COVID status checks Archives - TechGDPR
https://techgdpr.com/blog/tag/covid-status-checks/

Weekly digest April 11 – 17, 2022: France’s CNIL to simplify investigation and enforcement of minor cases
https://techgdpr.com/blog/weekly-digest-18042022-cnil-to-simplify-investigation-and-enforcement-of-minor-cases/
Mon, 18 Apr 2022
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: CNIL investigation and enforcement, EDPB procedural rules 

The French data protection authority CNIL announced a reform of its corrective procedures, moving towards simplified investigation and enforcement actions, with a simplified procedure created in particular for less complex cases. The reform is meant to let the CNIL cope with the growing number of complaints since the GDPR came into force: it now handles more than 14,000 complaints a year (2021 figure), and the number of corrective measures it pronounces keeps rising (18 sanctions and 135 formal notices issued in 2021). Cases that are neither complex nor serious will therefore go through a simplified sanction procedure. Such a case follows the same steps as the ordinary sanction procedure (time limits, adversarial exchange), but the way they are carried out is simplified:

  • The president of the CNIL chooses a restricted committee, (5 members and a chair).
  • The president appoints a designated rapporteur, who is in charge of the investigation.
  • The chair of the restricted committee, (or a member they appoint), decides alone and no public meeting is organised, unless requested.
  • The penalties likely to be pronounced in this context are limited to a fine of a maximum 20,000 euros and an injunction with penalty capped at 100 euros per day of delay. These sanctions cannot be made public.

The ordinary procedure has also been adjusted and clarified on certain points, in particular: a) extended deadlines for submitting observations, b) the possibility for a new rapporteur to use investigative work carried out by a previous rapporteur; c) the possibility for the president of the restricted committee to decide alone that there is no longer any need to proceed with the case, (eg, if the organisation has disappeared since the start of the sanction procedure). Finally, the CNIL can now send formal notices that do not require a written response from the organisations. In this case, the organisation is required to comply within the set deadline, but no longer has to send evidence to the CNIL within this same deadline. Compliance may be verified by other means, for example during a subsequent inspection. The full infographic, (in French), can be found here

The EDPB similarly published its latest procedural rules, restating its mission and guiding principles, procedures and working methods as mentioned in the GDPR, the Police and Criminal Justice Data Protection Directive, and other applicable legislative instruments under EU law. The board shall act independently, apply appropriate measures to ensure confidentiality when required, promote cooperation between supervisory authorities and endeavour to operate where possible by consensus. With regard to the processing of personal data by EU institutions and bodies, the board shall appoint a data protection officer.

Among other provisions, the European Commission shall have the right to participate in the activities of the board without voting rights. Additionally, the board may invite external experts, guests or other external parties to take part in a plenary meeting and may set the agenda. The board may also decide to grant a non-EU country data protection authority the status of an observer, if it is in the interest of the board and certain qualitative conditions are met. You can read the full document here.

Official guidance: the use of web fonts, post-pandemic data

The Bavarian data protection authority (BayLfD) recently published a statement on the use of web fonts, DataGuidance reports. By embedding an external third-party font service, a website operator acts as a controller within the meaning of the GDPR: it co-decides on the means and purposes of the processing and causes the third-party provider to receive personal data from users. The operator’s responsibility is limited to the collection and transmission of user data. Even so, a) no data (eg, IP addresses) may be transmitted to third-party servers before consent has been given, and b) it must be clearly stated which data is processed, to whom it is transmitted, and for what purpose. The safest option from a data protection standpoint is to self-host fonts rather than load them from an external host.
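The point of the BayLfD statement is that the request for the font itself, not the font file, is the disclosure: the browser sends the visitor’s IP address to the font host the moment the page references it, before any consent banner can run. The following is an added example (not code from the BayLfD statement or from TechGDPR) that scans a page’s HTML for font loads that leave the site’s own host, so an operator can find what needs self-hosting. The sample page and the site host “example.org” are constructed for the demo; the “font in URL” heuristic is an assumption that suits the usual font CDNs.

```python
"""Flag font resources that a page loads from third-party hosts.

Added example; it is not code from the BayLfD statement or from TechGDPR.
The sample page and the site host "example.org" are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# url(...) tokens inside CSS, and file extensions that identify a font file
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)
FONT_EXT_RE = re.compile(r"\.(?:woff2?|ttf|otf|eot)(?:[?#]|$)", re.IGNORECASE)


class _FontRefCollector(HTMLParser):
    """Collect <link> targets and the text of inline <style> blocks."""

    def __init__(self):
        super().__init__()
        self.links = []   # (rel, href)
        self.styles = []  # inline CSS text
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.links.append(((a.get("rel") or "").lower(), a["href"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.styles.append(data)


def _is_external(url, site_host):
    host = urlparse(url).netloc.lower()
    return bool(host) and host != site_host.lower()


def _looks_like_font(url):
    # Heuristic (assumption): a font file extension, or "font" in the URL as on the common CDNs.
    return bool(FONT_EXT_RE.search(url)) or "font" in url.lower()


def find_third_party_fonts(html, site_host):
    """Return sorted (kind, url) pairs for font loads that leave site_host.

    Each hit is a request the visitor's browser makes to a third party, carrying
    the visitor's IP address, before any consent banner can intervene.
    """
    p = _FontRefCollector()
    p.feed(html)
    findings = set()
    for rel, href in p.links:
        if not (_is_external(href, site_host) and _looks_like_font(href)):
            continue
        if "stylesheet" in rel:
            findings.add(("stylesheet", href))   # e.g. a font CDN's CSS endpoint
        elif rel in ("preconnect", "dns-prefetch"):
            findings.add((rel, href))            # connection opened early, before any consent
    for css in p.styles:
        for url in CSS_URL_RE.findall(css):     # @font-face src: url(...) and @import url(...)
            if _is_external(url, site_host) and _looks_like_font(url):
                findings.add(("css-url", url))
    return sorted(findings)


# Constructed sample page: one self-hosted font and three third-party font loads.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<style>
@font-face { font-family: Local;  src: url('/fonts/local.woff2') format('woff2'); }
@font-face { font-family: Remote; src: url("https://fonts.gstatic.com/s/roboto/v30/x.woff2"); }
</style>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, url in find_third_party_fonts(SAMPLE_HTML, "example.org"):
        print(f"{kind:11} {url}")
```

Run it against a saved copy of a page; every line it prints is a host that receives the visitor’s IP before consent. The scan cannot see fonts pulled in by an external stylesheet it does not fetch, so external stylesheets on font hosts are reported as hits in their own right.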

Meanwhile, the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) announced that, as soon as the COVID-19 pandemic is over, it will review all pandemic-related data restrictions. The regulator will approach healthcare providers such as test centre operators and pharmacies, but also other companies and public bodies that have stored 3G evidence (vaccinated, recovered or tested status) of their employees and customers, and will insist on the deletion or blocking of this sensitive data. The regulator also stated that health information, such as information on employees’ pregnancies or autoimmune diseases, must not be used inappropriately, for example to terminate employment contracts or to deny promotion, DataGuidance reports.

Investigations and enforcement actions: IAB Europe’s action plan, Frontex cloud, dismissed CCTV footage case

The Interactive Advertising Bureau (IAB) Europe has submitted an action plan to the Belgian data protection authority (APD) to bring the Transparency & Consent Framework (TCF) into line with the APD’s enforcement decision. The action plan was required under the two-phase remediation period foreseen in the decision and should allow a version of the TCF with broader compliance functionality to be rolled out over six months under the APD’s supervision. It sets out how IAB Europe, as the managing organisation of the TCF, will conduct in-depth discussions among the IAB Europe member companies that implement the TCF, convened in the existing TCF working groups and other forums, as well as with IAB Tech Lab. These forums are multi-stakeholder, bringing together:

  • publishers, 
  • ad tech intermediaries, 
  • agencies, and 
  • consent management platforms.  

However the submission of the action plan is without prejudice to IAB Europe’s appeal of the decision. It contests a number of findings in the decision, in particular the findings that IAB Europe acts as a data controller of the TC String, (digital signals created to capture data subjects’ choices on how their personal data can be processed), and as a joint controller for the dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol.  
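The controller dispute above turns on what a TC String actually carries. As an added example (not IAB Europe’s code and not from the APD decision), the block below decodes the core segment of a TCF v2 TC String, using the field widths of the published TCF v2 core-segment layout, and shows which purposes and vendor IDs a user’s banner choice encodes. The sample string is produced by the block’s own encode_core() so it runs offline; it is a constructed input, not one captured from a real consent management platform, and it stops after the vendor-consent section, whereas a real string continues with legitimate-interest vendors, publisher restrictions and further segments.

```python
"""Decode the core segment of a TCF v2 TC String (the consent signal in the TCF).

Added example, not IAB Europe's code or anything from the APD decision. Field
widths follow the published TCF v2 core-segment layout; the sample input is
built here by encode_core() (constructed, not from a real CMP) and stops after
the vendor-consent section, where a real string continues with LI vendors,
publisher restrictions and further segments.
"""
import base64
from datetime import datetime, timezone

# Fixed-width fields opening the core segment, in order; the vendor section follows.
CORE_FIELDS = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
               ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
               ("vendor_list_version", 12), ("tcf_policy_version", 6), ("is_service_specific", 1),
               ("use_non_standard_texts", 1), ("special_feature_opt_ins", 12),
               ("purposes_consent", 24), ("purposes_li_transparency", 24),
               ("purpose_one_treatment", 1), ("publisher_cc", 12)]


def _bits_from_b64url(segment):
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    return "".join(f"{b:08b}" for b in raw)


def _b64url_from_bits(bits):
    bits += "0" * (-len(bits) % 8)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _letters(value):                    # 12-bit field: two 6-bit letters, A=0 .. Z=25
    return chr(65 + (value >> 6)) + chr(65 + (value & 63))


def _two_letters(s):
    return ((ord(s[0]) - 65) << 6) | (ord(s[1]) - 65)


def _ids_from_bitfield(value, width):   # ID 1 is the most significant bit
    return {i + 1 for i in range(width) if (value >> (width - 1 - i)) & 1}


def decode_core(tc_string):
    """Return the fields a practitioner usually needs from the core segment."""
    bits = _bits_from_b64url(tc_string.split(".")[0])
    pos, raw = 0, {}
    for name, width in CORE_FIELDS:
        raw[name] = int(bits[pos:pos + width], 2)
        pos += width
    # Vendor consents: MaxVendorId(16), IsRangeEncoding(1), then either a bitfield
    # of MaxVendorId bits or NumEntries(12) followed by single/range entries.
    max_vendor = int(bits[pos:pos + 16], 2); pos += 16
    is_range = bits[pos] == "1"; pos += 1
    vendors = set()
    if not is_range:
        if max_vendor:
            vendors = _ids_from_bitfield(int(bits[pos:pos + max_vendor], 2), max_vendor)
    else:
        n = int(bits[pos:pos + 12], 2); pos += 12
        for _ in range(n):
            is_group = bits[pos] == "1"; pos += 1
            start = int(bits[pos:pos + 16], 2); pos += 16
            end = start
            if is_group:
                end = int(bits[pos:pos + 16], 2); pos += 16
            vendors.update(range(start, end + 1))
    return {"version": raw["version"],
            "created": datetime.fromtimestamp(raw["created"] / 10, tz=timezone.utc),  # deciseconds
            "cmp_id": raw["cmp_id"], "consent_language": _letters(raw["consent_language"]),
            "purposes_consent": _ids_from_bitfield(raw["purposes_consent"], 24),
            "publisher_cc": _letters(raw["publisher_cc"]), "vendor_consents": vendors}


def encode_core(cmp_id, purposes, vendors, created, use_ranges=False):
    """Build a constructed core segment (demo only; unused fields take fixed values)."""
    ts = int(created.timestamp() * 10)
    values = {"version": 2, "created": ts, "last_updated": ts, "cmp_id": cmp_id,
              "cmp_version": 1, "consent_screen": 1, "consent_language": _two_letters("EN"),
              "vendor_list_version": 100, "tcf_policy_version": 2, "is_service_specific": 1,
              "use_non_standard_texts": 0, "special_feature_opt_ins": 0,
              "purposes_consent": sum(1 << (24 - p) for p in purposes),
              "purposes_li_transparency": 0, "purpose_one_treatment": 0,
              "publisher_cc": _two_letters("BE")}
    bits = "".join(f"{values[n]:0{w}b}" for n, w in CORE_FIELDS)
    max_vendor = max(vendors) if vendors else 0
    bits += f"{max_vendor:016b}"
    if not use_ranges:
        return _b64url_from_bits(bits + "0" + "".join("1" if v in vendors else "0"
                                                      for v in range(1, max_vendor + 1)))
    runs = []                               # consecutive ids collapse into [start, end]
    for v in sorted(vendors):
        if runs and runs[-1][1] == v - 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    bits += "1" + f"{len(runs):012b}"
    bits += "".join(f"1{s:016b}{e:016b}" if s != e else f"0{s:016b}" for s, e in runs)
    return _b64url_from_bits(bits)


SAMPLE_CREATED = datetime(2022, 4, 11, tzinfo=timezone.utc)
SAMPLE_TC = encode_core(7, {1, 3, 10}, {2, 3, 4, 8}, SAMPLE_CREATED)

if __name__ == "__main__":
    print(SAMPLE_TC)
    for k, v in decode_core(SAMPLE_TC).items():
        print(f"{k:18} {v}")
```

Feed decode_core() a string read from a real euconsent-v2 cookie to see which purposes and vendors the visitor consented to; the purposes set is what every downstream OpenRTB participant reads, which is why who controls that string matters for the appeal.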

The UK Information Commissioner’s Office, (ICO), has found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care, (DHSC). The leaked CCTV images showed the former Secretary of State for Health and Social Care and his former aide engaged in behaviour contravening social distancing rules. The regulator launched a criminal investigation after it received a report of a personal data breach from the DHSC’s CCTV operator, (EMCOR Group plc). The ICO had a legal duty to carry out an impartial assessment of security within governmental offices. Forensic analysis revealed that the leaked images were most likely obtained by someone recording the CCTV footage screens with a mobile phone. Six phones retrieved during the execution of search warrants did not contain the relevant CCTV footage. The ICO concluded that there was insufficient evidence to charge anyone with criminal offences under the Data Protection Act 2018.

The EDPS issued a reprimand to the European Border and Coast Guard Agency, (Frontex), for moving to the cloud without proper data protection assessment. This constitutes a breach of the data protection legislation, applicable to Union institutions, offices, bodies and agencies. The EDPS found that Frontex:

  • moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing;
  • failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution, (Microsoft 365), was the outcome of a thorough process whereby the existence of data protection compliant alternative products and services meeting Frontex’s specific needs were assessed;
  • failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes;
  • breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default.

In addition to the reprimand, the EDPS ordered Frontex to review its DPIA, and ROPA.

Data breaches: tax authority, visa service, medical practice, fashion industry, airport temperature checks

The Dutch data protection authority, (AP), has imposed a fine of 3.7 mln euros on the tax authorities for years of illegal processing of personal data in the Fraud Signalling Facility, (FSV). This was a blacklist on which the tax and customs administration kept records of suspected fraud, often with major consequences for people who were wrongly on the list.

The UK Home Office’s visa service has apologised for an email address data breach: the private contractor running the service sent an email to applicants that exposed more than 170 email addresses. Some of the addresses appeared to be private Gmail accounts, while others belonged to lawyers from a variety of firms.
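The visa-service incident is the classic mass-mail mistake: every applicant placed in To or Cc, so each recipient receives everyone else’s address. The following added example (not the contractor’s or the Home Office’s code) shows the leaky construction next to two safe ones and a pre-send guard that refuses any message exposing more than one address in To/Cc. The addresses are constructed for the demo and nothing is transmitted.

```python
"""Pre-send guard against the To/Cc address leak described above.

Added example, not the contractor's or the Home Office's code; the addresses
are constructed for the demo and nothing is transmitted.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg):
    """Addresses every recipient of msg can read: To and Cc.

    Bcc is excluded because smtplib's send_message() strips it before delivery.
    """
    headers = [str(v) for name in ("To", "Cc") for v in msg.get_all(name, [])]
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def hidden_recipients(msg):
    """Addresses carried only in Bcc (delivered to, but not shown to, anyone)."""
    headers = [str(v) for v in msg.get_all("Bcc", [])]
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def is_safe_to_send(msg, max_visible=1):
    return len(visible_recipients(msg)) <= max_visible


def check_before_send(msg, max_visible=1):
    """Refuse a message that would show more than max_visible addresses to its readers."""
    if not is_safe_to_send(msg, max_visible):
        n = len(visible_recipients(msg))
        raise ValueError(f"{n} addresses exposed in To/Cc; send per recipient or use Bcc")
    return msg


def _base(sender, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def bulk_notice_leaky(recipients, sender, subject, body):
    """What went wrong: every applicant listed in To, so each one sees all the others."""
    msg = _base(sender, subject, body)
    msg["To"] = ", ".join(recipients)
    return msg


def bulk_notice_per_recipient(recipients, sender, subject, body):
    """Safe: one message per applicant, addressed only to that applicant."""
    for rcpt in recipients:
        msg = _base(sender, subject, body)
        msg["To"] = rcpt
        yield check_before_send(msg)


def bulk_notice_bcc(recipients, sender, subject, body, list_address):
    """Also safe: a single message with a list address in To and everyone in Bcc."""
    msg = _base(sender, subject, body)
    msg["To"] = list_address
    msg["Bcc"] = ", ".join(recipients)
    return check_before_send(msg)


# Constructed sample data
APPLICANTS = ["a.applicant@example.com", "b.lawyer@example-law.co.uk", "c.applicant@example.net"]
SENDER = "visa-service@example.gov.uk"

if __name__ == "__main__":
    try:
        check_before_send(bulk_notice_leaky(APPLICANTS, SENDER, "Update", "..."))
    except ValueError as e:
        print("blocked:", e)
    ready = list(bulk_notice_per_recipient(APPLICANTS, SENDER, "Update", "..."))
    print(len(ready), "individual messages ready")
```

Wire check_before_send() in front of whatever actually hands messages to SMTP; a per-recipient send is the safer default because it also avoids the reply-all and bounce-exposure problems a shared Bcc message still has.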

In the US, Christie Business Holdings Company, (Christie Clinic), a major medical practice in Illinois, informed 500,000 individuals that their personal information was potentially compromised in a data breach. Christie Clinic said the data breach occurred last year, when a third party gained unauthorized access to a single business email account, likely in an attempt to intercept financial transactions.

The fashion industry also has been in breach of privacy lately. Luxury brand Louis Vuitton is facing a class-action lawsuit filed in New York by a customer who alleged its “Virtual Try-On” feature violates the Illinois Biometric Information Privacy Act. The feature is used for eyewear. Users provide an image of their face, which the customer alleged is collected and stored without knowledge or consent. Meanwhile, the UK branch of cosmetics giant Shiseido has reportedly fallen victim to a data breach involving personal details belonging to former and current employees. Some of them have reported being victims of fraud, with their personal data being used to open fraudulent businesses as well as take out bank loans and insurance. 

The Belgian data protection authority has fined the airports of Brussels and Charleroi for COVID temperature checks: the airports had no valid legal basis to process travellers’ health data. Data of this type is sensitive and may not in principle be processed, save for a limited number of exceptions, (Art. 9(2) of the GDPR). Processing for reasons of public health or important public interest is one of these exceptions, but it must rest on a legal standard that is clear and precise and whose application is foreseeable for data subjects. The regulator also observed shortcomings in the information provided to travellers and in the quality of the impact analyses of the existing protocols.

Big Tech: online data brokerage, WhatsApp for work and school

American TV chat show host John Oliver gave 25 minutes to the Data Brokerage industry, personal data and privacy as the “unregulated” sector’s profile rises into the mainstream. He typically uses even more colourful language in his dissection of the problems, that include political interests in using personal data being partially behind the lack of regulation, and potentially life-threatening situations made possible by data abuse. 

WhatsApp is testing Communities, a new feature for larger groups tailored to organisations like schools and workplaces, with end-to-end encryption built in. The Meta Platforms-owned company says it is comparable to other private messaging services like Microsoft Teams and Slack. Before the launch, major changes are coming to WhatsApp’s Groups feature: group administrators will gain the power to remove messages from everyone’s chat. Communities, once launched, will also carry upgraded safeguards such as forwarding limits and a range of anti-abuse tools.

The post Weekly digest April 11 – 17, 2022: France’s CNIL to simplify investigation and enforcement of minor cases appeared first on TechGDPR.

Weekly digest December 20 – 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords
https://techgdpr.com/blog/weekly-digest-27122021-facebook-data-transfer-ttdsg-contactless-payments-tech-buzzwords/
Mon, 27 Dec 2021
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: Facebook data transfer hustle, Amazon fine halted, adequacy for South Korea

Despite the CJEU twice declaring that the US does not offer sufficient protection for Europeans’ data from American national security agencies, Facebook (Meta)’s lawyers continue to disagree, according to internal documents seen by the POLITICO EU newspaper. In July 2020, the CJEU struck down a US-EU data transfer framework, the Privacy Shield, but upheld the legality of another safeguard instrument used to export data out of the EU – Standard Contractual Clauses (SCCs).

Facebook’s lawyers argue that the EU court ruling relates only to the Privacy Shield data pact, (Art. 45 of the GDPR), and not the SCCs, (Art. 46 of the GDPR), the instrument Facebook uses to transfer data to the US. The company also says that changes to US law and practices since the 2020 ruling should be taken into account, namely the US Federal Trade Commission, “carrying out its role as a data protection agency with unprecedented force and vigour.” Finally, the platform’s lawyers note that the 234,998 data requests it received from US authorities in 2020 represents a “tiny fraction” of the total number of users, which Facebook estimates at around 3.3 bln.

At the same time, Austrian activist and lawyer Maximilian Schrems, who in 2013 started the legal battle against Facebook, states that since the 2020 CJEU judgment the platform has not taken any steps to limit its data transfers. “Instead, it produced an 86-page “Transfer Impact Assessment” under the newly introduced SCCs, coming to the surprising result that the CJEU judgment would not apply to Facebook and transfers could continue as they are”. Reportedly Facebook’s self-assessment document concluded that relevant US law and practice provided protection of personal data that was essentially equivalent to the level of protection required by EU law.

Also last week:

A Luxembourg court judgment halts Amazon’s enormous daily GDPR fine. The Administrative Court suspended a 746,000 euro fine the US retailer had to pay each day over suspected data privacy breaches, ruling that the data protection regulator’s instructions on how to correct the breaches were too vague. In July the Luxembourg data protection commissioner, where Amazon’s European headquarters is based, hit the company with a record fine after deciding that its processing of customers’ personal data for targeted advertising purposes did not comply with the GDPR. Amazon argued the ruling lacked merit and would be appealed. As of today, hearings between the two parties are still ongoing.

The European Commission has adopted South Korea’s GDPR-governed adequacy ruling. The agreement allows for the free flow of personal data between the EU and the Republic of Korea, without further authorization or additional transfer tools. The decision also covers transfers of personal data between public authorities. The agreement stands on the adequate protections afforded to individuals in the EU under Korean law when their data is transferred to the Republic of Korea, including additional transparency and onward data transfer requirements agreed by both parties. These rules are now binding and enforceable by the South Korean data protection authority, PIPC, and the court system, Hunton Andrews Kurth LLP reports. Read the full South Korea adequacy decision here, as well as the latest Q&As on the EU adequacy mechanism.

Official guidance: TTDSG, card-based payments, COVID status checks

The German Data Protection Conference published their guidance, (in German), on the Telecommunications and Telemedia Act (TTDSG), which entered into force on 1 December. The document, (open for public consultations), offers operators of websites, apps, and smart home applications assistance in the implementation of the new provisions. The same guide also informs citizens of the key changes in the legal framework, and further clarifies the interplay between the TTDSG, the GDPR and the ePrivacy Directive, namely:

  • TTDSG goes beyond the scope of the GDPR and establishes the consent requirement for storing/accessing information on or from users terminal equipment, regardless of whether the information relates to a person. 
  • cookie, (and similar technologies), user consent can be bundled with the consent for subsequent data processing/transfers, if sufficiently transparent. 
  • TTDSG establishes strict requirements for valid consent with a “reject all” option (with some possible exceptions under anti-fraud/IT security requirements).
  • The aforementioned requirements apply only to data processing within the EEA. Additional examination is therefore always needed where the processing involves a transfer to a third country, in particular the US, for which there is no adequacy decision.

The guide also explains the rationale behind the “absolutely necessary” cookies, main services, services provided at the user’s demand and the additional functions/services. In the context of websites, users do not have to accept every access to their terminal equipment, in particular the setting of cookies, just because a website or an app has been actively called up. They must first become aware that there are additional services and functions that require access to the terminal device in order to provide them (measurements or analysis of visitors numbers or A/B testing, etc). Also, cookies for any additional functions, such as for storing products in the shopping cart or making a payment, can regularly only be regarded as absolutely necessary in terms of the time dimension when a corresponding user interaction has taken place (when items are actually placed in the cart, or the payment process has been initiated).
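The guide’s rule can be expressed as a decision function: strictly necessary storage on the first request, interaction-triggered storage (cart, payment) only once the user has actually asked for that function, and everything else only with consent for its category. The block below is an added example (not code from the Data Protection Conference guide or from TechGDPR) that encodes that logic so a server can decide which cookies a response may set and which requested cookies to drop. The cookie inventory, categories, lifetimes and event names are constructed for the demo.

```python
"""Gate cookie setting as the TTDSG guide describes.

Added example, not code from the Data Protection Conference guide or from
TechGDPR; the cookie inventory, categories, lifetimes and event names are
constructed for the demo.
"""

# Constructed inventory. "trigger" marks storage that becomes necessary only once
# the user actually asks for the function (cart, checkout), as the guide requires.
COOKIE_POLICY = {
    "sid":       {"category": "strictly-necessary", "max_age": 3600},
    "csrf":      {"category": "strictly-necessary", "max_age": 3600},
    "cart":      {"category": "strictly-necessary", "trigger": "add_to_cart", "max_age": 7 * 86400},
    "pay_sess":  {"category": "strictly-necessary", "trigger": "start_payment", "max_age": 900},
    "_ga":       {"category": "analytics", "max_age": 2 * 365 * 86400},
    "ab_bucket": {"category": "ab-testing", "max_age": 30 * 86400},
    "ad_id":     {"category": "advertising", "max_age": 365 * 86400},
}


def allowed_cookies(consented_categories, events, policy=COOKIE_POLICY):
    """Names of cookies that may be set for a user with this consent and event history.

    Consent cannot unlock a trigger-gated cookie before its trigger: the guide ties
    necessity to the user interaction, not to a banner click. Merely opening the
    site (no events, no consent) yields only the strictly necessary, untriggered set.
    """
    allowed = set()
    for name, rule in policy.items():
        if rule["category"] == "strictly-necessary":
            if rule.get("trigger") is None or rule["trigger"] in events:
                allowed.add(name)
        elif rule["category"] in consented_categories:
            allowed.add(name)
    return allowed


def blocked_cookies(requested, consented_categories, events, policy=COOKIE_POLICY):
    """Cookies a page tried to set that must be dropped; this is the list to audit."""
    return set(requested) - allowed_cookies(consented_categories, events, policy)


def set_cookie_lines(names, values, policy=COOKIE_POLICY):
    """Render Set-Cookie headers for allowed server-set cookies with hardened attributes."""
    lines = []
    for name in sorted(names):
        lines.append(f"{name}={values[name]}; Max-Age={policy[name]['max_age']}; "
                     f"Path=/; Secure; HttpOnly; SameSite=Lax")
    return lines


if __name__ == "__main__":
    print("first request, banner unanswered:", sorted(allowed_cookies(set(), set())))
    print("after add_to_cart:", sorted(allowed_cookies(set(), {"add_to_cart"})))
    print("analytics consented:", sorted(allowed_cookies({"analytics"}, set())))
    print("dropped:", sorted(blocked_cookies({"sid", "_ga", "ad_id"}, set(), set())))
    for line in set_cookie_lines({"sid", "csrf"}, {"sid": "opaque-id", "csrf": "token"}):
        print("Set-Cookie:", line)
```

The same gate applies to any access to the terminal device under the TTDSG (localStorage, device fingerprint reads), not only to cookies, so a real deployment would run the decision for every storage operation, not just for Set-Cookie.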

The EDPS’s latest TechDispatch section investigates card-based payments, which nowadays go beyond debit cards or credit cards. Contactless payments using Near Field Communication or Quick Response technologies and cardless payments via smartphone apps are just a few examples of new card-based payment methods. The key takeaways include analysis on:

  • payment gateways and processors;
  • balancing interests between anonymity and traceability of personal data;
  • necessity and proportionality of customer identification;
  • processing of special categories of data;
  • GDPR-covered roles and responsibilities; 
  • data retention and surveillance, automated decision making and profiling;
  • data security standards, etc.

In the UK, the Information Commissioner’s Office advised organisations on how to look after customers’ personal data when carrying out COVID status checks. The guidance requires data collectors to be clear, open and honest with people about what they are doing with their personal information:

  • display your privacy notice on your website, social media or email it alongside any event information, put up posters around your venue’s entrance;
  • follow the government guidance to determine whether you should carry out purely visual checks, or a digital scan;
  • use only official governmental apps to scan QR codes;
  • don’t create any of your own lists or records with your customers’ status;
  • make sure staff can answer questions about how data will be used and stored;
  • ensure that your staff treat the information that they are checking confidentially;
  • keep up-to-date with the latest advice from the government and the ICO.

Investigations and enforcement actions: gamers’ videos, children’s learning data, ex-employee email box

Gaming giant Ubisoft has confirmed an intrusion into its IT infrastructure targeting the popular game Just Dance. The company explained that the incident “was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data.” However, Ubisoft did not comment about how many people were affected by the incident: “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on social media profiles.” Anyone affected by the breach will receive an email from Ubisoft and will be given more information through the company’s support team. The team also urged players to enable two-factor authentication and to reset passwords.

The Icelandic data protection authority has found the City of Reykjavík guilty of multiple violations of the GDPR, following its failure to comply with data protection obligations in processing children’s personal data, DataGuidance reports. The investigation started over one of the City of Reykjavík’s primary schools’ use of the Seesaw Learning app. The regulator found that the City of Reykjavík failed to process personal data in a fair and transparent manner, noting that:

  • The processing of personal information was not based on a valid consent. 
  • It was possible to identify registered students for longer than necessary. 
  • The system processed the personal data of parents and guardians of students in order to direct them to marketing. 
  • The personal information of students was transferred to the US and processed there, without sufficient safeguards. 
  • The municipality failed to clarify which of the parties was responsible for the processing, demonstrate any existing data processing agreements or to complete DPIA. 

The City of Reykjavík was requested to close the accounts of school children in Seesaw and ensure that all their personal information is deleted from the system, but not before a copy of the information has been handed over to the children or, as the case may be, kept in schools. 

The Belgian Data Protection Authority, (DPA), issued a reprimand to a company following violations of Art. 5, 6 and 13 of the GDPR. The organisation had kept the complainant’s email address and mailbox active, leading to the possibility a third party could read received emails and respond in the complainant’s name, after the complainant’s employment agreement had terminated, DataGuidance reports. The complainant’s email address was still in the company’s system in January 2020, despite the fact that the employment agreement with the complainant had ended in 2019. Furthermore, the complainant had not received information about further use of their mailbox and email address, besides being told that they no longer would have access to it. The Belgian DPA did not issue a monetary penalty in this case, considering publication of the reprimand would constitute a sufficient warning.

Opinion: ICO’s regulatory powers

The UK Information Commissioner’s Office, (ICO), has launched a consultation to gather the views of data controllers, their representatives and the public on how it regulates the laws it monitors and enforces. People will have 14 weeks to comment on three documents:

  • The Regulatory Action Policy that reinforces the proportionate and risk-based approach to enforcement, and explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.
  • Statutory Guidance that specifies the ICO’s legal obligations to publish guidance to help organisations navigate the law.
  • Statutory Guidance on The Privacy and Electronic Communications Regulations, (PECR), that explains how the ICO enforces the data protection legislation relating to electronic communications like nuisance calls, emails and texts. The guidance focuses on the ICO’s powers to issue monetary penalty notices on a person, or an officer of a body, for data protection failures in respect of the PECR. This is a power that has recently been incorporated into law. 

The forms for written responses are available here.

Big Tech: Google and Meta fines in Russia, Meta/Giphy deal, Alibaba-cloud, tech buzzwords 2021

A Moscow court on Friday said it was fining Alphabet’s Google about 90 mln euros for what it said was a repeated failure to delete content Russia deems illegal, the first revenue-based fine of its kind in Russia. The court also fined Meta more than 20 mln euros on the same grounds. Russia’s communication watchdog Roskomnadzor said that Facebook and Instagram failed to remove two thousand pieces that violate Russian laws whereas Google keeps 2,600 pieces of banned content. Moscow has also demanded that 13 foreign and mostly US technology companies, which include Google and Meta, be officially represented on Russian soil by January 1 or face possible restrictions or outright bans.

Facebook owner Meta has appealed against the UK’s ruling that it must sell its animated images platform Giphy. The company does not support the finding that buying Giphy in 2020 constituted a threat to its rivals or could impact competition in display advertising. It is the first time the British regulator, the CMA, has blocked a major digital acquisition. Half of the traffic to Giphy’s huge library of looping videos comes from Facebook, Instagram and WhatsApp. Its GIFs are also popular with users of TikTok, Twitter and Snapchat. The CMA was concerned Meta could limit access or force rivals to provide more user data. Meta argued it would not change the terms of access for competitors, nor collect additional data from the use of GIFs, which have no online tracking mechanisms such as pixels or cookies. Meta also pointed out that Giphy has no presence, employees, offices or revenues in Britain. The CMA noted that UK users look for 1 billion GIFs a month on Giphy, and 73% of the time they spend on social media was on Meta’s Facebook, Instagram and WhatsApp.

Chinese regulators suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address a cybersecurity vulnerability. Reportedly Alibaba Cloud did not immediately report the recently discovered vulnerability in the popular open-source logging framework Apache Log4j 2 (Log4Shell, CVE-2021-44228) to China’s telecommunications regulator, but notified the US-based Apache Software Foundation. In response the Chinese government suspended its partnership with the cloud unit, to be reassessed in six months. This latest measure highlights Beijing’s desire to strengthen control over key online infrastructure and data in the name of national security. The Chinese government has also asked state-owned companies to migrate their data from private operators such as Alibaba and Tencent to a state-backed cloud system by next year.

Finally, to end the year, Reuters tech team published a guide to 2021’s tech buzzwords. So, if you’re still drawing a blank as 2021 wraps up – metaverse, web3, social audio, NFTs, tech decentralization, DAOs, “stonks”, gameFI, altcoin, FSD beta, fabs and net zero are all made crystal clear in this quick guide for everyone whose digital lexicon may be in need of an upgrade. 

The post Weekly digest December 20 – 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords appeared first on TechGDPR.

Weekly digest November 22 – 28, 2021 “Privacy, DP, and Compliance news in focus”
https://techgdpr.com/blog/weekly-digest-november-22-november-28-2021-privacy-dp-and-compliance-news-in-focus/
Tue, 30 Nov 2021
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Parliament Internal Market and Consumer Protection Committee has adopted its position on the Digital Markets Act (DMA). The document sets not-to-do rules for companies with “gatekeeper” status and significant market capitalization in the EU, (online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services). It says, among other measures, that a gatekeeper shall, “for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising”, (eg, A/B testing), except if there is a clear, explicit, renewed, informed consent, in line with the GDPR. In particular, personal data of minors shall not be processed for commercial purposes, marketing, profiling and behaviourally targeted advertising. If a gatekeeper does not comply with the rules, the Commission can impose fines of not less than 4% and not exceeding 20% of its total worldwide turnover in the preceding financial year.

The EU Commission presented a proposal on transparency and targeting of political advertising and electoral rights. The proposed rules would require any political advert, such as on the Facebook platform, to be clearly labelled and distinguished from organic contents, and include information such as who paid for it and how much. Political targeting and amplification techniques would need to be explained publicly in unprecedented detail and would be banned when using sensitive personal data without explicit consent of the individual. The rules on political adverts must be approved by both the EU Parliament and Council, and are likely to enter into force by 2024.

The CJEU ruled on “inbox advertising” for the purposes of direct marketing. The display in the electronic inbox of advertising messages in a form similar to that of a real email gives “a likelihood of confusion that could lead a user who clicks on the link corresponding to the advertising message to be redirected, against his or her will, to an internet site displaying that advertisement”. In the related case two competing electricity suppliers distributed advertisements, via an advertising company, consisting of displaying banners in the email inboxes of users of a free email service. Those messages were not visually distinguishable in the list from other emails in the user’s account except for the fact that the date was replaced by the word “advertising”.

The Court reiterated that the “ePrivacy” Directive protects subscribers against intrusion into their privacy by unsolicited communications, automated calling machines, telefaxes, emails, or SMS. Such communication is, however, permissible with the recipient’s prior consent. The email service in question is offered to users in two categories, namely, a free email service funded by advertising and, second, a paid-for email service without advertising. Thus, it is important to determine whether the user concerned, having opted for the free email service, was duly informed of the precise means of distribution of such advertising and in fact consented to receiving advertising messages.

Official guidance

Stiffening anti-Covid measures by governments across the EU have led to employers being authorised to collect employees’ vaccination status data. In Germany, recent legislation obliges employers to monitor compliance with the so-called 3G/2G rules on a daily basis by means of verification checks, and they must also document them on a regular basis. Employees are required to provide proof of their vaccination, recovery, or testing status upon request. The law explicitly states that employers may process employees’ personal data for the above purposes. The federal data protection regulator, the BfDI, supports the introduction of a legal basis for such queries in the workplace. Nevertheless, the law, in its opinion, does not provide enough protective measures for the data of the employees concerned. There are no pseudonymisation measures and no obligation of the inspecting person to maintain confidentiality. In the opinion of the BfDI, it would be sufficient to check employees’ data for access control and then delete it immediately afterwards or at the end of the respective day. Finally, the law does not specify the purpose of storing these, soon to be very large, amounts of data.

“Turn off the microphone, (on your smartphone), turn on privacy”, says the Italian regulator Garante, which offers suggestions to avoid “prying listeners”. Smartphone sensors – and microphones in particular – can remain active even when we are not using our device. In this way they could be used to collect information, which can also be used for different purposes by third parties: for example for marketing activities. Apps which, among the access permissions requested at the time of installation, also include the use of the microphone, are a widespread phenomenon. “Too often, as users, we grant these permissions without thinking too much and without informing ourselves sufficiently about the use that will be made of our data.” The regulator has now launched an investigation into the other most downloaded apps.

For several years, digital stakeholders have been developing alternatives to third-party cookies for targeted advertising. The French regulator CNIL’s guide explains the basics behind “necessary” first-party cookies, “behavioural” third-party cookies, and alternative techniques used to bypass the growing restrictions against tracking imposed by browsers, such as “fingerprinting”, “single sign-on”, “unique identifiers” or “cohort based targeting”. The CNIL reminds developers that these technologies must always be compliant with the data protection legal framework, the GDPR and ePrivacy Directive, regarding consent and the rights of data subjects to protect their communications and terminal equipment. In particular, the operations necessary for the constitution of an individual or group profile and the provision of targeted advertising require the prior consent of the user, whether or not personal data are processed, insofar as they are not directly part of the service requested by the user. In order to ensure that the use of these technologies respects users’ privacy the CNIL asks for a minimum set of rules:

  • enabling users to keep control over their personal data;
  • exercisability of all data subjects’ rights, through user-friendly interfaces;
  • non-processing of sensitive data;
  • determining responsible(s) (data controller/processor) for the implementation of these techniques within the ad tech supply chain.

Data breaches, investigations and enforcement actions

SmarterSelect, a US-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket, TechCrunch reports. The data spill, discovered by a cybersecurity company, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes and invoices for approximately 1.2 million applications to funding programs. These files contained name, email address, phone number, student photos, Social Security numbers, parents’ education and income, the students’ performance at school, and personal experiences like living in a foster home or abusive situations, descriptions of poverty etc. The company acknowledged the warning before revoking public access to the bucket in October. It’s not known whether SmarterSelect has notified those affected, nor whether it has alerted the relevant state attorney general.

The Spanish data protection authority, the AEPD, fined Vodafone España 50,000 euros for violation of national legislation on Information Society Services and Electronic Commerce. The complainant issued claims with the AEPD against continuous receipt of promotional communications from Vodafone to the complainant’s phone number. The sending of promotional communications had continued a year after the complainant exercised their right to cancellation of services and deletion of their data, which Vodafone did not adequately respond to. The aggravating factors to the violation were:

  • the intentional nature of the infringement;
  • the duration of the offence;
  • the repetitive nature of the infringement; and
  • the nature and amount of damage caused to the complainant, as he/she had to proceed with the claim to the AEPD twice.

The Spanish regulator has also fined Unión Financiera Asturiana 9,000 euros for violation of Art. 6 of the GDPR, following the unlawful processing of a complainant’s personal data in the course of business activities. Unión Financiera had wrongfully processed the claimant’s personal data instead of blocking it, as they had requested, thus processing the personal data of the complainant without a legal basis. The company did not verify the data processing had been cancelled, simply indicating to the claimant that the data was blocked without detailing the actions taken, and later claimed that there had been no intention by the claimant to request the deletion of their personal data. This prompted the claimant to raise a complaint with the AEPD, DataGuidance reports.

Certification scheme for cloud services

The EDPB adopted a letter to The European Union Agency for Cybersecurity, ENISA, concerning the European Cybersecurity Certification Scheme for Cloud Services’ (EUCS) compatibility with the Schrems II decision. In the letter, the regulator reiterates that the final certification scheme should be consistent with the obligations, including specific criteria for encryption and key management, to ensure protection against threats represented by access from authorities not subject to EU legislation and not offering an adequate level of personal data protection. As an illustration, the EDPB included in the letter its latest Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Big Tech

Italy’s antitrust regulator the AGCM has fined Alphabet’s Google and iPhone maker Apple 10 mln euros each for “aggressive practices” linked to the commercial use of user data. The authority stated the two tech groups did not provide “clear and immediate information” on how they collect and use the data of those who access their services. Both Google and Apple said they disagreed with the antitrust decision and that they would appeal against it. The watchdog added that when users set up their account with Google, the system was designed in such a way that the terms and conditions on data usage were set up to be accepted. In the case of Apple, users do not have a choice on the issue, the antitrust regulator added. The fine is the maximum amount the watchdog can apply in these cases, the regulator said.

WhatsApp is rewriting its privacy policy as a result of a huge data protection fine earlier this year. Following an investigation the Irish data protection commissioner issued a 225 mln euro fine – the second-largest in history involving the GDPR – and ordered WhatsApp to change its policies. WhatsApp is appealing against the fine, but is amending its policy documents in Europe and the UK to comply. Previously WhatsApp users complained about an update to the company’s terms that many believed would result in data being shared with parent company Facebook, which is now called Meta. Many thought refusing to agree to the new terms and conditions would result in their accounts being blocked. The new privacy policy contains substantially more information about what exactly is done with users’ information, and how WhatsApp works with Meta.

With Tesla’s latest Full Self-Driving release, it’s asking drivers to consent to allowing it to collect video taken by a car’s exterior and interior cameras in case of an accident or “serious safety risk”. Tesla has gathered video footage as part of FSD before, but it was only used to train and improve its AI self-driving systems. According to the new agreement, however, Tesla will now be able to associate video to specific vehicles. “By enabling FSD Beta, I consent to Tesla’s collection of VIN-associated image data from the vehicle’s external cameras and Cabin Camera in the occurrence of a serious safety risk or a safety event like a collision,” the agreement reads. The new policy and footage data likely covers the automaker’s liability in case someone tries to blame a crash or incident on the system, when driver error may be to blame. Despite the name, FSD is not an autonomous system. Tesla’s instructions tell drivers to remain alert and prepared to retake control of critical functions at any given time.

Google has pledged more restrictions on use of data from its Chrome browser. Britain’s competition regulator the CMA has been investigating Google’s plan to cut support for some third-party cookies – an initiative called the “Privacy Sandbox” – because it is worried it will impede competition in digital advertising. Google has said its users want more privacy when they are browsing the web, including not being tracked across sites. Other players in the $250 billion global digital ad sector, however, have said the loss of cookies in the world’s most popular browser will limit their ability to collect information for personalising ads and make them more reliant on Google’s user databases. Google agreed earlier this year to not implement the plan without the CMA’s sign-off, and said the changes agreed with the British regulator will apply globally.

Chinese regulators have pressed ride hailing giant Didi Global Inc to devise a plan to delist from the New York Stock Exchange due to concerns about data security. China’s Cyberspace Administration, (CAC), has asked the management to take the company off the U.S. bourse due to worries about leakage of sensitive data. In July the CAC ordered app stores to remove 25 mobile apps operated by Didi – just days after the company listed in New York. It also told Didi to stop registering new users, citing national security and the public interest. Didi, which has about 377 million annual active users in China, provides 25 million rides a day to users in the country who sign into its app with a phone number and password. Its apps also offer other products such as delivery and financial services. Reportedly Didi is preparing to relaunch its ride-hailing and other apps in China by the end of the year in anticipation of the end of Beijing’s cybersecurity investigation into the company.

Weekly digest October 25 – 31, 2021 “Privacy, DP, and Compliance news in focus”
https://techgdpr.com/blog/weekly-digest-october-25-october-31-2021-privacy-dp-and-compliance-news-in-focus/ Tue, 02 Nov 2021 08:12:17 +0000

The post Weekly digest October 25 – 31, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The Administrative Court of Dusseldorf clarified a non-retroactive applicability of the GDPR. In 2016, charges were brought against the plaintiff, a decades-long civil servant for the police and secret services, for tax evasion followed by an alleged disclosure by the court of details of the investigation to the press. The plaintiff had filed a complaint with the local data protection authority, the DSG NRW. It explained that existing data protection laws were only applicable to the courts where they perform administrative tasks. Thus, the inadmissible disclosure of court files falls within the scope of case-law. In 2019 the plaintiff decided to bring an action seeking the enforcement of the GDPR to the court, based on Art.78 – Right to an effective judicial remedy against a supervisory authority. The DSG NRW decision was upheld with further explanations that, despite a data protection breach being manifestly present, the legal redress would be time-barred. Data protection proceedings of the plaintiff were no longer pending at the time of the entry into force of the GDPR, and neither the GDPR nor the old law contain transitional provisions, and would require specific legislative validation.

Quebec’s Bill 64 and the new requirements for cross-border transfers of personal information are explained in McCarthy Tétrault’s latest blog series. The previous Private Sector Act specified that transferring personal information to third parties was permissible without prior consent if it was essential for the original business purposes. The new rules include: conducting a prior privacy impact assessment, a PIA, and establishing through a written contract the scope of the mandate, the purposes for which the third party would use the information, the categories of persons who would have access, and data subject rights to objection. The definition of Bill 64’s “adequate protection” in the country of destination remains ambiguous in comparison to PIPEDA’s “comparable level of protection” and the GDPR’s “adequacy decision”. The document also makes no distinction between international and inter-provincial transfers, and does not clarify the frequency at which businesses should conduct PIAs.

The US Court of Appeals 2nd Circuit decided when trivial data breaches of personally identifiable information, PII, are not actionable. To have standing, the plaintiff must primarily establish an “injury in fact.” The court identified three factors courts should consider: whether the PII had been exposed as the result of a targeted attempt to obtain that data, whether any portion of the dataset had already been misused, and whether the type of data that had been exposed is so sensitive that there is a high risk of identity theft or fraud. The decision arose from McMorris v. Carlos Lopez & Associates, where former employees brought a class action after an employer accidentally emailed 65 employees a spreadsheet containing social security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire for approximately 130 current and former employees. The spreadsheet was not shared with anyone outside the company or otherwise taken or misused by third parties. Read more details in the analysis by Thompson Coburn.

A similar dismissed case of a trivial low-level data breach in the UK was explained by Blake Morgan. In Rolfe & Ors -v- Veale Wasbrough Vizards LLP, it was confirmed that it is not sufficient for claimants to merely establish that there had been a data breach; claimants must go further and establish that they have suffered a material or non-material loss as a result of the data breach which is more than merely trivial. The claim arose from solicitors sending a letter containing some personal information to the incorrect recipient who immediately notified the solicitors and subsequently deleted the e-mail.

In Australia, a draft bill that increases privacy breach penalties was released, inviting industry submissions within the next month. Under the draft bill, the maximum penalties applicable to companies for serious or repeated privacy breaches will increase to whichever is higher: 10 million dollars, three times the value of any benefit obtained through the misuse of the information, or 10% of the corporate group’s annual Australian turnover. It also enables the introduction of an online privacy code, covering a wide scope of organisations to regulate social media services, large online platforms and data brokerage services.

The US Federal Trade Commission announced a newly updated rule that strengthens financial institutions’ data security safeguards, following recent data breaches and significant harm to consumers, including monetary loss, identity theft, and other forms of financial distress. The updated Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. Institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, transmit, dispose of, or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.

The Danish business authority announced that in future it will not prioritize supervision of the consent rules for simple statistics cookies. It justifies the change by recognising that cookies are a necessity for websites, and that the current negotiations in relation to a new regulation on e-data protection indicate that simple statistics cookies for traffic measurement are exempt from consent requirements.

The Danish data protection agency concurs that there may be a need for data controllers to collect and use information for statistical purposes in order to improve their website. However, the rules of the GDPR still apply whenever personal data about website visitors is collected and processed – for statistical or any other purposes. This means that the data controller – e.g. the owner of the website – must ensure that there is a legal basis for the processing of personal data. This also applies to any subsequent processing of data that takes place either at a data processor or when transferred to other independent data controllers.

Official guidance

The German federal data protection authority, the BfDI, clarified how the COVID-19 vaccination status of employees should be processed by employers. Employers generally may not process the “vaccination status” data of their employees without express statutory authorization – not even in the context of the pandemic. The “vaccination status” data is a special category of data pursuant to Art. 9 of the GDPR. Only in individual cases is processing of the “vaccination status” data possible, on the basis of legal requirements, namely, in the health care sector, daycare facilities for children, in the event of a possible infection and subsequent quarantine due to state-required pandemic control requirements, or on the basis of freely given and recorded consent. If the vaccination status is to be stored, no copies of vaccination cards or comparable certificates, (original or copy), may be included in the personnel file. It is sufficient if it is noted that these have been presented in each case.

There were clarifications on CCTV use on private property from Cyprus’s privacy commissioner. While the GDPR does not apply to personal or household activities, the scope of any recording should not go further than the perimeter of said private property. Also any complaints should be made to the police, as the data protection office does not have the power to enter a private property to examine any footage. Visible signs should state that CCTV is in use, explain why, and include a contact number for an operator. If CCTV is installed by a building’s management committee, then it becomes the principal data controller. CCTV may be installed in building entrances and exits, outside lift doors, and over tills and payment points only as long as the camera is only pointed towards them. Cameras can also be installed in building parking areas if the management committee deems it necessary. Finally, CCTV is not allowed in toilets, corridors, lobbies, inside lifts, and indoor or outdoor areas of cafes, bars and restaurants.

Denmark’s data protection agency has published guidance on the use of personal data for testing IT systems, available in Danish. Depending on the circumstances, it may be reasonable and necessary to use personal information when developing and testing IT systems. For example, it will be acceptable to use personal information in connection with final integration tests with other, (external), IT systems, or where there is significant difficulty in creating accurate anonymised test data, in particular because it can be difficult to reflect all the errors and irregularities that may occur in a production environment. In addition, it may be reasonable to use a limited amount of personal information in connection with troubleshooting and error correction. Sometimes it may even be unsafe to put a system into its final production stage without having first tested it with production data, including personal. However, such testing would require a risk assessment for the data subjects, (eg employees, customers and citizens), and appropriate security measures in accordance with the risk assessment.

Some other important guidance published by regulators in the EU and abroad includes:

  • The most common mistakes made by the communities working on draft codes of conduct, by the Polish data protection authority, UODO. These include the lack of clear justification of the purpose of the code, or the entity applying for approval of the code does not represent the majority of the sector, or a draft code’s scope of consultations is too narrow, not including, for example, data subjects.
  • Guidelines on political campaigns were set by Malta’s IDPC, including the legal bases for door-to-door canvassing, postal and telephony communication, as well as online canvassing, and opting out from direct advertising.
  • China’s draft guidance on identifying important data sets out the identification principles as well as a list of important data. One of them divides data into three classes, namely public data, personal information, and legal person data, and five levels according to their importance – public, internal, sensitive, important and core. Entities in the industrial and telecom sectors are also required to first divide the data into different types – research data, production operation data, management data, operation maintenance data, business service data and personal information, and then divide data into levels and classes.
  • The European Data Protection Supervisor offers ever-so-simple guidance on protecting your personal information from phishing attacks. Suitable even for a young audience, it encourages you to STOP if you receive a suspicious message or email, THINK before you click on any links or attachments contained in the message, and LOOK for clues such as how the email or message is phrased, the time at which the email or message was sent, the list of recipients of the email, the sender’s number or email address, or the tone of the message if there is a sense of urgency.
  • California’s Attorney General has provided consumers and businesses with tips on how to defend against cyber threats. The recommendations emphasise complexity – from creating strong passwords, limiting personal information shared online, checking on privacy settings on your device, to encryption, employee training and wifi network security.

Enforcement actions

Spain’s data protection authority, the AEPD, has issued its third-largest fine after finding flaws in the consent acquisition language used by CaixaBank. The investigation also uncovered that Caixabank requested information about an individual from the solvency file, even though the individual had no ongoing contracts with the bank. The individual was also included in the bank’s marketing campaigns for a pre-granted credit, without proper legal basis or consent and adequate information about the data processing, including profiling. The aggravating factors for the significant fine were the volume of the business and the duration and severity of the negligence.

The AEPD also fined a data controller – Servicios Logísticos Martorell – 16,000 euros for implementing a biometric identification system without carrying out a DPIA beforehand. A workers’ union complained that the company had implemented a biometric identification system to control its 520 workers’ access using their fingerprints, a system that was used along with a card reader system. The union argued that the workplace was so big that employees had a 20 minute walk to reach their work station, so they needed an additional control system to determine when they really accessed their post. The company argued that the biometric system is more reliable than using cards, since people could use another worker’s card.

The Dutch data protection authority, the AP, has rejected the license application of a Dutch association of small and medium enterprises to keep a blacklist of possible fraudsters and share that blacklist with companies from different sectors. The AP may grant such licenses only when it is necessary for the data to be shared, and sufficient safeguards have been put in place, such as implementing a data collection and sharing protocol. Similarly, the AP rejected a license application for Fraudehelpdesk, a governmental initiative that helps victims of fraud find their way to the right authorities, for not having an implemented protocol in place. “In the event of a data breach, telephone numbers, e-mail addresses and other personal data of suspected perpetrators, whose crime was not proven, can roam the internet. If you are known as a fraudster, even if this is unjustified, you could be fired, for example. Then it may be difficult to get a loan or to rent a home.”

The Czech data protection authority, the UOOU, has published an overview of data breaches inspections for the first half of 2021. In one of the complaints, a former insurance company employee stated that the IT department did not fill out an exit checklist at the end of any employee’s contract. This checklist includes the data access revocation, infringing Art. 32 (2) of the GDPR by failing to sufficiently consider the risks of unauthorized access to the data, which could have led to unauthorized disclosure of personal information. In another case, a company operating an online store used cookies illegally. When a user decided to obtain more information about the processing of personal data before granting consent, and clicked on the link “Personal data”, this triggered uninformed consent to the processing of personal data through cookies.

Individual rights

A group of 850 professional footballers in the UK challenged use of their personal data. In the opinion of Herrington Carmichael, “Professional athletes’ performance statistics and attributes have become intrinsic to the sports industry. This information is passed through a multitude of platforms, giving information to clubs on potential player transfers and opponents and it is widely published in the media sphere.” The footballers are arguing that the unchallenged use of their personal data by the firms contravenes their data protection rights under the UK’s GDPR. They do not consent to the sharing of their data which may be used for illegitimate purposes by betting companies, scouting platforms or even video game manufacturers. Moreover, it can be damaging if the data being shared about them is inaccurate. They could miss out on transfers which are not only important for their personal careers but the sports industry as a whole. Collectively the group have claimed compensation for the misuse of their personal data from dozens of firms and demand an annual fee for any firms’ future uses of their personal data.

Opinion

Telemedicine and personal health data exploitation is analysed by Privacy International. The provision of real-time, video-based health consultations, as well as health monitoring software with elements of machine learning capabilities, wireless sensors, etc., has become widely used by health professionals and patients. As an example, during the pandemic everyday communications technologies, such as FaceTime or Skype, were widely accepted and used by nationwide public health services in the US and the EU. Data collected by these applications varies, and ranges from concrete data points, (eg, heart rate, glucose, blood oxygen levels), to video footage. One of the biggest security concerns stems from the fact that the tools, in terms of design, functionality or security, are controlled by a third party, not the healthcare actors.

European legal challenges for manufacturers of connected vehicles regarding personal data are explained in a nutshell by Bird&Bird:

“It could be that different pieces of information, such as vehicle service information, which on the surface don’t appear to constitute personal data, can be collated and linked to an individual via, for example, a Vehicle Identification Number. The consequence of this is that the CV manufacturer as the data controller might be under an obligation to divulge this data in response to data access requests which can be time consuming. There is a solution known as “tokenisation” which involves anonymising the data irreversibly.”

The EU regulator, the EDPB, has recently published draft Guidelines on the processing of personal data in the context of CVs and mobility-related applications. CV manufacturers must abide by the GDPR obligations in full, including privacy notices to car users and guarantees of data security and minimisation during repairs or when performing data-driven after-sales services.

Big Tech

Canada’s Office of the Privacy Commissioner published observations following the joint statement by a number of data protection authorities on global privacy expectations of video teleconferencing companies, such as Microsoft, Google, Cisco and Zoom. These should include multi-layered, visual and audible, contextual and timely privacy notices; the ability to opt out of attendance or engagement reports; virtual and blurred backgrounds; user consent prior to a host unmuting audio or activating video; transparency on third-party contractors; and data centre location. Whenever possible, users should be able to choose which locations and jurisdictions their personal information is routed through and stored in. Contractual measures should exist to ensure that information is adequately protected when shared with third parties, including in foreign jurisdictions, along with end-to-end encryption and limitation of the secondary use of data.

China’s market regulator proposed a long list of responsibilities it said it wanted the country’s internet platforms to uphold, in the latest effort by Beijing to establish an oversight framework for its technology sector. Super large platforms are defined as those having more than 500 million users, a wide range of business types, and a market value of more than 1 trillion yuan (13 billion euros), a description that would apply to the likes of Alibaba Group, Tencent Holdings and Meituan. Customer data should not be obtained without users’ consent, and platforms should be transparent when using big data to recommend products. China’s top internet regulator also published draft guidelines that will subject companies with more than 1 million users in the country to a security review before they can send user-related data abroad. Companies that have already sent abroad, or intend to send abroad, the personal information of more than 100,000 users, or “sensitive” personal information belonging to 10,000 users, would also be bound by the requirement.

Meanwhile in the US, an executive at TikTok, owned by Beijing-based internet technology company ByteDance, faced tough questions during the video-sharing app’s first appearance at a congressional hearing, stating that the company does not give information to the Chinese government and has sought to safeguard U.S. data. Lawmakers were concerned about TikTok’s data collection, including audio and a user’s location, and the potential for the Chinese government to gain access to the information. The executive testified that TikTok’s U.S. user data is stored in the United States, with backups in Singapore. Senators also voiced concerns that TikTok and its rivals YouTube and Snapchat have algorithms that can be harmful to young people.

The Apple privacy updates, which began rolling out in April and prevent advertisers from tracking iPhone users without their consent, have had investors in digital ad companies on edge for fear that reduced access to data would upend the nearly 100 bln dollar mobile ad market. Ad businesses such as Snap’s or Facebook’s rely on direct response advertising, an industry term that refers to ad sellers and buyers who use information such as what devices consumers are using and what they are searching for to place ads in front of interested audiences, with the aim of quickly generating sales or website visits. Twitter is likely to be spared because the social networking site is mainly used for brand advertising, and Google is also shielded from the iPhone privacy changes because much of its usage comes from desktops, and promoted results placed on Google searches are not dependent on iPhone data.

While everyone is buzzing about Facebook’s rebranding and transition to the future Metaverse, last week privacy experts once again reminded us of the increasing regulatory backlash against Meta: “Regulators the world over are seeking to exercise greater restrictions on what the FB platform can do, with a UK watchdog fining it 70 mln dollars for withholding information related to an ongoing antitrust oversight of its acquisition of GIF-sharing platform Giphy. In Ireland, regulators want to fine the company 38 mln dollars for breaching GDPR data collection policies. And in the US, Congress is increasingly discussing the prospect of amending protections given to social media platforms and reforming antitrust laws and data privacy regulations that affect Facebook.”

The post Weekly digest October 25 – 31, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.