dark patterns Archives - TechGDPR
https://techgdpr.com/blog/tag/dark-patterns/ (feed generated Wed, 11 Jun 2025 11:08:21 +0000)

Data protection digest 2 – 16 Sep 2024: New SCCs initiative, data asset deals, probabilistic method and GDPR
https://techgdpr.com/blog/data-protection-digest-18092024-new-sccs-initiative-data-asset-deals-probabilistic-method-and-gdpr/
Wed, 18 Sep 2024 09:35:20 +0000

The post Data protection digest 2 – 16 Sep 2024: New SCCs initiative, data asset deals, probabilistic method and GDPR appeared first on TechGDPR.

In this digest we look at the perception of the term privacy in the digital era, data protection measures when concluding “asset deals”, the new SCCs initiative for international transfers from the EU, the probability method and data accuracy, and much more.

Stay up to date! Sign up to receive our fortnightly digest via email.

New SCCs initiative

The European Commission has started work on new SCCs for data transfers to third-country data importers (controllers and processors) that are themselves subject to the GDPR. They will complement the existing clauses for data transfers to third-country importers not subject to the GDPR. The latest set of SCCs, adopted in 2021, does not work for importers whose processing operations fall under the GDPR by virtue of Art. 3, as the clauses would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR. Despite the Commission’s call for action three years ago, SCCs for these specific cases were not introduced, leaving organisations in legal uncertainty (see Uber’s latest fine).

The adoption of the new SCCs is planned for the second quarter of 2025. 

Australia privacy reinforcement


The Australian parliament introduced, and held its first reading of, amendments to the privacy legislation that bring in a range of measures, including expanding the Information Commissioner’s powers, facilitating information sharing in emergencies or following eligible data breaches, requiring the development of a Children’s Online Privacy Code, providing protections for overseas data transfers, introducing new civil penalties and criminal offences (for a practice known as ‘doxxing’), and increasing transparency about automated decisions.

Data disclosure on a party to the contract

The CJEU, meanwhile, has clarified when personal data processing is lawful as necessary for the performance of a contract to which the data subject is a party. The case concerned a partner in an investment fund seeking the contact details of other partners (parties to the contract) who held indirect shareholdings through a trust company.

The CJEU ruled that disclosure would be justified on this ground only if the main subject matter of the contract could not be achieved without that processing. If such processing is also claimed to be necessary for legitimate interests pursued by a controller or third party, it must be strictly necessary to achieve that purpose. Where the disclosure rests on a legal obligation of the data controller, it must be foreseeable for the persons subject to disclosure, proportionate, and serve an objective of public interest.

Dark patterns advisory


The California Privacy Protection Agency issued an enforcement advisory on user interfaces that subvert or impair a consumer’s autonomy, leading to a privacy-averse practice. Businesses should adopt clear and understandable language and offer consumers symmetrical choices to avoid impairing and interfering with consumers’ ability to make their choices. 

More official guidance

Asset deals and data protection: The sale of a company can generally be carried out in two ways, either by transferring shares or by transferring assets and/or economic goods, explains the German Data Protection Conference. Data processing in the context of a “share deal” is possible without any problems, apart from audit procedures, since only the shares in the company are transferred and the company continues unchanged as the data controller. The transmission of personal data in the context of an “asset deal”, by contrast, requires a differentiated approach under data protection law. Read the methodology for the latter case in the original paper (in German).

How do you identify a person by phone? The common way is to ask for several personal details, such as their first name, email address, username, etc. The more data is requested, the more likely it is that the person is identified accurately, but also the greater the intrusion into the person’s privacy. The organisation must therefore observe proportionality in its activities.

A better practice would be to use a key: a password chosen by the customer and agreed upon in advance by both parties, or a more sophisticated tool such as a secure electronic signature generator, explains the Latvian regulator.

Data subject notification upon a breach: People who are victims of a data breach often receive insufficient information from the data controller on what exactly happened, when, what information was leaked, and what they can do themselves to reduce the risks, states the Dutch regulator. Also, warning emails, even if sent within the legal time frame, sometimes lack an alarming title or introduction, with the risk that the recipient may simply not read the message. You can examine some recommendations and sample notification texts (in Dutch) here.


Bank data

The Polish UODO imposed a fine of approx. 1 million euros on mBank for failure to notify persons affected by a data leak. An employee of a company processing personal data on behalf of mBank made a mistake and sent customer documents to another financial institution. The documents were returned to the bank, but they had already been opened. They contained all sorts of personal information: identification documents and information on credit and real estate.

The bank did not notify its customers about the problem, even though after reporting the breach the regulator informed them about the need to take such action. The explanations offered by mBank included the fact that the documents were mistakenly sent to an institution that is also bound by banking secrecy, an entity that the bank cooperates with and which, according to the bank, has the status of a trusted entity. The employees of this institution confirmed that they do not have copies of the documents received in error. 

Microsoft Teams

The Norwegian Data Protection Authority has issued a fine to the University of Agder (UiA). The university had not implemented suitable measures to safeguard personal data security in its use of Microsoft Teams. In February 2024, an employee at UiA discovered that documents with personal data had been stored in open Teams folders to which employees had access without any official need.

The deviation had been ongoing since the university adopted Microsoft Teams in August 2018. Around 16,000 registered users were affected. The information includes, among other things, names, social security numbers, information about exams, the number of exam attempts and special arrangements. In addition, the exposed data included an overview of refugees associated with the university.

More enforcement actions

Health data: Meanwhile the French CNIL fined CEGEDIM SANTÉ 800,000 euros for processing health data without authorisation. The company publishes and sells management software to community doctors and health centres. Around 25,000 medical practices and 500 health centres use this software, which allows doctors to manage their agenda, patient records and prescriptions. As part of its activity, the company offers a panel of doctors using one of these software programs to conduct studies. This data was not anonymous, but only pseudonymous, so the re-identification of the persons concerned remained technically possible.

Live cameras in psychiatric hospitals: America’s FTC reports that surveillance camera company Verkada Inc. failed to provide reasonable security for the personal information it collected, including 150,000 live camera feeds in sensitive areas like psychiatric hospitals, women’s health clinics, elementary schools, and prison cells. These failures allowed a threat actor, in March 2021, to remotely access Verkada’s customer camera feeds and watch them live, without anyone’s knowledge or consent.

Despite the invasive security breach, Verkada remained unaware of the threat actor’s intrusive exploration until the threat actor self-reported the hack to the media.

Invalid cookie banners: Finally, the Belgian regulator took action against Mediahuis for several infringements in the use of cookie banners on four news sites (De Standaard, Het Belang van Limburg, Het Nieuwsblad, Gazet van Antwerpen). The sites do not provide a “refuse all” button on the first information level of the cookie banner, and misleading button colours are used. The complaints were filed by the Austrian non-profit privacy rights organisation NOYB, which acted as a mandated representative in the case.

Probabilistic method and GDPR

The ability of machine learning and artificial intelligence to handle uncertainty and make predictions in the field of statistics has led to their widespread adoption. However, the performance limitations of probabilistic methods (false negatives, false positives, prediction errors, etc.) can affect the accuracy and suitability of data processing, states the latest Spanish AEPD blogpost.

In one example, an age-estimation operation with an error rate of 0.01% in a sample of 1,000 adults might be acceptable for some purposes. However, applied to all types of users in the EU (450 million inhabitants), an error of 0.01% means errors affecting 45,000 people. A significant number of them would be under 18 years of age, and in some cases the erroneous estimates would classify them as adults.

Finally, the results obtained with different samples may show how accuracy and effectiveness are strongly influenced by the algorithm, gender, image quality, region of birth, age and the interactions between all these factors. 

Big Data

Privacy ‘paradox’: The Guernsey data protection authority discusses in a blog that while people say they care about privacy, their actions suggest otherwise as they are quick to surrender their personal information online. However, there is no paradox in such behaviour. Privacy is not just synonymous with “secrecy”. It can be also about control and autonomy over one’s personal information. In just one example, a person can value privacy and still click “yes” to share their location with a food delivery app. 

Positively, more companies now embrace the challenge of the realisation that respecting their customers’ privacy is the best way to earn trust. This is why individuals may now be seeing more prompts for permission to access their cameras or address books, offering the choice to say “yes” or “no”. 

AI training: Meta and Google AI training programs are being investigated by the European data protection authorities. The Irish lead regulator, the DPC, commenced a cross-border inquiry into Google’s new foundational AI model, Pathways Language Model 2. At issue is its compliance with the requirement to carry out a Data Protection Impact Assessment before processing the personal data of EU/EEA data subjects. Meanwhile, Meta’s and X’s AI training programs are still on hold in the EU. In parallel, the UK Information Commissioner is monitoring the situation with Meta as it is about to resume, in a couple of weeks, the use of UK Facebook and Instagram user data to train generative AI. The company took into account the reprimand from the regulator and has made it simpler for users to object to the processing.


Data protection digest 20 Jul – 2 Aug 2024: ‘legitimate interest’ criteria, surveillance pricing, Olympics and AI
https://techgdpr.com/blog/data-protection-digest-05082024-legitimate-interest-criteria-surveillance-pricing-olympics-and-ai/
Mon, 05 Aug 2024 08:03:37 +0000


This edition includes: the CJEU expands on the legitimate interest criteria, a summary of the most common mistakes by data controllers, AI tools enter Olympic venues in Paris, the US FTC expresses concern that user monitoring now permits AI-facilitated individualised pricing.

Stay up to date! Sign up to receive our fortnightly digest via email.

Legitimate interest criteria

A CJEU advocate general clarifies the obligation of the data controller when relying on the legitimate interest legal ground. A mere reference to ‘legitimate interest’, without any indication of precisely what that legitimate interest is, cannot satisfy the GDPR requirements. Such a legitimate interest could exist, for example, where there is a relevant relationship between the data subject and the controller (e.g. the data subject is a client of the controller).

The legitimate interest criteria need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Preventing fraud or even direct marketing purposes also can constitute a legitimate interest. However, it should be for the controller to demonstrate that a compelling interest overrides the interests or the fundamental rights and freedoms of the data subject.

AI Act entered into force on 1 August


The EU data protection regulators have begun examining the supervisory powers the new law vests in them. Large parts of the high-risk AI systems fall within its scope. This covers not just the organisations that use these systems but the whole value chain, including the software, cloud and security firms that provide AI systems, either by selling them or by integrating them into existing systems. The data protection authorities face yet another challenge in the form of the regulatory sandboxes (“real-world laboratories”) that the AI Act establishes to foster innovation. AI developers and users now have until February 2025 to inventory the AI systems they use or sell, as well as the risk category they fall into. Organisations that create or use prohibited AI must prepare for substantial fines starting in August 2025.

Weak Children’s Privacy

The UK Information Commissioner’s Office has launched a major review of social media platforms (SMPs) and video-sharing platforms (VSPs) as part of the Children’s Code Strategy. It reviewed 34 SMPs and VSPs such as BeReal, Twitch, Threads, WeChat, YouTube Kids, X (Twitter), etc., focusing on the processes young people go through to sign up for accounts, with emphasis on information transparency, age assurance, default privacy settings, geolocation and exposure to algorithmic systems. The full list of audited platforms and their non-compliance issues can be seen here.

More legal processes

Surveillance pricing: The US Federal Trade Commission (FTC) launched a new investigation, as reportedly a growing number of grocery stores and retailers may be using algorithms to set individualised prices. Advances in machine learning make it cheaper for these systems to collect and process large volumes of personal data, which can open the door to price changes based on your precise location, shopping habits or web browsing history.

Hashing and anonymisation: The FTC has also reiterated its long-held view that hashing or pseudonymising identifiers does not render data anonymous: hashes can still be used to identify or target users, and their misuse can lead to harm. While hashing obscures how a user identifier appears, it still produces a unique, stable signature (e.g. a unique advertising ID) that can track a person or device over time and across apps without the individual’s informed consent.

NIS2: The Hogan Lovells analysis looks at the speed of national implementations of the NIS2 Directive as the 17 October deadline approaches. So far, not all EU Member States seem to be on track to implement a common level of cybersecurity. Germany only adopted the draft document on 24 July (the so-called “IT Security Act 3.0”). The legislation largely demands from critical sectors: security risk management systems following the highest standards (e.g. ISO 27001), incident reporting, corporate monitoring, and training and auditing obligations. For more on enforcement, the personal liability of directors and the geographical scope, read the original publication.

Addictive patterns

The Spanish privacy regulator warns against the use of addictive patterns in its latest study. Often online services implement deceptive and addictive design patterns to prolong the time users stay on their services or to increase the level of engagement and the amount of personal data collected and perform profiling. The adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children. 

However, the enacted Digital Services Act establishes that online services must not design, organise or manage their interfaces in a way that deceives or manipulates users, or that distorts or hinders their ability to make free and informed decisions. So far the European Commission has opened two sanctioning procedures for possible non-compliance with these requirements, against TikTok and Meta.

More official guidance

Errors in data processing: The Latvian data protection authority explains the most common mistakes by data controllers and how to avoid them. These include: no legal basis chosen, or one inadequate for the purpose of the processing; data subjects not properly informed; privacy by default not built into information system management; technical and organisational security measures ignored; incidents not handled and recorded; improper handling of data subject requests; lack of core documentation and impact assessments; and poor due diligence of data processors.

Generative AI: The European AI Office has opened a call for expressions of interest to participate in drawing up the first general-purpose AI Code of Practice. The Code of Practice will detail the AI Act rules for providers of general-purpose AI models and of general-purpose AI models with systemic risks. These rules will apply 12 months after the entry into force of the AI Act, i.e. by August 2025. The Code will be prepared in an iterative drafting process by April 2025.

According to the latest guidance from America’s NIST, one of the primary risks in generative AI is that such systems may leak or generate sensitive information about individuals (included in the training data). Also, the integration of non-transparent or third-party components and data may lead to diminished accountability and the possibility of errors across the AI value chain. Finally, generative AI training raises risks to widely accepted privacy principles, including transparency, individual participation (consent) and purpose specification.


Facial recognition at school

In the UK, an Essex school was reprimanded after using facial recognition technology for canteen payments. The school, which has around 1,200 pupils aged 11-18, failed to carry out a prior assessment of the risks to the children. The school had not properly obtained clear permission to process the students’ biometric information and the students were not allowed to decide whether they did or didn’t want it used in this way.

It also failed to seek opinions from its data protection officer or consult with parents and students before implementing the technology. Instead, a letter was sent to parents with a slip for them to return if they did not want their child to participate in the FRT. Affirmative ‘opt-in’ consent wasn’t sought, meaning the school was wrongly relying on assumed consent.

Emergency calls disabled

In light of the recent global IT outage, BBC articles revisit a major incident in Britain from a year ago. BT (formerly British Telecom) has just been fined 17.5 million pounds for a failure of its emergency call handling service which led to thousands of 999 calls not being connected. The network failure lasted for more than 10 hours. The emergency call handling outage was caused by an error in a file on a BT server, which meant systems restarted as soon as call handlers received a call.

It led to staff being left logged out and calls being disconnected or being dropped as they were transferred to the emergency services. The tech company was not prepared to respond to the problem: instructions on how to solve such an issue were “poorly documented” and staff were unfamiliar with the process.

More enforcement decisions 

French Guiana fine: Finally, the French CNIL decided to impose a penalty on the municipality of Kourou, in the overseas department of French Guiana (also known as the main spaceport of France and the European Space Agency). The municipality will have to pay 6,900 euros for still not having complied with its obligation to appoint a data protection officer despite the CNIL’s injunction of December 2023. This penalty payment does not close the procedure: the injunction with its penalty payment continues to run as long as the municipality has not appointed a data protection officer, so a new penalty payment may be ordered.

Human error in an education ministry: The education minister in Northern Ireland has apologised after the personal details of more than 400 people who had offered to contribute to a review of special educational needs were breached, the Guardian reports. According to the education department, 407 persons indicated their interest in attending the end-to-end review of special educational needs (SEN) events around Northern Ireland, and a spreadsheet attachment including their names, email addresses and titles was accidentally emailed to 174 people. Several people’s remarks were included in the spreadsheet. The 174 persons who unintentionally received the personal information were asked to delete it and confirm that they had done so.

Olympics, performance, privacy and AI

The International Olympic Committee determined over 180 potential use cases for AI in the Olympics, with some of them already in use at the Paris venue, according to a fortune.com article. The primary purposes include “enhancing the fairness and accuracy of judging and refereeing through the provision of precise metrics”. In another case, Google was announced as “the official search AI partner of Team USA”.

Finally, event organisers and the French government are also leaning on AI to monitor potential threats, (prompting the French government to temporarily change the law to allow this use of experimental surveillance technology for the Olympics).

Data security

Data breaches and exploitation of APIs: In the US, the Federal Communications Commission settled with TracFone Wireless (a telecommunications carrier) to resolve data security investigations. The underlying data breaches involved the exploitation of application programming interfaces (APIs), which allow different computer programs or components to communicate with one another. Numerous APIs can be leveraged to access customer information from websites, and they are thus a common attack vector for threat actors. The settlement includes a mandated information security program consistent with standards identified by NIST and OWASP; subscriber identity module (SIM) change and port-out protections; annual security assessments by independent third parties; and privacy and security awareness training for employees and certain third parties.

Big Data

Third-party cookies: Google has officially changed its plans and no longer intends to deprecate third-party cookies from the Chrome Browser, as this transition requires “significant work by many participants and will have an impact on everyone involved in online advertising”. Implementation of the Privacy Sandbox project started in 2019. Now the tech giant is proposing an updated approach that elevates user choice. Google reportedly is discussing this new path with regulators and will engage with the industry soon.


Meta record settlement: Meta has also reached a 1.4 billion-dollar settlement to resolve claims brought by the Texas Attorney General. It aims at stopping the company’s practice of capturing and using the personal biometric data of millions of Texans without authorisation. This settlement is the largest ever obtained from an action brought by a single State. In 2011, Meta rolled out a new feature that it claimed would improve the user experience by making it easier for users to “tag” photographs with the names of people in the photo.

For more than a decade Meta ran facial recognition software on virtually every face contained in the photographs uploaded to Facebook. 

Data centre’s electricity hunger: According to official estimates cited by The Guardian, Ireland’s data centres consumed more power last year than all of the country’s urban households put together. Specifically, Google, which has its European headquarters located in Ireland, stated that its data centres might potentially delay its environmentally conscious goals following a 48% surge in its total emissions last year. This is the outcome of increased demand for cloud services and data processing, which includes advances in artificial intelligence.



Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns
https://techgdpr.com/blog/consent-management-platforms-cookie-banner-dark-patterns/
Thu, 22 Dec 2022 07:45:00 +0000


It does not take much convincing for someone to accept freshly baked cookies, when offered to them. However, on the internet, organizations and website owners have had to work harder to balance compliance and optimize cookie consent rates, which ultimately serves to benefit them and their revenue.

This is especially true since the GDPR came into effect, as it lays down specific requirements for consent as a legal basis, which also apply to the processing of non-necessary cookies. The reason is that these text files, which our devices read and write when interacting with a website, often include information that, once associated with your interactions, is categorised as personal data: IP addresses, usernames, unique identifier codes, or even email addresses and metadata.

That is where Consent Management Platforms (CMP) come into play. They can be described as systems by third-party vendors that help controllers manage users’ cookie preferences and help them meet their transparency obligations under data protection laws. It is thus very likely that when anyone visits any website and a cookie pop-up appears, that is managed by a CMP. You might be familiar with some of the following: OneTrust, Quantcast or Cookiebot.

What are dark patterns and how do they relate to cookies? 

A CMP that relies on the IAB Europe Transparency and Consent Framework Policies (IAB TCF) is required to meet several criteria. However, these mostly concern the need to list the purposes and features of the cookies. Thus CMPs are given a relative amount of freedom in the design of cookie banners and consent pop-ups.

Several studies conducted on the standard templates that CMPs offer show that many of the designs provided actually hide manipulative strategies intended to sway users into providing consent. These designs are often referred to as dark patterns.

Some common types of dark patterns in the context of cookie banners are known as interface interference and sneaking. An example of the former is presenting the “Accept all” option at the top of a banner, whilst the “Reject all” option can only be found after scrolling down; this is also labelled false hierarchy.

[Image] Example of false hierarchy: on top of the fact that no option to directly reject cookies is provided, after selecting “manage cookies” one has to scroll down, manually choose every option, and find the “save preferences” button at the bottom of the (second) banner.

Another example of false hierarchy is drawing attention to the desired choice in comparison to the other options. For instance, the “Accept all” option might be brightly coloured or stand out from the background, whilst the “Reject” or “Settings” options will oftentimes be the same colour as the background of the cookie banner, rendering them less noticeable.

[Image] Example of false hierarchy: the refuse option is unformatted and blends into the background, compared to the large black box highlighting the accept option. The “change settings” option is also the same colour as the background.

Meanwhile, sneaking refers to the hiding of the relevant information, usually behind a far less visible and unformatted link. This is commonly designed with a smaller text providing “more options” or “manage settings” in the corner of the banner, which then allows the user to gain more information and finally reject all cookies. 

[Image] Example of sneaking: the relevant information is not provided on the banner but requires further clicking into the settings option.

Read more about other types of dark patterns in the article “The Dark (Patterns) Side of UX Design” from Purdue University, IN.

Does the GDPR or ePrivacy Directive prohibit the use of Consent Management Platforms? 

There is no direct mention of CMPs or dark patterns in the GDPR or in the ePrivacy Directive, which directly governs the use of cookies. Nonetheless, one can still draw some conclusions from the consent requirements under the GDPR. For example, Article 7(4) GDPR states that withdrawing consent should be as easy as providing it. Thus placing the options on an unequal level, as in false hierarchy designs, would be a non-compliant approach. Case law also confirms this: the Advocate General in the Planet49 case specifically mentions that for consent to be valid, the options to reject and accept should be placed “optically on the same footing.”

Despite these academic findings and conclusions, the use of CMPs has only increased since the GDPR came into force. To add to that, data protection authorities deem CMPs an appropriate tool to use when a compliant design is rolled out. It is important to note, though, that CMPs cannot be compliant until they start assuming their data controller or joint controller obligations (GDPR Art 24 and 26, respectively). This was highlighted in the recent €250.000 fine imposed by the Belgian supervisory authority on IAB Europe.

Thus, whilst the use of CMPs is not prohibited, it is always best to bear in mind that not all of their template designs actually reflect the requirements for valid consent, which increases the possibility that the cookie banner will be deemed non-compliant.

What does a compliant cookie banner look like? 

Under the framework provided by GDPR Article 7 and Recital 32, consent must be “freely given, specific, informed and an unambiguous indication of agreement”. Ideally, a compliant cookie banner should reflect all of those exactly and should avoid the dark patterns described above, which likely contradict the freely-given nature of consent.

As a practical example, in 2022 NOYB, the non-profit presided over by Max Schrems, the activist of international fame, filed 226 complaints with data controllers over cookie banners rich in dark patterns, arguing that the only compliant option was to outright offer an accept all and a reject all button. Therefore, a good starting point would be to ensure both options are provided and equally accessible, by designing the “Accept” and “Reject” buttons to look identical and perhaps even placing them side by side on the banner.

Lastly, when implementing a banner design, consider the more stringent design requirements, such as the prohibition of pre-ticked boxes and the requirement to obtain unambiguous consent, rather than treating scrolling as acceptance of the use of cookies.

Figure: Example of a compliant consent management platform cookie banner, providing the relevant information and all three options in the same colour, size and design.
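The design requirements above (reject on the same footing as accept, no sneaking behind a settings link, no pre-ticked boxes, no consent by scrolling) can be turned into a checklist a developer runs against a banner before shipping it. The following audit is an added example and not TechGDPR's or any CMP's code; it works on a hypothetical structured description of a banner, and the two sample banners are constructed for illustration.

```javascript
// Added example (not TechGDPR's code): audit a structured description of a
// cookie banner for the dark patterns discussed above. The banner format
// (options with role/layer/style, categories, consentOnScroll) is hypothetical.
const STYLE_KEYS = ['background', 'color', 'fontSize', 'border'];

// Returns an array of { code, detail } findings; empty means none of the
// checked patterns were found.
function auditBanner(banner) {
  const findings = [];
  const flag = (code, detail) => findings.push({ code, detail });
  const byRole = Object.fromEntries(banner.options.map((o) => [o.role, o]));
  const { accept, reject } = byRole;

  // Sneaking: reject must sit on the same layer as accept, not behind
  // a "more options" / "manage settings" link.
  if (!reject) {
    flag('SNEAKING', 'no reject option offered at all');
  } else if (reject.layer !== accept.layer) {
    flag('SNEAKING', `reject on layer ${reject.layer}, accept on layer ${accept.layer}`);
  }

  // False hierarchy: both buttons "optically on the same footing", and the
  // reject button must not blend into the banner background.
  if (reject) {
    for (const key of STYLE_KEYS) {
      if (accept.style[key] !== reject.style[key]) {
        flag('FALSE_HIERARCHY', `${key}: accept=${accept.style[key]} reject=${reject.style[key]}`);
      }
    }
    if (reject.style.background === banner.background) {
      flag('FALSE_HIERARCHY', 'reject button shares the banner background');
    }
  }

  // Pre-ticked boxes: non-essential categories must start unchecked.
  for (const cat of banner.categories) {
    if (cat.preChecked && !cat.essential) {
      flag('PRE_TICKED', `category "${cat.name}" is pre-selected`);
    }
  }

  // Scrolling or continued browsing is not an unambiguous indication of agreement.
  if (banner.consentOnScroll) flag('SCROLL_CONSENT', 'scrolling treated as consent');
  return findings;
}

const btn = (role, layer, background, color, fontSize, border) =>
  ({ role, layer, style: { background, color, fontSize, border } });

// Constructed sample: the kind of banner shown in the dark-pattern figures.
const DARK_BANNER = {
  background: '#ffffff',
  consentOnScroll: true,
  options: [btn('accept', 1, '#000000', '#ffffff', 16, '1px'),
            btn('reject', 2, '#ffffff', '#888888', 11, 'none')],
  categories: [{ name: 'essential', essential: true, preChecked: true },
               { name: 'marketing', essential: false, preChecked: true }],
};

// Constructed sample: accept, reject and settings identical and side by side.
const COMPLIANT_BANNER = {
  background: '#f4f4f4',
  consentOnScroll: false,
  options: [btn('accept', 1, '#ffffff', '#000000', 16, '1px'),
            btn('reject', 1, '#ffffff', '#000000', 16, '1px'),
            btn('settings', 1, '#ffffff', '#000000', 16, '1px')],
  categories: [{ name: 'essential', essential: true, preChecked: true },
               { name: 'marketing', essential: false, preChecked: false }],
};
```

Running `auditBanner(DARK_BANNER)` yields eight findings covering all four patterns, while the compliant banner yields none.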

To recap, when setting cookies there are several interests and legal requirements that website operators, as data controllers, need to balance before treating Consent Management Platforms as the ideal solution. Studies have shown that many of the current cookie banner designs provided by these platforms still place more weight on gaining consent than on ensuring compliance. This is not surprising, considering that CMPs are in the business of selling software solutions to a problem many marketing teams refuse to fully grasp.

The existence of “dark patterns” in consent pop-ups is perceived by everyone yet not often discussed. For implementers, it is understandably tempting to place full trust in a CMP’s design, overlook the details and turn on options that actually render their banner non-compliant. However, being mindful of the flaws in the designs that Consent Management Platforms offer, and knowing how to avoid dark patterns, might be the only way to ensure that a cookie banner or consent pop-up is fully compliant with the GDPR, so that your time and money are not a complete waste.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains marketing and procurement teams in understanding data protection requirements and offers an online training course for software developers, system engineers and product owners.

The post Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns appeared first on TechGDPR.

Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent https://techgdpr.com/blog/weekly-digest-16052022-uk-data-protection-reform-and-dark-patterns-invalidating-consent/ Mon, 16 May 2022 07:40:08 +0000

The post Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK data protection reform

Last week in the Queen’s Speech it was announced that the UK’s data protection regime will be reformed through the introduction of the Data Reform Bill, dataprotectionlawhub.com reports. The Bill’s purpose is to “create a trusted UK data protection framework that reduces burdens on businesses and boosts the economy.” Reportedly, the main elements of the Bill include:

  • a more flexible, outcomes-focused approach to data protection focused on privacy outcomes that will replace the “box tick exercises” required under current data protection law; 
  • public bodies will be able to share data to improve the delivery of services, with data protection, ensuring that the personal data of UK citizens is protected to a ‘gold standard’. 

Additionally, the future introduction of the Brexit Freedoms Bill will end the supremacy of European law. This would enable the Government to change the position of retained EU data protection law, which is currently enshrined in UK data protection law. Taken all together, this could undermine the EU’s adequacy decision for data flows with the UK. Read the full governmental proposal here.

Official guidance: UK AI toolkit, China cross-border processing, CNIL and EDPB’s annual wrap-ups

The UK’s ICO has presented its AI toolkit, designed to provide further practical support to organisations in reducing the risks to individuals’ rights and freedoms caused by their own AI systems. It contains a) advice on how to interpret relevant law as it applies to AI, b) recommendations on good practice for organisations, c) technical measures to mitigate the risks to individuals that AI may cause or exacerbate, and d) an AI glossary. This guidance is not a statutory code. There is no penalty if you fail to adopt good practice recommendations, as long as you find another way to comply with the law, the ICO says.

The guidance covers both the AI and data-protection-specific risks, and the implications of those risks for governance and accountability. Regardless of whether you are using AI, you should have accountability measures in place. However, adopting AI applications may require you to re-assess your existing governance and risk management practices. AI applications can exacerbate existing risks, introduce new ones, or generally make risks more difficult to assess or manage.

Meanwhile, China issued new specifications for the cross-border processing of personal information by multinational corporations, as stipulated in the Personal Information Protection Law (PIPL). In particular, such companies must meet one of the following criteria in order to transfer personal information above a certain scale overseas:

  • Undergo a security review organized by the Cyberspace Administration of China, except where exempted by relevant laws and regulations. 
  • Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC. 
  • Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC, etc.

Personal information can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” personal information, which is subject to stricter protection requirements:

  • Biometric data, (fingerprints, iris recognition, facial recognition, and DNA);
  • Data pertaining to religious beliefs or specific identities;
  • Medical history;
  • Financial accounts;
  • Location and whereabouts;
  • Any personal information of minors under the age of 14. 

However, it does not include data that has been anonymised or abstract data that does not contain any specific personal information on individuals, such as aggregated information. Read the full analysis in the original publication.

The French regulator CNIL published its 2021 activity report, (in French). One of its objectives was to provide legal certainty to all professionals with regard to the GDPR. To support them, it has thus published new sector guides and resources on its website in 2021, in particular for the voluntary associations’ sector, insurance, health and adtech. In 2021 the CNIL received 14,143 complaints and closed 12,522. It carried out 384 checks and the shortcomings noted during some of the investigations led to issuing 135 formal notices and 18 penalties, entailing fines exceeding 214 million euros. 89 of the 135 formal notices concerned cookies, one of the priority themes set by the CNIL for this year. 

The CNIL also carried out 30 new control missions with medical analysis laboratories, hospitals, service providers and data brokers in health, in particular on treatments related to the COVID-19 epidemic. Some of these procedures are still under review. Finally, it paid particular attention to the cybersecurity of the French web by controlling 22 organisations, 15 of which are public. During its investigations, the CNIL noted obsolete cryptographic suites making websites vulnerable to attacks, shortcomings concerning passwords and, more generally, insufficient resources with regard to current security issues.

At the same time the EDPB presented its annual report 2021 with a detailed overview of its work over the last year. In 2021, the EDPB adopted its final version of the recommendations on:

  • Supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. 
  • Opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive, as well as its opinion on the draft adequacy decision for the Republic of Korea. 
  • Guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses, issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA. 
  • Guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, and much more.

In the US, the Network Advertising Initiative, (NAI is the leading self-regulatory association comprised exclusively of third-party digital advertising companies – ed.), issued Best Practices for User Choice and Transparency. The term “dark pattern” was coined in 2010 to refer to “tricks used in websites and apps that make you do things you didn’t mean to do, like buying or signing up for something.” They are also sometimes referred to as “deceptive patterns” or “manipulative designs.” These practices can be dynamic and multifaceted, including a series of tactics and specific design choices in apps and on websites. The guide is intended to help member companies better understand the practice of dark patterns and to implement the highlighted best practices to avoid them, namely:

  • to examine the current legal environment at the state and federal levels, (FTC ACT, CCPA and CPRA, Colorado privacy Act, and the GDPR); and 
  • to identify best practices and guide companies in maximizing effective and efficient notice and choice mechanisms with respect to collecting consumer data, (Notice and Choice, Exercising Consumer Requests, User Interface considerations).

Pursuant to the GDPR, the NAI quotes the French CNIL, which asserts that “the fact of using and abusing a strategy to divert attention or dark patterns can lead to invalidating consent.” Furthermore, in March 2022 the EDPB released a series of its own guidelines on the use of dark patterns in social media platforms, open for public comment.

Investigations and enforcement actions: IAB Europe case, IKEA Canada internal threat, whistleblowing, community owners

The IAB Europe, (the European-level association for the digital marketing and advertising ecosystem – ed.), withdrew its request for suspension of the execution of the decision issued by the Belgian Data Protection Authority, (APD), on the Transparency & Consent Framework (TCF). The request for suspension had been submitted as part of the appeal to the Belgian Market Court lodged on 4th March. The withdrawal coincides with confirmation that the APD will not take a decision on validation of the action plan submitted by IAB Europe to rectify alleged EU GDPR violations connected with TCF before Sept. 1, the date by which the Market Court is expected to have issued a ruling on the appeal.

IKEA Canada reportedly confirmed a data breach involving the personal information of approximately 95,000 customers. The furniture retailer notified Canada’s privacy regulator, saying that some of its customers’ personal information appeared in the results of a “generic search” made by an employee at IKEA Canada between March 1 and March 3 using IKEA’s customer database, but that no financial or banking information was involved in the breach. In a letter sent to impacted customers, IKEA Canada said that the data that may have been compromised included customer names, email addresses, phone numbers and postal codes. The IKEA Family loyalty program number belonging to customers may have also been visible. The company has already made changes to reinforce its internal policies, and no action was needed by customers.

The Italian privacy regulator ‘Garante’ fined ISWEB and Perugia Hospital 40,000 euros each for GDPR violations in relation to the whistleblowing system, following an ex officio investigation, Data Guidance reports. ISWEB is an IT company that provides and manages the whistleblowing application used by numerous clients, including Perugia Hospital. The ‘Garante’ found that ISWEB had failed to regulate the relationship with the hosting service provider, noting that ISWEB had engaged the hosting service provider both to carry out processing in its capacity as data controller, and for the processing carried out in its capacity as a data processor on behalf of its clients, including the Hospital. The ‘Garante’ noted that the aggravating factors for the administrative fine were: a) the nature, subject, and purpose of the processing; b) the high degree of confidentiality required by sector regulations in relation to the identity of the data subjects in cases of whistleblowing; c) the fact that no whistleblowing reports were available in the system at the time of the investigation; d) ISWEB had not regulated in any way the relationship with the hosting service provider.

At the same time, the Spanish data protection authority imposed a fine of 500 euros on community owners. In particular, the decision states that the Presidency of the Community of Owners had placed a list of debtors on three community bulletin boards, including the claimant. Moreover, the decision noted that the location of the respective bulletin boards is inside the portals and that all the boards are locked, but exposed to viewing by third parties outside of the community. 

Data security: cybersecurity for regulated industries

EU countries and lawmakers agreed last week to tougher cybersecurity rules for regulated industries such as energy, transport and financial firms, digital providers and medical device makers, amid concerns about cyber attacks by state actors and other malicious players. The rules fall under the scope of the NIS 2 Directive, proposed by the Commission in December 2020. Medium and large companies are required to assess their cybersecurity risk, notify authorities and take technical and organisational measures to counter the risks, with fines of up to 2% of global turnover for non-compliance. EU countries and the EU cybersecurity agency ENISA can also assess the risks of critical supply chains under the rules.

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the two co-legislators. Once published in the Official Journal, the Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law. Member States will have 21 months to transpose the Directive into national law.

Big Tech: Twitter’s ‘Data Dash’ game, Clearview AI settlement and future fine, EU biometrics, Zoom’s user emotion detection 

Twitter has rolled out a new web video game to make it easier for users to understand its privacy policy, TechCrunch reports.  The goal of the game, which is called Data Dash, is to educate people on the information that Twitter collects, how the information is used and what controls users have over it: “Once you start the game, you’ll be asked to pick the language in which you would like to play. After that, you’ll have the option to select a character. The game is played by helping a dog, named Data, safely navigate “PrivaCity” by dodging ads, steering clear of spammy DMs and avoiding Twitter trolls.”

According to Reuters, France’s data privacy regulator is about to trigger the process of fining US-based Clearview AI, a facial recognition company the regulator had ordered to stop amassing data from people based in the country. The start of a formal penalty process would indicate that CNIL suspected Clearview of failing to comply with its order within the two-month deadline it had set. 

Meanwhile, under a settlement filed in an Illinois state court in Chicago, Clearview AI will stop granting paid or free access to its database to most local private businesses and individuals, as well as police. However, Clearview AI, based in New York, can still work with federal government agencies, including immigration authorities, as well as state government agencies outside Illinois. The case was brought by the American Civil Liberties Union in 2020. Clearview AI repeatedly violated the Illinois Biometric Information Privacy Act by scraping photos taken from the internet, including from social media platforms, Reuters reports.

The European Digital Rights group and 52 other organisations called for banning remote biometric identification systems in public locations, Biometric Update and IAPP News report. They called the technology, like facial recognition, one of the greatest threats to fundamental rights and democracy that destroys the possibility of anonymity in public. They have called for amendments to Article 5(1)(d) of the AI Act to extend the scope of the prohibition to cover all private as well as public actors. 

And nearly 30 civil society groups wrote a letter to Zoom’s CEO calling on the company to cease use of software that detects users’ emotions, The Hill and IAPP News report. The letter came in response to reports of Zoom beginning to roll out post-meeting sentiment analysis for hosts: “Facial expressions are incredibly variable from culture to culture and nation to nation, making creating an algorithm that can judge them equally difficult.” The groups also launched an online petition demanding that Zoom drop the technology.
