consent management Archives - TechGDPR
https://techgdpr.com/blog/tag/consent-management-2/ (feed generated Thu, 17 Jul 2025 16:52:23 +0000)

Data protection digest 3-17 July 2025: AI-generated voice and visuals’ potential to violate people’s rights and freedoms
https://techgdpr.com/blog/data-protection-digest-17072025-ai-generated-voice-and-visuals-potential-to-violate-peoples-rights-and-freedoms/ (Thu, 17 Jul 2025 14:29:25 +0000)

A recent Guardian article caused a stir when it reported that an AI-generated band got 1 million plays on Spotify in the past couple of weeks. Only after releasing two albums did the group, called “The Velvet Sundown”, admit that its music, images and backstory were created by AI. The story has triggered a debate on authenticity and on the lack of any legal obligation to tag music created by AI-generated artists so that consumers can make informed choices.

For data protection professionals, the story opens an even broader discussion of what risks voice and image generation technology brings to the rights and freedoms of individuals.

AI-generated speech and images

In its recent opinion, the Latvian data protection regulator DVI presumed that, when an image is created with the help of AI from scratch (eg, by entering the keywords “children playing”), personal data is not processed, as the image does not refer to a specific real person. However, there are many cases where the image is created using a photograph or visual description of a specific person. And if such an image is later associated with an identifiable person, its generation and publication may be considered processing of personal data. Although the use of synthetic images can raise doubts about the veracity of the content, AI-generated visual materials still allow the necessary information to be provided to the audience while respecting people’s privacy (eg, in fundraising campaigns for children in distress), the regulator states.

Similarly, voice generation technology is taking over our everyday lives. The Liechtenstein data protection commissioner, in a recent interview, reminds us that cloned voices can be deceptively similar to genuine ones and can therefore easily be used to mislead third parties, for example in fraudulent calls or fake audio recordings of politicians, celebrities or even colleagues. Anyone who makes their voice publicly available or works with language professionally is providing potentially valuable training material for AI systems. It is therefore recommended to provide clear copyright notices and, if necessary, to regulate use by third parties contractually. A general or tacit consent to processing is not sufficient; rather, an explicit, informed consent is required. The data controller may also be obliged to conduct a data protection impact assessment (DPIA) if the data processing is expected to pose a high risk to the rights and freedoms of natural persons.

EU AI Code of Practice

The European Commission published the final version of the General-Purpose Artificial Intelligence Code of Practice. The document helps industry comply with the AI Act legal obligations on safety, transparency and copyright of general-purpose AI models. The code was published on July 10, 2025. In the following weeks, Member States and the Commission will assess its adequacy. Additionally, the code will be complemented by Commission guidelines on key concepts related to general-purpose AI models, to be published later in the month. More information on the code is available in this dedicated Q&A.

US child privacy updates

On 1 July in Connecticut, the Act concerning Social Media Platforms and Online Services, Products and Features enters into force. According to a digitalpolicyalert.org analysis, the act expands the Connecticut Data Privacy Act, defining “heightened risk of harm to minors” to include risks such as anxiety disorders, compulsive use, physical violence, harassment, sexual exploitation, unlawful distribution of restricted substances, and unlawful gambling. The act requires owners of social media platforms to incorporate an online safety methodology by 1 January 2026. Data controllers must use reasonable care to avoid such risks, conduct data protection assessments, and implement mitigation plans. Processing of minors’ personal data for targeted advertising, sales, or profiling is prohibited, and precise geolocation data collection requires safeguards. Impact assessments are mandated for profiling-based services, detailing purpose, risks, data categories, and transparency measures.

In parallel, Oregon will begin to regulate the use of minors’ information and sale of users’ location data (regardless of age) with an update to its Oregon Consumer Privacy Act. These revisions will go into effect January 1, 2026. As amended, those subject to the law will not be able to profile or serve targeted advertising to anyone under 16. And Maryland will impose a similar prohibition on the same date, but for information of those under 18, eyeonprivacy.com law blog reports.

Anonymisation

The Asia Pacific Privacy Authorities (APPA) have published an overview of basic anonymisation concepts and practical steps that can be put in place to enable organisations to kickstart their anonymisation journey. Proper anonymisation requires both good knowledge of the data context and competency with the technicalities of anonymisation. Where the data controller does not have the necessary level of skills, they should consider engaging an expert to perform the anonymisation.

It is also recommended to refer to the ISO standard titled ‘Information Security, Cybersecurity and Privacy Protection – Privacy Enhancing Data De-identification Framework’ (ISO/IEC 27559:2022). This standard recognises that anonymisation involves not only the data itself but also the context in which data is shared and used, as well as the governance practices in place.

Audience consent exemption

The management of a website or mobile application generally requires the use of traffic or performance statistics, which are often essential for the provision of the service. Cookies placed for this purpose may be exempt from consent under certain conditions, states the French CNIL. In order to limit themselves to what is strictly necessary for the provision of the service and thus be exempt from consent, these trackers must:

  • be used for a purpose strictly limited to the sole measurement of the audience of the site or application (performance measurement, detection of navigation problems, optimisation of technical performance or its ergonomics, estimation of the power of the servers required, analysis of the content consulted);
  • be used to produce anonymous statistical data only.

Conversely, to be exempt from consent, these trackers must not:

  • lead to data being cross-referenced with other processing operations or to non-anonymous data being transmitted to third parties;
  • allow tracking of the individual’s browsing experience using different applications or browsing different websites. Any solution using the same identifier across multiple sites (for example, via cookies placed on a third-party domain loaded by multiple sites) to cross-reference, split, or measure a unified content reach rate is excluded.

AI system data quality

The Federal Office for Information Security in Germany presented a methodological guide called QUAIDAL (in German), aimed primarily at providers of high-risk AI systems, for which the AI Act defines detailed requirements regarding documentation, data management, and continuous quality assurance. The modular design of the guideline allows project managers and development teams to select appropriate measures to ensure data quality at an early stage and systematically demonstrate their implementation. Furthermore, this modular concept can be flexibly expanded in the future to accommodate new technological developments.

More from supervisory authorities

Emotion recognition: The Dutch data protection regulator AP notes that organisations are increasingly using AI to recognise emotions in people: your voice can be used to analyse your emotional state during a customer service conversation; your smartwatch measures your stress; or a chatbot recognises your emotions so that it can respond more empathetically.

However, emotion recognition is based on controversial assumptions about emotions and their measurability. It is not always clear how AI systems recognise emotions, nor whether the results are reliable. People are also not always aware that emotion recognition is being used, nor are they always aware of the data used. Finally, in education and the workplace, the use of AI systems for emotion recognition is already prohibited under the EU AI Act.

LLMs and data subject rights: A consultation on processing personal data in large language models in a way that complies with data protection laws has been launched by the German Federal Data Protection Commissioner, running until August 10. Limits on anonymisation, the memorisation of personal information, the dangers of data extraction, and the protection of GDPR data subject rights in AI systems are among the main topics. The results will aid in the creation of compliant methods for handling personal data memorised by AI, as summed up in a digitalpolicyalert.org legal blog.

EU minors data: The European Commission has published guidelines on the protection of minors under the Digital Services Act. These guidelines aim to ensure a safe online experience for children and young people on online platforms accessible to minors (excluding micro and small enterprises). They suggest measures such as setting minors’ accounts to private by default, so that their personal information, data and social media content is hidden from those they are not connected with, reducing the risk of unsolicited contact by strangers; effective age assurance methods; prohibiting the downloading or screenshotting of minors’ content; measures to improve moderation and reporting tools; and much more.

Data-driven pricing

The Future of Privacy Forum reports that US state lawmakers (eg, in a new New York bill) are seeking to regulate various pricing strategies that fall under the umbrella of “data-driven pricing” (often algorithm-based): practices that process user data to continuously inform decisions about the prices and products offered to consumers. They fall under one of the following categories:

  • Reward or loyalty program: A company offers a discount, reward, or other incentive to repeat customers who sign up for the program.
  • Dynamic pricing: Rapidly changing the price of a particular product or service based on real-time analysis of market conditions and consumer behavior.
  • Consumer segmentation or profiling: A profile is created for a customer based on their personal data, including behavior and/or characteristics, and they are placed within a particular audience segment.
  • Search or product ranking: Altering the order in which search results or products appear, to give more prominence to certain results, based on general consumer data or specific customer behavioral data.

Age-verification in shops

The French CNIL also considers that the use of “augmented” cameras to estimate the age of customers of tobacco shops, in order to control the sale of prohibited products to minors, is neither necessary nor proportionate. Currently deployed devices are enabled by default and scan the faces of all people in their field of vision. They then indicate, by a green or red light, whether or not the estimated age of the people exceeds a predetermined age (18 years old, 21 years old or other). The law requires tobacconists to check that their customers are of legal age before selling tobacco or alcohol. However, these devices can only estimate the age of people, without certainty, and they carry a risk of error, like any artificial intelligence system.

To fulfil their age control obligations, tobacconists must therefore resort to other solutions, such as verification of an identity document or any official document containing the person’s date of birth.

Prohibited AI practices facing privacy enforcement

The Spanish privacy regulator AEPD stated that it can now act against prohibited AI systems that process personal data, regardless of the entry into force of the AI Act. A series of the Act’s sections will come into force as of August 2, 2025, even though the Spanish draft AI law has not yet been approved and the AEPD has not yet been formally assigned as a market surveillance authority. However, the agency’s status as the competent authority for personal data protection remains unchanged. Therefore, although this is not a direct application of the AI Act, the regulator may supervise and act against processing of personal data carried out using prohibited systems.

In other news

Insurance agency data leak: The personal data protection agency in Croatia has imposed eight new administrative fines totaling 350,500 euros. In particular, following an anonymous report that personal data of more than a million vehicle owners had been “leaked” from the state register, the regulator conducted supervisory procedures at several related entities: the Croatian Insurance Bureau, the Croatian Vehicle Center, the Ministry of the Interior of the Republic of Croatia, as well as other legal entities associated with the incident.

It was established that the leaked data submitted to the regulator on a USB stick (vehicle owner data, vehicle data, insurance data and data on reduction (bonuses/minimums)) matched the database of the Croatian Insurance Bureau. As the data controller, the Bureau did not take appropriate organisational and technical measures to protect the personal data of the respondents. Additionally, it did not separately prescribe maximum retention periods for the personal data of the respondents contained in the register.

Biometric identification fine: The Spanish AEPD fined sports centre operator SIDECU 160,000 euros for offences including illegal biometric data processing; the amount was eventually lowered to 96,000 euros, according to Data Guidance. Without offering any other options, SIDECU used a face recognition technology as the only way to enter its sports facilities, which violated GDPR Art. 9. In violation of Art. 13, they also did not properly notify members about data processing and did not conduct a data protection impact assessment as mandated by Art. 35. SIDECU was given ten working days to halt the processing.

Political party fine

The Romanian data protection regulator fined the Alliance for the Unity of Romanians Party, AUR (a right-wing populist political party in Romania and Moldova), approximately 25,000 euros following a data leak. One of the notified security breaches targeted the aur.mobi application used and managed by the party, whose vulnerability was exploited by a third party by accessing the application’s source code. Due to a configuration error, at the time of the incident the following categories of personal data of its users (supporters/members – individuals who provided personal data in the operator’s application) could be viewed within the application:

  • first and last name,
  • telephone number, e-mail address, residence address, personal id number,
  • date of birth, nationality, citizenship, gender, religion,
  • profession, occupation, field of activity, experience in other fields, studies (institution, specialisation, start and end dates),
  • political experience (party, position, start date, end date),
  • administrative experience (institution, position, start date, end date),
  • foreign languages spoken (language, level).

The investigation found that personal data were processed by the controller for the purpose of informing data subjects about an AUR campaign and for statistical purposes, and that the processed data are not adequate, relevant and limited to what is necessary in relation to the declared purposes.

DPO’s conflict of interest

In Estonia, a county court overturned the decision of the Data Protection Inspectorate, which had imposed a fine of 85,000 euros on Asper Biogene for violating data protection requirements. The inspectorate accused Asper of two significant violations in the misdemeanor proceedings. Firstly, the company appointed its sole board member as data protection specialist, who lacked both the necessary independence and the competence to perform this role. Secondly, Asper Biogene had not implemented sufficient security measures, which allowed unauthorised persons to access the company’s database during a cyber attack in 2023. A large volume of data was downloaded, including special categories.

The county court agreed that a member of the board, who manages the company’s activities and decides on the purposes and means of data processing, cannot at the same time independently perform the duties of a data protection specialist. However, the court found that the violation was committed through negligence and took into account the fact that the company had later appointed a competent specialist and implemented additional security measures. The court decided that the fault of the person subject to the proceedings is minor and that there is no public interest in the proceedings. The regulator does not agree with these findings and is preparing an appeal.

In case you missed it

Swimming pool surveillance: It is the height of summer, and concerns about theft, break-ins, and swimming accidents are increasing. Facilities are therefore increasingly turning to video surveillance and AI. However, not everything that is technically possible is compatible with data protection, explains the North Rhine-Westphalia data protection regulator.

In one example, burglaries in swimming pools regularly occur outside of business hours, so recording must be limited to these times. To prevent unauthorised access during normal business hours, only the entrance area or access barrier may be recorded. Locker break-ins also frequently occur. In these cases, video surveillance may be permitted in a limited capacity. However, changing areas must never be included. Areas subject to video surveillance should be specially marked, for example by colour-coded flooring.

At the same time, operators are increasingly turning to artificial intelligence to prevent swimming accidents. However, its use should not replace existing supervisory measures, but can at best complement them, because AI systems still have a significant error rate.

Traveling with data privacy in mind: Online activity onboard trains requires a few simple precautions to travel with peace of mind, states the French CNIL. A password written on a piece of paper stuck to your computer, a screen visible to other passengers or an unlocked computer when you leave your seat are small, seemingly innocuous mistakes that can expose your personal data and your private and professional life, and compromise the security of your devices. The essential safeguards include:

  • Always lock your devices when you are away.
  • Reduce the visibility of your screen to other passengers and use a privacy filter.
  • Pay attention while using public Wi-Fi.
  • Do not save your credentials or other data in the browser.
  • Protect your passwords with dedicated tools.
  • Stay vigilant against phishing attempts, etc.

The post Data protection digest 3-17 July 2025: AI-generated voice and visuals’ potential to violate people’s rights and freedoms appeared first on TechGDPR.

Data protection digest 3 – 16 May 2025: ‘divided’ court ruling on IAB Europe, data brokers and national security
https://techgdpr.com/blog/data-protection-digest-19052025-divided-court-ruling-on-iab-europe-data-brokers-and-national-security/ (Mon, 19 May 2025 08:16:17 +0000)

IAB Europe case results in mixed decision

IAB Europe and Belgium’s data protection authority have each claimed a ‘partial victory’ in the latest court decision over whether the IAB is liable for personal data processing over the online ad tools the industry group provides for the market, Telecompaper reports. The Belgian Market Court has annulled the regulator’s 2022 decision due to procedural irregularities, notably the fact that the regulator failed to adequately justify why it considered TCF (Transparency and Consent Framework) Strings as personal data. Nevertheless, the 250,000 fine against IAB Europe was upheld.

In IAB Europe’s view, the court has rejected that it is a joint controller together with TCF participants for their own respective processing of personal data for digital advertising, in line with the CJEU judgment from 2024. The court upheld only part of the decision, namely that IAB Europe is a joint controller together with TCF participants solely regarding the creation and use of TC Strings by publishers and vendors. The IAB said it has a solution to the concerns expressed by the court that is ready for implementation.

The Belgian regulator takes a different view, believing that the court ruling means that the TC String is personal data within the meaning of the GDPR and that IAB Europe acts as a joint data controller for the processing of user preferences within the TCF. However, the court annulled the decision from 2022 on procedural grounds. The ruling should have a lasting impact on the online ad industry and its real-time bidding systems in the EU, the regulator added. The Irish Council for Civil Liberties has even suggested that tracking-based advertising by Google, Microsoft, Amazon, and X, across Europe, now has no legal basis for personal data processing.

More official guidance

Schools’ data: The education sector processes a lot of personal data: school registrations, an extensive digital work environment, and pedagogical follow-up of students. This data can be subject to data breaches, and news reports show that schools are not spared from these incidents. Over the past five years, the CNIL has been notified of only about thirty data breaches per year in primary and secondary education. However, during its interventions in the field, the regulator noted that this figure does not reflect the daily reality of educational establishments. The CNIL has identified several reasons that may explain this under-declaration:

  • It is not always easy to identify what constitutes a “data breach”.
  • The procedure to follow in the event of a data breach is sometimes unknown to operational personnel.
  • The system of responsibility for processing implemented in the national education sector is complex.

To that end, the French CNIL offers two new guides (in French) for data protection officers, school principals, school heads and administrative staff to help them react in the event of a personal data breach.

GDPR and AI equation: The Swiss data protection regulator FDPIC reminds us that, because of the rapid increase in AI-supported data processing, and regardless of future regulations, the data protection provisions already in force must be complied with. In particular, the Federal Data Protection Act, which has been in force since 1 September 2023, is directly applicable to AI-supported data processing. The FDPIC alerts manufacturers, providers and users of such applications that, when developing new technologies and planning their use, they are required by law to ensure that data subjects have the highest possible degree of digital self-determination.

NIS2 guidance

The European Union Agency for Cybersecurity has developed the European Vulnerability Database as provided for by the NIS2 Directive. The EUVD service now openly provides aggregated, reliable, and actionable information, such as mitigation measures and exploitation status, on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services. The aggregated information in the database is displayed through dashboards: for critical vulnerabilities, for exploited ones, and for EU-coordinated ones. The EU Coordinated Vulnerabilities dashboard lists the vulnerabilities coordinated by European CSIRTs and includes the members of the EU CSIRTs network.

Cookie consent

The Norwegian data protection authority summarises the main steps for companies to follow in order to meet the requirements for voluntary, explicit, informed, and unambiguous consent. The list also outlines what companies must and must not do. The Norwegian Storting passed a new Electronic Communications Act that came into force on 1 January 2025. The rules set clearer requirements for businesses that use cookies and similar technologies:

  • Provide unambiguous information in the consent box
  • Fill out the consent banner with complete information
  • Do not make access to the website or service conditional on consent
  • Let the user choose which purposes they will consent to or not
  • Don’t use pre-ticked boxes or acceptance by inaction
  • Don’t make opting out of consent require extra clicks or be more laborious
  • Don’t hide the option to decline consent, or give it a lower attention value
  • Use clear and simple wording in buttons or similar design solutions
  • Make it easy to withdraw consent and inform about this.

More from supervisory authorities

AI literacy: The European Commission has published an AI Literacy Q&A. Art. 4 of the AI Act requires providers and deployers of AI systems to ensure sufficient AI literacy of their staff and other persons dealing with AI systems on their behalf. The implementation plan for organisations may be built on the following steps:

  • In which sector and for which purpose/service is the AI system being used? What are its opportunities and dangers?
  • Consider the role of the organisation: is my organisation developing AI systems or just using AI systems developed by another organisation?
  • What do employees need to know when dealing with such an AI system? What are the risks they need to be aware of, and do they need to be aware of mitigation?

EU Merger: The Commission also seeks feedback on the review of the EU merger guidelines dating from 2004 and 2008. The review should reflect economic changes such as digitalisation, globalisation and innovation, as well as the case practice and the case law developed over the past 20 years by the Court of Justice of the EU. Any interested citizen, business or association can contribute by replying to the general public consultation questionnaire until 3 September.

Space systems security: In Germany, the Federal Office for Information Security, in collaboration with representatives of the national information security and space industries, has developed the second part of the Technical Guideline (BSI TR-03184) on securing space systems. A space system comprises the space and ground segments. The focus of this publication is on the ground segment. Business processes across the entire life cycle of a ground segment, from conception to decommissioning, were considered. It identifies hazards across the processes of future space missions and assigns risk management measures to them.

GDPR simplification plans

The European Commission has consulted the EDPB and EDPS on a proposal to introduce further exemptions from the GDPR’s obligation to keep records of personal data processing for SMEs. The exemption, which currently applies to companies with fewer than 250 employees, is proposed to be extended to companies with fewer than 500 employees. The EDPB and EDPS shared the opinion that, at this stage, they could express preliminary support for this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. In parallel, the EU is already working on finalising a new law to speed up the procedural rules for privacy regulators to coordinate on major GDPR cases in Big Tech.

Data brokers

The UK Department for Science, Innovation and Technology closed a call for evidence on data brokers and their impact on national security. This inquiry concerns the activities involved in facilitating access to UK data (including data on UK persons, businesses, infrastructure, etc) via data brokerage, where pre-packaged or bespoke datasets can be obtained at speed and scale. To support policy development, the government wanted to identify several main points: a) the definition and services of data brokers, b) national security risks associated with the data broker industry, c) the effectiveness of data brokers’ security and governance frameworks, and d) a breakdown of brokers’ customer base.

Record year for data breaches

The Australian Information Commissioner stated that businesses and government agencies reported more than 1,100 data breaches to the regulator and the public in 2024, the highest annual total since mandatory data breach notification requirements started in 2018, and a 25% increase from 2023. Malicious and criminal attacks have been the main source of breaches. Health service providers and the Australian government again reported the most data breaches of all sectors (20% and 17% of all breaches, respectively), highlighting that both the private and public sectors are vulnerable. The report also shows that the public sector continues to lag behind the private sector in the time taken to identify and notify data breaches, despite some improvements in timeliness.

Road cameras

The Estonian Data Protection Inspectorate sent an appeal to the Ministry of the Interior, drawing attention to the inadequacy of the legal basis for the license plate recognition cameras used in the preventive activities of the Police and Border Guard Board. In the regulator’s opinion, the processing of personal data using these cameras is not based on a sufficiently clear and specific legal basis. The Inspectorate has initiated a supervisory procedure to clarify how data is processed in the police database POLIS and whether it meets data protection requirements.

In other news

Workers’ data: Bird&Bird research examines the German Federal Labour Court’s judgment to award an employee non-material damages of 200 euros after the employer put additional personal data into the “Workday” HR management software outside the agreed-upon limitations of a completed work agreement. The parties specified which data might be submitted for testing purposes. Because the agreed-upon restrictions had been exceeded, the employer could not rely on the work agreement as the legal basis.

Aggressive telemarketing: The Italian privacy regulator Garante has imposed millions of euros in fines and stringent corrective measures against Acea Energia Spa and a network of agencies and companies. All were involved in a massive system of procuring contracts for the activation of electricity and gas supplies based on aggressive telemarketing practices and illicit processing of personal data. The investigations revealed significant evidence of illicit activities carried out through the use of lists of users who had recently changed energy suppliers. Call-centre operators contacted these users, mentioned non-existent technical problems in switching between suppliers and, by making them fear economic damage, induced them to activate a new supply.

Geolocating remote workers: An employer cannot geolocate employees working remotely (“smart working”). This was also stated by the Italian Garante in imposing a fine of 50 thousand euros on a company that tracked the geographic position of about one hundred employees during work activity carried out in agile mode. The investigation revealed that the company monitored its employees to verify the exact correspondence between their geographic location and the address declared in the individual smart working agreement. These checks were then followed by disciplinary proceedings by the company. All of this took place in the absence of an appropriate legal basis and adequate information, in addition to the consequent interference in the private lives of employees.

In case you missed it 

NOYB vs Meta AI: The privacy advocacy group NOYB has sent Meta a formal settlement proposal in the form of a ‘cease and desist’ letter over Europe-wide AI training. If injunctions are subsequently filed and won under the new EU Collective Redress Directive, Meta may also be liable for damages to consumers. Damages could reach billions. Meta has announced it will use EU personal data from Instagram and Facebook users to train its new AI systems from 27 May onwards. Instead of asking consumers for opt-in consent, Meta relies on an alleged ‘legitimate interest’ and offers users the possibility to object to the processing before the training has started.

Facebook data leak compensation: Meanwhile, Facebook users in Germany whose data was affected by the data breach that came to light in 2021 can now join the class action lawsuit filed by the German Federation of Consumer Organisations. This follows a ruling by the Federal Court of Justice in November 2024, according to which the mere loss of control over personal data can justify a claim for damages regardless of any other disadvantages. The court considers an amount of 100 euros to be appropriate for this purpose. In serious cases, for example, when sensitive data such as date of birth, relationship status, or email address has been made public, the consumers can seek compensation of up to 600 euros. Those affected can use a dedicated complaint form to see if participation is an option for them and register the complaint. 

Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy
https://techgdpr.com/blog/data-protection-digest-18042025-meta-ai-training-restarts-in-europe-virtual-assistants-vs-data-privacy/
Fri, 18 Apr 2025 07:59:21 +0000

Meta AI training in EEA

According to the Norwegian regulator Datatilsynet, Meta will start training its AI service on photos, posts and comments from Facebook and Instagram users in the EEA at the end of May 2025. The purpose of the training is to develop and improve Meta’s generative AI services, based on users’ content and interactions with Meta’s AI services. The training will only include content that is publicly published. Furthermore, Meta will only use photos and posts published by users over the age of 18 to train the AI model. The training includes both historical and future information that is shared publicly. If you do not want your posts and photos to be used to develop Meta’s AI, you can object. If you have both a Facebook and Instagram account, or multiple accounts, the objection applies to all accounts if they are added to the same ‘Account Center’. You do not need to justify your objection. Meta has stated that it accepts all objections.


GDPR supervision in Germany to be eased?

According to a DLA Piper analysis, the future German government plans to centralise the country’s data protection supervisory authority structure and to ease the regulatory burden for small and medium-sized companies. Responsibilities and competencies for the private sector in all 16 states are to be bundled into one Federal Commissioner for Data Protection and Information Security (BfDI).

Therefore, there would be no need to report data security breaches to multiple state supervisory authorities where impacted data subjects reside, and data controllers and processors would only need to collaborate with one national supervisory authority. The German plan coincides with the recent announcement of the Commission’s plans to amend or simplify some obligations for small and medium-sized companies, among others, under the GDPR. 

More legal updates

Cloud computing and data sharing in the EU: Before the Data Act starts being applied from 12 September 2025, the Commission is providing guidelines on non-binding Model Contractual Terms (MCTs) for data sharing, and Standard Contractual Clauses (SCCs) for cloud computing contracts. These (B2B) models are intended to help especially small and medium-sized companies and other organisations which may lack the resources to draft and negotiate fair contractual clauses. The Commission also seeks feedback on the preparatory work for the Cloud and AI Development Act and the single EU-wide cloud policy for public administrations and public procurement. The Commission would like to gather different stakeholders’ views on the EU’s capacity in cloud and edge computing infrastructure, especially in light of increasing data volumes and demand for computing resources, both fuelled by the rise of compute-intensive AI services. Submissions are open from 9 April to 4 June.

EU cybersecurity: To strengthen the EU’s resilience against rising cyber threats, the Commission seeks input to evaluate and revise the 2019 Cybersecurity Act. This initiative reflects the Commission’s ongoing commitment to simplifying the rules and facilitating their implementation. Interested parties, including Member State competent authorities, cybersecurity authorities, industry and trade associations, researchers and academia, consumer organisations, and citizens, are invited to give their views on the Have Your Say portal until 20 June. In parallel, the Commission seeks contributions to enhance cybersecurity for hospitals and healthcare providers, as well as for the implementation of the European Digital Health Space, following the publication of the Action Plan in January. Citizens, healthcare professionals, healthcare authorities, patients, compliance and data privacy professionals, cybersecurity professionals, organisations, and academia, among others, are invited to share their views. The deadline for contributions is 30 June.

EDPB on blockchain technology

The EDPB has adopted long-awaited guidelines on the processing of personal data through blockchain technologies. A blockchain is a distributed digital ledger system that can confirm transactions and establish who owns a digital asset (such as cryptocurrency) at any given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability. Depending on the purpose of processing for which blockchain technology is used, different categories of personal data may be processed.

The guidelines highlight, among other things, the need for Data Protection by Design and by Default and adequate organisational and technical measures. As a general rule, storing personal data on a blockchain should be avoided if this conflicts with the GDPR (eg, in fulfilling the rights of data subjects regarding data rectification and erasure). The guidelines provide examples of different techniques for data minimisation and for handling and storing personal data.

Consent management

The Consent Management Ordinance in Germany comes into effect. Effective from April 1, it regulates obligations for trusted consent management service providers. It mandates certain recognised services to store user settings and allows voluntary integration by digital service providers. In addition, it protects data portability rights of users and restricts consent management services from processing personal data beyond the purpose for which it was originally collected and stored. 

Data breach statistics

The Estonian data protection regulator estimates that in the first quarter of 2025, the number of breach reports compared to the same period in 2024 increased by 48%. In January, February and March, organisations notified the agency of a total of 65 data breaches. In 30 cases, the breach involved the public sector or an agency they manage. The most common causes since the start of the year are negligence and human error, technical errors in information systems, and unlawful access to personal data caused by cyberattacks. In particular:

  • There were cases where employees abused the access rights granted to them to perform their duties. Personal data was looked up both out of curiosity and in order to distribute it on social networks or leak it to the press.
  • An employee who left an educational institution, being the sole administrator of the school’s Facebook group, refused to transfer the group’s administration rights to the school. He changed the group’s name and smeared his former employer there.
  • A popular e-learning environment used in schools was the target of a cyberattack, in which an attacker, likely using credentials obtained from previous data leaks (not related to the learning environment), attempted to hijack the accounts of the environment’s users. The e-learning environment did not require multi-factor authentication.

More from supervisory authorities

AI Privacy Risks and Mitigation: To help developers and users of large language model-based systems handle privacy issues, the EDPB provides a new practical guide. The paper offers organisational and technical measures to maintain data protection following GDPR Art. 25 – Data protection by design and by default, and Art. 32 – Security of processing. The guideline, however, is not meant to replace a Data Protection Impact Assessment (DPIA), following GDPR Art. 35. Instead, by addressing privacy issues unique to LLM systems, it enhances the DPIA process. 

Mobile apps: The French CNIL published a modified version of its recommendations to better protect privacy in mobile applications, adopted in 2024 (in French). It is aimed at professionals working in the mobile application sector in the role of data controllers and processors, namely: a) app publishers; b) app developers; c) software development kit (SDK) providers; d) operating system providers; e) app store providers. This recommendation covers all types of applications, which can be:

  • “native” (developed in the programming language specific to the operating system in which they are executed);
  • “hybrid” (developed with languages and technologies from web programming, then transformed into an application using specific tools);
  • “progressive web” PWA (dynamic web pages which are presented to the user in the form of apps).

AI public sandbox: The CNIL has also published the results of its “sandbox” personalised support programme for players who wish to be advised on how to deploy an innovative project:

  • France Travail’s tool, (French unemployment agency), helps its advisors to offer a personalised training course adapted to the needs of job seekers. 
  • Nantes Metropole’s Ekonom’IA project: raising awareness among residents about their water consumption levels through an AI program; and 
  • The RATP’s, (Paris transport operation company), PRIV-IA project: studying algorithmic processing of images from new video capture technologies (so-called Time-of-flight cameras). 

Emotion recognition under the AI Act


A recent analysis by DLA Piper examines two real-world uses of emotion recognition AI in work environments to highlight the effects of the recently passed EU AI Act. The first case study uses emotion analysis on sales conversations. The global company’s chief revenue officer, who is based in the US, is trying to implement new software that would enable staff members worldwide to get consistent sales training by comparing the calls made by top performers with those of the lowest performers.

In the second case study, a busy consulting business wants to use a remote application and onboarding process to broaden its pool of candidates to include people who want to apply for wholly remote positions. The company is eager to implement software that enables interview scheduling through a platform with cutting-edge AI-powered capabilities. One element of the system analyses applicants’ speech tones, facial expressions, and other non-verbal indicators.


In other news

Brute force attack: The UK’s Information Commissioner’s Office has issued the law firm DPP Law a £60,000 fine following a cyber-attack which resulted in highly sensitive and confidential personal information being published on the dark web. The brute force attempts targeted an administrator account for a legacy case management system, which was only available online sporadically. At the time of the incident DPP had multi-factor authentication in place for connecting to its network via a VPN. However, the administrator account did not have MFA because it was used as a service account.

Search services: Sweden’s IMY has received a large number of complaints against search services that publish personal data about the population of Sweden. Many of these complaints concern search services that publish information about violations of the law, such as criminal convictions. IMY is now initiating inspections of two of these search services: Lexbase.se and krimfup.se. In a legal opinion from 2024, the IMY ruled that the authority is competent to review search services that hold a so-called certificate of publication. There was also a recent decision from the Supreme Court that it is not compatible with EU law to release large numbers of criminal convictions online.

Unwanted insurance: The Romanian data protection agency fined the operator Banca Transilvania SA the equivalent of 5,000 euros. In a complaint, a natural person claimed that their data had been processed without consent within the framework of an insurance policy arranged by the operator Banca Transilvania. It was found that, although the petitioner had terminated his real estate loan contract, he was erroneously issued a new insurance policy against natural disasters, ancillary to the terminated real estate loan contract.

Employee email accounts

The Maltese regulator IDPC published a set of FAQs on the management of employee email accounts once an employee leaves an organisation. While employers have a legitimate interest in maintaining business continuity following an employee’s departure from the organisation, the employer’s operational concerns must be balanced against the data protection rights of outgoing employees and any other individuals involved, as set out in the GDPR. This includes handling work email accounts in a manner that is proportionate, transparent, and respects the confidentiality of any personal correspondence that may be in the account. The most common real-life questions include:

  • Can an employer set up automatic email forwarding following an employee’s departure?
  • Can an employer set up an automatic reply message following an employee’s departure?
  • As an employer, what are some general practical steps I can take to manage employee email accounts in a manner that complies with the GDPR?

In case you missed it 


AI assistants: Privacy International questions whether we can trust the developers of AI assistants to protect our privacy and security. AI assistants need to access apps, data and device services to deliver on their promise to operate as agents capable of doing work for us. This is a significant change from existing apps, which request access for a specific function: the messaging app Signal asks to access your contacts to identify people with a Signal account you haven’t talked to; similarly, a navigation app requires access to your phone’s location services and hardware to guide you.

What makes an AI assistant different from apps is the level of access it constantly requires to function. Prioritising automation as one of the main goals/features of AI assistants means that developers will be tempted to allow processing of your data with the lowest amount of friction possible.

Opt out from Tesla processing your data: Lastly, a piece from The Guardian examines how Tesla owners may safeguard their data and privacy. Any connected car must track and gather a lot of information about you in order to use any of its capabilities. A detailed picture of your life and movements may be created using these data – sent via GPS trackers, sensors, and other devices. The Guardian studied Tesla’s privacy policy, talked to privacy experts, and even asked the company’s AI chatbot how to share as little data as possible with Tesla. There are some safety measures you can and, in many situations, ought to take if you own a Tesla. However, adjusting these settings so that you share the least possible amount of data with Tesla will shut off access to many of your car’s functions.

Data protection digest 1-15 Jan 2025: mobile app permissions should work in conjunction with consent requirements – CNIL
https://techgdpr.com/blog/data-protection-digest-17012025-mobile-app-permissions-should-work-in-conjunction-with-consent-requirements-cnil/
Fri, 17 Jan 2025 10:06:07 +0000

Mobile app permissions

Technical permissions in mobile apps are very useful for privacy, explains the French regulator CNIL. They allow users to technically block access to certain data. However, these permissions are not designed to validate users’ consent within the meaning of the GDPR. Even when consent is required, a simple request for permission does not always allow for free, specific, informed and unambiguous consent. There may also be exemptions from consent, such as for the functioning of a navigation mobile app, when the data is required for the service; the OS supplier nevertheless requires authorisation to access this information. An ideal permissions system working in conjunction with a consent management system should allow the user to choose, without any confusion:

  • the degree of processing of the data provided according to the purpose pursued (eg, more or less precise location);
  • the material scope of the authorisation (eg, access to selected photos rather than the overall media gallery);
  • the duration for which the authorisation is given (eg, one-time activation of the permission or for a predetermined period).


Non-material damages for US data transfers

The CJEU ordered the European Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website due to the transfer of personal data to the US without appropriate safeguards. In 2021 and 2022, a German citizen complained that the Commission violated his right to personal data protection when he used the Commission’s EU Login authentication service and chose to sign in with his Facebook account.

His data, including his IP address and information about his browser and terminal, were transferred to recipients in the US (Meta, Amazon Web Services and CloudFront). According to the JD Supra law blog, while the sum is small, it is the first time an EU court has acknowledged that people can be awarded damages for illicit data transfers without demonstrating significant loss, paving the way for future claims, including class actions.

More legal updates

“Maximum two complaints per month”: The NOYB privacy advocacy group explains another case, where the CJEU criticised the Austrian data protection authority for discontinuing proceedings against companies. In one example, the authority had capped the number of complaints that data subjects can file at two per month. The CJEU has now made it clear: as long as you do not file abusive complaints, all users have the right to have any GDPR violation remedied by the regulator. NOYB also looked at the EU-wide problem of data protection authorities’ inactivity: statistically, many cases wait up to several years for a decision (instead of the established 6 months).

Canada updates: According to an IAPP analysis, the proposed federal privacy law reforms and AI regulation contained in Bill C-27 are in serious jeopardy. Prime Minister Justin Trudeau’s recent resignation has paralysed Parliamentary business. As the country awaits a national election, C-27’s approval in the Senate is delayed. The proposals include enacting the Digital Charter Implementation Act, the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. 

India updates: The government has released a draft of the Digital Personal Data Protection Rules, (legal text available in English), under the Digital Personal Data Protection Act, (2023), and is currently seeking public feedback and comments, cms-lawnow.com law blog reports. Key rules include: consent obligations, including for children’s data, security safeguards, data breach notification, retention periods, information obligation, data transfers abroad, impact assessments and audits, and the exercise of data subject rights. 

Electronic patient records


On January 15 the “electronic patient record” (ePA) will start with a pilot phase in the Hamburg, Franconia and North Rhine-Westphalia regions of Germany. After the successful completion of the introductory phase, the nationwide rollout is planned for February 15 at the earliest. Voluntary use of the ePA was already possible. However, from January 15, the Digital Act (DigiG) stipulates that health insurance companies will create an ePA for all patients who have not explicitly objected to this.

Insured persons should therefore now check whether they want to use it or whether they object to its use completely or partially with an opt-out. The objection can be made at any time, and the health insurance companies must subsequently delete files that have already been created. The ePA brings advantages: it facilitates the exchange of medical documents, avoids duplicate examinations and makes it easier for patients to control which data they release to whom. However, there is currently also criticism, particularly regarding data security (IT experts uncovered security flaws in the ePA at the Chaos Communication Congress at the end of 2024).

Work agreements and data processing

DLA Piper’s legal blog looks at a CJEU case in which an employer (in Germany) had initially concluded a temporary agreement with the works council on the use of the software ‘Workday’. It provided, inter alia, that specifically identified employee data could be transferred to a server of the parent company in the US. An employee brought a legal action for access to this information, for the deletion of data concerning him, and for compensation. The CJEU ruled that if employers and works councils agree on more specific rules in a work agreement regarding the processing of employees’ data, these must take into account general data protection principles, including the lawfulness of processing. Furthermore, such a work agreement is open to judicial scrutiny. Businesses should therefore investigate whether other legal bases are applicable.

More official guidance

UK online safety: On 16 December, Ofcom brought into effect new UK online safety regulations. Digital platforms, especially bigger and riskier ones (social media firms, search engines, messaging, gaming, dating apps, and file-sharing sites), now have three months to complete illegal harm risk assessments and apply the necessary safety measures (from a list of more than 40 safeguards). Among many things, this will include reporting and complaints duties, better moderation, easier reporting, built-in safety tests, and protecting children. The Act also enables Ofcom to make a provider use (or in some cases develop) a specific technology to tackle child abuse or illicit content on its sites and apps.

AI and consumer harm: America’s FTC gathered the latest casework on what companies need to consider when developing, maintaining, using, and deploying an AI-based product. This includes:


Video surveillance on a large scale

Depending on the scope and purpose, video surveillance can be divided into three scales: narrow, medium, and wide-scale video surveillance, explains the Latvian regulator. Large-scale video surveillance means that the processing is carried out over a significant area and presents high risks for the processing of personal data at regional, national or transnational levels. The larger the area monitored and the more people visiting it, the higher the risk of data misuse.

If an organisation conducts video surveillance of several separate areas, their total area should be taken into account to determine whether video surveillance is taking place on a large scale. When conducting video surveillance in publicly accessible but less populated or visited areas, the thresholds for the size of the area and the duration of data retention may be higher to qualify as large-scale. However, if video surveillance involves the processing of biometric data for the unique identification of a person, then it is considered to be the processing of special categories of data.

Privacy of the art market

An analysis in The Art Newspaper notes that access to historic sales records is becoming more restricted due to increased confidentiality periods at auction houses.

In the EU and the UK, privacy rights are protected through contract, common law and data protection regulations. Thus, the identity of buyers and sellers is protected in several ways, and the auction houses are now restricted from disclosing it without the client’s consent. Moreover, the degree to which such data privacy measures can be used to restrict access is still unclear, as the GDPR does not prescribe how long confidentiality clauses can last.

More enforcement decisions

Genetic and health data breach: The Estonian data protection inspectorate imposed an 85,000 euro fine in connection with an incident that occurred at the end of 2023, in which the Asper Biogene OÜ system was attacked and approximately 100,000 files with people’s data, including genetic and health data, were obtained. The decision can still be appealed by the company. Asper Biogene OÜ is primarily engaged in testing for hereditary diseases, developing genetic tests and providing healthcare services, thereby processing health data extensively.

Frontex case: The EDPS issued a warning to Frontex for a breach of data protection rules. The breach involved Frontex systematically sharing the personal data of suspects in transnational criminal cases with Europol without assessing whether the sharing was necessary. Such sharing can have serious consequences for individuals, who could be wrongly linked to criminal activities in Europe. Frontex stopped the transfer of personal data to Europol shortly after the inquiry and now assesses all information individually before sharing it with the agency. 

Facial recognition: The FTC meanwhile finalised an order against IntelliVision Technologies due to false claims that its AI-powered facial recognition software was free of gender or racial bias. The FTC alleged that IntelliVision lacked evidence that its software had one of the highest accuracy rates on the market and performed with zero gender or racial bias.

The complaint also alleged that IntelliVision did not train its facial recognition software on millions of faces, as it claimed, nor did it have adequate support for its claims that its anti-spoofing technology ensures the system can’t be fooled by a photo or video image.

Data security

DORA is enforceable now: The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and applies as of 17 January 2025. DORA harmonises the rules relating to operational resilience for the financial sector, applying to 20 different types of financial entities and ICT third-party service providers. It covers areas of compliance such as:

  • ICT risk management,
  • ICT third-party risk management,
  • Digital operational resilience testing,
  • ICT-related incidents,
  • Information sharing on cyber threats, and
  • Oversight of critical third-party providers.


Security updates: Privacy International meanwhile reminds us that the CrowdStrike incident (a malformed update) earlier this year had major implications for governments and businesses across the world. Among other things, it emphasises the importance of security updates, including auto-updates, which are essential to keep our devices running properly and safely. What is needed is for auto-updates to be properly tested before being rolled out. Moreover, too often companies bundle security and feature updates together, meaning that users cannot install one without the other. That is a problem, especially if a weaker testing process for feature updates pollutes the process for security updates, or if users are prevented from installing the latest security updates because they do not want the features or their device does not support the feature updates.

Big Tech

US vulnerabilities: The outgoing President Joe Biden has just signed an executive order to address US vulnerabilities following cyber attacks, (by China, Russia, Iran and ransomware criminals), that cost the country billions, the Guardian reports. Among its most notable elements is a mandate for government agencies to install end-to-end encryption for email and video communications, as well as new standards for AI-powered cyber defence systems and quantum computing protections.

The order also requires federal agencies to only purchase internet-connected devices with a “cyber trust mark” from 2027, essentially leveraging government procurement authority to encourage manufacturers to tighten security standards for items such as baby monitors and home security systems.

Data protection digest 16-31 Dec 2024: citizens’ privacy awareness is on the rise, yet attitude relies on income and obligations (https://techgdpr.com/blog/data-protection-digest-02012025-citizens-privacy-awareness-is-on-the-rise-yet-attitude-relies-on-income-and-obligations/, published Thu, 02 Jan 2025 10:54:47 +0000)

Citizens’ privacy awareness: According to the latest survey by the Lithuanian data protection authority, a larger share of the public can correctly name an institution, (other than courts), that would help protect their rights in personal data protection. 

The regulator’s name, (VDAI), was indicated by 29% of respondents. 15% of respondents believe that they have encountered unlawful or improper processing of their data in the past year. Almost half of them say they have acted to protect their rights. People who are better informed about various laws and regulations are more confident that organisations ensure their right to personal data protection. 65% of respondents say their employers comply with the requirements. However, generally, trust in companies and institutions has been decreasing. Finally, people with higher incomes and higher positions perceive personal data protection conditions as more favourable, (72% of the top and middle-level managers), as opposed to the unemployed and small entrepreneurs.

The research methodology on citizens’ privacy awareness can be seen here.

AI development and deployment

To bridge into the 2025 technological year, the top EU data protection regulator, the EDPB, adopted an opinion on using personal data to develop and deploy AI models. It looks at a) when and how AI models can be considered anonymous, b) whether and how legitimate interest can be used as a legal basis for developing or using AI models, and c) what happens if an AI model is developed using personal data that was processed unlawfully. It also considers the use of first and third-party data. Separately, the EDPB is currently developing guidelines covering more specific questions, such as web scraping for AI training.

More legal updates

Norway tightens the requirements for consent for the use of cookies and similar technologies from 1 January 2025. The requirements are aligned with the EU GDPR. For consent to be valid under the new Norwegian law, it must be: 

  • voluntary
  • specific
  • informed
  • unambiguous
  • given through an active action
  • documentable
  • possible to withdraw as easily as it was given

The user must also be given accessible and understandable information that allows them to easily understand the consequences of any consent. Until now, for example, it has been sufficient for default browser settings to allow cookies. The requirement for consent does not apply to the technical storage of or access to information, (to transmit communications, or which is strictly necessary to provide a service).

As of 2025, 19 US states have comprehensive consumer privacy laws, (effective between 2024 and 2026). Most of this new legislation protects the personal data of consumers within their states, that is, residents of that state, excluding individuals acting in employment or commercial contexts, explains a JDSupra publication. Only the California Consumer Privacy Act, (CCPA), as amended by the California Privacy Rights Act, (CPRA), applies equally to consumers, employees, and business-to-business commercial contacts. In parallel, the California Privacy Protection Agency announces increases for CCPA fines and penalties as of 1 January 2025.

Processors certification

The French CNIL is working on a draft reference framework adapted to data (sub) processors to create a new certification. A public consultation is open until 28 February. A data controller is required to use trusted processors, who provide sufficient guarantees under the GDPR, in the context of a service provided.

These processors often include: IT service providers, (hosting, maintenance, etc.), software integrators, IT security companies, digital service companies, marketing or communication agencies, etc. To obtain certification, it will be necessary to provide proof of compliance with each of the criteria of the standard. The draft evaluation framework is made up of 90 control points which are organised chronologically:

  • Contractualisation;
  • Preparation of the processing environment, including the security measures;
  • Implementation of the processing;
  • End of the processing.

Website reconstruction

Organisational errors during website reconstruction may result in data being exposed, states the Polish data protection regulator UODO. In the related case, a company, (Panek SA), did not implement appropriate security measures based on a risk analysis.

It did not test the solutions it introduced, nor did it assess their effectiveness. Due to the lack of appropriate communication between the administrator and the processor, an employee of a subcontractor mistakenly placed files with data from the old service on a new page. These files were indexed by Google and thus became available to everyone, (data on 21,453 customers and employees of the company): name, email address, home address, and encrypted passwords. The company that built the website claimed that it had not received information about the functionalities, (not mentioned in the data processing agreement). The company itself emphasized that the incident would not have occurred if not for a server configuration error, for which the company’s IT services are responsible.

More from supervisory authorities

Video surveillance: One of the most common ways for entrepreneurs to protect their property is to install video surveillance cameras. If a company uses cameras to record in a place where people, (customers, employees, passersby) may be present, then it can be considered that the company is processing data and it must take into account the data protection requirements, states the Latvian regulator. The most commonly applied legal basis is the pursuit of legitimate interests. 

This implies applying the balancing test to confirm that video surveillance does not significantly infringe on the interests of the observed people. The organisation also must apply appropriate security measures and inform data subjects, using an information sign that shows the name of the data controller, contact information, and the purpose of the processing, as well as an indication of where further information can be found.

How to erase data: The Information Commissioner’s analysis states that 14 million UK people, (29%), don’t know how to erase their data from an old device or tech product. Over a quarter of UK adults plan to treat themselves to a new device this Christmas. However, the latest poll found that the average Brit has three unused devices sitting at home. Effective data erasure means that your data can’t be accessed by anybody else, either by mistake or for malicious purposes such as fraud. For example, a factory reset via the settings can adequately erase your personal information from most mobile phones.

Sports industry

The Irish DPC in its latest survey engaged with over 100 clubs across four major sports in terms of participation at a national level.

Notably, 56% of sports clubs do not have a personal data retention schedule. 41% of clubs reported they do not have any data protection policies, including for subject access requests or other data subject rights under the GDPR such as erasure or rectification. Finally, when a club introduces new types of technology, it is recommended to carry out a Data Protection Impact Assessment, (DPIA), to assess and mitigate the risks. But only 9% of the clubs carried it out.

Cookie banners

The Liechtenstein regulator warned website operators on the obligation to obtain consent when using cookies that are not technically necessary or when passing on data to third parties. One of the most frequently observed errors is that many consent management tools do not technically ensure that no further (tracking) scripts are executed and no technically unnecessary cookies are stored in the browser while the cookie banner is displayed. For example, when a website is simply accessed, the personal data of the website visitor, (including the IP address), is often already transmitted to third parties.

Customers’ loan applications

Finland’s Data Protection Commissioner fined Sambla Group, a provider of loan comparison services, 950,000 euros because, due to poor data security, information about customers’ loan applications had been accessible to third parties through personal links intended for customers. The links provided access to the loan applicant’s contact information, as well as information on income, housing expenses, marital status and children. The information had been directly accessible to anyone who knew the customer’s web address and had the technical expertise to exploit the security flaws.

More enforcement decisions

Data subject request in a foreign language: DataGuidance published an exceptional case concluded by the Spanish AEPD. It decided to punish OK MOBILITY GROUP with a fine of 100,000 euros, (which was lowered to 60,000 euros following voluntary payment and acknowledgement of non-compliance), for failing to reply to an access request from a data subject, to provide a defined retention period for personal data, and for supplying an incorrect fiscal identification number. A request in German was not viable grounds for non-compliance, because the firm offers its services in Germany and the contract was concluded in German, concluded the AEPD.

Netflix fine: Between 2018 and 2020, Netflix did not provide customers with enough information about their data. Additionally, the information that Netflix did provide was unclear in some areas. The Dutch data protection authority therefore imposed a 4.75 million euro fine on the streaming service. Netflix collects various types of personal data from customers, from email addresses, phone numbers and payment details to data about what and when customers watch. In addition, customers were given too little information when they asked Netflix what data the company collects about them.

KASPR data scraping fine: The French CNIL issued a 240,000 euro fine on KASPR for collecting the contact details of LinkedIn users who had chosen to limit their visibility. KASPR markets a paid extension for the Chrome browser that allows its customers to obtain the professional contact details of people whose profiles they visit on LinkedIn. Around 160 million contacts are included in the database set up by the company. The CNIL noted that the fact that people had chosen to make their contact details visible to their 1st and 2nd-level contacts did not amount to authorising KASPR to access and collect their contact details.

Data security

Incident reporting obligation: The Belgian NIS 2 cybersecurity authority issued guidelines for organisations on incident reporting obligations, (available in English, Dutch and French).  An incident under the NIS2 law is defined as “an event compromising the availability, authenticity, integrity or confidentiality of data stored, transmitted or being processed, or of services that networks and information systems offer or make accessible”. 

Also, notification of an event is mandatory when it constitutes a “significant” incident. It could be a) a suspected malicious event, b) an event compromising the availability of data, or c) an event causing or likely to cause material, physical or moral damage affecting other natural or legal persons. Recurring incidents that are linked through the same apparent root cause also belong to this list.

Security risks: As companies depend on accumulating more consumer data to develop products such as artificial intelligence, targeted advertising, or surveillance pricing tools, they may create valuable pools of information that bad actors can target for illicit gain, states the Federal Trade Commission. Its latest analysis looks at systemic causes of risk in several areas through the lens of data management, software development, and product design for humans. In addition, addressing security threats is nontrivial. Security practices that are employed upstream and directed at systemic vulnerabilities of technology, such as implementing data policies and access control, can minimize risk for consumers.

Companies must not only take reasonable measures to secure consumer data but also avoid misrepresenting their security practices.

Big Tech

AI Task Force: The US House Task Force on AI released a comprehensive 253-page report on the rapidly advancing technology. Gen AI systems can generate text, image, video, and audio/voice content. These systems are trained on a large set of existing written, visual, or audio data.

They identify statistical patterns in this training data and then create novel content. The report evaluates AI policy proposals in public administration, education & workforce, agriculture, healthcare and financial services, and small businesses.

A Cambridge University study, meanwhile, warns that AI is about to get into your head like never before. After decades of the ‘attention economy’ dominating, whereby websites sought to hook users for as long as possible to serve them adverts, an ‘intention economy’ is likely to replace it, with AI tools deployed to understand, forecast and manipulate human intentions to sell that data to companies. The report asserts that this emerging new marketplace for ‘digital signals of intent’ could have a huge effect on human aspirations, behaviour, and psychology beyond selling products, and could interfere with free and fair elections, a free press, and fair market competition. 

Data protection digest 17 – 31 Oct 2024: clinical research service providers, non-for-profit, commercially available AI (https://techgdpr.com/blog/data-protection-digest-2112024-clinical-research-service-providers-non-for-profit-commercially-available-ai/, published Sat, 02 Nov 2024 11:05:22 +0000)

Not-for-Profit

Updated privacy guidance for not-for-profits has been released by the Office of the Australian Information Commissioner. It includes a discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. For instance, when entering into arrangements with third parties, your not-for-profit should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your not-for-profit and the wider community, (donors, volunteers, and people who engage with the sector as clients and staff). It is important to read the terms of your agreement carefully, conduct periodic reviews, and ensure the third party deletes any personal information at the end of the contract term.

Consent management in Germany

On 17 October the Bundestag approved the regulation that introduces recognised consent management services to manage decisions made by end users regarding consent or non-consent to a digital service provider, thus relieving them of some of the burden, (of individual decisions that have to be made with cookie consent banners). The integration of recognised consent management services by providers of digital services is voluntary. It now has to be approved by the government and officially published to come into effect. The original regulation, (in German), can be read here.

Clinical research organisations (CROs)

The French CNIL has approved a Code of Conduct intended for clinical research organisations and other service providers, (CROs), who act as processors on behalf of sponsors. It brings an operational dimension to the requirements of the GDPR. It is supported by the not-for-profit European Clinical Research Federation (EUCROF) and is mandatory for those who adhere to it.

Among the services offered by CROs that may be covered by the code are the design of the protocol, the selection and contracting with the investigator centers, the collection and hosting of data, their analysis and the production of reports, or archiving or technical support services.

Other legal updates

NIS2 directive takes effect: New regulations to improve the cybersecurity of the EU’s vital networks and entities, (“NIS2”), should have been incorporated into national legislation by the October 17 deadline. According to a DLA Piper analysis, although some Member States such as Croatia, Hungary and Belgium have transposed the directive into national legislation, the majority of EU countries do not yet have the relevant implementing legislation and necessary guidelines for organisations in place. 

Sanction lists: The Swedish IMY has drawn up new regulations that make it permissible for certain companies to handle personal data about violations of the law without seeking permission from the regulator when, among other things, checking their customers against various sanction lists. In particular, companies that operate in the financial sector as well as in the security and defence market may need to check their customers, suppliers and employees, to comply with international export restrictions, and against money laundering and the financing of terrorism.  

Lawful collection of criminal records: The Danish data protection authority investigated Parken Services A/S’ procedures for obtaining information in the recruitment process. In particular, it obtains copies of passports and criminal records from applicants. The regulator found this processing lawful taking into account the special circumstances that apply to Parken Services A/S as an employer, including the very large number of people employed by the company, and the very special risk profile associated with a company servicing large sporting and entertainment events, especially concerning terrorism and crime.

Worker transfers data to private account without permission

An Ius Laboris law blog post analyses the recent case in the Netherlands where an employee was dismissed because he sent 791 documents from his employer’s server to his personal Dropbox account, shortly after he was told that his fixed-term employment contract would not be extended. The employer had an IT policy that stated that employees could not make copies of the employer’s data or store information from the employer in personal locations.

Additionally, the employer had recently sent an email to all employees reminding them that they were not allowed to take any documents or property from the employer with them at the end of their contract. Read more findings of the case in the original publication.

Commercially available AI

The Office of the Australian Information Commissioner has also issued new AI guidance. AI products should not be used simply because they are available, it says. Robust privacy governance and safeguards are essential for businesses to gain any advantage from AI and build trust and confidence in the community. Similarly, during AI model training, it must be carefully considered whether this will involve the collection, storage, use or disclosure of personal information, either by design or through an overly broad collection of data for training. Do this early in the process to help mitigate any privacy risks. Personal information is a broad category, and the risk of data re-identification needs to be considered. 

More official guidance

Mobile apps design: Apps often ask for permissions that they don’t need to function properly, (geolocation, contacts, camera or mic). It is recommended to accept only those strictly necessary for the function of the service. Apps also collect data about your behaviour, such as which web pages you visit, how long you spend in an app, or which features you use most often. This information may be used for ad personalisation, but you can limit or disable it in the privacy settings of your account. It is also recommended to use temporary accounts or alternate email addresses that are not linked to sensitive data.

Learning environments: The Estonian regulator emphasized the obligation of educational institutions and their learning environments to maintain the appropriate technical and organisational measures. This includes reviewing the documents and personal data entered into online environments and their retention periods, creating a system for monitoring data retention periods and deleting data at the end of a period, and ensuring that employees are informed of data protection conditions. 

It is also important that the data can be partially deleted so that it does not prevent the further processing of other data, (eg, making the data non-personal and storing it for archiving, scientific and historical research or statistical purposes). 

Work emails backup: The Italian Garante fined a company 80,000 euros for carrying out backups during the employment relationship. The complaint was filed by a commercial agent who realised that the company, during their collaboration, used software to back up emails, preserving both their contents and access logs to the emails and the company management system. The information collected was then used by the company in litigation. This also allowed the company to reconstruct the collaborator’s activity, thus incurring a form of control prohibited by the workers’ statute.

More enforcement decisions

LinkedIn fine: The Irish Data Protection Commission fined LinkedIn Ireland 310 million euros. The inquiry examined LinkedIn’s processing of personal data for behavioural analysis and targeted advertising of users who have created LinkedIn profiles. LinkedIn did not validly rely on consent to process third-party data of its members for behavioural analysis and targeted advertising. Similar validity issues applied to the legitimate interest and contractual processing of first-party personal data. 

Health data breach: The New York Attorney General secured 2.25 million dollars from a health care provider AENT for failing to protect the medical data of 200,000 New York patients. AENT failed to adequately monitor the third-party vendors responsible for their cybersecurity functions. As a result, those vendors did not install critical security software updates promptly, adequately log and monitor network activity, properly encrypt consumers’ private information before and after any attacks, utilise multi-factor authentication for all remote access, or otherwise maintain a reasonable information security program. Finally, AENT’s data storage devices continued to host unprotected private information months after two ransomware incidents occurred. Read more insights on massive health data breaches in the US here.

Pinterest: Privacy advocacy group NOYB filed a complaint against the social media platform Pinterest, including its visual mood board used for finding ideas and inspiration. Advertisers, on the other hand, use the platform to push their products to consumers. Pinterest’s business model is also based on personalised advertising and the associated user tracking. The platform allegedly uses people’s data without asking for their consent. Pinterest claims to have a legitimate interest and enables tracking by default.

Data security

Ransomware: In 2023, there were more ransomware attacks in the Netherlands than previously. The AP counted at least 178 successful attacks. The number of affected organisations runs into hundreds. Millions of people’s data were affected, from emails and phone numbers to copies of passports, bank account numbers, and passwords. The AP notes that while cybercriminals sometimes target one specific company in a certain sector, they also regularly attack IT suppliers that manage data on behalf of a range of companies from all sectors. 

Google Analytics: The Saxony Data Protection Commissioner discovered the illegal use of Google Analytics on 2,300 out of the 30,000 websites it examined, (compliance improved significantly throughout the inspections). Data was collected without the visitors having previously consented to the setting of analytics cookies and/or the establishment of server connections to Google Analytics. A significant number of consent banners often did not do what the settings promised users. Services were executed and cookies were set even though the settings indicated “off”. Many of the website administrators were unaware of this. 
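The failure mode the Liechtenstein and Saxony regulators describe above (tags firing and cookies being set before, or against, the visitor's choice) comes down to whether the consent tool actually gates what the page loads, and whether the record of the choice is documentable and withdrawable, as the Norwegian criteria earlier in this digest require. The following JavaScript is an added example, not code from TechGDPR, any regulator or any consent-management product: a minimal consent gate that loads only permitted tags, keeps an append-only record of consent and withdrawal, and an audit routine that compares the cookies actually present in the browser with the recorded consent. The script registry, cookie inventory and cookie values are constructed for the example.

```javascript
// Added example (not code from TechGDPR, any regulator or any consent-management
// product): a minimal consent gate plus an audit that compares the cookies actually
// present in the browser with what the user consented to. No DOM is touched, so it
// runs under Node as well as in a page; script and cookie names are constructed.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed tag registry: every third-party script is tagged with the consent
// category it needs. Only "necessary" may run before the user has made a choice.
const SCRIPT_REGISTRY = [
  { id: "session-handler", category: "necessary", src: "/js/session.js" },
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Constructed cookie inventory used by the audit; a real site would maintain this
// as part of its cookie policy and keep it in sync with the tags it deploys.
const COOKIE_CLASSES = { sid: "necessary", _ga: "analytics", _gid: "analytics", ad_id: "marketing" };

class ConsentManager {
  constructor(now = () => Date.now()) {
    this.now = now;     // injectable clock so records are reproducible in tests
    this.record = null; // null = no choice yet: everything non-essential stays blocked
    this.log = [];      // append-only history, so consent and withdrawal are documentable
  }

  // Record an explicit per-category choice (an active action, never a browser default).
  setConsent(choices, bannerVersion) {
    const granted = {};
    for (const c of CATEGORIES) {
      granted[c] = c === "necessary" ? true : choices[c] === true;
    }
    this.record = { granted, bannerVersion, at: this.now() };
    this.log.push({ event: "consent", ...this.record });
    return this.record;
  }

  // Withdrawal must be as easy as giving consent: one call drops back to necessary-only.
  withdraw() {
    const granted = { necessary: true, analytics: false, marketing: false };
    const bannerVersion = this.record ? this.record.bannerVersion : null;
    this.record = { granted, bannerVersion, at: this.now() };
    this.log.push({ event: "withdraw", ...this.record });
    return this.record;
  }

  allows(category) {
    if (category === "necessary") return true;
    return this.record !== null && this.record.granted[category] === true;
  }

  // The only scripts the page may inject. Anything else never reaches the browser,
  // which is the guarantee the banners criticised above failed to provide.
  scriptsToLoad(registry = SCRIPT_REGISTRY) {
    return registry.filter((s) => this.allows(s.category)).map((s) => s.id);
  }
}

// Audit the cookie jar against the consent state. `cookieHeader` is the
// "name=value; name=value" string that document.cookie returns. Cookies in a
// category the user did not allow, and cookies missing from the inventory, are reported.
function auditCookies(cookieHeader, consent, classes = COOKIE_CLASSES) {
  const violations = [];
  for (const part of cookieHeader.split(";")) {
    const name = part.split("=")[0].trim();
    if (!name) continue;
    const known = Object.prototype.hasOwnProperty.call(classes, name);
    const category = known ? classes[name] : "unclassified";
    if (!known || !consent.allows(category)) {
      violations.push({ name, category });
    }
  }
  return violations;
}

// Walk through the lifecycle with a fixed clock and a constructed cookie jar in which
// an ad cookie was set although marketing consent was refused (the "off" that was not off).
function demo() {
  const cm = new ConsentManager(() => 1735689600000);
  const beforeChoice = cm.scriptsToLoad();
  cm.setConsent({ analytics: true, marketing: false }, "banner-v3");
  const afterChoice = cm.scriptsToLoad();
  const violations = auditCookies("sid=abc; _ga=GA1.2.1; ad_id=xyz; _unknown=1", cm);
  cm.withdraw();
  const afterWithdraw = cm.scriptsToLoad();
  return { beforeChoice, afterChoice, violations, afterWithdraw, log: cm.log };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run against a real page, `auditCookies(document.cookie, cm)` after load is the quick check that the banner's "off" actually means off; any entry it returns is a tag that fired without a basis.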

Mobile surveillance: The KrebsOnSecurity blog reports on a recent ad data surveillance case. The Delaware-based Atlas Data Privacy Corp. filed a lawsuit against Babel Street, a technology company that allows customers to use a real-time finder at and around nearly any location on a map of the world, and view a time-lapse history of all mobile devices seen coming in and out of the specified area.

Babel Street consumes location data and other identifying information, (built into all Google Android and Apple mobile devices), that is collected by many websites and makes this available to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user, the analysis states. 

Embracing the GDPR as a non-EU company (https://techgdpr.com/blog/gdpr-as-a-non-eu-company/, published Mon, 21 Oct 2024 10:24:41 +0000)

6 years after becoming enforceable, the GDPR has not died out in popularity as a conversation topic among board members. While it remains the elephant in the room for many a stakeholder, non-EU companies who have embraced its application and requirements are finding it much easier to remain contenders on the European market. This article asks: how can non-EU companies get started complying with a regulation they believe does not apply to them?

When does the GDPR apply?

The GDPR applies when public or private organisations process personal data. These assume one of two distinct roles, either data controller or data processor. When discussing role distribution in supplier or customer relationships, we label one or the other as data controller or processor, respectively. However, one logically determines this at the level of a single processing activity.

The law is extremely clear about the territoriality, targeting and offering of goods and services. Thus, the GDPR applies to your non-EU company if: 

  1. you establish a company or a subsidiary in the EU.
    No matter your product or service, your employees are people too and their data is protected by law. This places you under data controller obligations.
  2. you provide goods and services (for a fee or not) to people in the EU.
    Since processing their personal data is a requirement to provide said goods and services, you are under data controller obligations.
  3. you provide processing services (SaaS, PaaS) to a company to which the GDPR applies by virtue of the above points.
    The GDPR becomes applicable when handling personal data for a company established in the EU. In this case you likely assume data processor obligations.

Supplying services to end users

Beyond the letter of the law, your sales team faces demanding questions from client procurement teams and end users alike. This is the case whether you offer B2B, B2B2C or B2C goods and services. Sales teams need to understand what procurement teams ask of them. At the very least, it communicates a sense of preparedness. In practice, they should only occasionally forward less obvious questions to the tech, product or legal teams.

Your internal or external data protection officer (DPO) or chief privacy officer (CPO) should sit comfortably astride legal and tech. If they do, have them train sales to reduce back and forth communication. These individuals see data processing from the technical perspective of data flows. Importantly, they understand risk from the perspective of risk to the data subject.

Sisyphus leveraging compliance to finish 1st place.

Leveraging privacy

Being able to address data subject requests (DSRs) in a timely manner ensures you remain a contender on your client’s procurement shortlist. Some clients operate in a highly regulated field so compliance is crucial to them. Others show high ethical drive and understand non-compliance as a risk to their operations. For clients who don’t care, your common relationship will deteriorate at the first privacy pinch from data subject requests. Pressure will come from their own vertical relationships in the supply chain, or enquiries by supervisory authorities.

If your business enjoys a direct relationship with people in the EU, you likely assume a data controller role. This is the case with the provision of B2C goods and services. The full requirements of transparency, security and accountability apply, as does the performance of data subject rights. Subjects are savvier now about exercising their rights. You can expect their privacy experience with you to make it onto social media if they don’t trust your practices.

Supplying services to other organizations

When supplying SaaS or PaaS solutions, the B2B / B2B2C scenario likely makes you a data processor. The requirements for security and accountability apply to both controllers and processors. Yet, transparency obligations are fulfilled by the data controller. This is done through their own channels or via a notice your platform allows them to provide to their end-users. However, your ability to be forthcoming with demonstrations immediately satisfies your customers’ expectation that you are set up to help them demonstrate how they comply.

Transparency is not the only obligation you will help your customer fulfil. Say you provide a platform that corporate customers can use to create user retail experiences. They remain responsible for collecting proof of consent to the data processing resulting from triggering your platform features (e.g. shopping cart memory or reward schemes). Your platform being the front-end of user interaction for your customers, ask yourself whether your platform

  • provides your customers with consent collection mechanisms, collecting proof of consent and allowing for user revocation of consent;
  • provides APIs to push data from your platform to your customer’s ERP, therefore triggering data transfers and access right management;
  • helps generate records of processing activities that satisfy GDPR Article 30 requirements;
  • helps generate a privacy notice based on the factual data processing caused by the user’s choice of features.
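The first bullet is the one most often done badly: a checkbox state in a user table is not proof of consent, and deleting the row on withdrawal destroys the very trail the controller needs. The following is an added example written for this page (not TechGDPR’s code, nor any vendor’s SDK) of what a platform-side consent record can look like: each grant or revocation is an event that captures which notice version the user saw, where and when, chained with a SHA-256 hash so that later edits are detectable, and a feature such as a reward scheme is gated on the current state. The class and method names, and the purposes used in the demo, are assumptions.

```python
"""Consent events with proof and revocation for a B2B2C platform.

Added example written for this page; it is not TechGDPR's code nor any
vendor's SDK. ConsentLedger, ConsentEvent and the purposes used in the
demo ("cart_memory", "reward_scheme") are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # the platform feature the choice relates to
    action: str           # "grant" or "revoke"
    notice_version: str   # version of the notice the user actually saw
    channel: str          # where the choice was made, e.g. "web_checkout"
    timestamp: str        # ISO 8601, UTC
    prev_hash: str        # hash of the preceding event (tamper evidence)
    event_hash: str       # SHA-256 over all fields above


class ConsentLedger:
    """Append-only log: a revocation is a new event, never a deletion,
    so the proof trail for the controller survives the user's change of mind."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, subject_id: str, purpose: str, action: str,
                notice_version: str, channel: str,
                now: datetime | None = None) -> ConsentEvent:
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self._events[-1].event_hash if self._events else self.GENESIS
        body = dict(subject_id=subject_id, purpose=purpose, action=action,
                    notice_version=notice_version, channel=channel,
                    timestamp=ts, prev_hash=prev)
        event = ConsentEvent(**body, event_hash=self._digest(body))
        self._events.append(event)
        return event

    def grant(self, subject_id, purpose, notice_version, channel, now=None):
        return self._append(subject_id, purpose, "grant", notice_version, channel, now)

    def revoke(self, subject_id, purpose, channel, now=None):
        # The notice version is irrelevant for a withdrawal; record it as empty.
        return self._append(subject_id, purpose, "revoke", "", channel, now)

    def has_consent(self, subject_id, purpose, notice_version=None) -> bool:
        """Latest event for (subject, purpose) wins. When notice_version is given,
        a grant against an older notice does not count: a changed notice or a new
        purpose needs a fresh choice rather than silent reuse of the old one."""
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                if ev.action != "grant":
                    return False
                return notice_version is None or ev.notice_version == notice_version
        return False

    def proof(self, subject_id, purpose) -> list[dict]:
        """What a controller hands to a supervisory authority: the full trail."""
        return [asdict(ev) for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or reordered event breaks the chain."""
        prev = self.GENESIS
        for ev in self._events:
            body = {k: v for k, v in asdict(ev).items() if k != "event_hash"}
            if ev.prev_hash != prev or self._digest(body) != ev.event_hash:
                return False
            prev = ev.event_hash
        return True


def feature_allowed(ledger: ConsentLedger, subject_id: str, feature: str,
                    current_notice: str) -> bool:
    """Gate a platform feature (e.g. reward_scheme) on live consent."""
    return ledger.has_consent(subject_id, feature, notice_version=current_notice)


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("u-42", "reward_scheme", "notice-v2", "web_checkout")
    print(feature_allowed(ledger, "u-42", "reward_scheme", "notice-v2"))  # True
    ledger.revoke("u-42", "reward_scheme", "account_settings")
    print(feature_allowed(ledger, "u-42", "reward_scheme", "notice-v2"))  # False
    print(ledger.verify_chain())  # True
```

Two design choices matter here. Consent is checked against the notice version in force, so a customer who changes what a feature does cannot silently ride on an old grant. And the hash chain is not a substitute for access control on the store; it only makes an after-the-fact edit visible, which is what an auditor or a supervisory authority will ask you to show.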

Engaging a non-compliant SaaS solution remains the data controller’s statutory responsibility. Yet remember that their DPO and legal counsels can be powerful show-stoppers when signing procurement contracts. No one appreciates manual work, much less when it involves getting it from the less responsive solution providers out there.

Are employees people too?

You bet they are. Tunnel vision is frequent when focusing on exporting your product. Yet, when setting up a subsidiary to manage staff locally, or remotely contracting staff in the EU, the data you process about them for employment and project management purposes is subject to regulation. Job boards and recruiting agencies allow you to tap into talent, but the nature of the services you use may vary. Your obligations on the underlying data remain those of transparency, lawfulness and retention.

When onboarding and during the employment lifecycle, employees yield and generate tons of personal data. Some of that data may be highly sensitive, such as that associated with sick leave and disabilities. Remember that your HR systems may not be contracted in the EU and likely plug into other tools. That is often the case with payroll management, training and employee development. As you would expect, this tool landscape comes with additional challenges for complex organizations sharing services across multiple jurisdictions. Due diligence should take place before onboarding a tool and continuously while feature testing.

HR personnel carelessly distributing job applicants' personal data throughout the company.

What about applicants?

No evidence suggests that merely looking at profiles on LinkedIn triggers GDPR obligations. The GDPR refers to that data as publicly available. However, the moment you make use of a third party tool or structure information, requirements are triggered. This customarily takes the form of using spreadsheet trackers for driving applicants through a conversion funnel or sharing them for assessment. Not all applicant tracking software is created equal. Identifying a supplier based in the EU does not guarantee that its compliance is up to par. At the very least, you should expect them to know what compliance you need their solution to offer.

Don’t take their word for it, challenge their assertions and document their response.

What does it take for non-EU companies to become compliant?

How is compliance defined and measured?

At its heart, compliance is about developing and maintaining the ability to demonstrate awareness of risk and risk control. Note that in data protection we do not measure risk in financial terms, nor in terms of corporate reputation. We see privacy risk through the lens of impact to the data subject. However, whether you rely on staff that is good at understanding ISO norms or legal officers good at interpreting legal provisions, your compliance essentially relies on whether your product owners understand:

  • what data they need (data);
  • what they are doing with it (purpose);
  • to whom they have given access, e.g. through APIs (recipients);
  • where it comes from (source and confidentiality);
  • how they legitimize its handling (legal basis); and
  • what rights can be exercised against that data (DSRs).

This inventory is not established in a week. Not unless employees actually speak to one another and have nothing else on their plate. Needless to say, the inventory is never perfect. Worse, it is often erected on erroneous assumptions: for instance, ruling too quickly on what is not personal data, or failing to register the implementation of an API as triggering a processing activity. Have you ever had an awkward discussion with partner procurement teams?

For organizations making use of the ISO 27001 security management cookbook, the ISO 27701 extension is the cherry on top to help demonstrate, to customers and authorities, that the organization is serious about compliance. Serious enough that it allows a third party to independently audit its compliance management system (ISMS and PIMS respectively).

A stressed compliance officer attempting to provide proof of compliance to an auditor.

What do you need in order to demonstrate compliance?

You’ll need Records of Processing Activities (RoPA) to start with. That will put everyone on the same page: your tech teams, your legal teams, your product owners, your sales and procurement teams. It will allow you to update your privacy notices and enter (and exit!) sales discussions comfortably. You’ll need to review all your third-party contracts to identify where Data Processing Agreements (DPAs) and international transfer mechanisms are missing. You may also need to perform data protection impact assessments if your activity appears on the list of processing operations for which your supervisory authority requires one (Article 35(4)).
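The six questions product owners must answer (data, purpose, recipients, source, legal basis, DSRs) and the contract review above are the same inventory seen from two sides, and the gaps are mechanical enough to check in code. The following is an added example written for this page, not TechGDPR’s tooling: a minimal inventory record plus a vendor register, with a check that flags a missing legal basis or purpose, a recipient that is not in the vendor register, a recipient with no DPA, a recipient outside the EEA with no transfer mechanism, and special-category data that should be checked against the DPIA list. The record layout, finding texts, vendor names and sample entries are assumptions constructed for the demo.

```python
"""Gap check over a draft processing inventory (RoPA).

Added example written for this page, not TechGDPR's tooling. The record
layout, the vendor register, the sample entries and the finding texts are
assumptions; map them onto your own inventory.
"""
from __future__ import annotations

from dataclasses import dataclass

# EU member states plus Iceland, Liechtenstein and Norway.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}
# Art. 9 categories in the shorthand this inventory uses (assumption).
SPECIAL = {"health", "biometric", "genetic", "ethnic", "political",
           "religion", "union", "sexual"}
TRANSFER_MECHANISMS = {"adequacy", "SCC", "BCR"}


@dataclass
class Vendor:
    name: str
    country: str                      # ISO 3166-1 alpha-2
    dpa_signed: bool
    transfer_mechanism: str | None = None


@dataclass
class Activity:
    name: str
    data: list[str]                   # categories actually needed
    purpose: str
    recipients: list[str]             # vendor names with access, e.g. via API
    source: str                       # where the data comes from
    legal_basis: str | None
    dsr_channel: str | None           # how subjects exercise rights on it


Finding = tuple[str, str, str]        # (activity, severity, message)


def check_inventory(activities: list[Activity], vendors: list[Vendor]) -> list[Finding]:
    register = {v.name: v for v in vendors}
    findings: list[Finding] = []

    def flag(activity: Activity, severity: str, msg: str) -> None:
        findings.append((activity.name, severity, msg))

    for a in activities:
        if not a.purpose:
            flag(a, "high", "no purpose recorded")
        if not a.data:
            flag(a, "high", "no data categories recorded")
        if not a.source:
            flag(a, "medium", "source of the data not recorded")
        if not a.legal_basis:
            flag(a, "high", "no legal basis recorded")
        if not a.dsr_channel:
            flag(a, "medium", "no channel for data subject requests")
        if {d.lower() for d in a.data} & SPECIAL:
            flag(a, "high", "special-category data: check the supervisory "
                            "authority's DPIA list (Art. 35)")
        for name in a.recipients:
            v = register.get(name)
            if v is None:
                flag(a, "high", f"{name}: recipient missing from the vendor register")
                continue
            if not v.dpa_signed:
                flag(a, "high", f"{name}: no data processing agreement")
            if v.country not in EEA and v.transfer_mechanism not in TRANSFER_MECHANISMS:
                flag(a, "high", f"{name}: recipient outside the EEA with no transfer mechanism")
    return findings


# Constructed sample data for the demo; the names are fictitious.
SAMPLE_VENDORS = [
    Vendor("EU-CRM", "DE", dpa_signed=True),
    Vendor("US-Analytics", "US", dpa_signed=True),            # no SCCs on file
    Vendor("UK-Payroll", "GB", dpa_signed=False, transfer_mechanism="adequacy"),
]
SAMPLE_ACTIVITIES = [
    Activity("newsletter", ["email"], "marketing", ["EU-CRM"],
             "signup form", "consent", "privacy@example.test"),
    Activity("web_analytics", ["ip", "page_views"], "product analytics",
             ["US-Analytics"], "website", None, None),
    Activity("sick_leave", ["health", "employee_id"], "absence management",
             ["UK-Payroll", "Unknown-SaaS"], "employee", "Art. 9(2)(b)",
             "hr@example.test"),
]

if __name__ == "__main__":
    for activity, severity, msg in sorted(check_inventory(SAMPLE_ACTIVITIES, SAMPLE_VENDORS)):
        print(f"[{severity}] {activity}: {msg}")
```

Run against the sample data, the newsletter activity passes clean, the analytics activity shows the classic non-EU recipient with no transfer mechanism and no legal basis, and the HR activity shows a recipient nobody registered and a signed contract that is still missing its DPA. The output is a to-do list for the contract review, not a compliance verdict: a finding-free inventory only means the fields are filled in, not that the legal basis chosen is the right one.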

You might need to drop vendors with appalling documentation or those refusing to provide it. For instance, consent management platforms will lure you into thinking you don’t process personal data. If you are not willing to change suppliers, then maintain a list of vendors to deprecate for compliance issues and communicate it to upper management. You’ll need robust security documentation, and a fair share of training and awareness raising at all levels of the organization. Perhaps least discussed but most wanted on your compliance journey is an organizational appetite for change management.

Much like that of ISO 27001, whether your company is EU or non-EU-based, what helps you demonstrate GDPR compliance is the amount of available, relevant, readable, useful [and used!] documentation that demonstrates accountability. Compliance and product teams are already getting creative with Microsoft Copilot, allowing it to read through emails, repositories and spreadsheets. Are you ready to let an algorithm adjudicate on your company’s compliance and leave you none the wiser? AI is likely to become an audit support tool in first- and second-party audits. It is however unlikely to replace the auditor’s judgement and decisional independence any time soon for third-party audits that rely on market-leading certification bodies.

The post Embracing the GDPR as a non-EU company appeared first on TechGDPR.

Data protection digest 2 – 16 Oct 2024: knowing your processors and sub-processors, automated driving, election technologies https://techgdpr.com/blog/data-protection-digest-17102024-knowing-your-processors-and-sub-processors-automated-driving-election-technologies/ Thu, 17 Oct 2024 09:32:40 +0000 https://s8.tgin.eu/?p=9494

The post Data protection digest 2 – 16 Oct 2024: knowing your processors and sub-processors, automated driving, election technologies appeared first on TechGDPR.

Reliance on processors and sub-processors

The EDPB has issued an opinion on the interpretation of certain duties of controllers relying on processors and sub-processors, arising from Art. 28 of the GDPR, as well as the wording of controller-processor contracts. In particular, controllers should have information on the identity of all processors and sub-processors readily available at all times, regardless of the risk associated with the processing activity. To this end, the processor should proactively provide the controller with all this information and should keep it up to date at all times.


More legal updates


Scaling up user tracking: The EDPB also clarifies the applicability of the ePrivacy Directive to emerging tracking solutions. It explains several key elements, namely ‘information’, ‘terminal equipment of a subscriber or user’, ‘gaining access’ and ‘storage of information’. For instance, information could mean non-personal and personal data, regardless of how this data was stored and by whom (third party, user, manufacturer, or any other scenario).

Also, it would be incorrect to interpret that the third party does not require consent to access the user information simply because it did not store it. The consent requirement applies even when a read-only value is accessed (eg, requesting the MAC address of a network interface via the OS API). It applies to a non-exhaustive list of use cases including URL and pixel tracking, local processing, tracking based on IP only, intermittent and mediated Internet of Things reporting, and unique identifiers.

Legitimate interest assessment: The CJEU’s recent decision, that legitimate interests can cover purely commercial interests, is now being followed by new EDPB guidelines. For processing to be based on legitimate interest, three cumulative conditions must be fulfilled: a) the pursuit of a legitimate interest by the controller or by a third party; b) the need to process personal data for the legitimate interest(s) pursued; and c) the interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party. The assessment should be done before carrying out the relevant processing activity, with special attention when the data subjects are children.

Consent management in Germany


The German government has tabled a new regulation on cookie consent management. It establishes a recognised consent management service, intended to provide a user-friendly alternative to the multitude of individual decisions that end users have to make through cookie banners. The aim is to strengthen trust in such services through a recognition procedure by an independent body. For providers of digital services, this process offers a way to request and store consent “without having to disturb the end user” by displaying the consent banner each time. Read further technical modalities in the original publication (in German).

AI programming assistants

As AI usage continues to intensify, the use of AI programming assistants has already spread to numerous public and private entities. These tools are being employed at different stages of the software development process, primarily to generate source code, to help developers familiarise themselves with the source code of new projects, or to generate tests and documentation. The French and German information security agencies (ANSSI and BSI) have prepared recommendations (in English) on the risks associated with the use of AI programming assistants, with concrete mitigation measures: internal security guidelines, training, instructions on permissible tools and data usage, and risk and success assessments.

More official guidance

Children and the digital environment: The Spanish regulator AEPD stresses the importance of having an age verification system where the burden of proof is on the person who is of the age required to access the content, and never on the minor. The system does not need to verify a specific age or date of birth, but only that the established age threshold has been exceeded. By default, these efforts will protect minors from the risks related to accessing adult content, such as contact with people who may put them in danger, the contracting of products and services, the monetisation of their data, the incitement of addictive behaviours that affect their physical or mental integrity and other aspects.
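The two properties the AEPD describes, proof carried by the adult and a threshold result rather than a date of birth, translate into a concrete data flow: a verification provider is the only party that ever sees the date of birth, and it hands the person a short-lived token saying nothing more than “over the threshold, for this site”. The following is an added example written for this page; it is not the AEPD’s design nor any vendor’s product. To stay within the Python standard library it uses an HMAC with a key shared between provider and relying party, which is an assumption with a known weakness: a relying party holding the key could mint tokens itself, so a real deployment would use an asymmetric signature or a selective-disclosure credential instead. The claim names, the token layout and the sample dates are likewise assumptions.

```python
"""Age-threshold attestation that discloses nothing but the threshold result.

Added example written for this page, not the AEPD's design nor any vendor's
product. The token layout, claim names and the shared-key HMAC (standing in
for a real signature) are assumptions made for the demo.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
from datetime import date


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _age_on(dob: date, today: date) -> int:
    # Whole years completed, birthday not yet reached this year counts as one less.
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def issue_attestation(key: bytes, dob: date, threshold: int, audience: str,
                      today: date, now_ts: int, ttl_s: int = 300) -> str | None:
    """Runs at the verification provider, the only party that sees dob.
    Returns None below the threshold: the adult carries the proof, the minor is
    never asked to prove anything, and the site only sees that no token came."""
    if _age_on(dob, today) < threshold:
        return None
    claims = {
        "aud": audience,              # bound to one relying party
        "over": threshold,            # the only age-related fact disclosed
        "exp": now_ts + ttl_s,        # short-lived, so it is not a tracking ID
        "nonce": _b64u(os.urandom(8)),
    }
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(tag)}"


def verify_attestation(key: bytes, token: str, audience: str,
                       threshold: int, now_ts: int) -> bool:
    """Runs at the relying party (the site gating adult content).
    Checks the MAC before trusting any claim, then audience, threshold, expiry."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(tag)):
            return False
        claims = json.loads(_unb64u(body))
    except (ValueError, TypeError):
        return False
    return (claims.get("aud") == audience
            and isinstance(claims.get("over"), int)
            and claims["over"] >= threshold
            and isinstance(claims.get("exp"), int)
            and claims["exp"] > now_ts)


def disclosed_claims(token: str) -> set[str]:
    """Everything the relying party can read from the token, for review."""
    return set(json.loads(_unb64u(token.split(".", 1)[0])).keys())


if __name__ == "__main__":
    key = os.urandom(32)
    today, now = date(2024, 10, 1), 1_700_000_000   # constructed demo clock
    tok = issue_attestation(key, date(2000, 1, 1), 18, "shop.example", today, now)
    print(verify_attestation(key, tok, "shop.example", 18, now))   # True
    print(disclosed_claims(tok))                                    # no dob
    print(issue_attestation(key, date(2010, 1, 1), 18, "shop.example", today, now))  # None
```

The relying party never learns an age or a date of birth, the audience claim stops a token issued for one site being replayed on another, and the short expiry keeps the token from doubling as a persistent identifier across visits. What the demo does not solve is linkability at the provider, which still sees every issuance request; that is where a real scheme moves from a MAC to unlinkable credentials.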

Data protection audit framework: A new toolkit from the UK Information Commissioner’s Office (ICO) helps organisations assess their compliance with some of the key requirements under data protection law. Data controllers, auditors or data protection specialists may use it for various purposes, such as creating a privacy management programme, auditing existing practices against the ICO’s expectations, improving existing practices, recording, tracking and progress reporting, or increasing senior management engagement and privacy awareness across the organisation.


Automated driving: Several data protection authorities in Germany are consulting with Volkswagen AG about new types of data processing. Volkswagen intends to use sequences of sensor and image data of the environment from customer vehicles to further develop driver assistance systems and automated driving functions more quickly and continuously as key technologies for improving road safety. From the fourth quarter of 2024, the company plans to start triggering the extraction of such data and processing it in some vehicle series – initially only in Germany – based on predetermined, narrowly defined scenarios, subject to the consent of vehicle users. 

Enforcement decisions

US hotels fine: The US FTC is taking action against Marriott and Starwood over multiple data breaches from 2014 to 2020, impacting more than 344 million customers worldwide. Marriott and Starwood failed to implement appropriate password controls, access controls, firewall controls or network segmentation, patch outdated software and systems, adequately log and monitor network environments and deploy adequate multifactor authentication. In addition to monetary and other penalties (certifying compliance to the FTC annually for 20 years), the companies now must provide a method for consumers to request a review of unauthorized activity in their loyalty rewards accounts and restore any loyalty points stolen by malicious actors.

“Afraid of answering the phone”: The UK Information Commissioner meanwhile issued hefty fines to two companies for predatory marketing campaigns, often targeting elderly people with dementia. These calls were made to people who had explicitly opted out of receiving marketing communications. Some individuals were subjected to repeated phone calls, attempting to pressure them into buying warranties for white goods, such as fridges and washing machines, that they did not need. 

To that end the ICO is encouraging the public to take proactive steps to safeguard their loved ones: a) look out for rogue direct debits being paid for unknown reasons, b) ensure they are registered for the TPS, which provides a free and easy way to opt out of unwanted marketing calls, c) if they are still receiving unsolicited marketing calls despite opting out, report these incidents to the regulator without delay.


‘Deposit and return’ app


The Danish data protection authority has investigated Dansk Retursystem’s app “Pant”, (a deposit and return system for bottles and cans). The app allegedly processed users’ financial information. The investigation showed that it has a built-in component that needs to obtain the user’s account information to pay out money to the right account. But the component, which is made available by a third party, can also collect information about the user’s balances, identity information, transaction history, etc.

If the app’s APIs allow for the processing of more personal data than is necessary for its intended use, the authority can decide to issue a warning for non-compliance. These especially concern APIs and services when an external supplier is used.

Data security

Police access to personal data: The CJEU has ruled that police access to data contained in a mobile telephone is not necessarily limited to the fight against serious crime. The review must strike a fair balance between the legitimate interests relating to the investigation and the fundamental rights. Such access must, moreover, be subject to a prior review carried out either by a court or an independent administrative authority. The data subject must be informed of the grounds on which the authorisation to access their data is based, as soon as the communication of that information is no longer liable to jeopardise the investigations. 

Meta AI avoiding the EU market: Meta has introduced its AI assistant in the UK and Brazil after launching it in the US and Australia. However, because of strict regulations in the EU, services are still not available there. Users must complete an objection form found in the privacy settings of their applications if they would like to prevent Meta from using their Instagram and Facebook posts to train its AI models, The Guardian reports. Users of Meta’s AI products, however, are unable to prevent the Llama model from being trained and improved by their interactions with the AI tools.

Election technologies

Electors’ data: When it comes to elections around the world, we find ourselves in a terrain that is more and more populated by digital technologies, (Biometric Voter Registration, Electronic Voter Identification, and Result Transmission), explains Privacy International. This calls for changing customs and procedures to guarantee free, fair, and transparent elections. Election observers must also learn new techniques and abilities. Use of biometric information should only occur when it is required to properly identify or authenticate voters. It must be kept safe, apart from other information, and not on any publicly accessible record where access may be purchased.

If the digital system fails, backup plans should be in place, such as distributing hardcopy registers to voting locations. No further use of the collected data, including sharing with law enforcement or security agencies, is permitted. The lowest possible access level should be the default setting. Modern encryption and secure data channels should be used for transmission. When there is less than 100% internet coverage across all stations, for example, a backup mechanism, like using satellite phones, should be provided. 

Party political use of personal data: Finally, on a related item, ahead of the recent UK General election NGO The Good Law Project asked its supporters to contact all Britain’s political parties requesting they stop processing their personal data, (eg, political parties can combine the electoral roll with other data for targeting campaigns), and refrain from using it. Every party complied except for Nigel Farage’s Reform Party. The NGO has sent Reform a pre-action protocol letter warning them they are breaking the law.

