Cold calling Archives - TechGDPR (https://techgdpr.com/blog/tag/cold-calling/)

Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy
https://techgdpr.com/blog/weekly-digest-07122021-data-volunteerism-two-factor-authentication-cookie-deluge-remote-clinical-trials/
Tue, 07 Dec 2021 08:00:49 +0000

The post Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Commission approved the political agreement reached between the EU Parliament and EU Member States on a European Data Governance Act. Three-way negotiations have now concluded, paving the way for final approval of the legal text. The Data Governance Act will create the basis for a new system of data governance in accordance with EU rules, the GDPR, and consumer protection and competition rules. More data will be available and exchanged in the EU, across sectors and Member States. It aims to boost data sharing and the development of common European data spaces, such as manufacturing or health, as announced in the European strategy for data. The regulation includes:

  • increasing trust in data sharing in order to lower costs, 
  • allowing novel trustworthy data intermediaries for data sharing,
  • facilitating the reuse of certain data held by the public sector, (eg, health data for clinical research of rare or chronic diseases),
  • allowing users control over the data they generate, (eg, data volunteerism, when companies and individuals make their data available for the wider common good under clear conditions).

On 1 December, a new law regulating data protection and privacy in telecommunications and telemedia, the TTDSG, came into effect in Germany. It contains updated provisions on digital legacy, privacy protection for terminal equipment and consent management. For example, it aims to stem the cookie deluge and give website visitors more control over the data a website collects. It also intends to provide more clarity in the regulatory jungle of the GDPR, the ePrivacy Directive, the German Telemedia Act, and the German Telecommunications Act, Herbert Smith Freehills LLP reports. Other key takeaways for companies from the TTDSG are:

  • All technologies, except those that are “strictly necessary”, may only be activated on the basis of having obtained explicit consent, (eg, marketing cookies, local storage or other storage locations on users’ devices). 
  • The scope of application of the consent management platforms has been extended, (eg, storage of information that is not personal data is also subject to consent).
  • The TTDSG also applies to apps, messenger services, smart home devices, and the IoT.

EU Member States may allow consumer protection associations to bring representative actions against infringements of the GDPR, according to a CJEU Advocate General. Those actions must be based on infringements of data subject rights derived directly from the regulation. In the related case, the Federation of German Consumer Organisations complained that Facebook Ireland made free games supplied by third parties available in the platform’s App Centre without clear information to users on data processing purposes. The GDPR does not preclude national legislation which allows consumer protection associations to bring legal proceedings on the basis of unfair commercial practices and consumer protection. In the AG’s view, “Member states may provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement confers subjective rights on data subjects”.

The Irish Council for Civil Liberties, the ICCL, has launched a formal complaint against the EU Commission before the European Ombudsman. This complaint has two components:

  • the Commission has failed to properly monitor the application of the GDPR, and
  • it has neglected to act against Ireland’s failure to properly apply the GDPR.

The ICCL revealed that 98% of Ireland’s major cross-border cases remain unresolved. As a result, EU enforcement against Google, Facebook, Microsoft, Apple, and other Big Tech is paralysed. The Data Protection Commissioner is the “lead supervisory authority” under the GDPR for Big Tech firms that have their European headquarters in Ireland. No other enforcer in the EU can intervene if the Irish regulator takes the lead role. The ICCL has repeatedly alerted the Irish Government about its responsibilities, and has testified on this point in Parliament.

Official guidance

The French CNIL has published updated recommendations on remote quality control of clinical trials, taking into account the current Covid-19 crisis. Quality control, or monitoring, consists of verifying the completeness and accuracy of data transmitted by investigation centers to sponsors in order to ensure the reliability of the study results. In particular, it consists of a clinical researcher acting on behalf of the sponsor verifying source documents, (medical files, laboratory analysis reports), and comparing them to the observational data collected by the investigator. Data confidentiality takes a key role in the process, as the person in charge of quality control should only have access to the personal data necessary to perform the checks.

