designate the entity that monitors compliance with the code by the organisations that accede to it. In order to be accredited, the monitoring body must demonstrate its independence from the code’s creator and have appropriate financial, human, organisational and technical resources. From that point, the monitoring body is responsible for all preliminary audits and regular checks, as well as for ad hoc audits in case of data breach complaints. Further tasks include issuing comments and post-inspection recommendations and following up on their implementation; imposing sanctions, suspension and exclusion; handling appeals; cooperating with the supervisory authority and the authors of the code; participating in the code review mechanism; educating and promoting data protection principles; ongoing cooperation with members of the code (e.g. in the event of a data breach notification); and clarifying doubts and assisting in ensuring an adequate level of personal data protection.

The Dutch data protection authority, the AP, has mapped out the trends and risks for the protection of personal data in education. “Due to the autonomous position of teachers and the ‘proliferation’ of apps and software in education, it is difficult for educational institutions to keep control over the data processing”, the AP states. The regulator identifies three key trends and risks: excessive monitoring of pupils and students and their learning performance; dependence on major suppliers; and the growing exchange of data in partnerships. The AP’s recommendations focus on setting up the basics of privacy management programmes, such as keeping up-to-date records of processing activities, running self-assessments of risk and training employees. The AP has also called on ministers to table a package of measures to help institutions with the task.

Enforcement actions

The Romanian supervisory authority, the ANSPDCP, found IKEA Romania in violation of Art. 32 of the GDPR. The company organised a drawing contest in which the children of IKEA Family members participated. The participants uploaded their drawings to the online platform dedicated to members, together with participation forms which contained their personal data and also that of their parents or legal guardians. To allow voting for the best drawing, the children’s drawings were published on the online platform, but mistakenly together with the personal data contained in the participation forms. The disclosed data included the names, surnames and ages of minors, as well as names, surnames, city, country, e-mail addresses, IKEA Family membership numbers and handwritten signatures. The exposure lasted for about 40 hours and affected 114 individuals, so a minor fine of 1,000 euros was issued.

A British firm, Huq, which sells people’s location data, has admitted that some of its information was gained without seeking permission from users. Huq uses location data from apps on people’s phones and sells it on to clients, which include dozens of English and Scottish city councils. The apps in question measured wi-fi strength and scanned barcodes, so a council could use the data they provided to estimate, for example, how many people visited a high street within a given timeframe. Huq claimed it was aware of two “technical breaches” and had asked for code revisions and for the apps to be republished. Firms that collect location data from apps and then sell it on are under increased scrutiny in the EU. The Danish data protection authority is currently looking into whether there is “a legal basis” for the way Huq has processed personal data. Meanwhile, the UK’s Information Commissioner’s Office has issued a reprimand to another UK-based location data collection firm, Tamoco, for failing to provide sufficient user privacy information.

The Danish data protection agency also received a data breach notification from a company (Coop Danmark A/S) concerning personal information that was located on the company’s shared drive without adequate access control. The information concerned a total of 477 employees and external consultants. Coop discovered the breach while testing a new scanning tool. The regulator found that Coop had not complied with the requirement for necessary security measures. The company should have been aware that employees could incorrectly place personal data on the company’s shared drive, and should have checked and cleaned up the shared drive and introduced relevant security measures at an earlier stage. However, Coop reported the security breach to the authority in a timely manner, as the notification took place within the 72-hour time limit, so no fine was issued.

The French regulator, the CNIL, sanctioned the RATP, Paris’s public transport company, with a fine of 400,000 euros after noting that several bus centres had counted the number of strike days taken by workers in evaluation files which were used to prepare promotion offers. It also noted an excessive data retention period and data security breaches. The RATP had failed in its obligations, particularly because only data strictly necessary for the assessment of agents should have been in the promotion files. An indication of the number of days of absence was sufficient here, without it being necessary to specify that the reason for the absence was linked to the exercise of the right to strike. The CNIL thus imposed a fine and decided to make its decision public.

Opinion

Challenges with anonymising genetic data are analysed in a Herbert Smith Freehills blog series.

“As soon as one dataset is merged with another relating to the same set of data subjects, it becomes more likely that the information could be used to re-identify a data subject. For example, it was reported last year that the British National Health Service had sold medical records to pharmaceutical companies that could be used to re-identify “anonymised” genetic information collected for diagnostic purposes.”

Advances in AI are also making it harder to anonymise data, because it is increasingly easy to match up various pieces of data and link them to one individual. And sometimes anonymisation just isn’t desirable – the more identifiable information that is collated, the more valuable the dataset is for research. As a result, an attempt to anonymise genetic data might fall short, resulting in pseudonymisation only. Unlike anonymised data, pseudonymised data does fall within the GDPR, the analysis states.

Data security

Brian Krebs’s cybersecurity blog shows how the holiday shopping season is a perfect attack vector for phishers. Krebs analyses a fairly elaborate SMS-based phishing scam that spoofs FedEx delivery notices in a bid to extract personal and financial information from unwary recipients. The phishing link purports to let the recipient reschedule a delivery. Clicking “Schedule new delivery” brings up a page that requests the visitor’s name, address, phone number and date of birth. Those who click “Next Step” are asked to add a payment card to cover the “redelivery fee”. After clicking “Pay Now”, the visitor is prompted to verify their identity by providing their Social Security number, driver’s license number, email address and email password. So the main rule is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other media, and instead to visit the site or service in question manually. Also, most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.

Big Tech

The Federal Trade Commission has found that Internet Service Providers accounting for 98% of the US mobile market collect and share more data than their customers might be aware of, and that those same customers are ill-informed or even misdirected when trying to exercise choice about how their data is used. Sensitive data such as race or sexual orientation was sometimes used for grouping, and real-time location was shared with third parties. The Staff Report notes that the scope of such data collection is expanding, in line with similar trends in other industries, which strengthens the argument for restricting data collection and use.

Meta announced last week that it is ending its use of facial recognition on its platforms, shutting down a feature that has sparked privacy concerns and multiple lawsuits in the US. The Facebook platform will delete the face scans of over a billion people and will no longer automatically recognise people’s faces, meaning users who opted in to the service won’t receive alerts when a photo or video of them may have been added to the social network. This is a loss for blind users, as the Automatic Alt-Text tool that allowed the tagging of friends will be disabled. In the words of AI VP Jerome Pesenti, “the company would consider facial recognition technology for instances where people need to verify their identity or to prevent fraud and impersonation.”

China’s regulatory crackdown continues, with 38 apps from a number of companies told to stop excessively gathering personal data immediately or face penalties. The companies include a news app and a music streaming service owned by social media behemoth Tencent Corp. The order arrived days after China’s Personal Information Protection Law (PIPL) went into full effect. Meanwhile, internet company Yahoo has announced its withdrawal from the Chinese market in the latest retreat by foreign technology firms responding to Beijing’s tightening control over the industry. However, analysts say Yahoo’s withdrawal from China is largely symbolic, as at least some of Yahoo’s services, including its web portal, have already been blocked. China has also blocked other US internet services, such as Facebook, LinkedIn and Google. Mainland users who wish to access these websites use a virtual private network (VPN) to circumvent the block, the Guardian reports.
