connected device Archives - TechGDPR
https://techgdpr.com/blog/tag/connected-device/
Wed, 11 Jun 2025 12:03:14 +0000

Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy
https://techgdpr.com/blog/data-protection-digest-18042025-meta-ai-training-restarts-in-europe-virtual-assistants-vs-data-privacy/
Fri, 18 Apr 2025 07:59:21 +0000

Meta AI training in EEA

According to the Norwegian regulator Datatilsynet, Meta will start training its AI service on photos, posts and comments from Facebook and Instagram users in the EEA at the end of May 2025. The purpose of the training is to develop and improve Meta’s generative AI services, based on users’ content and their interactions with Meta’s AI services. Only content that has been published publicly will be used, and only photos and posts from users over the age of 18; both historical and future public content is in scope. If you do not want your posts and photos to be used to develop Meta’s AI, you can object. If you have both a Facebook and an Instagram account, or several accounts, the objection covers all of them provided they are linked in the same ‘Account Center’. You do not need to justify the objection, and Meta has stated that it accepts all objections.


GDPR supervision in Germany to be eased?

According to a DLA Piper analysis, the incoming German government plans to centralise the country’s data protection supervisory structure and to ease the regulatory burden for small and medium-sized companies. Responsibility and competence for the private sector in all 16 federal states are to be bundled into the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

Therefore, there would be no need to report data security breaches to multiple state supervisory authorities where impacted data subjects reside, and data controllers and processors would only need to collaborate with one national supervisory authority. The German plan coincides with the recent announcement of the Commission’s plans to amend or simplify some obligations for small and medium-sized companies, among others, under the GDPR. 

More legal updates

Cloud computing and data sharing in the EU: Ahead of the Data Act becoming applicable on 12 September 2025, the Commission is providing guidelines on non-binding Model Contractual Terms (MCTs) for data sharing and Standard Contractual Clauses (SCCs) for cloud computing contracts. These B2B models are intended to help in particular small and medium-sized companies and other organisations that may lack the resources to draft and negotiate fair contractual clauses. The Commission also seeks feedback on the preparatory work for the Cloud and AI Development Act and on a single EU-wide cloud policy for public administrations and public procurement. It would like to gather stakeholders’ views on the EU’s capacity in cloud and edge computing infrastructure, especially in light of increasing data volumes and demand for computing resources, both fuelled by the rise of compute-intensive AI services. Submissions are open from 9 April to 4 June.

EU cybersecurity: To strengthen the EU’s resilience against rising cyber threats, the Commission seeks input to evaluate and revise the 2019 Cybersecurity Act. The initiative reflects the Commission’s ongoing commitment to simplifying the rules and facilitating their implementation. Interested parties, including Member State competent authorities, cybersecurity authorities, industry and trade associations, researchers and academia, consumer organisations and citizens, are invited to give their views on the Have Your Say portal until 20 June. In parallel, following the publication of the Action Plan in January, the Commission seeks contributions on enhancing cybersecurity for hospitals and healthcare providers and on the implementation of the European Health Data Space. Citizens, healthcare professionals, healthcare authorities, patients, compliance and data privacy professionals, cybersecurity professionals, organisations and academia, among others, are invited to share their views. The deadline for contributions is 30 June.

EDPB on blockchain technology

The EDPB has adopted long-awaited guidelines on the processing of personal data through blockchain technologies. A blockchain is a distributed digital ledger that can confirm transactions and establish who owns a digital asset (such as cryptocurrency) at any given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability. Depending on the purpose for which blockchain technology is used, different categories of personal data may be processed.

The guidelines highlight, among other things, the need for Data Protection by Design and by Default and for adequate organisational and technical measures. As a general rule, storing personal data on a blockchain should be avoided where this conflicts with the GDPR: an append-only ledger cannot be edited or purged, which collides directly with data subjects’ rights to rectification and erasure. The guidelines provide examples of techniques for data minimisation and for handling and storing personal data, such as keeping the data itself off-chain and recording only a reference to it on the ledger.
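The off-chain pattern above, as an added example that is not code from the EDPB guidelines or from any blockchain project: the personal data and a per-record random key live in an erasable store, and only a keyed commitment (HMAC-SHA256) is appended to the ledger. Erasure destroys the record and its key; the orphaned commitment stays on the ledger but can no longer be recomputed from a guessed value, unlike a plain hash. The `Ledger` class is a stand-in for a real chain, the record is constructed, and whether key destruction satisfies the right to erasure in a given case is a legal judgement this digest does not make.

```python
"""Keyed commitment next to an append-only ledger (added example).

Assumptions: an in-memory list stands in for the blockchain; records are small
JSON objects; a 256-bit random key per record is stored off-chain only.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


class Ledger:
    """Stand-in for a blockchain: entries can be appended, never changed or removed."""

    def __init__(self):
        self.entries = []

    def append(self, commitment: str) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1  # the position acts as the on-chain reference


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always commits to the same value.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_commit(record: dict) -> str:
    """Plain SHA-256: anyone who can guess the record can recompute and link it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_commit(record: dict, key: bytes) -> str:
    """HMAC-SHA256 under a per-record random key: no key, no recomputation."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class OffChainStore:
    """Erasable store holding the personal data and the per-record keys."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}  # ledger index -> (record, key)

    def register(self, record: dict) -> int:
        key = secrets.token_bytes(32)
        idx = self.ledger.append(keyed_commit(record, key))
        self.records[idx] = (record, key)
        return idx

    def verify(self, idx: int, record: dict) -> bool:
        """True if the ledger entry commits to `record`; needs the off-chain key."""
        if idx not in self.records:
            return False
        _, key = self.records[idx]
        return hmac.compare_digest(self.ledger.entries[idx], keyed_commit(record, key))

    def erase(self, idx: int) -> None:
        """Honour an erasure request: destroy data and key; the ledger is untouched."""
        self.records.pop(idx, None)


def guess_links(commitment: str, guess: dict, key: Optional[bytes] = None) -> bool:
    """Attacker's check: does a guessed record reproduce the on-chain commitment?
    With the keyed scheme the attacker would have to find the 256-bit key first."""
    recomputed = keyed_commit(guess, key) if key is not None else unkeyed_commit(guess)
    return hmac.compare_digest(commitment, recomputed)


def demo() -> dict:
    record = {"name": "Alice Example", "email": "alice@example.invalid"}  # constructed
    ledger = Ledger()
    store = OffChainStore(ledger)
    idx = store.register(record)
    results = {
        "verify_before_erasure": store.verify(idx, record),
        "unkeyed_hash_linkable_by_guess": guess_links(unkeyed_commit(record), record),
        "keyed_commit_linkable_with_wrong_key": guess_links(
            ledger.entries[idx], record, secrets.token_bytes(32)),
    }
    store.erase(idx)
    results["verify_after_erasure"] = store.verify(idx, record)
    results["ledger_entries_after_erasure"] = len(ledger.entries)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same caveat the guidelines make applies here: as long as the off-chain record and key exist, the on-chain commitment remains personal data, because the controller can link it back. The scheme only helps if erasure really does destroy the key everywhere, backups included.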

Consent management

The Consent Management Ordinance in Germany came into effect on 1 April. It regulates obligations for trusted consent management service providers: it mandates that certain recognised services store user settings and allows voluntary integration by digital service providers. It also protects users’ data portability rights and restricts consent management services from processing personal data beyond the purpose for which it was originally collected and stored. 

Data breach statistics

The Estonian data protection regulator estimates that in the first quarter of 2025, the number of breach reports compared to the same period in 2024 increased by 48%. In January, February and March, organisations notified the agency of a total of 65 data breaches. In 30 cases, the breach involved the public sector or an agency they manage. The most common causes since the start of the year are negligence and human error, technical errors in information systems, and unlawful access to personal data caused by cyberattacks. In particular:

  • There were cases where employees abused the access rights granted to them to perform their duties. Requests to view personal data are made both out of curiosity and to distribute it on various social networks or leak it to the press.
  • An employee who left an educational institution, being the sole administrator of the school’s Facebook group, refused to transfer the group’s administration rights to the school. He changed the group’s name and smeared his former employer there.
  • A popular e-learning environment used in schools was the target of a cyberattack in which the attacker, likely reusing credentials obtained from earlier data leaks unrelated to the learning environment, attempted to take over users’ accounts. Multi-factor authentication was not mandatory on the platform.

More from supervisory authorities

AI Privacy Risks and Mitigation: To help developers and users of large language model-based systems handle privacy issues, the EDPB provides a new practical guide. The paper offers organisational and technical measures to maintain data protection following GDPR Art. 25 – Data protection by design and by default, and Art. 32 – Security of processing. The guideline, however, is not meant to replace a Data Protection Impact Assessment (DPIA), following GDPR Art. 35. Instead, by addressing privacy issues unique to LLM systems, it enhances the DPIA process. 

Mobile apps: The French CNIL published a modified version of its recommendations to better protect privacy in mobile applications, adopted in 2024, (in French). It is aimed at professionals working in the mobile application sector in the role of data controllers and processors, namely: a) app publishers; b) app developers; c) software development kit (SDK) providers; d) operating system providers; e) app store providers. This recommendation covers all types of applications, which can be: 

  • “native”, developed in the programming language specific to the operating system on which they run;
  • “hybrid”, developed with languages and technologies from web programming and then packaged into an application using specific tools;
  • “progressive web” (PWA), dynamic web pages presented to the user in the form of apps.

AI public sandbox: The CNIL has also published the results of its “sandbox” programme, which offers personalised support to organisations seeking advice on how to deploy an innovative project: 

  • France Travail’s tool, (French unemployment agency), helps its advisors to offer a personalised training course adapted to the needs of job seekers. 
  • Nantes Metropole’s Ekonom’IA project: raising awareness among residents about their water consumption levels through an AI program; and 
  • The RATP’s, (Paris transport operation company), PRIV-IA project: studying algorithmic processing of images from new video capture technologies (so-called Time-of-flight cameras). 

Emotion recognition under the AI Act


A recent analysis by DLA Piper examines two real-world uses of emotion recognition in work environments to highlight the effects of the recently adopted EU AI Act. The first case study uses emotion analysis on sales conversations: a global company’s chief revenue officer, based in the US, wants to roll out software that gives staff worldwide consistent sales training by comparing the calls of top performers with those of the lowest performers.

In the second case study, a busy consulting business wants to use a remote application and onboarding process to broaden its pool of candidates to people applying for wholly remote positions. The company is eager to implement software that schedules interviews through a platform with AI-powered capabilities, one element of which analyses applicants’ tone of voice, facial expressions and other non-verbal indicators. Both scenarios engage the AI Act’s prohibition (Art. 5(1)(f)) on AI systems that infer the emotions of natural persons in the workplace, which has applied since 2 February 2025, save for medical or safety reasons.


In other news

Brute force attack: The UK’s Information Commissioner’s Office has fined the law firm DPP Law Ltd 60,000 pounds following a cyber-attack that resulted in highly sensitive and confidential personal information being published on the dark web. The brute-force attempts targeted an administrator account on a legacy case management system that was only intermittently exposed online. At the time of the incident DPP enforced multi-factor authentication for connecting to its network via VPN, but the administrator account itself had no MFA because it was used as a service account. A service account that cannot use MFA needs compensating controls instead: no direct internet exposure, a long random credential, lockout or rate limiting on failed logins, and alerting on repeated failures.
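Both the Estonian e-learning incident above (an attacker trying leaked credentials across many accounts) and the DPP case (repeated guesses against one administrator account) leave the same footprint in authentication logs. The detector below is an added example, not code from either regulator: it replays a constructed log (the line format, addresses and thresholds are assumptions for the example) and raises an alert for a run of failures against one account from one source, for one source failing against several distinct accounts within a short window, and for any later successful login from a source already flagged.

```python
"""Brute-force and credential-stuffing detection over auth log lines (added example).

Assumed log format, one line per attempt:
    <ISO-8601 UTC timestamp> auth <ok|fail> user=<name> src=<address>
The thresholds and the 10-minute window are illustrative and should be tuned
to the normal failure rate of the system being monitored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a benign typo, a brute-force run against an admin account
# that ends in a successful login, and a credential-stuffing run that walks
# through leaked usernames from one address until one of them works.
SAMPLE_LOG = """\
2025-03-02T01:00:01Z auth fail user=alice src=192.0.2.5
2025-03-02T01:00:09Z auth ok user=alice src=192.0.2.5
2025-03-02T01:10:00Z auth fail user=admin src=203.0.113.7
2025-03-02T01:10:20Z auth fail user=admin src=203.0.113.7
2025-03-02T01:10:41Z auth fail user=admin src=203.0.113.7
2025-03-02T01:11:02Z auth fail user=admin src=203.0.113.7
2025-03-02T01:11:25Z auth fail user=admin src=203.0.113.7
2025-03-02T01:11:47Z auth fail user=admin src=203.0.113.7
2025-03-02T01:14:30Z auth ok user=admin src=203.0.113.7
2025-03-02T02:00:00Z auth fail user=alice src=198.51.100.9
2025-03-02T02:00:03Z auth fail user=bob src=198.51.100.9
2025-03-02T02:00:06Z auth fail user=carol src=198.51.100.9
2025-03-02T02:00:09Z auth fail user=dave src=198.51.100.9
2025-03-02T02:00:12Z auth ok user=dave src=198.51.100.9
some unrelated log line that the parser must ignore
"""


def parse(lines):
    """Return (timestamp, result, user, src) tuples in time order; skip other lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(lines, window=timedelta(minutes=10), fail_threshold=5, stuffing_threshold=3):
    """Return a list of (kind, src, user, timestamp) alerts.

    brute_force:          >= fail_threshold failures for one (src, user) inside the window
    credential_stuffing:  one src fails against >= stuffing_threshold distinct users
    success_after_attack: a login succeeds from a src that was already flagged
    """
    pair_fails = defaultdict(list)   # (src, user) -> failure timestamps inside the window
    src_fails = defaultdict(list)    # src -> (timestamp, user) failures inside the window
    flagged, alerted, alerts = set(), set(), []
    for ts, result, user, src in parse(lines):
        if result == "ok":
            if src in flagged:
                alerts.append(("success_after_attack", src, user, ts))
            continue
        # Sliding window per (src, user): drop failures older than `window`.
        q = [t for t in pair_fails[(src, user)] if ts - t <= window] + [ts]
        pair_fails[(src, user)] = q
        if len(q) >= fail_threshold and ("brute_force", src, user) not in alerted:
            alerted.add(("brute_force", src, user))
            flagged.add(src)
            alerts.append(("brute_force", src, user, ts))
        # Sliding window per src: count distinct accounts tried, not attempts.
        s = [(t, u) for t, u in src_fails[src] if ts - t <= window] + [(ts, user)]
        src_fails[src] = s
        if len({u for _, u in s}) >= stuffing_threshold and ("credential_stuffing", src) not in alerted:
            alerted.add(("credential_stuffing", src))
            flagged.add(src)
            alerts.append(("credential_stuffing", src, None, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:22s} src={src} user={user}")
```

The `success_after_attack` rule is the one worth paging on: a flagged source that subsequently logs in is the signature of both incidents above, and it fires whether or not the account had MFA.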

Search services: Sweden’s IMY has received a large number of complaints against search services that publish personal data about the Swedish population. Many concern services that publish information about violations of the law, such as criminal convictions. IMY is now initiating inspections of two of these services: Lexbase.se and krimfup.se. In a 2024 legal opinion, IMY concluded that it is competent to review search services holding a so-called certificate of publication, and the Supreme Court recently ruled that releasing large numbers of criminal convictions online is not compatible with EU law.

Unwanted insurance: The Romanian data protection authority fined Banca Transilvania SA the equivalent of 5,000 euros after a complaint that the complainant’s data had been processed without consent for an insurance policy arranged by the bank. Although the complainant had terminated his real estate loan contract, he was erroneously issued a new natural-disaster insurance policy ancillary to the terminated loan.

Employee email accounts

The Maltese regulator IDPC published a set of FAQs on the management of employee email accounts once an employee leaves an organisation. While employers have a legitimate interest in maintaining business continuity after an employee’s departure, the employer’s operational concerns must be balanced against the data protection rights of outgoing employees and of any other individuals involved, as set out in the GDPR. This includes handling work email accounts in a manner that is proportionate and transparent and that respects the confidentiality of any personal correspondence in the account. The FAQs address common real-life questions such as:

  • Can an employer set up automatic email forwarding following an employee’s departure?
  • Can an employer set up an automatic reply message following an employee’s departure?
  • As an employer, what are some general practical steps I can take to manage employee email accounts in a manner that complies with the GDPR?

In case you missed it 


AI assistants: Privacy International questions whether we can trust the developers of AI assistants to protect our privacy and security. AI assistants need access to apps, data and device services to deliver on their promise of acting as agents that do work for us. This is a significant change from existing apps and voice assistants, which request narrowly scoped permissions: the messaging app Signal asks for access to your contacts to identify people with a Signal account you haven’t talked to, and a navigation app needs your phone’s location services and hardware to guide you. 

What makes an AI Assistant different from apps is the level of access they constantly require to function. Prioritising automation as one of the main goals/features of AI assistants means that developers will be tempted to allow processing of your data with the lowest amount of friction possible.  

Opt out from Tesla processing your data: Lastly, a piece from The Guardian examines how Tesla owners may safeguard their data and privacy. A connected car has to collect a great deal of information about you for its features to work, and a detailed picture of your life and movements can be assembled from the data its GPS trackers, sensors and other devices send. The Guardian studied Tesla’s privacy policy, talked to privacy experts, and even asked the company’s AI chatbot how to share as little data as possible with Tesla. There are some safety measures you can and, in many situations, ought to take if you own a Tesla. However, adjusting the settings so that you share the least possible amount of data with Tesla will shut off access to many of the car’s functions.

The post Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy appeared first on TechGDPR.

Data protection digest 18 Mar – 2 Apr 2025: 23andMe bankruptcy case, digital spring cleaning
https://techgdpr.com/blog/data-protection-digest-04042025-23andme-bankruptcy-case-digital-spring-cleaning/
Fri, 04 Apr 2025 08:35:36 +0000

23andMe genetic data

The genetic testing company 23andMe filed for bankruptcy in the US after struggling with weak demand for its ancestry testing kits and a 2023 data breach that damaged its reputation, Reuters reports. US officials had questioned what would happen to the genetic data collected by 23andMe, given that the company’s privacy policy states the data could be sold to other companies. 23andMe reassured customers that the bankruptcy process will not affect how it stores, manages or protects customer data. 

Given the uncertainties about the future of the company, the amount of data it has, and the risks inherent in the use of these tests, the French CNIL presents the procedure to follow to have your data permanently deleted in your profile settings. Also, the purchase of a genetic test on the Internet by people residing in France is punishable by a fine of 3,750 euros. Similarly, carrying out a genetic test outside the medical and scientific fields is prohibited and punishable by a fine of 15,000 euros and one year in prison for people or companies offering these tests.

Digital spring cleaning in Germany

Digital documents and paper files containing personal data may only be retained for as long as necessary, reminds the Hamburg data protection authority. At least once a year, taking stock of what’s still stored and whether this data or files will be needed for longer is recommended. Professional data processors handle this automatically. Where no automated routines are in place, deletion must be done manually.

German companies and authorities should also check whether their deletion routines already take into account the new statutory retention periods that apply from 2025 under the Fourth Act to Reduce Bureaucracy. Some retention periods have been shortened by federal lawmakers, so the affected data must also be removed sooner. Among other things, the German Commercial Code and the German Fiscal Code have been amended: accounting records, the most significant group in practice, must now be kept for eight years rather than the previous ten before being destroyed.

BCRs approval

The procedure for approving Binding Corporate Rules for controllers and processors, covering intragroup transfers of EU personal data to non-EU countries, is laid down in Art. 47, 63, 64 and 65 of the GDPR. BCRs are approved by the competent supervisory authority through the consistency mechanism, under which the EDPB issues a non-binding opinion on the draft decision of that regulator. As the corporate groups applying for BCR approval may have entities in more than one Member State, the procedure involves all the supervisory authorities concerned in the countries from which data are transferred. The EDPB has now revised its approval process to shorten the time it takes for BCRs to be approved. 

Privacy policy shortcomings


The Latvian data protection inspectorate DVI conducted a preventive inspection of the privacy policies published on the websites of thirty Latvian-registered merchants whose main activity is related to retail sales by mail order or in online stores. The content of the privacy policies was checked for compliance with the requirements of Art. 13 and 14 of the GDPR. At least some shortcomings were found in each inspected document.

The regulator assumes that it is initially more difficult to prepare such a document because there is not sufficient understanding of its necessity and content. At the same time, it reminds controllers that their responsibility for customers’ data is proven not by a written statement that it processes data appropriately but by clear implementation of the rules. Other shortcomings in the published policies were related to the failure to provide or incorrect provision of information, particularly the contact information of the supervisory authority, the rights of the data subject, information about processors and partners to whom the customer’s data has been transferred, but most often involving incorrectly specified purposes and lawful grounds for data processing. 

Data breach form

The Corporate Data Protection Association, (Switzerland), has published a data breach report template. Data security breaches can trigger various reporting obligations under the Swiss Data Protection Act, the EU’s GDPR, the new Swiss Information Security Act, and the EU NIS2 Directive. The template is intended to contribute to the practical implementation of digital regulatory requirements and can be used freely by companies. The template is initially available in German. An English version is currently being developed.

More from supervisory authorities

Online stores security: The Lithuanian regulator VDAI meanwhile monitored the security measures applied to personal data processed by online stores and issued recommendations: a) ensure control over the management of access rights; b) develop and implement effective data deletion; c) use strong encryption, both in transit and at rest; d) improve change management processes (eg, when implementing new systems); e) regularly review and update policies in line with the latest legal requirements and best practices.

Connected cars: Modern cars act as “chatterboxes on wheels”, collecting information on everything from your daily routines to biometric data. How does this affect the protection of your data? The Danish Datatilsynet advises you to check the privacy settings on your automobile carefully and to be cautious about sharing personal information:

  • Unclear consent (Many drivers are forced to accept terms of use that require the sharing of personal data to use the car’s features).
  • Data abuse (Data about your driving and location may end up with third-party companies or there is a risk that hackers will gain access).
  • Targeted marketing (Car manufacturers can share your data with companies without your full knowledge).
  • Negative impact (Worse insurance terms, warranty termination, shutdown of services).

Multi-factor authentication (MFA): The French CNIL has published recommendations to support users and providers of multi-factor authentication solutions (in French). In particular, it explains: 

  • the conditions under which MFA is an appropriate response to a security need;
  • how to comply with GDPR principles, including legal basis, data minimisation, retention periods and the exercise of data subjects’ rights;
  • how to determine the qualification of the actors involved (controller or processor);
  • how to choose between authentication factors (knowledge, possession, inherence) and ensure their GDPR compliance.


Honda privacy fine

The California Privacy Protection Agency, (CPPA), has issued a decision that requires American Honda Motor Co. to change its business practices and pay a 632,500-dollar fine to resolve claims that the company violated the CCPA. The investigation arose from the Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies. Honda violated Californians’ privacy rights by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt out of sale or sharing and the right to limit the use of sensitive personal information;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorise other individuals or organisations to exercise their privacy rights; and
  • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

Human research samples

Finland’s Data Protection Commissioner has requested information from the University of Helsinki on how it has implemented the transfer of data related to human research samples to a Chinese company. The regulator is investigating whether the university protected personal data in the manner required by data protection legislation when the data was transferred to China. According to the University of Helsinki, it has purchased genetic analysis services from the Chinese genetic technology company BGI Group.

No adequacy decision has been made for China, and the European Commission has not yet examined the level of data protection in China, (in connection with the Irish investigation into TikTok). At the moment, personal data can be transferred freely within the European Economic Area. Data can also be transferred directly to a country for which the Commission has made a so-called adequacy decision. These include the US, the UK, Japan and South Korea.

More enforcement decisions

Apple ATT sanction: The French Competition Authority fined Apple for abusing its dominant position through the implementation of its App Tracking Transparency (ATT) framework. In its competitive analysis, the authority took into account the opinions issued by the data protection regulator CNIL. Since 2021, app publishers who want to track users for advertising purposes across multiple apps or sites have had to obtain explicit permission through a partially standardised prompt designed by Apple.

The competition authority acted on complaints from several online advertising trade associations. It found that the way ATT was implemented was neither necessary nor proportionate to Apple’s stated objective of protecting personal data, given the constraints it placed on publishers and users. The CNIL had previously considered that the ATT system could be adapted to allow actors to obtain valid consent within the meaning of the GDPR and, in particular, to avoid double solicitations.

Software provider fine: The UK’s ICO has fined Advanced Computer Software Group Ltd (Advanced) 3.07m pounds for security failings that put the personal information of 79,404 people at risk. Advanced provides IT and software services to organisations including the NHS and other healthcare providers, and processes personal information on their behalf. The fine relates to a ransomware incident in August 2022, in which attackers accessed systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication. The attack was widely reported at the time, with disruption to critical services and to access to patient records.

Scientific research and data reuse

The EDPB has published a final study on the secondary use of personal data in the context of scientific research, which highlights the lack of a uniform approach among Member States. The legislation analysed was not limited to the GDPR: it included international agreements or instruments containing data protection rules (such as Council of Europe Convention 108+), ethical standards (such as the World Medical Association’s Declaration of Helsinki) and EU sectoral legal frameworks (e.g. on clinical trials and biobanks). 

AI cameras in shops

According to the CNIL, some tobacconists in France have deployed AI-based cameras to estimate the age of customers and avoid the sale of prohibited products to minors. In practice, these cameras scan the person’s face at the time of purchase to assess whether they are a minor or an adult and inform the merchant using a warning light (e.g. a green or red light). The use of these devices pursues a dual objective of public interest: protecting young people and the preservation of public health. However, the fact that this verification is carried out through algorithmic processing of automated image analysis is not trivial and may entail risks for the protection of personal data and the privacy of individuals.

In case you missed it 

US technology risks: The Netherlands’ House of Representatives approved a resolution on risk assessments and exit strategy for US tech corporations’ cloud services on March 18. According to the motion, all government cloud services that are now purchased from American suppliers must go through a risk assessment and, if required, have a written exit strategy that enables them to switch to Dutch or European providers. By the end of 2025, this procedure is expected to be finished.

Outdated IT systems and AI: According to the Guardian newspaper, the UK government’s goal to increase efficiency by integrating AI into every aspect of its operations runs the risk of being hampered by outdated technology, low-quality data, and a shortage of qualified personnel. The cross-party public accounts committee report revealed that over 20 government IT systems were classified as “legacy,” which means outdated and unsupported. A January official strategy for the technology, however, called for the government to “rapidly pilot” AI-powered services, claiming that doing so would boost productivity. 

The post Data protection digest 18 Mar – 2 Apr 2025: 23andMe bankruptcy case, digital spring cleaning appeared first on TechGDPR.

Data protection digest 31 July – 14 August 2023: privacy laws development, AI evaluations at school, and security of connected devices
https://techgdpr.com/blog/data-protection-digest-14082023-privacy-laws-worldwide-ai-measuring-school-progress-and-security-of-connected-objects/
Mon, 14 Aug 2023 09:00:47 +0000

In this issue you will find that China is tightening controls on generative AI, India is finalising its comprehensive privacy law, and California is reviewing the data privacy practices of connected vehicle manufacturers and related technologies.

Legal processes and redress

China privacy laws updates: The Cyberspace Administration of China has issued draft administrative measures for personal data compliance audits for public comment. In the case of high-risk processing operations or security incidents, the department in charge of personal data protection (under the PIPL) may order the organisation to commission the compliance audit from a professional institution. Otherwise, businesses may perform audits themselves or entrust them to a recognised professional institution; however, the same institution may not perform more than three consecutive compliance audits for the same organisation. Companies that process the personal information of more than one million people must complete an audit at least once a year. 

China has considerably tightened controls on information sharing in recent years, particularly data transfers abroad, on the grounds of national security.

China generative AI: In parallel, China passed innovative legislation to govern generative AI. Interim Measures for the Management of Generative AI Services go into effect on 15 August. They apply to broad public services in China and hold firms accountable for the output of their platforms. The data used to train the systems will have to fulfil certain stringent conditions, not addressed in previous legislation, Deacons lawyers clarify:

  • Providers of generative AI must take responsibility for network information security, personal data protection, and produced content quality. 
  • Service providers are liable for the created material and are obliged to ban and report unlawful and illegally linked information. 

Technology created in research institutes or destined for export will be excluded. 

Swiss privacy law revised: On 1 September, the revised Federal Act on Data Protection comes into force; the current law remains in force until 31 August. Major changes include criminal liability for breaches of obligations, a reinforced duty for data controllers to inform data subjects, data protection impact assessments for high-risk processing in both the public and private sectors, fees for private data processors, additional duties and powers for the regulator, and more.

India comprehensive privacy law: The Digital Personal Data Protection Bill 2023 has been passed by parliament and has received presidential assent. It applies to the processing of digital personal data within India where such data is collected online, or collected offline and then digitised. It also applies to such processing outside India if it is for offering goods or services in India. Personal data may be processed only for a lawful purpose and with the consent of the individual; consent is not required for specified legitimate uses, such as the voluntary sharing of data by the individual or processing by the state. The main criticisms of the bill include:

  • The bill exempts data processing on grounds of national security which may lead to data collection, processing, and retention beyond what is necessary. 
  • The bill also does not grant the right to data portability and the right to be forgotten. 
  • The bill allows the transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in certain countries.
  • The bill does not regulate risks of harm arising from the processing of personal data.

More analysis by PRS Legislative Research is available in its summary of the bill.

Official guidance

Google Analytics: Using a tool such as Google Analytics requires more than a lawful transfer to the United States (now possible following the European Commission's adequacy decision), the Danish data protection authority states. Beyond third-country transfers, a large number of GDPR requirements must be met: among other things, you need to establish a legal basis for the processing, define the data processing roles and conclude the corresponding agreements, fulfil data subject rights, and much more.

Rights to data portability and restriction of processing: The wide range of digital services often leads to the desire or need to change service provider, so it is worth knowing that we have a right to data portability. However, the Latvian data protection agency reminds us that this option is available only if: a) the organisation's processing of the personal data is based on your consent or on a contract with you; b) the data was provided by the person themselves; and c) the data concerns the person making the request.

Similarly, a person may face a situation where they need not delete personal data, but limit its processing. A situation may arise when an organisation holds personal data which is either inaccurate or out of date. If a person believes that their data is being processed illegally, they can also ask for its deletion or restriction of processing. There might be cases when the company does not need your personal data, but you need them to keep it, (eg, video surveillance records that a store normally deletes after a certain period of time but agrees to keep separately for police investigation needs). 

Finally, you can always ask to limit the processing of your data if you doubt that the legitimate interests of the controller are more important than your right to data protection. 

Harmful online design: The UK Information Commissioner’s Office and Competition and Markets Authority are calling for businesses to stop using harmful website designs that can trick consumers into giving up more of their data than they would like. It includes:

  • overly complicated privacy controls,
  • default settings that give less control over personal information, and
  • bundling privacy choices together in ways that push consumers to share more data.

Where consumers lack effective control over how their data is collected and used, this can harm consumers and also weaken competition. Lack of consumer control over cookies is a common example of harmful design. 

Parental control and connected devices: The French data protection regulator CNIL has issued an opinion on the decrees implementing parental control over means of accessing the Internet, including the functionalities that parental-control tools will have to integrate on connected devices (smartphones, computers, video game consoles): blocking the download of applications and blocking access to content already installed on the device. Activation must be offered free of charge from the first commissioning of the device, and the tools must integrate data protection by design and by default. The CNIL recommends two mandatory features, to be activated according to the maturity of the minor, to protect children when browsing the web:

  • blacklists to block access to sites or categories of sites previously determined by parents; and
  • whitelists to limit browsing to only previously authorized sites (for the youngest category). 

Enforcement decisions

TikTok in the EU: The EDPB has settled a dispute over TikTok's processing of children's data. The binding decision resolves the objections raised by other supervisory authorities to the draft decision of the Irish (lead) supervisory authority regarding the processing of registered minors' personal data, including that of users under 13. The objections centred on whether there had been an infringement of data protection by design and by default with respect to age verification and other design practices. The binding decision may result in a fine and other reprimands for the social media giant, which will be announced in the coming weeks.

AI at schools: In Canada, a case detailed by Osler's lawyers considers the privacy of children in educational institutions when they are exposed to AI tools. In collaboration with a consulting firm, a school board developed an algorithm to identify students at high risk of dropping out: a machine learning method analyses hundreds of types of raw data from a student database to generate a set of predictive indicators. According to the investigating commission, this processing violated the purpose limitation principle.

When the data was originally collected, students and their parents were not informed of, and hence did not consent to, its use to build predictive indicators of dropout risk. Even though the data was used for a purpose compatible with the school board's goal of ensuring academic achievement, the regulator ordered the board to delete the tool's existing output and requested that it carry out a privacy impact assessment before deploying the tool. More information on the case may be found in the original publication.

Police data leak: According to BBC News, the Police Service of Northern Ireland (PSNI) has apologised for inadvertently disclosing the personal information of all of its roughly 10,000 personnel. In response to a Freedom of Information request asking for a breakdown of all employee ranks and grades, the organisation published not only a table showing the number of personnel holding each role, such as constable, but also a spreadsheet containing the surnames, initials, locations and roles of every police officer and member of civilian staff.

Carbon copy and sensitive data: The UK Information Commissioner's Office has reprimanded two Northern Irish organisations for inappropriately disclosing people's information via email. Both the Patient and Client Council and the Executive Office disclosed personal details by using the wrong group email options. In the first case, the organisation sent an email to 15 people, each of whom had lived experience of gender dysphoria, using the carbon copy (cc) field; recipients could reasonably infer from their own inclusion that the other recipients also had experience of gender dysphoria. In the second case, following the report of the historical institutional abuse inquiry, the organisation sent an e-newsletter to 251 subscribers using the 'to' field. Those addressed were likely to be victims and survivors, as the newsletter content was tailored to survivors who wished to engage, or were already engaging, with the compensation scheme.
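Both reprimands come down to the same mechanical mistake: placing a sensitive group of recipients in To or Cc, where every recipient can read the whole list. The following is an added example, not code from the ICO or from either organisation. It inspects an outgoing message before submission, reports how many recipients are mutually visible, and rewrites a bulk mailing so that everyone is in Bcc with a single address (assumed here to be the sending team's own mailbox) left in To. The message and the example.net/example.org addresses are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg):
    """Addresses every recipient will be able to read: everything in To and Cc.
    Bcc is left out because the submitting mail server strips it before delivery."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def exposure_findings(msg, max_visible=1):
    """Reasons this message discloses its recipient list (empty list = fine to send)."""
    visible = visible_recipients(msg)
    findings = []
    if len(visible) > max_visible:
        findings.append(f"{len(visible)} recipients are mutually visible in To/Cc "
                        f"(limit {max_visible}); each learns who else is on this list")
    domains = {addr.rsplit("@", 1)[-1] for addr in visible}
    if len(domains) > 1:
        findings.append(f"visible recipients span {len(domains)} domains: {sorted(domains)}")
    return findings


def to_blind_copy(msg, visible_to):
    """Copy of msg with every recipient moved to Bcc and only visible_to left in To."""
    safe = EmailMessage()
    for name, value in msg.items():
        lname = name.lower()
        if lname not in ("to", "cc", "bcc") and not lname.startswith("content-"):
            safe[name] = value
    safe.set_content(msg.get_content())
    hidden = set(visible_recipients(msg))
    hidden |= {addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr}
    hidden.discard(visible_to.lower())
    safe["To"] = visible_to
    safe["Bcc"] = ", ".join(sorted(hidden))
    return safe


def build_sample_message():
    """Constructed sample: an invitation cc'd to 15 participants in a sensitive consultation."""
    msg = EmailMessage()
    msg["From"] = "engagement@example.org"
    msg["To"] = "engagement@example.org"
    msg["Cc"] = ", ".join(f"participant{i}@example.net" for i in range(1, 16))
    msg["Subject"] = "Invitation: lived-experience consultation"
    msg.set_content("Thank you for agreeing to take part. Details follow.")
    return msg


if __name__ == "__main__":
    draft = build_sample_message()
    for finding in exposure_findings(draft):
        print("HOLD:", finding)
    fixed = to_blind_copy(draft, "engagement@example.org")
    print("after rewrite:", exposure_findings(fixed) or "no findings")
```

A check like this belongs in the mail gateway or the sending tool, not in the sender's memory; for audiences that should never learn of each other, a per-recipient send is better still, since even a Bcc mailing reveals the group to anyone who later replies-all to a leaked copy.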

DDoS attack: The UK Information Commissioner also issued a reprimand to My Media World / Brand New Tube. An unauthorised third party gained access to its systems and exfiltrated the personal data of 345,000 UK data subjects, including names, email addresses and passwords. The company has been unable to determine the specific cause of the incident, concluding on separate occasions that a server misconfiguration and a DDoS attack were responsible for the access to its systems, and it had no evidence of appropriate technical and organisational measures to protect users' data. The organisation must now:

  • put appropriate contracts in place with any third-party providers, setting out the roles and responsibilities of each party;
  • maintain records of processing activities; and
  • regularly scan and test its environment, record the outcomes and address any issues promptly.

The ICO has also published further security best-practice guidance for organisations.

Data security

Connected beacons: Connected tags, which have been around for several years, make it possible to locate the objects to which they are attached. While the technology is useful for finding lost objects, the French data protection regulator notes that many media stories show they can be misused to track people's movements without their knowledge. By design, only the owner can locate a beacon and therefore track its movements; however, manufacturers have put different measures in place to let you detect a beacon if you suspect one has been planted on you.

If you have an iPhone, you get a notification when an AirTag you do not own moves with you for a period of time, and a feature then lets you connect to the AirTag to make it ring. If you have the latest version of Android, you automatically receive a notification when an AirTag separated from its owner moves along with you for a while. If you do not have a smartphone, the AirTag itself emits a sound once it has been away from its owner for a certain time.

The use of a connected beacon to follow a person without their consent is a criminal offence, punishable by one year’s imprisonment and a fine of 45,000 euros. More information on how to detect and disable the tags is in the original publication
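The detection described above, on both iOS and Android, rests on one idea: a tag that is not yours keeps turning up at different places over a period of time. The following is an added example of that heuristic run over a constructed BLE scan log; it is not Apple's or Google's code, and the identifiers, coordinates and thresholds (30 minutes, 500 metres) are assumptions for the illustration. A real scanner also has to cope with tags that rotate their advertised identifier, so sightings would first have to be grouped into a stable identity before this logic runs.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def flag_following_trackers(sightings, own_trackers,
                            min_duration=timedelta(minutes=30), min_spread_m=500.0):
    """sightings: (timestamp, tracker_id, lat, lon) tuples from a BLE scan log.

    A tracker is flagged when it is not one of ours, its sightings span at least
    min_duration, and the places it was seen are at least min_spread_m apart.
    The distance test separates a tag that travels with us from one that simply
    sits in a place we stay in for a while (a neighbour's flat, a cafe, an office).
    """
    by_id = defaultdict(list)
    for ts, tid, lat, lon in sightings:
        by_id[tid].append((ts, lat, lon))
    flagged = {}
    for tid, obs in by_id.items():
        if tid in own_trackers:
            continue
        obs.sort()
        span = obs[-1][0] - obs[0][0]
        spread = max(haversine_m(a[1], a[2], b[1], b[2]) for a in obs for b in obs)
        if span >= min_duration and spread >= min_spread_m:
            flagged[tid] = {"first_seen": obs[0][0], "last_seen": obs[-1][0],
                            "sightings": len(obs), "spread_m": round(spread)}
    return flagged


# Constructed scan log for one morning commute (times and places are invented).
T0 = datetime(2023, 8, 10, 8, 0)
HOME, STOP, OFFICE = (51.5000, -0.1200), (51.5050, -0.1250), (51.5100, -0.1300)
SAMPLE_SIGHTINGS = [
    # our own keyring tag: seen everywhere, but it is allow-listed
    (T0, "own-1", *HOME),
    (T0 + timedelta(minutes=20), "own-1", *STOP),
    (T0 + timedelta(minutes=50), "own-1", *OFFICE),
    # a neighbour's tag in the building: only ever seen at home, never moves
    (T0, "nbr-5", *HOME),
    (T0 + timedelta(minutes=5), "nbr-5", *HOME),
    (T0 + timedelta(hours=10), "nbr-5", *HOME),
    # a tag seen briefly at two places: too short a window to be sure
    (T0 + timedelta(minutes=20), "unk-12", *STOP),
    (T0 + timedelta(minutes=24), "unk-12", *OFFICE),
    # an unknown tag that rides along for the whole commute
    (T0 + timedelta(minutes=2), "unk-77", *HOME),
    (T0 + timedelta(minutes=21), "unk-77", *STOP),
    (T0 + timedelta(minutes=52), "unk-77", *OFFICE),
]


if __name__ == "__main__":
    for tid, info in flag_following_trackers(SAMPLE_SIGHTINGS, {"own-1"}).items():
        print(f"unknown tracker {tid} followed you for "
              f"{(info['last_seen'] - info['first_seen']).seconds // 60} min "
              f"over {info['spread_m']} m ({info['sightings']} sightings)")
```

The thresholds trade false alarms for detection delay: a shorter window catches a planted tag sooner but will also flag the tag of a fellow passenger on a long train ride, which is why the phone vendors' implementations wait a while before alerting.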

Big Tech

Meta compulsory fine: The Norwegian data protection authority has imposed a compulsory fine on Meta – approx. 90,000 euros per day. The background is that Meta does not comply with the Norwegian data protection authority’s ban on behaviour-based marketing on Facebook and Instagram. However, Meta has petitioned the Oslo district court for a temporary injunction against the ban. 

The ban does not prohibit personalised marketing on Facebook or Instagram as such. Meta can, for example, target marketing based on information that users enter on their profile, such as place of residence, gender and age, or interests that users themselves state that they want to see marketing about. The decision also does not prevent Meta from showing behaviour-based marketing to users who give valid consent to it.

Google user tracking: A US court has denied Google's request to dismiss a lawsuit alleging that the company violated the privacy of millions of individuals by secretly tracking their internet usage, Reuters reports. The plaintiffs claim that Google's analytics, cookies and applications let the Mountain View, California-based company follow their activity even when they used Google's Chrome browser in 'Incognito' mode or other browsers in 'private' mode. The class covers Google users since June 2016, and the suit seeks at least $5,000 in damages for each user.

Connected vehicles: Finally, the California privacy protection agency announced a review of data privacy practices by connected vehicle manufacturers and related technologies. These vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle. 

Weekly digest November 15 – 21, 2021 “Privacy, DP, and Compliance news in focus”
https://techgdpr.com/blog/weekly-digest-november-15-november-21-2021-privacy-dp-and-compliance-news-in-focus/
Mon, 22 Nov 2021 09:25:28 +0000

The post Weekly digest November 15 – 21, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The Council of Europe strengthens its legal arsenal for the disclosure of electronic evidence between governments and with service providers. A Second Additional Protocol to the “Budapest Convention“ will extend the rule of law further into cyberspace. Today, obtaining electronic evidence that may be stored in foreign, multiple, shifting or unknown jurisdictions is increasingly complex, while the powers of law enforcement remain limited by territorial boundaries; as a result, only a very small share of reported cybercrime leads to court decisions. The Protocol provides a legal basis for the disclosure of domain name registration information and for direct co-operation with service providers on subscriber information and traffic data (excluding anonymised data), effective means of obtaining subscriber information, and mutual assistance tools, along with personal data protection safeguards. The safeguards stipulate that each party receiving data shall provide notice to the individual whose personal data has been collected, covering:

  • the legal basis for and the purpose(s) of the processing (eg, the important public interest in investigating criminal offences);
  • any retention or review periods, and the recipients or categories of recipients to whom such data is disclosed; and
  • the access, rectification and redress available.

However, once made public at trial, an individual’s data passes into the public domain. In these situations, it is not possible to ensure confidentiality or DP safeguards for the investigation or proceedings for which the material was sought. The text should be opened for signature in May 2022.

Similarly, an Opinion of the CJEU’s Advocate General reiterates that the general and indiscriminate retention of traffic and location data relating to electronic communications is permitted only in the event of a serious threat to national security, and not for the prosecution of offences, even serious ones. Specifically, national legislation requiring electronic communications undertakings to retain traffic data on a general and indiscriminate basis in order to investigate market manipulation and abuse is contrary to EU law. Nor does a time limit on that retention remedy the problem: outside the situation justified by the defence of national security, the general retention of electronic communications data entails a serious interference with the fundamental rights to private and family life and to the protection of personal data, irrespective of the period for which access to the data is requested.

The Hanover Administrative Court has issued an important decision on excessive data collection, DataGuidance reports. It dismissed an action by an online mail-order pharmacy against the Lower Saxony data protection authority. The regulator had instructed the pharmacy to refrain from collecting customers’ dates of birth unless the information was required in relation to the drug ordered, and to stop using gender-specific titles based on information collected during the ordering process. The pharmacy had agreed to add a ‘no information’ option to the title field of the order form, but argued that, as it was obliged to provide age-appropriate advice, it had to ask for the date of birth during ordering. The court found that the ordering process in question only concerned products that could be purchased without a prescription, so the question about the customer’s date of birth should be omitted.

The EDPB has published its statement on the EU Digital Services Package and Data Strategy. The EU Commission has presented several legislative proposals, most notably the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Regulation on a European approach for Artificial Intelligence, and proposal for a Data Act. The EDPB draws attention to a number of overarching concerns: lack of protection of individuals’ fundamental rights and freedoms; fragmented supervision; and risks of inconsistencies. The EDPB considers that, without further amendments, the proposals will negatively impact the fundamental rights and freedoms of individuals and lead to significant legal uncertainty that would undermine both the existing and future legal framework.

Official guidance

The EDPB adopted Guidelines on the interplay between Art. 3 and Chapter V of the GDPR. By clarifying the interplay between the territorial scope of the GDPR and the provisions on international transfers, it aims to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. In particular, the guidelines specify three cumulative criteria that qualify processing as a transfer: 

  • the data exporter (a controller or processor) is subject to the GDPR for the given processing;
  • the data exporter transmits or makes available personal data to the data importer (another controller, joint controller or processor);
  • the data importer is in a third country or is an international organisation.

The processing will be considered a transfer, regardless of whether the importer established in a third country is already subject to the GDPR. However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer.

Finland’s data protection ombudsman reminds data controllers that event log data stored in connection with personal data breaches in an information system must be kept as part of the documentation obligation; the ombudsman may request log information in order to process a breach notification. Log files are chronologically recorded records of events and their causes in data networks, applications, systems and data content: for example, all login sessions to a network, along with account lockouts, failed password attempts, etc.

Meanwhile, the French regulator CNIL published, (in French), recommendations on the implementation of logging measures. The purpose of logging tools in the context of multi-user systems is to ensure traceability of access and actions by various people accessing the information systems and, more specifically, the processing of personal data implemented within the organization. The data thus collected and processed by these tools contain information on the persons administering or accessing the resources, such as the user identifier, the date and time of access, the identifier of the equipment used, etc. In general it is always recommended to save logging data for access, creation, modification and deletion actions when processing personal data. 
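Both the Finnish and the French guidance above treat logs as evidence: they must record who did what to which personal data, from which device and when, and they must survive intact until a breach is investigated. The following is an added example, not code from CNIL or the Finnish ombudsman. It writes one JSON line per access, creation, modification or deletion with the fields CNIL lists, and chains each line to the previous one with a SHA-256 hash so that a later edit or a removed entry is detectable. The user, equipment and resource identifiers are constructed; the hash chaining is this example's own addition, not a CNIL requirement.

```python
import hashlib
import json
from datetime import datetime, timezone

# the actions CNIL says should always be logged when personal data is processed
LOGGED_ACTIONS = {"access", "create", "modify", "delete"}
GENESIS = "0" * 64


def _digest(entry):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only JSON-lines log; each line carries the hash of the previous one."""

    def __init__(self):
        self.lines = []
        self._prev = GENESIS

    def record(self, user_id, action, resource, equipment_id, at=None):
        if action not in LOGGED_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        entry = {
            "ts": (at or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,            # who
            "action": action,           # did what
            "resource": resource,       # to which personal data
            "equipment": equipment_id,  # from which device
            "prev": self._prev,         # link to the previous line
        }
        entry["hash"] = _digest(entry)
        self._prev = entry["hash"]
        line = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        self.lines.append(line)
        return line


def verify_chain(lines):
    """Return (True, None) if every line is intact and linked to its predecessor,
    otherwise (False, index of the first line that fails)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if entry.get("prev") != prev or _digest(entry) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def sample_log():
    """Constructed sample: two entries from a clinician's workstation, one from an admin host."""
    log = AuditLog()
    t = datetime(2023, 8, 14, 9, 0, tzinfo=timezone.utc)
    log.record("u.martin", "access", "patient/12345", "ws-0042", at=t)
    log.record("u.martin", "modify", "patient/12345", "ws-0042", at=t)
    log.record("admin.k", "delete", "patient/99", "ws-0007", at=t)
    return log


if __name__ == "__main__":
    log = sample_log()
    print(*log.lines, sep="\n")
    print("intact:", verify_chain(log.lines))
```

The chain proves internal consistency only: an attacker with write access to the file can recompute every hash after an edit, and simply truncating the tail still verifies. Periodically export the latest hash to somewhere the log writer cannot alter (a separate log server, write-once storage, or a signed timestamp) so that both rewriting and truncation become visible.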

The CNIL also publishes its guidance on why and how to appoint a data protection officer, and what resources should be given to this person to do their job. Today nearly 30,000 professionals in France perform this function, (natural and legal persons combined), for 80,000 organisations that have appointed a DPO. Of these, the public administration, education and health sectors are the most represented.

The Danish data protection agency has published a new guidance text with reference to use cases (in Danish) on data responsibility between private suppliers and public authorities. It emphasises the importance of defining the data processor and controller roles. While some cases are classic (eg, an IT provider acts solely on instructions from a public authority), others can be more complex, namely when private individuals are suppliers to public authorities. It is thus the content of the parties’ contractual agreement, including which service is to be provided, that determines the supplier’s role. If, for example, the supplier receives and stores information in order to fulfil an agreement, but that processing was not itself agreed between the parties, the supplier becomes independently responsible (the controller) for that processing.

Data breaches, investigations and enforcement actions

Vinted, the online clothing marketplace known across the EU, is under scrutiny by several data protection authorities. A significant number of complaints concerning vinted.com, operated by the Lithuanian company Vinted UAB, have arrived on the desks of the supervisory authorities of France, Lithuania and Poland, which are cooperating to investigate the website’s GDPR compliance. The operator currently requires a scan of an identity card in order to unblock funds received from sales in a user’s account. The legal justification for this may be an issue, as are the procedures and criteria for blocking an account and the corresponding retention periods.

Cyprus’s regulator has fined WS WiSpear Systems (a provider of end-to-end WiFi surveillance solutions for the intelligence and public safety markets) 925,000 euros for violating the principle of lawful, fair and transparent processing (Art. 5 of the GDPR). The company had collected Media Access Control (MAC) addresses and International Mobile Subscriber Identity (IMSI) numbers from various devices, in the context of testing and demonstrating its technologies, without the knowledge of the users of those devices. The case highlights how such data, combined with the geographical location of devices at different times, can lead to the identification of device users, DataGuidance reports.

Spain’s regulator, the AEPD, has punished several companies: an ambulatory health care service whose doctors accessed the medical records of former patients; a natural gas and electricity trader for making unexpected changes to a customer’s contract (on behalf of a tenant), in a prima facie case of identity theft; and a Spanish multinational telecommunications company for violating the national Information Society Services and Electronic Commerce law by sending direct marketing communications to a customer without their consent.

Poland’s data protection regulator, the UODO, has fined a bank for failing to report a breach and to fully inform the people affected, as well as for an unsatisfactory level of cooperation. A courier company lost bank correspondence containing personal data, including names, surnames, registered addresses, bank account details and the identification numbers the bank had assigned to its customers. The bank considered the risk of negative consequences for the persons affected to be moderate and therefore decided neither to report the breach to the supervisory authority nor to comply with the GDPR obligation to notify the data subjects.

Opinion

If a company is the victim of a data breach it is required to identify and notify an unknown number of individuals impacted by the breach. In order to determine which individuals to notify, the company must identify which documents contain protected information, extract data on impacted individuals from those documents and use that data to determine who to notify and by what means. This process requires a large and complex data review of documents from sources with varying degrees of uniformity and accessibility—ranging from scanned hard copy files to spreadsheets containing data for thousands of individuals. A Mayer Brown LLP article examines the pros and cons of using technology that could be used in the data review project, comparing traditional text recognition, and relatively new pattern recognition software driven by artificial intelligence.
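Whichever recognition technology the review uses, its output still has to be reduced to one notification per person, which means linking the same individual across a scanned letter, a spreadsheet export and a support ticket. The following is an added example of that consolidation step, written for this page and not taken from the Mayer Brown article. It pulls email addresses and phone numbers out of each document with plain regular expressions, treats identifiers appearing on the same line as belonging to one person, and merges records that share an identifier using a union-find. The three documents are constructed for the example; in practice phone numbers would also need normalising to one international format, which this example does not do.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.I)
# a run of digits with optional +, spaces, dashes or brackets; length is checked after normalising
PHONE_RE = re.compile(r"\+?\d[\d \-()]{8,}\d")


def extract_identifiers(line):
    """Set of (kind, normalised value) identifiers found on one line of text."""
    ids = {("email", m.lower()) for m in EMAIL_RE.findall(line)}
    for m in PHONE_RE.findall(line):
        digits = re.sub(r"\D", "", m)
        if 10 <= len(digits) <= 13:          # drops dates, reference numbers and amounts
            ids.add(("phone", digits))
    return ids


def resolve_individuals(documents):
    """documents: {document name: text}.

    Returns one dict per individual with the identifiers that belong to them and the
    documents that mention them. Identifiers on the same line are assumed to belong to
    one person; records that share any identifier are merged (union-find).
    """
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    docs_of = defaultdict(set)
    for name, text in documents.items():
        for line in text.splitlines():
            ids = sorted(extract_identifiers(line))
            for ident in ids:
                docs_of[ident].add(name)
            for ident in ids[1:]:
                parent[find(ids[0])] = find(ident)

    groups = defaultdict(lambda: {"identifiers": set(), "documents": set()})
    for ident, names in docs_of.items():
        group = groups[find(ident)]
        group["identifiers"].add(ident)
        group["documents"] |= names
    return list(groups.values())


# Constructed documents of the three kinds a breach review typically mixes.
SAMPLE_DOCUMENTS = {
    "letter_scan.txt": (
        "Dear Ms Okafor,\n"
        "We wrote to a.okafor@example.com on 3 March 2023.\n"
        "Ref 2023-0419\n"
    ),
    "export.csv": (
        "email,phone,status\n"
        "A.Okafor@example.com,+44 20 7946 0123,active\n"
        "j.singh@example.org,07700 900123,closed\n"
    ),
    "ticket_0419.txt": "Caller on 07700 900123 asked for a copy of the records.\n",
}


if __name__ == "__main__":
    for person in resolve_individuals(SAMPLE_DOCUMENTS):
        print(sorted(person["identifiers"]), "->", sorted(person["documents"]))
```

Five identifier hits across three files collapse to two people to notify, each with the list of documents that will have to be reviewed for what was actually exposed about them.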

Big Tech

Meta, which already uses end-to-end encryption on its WhatsApp product, is delaying rolling out the same feature on Facebook and Instagram messages until 2023. Messenger already has encrypted video and voice calls. Originally planned for next year, the delay is due to fears it could provide anonymity to abusers and terrorists. The opposition has been especially fierce in the UK, where the leading children’s charity NSPCC insists private messaging is “the frontline of child sexual abuse online”, and the Home Secretary says the social media behemoth’s encryption plans are “simply unacceptable”.

At the same time Meta denies that its Facebook and Instagram platforms are gathering browsing data from under-18s, the Guardian reports. The platforms’ parent company had announced in July that it would allow advertisers to target young users based on three categories only – age, gender and location – rather than a range of options including their personal interests. However, research by a trio of campaign groups states that Facebook and Instagram have retained the use of software, known as conversion APIs, that gathers details of teens’ web browsing activities. Their study set up fake accounts for a 13-year-old and two 16-year-olds. Campaigners were able to view the data harvested by the company’s software across the platforms as the “users” visited sites such as local newspapers and clothing retailers, clicked on buttons, searched for items or put products in baskets.

The Shanghai Consumer Council has publicly questioned Chinese tech giant Tencent Holdings over how it is handling data collection and personalised ads on super app WeChat amid Beijing’s intensified regulatory scrutiny and the roll-out of the new privacy law. The Council requested clarity on whether Tencent has stopped collecting user data, or whether it would continue collecting the data but not use it, if users opt out of personalised ads. The council also queried Tencent’s statement in its privacy policy about collecting data for “other services” while complying with relevant laws and regulations.

Mozilla has released the latest edition of its “Privacy Not Included shopping guide”, aiming to provide Christmas shoppers with a list of how the most popular items handle privacy issues. Mozilla researchers spent over 950 hours examining 151 popular connected gifts in the US, identifying 47 that had what they called “problematic privacy practices.” The researchers sought to figure out whether items had cameras, microphones or location tracking features as well as any other tools that collected data on users. Mozilla also examined whether devices used encryption or forced users to have strong passwords. The report notes that because of privacy laws passed in California, many companies have added sections specifically governing those that live in the state. But many companies have no privacy policy at all or make it difficult to find and hard to read.