In the current health context, the CNIL had previously considered that it was not necessary to file an authorization request if remote monitoring was implemented. It was the responsibility of data controllers and their subcontractors to document the solutions they chose during this period and to be able to demonstrate that these presented sufficient guarantees for the rights and freedoms of the persons concerned. However, all studies initiated as of January 1 will require the filing of an authorization request with the CNIL. Also, for ongoing studies, the information note must be updated and submitted to the persons concerned, (directly, by post, or in a call), with documentation of the patient’s non-objection in their medical file. Thus, the medical file of a person who has objected cannot be subject to remote quality control.

“Two protections are better than one!” The CNIL has also published its guidance on two-factor authentication: “Banking, e-commerce, electronic messaging, social networks: everyone has personal accounts on many websites. Each of them contains personal data, some of which are particularly sensitive”. In two- or multi-factor authentication, “what you know”, (a username/password), can be combined with “what you have”, (a single-use code, a USB token, a smart card). Since the end of 2019, banks and payment service providers in the EU have had to implement multi-factor authentication for most remote actions, (adding a transfer beneficiary, ordering checkbooks, changing an address). The CNIL recommends activating multi-factor authentication each time a service offers it, even if it remains vulnerable to certain sophisticated attacks such as real-time phishing, the interception of SMS messages containing authentication codes, or SIM swapping.

Data breaches, investigations and enforcement actions

The UK Information Commissioner’s Office, (ICO), fined EB Associates Group 140,000 pounds for over 107,000 illegal pension cold calls. The Government banned the practice in 2019 to try and stop people being scammed out of their life savings. The ICO has ordered EB Associates to stop making further illegal calls or face court action. EB Associates did not have the valid consent – freely given, specific and informed – to instigate the making of these calls. Instead, EB Associates contracted the lead generators, (and paid up to 750 pounds for the referrals), to make the calls, knowing the cold calling ban was in place, in order to try and bypass the law.

The ICO has also fined the Cabinet Office 500,000 pounds for disclosing the postal addresses of the 2020 New Year Honours recipients online. The Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information. In 2019 the Cabinet Office published a file on the governmental website containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions as well as celebrities across the UK were affected. After becoming aware of the data breach, the Cabinet Office removed the web link to the file. However, the file was still cached and accessible online to people who had the exact webpage address. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The Italian regulator Garante sanctioned a public transportation company over remote monitoring of workers. An employee complained about the monitoring of staff through the telephone management system of the call center dedicated to customer care. The company had justified the use of these technological tools with the need to verify quality standards and manage any complaints, specifying that it had informed the workers and trade unions. Following an inspection, it emerged that the employees had not in fact been adequately informed. Furthermore, the system was not limited to the management of telephone calls, but also allowed the recording and replaying of telephone calls and the storage, for an unspecified time, of other information such as the duration of calls, numbers contacted, and the date and time of each call. Considering the collaboration offered by the company and the immediate deactivation of the system, the authority applied a fine of 30,000 euros.

Spanish regulator AEPD imposed a fine of 20,000 euros on a business support services company for violating Art. 5 of the GDPR – the unlawful use of fingerprints in changing rooms and toilets. The investigation was initiated following a claim against the installation of fingerprint readers for workplace entrances and exits. Fingerprints fall into a special category, biometric data pursuant to Art. 4 of the GDPR. The use of fingerprints to access changing rooms and toilets was a repeated and continuous unjustified interference in the rights and freedoms of employees, DataGuidance reports.

Romanian regulator ANSPDCP sanctioned a call center, (a data processor), 2,000 euros for violating Art. 29 and 32 of the GDPR. The investigation was initiated as a result of a personal data breach notification transmitted by an operator, (the data controller). The security breach was due to a call center employee erroneously sending to one of the operator’s clients an Excel file containing the data of that operator’s customers who had Internet Banking services. The breach led to unauthorized disclosure of, or unauthorized access to, certain personal data, such as e-mail address, username, user ID, telephone number, customer name and customer code, of 11,169 individuals. It was established that the call center, as the entity authorized by the operator, did not take appropriate measures to ensure that any person acting under its authority and having access to personal data did no processing except at the specific request of the data controller.

