consent Archives - TechGDPR (https://techgdpr.com/blog/tag/consent/), feed generated Fri, 31 Oct 2025 17:11:11 +0000

Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health
https://techgdpr.com/blog/data-protection-digest-05022024-social-media-giants-grilled-over-child-safety/ (Mon, 05 Feb 2024 10:44:12 +0000)

Child safety online was the subject of a sometimes heated US Congressional hearing, forcing CEOs of the biggest American social media giants to apologise to parents of victims. While legislators are struggling to find a legal solution to the crisis, police are finding evidence of children as young as seven being at risk of harm.


Children at risk

Last week, the CEOs of Meta, X, TikTok, Snap and Discord were questioned before the US Congress over alleged harms to young users on their platforms – access to drugs and subsequent overdoses, harassment, grooming and trafficking exploitation, leading in some cases to death. Legislators stated that the industry, through its constant pursuit of engagement and profit, failed to adequately invest in trust and child safety. Executives highlighted controls and tools they have introduced to mitigate harm. 

US legislators are pushing forward legal solutions to the existing crisis through the debated Kids Online Safety Act and anti-CSAM legislation, as well as changes to the COPPA rule. Meanwhile in neighbouring Canada, (British Columbia province), some of the measures have just been enforced.

In the EU, a draft Parliament position was adopted by the LIBE Committee at the end of last year, now awaiting further enforcement. The privacy regulators meanwhile warn about present risks to children and their personal information online. For instance, the Guernsey data protection authority recently identified a local Snapchat group that includes children as young as seven, possibly encouraging them to share explicit images of themselves. The police now advise parents:

  • to have conversations with their children regarding the reputational and long-term risks associated with sharing personal information via such networks, and 
  • ensure children are not using social networks or apps if they’re under the authorised age for those networks/apps, (13 for Snapchat). 

In the UK, the Information Commissioner’s Office also created a toolkit of free resources to promote responsible data sharing to safeguard children and renewed its age assurance opinion, an important part of its world-leading Children’s code, reflecting developments over the past two years. A similar age-assurance design code was passed into law in California in 2022.

Legal updates

Draft AI Act: The draft legislation received a unanimous endorsement from all 27 European Union member states. Negotiations over the shape of the law concluded last December, with the main focus on safeguards for foundation models and the use of facial recognition software. According to Euractiv analysis, the primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for the powerful AI models that support general-purpose AI systems, in order to protect domestic start-ups. Nonetheless, the Parliament insisted on the need for strict guidelines for these models. In April, Parliament will hold its final vote on the law.

German employee data protection: DLA Piper’s legal analysis looks at the data protection provisions relating to employees and other workers in Germany. Currently, this area is largely determined by case law, and national legislators are very cautious about using Art. 88 of the GDPR, which allows the adoption of provisions that specify data protection requirements in the employment context. Even more problematic, the relevant provisions of the Federal Data Protection Act, (BDSG), after being clarified by the CJEU last year, did not meet the conditions set out in the GDPR. Read more on the envisaged Single Employee Data Protection Act in Germany in the original analysis.

Automated decisions

The Isle of Man data protection commissioner reminds the public of Art. 22 of the GDPR, which provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. It is permitted to use such methods only: a) with the explicit consent of the individual; b) if necessary for entering into, or performing, a contract between the individual and the data controller; or c) if authorised by law. The controller must also have safeguards in place to allow individuals to obtain human intervention regarding the decision, to contest it in certain cases, or to express their point of view.

AI checklist

The Bavarian data protection authority for the private sector published a draft ‘Data Protection and AI’ checklist, (in German). In addition to a legal basis for the creation of AI models and the operation/use of AI applications, the rights of those affected and other compliance requirements of the GDPR must also be implemented. The data protection risk model must be documented and regularly checked to ensure that it is up-to-date and complete. If necessary, the test points, (see them here), can be checked as part of the control activities by the data protection officer.

Software for schools

The Danish supervisory authority has investigated the use of Google Workspace in Danish schools in 53 municipalities. The report considers that the municipalities have had no reason to forward student data to Google for the development and measurement of services, ChromeOS and the Chrome browser. The data protection authority also reminds the municipalities that they should have found out how Google processes the transmitted personal data before implementing the tools. Municipalities now have to bring the processing in line with the rules:

  • Municipalities should no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
  • Google must itself refrain from processing the information for these purposes.
  • The Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.

A similar investigation on the use of Google’s teaching platform in schools was conducted in Finland in 2021. The decision does not prohibit the use of the educational platform but states that a legal basis must be defined for the processing of students’ data in Google services.

Purpose limitation

How to comply with the principle of purpose limitation? The Latvian data protection authority explains that when your data is transferred to someone else, it is usually done with the confidence that the data will be used for a specific purpose that is clearly understood by you. The principle of purpose limitation is closely related to other principles established in the GDPR, such as the principle of transparency, because only by knowing the specific purpose of data processing can a person understand what to expect within the scope of their data processing. 

Likewise, determining the exact purpose is related to the principles of data minimisation and storage limitation, because the purpose determines how much data is needed to achieve it and how long the data needs to be stored. It is also connected with the principle of lawfulness, because an appropriate legal basis can only be established for data that is planned to be used to achieve a clearly defined purpose. When considering processing for a different purpose, the controller must first assess whether this purpose is compatible with the initial processing, including the following aspects:

  • the connection between the purposes;
  • the context in which data has been collected;
  • nature of data;
  • the consequences that further processing would have for the data subject;
  • the existence of adequate safeguards in both initial and intended subsequent processing operations.

EDPB documentation

The EDPB published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The relevant decisions were initially filtered using Art. 32 of the GDPR, (security of processing), as the main legal reference. This article establishes an obligation for both data controllers and data processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The analysis of decisions will provide insights into how regulators interpret these obligations in concrete situations, such as how to protect organisations against hacking, how to ensure meaningful and robust encryption, how to build strong passwords, etc. 

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. It can be used by both legal and technical auditors at data protection authorities, as well as by controllers and processors who wish to test their websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu, where the source code is also published.

Enforcement decisions

Prospect data: The French CNIL fined TAGADAMEDIA, (online competition and product testing websites), 75,000 euros. The data collected by brokers is sent to the company’s partners for commercial prospecting. The prospect questionnaire did not allow free, informed and unambiguous consent to be obtained. The button allowing users to give their consent was visually highlighted, in contrast with the one allowing users to refuse consent, which also featured an incomplete text of reduced size, alongside a strong encouragement for users to agree to the transmission of their data to partners.

Insurance companies: An administrative court in Finland upheld the data protection commissioner’s decisions on the handling of health data by insurance companies. In some situations, insurance companies request personal health information directly from healthcare providers. However, data should be identified and precisely defined, which means only the necessary information from the provider and for the period that is relevant in assessing the insurance company’s liability is required. Also, the insurance applicant’s data from health services cannot be processed before concluding the contract.

Intrusive scientific research: The Italian regulator sanctioned a municipality for conducting two scientific studies, using cameras, microphones and social networks. The projects, financed with European funds, aim to develop technological solutions to improve safety in urban areas. It involved footage from video surveillance cameras already installed in the municipal area, as well as audio obtained from microphones specifically placed on the street. One of the projects also analysed hateful messages and comments published on social media, detecting any negative emotions and processing information of interest to the police. The municipality has not proven the existence of any legal framework for the processing: the data was unlawfully shared with third parties and partners. Furthermore, the anonymisation techniques proved insufficient.

Data breaches

Undetected attacker: America’s FTC’s proposed action against Blackbaud alleges that the company’s failure to implement some basic safeguards resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organisations. 

In 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. By then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers. Blackbaud eventually agreed to pay 24 Bitcoin, (valued at about 250,000 dollars), in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker followed through. 

Data processor supervision: The Danish data protection authority reported Capio A/S to the police for not having supervised its data processors. The private hospital may face a fine of approx. 200,000 euros. In particular, the hospital has not been able to ensure and demonstrate that personal data is processed for legal and reasonable purposes and in a way that ensures sufficient security for the sensitive personal data of the large number of data subjects in question, over several years.

Data security

TOMs: The Swiss data protection authority has revised its guide on technical and organisational security measures, (in English). The guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management. 

Cloud: The French CNIL published factsheets on encryption and data security, (in French). It offers a detailed analysis of the different types of encryption applied to a cloud computing service: encryption at rest, in transit and in-process, and end-to-end encryption (E2EE). The guide also looks at various tools to secure cloud services, (anti-DDoS, WAF, CDN, load balancer), and key vigilance points.

Login: What to do if you detect a credential-stuffing attack? The Lithuanian data protection authority recommends responding quickly and proactively:

  • determining whether the attacker managed to use the available accesses,
  • blocking potential malicious activity,
  • notifying users of an attack and encouraging them to change their passwords,
  • notifying the regulator about the personal data security breach that has occurred,
  • conducting a thorough incident investigation and implementing additional security measures to prevent similar attacks in the future, (2FA, automatic attack detection systems, password policy).

Finally, if the attack is systemic or involves multiple platforms, it is recommended to collaborate with other data controllers in analyzing the incident.
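A defender-side triage of the first two points in the list above, as an added example that is not part of the digest or of the Lithuanian authority’s guidance: it reads constructed authentication log lines, flags source IPs that cycle through many distinct usernames within a short window (the signature of a stuffing run), and then lists which accounts those IPs actually logged into, i.e. which accesses the attacker managed to use and which IPs to block. The log format, the thresholds and all IPs and usernames are assumptions made for the example.

```python
"""Credential-stuffing triage over an authentication log (added example).

Assumed log format, one event per line: "<ISO timestamp> <source ip> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real logs: one stuffing source (203.0.113.7)
# trying eight different accounts in 15 seconds, plus ordinary traffic.
SAMPLE_LOG = """\
2024-01-30T10:00:01 203.0.113.7 alice FAIL
2024-01-30T10:00:03 203.0.113.7 bob SUCCESS
2024-01-30T10:00:05 203.0.113.7 carol FAIL
2024-01-30T10:00:07 203.0.113.7 dave SUCCESS
2024-01-30T10:00:09 203.0.113.7 erin FAIL
2024-01-30T10:00:11 203.0.113.7 frank FAIL
2024-01-30T10:00:13 203.0.113.7 grace FAIL
2024-01-30T10:00:15 203.0.113.7 heidi FAIL
2024-01-30T10:01:00 198.51.100.20 carol FAIL
2024-01-30T10:01:20 198.51.100.20 carol SUCCESS
2024-01-30T10:02:00 192.0.2.5 erin SUCCESS
2024-01-30T10:03:00 198.51.100.9 ivan SUCCESS
2024-01-30T10:03:30 198.51.100.9 judy SUCCESS
2024-01-30T10:04:00 198.51.100.9 mallory SUCCESS
"""


def parse_log(text):
    """Turn log lines into event dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "result": result})
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: peak number of distinct usernames tried within any `window`}.

    A single IP trying many different accounts in a short time is the stuffing
    signal; a user mistyping their own password (same username, a few attempts)
    or a small office NAT with a handful of users stays below the threshold.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # username -> attempts inside the window
        start = 0
        for e in evs:
            in_window[e["user"]] += 1
            while e["ts"] - evs[start]["ts"] > window:  # slide the left edge
                old = evs[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def accounts_touched_by(events, flagged_ips):
    """Split accounts targeted from flagged IPs into 'used' (a SUCCESS) and 'attempted'."""
    used, attempted = set(), set()
    for e in events:
        if e["ip"] in flagged_ips:
            attempted.add(e["user"])
            if e["result"] == "SUCCESS":
                used.add(e["user"])
    return used, attempted


def triage(log_text, **thresholds):
    """Answer: which IPs to block, which accounts the attacker used, which were only tried."""
    events = parse_log(log_text)
    flagged = find_stuffing_sources(events, **thresholds)
    used, attempted = accounts_touched_by(events, flagged)
    return {
        "block_ips": sorted(flagged),
        "peak_distinct_users": flagged,
        "reset_and_notify": sorted(used),          # accesses the attacker managed to use
        "targeted_only": sorted(attempted - used),  # tried but not logged into
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```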

Cybersecurity program: As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? America’s NIST offers a Draft Guidance on Measuring and Improving Your Company’s Cybersecurity Program. It is aimed at different audiences within an organisation, security specialists and the C-suite, and can help organisations move from general statements about risk level toward a more coherent picture founded on hard data.

Big Tech 

Amazon “stalking” employees: The French data protection authority fined Amazon France Logistique 32 mln euros for putting employees under constant surveillance. The company manages the Amazon group’s large warehouses in France, where it receives and stores items and then prepares parcels for customer delivery. Each warehouse employee is given a scanner to document the performance of certain tasks in real time. Each scan results in the recording and prolonged storing of data used to calculate employee quality, productivity and periods of inactivity, (the “error” margin was set to less than 1.25 seconds or longer than 10 minutes). The company was also fined for video surveillance without information or sufficient security. 

Uber has been fined 10 mln euros by the Dutch data protection authority for violating privacy regulations related to its drivers’ data. Uber failed to specify in its terms and conditions the duration for which drivers’ data is retained and the security measures in place, particularly when transferring data to non-European countries. The fine was imposed following a complaint by over 170 French drivers, which was then forwarded to the French data protection authority and subsequently to the Dutch regulator, as Uber’s European headquarters is in the Netherlands. 

Data protection digest 1 – 14 September 2023: gatekeeper obligations, synthetic datasets, automotive cybersecurity
https://techgdpr.com/blog/data-protection-digest-15092023-gatekeeper-obligations-synthetic-datasets-automotive-cybersecurity/ (Fri, 15 Sep 2023 08:45:05 +0000)
In this issue, you will find EU gatekeeper obligations, guides on ‘sharenting’, online exams, synthetic data, and the right to object, the Meta ban in Norway, the automotive industry, ads-free Facebook and Instagram, and the Privacy Sandbox availability.

Legal processes and redress: gatekeeper obligations, US adequacy decision, Google litigation, UK data protection reform, Quebec privacy laws

Gatekeeper in the EU: The European Commission has designated, for the first time, six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft – under the Digital Markets Act. They will now have six months to ensure full compliance with the DMA obligations for each of their designated core platform services. This includes a list of do’s and don’ts:

  • allowing third parties to inter-operate with the gatekeeper’s own services,
  • enabling end users to unsubscribe from the gatekeeper’s main platform services as simply as they subscribe to them, 
  • giving companies that advertise on a gatekeeper’s platform access to the gatekeeper’s performance measurement tools and information, allowing advertisers and publishers to undertake their independent verification of advertising hosted by the gatekeeper, and
  • a ban on tracking end users outside of the gatekeepers’ core platform service for targeted advertising without effective consent having been granted. 

EU-US DPF application: The German Data Protection Conference has published application instructions for the EU-US Data Privacy Framework. The document contains, on the one hand, information for data exporters, that is, the data controllers and processors who transfer data to the US. On the other hand, individuals can find out what legal protection and complaint options they have. This includes links to numerous materials, for example from the EDPB. At this point, the adequacy decision applies under EU law. However, given the previous adequacy decisions for the US that were declared invalid, many want to know whether the new adequacy decision will suffer the same fate as Safe Harbor and the Privacy Shield.

In addition to the planned evaluations by the EU Commission, which can result in adjustments or a repeal, there are options for a judicial review of the new adequacy decision. For instance, on 6 September, a French member of parliament, who is also a member of the data protection authority CNIL, requested that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects by US companies, as well as a violation of the GDPR’s minimisation and proportionality principles due to the access and use of EU personal data for the US security purposes. 

Google taken to court: Alphabet’s Google is facing a class action in the Netherlands brought by non-profit organisations, demanding Google stop its constant surveillance and profiling of consumers and the sharing of data in online ad auctions, and also pay damages to consumers. Allegedly, through its services and products, the tech giant:

  • Collects users’ online behaviour and location data on an immense scale, without having provided adequate information about it and without users’ consent.
  • Through the use of ‘invisible’ third-party cookies, Google continues to collect data through others’ websites and apps, even when someone is not using its products or services. 
  • Continually collects users’ physical locations, even when they are not actively using their devices and think they are ‘offline’. 
  • Shares users’ data, including highly sensitive data concerning health, ethnicity and political affiliation, with hundreds of parties through its online advertising platform, (a recent study shows that in Europe, the real-time bidding industry exposes people’s data 376 times a day.) 

In total, Alphabet’s Google faces approximately 25 billion euros in damages claims and regulatory administrative fines over its ad tech practices in Europe, Reuters sums up.

UK data protection amendments: By the end of the year, the UK government will amend the UK’s data protection legislation by updating the ‘fundamental rights and freedoms’ definition, so it will refer to rights recognised under UK law, rather than retained EU law rights. There is no direct equivalent to the right to the protection of personal data in UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention on Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by the UK GDPR and the Data Protection Act 2018, and will continue to be protected by the Data Protection and Digital Information Bill in the UK’s domestic legislation, states the explanatory memorandum.

Quebec privacy amendments: On 22 September, the latest set of amendments (Bill 64) to Quebec’s Privacy Act will come into force. Some of the major updates include strengthened privacy rights for individuals and several controller requirements, such as a new consent and cookies management framework, privacy policies, risk assessments, rules on automated decisions, cross-border transfers, and monetary penalties. Previously companies were also obliged to designate privacy officers, conduct mandatory breach reporting, and register their biometric information systems while receiving some exceptions to the consent requirement, (under commercial transactions and research and statistical purposes). 

Official guidance: ‘sharenting’, online exams, smart data sandbox, right to object

‘Sharenting’ children’s data: The Italian data protection authority has prepared tips for parents to limit the online dissemination of content concerning their children. The neologism, coined in the US, derives from the English words “share” and “parenting”. It has been a phenomenon that has been under the attention of the Guarantor for some time, especially due to the risks it entails on the digital identity of the minor and therefore on the correct formation of their personality. When something appears on a screen, not only can it be captured and reused without our knowledge by anyone for improper purposes or illicit activities, but it contains more information than we think, such as geolocation data. If you decide to publish images of your children, it is important to at least try to follow some precautions, such as:

  • make the minor’s face unrecognizable, (by simply covering the faces with the emoticon “smiley”);
  • limit the visibility settings of images on social networks only to people who know each other or who are trustworthy and who do not share without consent in the case of sending via an instant messaging program;
  • avoid creating a social account dedicated to the minor;
  • read and understand the privacy policies of the social networks on which we upload photographs, videos, etc.

Online proctoring: The use of digital distance learning by public and private higher education institutions is becoming more widespread. With the remote monitoring devices used in this context being intrusive by nature, the French data protection regulator CNIL reiterates the obligations under the GDPR: For instance, institutions organising examinations, as well as any subcontractors, (e.g. remote monitoring solution providers), should assure candidates that their data will not be used for any purpose other than taking and proctoring a remote examination. Also, examination modalities allowing remote validation of skills without the use of remote monitoring devices should be given priority where possible. 

In general, taking proctored exams remotely should be an opportunity for students, not an obligation. In this case, a face-to-face alternative should be offered to candidates, (except in specific cases, such as a health crisis or for institutions that have made distance learning the very essence of their organisation). Students should be informed as soon as possible of the conditions for implementing remote monitoring so that they can make their choice with full knowledge of the facts. Institutions and organisations should ensure that devices used for remote monitoring are compatible with the equipment available to students, that they do not pose security risks to students, and that the necessary software can be easily installed and uninstalled. The full guidance is available in French.

Smart Data: The UK Information Commissioner’s Office has published the Regulatory Sandbox Final Report for Smart Data Foundry. The sandbox specifically targets projects operating within challenging areas of data protection. Smart Data Foundry’s product is comprised of two parts. The first is the research facility, and the second is the innovation service which provides synthetic data for further research opportunities. There are broadly speaking two approaches to the creation of these synthetic datasets:  

  • Using simulation – known as ‘agent-based modelling’ – where data is generated from approximations and predictions of behaviour using characteristics given to a computer-generated population to understand how they would interact. This processing does not use personal data beyond some aggregate information generated from real data to test and improve parameters. This is the synthetic data approach that Smart Data Foundry is already using. 
  • Using ‘learning-based’ synthetic data generation to create synthetic doubles of existing datasets utilising differential privacy and modern learning-based approaches which aim to learn all the meaningful patterns in data, and use this learnt knowledge of patterns in the original data to generate new data that exhibit similar patterns, without recreating any input data. 

To understand key data protection considerations in such scenarios, read the full report. 

Right to object to data processing: The right to object gives a person the opportunity to request the termination of the processing of their data if it is processed for the following purposes: a) for legitimate interests of the data controller including marketing, as well as in the case of automated decision-making, b) in the public interest and c) for scientific or historical research and statistics. To exercise your right to object, you should:

  • Identify the data controller, (It can be a natural person, company, organisation or state administrative body.)
  • Contact the controller in writing, (recommended), and clearly state that you are exercising your right to object to the processing of your data. Please specify which processing operations you object to.
  • State the reason. The reason and the characteristics of your particular situation require the controller to evaluate what changes in data processing are necessary and whether, by continuing the processing, your rights as a data subject would be infringed.
  • Wait for the answer. The controller is obliged to respond to your request within a month, and must either stop the processing of your data to which you have objected or provide a valid reason for continuing the processing.

Enforcement decisions: fertility apps, Chinese academic database, Meta ban in Norway, waste collection and the GDPR

Fertility apps checks: The Information Commissioner’s Office is reviewing period and fertility apps available in the UK as new figures show more than half of women have concerns over data security. A poll commissioned by the regulator revealed that women considered transparency over how their data was used, and how secure it was, bigger concerns than cost and ease of use when choosing an app. The poll showed a third of women have used apps to track periods or fertility. The research also showed over half of people who use the apps believed they had noticed an increase in baby or fertility-related adverts since signing up. While some found the adverts positive, 17% described receiving these adverts as distressing. The ICO is now urging users to come forward to share their experiences through a survey in a call for evidence.

Chinese academic database: The China Cyberspace Administration announced that the China National Knowledge Infrastructure, (CNKI), has been fined approx. 6 million euros for illegally collecting and processing personal information. The operators collected users’ personal information without consent on the 14 CNKI-related apps, which failed to publicly disclose or state collection and usage rules, did not provide an account cancellation function, and illegally kept users’ information after they closed their accounts. CNKI is one of the biggest Chinese academic information gateway websites. It has over 1,600 institutional clients in 60 countries and regions, as well as 32,000 institutional customers from diverse sectors on the Chinese mainland. Top universities, research institutions, government think tanks, corporations, hospitals, and public libraries are among the primary consumers.

Waste disposal and the GDPR: A fine of 45,000 euros was imposed by the Italian privacy agency on a Sicilian municipality for having installed cameras to control the collection of waste. The municipality had appointed two companies, also sanctioned by the guarantor, to purchase, install and maintain fixed cameras, and to collect and analyse the videos relating to violations. The authority’s intervention follows reports from a citizen who complained about receiving some fines for having disposed of unsorted waste incorrectly. 

The monitoring was carried out without the citizens having been adequately informed of the presence of the cameras and the processing of the data. The municipality had placed a sign directly on the dumpster, which was not easily visible and lacked the necessary information. Furthermore, the municipality had not identified the data retention periods and had not appointed, before the start of the processing, the two aforementioned companies as data processors.  

Meta ban confirmed: The Norwegian data protection authority won against Meta in court. In July, the regulator made an emergency decision on a temporary ban on behaviour-based marketing on Facebook and Instagram, which involves very intrusive monitoring of users. The regulator therefore decided on a compulsory fine of approx. 90,000 euros per day if the ban was breached. The penalty was set to start on 14 August. Meta, however, had petitioned the Oslo District Court for a temporary injunction. In the ruling, the court stated that the Norwegian data protection authority’s decision was valid and that there was no reason to stop it. In addition to this case, Meta has submitted several administrative complaints against the Norwegian Data Protection Authority’s decision. Those processes are ongoing.

DNA data and transparency obligations: The US Federal Trade Commission finalised an order with 1Health.io that settles charges that the genetic testing firm left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying consumers and obtaining their consent. The company failed to keep its promises to only share consumers’ sensitive data in limited circumstances, to destroy customers’ DNA samples shortly after they had been analyzed, to not store DNA results with a consumer’s name or other identifying information, and to remove such data from its servers upon consumers’ request.

Data security: automotive industry

Automotive cybersecurity: The Federal Office for Information Security in Germany published a report on the status of cybersecurity in the automotive industry. The greatest damage in the automotive industry comes from cybercriminal “double extortion” – ransomware and data leaks. The report contains:

  • Assessments of the cybersecurity of production systems and processes.
  • Notes on security vulnerabilities that are exploited for car theft and unauthorized opening of vehicles.
  • Description of attacks on vulnerabilities in the communication protocol or other security mechanisms used to control charging processes between electric vehicles and their charging stations.
  • Assessments of new legal regulations and standardization activities.
  • Outlook on technological and regulatory developments that will be important in the coming years, (the industry is affected by the EU NIS 2 Directive as a critical sector).

According to the Associated Press’s recent publication, automakers are failing the privacy test, and owners have little or no control over the data collected. The nonprofit Mozilla Foundation’s newest “Privacy Not Included” study states that security requirements are a major worry considering manufacturers’ record of vulnerability to hacking. The minimal privacy criteria were not fulfilled by any of the 25 automobile companies whose privacy notices were assessed in Europe and North America. This result stands out among the more than a dozen other product categories Mozilla has reviewed, including fitness trackers, reproductive health applications, smart speakers, and other connected household products.

Big Tech: ads-free Facebook and Instagram, the Privacy Sandbox

Paid Facebook and Instagram: Meta may allow Facebook and Instagram users in the EU to pay to avoid ads as a response to scrutiny from privacy regulators. Those who pay for the subscriptions would not see ads, while Meta would also continue to offer free versions of the apps with ads in the EU. Previously, users had effectively agreed to allow their data to be used in targeted advertising when they signed up to the services’ terms and conditions, until the lead Irish regulator ruled Meta could not process personal information in that way. Therefore Meta also proposed offering EU users a new opt-in consent mechanism for receiving targeted ads. Reportedly, it would be updated to offer users a “yes or no” option for opt-ins across its platforms.

Privacy Sandbox ‘availability’: Finally, the Privacy Sandbox for the Web reaches general availability on Chrome for relevance and measurement APIs. General availability means advertising providers and developers can now scale usage of these new technologies within their products and services, as these are now available for the majority of Chrome users. Google also rolled out new Ad privacy controls in Chrome that allow people to manage how the Privacy Sandbox technologies may be used to deliver the ads they see. These controls allow users to tailor their experience by customising what ad topics they’re interested in, what relevance and measurement APIs they want enabled, and more. Starting in Q4 of 2023, Google will enable the industry to bolster its testing efforts with the ability to simulate the deprecation of third-party cookies for a percentage of its users. Then, in Q1 of 2024, it will turn off third-party cookies for 1 per cent of all Chrome users for effectiveness testing.

The post Data protection digest 1 – 14 September 2023: gatekeeper obligations, synthetic datasets, automotive cybersecurity appeared first on TechGDPR.

Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement https://techgdpr.com/blog/data-protection-digest-01092023-financial-data-misconducted-learning-platforms-and-algorithmic-disgorgement/ Fri, 01 Sep 2023 08:50:15 +0000

This issue covers financial data processing, the EU Digital Services Act taking effect for large online operators, and the US FTC’s first use of “algorithmic disgorgement” in its enforcement.

Legal processes

Financial data: The EDPS discussed recommendations to encourage data sharing to extend the range of available financial services and products, while also giving people or organisations control over the processing of their financial data. Individuals and organisations, according to the proposals, would govern access to their financial data using dashboards offered by financial institutions. Individuals would be able to monitor, limit, or authorize access to their information. Users should be supplied with comprehensive, accurate, and unambiguous information about the financial service provider asking for access to their data. The provider should also disclose the type of product, payment, or service for which an individual’s data will be utilized, as well as the categories of data required.

Digital Services Act: The Digital Services Act took effect for large online operators serving in the EU on 25 August. 19 platforms and search engines with at least 45 million users must comply with stricter rules concerning data collection, privacy, disinformation, dark patterns, online hate speech and more. This includes a ban on targeted advertising of minors based on profiling, and a ban on targeted advertising using special categories of personal data, such as sexual orientation or religion. Online platforms will be required to redesign their systems and prove they have done so to the European Commission, (including publishing the risk assessments). Additionally, vetted researchers can access the data of those services to conduct analyses on systemic risks in the EU. Smaller platforms will be subject to the same regulation beginning in 2024. They will, however, be supervised by national agencies rather than Brussels. 

Cybersecurity and risk assessment in California: The California Privacy Protection Agency, (CPPA), has published its proposed Cybersecurity and Risk Assessment Audit Regulations. According to the CPPA, official regulation processes for cybersecurity audits, data protection risk assessments, and automated decision-making technologies have yet to begin. These versions are intended to promote board deliberations and public participation. They provide standards for service providers and contractors, assisting organisations in meeting audit compliance. The regulations state that every business that processes personal information that potentially poses a serious risk to customers’ security must conduct an audit, (annually). It also describes the components to be evaluated and the measures to be taken, as summarized by digitalpolicyalert.org. 

EU-US Data Privacy Framework: Almost all transmissions of personal data to US-based companies, if they have committed themselves to the certification mechanism, are covered by the EU-US Data Privacy Framework, explains the Bavarian state data protection commissioner. However, for the transfers of personal data collected in the context of an employment relationship, (‘HR data’), the US business must explicitly state it in its certification. Particular attention must also be paid to onward transfers, for example, if the US processor working for the EU data exporter transmits the personal data to a sub-processor in another third country. The US adequacy decision cannot apply in this situation.

Official guidance

‘Freedom of Information’ and data protection: Guernsey’s data protection commissioner discusses Freedom of Information requests that caused some of the most extraordinary data breaches recently, (eg, when details of thousands of police and civilian personnel employed by the Police Service of Northern Ireland were released in error). Freedom of Information generally refers to the right of citizens to access information held by public authorities. In reality, this information will often include personal data about individuals, whether that is staff, citizens or other individuals that the public authorities are in contact with. The rights of all individuals must be considered before any disclosure. If you are a data controller, you must understand your legal obligations concerning data subjects’ rights and have appropriate policies and procedures to ensure they are dealt with properly.

Biometric data: Meanwhile the UK Information Commissioner’s Office is currently consulting on draft guidance on biometric data. This guidance explains how data protection law applies to organisations that use or are considering using biometric recognition systems, and to vendors of these systems. At a glance:

  • You must take a data protection by design approach when using biometric data.
  • You should do a data protection impact assessment before you use a biometric recognition system. This is because using special category biometric data is likely to result in a high risk.
  • Explicit consent is likely to be the only valid condition for processing available to you to process special category biometric data.
  • If you can’t identify a valid condition, you must not use special category biometric data.

Employees’ digital monitoring rules: Digital work tools can record large amounts of data about employees, and therefore monitoring of that data is heavily restricted, states the Norwegian privacy regulator. In most cases, the employer does not have the right to monitor the employee’s use of work tools, including the use of the Internet, unless the purpose of the monitoring is to manage the company’s computer network or to uncover or clarify security breaches. At the same time, it can be difficult for employers to introduce such measures in particular cases, as many regulations control different aspects of the working environment, and may include trade union approval, transparency obligations, data protection implications, and information security.

Privacy by default: This means that products and services are designed to ensure that a person’s privacy is protected from the outset and that they do not need to take any additional steps to protect their data, explains the Latvian data protection regulator. This approach is designed to minimise possible violations in the process of data acquisition and usage, and unauthorized access and risks that could arise if personal data comes into the possession of a third party. This may include minimal necessary data collection, default settings of the user account, (in “private mode”), limited data retention, (followed by automatic anonymisation or deletion of user data if the account is inactive for a certain period), user control tools, (whether to allow the user profile to be found in search engines, etc), clear information notices, (including all third parties with whom the data may be shared), and security measures, (encryption, regular security audits).

Enforcement decisions

UiPath data leak: The Romanian data protection authority has fined learning platform UiPath SRL approx. 70,000 euros for massive data loss. It did not implement adequate technical and organisational measures to ensure that, by default, personal data cannot be accessed without the intervention of a person(s), including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, as well as a process for regularly testing, assessing and evaluating the effectiveness of implemented measures. This led to the unauthorised disclosure of and access to personal data, (user name and surname, the unique identifier, e-mail address, the name of the company where the user was employed, the country and details of the level of knowledge obtained within the courses), of about 600,000 users of the Academy Platform, for about 10 days. This violation is likely to bring physical, material or moral harm to the data subjects, such as the loss of control over their data or the loss of data confidentiality.

Misconfigured cloud storage: The UK Information Commissioner issued a reprimand to a recruitment company: the organisation misconfigured a storage container, with 12,000 records relating to 3,000 workers, to be publicly accessible without any requirement to authenticate. The personal data consisted of a variety of different data sets, including names, addresses, dates of birth, passports, ID documents and national insurance numbers. The company has since committed to periodically audit the configuration of cloud services as part of a wider security assessment including access rights, appropriate identity and access controls, event logging and security monitoring.

Vklass data leak: The Swedish privacy regulator has reprimanded the learning platform Vklass for not being able to detect abnormal user behaviour in its learning platform and to track what happened in the system. Multiple complainants alleged that an unauthorized person came across personal data about teachers and students from the learning platform. The reports come from municipal committees and private businesses that conduct school and educational activities. The incident probably occurred because a student wrote a script that automatically saved information from the learning platform in a database, and the information was then published openly on a website, which is now closed.

Edmodo and minors’ consent: Meanwhile in the US, the Federal Trade Commission obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parents’ consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule, (COPPA), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. Among many orders, the provider is obliged to identify the accounts in question and delete or destroy certain data, (from students under 13 years of age), periodically provide compliance reports to the Commission, permanently refrain from collecting more personal information than reasonably necessary for the child to participate in any activity offered on the online platform, etc.

Data security

High-risk systems: For some so-called “critical processing” IT systems, a data breach would create particularly high risks for people. As a result, they require an adequate level of security. To best support the professionals concerned, the French regulator CNIL has submitted a recommendation for public consultation, (in French). It specifically targets so-called “critical” processing operations, defined by the following two cumulative criteria: a) the processing is large-scale within the meaning of the GDPR, and b) a personal data breach could have very significant consequences either for the data subjects, for state security or for society as a whole.

This includes customer databases and other processing that bring together a large part of the population, such as in the energy, transport, banking or large-scale dematerialised public services, health data processing, etc. Risk scenarios may include attacks by organised criminal organisations or “supply chain attacks”, likely to take place over a long period; the compromise of third-party service providers responsible for IT development, maintenance or support operations; the exploitation of unknown vulnerabilities of software or hardware components; and the compromise of persons authorised to access the processing.

Email security guidance: Guidance by the UK Information Commissioner explains what organisations should, and could, do to comply with email security, including several case studies and a checklist. Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them. In brief:

  • You must assess what technical and organisational security measures are appropriate to protect personal information when sending bulk emails.
  • You should train staff about security measures when sending bulk communications.
  • You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy.
  • If you are only sending an email to a small number of recipients, you could consider sending each one separately, rather than one bulk email. 

Big Tech

OpenAI for organisations: OpenAI offers its most powerful version of ChatGPT to enterprises. It has longer context windows for processing longer inputs, advanced data analysis capabilities, customization options and more. According to the company, 80 per cent of Fortune 500 companies, (largest US corporations), have registered ChatGPT accounts, as determined by accounts associated with corporate email domains. Businesses have expressed concerns about privacy and security, fearing that their data may be used to train ChatGPT and that the application could mistakenly reveal sensitive consumer information to AI models. According to OpenAI, ChatGPT Enterprise users will have complete rights and ownership over their data, which will not be used for algorithm training.

‘Algorithmic disgorgement’: At the same time, the US Federal Trade Commission reminds companies of certain obligations when using Generative AI. When offering a generative AI product, companies need to inform customers whether and the extent to which AI training data includes copyrighted or otherwise protected material. Companies should not try to “fool people” into thinking that AI-generated works were created by humans. Companies must ensure that customers understand the material terms and conditions associated with digital products. The regulator also noted that unilaterally changing terms or undermining reasonable ownership expectations can be problematic, etc. Finally, in its enforcement of data protection regulations, the Commission has lately begun to compel “algorithmic disgorgement” – the destruction of not just the illegally obtained data itself, but also artificial intelligence models and algorithms constructed using such data.

Data protection digest 3 – 16 July 2023: can the new EU-US data privacy framework respect the GDPR to the letter? https://techgdpr.com/blog/data-protection-digest-17072023-can-the-new-eu-us-data-privacy-framework-respect-the-gdpr-to-the-letter/ Mon, 17 Jul 2023 08:26:07 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

EU-US Data Privacy Framework

Effective Immediately: On 10 July, the European Commission’s decision on the adequacy of the level of data protection in the US within the new data privacy framework entered into force. If an American-based business is on the approved list, you can transfer personal data to it as if it were a European (EEA) business. You still have to follow the other rules in the GDPR, for example having a legal basis for processing or a data processing agreement to share personal data with others.

Self-certification: The new data privacy framework enables US organisations to make self-certification submissions, including, as applicable, under the UK and/or Swiss extensions, and lets participating organisations make their annual re-certification submissions, (organisations self-certified under the invalidated Privacy Shield framework must comply with the updated principles, but they do not need to make a separate submission).

Transfer Impact Assessment: Data transfers to the US using EU standard contractual clauses or binding corporate rules are still possible, provided that a Transfer Impact Assessment is made. In that assessment, the limits on state security services’ ability to access and use transferred personal data that are recognised in the Commission’s adequacy decision can be relied upon.

Redress mechanism: The new framework gives European residents a legal remedy and allows them rectification of data collected in an illegal manner. In practice, reportedly, data subjects can file a complaint with their national data protection authority, which will be transmitted to the US. The national authority will ensure that the person concerned receives information related to the procedure and the final decision, (either that no breach of US law has been identified, or that a breach has been identified and that it has been remedied). Individuals will also be able to appeal a decision on a complaint if needed.

Criticism: Although the new data privacy framework marks a significant step forward, it was criticised by the EDPB and the Parliament as not sufficiently addressing the temporary bulk collection, retention, and dissemination of data by the US intelligence services, the scope of exemptions, the onward transfers, the exercisability of the data subject rights, and the practical functioning of the redress mechanism. Privacy advocacy group NOYB is also ready to challenge the framework in court again by the end of 2023 or the beginning of 2024.

Legal processes and redress

Procedural rules: The European Commission proposes a new law to streamline cooperation between data protection authorities when enforcing the GDPR in cross-border cases. For example, it will introduce an obligation for the lead Data Protection Authority to send a ‘summary of key issues’ to their counterparts concerned, identifying the main elements of the investigation and its views on the case. For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. And for businesses, it will clarify their due process rights when a DPA investigates a potential breach of the GDPR. The new law also recognises the importance and the legality of amicable settlement of complaint-based cases. 

“Stop”, “revoke”, “end”, and “opt-out”: The US Federal Communications Commission proposed guidelines that would allow customers to cancel consent to calls and text messages sent using automated technology “in any reasonable way”, allaboutadvertisinglaw.com reports. This contains texts such as “stop,” “revoke,” “end,” and “opt-out.” Callers and texters would be unable to limit the ways in which customers might cancel consent. Consumers can revoke via text, voicemail, or email to any phone number or email address where they would expect to contact the sender. A request must be fulfilled within 24 hours of being received. The government is also investigating and soliciting feedback on the present exemptions.  

CCPA/CPRA: Businesses that planned to comply with the amended California Consumer Privacy Act this month will now have until spring 2024. After the California Chamber of Commerce demanded that businesses have one year from the adoption of final regulations before enforcement could begin, a state court judge made a last-minute decision to postpone enforcement.

Minors’ safety online: On 28 June, the Louisiana Secure Online Child Interaction and Age Limitation Act was signed by the Governor. Notably, the act will require social media companies to withhold certain functions from accounts held by Louisiana residents who are minors, including prohibiting direct messaging with unfamiliar accounts and not displaying advertising and suggested groups, products, posts, services or users to the minor. Further, accounts held by minors will not show up in search results of other accounts unless they were already linked through “friending”.

Official guidance

APIs: The French privacy regulator CNIL published technical recommendations on data sharing by Application Programming Interfaces, (in French). All types of sharing of personal data by API, whether open or restricted, and all types of organisations, public or private, are covered by these recommendations. Three categories of actors in API data sharing are defined: data holders, API managers and data reusers. Recommendations are given to each category to guide them towards measures to achieve the desired level of security, but also measures likely to facilitate compliance with data protection principles, (exercise of rights, information obligation). However, it is up to organisations to evaluate their level of risk and apply the appropriate measures.

Google Search: The Danish data protection authority has recently published an advisory on how to have a search result about you deleted from a search engine, (eg, Google or Bing). If you wish to have a search result removed, you must first contact the search engine. This is done most easily through the complaint form. You must specify exactly which search result is in question and why you want the search result in question removed. A number of grounds for the right to erasure are laid down in Art. 17 of the GDPR. If the search engine does not want to remove the search result in question, you still have the option of complaining to the data protection authority, which then assesses whether it is appropriate to investigate the matter.

Research projects: The Danish data protection authority also published new guidance on GDPR-governed role allocation in research projects, (in Danish). It mainly consists of numerous examples of data controllers, data processors and joint data controllers that can arise in practice. In many cases, legal and professional obligations as well as professional standards could mean that the actor in question is prevented from being able to follow a detailed instruction from a business partner. For example, doctors who test a new surgical method as part of a research project will continue to be bound by their medical oath and are obliged to carry out the surgery in the most responsible manner, possibly without providing information or following an instruction that is relevant and necessary according to the trial protocol. Similarly, a laboratory remains subject to professional standards for the analysis of, for example, blood samples.

Lessons learned from reprimands: Looking back at the reprimands issued by the UK Information Commissioner’s Office in the past three months, here are three brief lessons for organisations across the public and private sectors to improve their data protection practices:

  • Avoid inappropriate disclosure of personal information by having policies in place and training your staff, (redacting documents properly, correct disposal, avoid accidental on-screen display of personal information).
  • Respond to information access requests on time, (organisations must respond within one month of receipt of the request. However, this could be extended by up to two months if the request is complex).
  • Deployment of any new apps should take a Data Protection by Design and Default approach from the very start.

Case law

Meta and consent: The CJEU decided that competition authorities can assess GDPR compliance when investigating undertakings. In the test case, the German cartel office in 2019 ordered Meta to stop collecting users’ data without their consent, calling the practice an abuse of market power. According to Art. 6 of the GDPR, there are six legal bases for processing personal data, one of which is consent, but Meta decided to use only the other five legal bases. The need for the performance of the contract with the user may justify the practice only if the processing is objectively indispensable. The CJEU expressed doubts as to whether personalised content and use of the Meta group’s own services, like Meta Pixel, fulfil this criterion. For companies to be able to use the ‘consent’ lawful processing condition they need to demonstrate that a person has ‘freely given’ that consent. This may be difficult to prove when a company such as Meta holds a dominant position in the market, as people have less choice over what platform they can use.

Big Tech

Google’s Privacy Sandbox: Since 2021, different features have been tested as part of Chrome Beta’s Origin Trials. As a result of these tests, and starting 13 March, some of the users of the standard version of Chrome were asked to enable three new targeting and ad measurement tools – the Privacy Sandbox. As part of the Chrome browser, it consists of a set of Google interfaces, (APIs), accessible by site publishers. These interfaces allow the continuation of targeted advertising, avoiding the technical constraints that could emerge with the end of third-party cookies. Google Chrome users included in the experimental phase are randomly selected and are informed by a specific screen when their browser is launched, asking for their consent to participate. A refusal will not affect navigation: it is still possible for users who have agreed to activate these features to reconsider their choice within the Chrome settings in the “Privacy and Security” tab and then “Privacy Sandbox”.

Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ https://techgdpr.com/blog/data-protection-digest-02062023-amassing-data-for-machine-learning-is-no-excuse-for-breaking-the-law/ Fri, 02 Jun 2023 08:30:20 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

‘Machine learning is no excuse to break the law’: The US Federal Trade Commission alleged that Amazon, (Alexa voice assistant), kept kids’ data indefinitely to further refine its voice recognition algorithm. If approved by the federal court, on top of a multimillion-dollar fine, Amazon will have to delete inactive child accounts and certain voice recordings and geolocation information, and will be prohibited from using such data to train its algorithms. Reportedly, Amazon is not alone in seeking to amass data to refine its machine-learning models.

Similarly, the FTC proposed enforcement action against Amazon’s subsidiary Ring. The complaint alleges that the company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos without consent, among other purposes to train algorithms, and by failing to implement basic security safeguards.

China SCCs: On 1 June, China’s new Standard Contractual Clauses for the cross-border transfer of personal data went into force. Entities using the SCCs must meet two requirements: a) a data transfer impact assessment must be performed by the data exporter, and b) the data exporter must sign SCC-compliant agreements with overseas recipients of the data. The Chinese SCCs do not distinguish between an exporter or receiver being a controller or a processor, in contrast to the EU SCCs. As an alternative to SCCs, organisations may also be required to undergo a security check by the Cyberspace regulator or certification by recognised institutions. Read more analysis by connectontech.com. 

Montana’s new privacy law and TikTok ban: Montana became the first US state to ban the use of TikTok and to prohibit mobile application stores from offering the Chinese-owned app within the state from next year. The ban covers state networks, and also prohibits third-party firms conducting business for or on behalf of the state from using applications with ties to foreign adversaries. The state would fine any entity, (an app store or TikTok), 10,000 dollars per day each time it “offers the ability” to access the platform or download the app. How these prohibitions will be enforced, though, is still unclear.

Montana’s Governor also signed a new Consumer Data Privacy Act, joining California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia, which already enacted comprehensive consumer privacy laws. The law is scheduled to take effect in October 2024.

Health care data: The US Federal Trade Commission is modernising the Health Breach Notification Rule, clarifying the rule’s applicability to health apps and similar technologies, many of which are not covered by HIPAA. Changes will be made to the definitions of “identifiable health information,” “breach of security,” “health care provider,” and “health care services or supplies,” as well as to the information that must be included in the consumer notice, and more. In parallel, to bridge the gap between HIPAA safeguards and health data obtained outside conventional medical settings, Washington State enhanced the protection of consumers’ identifiable health information by passing the “My Health My Data Act”.

Official guidance

Generative AI: The US Congressional Research Service published a paper on generative AI and data privacy. The term “general-purpose AI models”, (GPAI), was recently adopted by academics and policymakers to refer to software such as ChatGPT that can perform a variety of tasks. Large language models, (LLMs), which can detect, predict, translate, summarise and produce language, are the foundation of many general-purpose AI applications. Duolingo, Snapchat and other companies have partnered with OpenAI to deploy ChatGPT in their services. However, individuals may not know that their data was used to train models that are monetised and deployed across such applications.

SAR guidance: The UK Information Commissioner’s Office has published new guidance for businesses and employers on responding to Subject Access Requests. Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records. This includes where you got their information from, what you’re using it for and who you are sharing it with. 

Organisations must respond to a SAR from a worker without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests. At the same time, the UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. 

Right to object and right to erasure: The EDPB summarises the right to object in connection to the right to be forgotten in complaints from data subjects. Requests to stop processing personal data for marketing purposes and to delete already gathered data are frequently linked. Most of the cases show deficiencies in the internal procedure adopted to deal with such requests, including the accuracy of the procedure and internal communication, the timeframe for processing requests, and the accountability of the system for receiving/tracking complaints.

Workforce monitoring: Employers tend to monitor employees’ work performance, keeping track of the duration and frequency of their work, but also of their location and other indicators. As a rule, the systematic monitoring of employees by automated means, (cameras, apps), is a non-standard solution, states the Latvian data protection authority. It may only be used for short-term monitoring, and only if less privacy-intrusive means would not achieve the goal. Such processing must be clearly agreed in advance and must be understandable to both parties. Otherwise it can undermine mutual trust with the employee and may even contribute to a decline in the quality of work.

Enforcement decisions

Meta/Facebook enforcement: The largest GDPR fine to date, 1.2 billion euros, has been imposed by the Irish data protection authority on Meta Ireland. Following the “Schrems II” ruling, Meta continued to transfer data to the US on the basis of the Standard Contractual Clauses combined with supplementary measures. But these measures did not address the fundamental risks to data subjects arising from US state surveillance practices.

Meta must now suspend the transfers and bring the processing of already transferred personal data into compliance, stopping the unlawful processing within the next few months. The decision may have similar effects for any digital service provider subject to US surveillance laws and relying on EU Standard Contractual Clauses, until the problems are resolved by the Commission’s adoption of the upcoming EU-US Data Privacy Framework.

Charity organisation: The ICO completed an audit of Age UK Wiltshire, (charitable and voluntary sector). AUKW requested an audit in January and submitted an audit questionnaire detailing their data protection compliance concerns. After the investigation, the main areas for improvement were identified: 

  • Review and update existing data protection policies and create new policies covering records management, data sharing, DPIA, and information security. 
  • Ensure that data protection training is mandatory for all staff, including annual refreshers and specialised seminars. 
  • Complete an information audit to help the organisation have an understanding of all of the information that is held and its flows. 
  • Create an Information Asset Register, (IAR), to record the information assets identified by the information audit and ensure that the IAR is periodically reviewed.
  • Review and update the current subject access request, (SAR), procedure and policy, including identity checks, and communicate them to staff.
  • Create and maintain a SARs log as a documented record of all completed and ongoing SARs. 

Video surveillance: The Italian privacy regulator ‘Garante’ imposed a 50,000 euro fine on a clothing company, (with over 160 stores), for having installed video surveillance systems in various company outlets. The company had justified the need to defend against theft and to ensure the safety of employees and corporate assets, and prevent unauthorized access. The investigation showed that all the shops were equipped with at least 3 video cameras, active 24 hours a day, 7 days a week, in the areas reserved for workers and suppliers. In larger outlets, it was up to 27. The fine was issued, taking into account the significant number of employees involved, (over 500), and points of sale, as well as the absence, (or violation), of authorization or agreement with the trade union representatives.

Tax data: The Belgian data protection authority decided to prohibit the transfer of data of Belgian “Accidental Americans” by the Belgian Federal Public Finance Service to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian regulator, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. The regulator also orders the public service to inform data subjects, in a complete and accessible manner, about the data processing carried out under the FATCA agreement and its modalities. It also requires the service to carry out a DPIA.

Automated rejection of credit card application: Berlin’s supervisory authority imposed a 300,000 euro fine against a bank after a lack of transparency over the automated rejection of credit card applications, according to the EDPB summary. A Berlin-based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant’s income, occupation and personal details. Based on the information requested and additional data from external sources, the bank’s algorithm rejected the application without any particular justification. Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed poor creditworthiness in his case. 

Biometric ID checks: The organiser of the Mobile World Congress received a 200,000 euro fine in Spain for inadequate biometric ID checks at the 2021 event. For the “in-person” option, the organiser required a complainant to upload passport details, including photographs, which were transferred to a service provider in a third country for facial-recognition security checks. However, the stated legal basis varied from consent to legal obligation across different notices. Moreover, neither the privacy policies nor the email communications gave clear information on data transfers to a third country. Additionally, the organiser’s DPIA failed to assess the risks or the proportionality and necessity of the system implemented, (called BREEZZ).

Doctissimo fine: Following a complaint by the Privacy International association, the French privacy regulator fined the doctissimo.fr website 380,000 euros. The site mainly offers articles, tests, quizzes and discussions on health and well-being for the general public. The regulator found infringements concerning the duration of data retention, the collection of health data via online tests, the security of data, and the way cookies were placed on users’ terminals. Additionally, the company processes personal data jointly with other entities, in particular for the marketing of advertising space on the website. These joint controllership relationships were not governed by any contract.

Google Analytics: The Finnish data protection commissioner has issued a notice to the meteorological institute about the transfer of personal data to the US via website tracking technologies. The institute had not defined or applied the legal basis for the transfer of data in the use of reCAPTCHA and Google Analytics services. Nor had it suspended data transfers without delay after the CJEU’s “Schrems II” decision, even though it no longer had a valid basis. The institute has taken steps to remove the tools and services from its website. The order also includes the deletion of data that had been transferred illegally to the US. 

Data security

Mobile device management: Mobile devices make it easier for employees to do their job from home, at the workplace, or while on the road. To reduce an organisation’s risk profile, it is critical to manage security and device health. The US NIST explains the benefits of Mobile Device Management: an employee’s personal or corporate-owned device can be enrolled into an MDM solution to apply enterprise configurations, manage enterprise applications, and enforce compliance. To learn more about how standards-based, commercially available products can meet security and privacy needs, see NIST’s latest MDM guidance.

De-identification: The Government of Canada has published guidance on de‑identification as a privacy‑preserving technique. Although pseudonymisation is a step toward anonymisation, it still permits re-identification. The acceptable level of risk must be determined by context, and it is always preferable for privacy experts to work together with data specialists. Some activities increase the risk of re‑identification, such as integrating datasets or data matching, so it is important to continually assess privacy and re‑identification risks, even after privacy safeguards have been applied.
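The re-identification risk described above is easy to demonstrate concretely. The following is an added example, not code from the Government of Canada guidance: a small dataset is pseudonymised (the name is replaced by a keyed-hash token), yet an attacker holding an auxiliary dataset with the same quasi-identifiers (postcode, birth year, sex) can re-identify records by data matching. A k-anonymity check quantifies the risk, and generalising the quasi-identifiers reduces it. All records, the key and the column names are constructed for the example.

```python
"""Linkage attack on a pseudonymised dataset, and a k-anonymity check.

Added example: not from the Government of Canada guidance. All records are
constructed sample data; the HMAC key is a placeholder.
"""
import hashlib
import hmac
import itertools
from collections import defaultdict

# Quasi-identifiers: columns that survive pseudonymisation and can be
# matched against an outside source (electoral roll, social media, ...).
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")

KEY = b"constructed-demo-key"  # assumption: a secret kept by the data holder

# Constructed "source" dataset with direct identifiers and health data.
SOURCE = [
    {"name": "Alice Example", "postcode": "SW1A", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "Bob Example",   "postcode": "SW1A", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"name": "Carol Example", "postcode": "E1",   "birth_year": 1990, "sex": "F", "diagnosis": "HIV"},
    {"name": "Dana Example",  "postcode": "E1",   "birth_year": 1990, "sex": "F", "diagnosis": "flu"},
    {"name": "Eve Example",   "postcode": "E1",   "birth_year": 1990, "sex": "F", "diagnosis": "flu"},
    {"name": "Grace Example", "postcode": "SW1P", "birth_year": 1987, "sex": "F", "diagnosis": "migraine"},
    {"name": "Hank Example",  "postcode": "SW1P", "birth_year": 1981, "sex": "M", "diagnosis": "anxiety"},
]

# Constructed auxiliary dataset an attacker already holds: names plus the
# same quasi-identifiers, but no health data.
AUXILIARY = [
    {"name": "Alice Example", "postcode": "SW1A", "birth_year": 1984, "sex": "F"},
    {"name": "Carol Example", "postcode": "E1",   "birth_year": 1990, "sex": "F"},
    {"name": "Frank Example", "postcode": "N1",   "birth_year": 1970, "sex": "M"},
]


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed-hash token. Only the name
    changes; the quasi-identifiers are released untouched."""
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"token": token, **{k: v for k, v in r.items() if k != "name"}})
    return out


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class: every record hides among at least k."""
    return min(len(c) for c in equivalence_classes(records, quasi).values())


def max_reidentification_risk(records, quasi=QUASI_IDENTIFIERS):
    """Worst-case probability that a correct quasi-identifier match singles out one record."""
    return 1 / k_anonymity(records, quasi)


def linkage_attack(released, auxiliary, quasi=QUASI_IDENTIFIERS):
    """Data matching: for each known person, look up the released records with
    the same quasi-identifiers. A class of size 1 reveals that person's diagnosis."""
    classes = equivalence_classes(released, quasi)
    hits = {}
    for person in auxiliary:
        matches = classes.get(tuple(person[q] for q in quasi), [])
        if len(matches) == 1:
            hits[person["name"]] = matches[0]["diagnosis"]
    return hits


def generalise(record):
    """Coarsen quasi-identifiers: postcode to its letter prefix (area), birth
    year to decade. Must be applied identically to released and auxiliary data."""
    out = dict(record)
    out["postcode"] = "".join(itertools.takewhile(str.isalpha, record["postcode"]))
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    released = pseudonymise(SOURCE, KEY)
    print("k after pseudonymisation only:", k_anonymity(released))
    print("re-identified:", linkage_attack(released, AUXILIARY))
    coarse = [generalise(r) for r in released]
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified:", linkage_attack(coarse, [generalise(a) for a in AUXILIARY]))
```

With pseudonymisation alone the dataset is 1-anonymous, so one exact match on (postcode, birth year, sex) recovers a diagnosis; after generalising postcode to area and birth year to decade it is 2-anonymous and the same attack returns nothing. The check has to be re-run whenever a new dataset is joined, because every added column is a potential quasi-identifier.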

Big Tech

NHS data sharing: According to the Guardian, NHS trusts are sharing sensitive data about patients’ health conditions, medical appointments, and treatments with Facebook without their knowledge and despite promises to never do so. An Observer investigation revealed a monitoring feature, (Meta Pixel), on the websites of 20 NHS trusts that has been collecting medical and patients’ browsing data for years and sharing it with the tech giant. The information contains specific details such as sites viewed, buttons pressed, and keywords searched, and matched to the user’s IP address. This included patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.

Microsoft cookies: Microsoft Ireland revised its cookie policy for the Bing search engine in France after receiving a reprimand from the country’s data protection agency CNIL for privacy violations, govinfosecurity.com reports. In December the CNIL fined the company 60 million euros for a deceptive cookie policy that, it said, made it impossible for Bing users to stop data collection. CNIL gave Microsoft three months to bring its cookie practices into compliance or risk further penalties of 60,000 euros per day. In particular, Microsoft needed to obtain French Bing users’ consent before setting cookies used to combat advertising fraud.

The Privacy Sandbox: Google announced the next stages of Privacy Sandbox – General availability and supporting scaled testing. In Q1 of 2024, it plans to deprecate third-party cookies for one per cent of Chrome users. This will support developers in conducting real-world experiments that assess the readiness and effectiveness of their products without third-party cookies. This will follow the introduction in Q4 of 2023 of the ability for developers to simulate Chrome third-party cookie deprecation for a configurable percentage of their users. 

The post Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ appeared first on TechGDPR.

Understanding GDPR Compliance in Recruitment
https://techgdpr.com/blog/understanding-gdpr-compliance-in-recruitment/
Wed, 29 Mar 2023 11:24:47 +0000

In the process of recruitment and scouting for new potential hires for a vacancy in an organization, the collection and processing of personal data of those candidates is inevitably involved. 

Therefore, it is important to understand GDPR compliance. In most cases, the company that posts its vacancy and embarks on the recruitment process will be considered the data controller. This will make them responsible for adhering to several obligations.

Notably, here are some specific and recurrent instances, in the course of recruitment, headhunting and hiring, where a controller should look closely at the GDPR to make sure it is implementing the most appropriate and compliant solution. 

Legal bases: which is the most appropriate?

The lawfulness principle of the GDPR, first introduced in Article 5, requires that data is processed in a lawful manner, meaning that it must rely on at least one of the legal bases listed in the following Article 6. Not all legal bases are, however, always going to be applicable or the most appropriate choice, especially when dealing with candidates sourced online or applicants. The same holds true for current employees.

The imbalance of power when relying on consent

The European Data Protection Board (EDPB) acknowledges in its Guidelines 05/2020 on consent that there is a clear imbalance of power between an employer and their employee. Undeniably, the same applies between a potential employer and a prospective employee, or applicant. Although there is no dependency yet, one can still argue that an employer has a stronger bargaining position over a candidate who wishes to work for them. Therefore, the EDPB generally advises against the use of consent as a legal basis for processing activities carried out in this context. That is because it would be difficult to prove that consent is freely given, as required by the definition in Article 4 of the GDPR. In practice, a candidate would likely feel obliged to consent to any use of their data, assuming it gives them a better chance of getting the job.

Legitimate interest is a good option, but comes with requirements

Instead, relying on legitimate interest might be preferable. However, the controller must still be mindful that this legal basis also comes with requirements. Under Article 6 of the GDPR, the legitimate interest of the controller cannot override the interests or fundamental rights and freedoms of the data subject. This means that, first and foremost, the organization has to identify the specific legitimate interest pursued. Generally, sourcing individuals online, perhaps on professional social networking platforms, to find suitable candidates for a specific position can be in the interest of growing a team and bettering the organization overall. However, merely identifying the interest is not enough. One also has to balance this interest against the rights and freedoms of the data subject, the so-called balancing test, by performing a legitimate interest assessment.

Performance of a contract can be relied upon, but with limitations

Similarly, the legal basis of necessity for the performance of a contract might actually be the most appropriate for processing the data of individuals who apply for an open position, specifically under the wording of Article 6(1)(b): processing necessary in order to take steps at the request of the data subject prior to entering into a contract. This requires strict adherence to that wording, however: it must be a contract that the data subject has requested. Therefore, for processing activities in the context of online recruitment and headhunting, where the candidate has not approached the employer, it is unlikely that this legal basis can be relied upon. Instead, as mentioned above, legitimate interest might be the only option.

Online recruitment and the duty to inform

On the topic of online scouting and headhunting, there are further legal obligations that controllers need to be mindful of when processing personal data for this purpose: depending on how these activities are carried out, the requirements of Article 14 of the GDPR, which applies where personal data has not been obtained from the data subject.

Reaching out to the candidate in due time

First and foremost, it is crucial to actually contact the candidate if their data has been processed. Article 14 requires this communication to be made within a reasonable period after obtaining the personal data, and at the latest within one month. That time-frame should also serve as the retention period for data processed for this purpose, for example where the candidate does not respond.

The communication should also contain all the information needed to meet the transparency principle. Therefore, ideally the candidate should be informed directly, or at the very least be provided with a specific privacy notice containing all the information required by Article 14, e.g. the identity of the controller, the purpose of processing, the categories of data processed, etc.

Honoring data protection principles and data subject rights

Needless to say, the controller should adhere to the other principles of the GDPR. Notably, data minimization, by processing only the information that is strictly required to source the ideal candidate.

Furthermore, a controller should also inform candidates of, and be mindful of, data subject rights, specifically ensuring that mechanisms are in place to allow candidates to exercise them, and ensuring that data is processed for a specific purpose only, so that once that purpose has been fulfilled, the data is no longer processed. In practice: if the data is processed only to reach out to potential candidates, and they reject the offer but do not expressly request erasure, their personal information should still be erased, unless it serves another explicitly indicated purpose.

Processing special categories of data in recruitment

In accordance with Article 9 of the GDPR, special categories of data include the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data related to sex life or sexual orientation. As a general rule, processing data that falls under these categories is prohibited. However, there are exceptions. In the context of hiring potential employees, two might be particularly relevant: explicit consent from the data subject, and necessity for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law, based on national law provisions.

How does this apply to recruitment?

There are several scenarios. For example: a potential employer might wish to request information about a candidate’s disability to make relevant adjustments, perhaps for interviews and, if relevant, for the work moving forward. Furthermore, many companies have established equal opportunity programs dedicated to specific minorities and/or to a certain field. Alternatively, they wish to monitor whether they meet equal opportunity requirements. Some organizations might even get recognition for ensuring high standards of diversity, e.g. Stonewall Top 100 Employers in the UK or the Human Rights Campaign Corporate Equality Index. However, in order to monitor those metrics and ensure diversity, they process special categories of data, such as race, disability (health data) and sexual orientation.

Explicit consent or national law obligation?

As mentioned before, using explicit consent might be an issue, because it is hard to truly guarantee that it is freely given in this context. Especially when applying for an equal opportunity program, it is unlikely that the applicant has any choice but to disclose the relevant information, as that will be the deciding factor as to whether they meet the criteria to enter into the program. 

Instead, one can rely on the second exception, related to national legal obligations. In many countries, laws that ensure the equal treatment of minorities and penalize discrimination at work also include articles or sections that expressly permit positive action in the field of employment. For example, in Germany, positive action is permitted by §5 of the General Equal Treatment Act (AGG). In the UK, where the UK GDPR applies, this is provided for in section 159 of the Equality Act 2010.

Organizations are left free to decide how to implement this, and this freedom has gradually led them to define diversity metrics and equal employment opportunity programs. Since this is a way of exercising a legal right of the data subject and a legal obligation of the controller, one could preferably rely on this exception rather than on explicit consent.

In fact, best practice would be to rely on the national legal obligation exception where it applies, but still request the data subject’s explicit consent, which gives them the option not to reveal this information, e.g. via a “prefer not to say” answer.

In conclusion…

Under the GDPR, controllers must process the personal data of candidates and applicants lawfully. Not all legal bases are equally applicable: in the context of recruitment, relying on legitimate interest or performance of a contract might be more reliable than relying on the applicant’s consent, although those also come with their own rules and limitations.

Furthermore, a controller must ensure to note and follow the obligation to contact candidates that it scouts online, and keep in mind the one month deadline to get in touch.

Lastly, controllers might wish to get acquainted with national legal obligations in the scope of equal employment, as legal obligations in those frameworks provide them with a legal basis to process special categories of data, for the purpose of promoting diversity in the workplace. 

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.

The post Understanding GDPR Compliance in Recruitment appeared first on TechGDPR.

Data protection & privacy digest 19 Jan – 3 Feb 2023: threshold for cookies, spy pixels, consent evidence, data storage and deletion
https://techgdpr.com/blog/data-protection-digest-06022023-threshold-for-cookies-spy-pixels-consent-evidence-data-storage-and-deletion/
Mon, 06 Feb 2023 09:34:51 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: threshold for cookies, advertising claims’ mediation, China’s outbound transfers

The EDPB approved a minimum threshold for the use of cookies and the subsequent processing of the data collected. No cookies that require consent can be set without a positive action by the user, nor purely on the grounds of the data controller’s legitimate interest. The absence of a refuse option, visible and accessible at any time on any layer of the banner, constitutes an infringement. The limitations, such as for strictly necessary technical cookies, must be indicated. Confusing information, designs and colours are not acceptable.

The Spanish data protection agency AEPD announced a mediation system to expedite the resolution of advertising claims, (in Spanish). It has approved the modification of the Autocontrol Code of Conduct ‘Data processing in advertising activity’, which includes out-of-court procedures to resolve individuals’ complaints more quickly. Advertisers must respond within a maximum of 15 days, proposing the actions they deem pertinent for mediation. The maximum duration of the procedure will be 30 days.

The Cyberspace Administration of China has published guidelines on outbound transfers of personal and “important” data from China to other jurisdictions, whitecase.com reports. Organisations must comply with these guidelines by 1 March or risk administrative, civil and criminal penalties. In certain cases the measures include security assessments and state approval before engaging in outbound data transfers. Outbound data transfers in this case include:

  • an entity in China actively sending data to a recipient in another jurisdiction;
  • permitting a person or entity outside China to access data generated in the course of the data processor’s operations in China;
  • multinational intragroup transfers of data; and
  • operating centralised document management systems for global operations with servers hosted outside China.

Official guidance: consent evidence, data storage periods and deletion, TOMs, training, recruitment data

Denmark’s privacy regulator explained the balance between consent evidence requirements and data minimisation. The data controller must be able to demonstrate that the data subject has given consent. However, this obligation only applies as long as the processing is ongoing. After the processing activity has ended, (eg, because the data subject has withdrawn consent), there is no obligation to keep demonstrating that evidence. Moreover, the data controller has a duty to delete the personal data, and the additional data held as evidence, without undue delay after consent is withdrawn, (unless needed for legal claims to be established or defended, and then only for a short period of time).

The Portuguese privacy regulator CNPD published a guidance on technical and organisational security measures, aimed at data controllers and processors. The CNPD lists a set of TOMs that must be considered by organisations in their risk prevention and minimisation plans, (in Portuguese). The list is dynamic and not exhaustive due to rapid technological changes and is therefore subject to updates whenever necessary. The increasing number of security incidents in the past year revealed that if organisations had been equipped with adequate security measures, the risks would have been lower and the impact on the rights of data subjects smaller. 

The GDPR states that the organisation, (controller), is obliged to limit the storage of personal data with the intention that the data is not stored longer than is necessary to achieve its purpose. The Latvian privacy regulator DVI explains how to determine the data storage period, and what to do when it is expired. The organisation must have internal procedures in place in order to determine:

  • that the purpose has been achieved, and the data cannot be further used for any other related purpose, (eg, the deadline specified in the regulatory act has been reached, or the legal basis has lapsed);
  • the frequency with which the purposes of the data processing and their justifications will be reviewed;
  • how to receive a signal that personal data has expired, and
  • how to inform data subjects of these periods, (or the criteria that were taken into account to determine them), in the privacy policy. 

In the end, data must be deleted completely, without possibility of recovery. The deletion procedures must include finding persons responsible, location of the data, deletion follow-up, informing processors and other controllers, and the data subjects.

The Latvian regulator also issued a reminder of the importance of data protection training. It is necessary to familiarise employees with the framework created in the organisation for data protection and processing: cyber security, specific industry regulations, employee liabilities for violations, data breach responses, and reviewing procedures. A desired outcome would be: a customer is asked to provide his personal data for identification; if the client has questions about why this is necessary, the employee should be able to reasonably answer it and indicate that more detailed information is available in the privacy policy. 

A recruitment process necessarily involves processing a significant amount of personal data about candidates. New technologies have multiplied recruitment channels, (social networks, personalised advertising, specialised search engines), and communication tools, (videoconferencing, chatbots, mobile applications). They have also led to large databases that enable the use of artificial intelligence and of tools that assess candidates' "soft skills". In this context, the French regulator CNIL offers a guide and a set of practical sheets and Q&As to support recruitment stakeholders in their compliance, (in French). 

Investigations and enforcement actions: game developers, spy pixels, psychometric tests, unwanted membership, Covid-related algorithms, email security

The UK’s ICO published an Age Appropriate Design Code, (AADC), audit of Facepunch Studios, a games developer. Facepunch does not require a user account, although some gameplay data and device information is collected in-game. Facepunch also shares some personal data of users with third parties in order to operate parts of, or functions within, its games or services. The audit concluded that the age assurance measures in place should be improved, by assessing and reliably determining the actual ages of current UK child users, regularly monitoring the effectiveness of the third-party age gate used, and assessing which elements of an online service are appealing to or likely to be accessed by children. Where actual user ages are not established with certainty, the AADC standards should be applied to all users. 

The Danish data protection authority criticised Vækstfonden, (Denmark’s investment fund), for using spy pixels in its newsletters. As with the processing of personal data using cookies on websites, the use of spy pixels requires a legal basis under the GDPR. The pixels were used to analyse which articles recipients clicked on, in order to optimise how the newsletters were organised and sent, but the fund had not met its obligation to inform recipients about the processing. Vækstfonden stated that it has changed its newsletter supplier and updated its privacy policy. 
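Spy pixels are easy to find once you know what to look for, so here is an added example, not from the original digest or from the Danish authority's decision, that scans an HTML newsletter body for them: an `<img>` that is invisible, loads from a host other than the sender's, or carries a per-recipient identifier in its query string. The newsletter markup, the sender domain `example-fund.test` and the list of identifier parameter names are constructed assumptions for the example.

```python
"""Find tracking ("spy") pixels in an HTML e-mail body.

Added example, not from the original article or from any regulator's
decision. A tracking pixel is typically an <img> that is invisible
(1x1, zero-sized or display:none) and whose src points to a host other
than the sender's, with a per-recipient identifier in the query string.
The sample newsletter below is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

SAMPLE_NEWSLETTER = """
<html><body>
<p>Dear reader, here is this month's newsletter.</p>
<img src="https://cdn.example-fund.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.mailvendor.test/o/12345.gif?rid=8f3c2a&amp;c=nl42" width="1" height="1" alt="">
<img src="https://img.mailvendor.test/open?u=abc" style="display:none;width:0;height:0">
<a href="https://www.example-fund.test/articles/1">Read the article</a>
</body></html>
"""

SENDER_DOMAIN = "example-fund.test"  # assumed: the newsletter's own domain

# Assumed: query parameter names commonly used to carry a recipient identifier.
ID_PARAMS = {"rid", "uid", "u", "cid", "e", "email", "sub", "id"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_invisible(attrs):
    """True if the image would render as (effectively) nothing."""
    w = (attrs.get("width") or "").strip()
    h = (attrs.get("height") or "").strip()
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return (w in tiny and h in tiny) or "display:none" in style or "width:0" in style


def _third_party(host, sender_domain):
    return not (host == sender_domain or host.endswith("." + sender_domain))


def find_tracking_pixels(html, sender_domain=SENDER_DOMAIN):
    """Return a list of (src, reasons) for images that look like tracking pixels."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        reasons = []
        if _is_invisible(attrs):
            reasons.append("invisible")
        if parsed.hostname and _third_party(parsed.hostname, sender_domain):
            reasons.append("third-party host")
        ids = set(parse_qs(parsed.query)) & ID_PARAMS
        if ids:
            reasons.append("identifier in query: " + ",".join(sorted(ids)))
        # An invisible image alone is not proof (spacer GIFs exist); require it
        # plus at least one signal that the request identifies the recipient
        # or goes to a third party.
        if "invisible" in reasons and len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_NEWSLETTER):
        print(src, "->", "; ".join(reasons))
```

Run it against a saved newsletter and each flagged `src` is a request the recipient's mail client would make on open, revealing at least the open time and IP address to the pixel's host; that request is the processing for which the Danish authority said a legal basis and information to recipients were needed.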

Spain’s AEPD fined Thomas International 40,000 euros for processing sensitive data, Data Guidance reports. The complaint concerned a psychometric test used by Agroxarxa and run by Thomas International. Although Agroxarxa stated that candidates were not required to provide sensitive personal data, the test requested it and told candidates that Agroxarxa's HR department required it. Thomas International provided the same questionnaire to all clients using its service, so sensitive personal data was processed even where the client had not asked for it.

In the US, the Federal Trade Commission is sending payments totaling more than 973,000 dollars to 17,064 people who lost money after NutraClick automatically enrolled them in unwanted membership programs for supplements and beauty products and misled consumers about when they had to cancel trial memberships to avoid monthly charges.

The Italian privacy authority has sanctioned three local health authorities which, through the use of algorithms, had classified patients according to their risk of Covid-related complications. The patients' data had been processed without a suitable regulatory basis, without providing data subjects with all the necessary information, (in particular on the methods and purposes of the processing), and without first carrying out an impact assessment. 

Ireland’s privacy regulator fined a nursing homes operator. The credentials of a user account at a nursing home were captured on a fake website via a phishing email. This allowed the attacker to set up forwarding of all inbound emails to a third-party email account. Adequate technical and organisational measures, the regulator found, could have included appropriate encryption of data transferred over external networks, suitable phishing training, and regular testing of the safeguards. 
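The forwarding rule is the part of this incident a defender can detect, so here is an added example, not part of the digest or of the regulator's decision, that scans mailbox audit events for rules or mailbox settings that divert mail to an address outside the organisation. The events are constructed, the organisation's domain `carehome.test` is an assumption, and the field names are only loosely modelled on Exchange Online mailbox-audit records; map them to whatever your mail platform actually logs.

```python
"""Flag mailbox rules that forward inbound mail to an external address.

Added example, not part of the original digest or of the Irish DPC's
decision. The sample audit events are constructed for this example and
only loosely modelled on Exchange Online mailbox-audit records; the field
names (Operation, UserId, Parameters) are assumptions, so map them to
whatever your mail platform logs.
"""
import json

INTERNAL_DOMAINS = {"carehome.test"}  # assumed: the organisation's own mail domains

# Constructed sample: one benign rule, one forward-all rule to an external
# mailbox, and a mailbox-level forwarding change (no rule needed at all).
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"CreationTime": "2023-01-12T08:02:11", "Operation": "New-InboxRule",
                "UserId": "nurse.a@carehome.test", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "SubjectContainsWords", "Value": "invoice"},
                               {"Name": "MoveToFolder", "Value": "Invoices"}]}),
    json.dumps({"CreationTime": "2023-01-12T08:05:40", "Operation": "New-InboxRule",
                "UserId": "nurse.a@carehome.test", "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "backup.mail99@freemail.test"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2023-01-12T08:06:02", "Operation": "Set-Mailbox",
                "UserId": "nurse.a@carehome.test", "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:backup.mail99@freemail.test"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
])

# Parameters whose value is a forwarding destination.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters that narrow a rule to a subset of mail; none present means every message.
CONDITION_PARAMS = {"From", "SubjectContainsWords", "BodyContainsWords",
                    "SentTo", "SubjectOrBodyContainsWords", "HasAttachment"}


def _domain(addr):
    addr = addr.split(":", 1)[-1]  # strip an "smtp:" prefix if present
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_event(event, internal_domains=INTERNAL_DOMAINS):
    """Return a finding dict if the event sets up external forwarding, else None."""
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    targets = [v for k, v in params.items() if k in FORWARD_PARAMS]
    external = [t for t in targets if _domain(t) and _domain(t) not in internal_domains]
    if not external:
        return None
    return {
        "time": event.get("CreationTime"),
        "user": event.get("UserId"),
        "operation": event.get("Operation"),
        "client_ip": event.get("ClientIP"),
        "forward_to": external,
        "all_inbound_mail": not (CONDITION_PARAMS & set(params)),
        # Forwarding plus deletion hides the diversion from the mailbox owner.
        "hides_copies": params.get("DeleteMessage") == "True"
        or params.get("DeliverToMailboxAndForward") == "False",
    }


def scan_audit_log(text):
    """Parse newline-delimited JSON events and return every external-forwarding finding."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = analyse_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f)
```

The check flags both the client-side inbox rule and the mailbox-level forwarding address, because an attacker with the account password can use either; pairing the finding with the client IP that created the rule is what lets an analyst tell the victim's usual location from the phisher's.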

Meanwhile, the Swedish privacy regulator fined an insurance company for sending sensitive personal data by e-mail without sufficient protection. The email was protected only by transport encryption. That encryption ends at each mail server along the way, before the message reaches the final recipient, so there was a risk that unauthorised persons could read the message in plain text after the encrypted transmission had ended.

Data security: ISO 31700 Privacy by Design, AI Risk Management Framework by NIST, taxonomy of ICT incidents, mobile data

The International Organisation for Standardisation has finally published the long-awaited ISO 31700. It establishes high-level requirements, (and use cases), for privacy by design to protect privacy throughout the lifecycle of a consumer product, including data processed on the consumer's side. This covers consumers’ personally identifiable information and other data processed, (collected, used, accessed, stored, and deleted), or intentionally not collected or processed, by the organisation and by digital goods and services within the digital economy. The preview document is available here.

The US NIST published an AI Risk Management Framework. AI systems and the contexts in which they are deployed are frequently complex, making it difficult to detect and respond to failures when they occur. AI risk management can drive responsible uses and practices by prompting organisations and the internal teams that design, develop, and deploy AI to think more critically about context and about potential or unexpected negative and positive impacts. The core concepts remain human centricity, social responsibility, and sustainability.

In Italy, the National Cybersecurity Agency offered a new taxonomy of incidents on ICT assets, subject to mandatory notification. After initial access, execution, installation & lateral movements, it talks about “Actions on objectives”, which refers among other things to: collecting from within the network confidential and sensitive data or detecting their presence outside the systems authorised to process them; exfiltrating data from within the network to external resources or manipulating, degrading, disrupting, or destroying systems, services, or data. 

Could your phone be leaking data that you are not aware of? asks the US NIST. It goes on to explain how control of data may be lost through unauthorised or unwarranted transmission to an external source. Mobile data leaks can also occur when device privacy settings or applications are misconfigured. The data at risk includes personally identifiable information, financial and health data, video and audio files, information about how an individual uses the Internet, and location tracking data. To prevent this, NIST advises organisations to:

  • Manage mobile device settings;
  • Preserve confidentiality, by employing data in transit protection;
  • Keep mobile operating system and applications up to date;
  • Apply zero trust principles;
  • Separate work from personal information, (eg, under a Bring Your Own Device policy);
  • Apply app vetting to identify security and privacy risks;
  • Apply Mobile Threat Defense solutions that monitor for device-, app-, and network-based attacks.

Big Tech: the Digital Services Act’s deadline, Replika AI chatbot ban

The European Commission has published non-binding guidance to help very large online platforms and search engines within the scope of the Digital Services Act, (DSA), comply with their requirement to report user numbers in the EU, at the latest by 17 February and at least once every six months afterwards, (small businesses and start-ups must provide the information on request from the authorities). In the near future very large online platforms and search engines will be subject to additional obligations, such as carrying out a risk assessment and taking corresponding measures to mitigate risks to users’ rights online. 

Replika, an AI chatbot company, is not allowed to use the personal information of Italian users, according to Italy’s data protection agency, which cites risks to children and emotionally fragile individuals. The US-based start-up offers users personalised avatars that talk and listen to them. The lack of an age-verification mechanism, such as filters for minors or a blocking mechanism if users do not explicitly state their age, was one of many issues that the Italian regulator highlighted. Additionally, the processing of personal data by the company is illegal because it cannot be justified by a contract that a minor is unable to sign.

The post Data protection & privacy digest 19 Jan – 3 Feb 2023: threshold for cookies, spy pixels, consent evidence, data storage and deletion appeared first on TechGDPR.

Data protection & privacy digest 3 – 17 Jan 2023: personalised ads dilemma: contract as a legal basis, in-apps tracking via technical identifiers https://techgdpr.com/blog/data-protection-digest-18012023-personalised-ads-contract-as-a-legal-base-in-apps-tracking-via-technical-identifiers/ Wed, 18 Jan 2023 10:40:33 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Ad Tech: Meta personalised ads, technical identifier system in App Store, IAB Europe’s consent mechanism

Meta has a few months to reassess the legal basis on which Facebook and Instagram use personal data to target advertising in the EU, after the social media giant was issued fines totalling 390 million euros. The case related to a 2018 change in the terms of service of Facebook and Instagram, following the entry into force of the GDPR, by which Meta sought to rely on the so-called “contract” legal basis for most of its data processing operations. The services were not accessible to users who declined to press the “I agree” button. The final decision states that Meta cannot rely on contract as a legal basis for this processing, because the delivery of personalised ads is not necessary to fulfil Facebook’s contract with its users.

The final decision came under pressure from many privacy regulators in the EU/EEA, (under the one-stop-shop mechanism). In particular, the lead Irish regulator DPC disagreed with a number of counterparts and took the side of Meta that Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. This reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the terms of service. When it became clear that a consensus could not be reached, the regulators referred the dispute to the EDPB who later issued a binding decision.

Finally, the DPC was criticised for not freshly investigating all Facebook and Instagram data processing operations, as directed by the EDPB in its binding decision. The DPC believes that the EDPB does not have a general supervisory role, akin to that of national courts, over independent national authorities, and that it is not for the EDPB to instruct an authority to engage in an open-ended investigation. The DPC is now considering bringing an action for annulment before the CJEU in order to set aside the EDPB’s directions. 

The French privacy regulator CNIL fined Voodoo, a smartphone game publisher, 3 million euros for using an essentially technical identifier for advertising without the user’s consent. The investigation showed: 

  • When Voodoo offers an application on the App Store, Apple provides an identifier for vendors, (IDFV), a technical identifier that lets the publisher track users’ use of its applications. 
  • An IDFV is assigned for each user and is the same for all applications distributed by the same publisher. 
  • By combining it with other information from the smartphone, the IDFV tracks people’s browsing habits, including the game categories they prefer, in order to personalise the ads seen by each of them.
  • When opening a game application, a first Apple-designed page, (App Tracking Transparency or ATT), is presented to the user in order to obtain their consent to the tracking of their activities on the applications downloaded on their phone. 
  • When the user refuses the “ATT solicitation”, a second window is presented by Voodoo indicating that advertising tracking has been disabled while specifying that non-personalised advertisements will still be offered. 

During its checks, however, the CNIL found that when a user expresses their refusal to be the subject of advertising tracking, Voodoo still reads the technical identifier associated with this user and always processes information related to their browsing habits for advertising purposes, therefore without their consent. 

Similarly, the CNIL sanctioned Apple Distribution International with a fine of 8 million euros for not having obtained the consent of French iPhone users, (of the App Store), before depositing identifiers used for advertising purposes. Identifiers serving several purposes, including the broadcasting of advertisements, were by default read automatically on the user’s device without consent. 

Meanwhile, the Belgian data protection authority approved IAB Europe’s action plan for its Transparency and Consent Framework – a widely used approach to collecting and managing consent for targeted advertising cookies in the EU. A year ago, a Belgian regulator fined the company 250,000 euros for multiple violations of the GDPR including the absence of a legal basis for processing. The measures proposed in the action plan stem directly from the assumption that:

  • The TC String, (a digital marker containing user preferences), should be considered personal data, and 
  • IAB Europe acts as a (joint) controller for the dissemination of TC Strings and other data processing done by TCF participants. 

Both of these assumptions have been referred to the CJEU by the Belgian Market Court for a preliminary ruling, and such a referral was explicitly asked for by the Belgian authority itself in the course of the proceedings.
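To make concrete what the Belgian authority and the Market Court are arguing about, here is an added example, not from the digest, from IAB Europe or from the decision, that encodes and decodes the core segment of a TCF v2 TC String. It follows the core-segment bit layout as this editor understands it and handles only the fixed-width fields and a bit-field vendor-consent section; range-encoded vendor sections, the legitimate-interest vendor section and publisher restrictions are not decoded. All sample values are constructed.

```python
"""Encode and decode the core segment of an IAB TCF v2 TC String.

Added example, not from the original digest, from IAB Europe or from the
Belgian authority's decision. The bit layout follows the TCF v2 core-segment
specification as the author of this example understands it; only the fields
up to the vendor-consent bit field are handled. The sample values below are
constructed, not taken from a real consent record.
"""
import base64

# (field name, bit width) for the fixed-width head of the core segment.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
    ("publisher_cc", 12), ("max_vendor_id", 16), ("is_range_encoding", 1),
]
LETTER_FIELDS = ("consent_language", "publisher_cc")  # two 6-bit letters, A=0


def _b64url_encode(bits):
    bits = bits + "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(segment):
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    return "".join(f"{b:08b}" for b in raw)


def _letters_to_bits(two_letters):
    return "".join(f"{ord(c) - ord('A'):06b}" for c in two_letters.upper())


def _bits_to_letters(bits):
    return "".join(chr(ord("A") + int(bits[i:i + 6], 2)) for i in range(0, len(bits), 6))


def encode_core(fields, vendor_consents):
    """Build a core segment from a field dict and a set of consented vendor IDs."""
    values = dict(fields)
    values["max_vendor_id"] = max(vendor_consents, default=0)
    values["is_range_encoding"] = 0  # this example only writes bit fields
    bits = ""
    for name, width in CORE_FIELDS:
        v = values[name]
        bits += _letters_to_bits(v) if name in LETTER_FIELDS else f"{v:0{width}b}"
    # Vendor bit field: bit i (1-based) set means vendor i has consent.
    bits += "".join("1" if i in vendor_consents else "0"
                    for i in range(1, values["max_vendor_id"] + 1))
    return _b64url_encode(bits)


def decode_core(tc_string):
    """Decode the fixed fields and the vendor-consent bit field of the core segment."""
    bits = _b64url_decode(tc_string.split(".")[0])  # further segments are ignored
    out, pos = {}, 0
    for name, width in CORE_FIELDS:
        chunk, pos = bits[pos:pos + width], pos + width
        out[name] = _bits_to_letters(chunk) if name in LETTER_FIELDS else int(chunk, 2)
    if out["is_range_encoding"]:
        raise NotImplementedError("range-encoded vendor sections are not handled here")
    n = out["max_vendor_id"]
    out["vendor_consents"] = {i + 1 for i, b in enumerate(bits[pos:pos + n]) if b == "1"}
    # Purposes are numbered 1..24, most significant bit first.
    out["purposes"] = {i + 1 for i in range(24) if out["purposes_consent"] >> (23 - i) & 1}
    return out


SAMPLE_FIELDS = {  # constructed values; timestamps are deciseconds since the epoch
    "version": 2, "created": 16738000000, "last_updated": 16738000123, "cmp_id": 300,
    "cmp_version": 2, "consent_screen": 1, "consent_language": "FR",
    "vendor_list_version": 160, "tcf_policy_version": 2, "is_service_specific": 1,
    "use_non_standard_stacks": 0, "special_feature_opt_ins": 0,
    "purposes_consent": (1 << 23) | (1 << 21),  # purposes 1 and 3
    "purposes_li_transparency": 0, "purpose_one_treatment": 0, "publisher_cc": "BE",
}

if __name__ == "__main__":
    tc = encode_core(SAMPLE_FIELDS, {1, 9, 52})
    print(tc)
    print(decode_core(tc))
```

Decoding shows why the "it only stores preferences" view is hard to sustain: besides the purposes and vendors, the string carries two 36-bit timestamps in tenths of a second plus CMP, screen and language identifiers, values that differ from one visitor's consent to the next and are then broadcast to every TCF participant on the page.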

Legal processes and redress: administrative and civil remedies, data subject access rights

The CJEU has ruled that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with, and independently of, each other. Given that the parallel exercise of administrative and civil remedies could give rise to contradictory decisions, (eg, when the supervisory authority refuses an individual's request and the individual then appeals to a court), a Hungarian court asked the CJEU whether one of those remedies takes priority over the other. The EU's top court held that it is for each Member State to ensure, through its procedural rules, that the concurrent and independent remedies provided for by the GDPR do not call into question the effectiveness of the remedy before a court or tribunal. 

The CJEU also confirmed a broad reading of the right of access, (DSARs): data controllers must reveal the specific recipients of any data they shared unless it is impossible or excessive to do so. The court emphasised that the right of access is necessary to exercise other rights under the GDPR, such as the rights to rectification, erasure, and restriction of processing. The case concerned an individual’s request to a postal and logistics company to disclose the identity of the recipients to whom the company had disclosed, (sold), the individual’s personal data. At the same time, the right of access should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting software. However, those considerations must not result in a refusal to provide all information to the data subject. 

Investigations and enforcement actions: failed data access requests and health-related data consent

The Italian privacy regulator fined I-Model, (promoter and web agency specialised in the selection and management of personnel for events and communication), 10,000 euros for failure to adequately respond to access requests and unlawful processing, Data Guidance reports. After receiving confirmation from I-Model that the personal data in its files had been deleted, the complainant continued to receive job offers from the company. I-Model gave a formal response to the complainant’s requests for deletion of personal data on two occasions, merely stating that it had removed the data from the mailing list, but, in fact, continuing to store and process the data without a legal basis. 

The Finnish data protection commissioner fined an unnamed company 122,000 euros for not having consent in accordance with the GDPR to process data on body mass index and maximum oxygen uptake capacity. The company had asked for consent to process health-related data in general but had not specified the data it collected and processed and for what purposes. The disciplinary board paid special attention to the fact that the large-scale processing of health data is a key part of the company’s core business. Importantly, the company’s service is also available in other EU and EEA countries, which is why the issue was discussed in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. 

The Finnish regulator also imposed a penalty of 750,000 euros on the debt collection company Alektum. It had not responded to requests regarding a data subject’s rights. The company also complicated and slowed down the investigation by avoiding the supervisory authority. As a result, several complainants did not get access to their own data and did not have the opportunity, for example, to correct it or monitor the legality of the processing. Any organisation is obliged to respond to requests regarding the rights of the data subject within one month. If there are many requests or they are complex, a data controller can state that it needs an additional time of up to two months. In the case of one complainant, Alektum explained the non-response by saying that it no longer processed the data subject’s personal data. Even then, the company should have responded to the request.

Official guidance: AI supervision and transparency requirements, Privacy by Design as an international standard, EU whistleblowing scheme report

The Norwegian data protection authority has published an experience report on how you can get information about the use of Artificial Intelligence. Transparency requirements related to the development and use of AI are normally divided into three main phases:

  • development of the algorithm,
  • application of the algorithm,
  • post-learning, and improvement of the algorithm.

The GDPR requirements for information are general and basically the same for all phases. But there are also requirements that only become relevant for certain phases. For example, the requirement to inform about the underlying logic of AI will usually only be relevant for the application phase. The full guidance, (in Norwegian), is available here

In parallel, the Dutch data protection authority is starting a new unit, which should give a boost to the supervision of algorithms. During 2023 it will identify the risks and effects of algorithm use, (cross-sectoral and cross-domain). Where necessary, collaborations will be deepened further with the other supervisors, (eg, on transparency obligations in the various laws, regulations, standards, and frameworks), preventing discrimination and promoting transparency in algorithms that process personal data. 

Denmark’s data protection authority looked at the newly approved EU whistleblowing scheme. During the first year of implementation, two out of three reports concerned data protection, (eg, regarding insufficient security of data processing, and monitoring of employees). That is partly because the national data protection authority was mandated to receive and process reports regarding breaches of EU law in a number of areas, including public tenders, product safety, environmental protection, food safety, reports of serious offenses, or other serious matters, including harassment. Nonetheless, many people associate the scheme with data protection only. All cases concluded in 2022 were completed within the deadlines, with an average time frame of 27 days.

Finally, the International Organisation for Standardisation is about to adopt ISO 31700 on Privacy by Design for the protection of consumer products and services. ISO 31700 is designed to be utilised by a whole range of companies — startups, multinational enterprises, and organisations of all sizes. It features 30 requirements and guidance on:

  • designing capabilities to enable consumers to enforce their privacy rights, 
  • assigning relevant roles and authorities, 
  • providing privacy information to consumers, 
  • conducting privacy risk assessments, 
  • designing, establishing, and documenting requirements for privacy controls, 
  • lifecycle data management, and 
  • preparing for and managing a data breach. 

However, it won’t initially be an obligatory standard.

The post Data protection & privacy digest 3 – 17 Jan 2023: personalised ads dilemma: contract as a legal basis, in-apps tracking via technical identifiers appeared first on TechGDPR.

Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns https://techgdpr.com/blog/consent-management-platforms-cookie-banner-dark-patterns/ Thu, 22 Dec 2022 07:45:00 +0000

It does not take much convincing for someone to accept freshly baked cookies, when offered to them. However, on the internet, organizations and website owners have had to work harder to balance compliance and optimize cookie consent rates, which ultimately serves to benefit them and their revenue.

This is especially true since the GDPR came into effect, as it sets specific requirements for consent as a legal basis, which also apply to the use of non-essential cookies. The reason is that these text files, which our devices read and write when interacting with a website, often contain information that, once associated with your interactions, counts as personal data: IP addresses, usernames, unique identifiers, or even email addresses and metadata.  

That is where Consent Management Platforms (CMP) come into play. They can be described as systems from third-party vendors that help controllers manage users’ cookie preferences and meet their transparency obligations under data protection laws. It is thus very likely that when a cookie pop-up appears on a website, it is managed by a CMP. You might be familiar with some of the following: OneTrust, Quantcast or Cookiebot.

What are dark patterns and how do they relate to cookies? 

A CMP that relies on the IAB Europe Transparency and Consent Framework Policies (IAB TCF) is required to meet several criteria. However, these mostly refer to the need to include the purposes and features of the cookies. Thus, they are provided a relative amount of freedom in terms of design of cookie banners and consent pop-ups. 

Several studies of the standard templates that CMPs offer show that many of the designs provided actually hide manipulative strategies intended to sway users into giving consent. These designs are often referred to as dark patterns.

Some common types of dark patterns in the context of cookie banners are known as interface interference and sneaking. An example of the former is presenting the “Accept all” option at the top of a banner, while the “Reject all” option can only be found after scrolling down; this is also labelled false hierarchy.

Example of false hierarchy: on top of the fact that no option to directly reject cookies is provided, after selecting “manage cookies”, one has to scroll down and manually choose every option and find the “save preferences” button at the bottom of the (second) banner

Another example of false hierarchy is drawing attention to the desired choice, in comparison to the other options. For instance, the “Accept all” option might be brightly coloured or stand out from the background, while the “Reject” or “Settings” options are oftentimes the same colour as the background of the cookie banner, rendering them less noticeable.

Example of false hierarchy: the refuse option is unformatted and blends into the background compared to the large black box highlighting the accept option. The “change settings” option is also the same colour as the background.

Meanwhile, sneaking refers to the hiding of the relevant information, usually behind a far less visible and unformatted link. This is commonly designed with a smaller text providing “more options” or “manage settings” in the corner of the banner, which then allows the user to gain more information and finally reject all cookies. 

Example of sneaking: the relevant information is not provided on the banner but requires further clicking into the settings option.

Read more about other types of dark patterns in the article “The Dark (Patterns) Side of UX Design” from Purdue University, IN.

Does the GDPR or ePrivacy Directive prohibit the use of Consent Management Platforms? 

There is no direct mention of CMPs or dark patterns in the GDPR or in the ePrivacy Directive, which directly governs the use of cookies. Nonetheless, one can still draw conclusions from the consent requirements of the GDPR. For example, Article 7(3) GDPR states that it must be as easy to withdraw consent as to give it. Placing the options on an unequal footing, as in false hierarchy designs, would therefore be a non-compliant approach. The case law points the same way: the Advocate General’s opinion in Planet49 specifically states that, for consent to be valid, the options to reject and accept should be placed “optically on the same footing.”

Despite these academic findings and conclusions, the use of CMPs has only increased since the GDPR came into force. Moreover, data protection authorities consider CMPs an appropriate tool when a compliant design is rolled out. It is important to note, though, that CMP providers cannot be compliant until they assume their obligations as data controllers or joint controllers (GDPR Art 24 and 26, respectively). This was highlighted in the recent €250.000 fine imposed by the Belgian supervisory authority on IAB Europe.

Thus, while the use of CMPs is not prohibited, bear in mind that not all of their template designs actually meet the requirements for valid consent, which increases the chance that the cookie banner will be deemed non-compliant.

What does a compliant cookie banner look like? 

Under GDPR Article 4(11), read together with Article 7 and Recital 32, consent must be a “freely given, specific, informed and unambiguous indication” of the data subject’s wishes. A compliant cookie banner should reflect every one of those elements and avoid the dark patterns described above, which likely contradict the freely given nature of consent. 

As a practical example, in 2022 NOYB, the non-profit chaired by the well-known activist Max Schrems, filed 226 complaints against data controllers over cookie banners rich in dark patterns, arguing that the only compliant option was to offer an accept all and a reject all button outright. A good starting point, therefore, is to ensure that both options are provided and equally accessible, by designing the “Accept” and “Reject” buttons to look identical and perhaps even placing them side by side on the banner.

Lastly, when implementing a banner design, consider the more stringent design requirements, such as the prohibition of pre-ticked boxes, and the requirement for unambiguous consent, which rules out treating scrolling as acceptance of cookies. 

Example of a compliant cookie banner providing the relevant information and all three options in the same colour, size and design.

To recap, when providing cookies, there are several interests and legal requirements that website operators, as data controllers, need to balance before considering Consent Management Platforms as the ideal solution. Studies have shown that many of the current cookie banner designs provided by these platforms, still place more weight on gaining consent rather than ensuring compliance. This is not surprising, considering that CMPs are in the business of selling software solutions to a problem many marketing teams refuse to fully grasp. 

The existence of “dark patterns” in consent pop-ups is perceived by everyone yet not often discussed. For implementers, it is understandably tempting to place full trust in a CMP’s design, overlook the details, and turn on options that actually render their banner non-compliant. However, being mindful of the flaws in the designs that Consent Management Platforms offer, and knowing how to avoid dark patterns, might be the only way to ensure that a cookie banner or consent pop-up is fully compliant with the GDPR, so that your time and money are not wasted.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains marketing and procurement teams in understanding data protection requirements and offers an online training course for software developers, system engineers and product owners.

The post Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns appeared first on TechGDPR.

Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset https://techgdpr.com/blog/data-protection-digest-30082022-data-subject-complaints-inappropriate-reliance-on-consent-smart-tv-reset/ Tue, 30 Aug 2022 09:21:56 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: data subject complaints, new business, identity cards, vehicle registration documents, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, DPOs

The UK Information Commissioner’s Office offers a brief guide for small businesses on how to deal with data subject complaints from staff, contractors or customers. The main steps are as follows:

  • Respond as soon as possible, in plain language, to let the complainant know you’ve received their data protection complaint and are looking into it.
  • Let them know when they can expect further information from you and give them a point of contact. Include information about what you’ll do at each stage.
  • Send them a link to your complaints procedure, (if there is one).
  • Check that the complaint has come from an appropriate person.
  • Check all the details of the complaint against the information you hold.
  • Ask for additional information if necessary.
  • Update them so they know you’re working to resolve the issue.
  • Record all your actions and due dates, and keep copies of relevant documents and conversations.

Starting a new business? The Jersey data protection regulator offers a quick guide on customer information, employee details, contact or payment details for suppliers and contractors, and other data points you’ll need to take responsibility for when getting a new business venture off the ground. The measures may include training your staff, limiting administrative rights, minimising data collection and storage, locking sensitive data, drafting a privacy policy, regular software updates and more. But even simple actions like turning off the ‘auto-complete’ function for email addresses or avoiding email forwarding may save you from personal data breaches. 

Financial institutions make copies of our identity documents for a range of services, such as opening and maintaining a bank account, electronic banking, granting a loan or even executing a transfer order. The Polish data protection authority UODO takes the view that such copying is not permitted in every situation. For instance, the country’s banking law allows the processing of information contained in identity documents, but this does not confer a right to make copies; in many cases it is enough to present the document for inspection. On the other hand, anti-money laundering and counter-terrorist financing legislation does entitle financial institutions to make copies of identity documents. Even then, before applying financial security measures, institutions must assess whether it is necessary to process the personal data contained in the copy for those purposes. Under the principles of purpose limitation and data minimisation, personal data must be collected for specific, explicit and legitimate purposes, using relevant criteria, and limited to what is necessary for the purposes for which they are processed.

The Hungarian data protection authority NAIH issued a notice on the processing of data when the bar code on vehicle registration documents is scanned at filling stations. According to submissions received by the regulator, in order to sell fuel at the official price, a fuel provider scans the bar code on the vehicle registration document, (or records the vehicle’s registration number), and stores it in its system. The data is then forwarded for tax control purposes. No information about this processing was available to customers at the filling stations, and employees were unable to provide any meaningful information. The NAIH opened an ex officio investigation into the lawfulness of the processing and into whether the tax authority and the fuel providers had complied with Art. 13 of the GDPR.

The Latvian data protection authority DVI recently issued a series of recommendations, (in Latvian), including:

  • Evaluate the use of the TCF and OpenRTB systems. Following the Belgian regulator’s decision, the Transparency and Consent Framework created by IAB Europe and the real-time bidding system built on it were found to be non-compliant. The decision stipulates that personal data obtained through the TCF must be deleted immediately, which means that organisations using these tools, (website/app operators, advertisers and ad-tech companies), must stop using them, unless only non-personal data is involved.
  • What to do if another person’s data has been received by mistake: do not open or publish it, do only the minimum investigation needed to identify the sender, notify the sender and let them resolve the situation.
  • Safe use of online platforms during the educational process.
  • The processing of personal data by insolvency administrators in the register of creditors’ claims, and
  • The functions and tasks of a data protection specialist.

Legal processes: EU Data Act, Quebec Bill 64, California privacy laws, China cross-border transfers

The Czech Presidency of the EU Council has brought more clarity to the proposed Data Act, namely the part on public sector bodies’ access to privately held data, Euractiv.com reports. Public authorities could request data, including the relevant metadata, if timely access to it is necessary to fulfil a specific task in the public interest, (eg, local transportation, city planning and infrastructure services). At the same time, safeguards for requests involving personal data have been added: the public body will have to explain why the personal data is needed and what measures are taken to protect it. Anonymisation of the collected data should be the top priority, or at least aggregation and pseudonymisation.

In Quebec, the first amendments from Bill 64, (which modernises data protection legislative provisions), to the Quebec Privacy Act and the Quebec IT Act will come into force on 22 September. They create an obligation for any person carrying on an enterprise to protect personal information and automatically designate the person exercising the highest authority within the enterprise as the person responsible for it. Other provisions introduce mandatory reporting of confidentiality incidents, registration of biometric information databases no later than 60 days before they are put into service, notification of any process used to verify or confirm an individual’s identity based on biometric data, and permit the disclosure of personal data necessary for commercial transactions, (eg, mergers, leasing).

In California, the new privacy rights act, the CPRA, will take effect on 1 January 2023, while the new California Privacy Protection Agency is consulting on draft regulations, paying particular attention to the draft federal American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws. Other key regulatory issues include data processing agreements, programmes for handling data subject rights requests, data minimisation and valid consent requirements, and the prohibition of “dark patterns”.

China will enforce its cross-border data transfer rules from 1 September. Consequently, many critical industries, such as communications, finance and transportation, will face additional checks under the country’s latest cybersecurity, data security and personal information protection legislation. Security reviews will be required for operators that handle the personal data of 1 million or more people, as well as for those that transfer the personal information of 100,000 or more individuals cumulatively in a year, (10,000 or more where sensitive data is involved). Businesses will have to explain to government reviewers the purpose of the transfer, the security measures in place, and the laws and regulations of the destination country. More details on the new regulatory framework can be found in guidance published by KPMG China.

Enforcement actions: commercial prospecting, employee’s consent, smart TV reset, Chromebook ban, PHI disposal, medical results without encryption

A well-known French hotel group was fined 600,000 euros by the privacy regulator CNIL for carrying out commercial prospecting without customers’ consent when they made a reservation directly with hotel staff or on the website: the consent box for receiving the newsletter was pre-checked by default. A technical glitch also prevented a number of people from opting out of such messages for several weeks. As the processing in question took place in many EU countries, the EDPB was asked to rule on a dispute over the amount of the fine, and it instructed the CNIL to increase the sum so that the penalty would be more dissuasive.


Guernsey’s data protection authority has issued a reprimand, (a formal recognition of wrongdoing), to HSBC Bank’s local branch for inappropriate reliance on consent. An employee felt obliged to consent to providing sensitive information about themselves in connection with what they believed was a possible internal disciplinary matter, and then made a formal complaint. The authority’s view is that reliance on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Whilst in this case the controller ceased processing as soon as concerns were raised, it nonetheless continued to cite consent as the justification for the processing. For guidance on managing data protection in employment, see Guernsey’s latest guide.

The Danish data protection authority expressed serious criticism of the retailer Elgiganten A/S after a returned television, which had not been factory reset and still held the complainant’s personal data, was stolen during a break-in at the company’s warehouse. The thief thereby gained access to the TV, and through it to the streaming services the complainant was still logged into, as well as to the browsing history. Before the break-in, the company had carried out a risk assessment for theft of its products and rated the risk as high, so the warehouse was secured with locks, a high wall, surveillance cameras and motion sensors. The burglar gained access by simply punching a hole in the wall. The lesson is that a returned device carrying live sessions is itself a store of personal data and needs to be wiped at intake, not merely locked away.

The Danish data protection authority is maintaining its ban on the use of Chromebooks by Helsingør Municipality, on the grounds of high risk to individuals. The regulator stated that the decision does not prohibit the use of Google Workspace in schools, but that the municipality’s specific use of certain tools cannot be justified where children’s information is concerned. The municipality assessed that Google acts only as a data processor, but in the regulator’s opinion Google acts in several areas as an independent data controller, processing personal data for its own purposes in the US.

The Danish regulator ruled that the municipality cannot reduce the risk to an acceptable level without changes to the contract basis and the technology the municipality has chosen to use. Although the decision specifically relates to the processing of personal data in Helsingør Municipality, the regulator encourages other municipalities to look at the same areas in relation to unauthorised disclosure and transfers to unsafe third countries.

A recent HIPAA settlement, (of over 300,000 dollars), offers lessons on data disposal and the meaning of Protected Health Information, (PHI), workplaceprivacyreport.com reports. A dermatology practice reported a breach last year after empty specimen containers bearing PHI labels were placed in a garbage bin in the practice’s car park. The labels included patient names and dates of birth, dates of sample collection and the name of the provider who took the specimen. The workforce should have been trained to follow disposal policies and procedures, which can include shredding, burning, pulping or pulverising records so that PHI is rendered essentially unreadable, storing labelled prescription bottles in opaque bags in a secure area, and using a disposal vendor, engaged as a business associate, to pick up and shred or otherwise destroy the PHI.

The Belgian data protection authority also fined a laboratory 20,000 euros for insufficient security measures, a missing DPIA and a missing privacy policy, (Art. 5, 12-14, 32 and 35 of the GDPR), Data Guidance reports. Namely:

  • the laboratory’s webpage allowed doctors to consult patients’ medical results remotely without any encryption;
  • the laboratory failed to conduct a DPIA for the large-scale processing of health data;
  • while denying that the health data had been processed on a large scale, it failed to clarify what criteria it was using to determine this;
  • the laboratory failed to include a privacy policy on the webpage through which the medical results were made available.

Data security: cyber security breaches landscape, personal data bought by FBI, social engineering on healthcare

The UK government published an in-depth qualitative study of a range of businesses and organisations that have been affected by cyber security breaches. The findings help businesses and organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also helps the government shape future policy in this area. The report contains 10 practical case studies covering the level of cyber security in place before a breach, how the type of cyber attack was determined, how businesses and organisations act in the immediate, medium and long-term aftermath of a breach, and more.

Top US Democrats in Congress are demanding that the FBI and the Department of Homeland Security detail their alleged purchases of Americans’ personal data, Gizmodo.com reports. They suspect federal law enforcement agencies of using commercial dealings with data brokers and location aggregators to sidestep warrant requirements when obtaining Americans’ private data. Reportedly the data points may include, among others, records of internet browsing activity and precise locations. The demand includes the release of documents and communications between the agencies and any data brokers with whom they have dealings or contracts.

The US Health Sector Cybersecurity Coordination Center published guidance on the impact of social engineering on healthcare. Social engineering is the manipulation of human psychology for the attacker’s own gain. “A social engineer can manipulate staff members into giving access to their computers, routers, or Wi-Fi; the social engineer can then steal Protected Health Information, (PHI), Personal Identifiable Information, (PII), or install malware posing a significant threat to the Health sector”, says the study. It also covers the phases and types of social engineering attacks, (eg, tailgating, vishing, deepfake software, smishing, baiting and more), the personality traits of a social engineer, related data breaches, and steps to protect your organisation.

Big Tech: US mobile carriers, Google location data, Cambridge Analytica settlement, TikTok iOS app, Oracle class action

The US Federal Communications Commission will investigate whether mobile carriers comply with requirements to disclose to consumers how they use and share location data, Reuters reports. Top carriers including Verizon, AT&T, T-Mobile, Comcast and Alphabet’s Google Fi were asked to detail their data retention and privacy policies and practices. Recent enforcement of anti-abortion legislation in many states has also raised concern that police could obtain warrants for customers’ search histories, location and other information that would reveal pregnancy plans. Last month Google responded to this by promising to delete location data showing when users visit an abortion clinic.

The Federal Court of Australia ordered Google to pay 60 million Australian dollars for misleading consumers about the collection and use of personal location data. Google was found to have engaged in misleading and deceptive conduct in breach of Australian Consumer Law. The conduct arose from representations made about two settings on Android devices, “Location History” and “Web & App Activity”. Some users found that the Location History setting had changed from “off” to “on”. Another misleading practice was telling some users that having the Web & App Activity setting turned “on” would not allow Google to obtain, retain or use personal data about the user’s location.

Facebook agreed to settle a lawsuit seeking damages for allowing Cambridge Analytica access to the private data of tens of millions of users, The Guardian reports. Facebook users sued the tech giant in 2018 after it emerged that the British data analytics firm, connected to former US president Donald Trump’s successful 2016 campaign for the White House, had gained access to the data of as many as 87 million of the social network’s users. Reportedly, if owner Meta had lost the case it could have been made to pay hundreds of millions of dollars.

Reportedly, when you open any link in the TikTok iOS app, it is opened inside the app’s own in-app browser. While you interact with the website, JavaScript injected by the app subscribes to all keyboard input, (including passwords, credit card details, etc.), and to every tap on the screen, such as which buttons and links you press. The discovery was made by software engineer Felix Krause, who points out that subscribing to these events does not by itself show what, if anything, the app does with the captured data. His original publication contains a more detailed technical analysis of the most popular iOS apps that ship their own in-app browser.

Finally, the Irish Council for Civil Liberties, (ICCL), has started a class action against Oracle in the US over what it describes as Oracle’s worldwide surveillance machine. Oracle is an important part of the tracking and data industry: it claims to have amassed detailed dossiers on billions of people and generates over 42 billion dollars in annual revenue. These dossiers may include names, addresses, emails, purchases online and in the real world, physical movements, income, interests and political views, and a detailed account of online activity. For example, one database included a record of a man who used a prepaid debit card to place a 10 euro bet online. Oracle also coordinates a global trade in people’s dossiers through the Oracle Data Marketplace, the ICCL claims. The full complaint is available from the ICCL.

The post Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset appeared first on TechGDPR.
