cybersecurity Archives - TechGDPR
https://techgdpr.com/blog/tag/cybersecurity/
Tue, 31 Dec 2024 11:02:11 +0000

Password security: how strong passwords work and the tools to simplify
https://techgdpr.com/blog/password-security-strong-passwords-tools/
Tue, 31 Dec 2024 11:02:10 +0000

Despite there being means of visualizing one’s password security and its strength, it is not immediately clear how password strength works and where the fine line lies between a random, unpredictable password and an easy-to-guess one. What if there was a way for the average person to understand where that line resides? Password strength is the basis for protecting sensitive data, ensuring regulatory compliance and maintaining trust. With growing reliance on online systems and fast-rising threats, reliable password practices are a necessity. Weak and compromised passwords create loopholes for cybercriminals, and the ensuing loss of confidentiality leads to data breaches.

Exploring the key aspects of password security involves evaluating how well a password resists brute-force attacks, using password managers to keep passwords unique and securely stored, leveraging multi-factor authentication (MFA) to add protection, and recognizing the risks of browser-suggested passwords, in particular what happens if the browser or device is compromised.

How secure is my password?

One of the ways to assess the strength of a password is entropy. Entropy measures password complexity by its randomness: how unpredictable the password is, and therefore how difficult it is for an attacker to guess. In layman’s terms, higher entropy (more randomness) means a more secure password. Factors that contribute to higher password entropy include:

  • Length: Longer passwords are generally harder to crack.
  • Complexity: Including a mix of uppercase and lowercase letters, numbers, and symbols.
  • Unpredictability: Avoiding predictable patterns like common words and phrases.

Anyone curious about how secure their password is can use the Password Entropy Calculator to understand password strength and evaluate their own passwords. A secure password should have high entropy, which makes it resistant to brute-force attacks, where attackers systematically try every possible combination of passwords or keys until they find the correct one.
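As an added example (not part of the original article, nor the code of the Password Entropy Calculator it links to), the following Python computes the length-and-character-class entropy estimate the section describes, the worst-case time to exhaust that space at an assumed guess rate, and shows why a password drawn from a common-password list has far lower effective entropy than its length and character mix suggest. The guess rate, the strength thresholds and the tiny common-password list are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a real breached-password wordlist (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}

# Assumed guess rate for an offline attack on a fast hash; an illustrative
# figure, not one taken from the article.
GUESSES_PER_SECOND = 1e10

# Character classes the entropy estimate is based on.
CHAR_CLASSES = (
    ("lowercase", frozenset(string.ascii_lowercase)),   # 26 characters
    ("uppercase", frozenset(string.ascii_uppercase)),   # 26 characters
    ("digits", frozenset(string.digits)),               # 10 characters
    ("symbols", frozenset(string.punctuation)),         # 32 characters
)
KNOWN_CHARS = frozenset().union(*(members for _, members in CHAR_CLASSES))


def pool_size(password: str) -> int:
    """Size of the character pool implied by the classes the password uses.

    Every class that appears contributes its whole alphabet, because a
    brute-force attacker who sees one digit must try all ten. Characters
    outside the four classes (space, non-ASCII) each widen the pool by one.
    """
    chars = set(password)
    size = sum(len(members) for _, members in CHAR_CLASSES if chars & members)
    return size + len(chars - KNOWN_CHARS)


def entropy_bits(password: str) -> float:
    """Entropy estimate in bits.

    For a password chosen uniformly at random this is length * log2(pool).
    A password that appears in the common list gets log2(len(list)) instead:
    an attacker who tries the list first finds it within that many guesses,
    however long or mixed it looks.
    """
    if not password:
        return 0.0
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return len(password) * math.log2(pool_size(password))


def worst_case_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every candidate in a space of 2**bits at `rate`."""
    return 2.0 ** bits / rate


def strength_label(bits: float) -> str:
    """Coarse bands; the thresholds are an assumption for illustration."""
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "strong"
    return "very strong"


def evaluate(password: str) -> dict:
    """Summary a calculator would show for one password."""
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "pool": pool_size(password),
        "entropy_bits": round(bits, 1),
        "label": strength_label(bits),
        "worst_case_seconds": worst_case_crack_seconds(bits),
    }


if __name__ == "__main__":
    # "Password1" looks like 9 characters over a 62-symbol pool (~53.6 bits)
    # but is on the common list; the random 14-character string has no such
    # shortcut, so only brute force remains.
    for pw in ("Password1", "correct horse", "xK9#mQ2vL!p7Rz"):
        print(f"{pw!r}: {evaluate(pw)}")
```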

How do password managers enhance security?

According to the German Federal Office for Information Security (BSI), using a password manager is one of the most effective ways to securely store and manage passwords, and following such standards gives the strategies outlined here a robust and reliable footing. Password managers are powerful tools for improving both password security and convenience. They securely store and manage passwords, making it easy to use a complex, unique credential for every account. This reduces the risk of weak or reused passwords and also simplifies the online experience by removing the need to remember multiple passwords. Password managers enhance security by:

  • Generating strong passwords: Password managers create random, complex passwords that are nearly impossible to crack.
  • Secure storage: Passwords are encrypted and stored securely, reducing the risk of exposure.
  • Unique passwords for every account: A unique password per account limits the damage if one account is compromised (for instance, if logging into a service over public WiFi lets a third party intercept an individual’s credentials).
  • Automatic filling: Password managers autofill login credentials only on the legitimate site they were saved for, which reduces the risk of phishing.

There are many popular password managers that offer both free and premium versions to suit individual or organizational needs. Organizational password management needs often focus on collaboration, centralized control, and compliance with security policies, requiring features like shared vaults, role-based access, and audit trails. In contrast, individual users prioritize personal security, ease of use, and cross-device synchronization to protect their accounts.

How Multi-factor Authentication (MFA) adds an extra layer of security

While strong passwords are essential, they are not reliable on their own. The European Union has emphasised that MFA protects consumers’ sensitive data, enhances operational resilience, and mitigates cybersecurity risks. Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to access an account. These factors are typically a combination of at least two of the following:

  • Something you know: A password or PIN.
  • Something you have [i.e. physically]: A smartphone, hardware token, or security key.
  • Something you are: Biometric data, such as fingerprints or facial biometrics.
  • Somewhere you are: The location matches the expected location (VPNs).

MFA significantly reduces the risk of unauthorized access, even if a password is compromised. According to Microsoft, MFA can prevent 99.9% of account compromise attacks, making it a crucial component of any security strategy. 

Password security and compliance

Many industries are subject to regulations that require high password security to protect sensitive data such as:

  • The General Data Protection Regulation (GDPR): Mandates the protection of personal data for EU residents.
  • The Payment Card Industry Data Security Standard (PCI DSS): Requires strong password policies for organizations handling credit card data.
  • Health Insurance Portability and Accountability Act (HIPAA): Enforces password security to safeguard patient information.

Failure to comply with these regulations can result in huge fines and legal consequences. Implementing password security best practices is therefore not only good protection practice, it is a compliance necessity.

Are browser-suggested passwords safe?

They are generally safe and convenient: modern web browsers such as Chrome, Firefox and Safari offer built-in password managers that suggest and store passwords using encrypted storage and well-tested algorithms. Convenient as they are, there are some risks to consider.

  • Limited security features: Browser-based password managers may not offer the same level of encryption and security as dedicated password manager apps.
  • Device dependency: If a device is compromised or lost, the stored passwords may be at risk, especially if the device lacks proper security controls.
  • Synchronization risks: Passwords synced across devices via a cloud service become exposed if an attacker compromises the cloud account.
  • Phishing vulnerability: Phishing websites can exploit autofill features by cloning legitimate sites.

When choosing to use browser-suggested passwords, ensure an up-to-date browser, use strong device security, and consider enabling MFA for cloud accounts.

Conclusion

Password security is a staple of digital safety and regulatory compliance. Creating strong, unique passwords, using password managers, and enabling multi-factor authentication help individuals and organizations reduce unauthorized access and breaches.

While browser-suggested passwords offer convenience, understanding their limitations and risks is essential. Ultimately, a proactive approach to password security can protect an individual’s data, ensure compliance, and build trust with customers.

Feel free to reach out to TechGDPR for any clarification of technical compliance needs.

Data protection digest 3 – 17 Jun 2024: software testing, email management, affordable data security
https://techgdpr.com/blog/data-protection-digest-20062024-software-testing-email-management-affordable-data-security/
Thu, 20 Jun 2024 08:06:48 +0000

In this issue: security-focused software testing to find unexpected functionalities in recently developed applications; email management and metadata in the work context; Wikipedia must abide by the GDPR; and London hospitals suffer ransom attacks.


Software testing

To help businesses and authorities address a range of security threats, the Danish data protection authority has added a new item to its list of security measures (in Danish). It concerns security-focused software testing, which can find flaws in recently created applications. The software’s intended functionality is what the “customer” usually asks for; a product could nonetheless have unexpected or undesired capabilities.

Unwanted functionality is by definition unnecessary and therefore generally unused, which creates hidden security issues. People with malicious intentions can also search for unnecessary or unwanted functionality to misuse. Increasingly complex IT systems and integrations between them increase the likelihood of errors and vulnerabilities, even when security is a focus during development.

Furthermore, a lot of software is built from pre-made components that are either created by other parties or are part of “developer tools”, and it is unknown how much attention these third parties pay to security needs. Therefore, the only way to guarantee that new software is designed with a focus on security may be through testing, or through requirements on the supplier’s testing. Testing documentation can also play a critical role in proving whether sufficient precautions have been taken to prevent security breaches.

Whistleblowing and anonymity

The most recent EU whistleblower legislation is explained in Iuslaboris’ blog article using the example of the Netherlands. In particular, midsize employers (50+ employees) are now also subject to the new and stricter obligations of the Dutch Whistleblower Protection Act 2023 regarding internal reporting processes for whistleblowers:

  • The employer is generally free to choose an anonymous reporting mechanism, such as specialised software. 
  • A report is made anonymously, but it needs to be made to a properly designated officer.
  • That officer must then discuss with the reporting person how they wish to communicate during the process.
  • If the reporting person’s identity is partially revealed, the officer is responsible for making sure that any parties not involved in the inquiry are not informed. 
  • It’s also advisable to explain the breach of anonymity to the individual who filed the report.  
  • The reports might be looked into at the group level of the organisation, (even if the parent company is located in another country).

Email management and metadata

IT programs and services for e-mail management, marketed by suppliers as cloud services, may collect metadata by default in a preventive and generalised way. This sometimes limits an employer who wishes to change the program’s basic settings to disable the systematic collection of such data in the work context, or to reduce its retention period. The fundamental right to secrecy of the content of e-mail correspondence, including the external data of the communications and the attached files, protects the essential core of the dignity of individuals and the full development of their personality in social formations.

Metadata may include the email addresses of the sender and recipient, the IP addresses of the servers or clients involved in routing the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, details about the management system of the email service used, along with the subject of the message sent or received. This metadata should not be confused with the information in the e-mail messages themselves (integrated into them although not immediately visible to users) in their “body part”, which remains under the exclusive control of the user.

Thus, all data controllers are reminded to verify that the collection and storage of logs take place in compliance with the principles of correctness and transparency, and that workers have been adequately informed about the processing of personal data relating to electronic communications concerning them (specifying data retention times, any controls, etc.).

More official guidance

Data subject requests: The Latvian data protection regulator explains how a data controller should act when it receives a request from a person acting as a data subject:

  • Verify the data subject’s identity (additional information can be requested).
  • Find out which rights the person intends to exercise with the request.
  • Develop a request form that sets out the possible requests.
  • Observe the response deadlines.
  • Act accordingly if an unreasonable or disproportionate request is received.
  • Take into account the restrictions on the exercise of data subjects’ rights.
  • Document the progress of request processing.
  • Cooperate with the Data State Inspectorate if necessary.

Information sharing in health emergencies at work: The Guernsey data protection authority explains how to think in advance about sharing workers’ information in a health emergency. It covers any situation where you believe that someone is at risk of serious harm to themselves, or others, because of their mental or physical health. This can include potential loss of life. Also, the same obligations apply to processing information about your workers’ mental or physical health. 

In a health emergency, data protection does not act as a barrier to necessary and proportionate information sharing. Where there is a risk of serious harm to the worker, or to others, you should share necessary and proportionate information without delay with relevant and appropriate emergency services or health professionals. You must ensure that your workers are aware of any policy for sharing personal information in a health emergency and that it is available to them.

This policy also could become part of your Data Protection Impact Assessment on the everyday handling of your workers’ health information. 

Meta AI training postponed in the EU/EEA

Meta was scheduled to train and improve its AI applications on users’ content from Facebook and Instagram next week. At the request of the Irish Data Protection Commission (the lead supervisory authority), this has been postponed until further notice. Earlier this month, Meta announced it would begin using publicly available content from European users of Facebook, Instagram and Threads to train an AI app. The stated legal basis for the processing is legitimate interest, and users could object to the use of their content if they wished. Numerous complaints about Meta’s new practice were lodged with European supervisory authorities, including in Norway, Austria, France and elsewhere.

Meanwhile, the Hamburg Data Protection Commissioner (HmbBfDI) published recommendations regarding AI training with personal data by Meta. Users worldwide should be aware that once a large language model has been trained with personal data, this cannot be reversed. Individuals can object in the settings on the profile page under the Privacy Policy. Persons who do not have an account with a Meta service may also be affected by Meta’s processing of personal data for AI training purposes, as Meta also uses data from so-called third-party providers.

In the future, Meta’s AI-supported tools could become available for both users and companies. 


Wikipedia vs GDPR

The Italian privacy regulator Garante recently ruled that the processing of personal data carried out by Wikipedia falls under the GDPR, and that the rules on journalistic activity and freedom of expression apply to the published content. The decision came after a complaint from an interested party whose request to the Wikimedia Foundation to delete a biographical article relating to a judicial matter was not satisfied. The regulator ordered the de-indexing of the article.

The US non-profit believes it does not offer a service to users in the EU and is therefore not bound to compliance with the GDPR: it just “hosts” the contents inserted by the community of volunteers. In reality, explains Garante, Wikipedia constantly addresses and verifies the quality standards of the content and creates versions of the site dedicated to users from one or more EU countries.  

More enforcement decisions

Cookies without consent: An Amsterdam court held that LinkedIn, Microsoft and Xandr must cease placing cookies without user consent, DataGuidance reports. The plaintiff visited 52 websites, of which 19 installed cookies on their device either without their knowledge or after consent was expressly denied. The website provider bears certain duties even where third parties are responsible for installing cookies on users’ devices. The court found that the above companies’ partnerships with third-party operators resulted in the cookies in question, and that they did not prevent those third parties from placing cookies without authorisation.

Recruiting company deletion requests: Meanwhile, the Dutch data protection authority has imposed a fine of 6,000 euros on the recruitment company Ambitious People Group. The company did have a method for requests to delete data. Yet in practice, things went wrong several times. The data remained in the database after the people requested their removal. The company also kept approaching these people about vacancies. The data in question included names, home addresses, e-mail addresses, telephone numbers, dates of birth and CVs containing information about education and work experience.

Security gaps: As part of an unsolicited audit by the Lower Saxony data protection authority, 20 companies have closed security gaps in their Microsoft Exchange servers. The window between the release of a security update and the exploitation of the vulnerability is sometimes very short, and sometimes the first waves of attacks on customers’ and employees’ data have already occurred before the update is available. Therefore:

  • Anyone who commissions an IT service provider to operate an Exchange server must ensure that the contract also includes regular patching of the server. 
  • Companies must ensure that they can patch their servers immediately if critical security vulnerabilities arise.

Data security

Affordable data security: An opinion article by the Estonian data protection regulator suggests that small and medium-sized companies perceive data protection mainly as a source of costs and worries. However, the practice shows that mitigating risks associated with the cyber security aspects of data protection may not be as scary and expensive as it may seem at first glance. Most familiar and valid recommendations for your web security would include: 

  • updating the software on your devices and IT infrastructure (hosting providers offer automated application installation),
  • adopting multi-factor authentication (for user log-ins and the web hosting control panel),
  • auditing accounts (access control), and
  • disposing of unused and unnecessary applications and files on the web server.

Privacy vulnerabilities of AI systems: An Iuslaboris law blog looks at cyber security obligations under the EU AI Act against model poisoning, model evasion, confidentiality attacks, and model flaws. One example is privacy attacks. Once the AI system is operational, bad actors can use legitimate means to obtain personal data: it may be possible to send a large language model many queries that allow the actor to reverse engineer personal data about a particular individual in the aggregate data set. The same techniques can be used to access proprietary or confidential information about the AI system’s architecture, enabling attackers to extract enough information about an AI system to reconstruct a model.

Hospital system under attack


BBC News reports that London hospitals are still grappling with the aftermath of a cyber attack that has led to many hours of extra work for their staff. A critical incident was declared on 4 June after a ransomware attack targeted the services provided by pathology firm Synnovis. Healthcare facilities are experiencing significant disruptions to their services, including blood transfusions, and blood sample processing is being done by hand in the labs. The results are added into the system “line by line” after being double-checked. It was also necessary to move some patients who needed emergency surgery to different institutions and cancel other operations.

Privacy research

The Norwegian data protection regulator revealed the results of a nationwide survey on the population’s relationship to privacy. The vast majority of people in the survey have refrained from downloading an app because they are unsure of how their data will be used. Young people are used to giving up large amounts of personal data, and they use a far greater range of services than older age groups do. Most people believe that AI will challenge privacy by collecting too much personal data and using it. There is broad support that the authorities should take an active role in the regulation of artificial intelligence, but fewer believe that this will be possible. 

Data protection digest 18 May – 2 Jun 2024: decentralised clinical research, Meta’s new virtual assistant
https://techgdpr.com/blog/data-protection-digest-05062024-decentralised-clinical-research-meta-ai-training/
Wed, 05 Jun 2024 07:43:31 +0000

In this issue, the personal data lifecycle in decentralised clinical research, Meta’s new AI chatbot, protections for organisations against data scraping, failed backup testing and spreadsheet error real examples, and much more.


Decentralised clinical research

To support sponsors in designing their decentralised clinical research projects, the French data protection authority CNIL, together with other state agencies, set up a pilot project running from January to September 2024. 20 selected projects will receive targeted support and updated guidance, looking especially at the entire lifecycle of personal data processing:

  • Roles and responsibilities (oversight of incoming data);
  • Informed consent process (interviews, leaflets, signatures);
  • Delivery of investigational products (safety data, biological sample handling, home visits, etc.);
  • Data collection and management (defining and handling source data);
  • Trial monitoring (remote access).

In December 2022, the Commission published the European recommendations on decentralised clinical trials. It came after the COVID-19 pandemic, highlighting the importance of digital tools and decentralisation procedures in health research projects.

Meta’s AI virtual assistant under investigation in the EU

Norway’s data protection regulator reports that as of June 26, posts and photos on Facebook (often of a private nature) and Instagram will be used to develop and improve Meta’s AI assistant service. This won’t include private messages to friends and family. Reportedly, Meta believes that it does not need to ask for users’ consent since its interest in using the content outweighs the users’ interests and rights. The regulator has already received a complaint and started an investigation into the new practice, and expects more complaints, both in Norway and across Europe.

At the moment individuals in Norway can only object to it in a dedicated form on Facebook and Instagram if they wish.

Protections against data scraping

The Italian data protection authority has issued non-mandatory guidance on how public and private entities, in their capacity as data controllers, can protect the personal data they publish online from web scraping. It particularly targets the indiscriminate collection of personal data on the internet by third parties for training generative AI models. Concrete measures (taking into account the latest technology and the costs of implementation, in particular for SMEs) may include:

  • creating areas accessible only upon registration, to remove data from public availability;
  • including anti-scraping clauses in the terms of service of websites;
  • monitoring traffic to web pages to identify abnormal flows of incoming and outgoing data;
  • using the technical measures made available by the companies responsible for web scraping themselves (e.g., configuring the robots.txt file).

Other official guidance

Data collection: Getting data collection right is key to your overall GDPR compliance, because once you have understood and complied with the principles governing your data collection, the same principles apply throughout the lifecycle of whatever you do with the data you hold, explains the Guernsey data protection authority. It also offers new guidance that applies regardless of the collection method (in-person interviews, emails, online forms, paper forms, video surveillance, social media activity, phone calls, etc.).

Dynamic data security: Data security measures must be viewed as dynamic, as opposed to a static, obligation, according to the Guernsey regulator. In its latest statistical research, the agency found that the long-established trend of emails being sent to the wrong person continues to be the most common reported breach. At the same time, the vast majority of breaches were still discovered by individuals, and not through system auditing or testing. The regulator requests a deeper understanding of the potential associated harms, ranging from “loss of confidentiality” to “emotional distress,” to properly assess the risk of such incidents. 


‘Manage GDPR’: The Spanish regulator AEPD published a new version of its Manage GDPR tool (available in English). ‘Gestiona’ targets controllers and processors as well as data protection specialists. It allows the records of processing activities (ROPA), with up to 500 processing activities, to be managed in an integrated way and for different entities. It is now also possible to manage risk using the privacy measures the tool suggests for each identified risk factor. The tool runs on the user’s device in the browser, without installing any application, and stores the information locally.

Legal processes

Anonymisation standard: The Quebec government has brought into force the Regulation respecting the anonymisation of personal information. It prescribes that once the purposes for which personal data was used are achieved, organisations (including the private sector) have two choices: destroy it, or anonymise it for use only for serious and legitimate purposes. It will largely apply from 2025.

UK Data Protection reform on hold: The Data Protection and Digital Information Bill falls ahead of a snap UK general election. As UK observers explain, any legislation that did not complete its passage by the end of the ‘wash-up’ on 24 May falls and will need to be reintroduced in the next Parliament. The draft bill was criticised for its flexibility towards data sharing in trade and innovation and state surveillance, threatening the adequacy decision granted by the EU. 

US Privacy and AI legislation: A good chunk of future privacy and AI bills has moved forward through state legislatures this past month. This includes the Maryland Age-Appropriate Design Code and other privacy acts, the Colorado Consumer Protections for AI Act, and the Vermont, Minnesota, and Kentucky Consumer Data Privacy Acts. California’s Bill on AI Accountability was read in the state Assembly, and the House of Representatives subcommittee advanced the American Privacy Rights Act Discussion Draft. 

Worldcoin on pause in Spain

The Worldcoin project has committed to freezing its activity in Spain until the end of the year or until the final approval of its processing activities. The data protection authority of Bavaria, where the company has its main establishment in Europe, is progressing with its investigation and is expected to conclude soon with a final binding decision. Worldcoin uses iris scans for unique identification, with plans to expand towards wider adoption of a global currency on the blockchain, explains a TechTarget article. The iris structure is used to generate a unique identifying code that is saved on the Worldcoin decentralised blockchain to prevent others from replicating it.

The biometric data is not stored by the scanning device, but is kept in the form of anonymised ‘IrisHash’. 

More enforcement decisions

Failed backup testing: The Danish data protection authority criticised the breakdown of NemID in 2022, where up to 1.5 million users experienced problems logging in to major public services. The data controller followed their emergency procedure to restore the operation with a backup solution. This appeared to be unavailable, and the test to establish the viability of the backup solution was last carried out two years before the collapse. Such tests show whether recovery can be done with existing guides/procedures, that hardware, software, and data can work together, and that recovery can happen quickly enough as the consequences usually increase with time.

Spreadsheet error: In the UK, the Police Service of Northern Ireland is facing a 750,000 pound fine for failing to protect the personal information of its entire workforce. Personal information including surname, initials, rank and role of all 9,483 serving officers and staff was included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request. The error caused several officers to move house, cut themselves off from family members and completely alter their daily routines because of the tangible fear of threat to life. The cause of the data breach was more than trivial as there were insufficient internal procedures and sign-off protocols for the safe disclosure of information.

Data security


US financial entities: If your business is covered by the FTC’s Gramm-Leach-Bliley Safeguards Rule, an amendment that requires covered companies to report certain data breaches is now in effect. It lists thirteen distinct company categories, including payday lenders, mortgage lenders, finance companies, mortgage brokers, account servicers, cheque cashers, wire transfer services, collection agencies, tax preparation organisations, credit counsellors, and other financial consultants. According to the amendment, financial institutions must report to the FTC any security breach involving the personal data of at least 500 customers as soon as feasible, but no later than 30 days after discovery.

Big Data

Microsoft vs schools: Microsoft’s 365 Education services violate children’s privacy by shifting the responsibility to school administrations, according to the NOYB privacy advocacy group. Digital service providers like Microsoft tend to designate educational bodies as data controllers in their terms and conditions. In practice, however, the schools have no control over the applications, their design, or their data operations. In just one example, they cannot satisfy data access requests from individuals because they do not hold the necessary data.

Malware and data stealing: Law enforcement agencies in the US and EU announced massive operations against some of the most influential cybercrime platforms for delivering ransomware and data-stealing malware. They targeted droppers and loaders (custom-made programs designed to surreptitiously install malware onto a system), which are deployed through email attachments, hacked websites, or bundled with legitimate software. Droppers are typically used in the initial stages of a breach, allowing cybercriminals to bypass security measures and deploy additional harmful programs.

ShinyHunters ransom: Meanwhile, Ticketmaster in the US was hit by a data hack that may affect 560m customers, the Guardian reports. Cybercrime group ShinyHunters reportedly demanded a 400,000-pound ransom to prevent the data from being sold. The unauthorised access was spotted in a third-party cloud database environment containing the company’s data. Earlier, Santander also confirmed being hacked by the same group. ShinyHunters claimed it had the data of 30m customers and staff details, 6m account numbers and balances, and 28m credit card numbers, and is demanding a ransom of 1.6m pounds.

The post Data protection digest 18 May – 2 Jun 2024: decentralised clinical research, Meta’s new virtual assistant appeared first on TechGDPR.

Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown https://techgdpr.com/blog/data-protection-digest-04042023-dismissed-fine-cybersecurity-tools-chatgpt-clampdown/ Tue, 04 Apr 2023 08:50:03 +0000

The post Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Court-dismissed fine: A multimillion-euro fine imposed by the Spanish privacy regulator has been overturned by a court decision, according to a publication by the Clifford Chance law firm. The AEPD fined Banco Bilbao Vizcaya Argentaria 5 million euros in 2020, the first of many hefty fines for GDPR violations in the country’s corporate sector. In that case, the AEPD had received several complaints about commercial communications. Ultimately, it found that BBVA’s privacy policy, which applied to all of its clients and to processing other than the sending of marketing communications, violated the duty of information and occasionally misused consent and legitimate interest as the basis for processing. However, the decision and fine concerning BBVA’s privacy policy were completely at odds with the initial complaints, and the court found that the AEPD had broken the sanctioning procedural rules.

EU Health Data Space: EU legislators are actively working on safeguards for the upcoming European Health Data Space. This includes promoting patients’ understanding and control of their personal health data. The latest amendments look at the main characteristics of the electronic health data categories: patient summary, electronic prescription, electronic dispensation, medical image and image report, laboratory result, and discharge report. Under the Commission’s proposal, researchers, companies, and institutions will require a permit from a health data access body, to be set up in all member states. Access will only be granted to use de-identified data for approved research projects, which will be carried out in closed, secure environments, as the Sciencebusiness.com publication sums up.

Iowa privacy legislation: Iowa enacted its new comprehensive privacy law, making it the sixth US state to do so after California, Virginia, Colorado, Utah, and Connecticut. It will take effect in 2025. Anyone conducting business in Iowa or creating goods or services marketed toward Iowans is subject to the law if they meet one of the following conditions: they process at least 100,000 consumers’ personal data; or they process 25,000 consumers’ personal data and derive more than 50% of gross revenue from selling it. The law does not apply to financial institutions, nonprofit organizations, institutions of higher education, information bearing on consumers’ creditworthiness, various research data, protected health information, and more.

Utah minors protection: Utah enacted two laws to limit children’s access to social media, making it the first US state to demand parental consent before children can use Instagram and TikTok. It also makes suing social media companies for damages simpler. To date, US lawmakers have had difficulty enacting stricter federal laws governing online child safety. Under Section 230 of the US Communications Decency Act, media service providers are largely shielded from liability for the content they provide. 

Online service providers are also not required by federal statutes to use a particular method of age verification. Because of this, some have minimum age restrictions and ask users to enter their birthdate or age before granting access to the content. These restrictions are typically stated in the terms of service. According to Utah legislation, all users must submit age verification before creating a social media account. Minors under the age of 18 must have parental or guardian consent. 

Official guidance

AI white paper: Principles including safety, transparency, fairness, contestability, and redress will guide the use of AI in the UK, as part of a new pro-innovation national blueprint. Reportedly, Britain has more businesses offering AI goods and services than any other European nation, and hundreds more are being founded annually. Regulators pledge to provide organisations with advice over the coming year, as well as other resources like risk assessment templates. Currently, there is no deadline envisaged in the UK for passing AI legislation. Meanwhile, the EU AI Act, which takes a more risk-based approach and is being discussed by parliamentarians, can reasonably be expected this year.

Data protection by default: UK privacy regulator the ICO published resources to help UX designers, product managers, and software engineers embed privacy by default. The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch when designing websites, apps, or other technology products and services. The ICO has also published videos with experts, technologists, and designers. 

Employment guide: The Danish data protection authority’s guidance on data protection in employment relationships has been revised (in Danish only). The update covers the acquisition of criminal records and references. The regulator also clarified an employer’s obligation to disclose information, trade union processing activities, workforce monitoring needs, the use of IQ and personality tests, and more. In parallel, the Lithuanian regulator is preparing similar guidance for employees, businesses, and the public sector (in Lithuanian only).

Joint controllers: What is the difference between joint and independent data controllers? Joint controllership is established when the entities involved in processing perform it for the same or common purposes. It can be established even when the entities pursue purposes that are only closely related or complementary, explains the Slovenian data protection authority. The purposes and means of processing are not always the same for all joint controllers but must be mutually determined via an agreement. They can also be defined by law. Consequently, joint controllers are jointly and severally liable for damages.

Suspected data breach: Under the GDPR, in the event of a personal data breach that is likely to cause a high risk to the rights and freedoms of individuals, the data controller must notify the data subject without undue delay. However, notification is not mandatory if any of the conditions stipulated in Art. 34(3) of the GDPR are met. Regardless of the above, in the case of a suspected breach (e.g. unauthorised disclosure of a large amount of personal data), you have the right to request information from the data controller (if they processed your data) as to whether your personal data is included in the incident, concludes the Croatian data protection agency.

Enforcement decisions

ChatGPT ban: The Italian supervisory authority Garante has clamped down on ChatGPT. The limitation of the processing of Italian users’ data by OpenAI, the US company that developed and manages the platform, is temporary until it establishes privacy procedures. ChatGPT suffered a data breach on March 20 concerning user conversations and payment information for subscribers to the paid service. Garante noted the lack of information to users and all interested parties whose data is collected by OpenAI, but above all the absence of a legal basis that justified the collection and storage of personal data in order to train the algorithms. 

Additionally, as evidenced by the checks carried out, the information provided by ChatGPT does not always correspond to the real data, thus establishing inaccurate processing of personal data. Finally, the service is aimed at people over 13 but does not use any filter for verifying the age of users and exposes minors to answers that are absolutely inappropriate with respect to their degree of development and self-awareness. OpenAI, which does not have an office in the EU but has appointed a representative in the European Economic Area, must communicate within 20 days on the measures taken.

Wrongful copy: The Greek data protection authority looked into a complaint from a Vodafone subscriber who received a CD containing the conversations of another person after requesting access to her recorded conversations with the Vodafone call centre. Although Vodafone was immediately notified by the complainant, it did not take any investigative steps to confirm the incident, but initially contented itself with the processor’s response that it did not locate the complainant on the phone. It subsequently contacted her to return the CD. Vodafone was ordered to send the correct file and was fined 40,000 euros (Art. 15 and Art. 33 of the GDPR).

Email correspondence: Employees’ right to privacy is unaffected by a legitimate interest in processing personal data for legal defense. The Italian privacy authority fined a company that continued to use an employee’s email account after they had left the firm, viewing the content, and setting up forwarding to a company employee. The former collaborator had gathered references from potential clients they had met at a fair. The company claimed that a legal dispute resulted from the collaborator’s attempt to get in touch with them. Fearing losing relationships with potential customers, the company had not only written to them to explain that the person had been removed, but had also viewed the communications.  

GPS monitoring: Tehnoplus Industry in Romania was fined for a GPS system installed on a company car without the employee having been informed, and without having previously exhausted other, less intrusive methods of achieving the purpose of the processing, namely monitoring the service vehicle. Tehnoplus Industry excessively processed the complainant’s location data even outside working hours. The purpose and legal basis of this processing, as well as the excessive storage period of the collected data (over the established 30-day limit), were also found to be unlawful.

In parallel, the French privacy regulator imposed a fine on Cityscoot for geolocating customers almost permanently, in breach of the data minimisation principle. During the rental of a scooter by an individual, the company collected the vehicle’s geolocation data every 30 seconds. In addition, the company kept the history of these trips. None of the established purposes of the processing (handling traffic offences, customer complaints, user support, and theft management) could justify the monitoring, and they could have been achieved without constant tracking.

Data security

Cybersecurity tools: The French regulator CNIL has updated its guidance on the security of personal data (in French). It supports professional actors processing personal data by recalling the basic precautions to be implemented. Its 17 fact sheets cover the latest recommendations on authenticating users, tracing operations and managing incidents, securing the workplace, guiding IT development, securing exchanges with other organisations, encryption, and much more.

The European Union Agency for Cybersecurity has also released a tool to help small and medium-sized enterprises assess their level of cybersecurity maturity. This tool contributes to the implementation of the updated Network and Information Security (NIS2) Directive. The majority of SMEs are excluded from the scope of the Directive due to their size, and this work provides easily accessible guidance and assistance for their specific needs.

Similarly, the UK National Cyber Security Centre has launched two new services to help small organisations stay safe online:

  • The Cyber Action Plan can be completed online in under 5 minutes and results in tailored advice for businesses on how they can improve their cyber security.
  • Check your Cyber Security – which is accessible via the Action Plan – can be used by any small organisation including schools and charities and enables non-tech users to identify and fix cyber security issues within their businesses.

Mobile threat defense: America’s NIST investigates mobile threat defense (MTD) applications that provide real-time information about a device’s risk level. Like any other app, an MTD app is installed on a device by the user. The app then detects undesirable activity and alerts users so they can stop or minimise the harm. For instance, it alerts users when it is time to update their operating system, and it can alert them when someone is listening in on their internet connection. However, without being integrated with a mobile device management system, MTD applications are only marginally effective in an enterprise environment.

Big Tech

Child Care apps: In the US, childcare facilities are using technology more and more, reports edsurge.com, which tells the story of a parent who signed her child up for child care. She wasn’t expecting to have to download an app to participate, and when that app began to send her photos of her child, she had some additional questions. Laws like the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act don’t apply in these circumstances, so parents will need to conduct some independent research. The other aspect is that cameras have the potential to make teachers and other classroom employees anxious or otherwise not themselves, she says. They may feel that administrators or parents don’t trust them, which may make them avoid some activities like dancing.

You are (not) hired: Reportedly, a third of Australian companies rely on artificial intelligence to help them hire the right person, while there are no laws specifically governing AI recruitment tools. Applicants are often unaware that they will be subjected to an automated process or, if they are aware, on what basis they will be assessed. For instance, AI might say you don’t have good communication skills if you don’t use standard English grammar, or you might have different cultural traits that the system does not recognise because it was trained on native speakers. Another concern is how physical disability is accounted for in something like a chat or video interview. Read more analysis by the Guardian in the original publication.

Vehicle data: Because data ownership remains undefined under EU law, the Commission’s proposed Data Act for fair access to such information, particularly in the vehicles sector, appears to have hit problems. Legislative proposals were expected to regulate a connected car sector estimated to be worth more than 400 billion euros by the end of the decade. Now car services groups warn that very few big players are able to access this data, skewing the market, Reuters reports.