In Lithuania, the data protection inspectorate, (VDAI), fined car rental company Prime Leasing UAB 110,000 euros for violating Art. 32 of the GDPR – the obligation to ensure the security of the processing of personal data. The company’s customers complained that personal data had been disclosed on a public forum website. The data had in fact been obtained from an unprotected database backup. Prime Leasing did not assess the associated risk because, it claimed, it was unaware that the file existed in its infrastructure. The VDAI found that the data of around 110,302 users had been disclosed, including names, addresses, telephone numbers, emails, personal identification numbers, payment card type, the last four digits of payment cards, and payment card expiry dates. According to the inspectorate, the confidentiality of personal data stored in the file should have been protected by at least one of the following basic security measures:

  • authenticated access to the file only for the company’s employees;
  • connecting to the repository only from the company’s internal computer network;
  • storage of the file after encryption, (entrusting the encryption keys only to authorized company employees), or proper monitoring of information resources.

The Danish data protection agency published, (only in Danish), a Christmas calendar with 24 “doors” on data protection and security breaches. The first week of December cards included cases relating to health data, webshops and bank hacking, followed by the latest analytics and infographics. Many more doors to open before Christmas Eve!

Opinion

The importance of cybersecurity risk management in private equity, (PE), is analysed by Ropes & Gray LLP:

“As PE firms can potentially hold large amounts of personal data from their portfolio companies, they are not immune from cyber risk. Indeed, the GDPR permits national authorities to fine “undertakings” as a whole, which means that parent companies may be fined for infringements of their subsidiaries.”

According to the analysis, this is a result of the commercial reality that increasing competition limits the time available to conduct pre-deal due diligence. As a result, cyber due diligence for competitive auctions usually takes place post-deal. As a recent example, in 2020 the UK data protection authority fined Marriott 18.4 million pounds for a cyber-attack stemming from a vulnerability in the data processing systems of Starwood, a company Marriott acquired in 2016. Thus, PE firms should test their resilience against realistic mock scenarios they or their portfolio companies might be subject to, such as a supply chain compromise or an extortion-based attack.

Data security

What can starling murmuration teach us about better managing data privacy? Analysis by Gilbert + Tobin lawyers from Australia: “It is not just a pretty stunt; rather, it is an illustration of how optimal outcomes can be produced when intelligence is aggregated and utilised at a group level, an emerging concept known as swarm intelligence”.

Following the theory, machine learning techniques are applied to information shared across a secure, decentralised, and privacy-preserving network to enable intelligence to develop at a group level. Individual systems upload the insights and knowledge they produce to a common network, which incrementally refines a core model that all participants have the benefit of using, (eg, the data is stored locally and only the insights are shared and used centrally). Read more revelations and a case study on medical applications in the original publication.

Human error is the leading cause of serious data breaches, according to a new report released by New Zealand’s Office of the Privacy Commissioner, (OPC). Since reporting of serious privacy breaches became a legal requirement in the country a year ago, the OPC has seen a nearly 300% increase in privacy breach reporting compared to the same 11-month period the year before. Human error has been the leading cause of serious privacy breaches during this period, (61%), with email error accounting for over a quarter of those breaches. Other types of privacy breaches in human error reporting were accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, and postal and courier errors.

Big Tech

Russia’s communications regulator Roskomnadzor has filed cases against US tech firms Google and Meta that could see fines imposed on their annual turnover in Russia, Reuters reports. Russian law allows for companies to be fined between 5% and 10% of annual turnover for repeated violations. Court dates for both companies – neither of which immediately responded to a request for comment – were set for December 24. Russia has increased pressure on foreign tech companies, slowing down Twitter since March and routinely fining others for content violations. Google has paid more than 382,000 euros in fines this year. Google, Twitter and Meta have significantly reduced the number of posts prohibited by Moscow on their platforms. Additionally, Russia has demanded that 13 foreign and mostly US tech companies be officially represented on Russian soil by the end of 2021 or face possible restrictions or outright bans.

The UK competition authority, the CMA, is demanding Facebook sell Giphy, citing risks over users’ data. Facebook, the largest provider of social media sites and display advertising in the UK, acquired Giphy, the largest provider of GIFs, in 2020. The merger would further increase Facebook’s dominance, and Facebook would have benefitted from Giphy’s data collection practices and integration with other services. With the acquisition of Giphy, Facebook could limit the ability of rival apps to compete with Facebook in social media and could demand individuals’ data as a condition for rival companies to use Giphy. In particular, through the acquisition of Giphy, Facebook would potentially be able to:

  • obtain users’ personal data processed via Giphy and potentially combine it with the vast amount of data it already processes to profile users and predict their behaviour;
  • by modifying Giphy’s API, increase the categories of personal data collected;
  • impose on clients, (including Facebook’s competitors in the social media market), conditions for the use of Giphy, preventing clients from protecting their users’ data;
  • increase its capacity to deliver targeted ads both to Giphy’s users and to internet users even outside Facebook’s platform and services, through increased tracking.

The Australian Competition and Consumer Commission is also reviewing the Facebook/Giphy merger.

Facebook plans to force more at-risk accounts to use two-factor authentication. The platform joins Google and others in requiring stronger protections for its most vulnerable users. Facebook’s parent company, Meta, has required since last year that advertising accounts and administrators of popular pages turn on two-factor. “While Meta says that its current initiative applies only to the politicians, activists, journalists, and others enrolled in its Facebook Protect program, this seems like a sort of test for figuring out how to make two-factor authentication as easy as possible for everyone to turn on. Meta is also working to make sure it can help troubleshoot any related issues that may arise for users around the world”, Wired reports.

Personal data and cold calling under the GDPR
https://techgdpr.com/blog/personal-data-cold-calling-gdpr/
Tue, 25 Jun 2019 15:15:25 +0000

The post Personal data and cold calling under the GDPR appeared first on TechGDPR.

A personal data focused analysis of how to practice cold calling in compliance with the GDPR.

Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to outsourcing a floor’s worth of call center advisers. But how can you continue making cold calls when you have purchased personal data?

With lots being said about the GDPR signalling the death of sales and marketing as we know it, it’s hard to make sense of how much room remains for your organisation to call up an unsuspecting prospect in a compliant way. While you can’t avoid raising suspicion as to where the data subject’s number originated from, there is a wide spectrum of practices, ranging from downright non-compliant data collection to a fully fulfilled duty to inform. Though it is limiting to approach the Regulation with a single use case, it remains the best way to avoid opening the floodgates to exceptions. For the purposes of this post, I’ll cite the following example:

Having been called out of the blue by a company offering to teach her online trading, a good friend of mine inquired as to her data protection rights. When she asked the sales agent on the call where he had found her number, he was quick to answer that his boss had provided it. Concerned that, having registered as a job candidate on several job sites in the past, her phone number might have been communicated to the company making the call that day, she also wanted help determining her rights as regards the company to which she had initially entrusted her phone number.

Can personal data be sold and bought under the GDPR?

Inheriting personal data sets from a third party with no proper documentation (e.g.: legal basis for initial collection, records of the duty to inform being fulfilled by the initial controller, recorded consent or readily available consent matrix) is a liability for both the personal data broker and the purchaser. At the very least, records of processing activities should establish a trace of the transaction since personal data sold to a third party is a data transfer to a recipient. Additionally, your organisation will need to prove that subjects were informed this transfer would take place or that you informed them within a month of purchasing their personal data that your organisation now processes it. More on this further on. 

Failing to document what information was communicated and which legal bases apply violates both the data protection principles of lawfulness and transparency and that of purpose limitation, exposing you to the heaviest of fines: 4% of annual turnover. If your organisation has purchased personal data from a third party source, don’t hide that information. To avoid your staff turning down a data subject’s request to know the origin of that data, make sure the staff has been trained to recognize the request as a genuine data subject request. Article 14.2(f) makes it compulsory for organisations to inform data subjects, if requested, of the source of data that was not collected from them directly.

The worst scenario on your call-center floor is for an agent to downplay that request and respond that the subject’s phone number was communicated by their line manager. You may need to review your processes, knowledge base and staff training as to how to handle data subject requests. You would be surprised how many people use built-in or third-party call recorder apps on their phones.

While you can sell and purchase personal data, you have to be very clear about it. Unlike the CCPA, the GDPR does not make it a requirement to disclose that the data will be sold, instead it makes it a requirement to disclose who will be receiving it.

In that respect, the CCPA more explicitly acknowledges the commercial uses of personal data. It makes it a requirement to disclose such uses and to provide subjects with a way to opt their data out of the sale. In this respect, it allows for slightly more traceability in the data supply chain than the GDPR does. Keep in mind that small print at the end of a 10-page privacy policy will not impress authorities. Requirements of concision and clarity can be found in Article 12.1.

Can our organisation cold call data subjects?

Yes, it can.

Central to data protection is your duty to inform. Fulfilling it puts your organisation in line with GDPR’s principle of lawfulness, fairness and transparency (GDPR Art.5.1).

It is likely that the applicable legal basis for processing personal data in your case is legitimate interest. Yet having determined an applicable legal basis does not make you compliant unless the purpose and the legal basis are formally communicated to the data subject.

Can data subjects refuse to be the target of your direct marketing?

Yes, under Article 21.1 of the GDPR, an individual has the Right to Object. While this right is typically designed to put the burden of proof on the controller to show that its processing of personal data is done in the controller’s legitimate interest, the data subject also has the right to outright object to the use of their data for direct marketing. This means that your company will have to mark the personal contact data to prevent it from being used for that purpose. This is one of the only technical and organisational measures made explicit in the GDPR. Apply it if the data is nonetheless required to serve other purposes, such as the performance of a contract. Should the data serve no other purpose, the best practice principles of data minimization and purpose limitation dictate the complete deletion of the personal data.

As hinted above, do not expect the data subject to officially formulate a deletion or objection request via your data protection officer. Treat their request on the phone as officially as you can. This naturally raises the bar for staff compliance training.

Must I perform my duty to inform during the call?

Where the CCPA does not make it compulsory for organisations to disclose having transferred or sold data unless the subject requests to know, the GDPR makes it a requirement to inform proactively about the transfer of personal data to a third party or recipient.

While a strict reading of the GDPR might lead you to believe that you should read your complete privacy policy out on the phone, in reality the situation is not that extreme, but it needs to be broken down a little.

If, prior to the call, you have collected the contact information from the data subject, you will have already informed them, and collected consent (if such is your legal basis), on the purpose of processing. On the call itself, you might be inclined to remind the data subject of the legal base on which you are currently operating but there is no GDPR provision making this a requirement other than building trust and plain courtesy.

If you have not collected the data from the data subject but amassed their contact details from a different source, or a third party, then you should inform data subjects of your full identity and contact details, what data you have collected, under what legal basis (or bases) you have done so, what retention period governs that data processing, and what rights the data subjects can exercise. GDPR Art. 14.3(a) sets the time frame for the duty to inform to within a reasonable period after obtaining the personal data, and no more than one month.

Should you place a call to the data subject before having informed them of the above, you should understandably be prepared to read this information out to them and facilitate the exercise of their data subject rights (GDPR Art.12).

A full list of elements your communication should include is available in Articles 12 to 14.

What if the data subject actually consents to their data being used when on call?

Technically, you could record the call to document consent, but consent for that form of data collection (audio recording) would first be needed. Recording a call is nothing short of collecting biometric and personal data and, in many cases, transferring that data to servers or cloud services across the Atlantic. If your cloud provider is not listed under the EU-US / Swiss-US Privacy Shield and no other legal instrument allows for that transfer, the call recording would fail the compliance test on many levels.

A best practice often witnessed involves sending an opt-in email immediately after the call which recaps the essence of your phone conversation: what you agreed to share, the data the subject consented to disclosing, and the purposes stated. You might want to consider including the date on which the conversation took place in the body of the text, i.e. not relying on the email client’s automated time stamp.

Yes, your organisation can sell or purchase personal data and place cold calls.

The GDPR prohibits both forms of personal data processing only when they are carried out unlawfully.
Unlawful data processing in the case of direct unsolicited marketing by phone is characterized by depriving data subjects of their rights, violating the data protection principles of fairness, transparency and accountability, failing to inform them upon acquisition or collection of their data, depriving them of information when you first come into contact with a subject’s personal data, and not supporting them in the exercise of their rights. If you have these items under control, you’re good to proceed with a fair degree of confidence in your compliance.

If you need help with reviewing your data protection practices, your data flows, your compliance documentation and call center staff or management training, get in touch.

TechGDPR specialises in digitised environments and products including AI, machine-to-machine / IoT transactions and Blockchain applications. We offer consulting packages, hourly support, staff training and workshops.

