data brokers Archives - TechGDPR
https://techgdpr.com/blog/tag/data-brokers/
Feed last updated: Fri, 31 Oct 2025 17:10:37 +0000

Data protection digest 3-17 Mar 2024: Personal data gaps in information systems, TC string, mass data collectors
https://techgdpr.com/blog/data-protection-digest-18032024-personal-data-gaps-in-information-systems-tc-string-mass-data-collectors/
Mon, 18 Mar 2024 09:51:22 +0000

Information systems, their security, and the personal data gaps between them are the focus of our latest digest. Also requiring your attention are invalid consent in cookie walls, the ‘pay or okay’ subscription model, OpenAI's “Sora” data practices, and the crackdown on mass data collectors.

Stay tuned! Sign up to receive our fortnightly digest via email.

Personal data gaps in information systems

The Spanish data protection agency AEPD examines the difference between addressing security by focusing exclusively on information systems and addressing it from the perspective of the processing operations carried out. Under the GDPR, a data controller must evaluate the risks to the rights and freedoms of the natural persons whose data is being processed and apply measures to mitigate them. Security focused on processing activities is therefore a broader concept than security focused exclusively on systems: the GDPR applies to the processing of personal data, understood as operations with an ultimate and specific purpose, while other regimes, such as cybersecurity or artificial intelligence legislation, are oriented to information and communications systems.

An example that illustrates this difference is access control in personal data processing: third parties use compromised credentials to log into a service or application. Some controllers incorrectly claim that no breach within the meaning of the GDPR has occurred because, in their view, the information systems have not been compromised: valid credentials were used, the system functioned correctly, and so the processing suffered no personal data breach. That reading overlooks that a personal data breach under the GDPR is any breach of security leading to unauthorised access to personal data; a login with stolen credentials is exactly that, whether or not any system component was exploited.

“Consent or Pay” initial guidance

Some businesses are considering giving people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. In principle, data protection law does not prohibit business models that involve “consent or pay”, states the UK ICO. However, some types of access mechanism are unlikely to meet the requirement in data protection law that consent be ‘freely given’. The relevant context includes power imbalance, equivalence, appropriate fees, privacy by design, and information obligations:

“Being upfront and honest with people about what happens to their personal information when they use the service is a good thing.”


More official guidance


Data obtained as part of work duties: The Latvian regulator DVI explains the legality of data processing through information systems that hold personal information and to which access is authorised through employment. We may directly or indirectly come into contact with other people’s data while carrying out our job, including customers, coworkers, and residents.

The organisation that grants its employees access to the systems must ensure, where technically possible, that each employee accesses only the information necessary to perform the duties of their position. Personal interest or curiosity is not an adequate basis for looking into a database. In the case of a data processing infringement, the organisation should anticipate that, as the data controller, it will be held primarily responsible.

Automated decisions: The Spanish AEPD has updated its guidance on the degree of human intervention in automated decisions, (Art. 22 of the GDPR). Many automated decisions involve some degree of human intervention. However, for the intervention to count, it has to be active and not just a symbolic gesture, that is, it has to have a certain degree of relevance and the capacity to influence the outcome. Evaluating whether human supervision is possible and effective means evaluating both the system used and the processing and its context. To carry out this evaluation systematically, it is recommended to objectively assess the person's participation in the decision process. More details in the original publication, (in Spanish).

Public affairs: As part of their activity, public affairs professionals, (public affairs or lobbying consulting firms, internal departments), collect personal data relating to individuals in sectors such as government, administrative, associative, parliamentary, media actors, etc. To help them comply with the GDPR, several associations representing business and public relations professionals have jointly developed a guide, drafted in consultation with the CNIL, (in French). 

Legal processes

EU AI Act: The Guardian analyses the practical implications of the upcoming regulation for customers and businesses. The act will soon become law and take effect gradually over the following three years. Customers should feel more certain that AI technologies are configured for safe use as a result. As with the GDPR, the legislation will also have an impact outside the EU. However, the EU's threshold on the computing power used to train AI models, above which stricter obligations apply, is far lower than the equivalent in US rules, and some tech businesses warn that European companies could even decide to relocate west to get around EU regulation.

European Health Data Space: EU legislators have struck a provisional agreement on the exchange and access of health data at the union level. Currently, the level of digitalisation of health data in the EU varies from one member state to another. The proposed regulation requires all electronic health record systems to comply with the specifications of the European electronic health record exchange format, ensuring that they are interoperable at the EU level.

Patients still will have the right to opt-out from primary and secondary use of their data or restrict access to it with some exceptions, (eg, scientific research, public interest, vital interests). 

IAB Europe: The CJEU holds, as argued by the Belgian data protection regulator, that a structured character string capturing internet users' preferences, such as IAB Europe's TC String, can constitute personal data. The TC String is personal data in particular because its purpose is to link advertising preferences to a specific individual. As the sectoral organisation that standardises and prescribes the method for capturing and transmitting user preferences, IAB Europe can indeed be considered a (joint) controller for the processing carried out following this method.
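To make concrete what such a string carries, here is an added example (not code from the article, the court or IAB Europe) that encodes and decodes the core segment of a TC String. The field widths follow the public TCF v2 core-segment layout as I understand it, the sample values are constructed here rather than captured from a real consent management platform, and the vendor section is handled only in its plain bitfield form (range encoding and the optional segments after the first '.' are not parsed).

```python
# Added illustration, not code from the article, the CJEU or IAB Europe.
# Field widths follow the public TCF v2 core-segment layout as I understand
# it; SAMPLE_FIELDS is a value constructed here, not captured from a CMP.
# Only the bitfield vendor encoding is handled (no range sections), and any
# optional segments after the first '.' are ignored.
import base64

# (field, width in bits) of the core segment, in order.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_texts", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
LETTER_FIELDS = {"consent_language", "publisher_cc"}
SET_FIELDS = {"special_feature_opt_ins", "purposes_consent", "purposes_li_transparency"}

def _letters_to_int(cc):            # two letters, 6 bits each, 'A' == 0
    return ((ord(cc[0]) - 65) << 6) | (ord(cc[1]) - 65)

def _int_to_letters(v):
    return chr((v >> 6) + 65) + chr((v & 0x3F) + 65)

def _set_to_bits(ids, width):       # id N is bit N, counted from the MSB
    bits = 0
    for i in ids:
        bits |= 1 << (width - i)
    return bits

def _bits_to_set(bits, width):
    return {i for i in range(1, width + 1) if bits & (1 << (width - i))}

def encode_core(fields, vendor_consents):
    """Bit-pack the core fields, then the vendor-consent bitfield, and
    base64url-encode without padding (the TC String wire form)."""
    acc, nbits = 0, 0
    def put(value, width):
        nonlocal acc, nbits
        acc = (acc << width) | (value & ((1 << width) - 1))
        nbits += width
    for name, width in CORE_FIELDS:
        v = fields[name]
        if name in LETTER_FIELDS:
            v = _letters_to_int(v)
        elif name in SET_FIELDS:
            v = _set_to_bits(v, width)
        put(v, width)
    max_vendor = max(vendor_consents, default=0)
    put(max_vendor, 16)
    put(0, 1)                       # IsRangeEncoding = 0: a plain bitfield follows
    put(_set_to_bits(vendor_consents, max_vendor), max_vendor)
    pad = (-nbits) % 8              # zero-pad to a byte boundary
    raw = (acc << pad).to_bytes((nbits + pad) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_core(tc_string):
    """Inverse of encode_core for the first ('core') segment."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    acc, total, pos = int.from_bytes(raw, "big"), len(raw) * 8, 0
    def take(width):
        nonlocal pos
        v = (acc >> (total - pos - width)) & ((1 << width) - 1)
        pos += width
        return v
    out = {}
    for name, width in CORE_FIELDS:
        v = take(width)
        out[name] = (_int_to_letters(v) if name in LETTER_FIELDS
                     else _bits_to_set(v, width) if name in SET_FIELDS else v)
    max_vendor = take(16)
    if take(1):
        raise ValueError("range-encoded vendor section not handled in this example")
    out["vendor_consents"] = _bits_to_set(take(max_vendor), max_vendor)
    return out

SAMPLE_FIELDS = {  # constructed values; 'created' is in deciseconds since the epoch
    "version": 2, "created": 17107000000, "last_updated": 17107000000,
    "cmp_id": 7, "cmp_version": 1, "consent_screen": 1,
    "consent_language": "EN", "vendor_list_version": 190,
    "tcf_policy_version": 4, "is_service_specific": 1,
    "use_non_standard_texts": 0, "special_feature_opt_ins": {1},
    "purposes_consent": {1, 3, 4}, "purposes_li_transparency": {2, 7},
    "purpose_one_treatment": 0, "publisher_cc": "BE",
}
SAMPLE_VENDORS = {2, 17, 755}

def sample_tc_string():
    return encode_core(SAMPLE_FIELDS, SAMPLE_VENDORS)
```

Decoding the sample shows what the court was looking at: two timestamps to the tenth of a second, the identity and version of the consent tool, the screen and language shown, and a per-purpose and per-vendor bitmap of one person's choices. Even without a name, that is a profile of an individual's decisions, and a CMP or publisher that stores it against a cookie or an account can tie it back to that person.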


Data erasure request

Another ruling by the CJEU states that the supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject. Such erasure may cover data collected from that person and data originating from another source if such a measure is necessary to fulfil its responsibility for ensuring that the GDPR is fully enforced. The case relates to the provision of financial support to persons who have been made vulnerable by the COVID-19 pandemic, (in Hungary), and the data breaches committed by a local administration affecting eligible persons who had not applied for the support. 

Bank security failed

The Italian data protection authority Garante fined UniCredit 2.8 million euros and the company responsible for its security testing 800,000 euros. The violation arose from a massive cyber attack on the mobile banking portal. The attack led to the illicit acquisition of the name, surname, and other identifiers of approximately 778,000 customers and former customers and, for over 6,800 of them, also of the portal access PIN. The data was returned in the HTTP response that the bank's systems sent to the browser of anyone who tried to access the mobile banking portal, even when the login attempt failed.
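The failure mode described here, a login endpoint that serialises the looked-up customer record into its response even when the attempt fails, is easy to reproduce and easy to test for. The following is an added example with a constructed customer table (field names, records and PINs are invented, and nothing here is UniCredit's code): a leaky handler beside a corrected one, plus the two checks a tester would script against every error path of a login endpoint.

```python
# Added illustration; the customer records, field names and PINs are made
# up and have nothing to do with UniCredit's systems.
import hmac
import json

# Constructed sample records. In a real system the PIN would be stored as a
# salted hash, not in clear; it is kept in clear here only to keep the
# example short.
CUSTOMERS = {
    "mrossi":   {"name": "Mario", "surname": "Rossi",   "customer_id": "C-1001", "pin": "4711"},
    "lbianchi": {"name": "Lucia", "surname": "Bianchi", "customer_id": "C-1002", "pin": "9038"},
}
PII_FIELDS = {"name", "surname", "customer_id", "pin"}

def vulnerable_login(username, pin):
    """Leaky pattern: look the record up first, then hand the whole object to
    the serialiser, so a wrong PIN still returns name, surname, id and PIN."""
    record = CUSTOMERS.get(username)
    ok = record is not None and record["pin"] == pin
    return json.dumps({"ok": ok, "customer": record})

def hardened_login(username, pin):
    """Fixed pattern: one fixed failure message, identical for an unknown user
    and a wrong PIN, carrying no record data; success returns only what the
    page needs."""
    record = CUSTOMERS.get(username)
    expected = record["pin"] if record else "0000"   # compare even for unknown users
    if record is None or not hmac.compare_digest(expected, pin):
        return json.dumps({"ok": False, "error": "invalid credentials"})
    return json.dumps({"ok": True, "display_name": record["name"]})

def response_exposes_pii(body):
    """Check 1: does any key of the JSON body (at any depth) name a record field?"""
    def walk(obj):
        if isinstance(obj, dict):
            return any(k in PII_FIELDS or walk(v) for k, v in obj.items())
        if isinstance(obj, list):
            return any(walk(v) for v in obj)
        return False
    return walk(json.loads(body))

def failed_responses_distinguishable(login):
    """Check 2: does a failed attempt look different for an existing account
    than for a non-existent one (account enumeration)?"""
    return login("mrossi", "0000") != login("nobody", "0000")
```

Run both checks against every failure branch, not just the happy path: the leaky handler passes for an unknown user (there is no record to serialise) and fails only for a real user with a wrong PIN, which is exactly the case the attack exercised.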

More enforcement decisions

Invalid consent in cookie walls: The Danish data protection authority Datatilsynet ruled the use of cookie walls on Berlingske.dk must take place within the framework of the data protection rules. Berlingske’s specific approach is to greet users with a cookie wall when they try to access embedded content, (eg, video players or blog posts). This means that the content is unavailable unless the user accepts the processing of their data for statistical and marketing purposes through the use of cookies. 

European Commission’s use of Microsoft 365: Following its investigation, the EDPS has found that the European Commission infringed several key data protection rules when using Microsoft 365. The Commission failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection. Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365.

Commercial prospecting: The French CNIL fined Foriou company 310,000 euros for using data provided by data brokers for commercial prospecting purposes. It conducts telephone canvassing campaigns to promote the loyalty programs and cards it sells. The misleading appearance of the collection forms implemented by the brokers at the origin of the collection did not make it possible to obtain valid consent from the persons concerned. The size of this fine, which represents approximately 1% of the company’s turnover, was decided in light of the seriousness of the breach. 

Information security audit

Moorfields Eye Hospital NHS Foundation Trust has undergone a consensual data protection audit conducted by the UK’s ICO. The scope areas were determined following a risk-based analysis of the trust’s processing of personal data. The suggestions for improvement included some tips on information security and data sharing, and included the following advice:


  • The permanent roles which make up the Information Security function should be filled quickly to ensure that operational responsibility is clearly in place.
  • A template letter should be in place to notify data subjects of a data breach which includes all appropriate information including details of the DPO, a description of the likely consequences of the breach and the measures which have been taken.
  • Appropriate reviewing processes should be in place for all data-sharing agreements, which include review schedules and review logs.
  • The trust should have measures in place to ensure that relevant staff receive appropriate training, and ensure this is periodically refreshed.

Among best practices, the ICO recognised that the trust tests their physical security on-site, with police officers being shown around and then returning at a later date in plain clothes to assess the security, for example by seeing if they can get into secure areas or move around unchallenged without appropriate ID. 

When user login data is made public

The Lithuanian data protection authority VDAI reminds us that, upon receiving information about potentially leaked login names and passwords, an organisation, (the data controller), should conduct a preliminary investigation and determine whether there has been a violation of the confidentiality, integrity or availability of personal data. For example, it should establish whether the personal data processed in the organisation’s information systems has been compromised.

  1. If the processed personal data has not been accessed by unauthorised persons, the data controller still must assess the risks, prevent possible negative consequences, and let users know what action they can take in this situation, (eg, block user accounts whose login data matches the leaked data, generate new temporary passwords and send them to affected data subjects, activate two-factor authentication, etc.)
  2. If the processed personal data has been accessed by unauthorised persons, (eg, illegal logins to user accounts are detected or it is not possible to unequivocally determine that there were no such logins, illegal actions on accounts are detected, etc.), the organisation must conduct a full investigation, take immediate measures, notify the data subjects, and report to the regulator within 72 hours of becoming aware of the breach.
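The two branches above are a decision procedure, and most of it can be scripted. The following added example (not VDAI's material) triages a constructed credential dump against a constructed user store and login log: it finds which accounts the leaked passwords actually open by verifying them against the organisation's own salted hashes, attaches the branch-1 precautions to every such account, and then decides whether the case falls into branch 2 because a login from an unknown source was found or because the login records do not cover the whole exposure window, so unauthorised use cannot be ruled out. Hashes use scrypt from the standard library; the store, the dump, the log and the known-IP table are all invented.

```python
# Added illustration, not VDAI's material. The user store, the leaked dump,
# the login log and the known-IP table are constructed for the example.
import hashlib
import hmac
import os

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def store_password(password):
    """Salted scrypt record for one user: (salt, digest)."""
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def password_matches(record, candidate):
    salt, digest = record
    return hmac.compare_digest(digest, hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT))

# Constructed store (plaintext appears here only to build it) and constructed
# dump as reported to the organisation.
USERS = {login: store_password(pw) for login, pw in {
    "anna": "correct horse battery", "jonas": "Winter2024!", "ruta": "qwerty123"}.items()}
LEAKED = [("anna", "correct horse battery"), ("jonas", "OldPassw0rd"),
          ("ruta", "qwerty123"), ("ghost", "nobodyhere")]

# Constructed login log: (login, unix time, success, source ip), and the
# source addresses each account has historically used.
LOGIN_LOG = [
    ("anna", 1710500000, True,  "10.0.0.5"),
    ("ruta", 1710600000, False, "203.0.113.9"),
    ("ruta", 1710600040, True,  "203.0.113.9"),
]
KNOWN_IPS = {"anna": {"10.0.0.5"}, "ruta": {"10.0.0.77"}, "jonas": {"10.0.0.8"}}

def matching_accounts(users, leaked):
    """Accounts whose current password equals the leaked one. The leaked value
    is verified against our salted hash; we never need to store it."""
    return {login for login, pw in leaked
            if login in users and password_matches(users[login], pw)}

def triage(users, leaked, log, exposure_start, log_retained_from, known_ips):
    """Branch 1 precautions for every matching account; branch 2 (full
    investigation, notification, 72-hour report) when unauthorised use is
    found or cannot be excluded."""
    hits = matching_accounts(users, leaked)
    precautions = ["block account", "issue temporary password", "enable 2FA", "inform user"]
    result = {"affected": hits, "precautions": {h: precautions for h in hits}}
    if log_retained_from > exposure_start:
        # Logs do not reach back to the start of the exposure window, so we
        # cannot unequivocally say there were no illegal logins: branch 2.
        result.update(breach=True, notify_regulator_within_hours=72,
                      reason="login records do not cover the exposure window")
        return result
    accessed = {login for login, ts, ok, ip in log
                if ok and login in hits and ts >= exposure_start
                and ip not in known_ips.get(login, set())}
    if accessed:
        result.update(breach=True, notify_regulator_within_hours=72,
                      reason=f"successful logins from unknown sources: {sorted(accessed)}")
    else:
        result.update(breach=False,
                      reason="no unauthorised logins found; precautions still apply")
    return result
```

The "exposure window" is the earliest moment the credentials could have been in circulation, which is usually earlier than the day the dump was reported; anchoring the log search on the report date instead would quietly push a branch-2 case into branch 1.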

VDAI also advises individuals to take the following precautions in similar situations:


  • Change your password to a new and unique one. If you have used the same password on other systems, change it there as well.
  • The new password should consist of at least 12 characters: letters, numbers, at least one capital letter and a special character.
  • Do not store your passwords in browsers.
  • Watch for news or announcements from your service provider or the authorities.
  • Install and regularly update antivirus software on your devices.
  • If you notice any suspicious activity in your account or related systems, notify your service provider immediately.

Big Tech

OpenAI “Sora”: The Italian regulator Garante has opened an investigation into OpenAI, which in recent weeks has announced the launch of a new AI model, ‘Sora’, that, according to the announcement, can create dynamic, realistic and imaginative video sequences from short text instructions. OpenAI will have to clarify several issues:

  • how the algorithm is trained; 
  • what data is collected and processed to train the algorithm, especially whether it is personal data; 
  • whether particular categories of data, (religious or philosophical beliefs, political opinions, genetic data, health, sexual life), are collected, and 
  • which sources are used.

Crackdown on mass data collectors: Several recent FTC enforcement actions reflect a heightened focus on pervasive extraction and mishandling of consumers’ sensitive personal data, states an FTC blog post. Taken together, browsing and location data paint an intimate picture of a person’s life, including their religious affiliations, health and medical conditions, financial status, and sexual orientation. None of the underlying datasets at issue in the FTC’s proposed complaints, (against Avast, X-Mode, or InMarket), are alleged to have contained people’s names, social security numbers, or other traditional standalone elements of personally identifiable information. 

What makes the underlying data sensitive springs from the insights they reveal, (eg, through proprietary algorithms), and the ease with which those insights can be attributed to particular people. People also have no way to object to how their data is collected, retained, used, and disclosed when these practices are hidden from them. Moreover, any safeguards used to maintain people’s privacy are often outstripped by companies’ incentives and abilities to match data to particular people. 

Data protection digest 18 Feb – 2 Mar 2024: web browsing data for sale, banking sector outsourcing, cybersecurity core 2.0
https://techgdpr.com/blog/data-protection-digest-05032024-web-browsing-data-for-sale-us-restricted-data-transfers-and-cybersecurity/
Tue, 05 Mar 2024 10:51:50 +0000

This issue highlights how web browsing data, non-anonymised according to America’s FTC, was sold worldwide in the Avast/Jumpshot case, the EDPB’s new enforcement action on the right of access, cloud outsourcing in the banking sector, the NIST’s new cybersecurity framework for all organisations, and federated learning analysis.

Stay tuned! Sign up to receive our fortnightly digest via email.

Web browsing data for sale

The UK software provider Avast will have to pay 16.5 million dollars to the US Federal Trade Commission, and the business will not be allowed to sell or license any web browsing data for advertising purposes. Avast Limited, a UK-based firm, unfairly collected consumers' browsing data through its antivirus software and browser extensions, retained it indefinitely, and sold it without providing consumers with sufficient notice or asking for their consent. The company also did this through its Czech subsidiary.

After acquiring the antivirus software supplier Jumpshot, Avast rebranded it as an analytics firm. Jumpshot sold browsing data that Avast had gathered from users between 2014 and 2020 to a range of customers, including marketing, advertising, and data analytics firms as well as data brokers. The business said that before sending the data to its clients, it removed identifying information using an algorithm.


However, according to the FTC, the business did not adequately anonymise the web browsing data it sold in non-aggregated form through a variety of products, and it did not prohibit some of its data purchasers from using Jumpshot’s data to re-identify Avast users. For instance, Jumpshot allegedly signed a deal with the advertising giant Omnicom to supply an “All Clicks Feed” for 50% of its clients in the US, UK, Mexico, Australia, Canada, and Germany.

Americans’ sensitive data

The US appears to be tightening restrictions on cross-border transfers of sensitive data on national security grounds.

President Biden issued an Executive Order to protect Americans’ sensitive personal data. It will prevent the large-scale transfer of America’s sensitive and government-related data to countries of concern, (reportedly they are China, Cuba, Iran, North Korea, Russia and Venezuela), and prohibit commercial data brokers and other companies from selling biometrics, healthcare, geolocation, financial and other sensitive data to countries of concern, or entities controlled by those governments, intelligence services and militaries. 

The US Justice Department’s National Security Division has already published an Advance Notice of Proposed Rulemaking to provide transparency and clarity about the intended scope of the program. It would cover six defined categories of bulk US sensitive data, namely US persons’ covered personal identifiers, personal financial data, personal health data, precise geolocation data, biometric identifiers, human genomic data, and combinations of those data. The security requirements for certain classes of transactions would include:

  • basic organisational cybersecurity posture,
  • measures against unauthorised disclosure, 
  • data minimisation and masking,
  • use of privacy-preserving technologies,
  • compliance requirements and audits.

The Department of Justice is also considering identifying three classes of restricted data transactions: a) vendor agreements, (including for technology services and cloud services), b) employment agreements, and c) investment agreements. Nonetheless, the program established by the order is without prejudice to the free flow of data necessary for the substantial consumer, economic, scientific, and trade relationships that the US has with other countries.

Other official guidance

The EDPB’s new enforcement action: 31 data protection authorities across the EEA, (DPAs), including 7 German state-level regulators, will take part in the 2024 coordinated enforcement action, (a mixture of surveys and formal investigations), on implementing the right of access. It is one of the most frequently exercised data protection rights and one DPAs receive many complaints about. In addition, it often enables the exercise of other data protection rights, such as the rights to rectification and erasure. To understand how organisations must respond to access requests from individuals, see the EDPB’s latest guidelines on the right of access.

Generative AI and data protection: In the UK, the House of Lords Communications and Digital Committee has published a report on large language models, (LLMs). These may have personal data in their training sets, drawn from proprietary sources or information online. Safeguards to prevent inappropriate regurgitation are being developed but are not robust. Data protection in healthcare attracts particular scrutiny as some firms are already using the technology on NHS data, which may yield major benefits. 

But equally, models cannot easily unlearn data, including protected personal data. There may be concerns about these businesses being acquired by large overseas corporations involved in, for example, insurance or credit scoring. Clear guidance is needed on how the data protection law applies to the complexity of LLM processes, including the extent to which individuals can seek redress if a model has already been trained on their data and released. Also, data protection provisions have to be embedded in licensing terms.

Consent principle

It is not always necessary for a company or an authority to obtain your consent before it can handle your data, explains the Danish data protection authority. This is because consent is only one of several legal bases for the handling of your data. Storage of your information must cease when you withdraw your consent, but only for the information that is handled or processed on the basis of consent.

Information for which the legal basis is something else, for example a commercial contract or an employment relationship, can continue to be handled or stored. Consent is also not needed if you, the data subject, are unable to give it, for example to a healthcare facility because of a serious illness. Public authorities can also process your data for specific tasks, such as handling your tax declarations. Private companies may have legitimate reasons too, (such as maintaining user services), but these must not override your interests or rights.

Finally, a revocation of consent does not have a retroactive effect, and the revocation therefore does not affect the handling of information that took place before.

Rise in outsourcing contracts in the banking sector

The European Central Bank urges supervised institutions to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers. Most banks outsource certain services to take advantage of lower costs, more flexibility and greater efficiency. Considering the relatively stringent data protection regulations in the EU, it is noteworthy that personal data processing is included in 70% of outsourcing contracts, and over 70 major banks contract these vital services out to companies with headquarters located outside the EU, (eg, cloud services in the US, the UK, and Switzerland). 

The ECB discovered that over 10% of contracts concerning essential tasks do not adhere to the applicable requirements. Furthermore, 20% of these non-compliant contracts have not had a rigorous risk assessment during the past three years, and 60% have not undergone an audit.

Starting in 2025, the Digital Operational Resilience Act will go into effect and offer further tools for monitoring important IT service providers, particularly those that ensure the operational resilience of financial institutions.


Illicit marketing

The Italian privacy regulator imposed a fine of over 79 million euros on Enel Energia for serious shortcomings in the processing of the personal data of numerous users in the electricity and gas sector, carried out for telemarketing purposes. The case originated from a previous investigation which resulted in a 1.8 million euro privacy fine on four companies and the confiscation of databases used for illicit activities. It emerged that Enel Energia had acquired 978 contracts from those companies, even though they did not belong to the energy company’s sales network.

Furthermore, the information systems used for customer management and service activation by the company showed serious security shortcomings. Enel failed to put in place all the necessary measures to prevent the unlawful activities of unauthorised actors who for years fueled an illicit business carried out through nuisance calls, service promotions, and the signing of contracts with no real economic benefits for customers. Over time it involved the activation of at least 9,300 contracts.

Meanwhile, in California, a company will pay a 375,000 dollar civil penalty after it violated multiple consumer privacy laws. DoorDash is a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery. To reach new customers, DoorDash participated in marketing cooperatives and disclosed consumers’ personal information as part of its membership without providing notice or an opportunity to opt-out. The other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers. 


Data brokerage

Belgium’s data protection regulator recently fined Black Tiger Belgium, (formerly Bisnode Belgium), a company specialising in big data and data management, a total of 174,640 euros. When the complaints were lodged, Bisnode Belgium operated a consumer database and a company database through which it offered “Data quality”, (improving the quality of its customers’ data), and “Data Delivery”, (providing data to its customers, especially for marketing campaigns). These databases consisted of personal data and user profiles drawn from various external sources.

The regulator received a complaint based on the so-called ‘right of access’, which allows anyone to ask Bisnode at any time for the data it keeps about them. The investigation found that the company, relying on its legitimate interest, indirectly collected and processed personal data on a large scale and for a long period, (15 years), without the data subjects being informed individually, clearly and proactively about the processing. The company also lacked records of its processing activities.

Other enforcement decisions

Student privacy vs teachers’ authority: The Icelandic data protection authority ruled on personal data processing by the University of Iceland. According to the complaint, a teacher had monitored a student through the teaching site in the Canvas learning management system. However, the supervisory authority concluded that there was no electronic monitoring, as the teacher’s assessment of the complainant’s activity in the learning management system was not sustained or repeated regularly. It was also considered that the said processing of personal information had been necessary for the university in connection with statutory tasks entrusted to the university by law. 

However, the complainant was not sufficiently informed of the teacher’s ability to examine their use of the Canvas learning management system and make it the basis for grading. The peer assessment of the complainant’s fellow students in a group project was one of the factors that formed the basis of the grading for the assessment component. The University’s processing therefore failed to comply with the transparency requirements under privacy legislation.

Biometric scanning abuse: In the UK Serco Leisure, Serco Jersey and seven associated community leisure trusts have been issued enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. The investigation found that Serco and the trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities. Serco had to record employee attendance to pay workers as per its contractual duties but rejected less invasive options available, including timesheets or electronic cards. Although Serco had indicated that these choices may be abused, it had shown no proof of real, widespread misuse. 

Data security

Password retention guide: Identity theft is too often caused by the use of authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen credentials are used to illicitly enter entertainment sites, (35.6%), social media, (21.9%) and e-commerce portals, (21.2%); in other cases they give access to forums and websites of paid services, (18.8%), and financial services, (1.3%). The Italian data protection authority has therefore published an FAQ and more detailed guidelines on password storage, listing the cryptographic functions currently considered the most secure, (in Italian only).
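Why the storage format decides how far a stolen table gets an attacker: the following added example (not the Garante's text, and the passwords, wordlist and tables are constructed) puts a legacy table of unsalted MD5 digests beside one of salted scrypt records and counts the work a small wordlist costs against each. It also shows the migration step a practitioner needs when such a guideline lands on an existing system: verify against whatever is stored, and replace a legacy record with a salted one at the next successful login, the only moment the plaintext is available. scrypt is used as one memory-hard function available in the standard library; the specific functions the Garante lists are in its guideline.

```python
# Added illustration, not the Garante's guideline text. Passwords, the
# wordlist and both tables are constructed for the example.
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "Winter2024!",
            "correct horse battery"]                          # constructed

def legacy_record(pw):
    """The pattern to retire: unsalted, fast hash stored as a hex string."""
    return hashlib.md5(pw.encode()).hexdigest()

def crack_legacy(table, wordlist):
    """One digest per candidate covers every user at once: no salt means one
    lookup table serves the whole database. Returns (found, hashes computed)."""
    rainbow = {legacy_record(w): w for w in wordlist}
    return {u: rainbow[d] for u, d in table.items() if d in rainbow}, len(wordlist)

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def hardened_record(pw, salt=None):
    """Per-user random salt plus a memory-hard KDF; the record names its
    algorithm so the verifier can tell formats apart."""
    salt = salt or os.urandom(16)
    return {"alg": "scrypt", "salt": salt,
            "hash": hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)}

def crack_salted(table, wordlist):
    """Each user must be attacked separately, one slow KDF call per guess.
    Returns (found, KDF calls made)."""
    found, work = {}, 0
    for u, rec in table.items():
        for w in wordlist:
            work += 1
            cand = hashlib.scrypt(w.encode(), salt=rec["salt"], **SCRYPT)
            if hmac.compare_digest(rec["hash"], cand):
                found[u] = w
                break
    return found, work

def verify(rec, pw):
    if isinstance(rec, str):                                  # legacy hex digest
        return hmac.compare_digest(rec, legacy_record(pw))
    cand = hashlib.scrypt(pw.encode(), salt=rec["salt"], **SCRYPT)
    return hmac.compare_digest(rec["hash"], cand)

def login_and_migrate(table, user, pw):
    """Verify against whatever format is stored; on success, replace a legacy
    record with a salted scrypt one while the plaintext is in hand."""
    rec = table.get(user)
    if rec is None or not verify(rec, pw):
        return False
    if isinstance(rec, str):
        table[user] = hardened_record(pw)
    return True

# Constructed tables holding the same three accounts in both formats.
PLAIN = [("a", "password"), ("b", "qwerty"), ("c", "Tr0ub4dor&3")]
LEGACY_TABLE = {u: legacy_record(p) for u, p in PLAIN}
SALTED_TABLE = {u: hardened_record(p) for u, p in PLAIN}
```

Against the six-word list, the legacy table gives up two of three accounts for six cheap hashes; the salted table gives up the same two accounts, but only after eleven scrypt calls, and the third account costs the attacker every guess again rather than nothing. The legacy table should be treated as a set of plaintext passwords for breach-assessment purposes.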

Cybersecurity core 2.0: America’s NIST has meanwhile released version 2.0 of its landmark Cybersecurity Framework. The agency has finalised the framework’s first major update since its creation in 2014. Now it explicitly aims to help all organisations — not just those in critical infrastructure, its original target audience — to manage and reduce risks. The framework’s core is now organised around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. The CSF is used widely internationally. Versions 1.1 and 1.0 have been translated into 13 languages, and the NIST expects that CSF 2.0 also will be translated by volunteers around the world. 

Federated Learning

The UK Responsible Technology Adoption Unit, in cooperation with the NIST, published a series of analyses of privacy-preserving federated learning, an approach to machine learning in which a model is trained without centrally collecting the training data. Organisations often struggle to articulate its benefits. The approach can lower infrastructure and network overheads, but bespoke privacy infrastructure can introduce additional costs, and there are fewer people with the skills and experience required to design and deploy it.

On the other hand, federated learning allows organisations to use and monetise data assets that would not previously have been accessible. By removing the need for access to the full data, it protects the value of the data for the data owner. Finally, legal consultation is a necessary cost, but in principle PETs can significantly reduce data protection risks, since, when used appropriately, differentially private data can be considered anonymised.

Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health (https://techgdpr.com/blog/data-protection-digest-05022024-social-media-giants-grilled-over-child-safety/, published Mon, 05 Feb 2024 10:44:12 +0000)

Child safety online was the subject of a sometimes heated US Congressional hearing, forcing CEOs of the biggest American social media giants to apologise to parents of victims. While legislators are struggling to find a legal solution to the crisis, police are finding evidence of children as young as seven being at risk of harm.


Children at risk

Last week, the CEOs of Meta, X, TikTok, Snap and Discord were questioned before the US Congress over alleged harms to young users on their platforms – access to drugs and subsequent overdoses, harassment, grooming and trafficking exploitation, leading in some cases to death. Legislators stated that the industry, through its constant pursuit of engagement and profit, failed to adequately invest in trust and child safety. Executives highlighted controls and tools they have introduced to mitigate harm. 

US legislators are pushing forward legal solutions to the existing crisis through the debated Kids Online Safety Act and anti-CSAM legislation, as well as changes to the COPPA rule. Meanwhile in neighbouring Canada, (British Columbia province), some of the measures have just been enforced.

In the EU, a draft Parliament position was adopted by the LIBE Committee at the end of last year, now awaiting further enforcement. The privacy regulators meanwhile warn about present risks to children and their personal information online. For instance, the Guernsey data protection authority recently identified a local Snapchat group that includes children as young as seven, possibly encouraging them to share explicit images of themselves. The police now advise parents:

  • to have conversations with their children regarding the reputational and long-term risks associated with sharing personal information via such networks, and 
  • ensure children are not using social networks or apps if they’re under the authorised age for those networks/apps, (13 for Snapchat). 

In the UK, the Information Commissioner’s Office also created a toolkit of free resources to promote responsible data sharing to safeguard children and renewed its age assurance opinion, an important part of its world-leading Children’s code, reflecting developments over the past two years. A similar age-assurance design code was passed into law in California in 2022.

Legal updates

Draft AI Act: The draft legislation received a unanimous endorsement from all 27 European Union member states. Negotiations over the shape of the law concluded last December, with the main focus on safeguards for foundation models and the use of facial recognition software. According to Euractiv analysis, the primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for powerful AI models, that support general-purpose AI systems, (protecting domestic start-ups). Nonetheless, the Parliament insisted on the need for strict guidelines for these models. In April, Parliament will hold its final vote on the law.

German employee data protection: DLA Piper’s legal analysis looks at the data protection provisions relating to employees and other workers in Germany. Currently, the area is largely determined by case law, and national legislators are very cautious about using Art. 88 of the GDPR, which allows the adoption of provisions that specify data protection requirements in the employment context. Even more problematic, the relevant provisions of the Federal Data Protection Act, (BDSG), after being clarified by the CJEU last year, did not meet the conditions set out in the GDPR. Read more on the envisaged Single Employee Data Protection Act in Germany in the original analysis.

Automated decisions

The Isle of Man data protection commissioner reminds the public of Art. 22 of the GDPR, which provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. It is permitted to use such methods only: a) with the explicit consent of the individual; b) if necessary for entering into, or performing, a contract between the individual and the data controller; or c) if authorised by law. The controller must also have safeguards in place to allow individuals to obtain human intervention regarding the decision, to contest it in certain cases, or to express their point of view. 

AI checklist

The Bavarian data protection authority for the private sector published a draft ‘Data Protection and AI’ checklist, (in German). In addition to a legal basis for the creation of AI models and the operation/use of AI applications, the rights of those affected and other compliance requirements of the GDPR must also be implemented. The data protection risk model must be documented and regularly checked to ensure that it is up-to-date and complete. If necessary, the test points, (see them here), can be checked as part of the control activities by the data protection officer.

Software for schools


The Danish supervisory authority has investigated the use of Google Workspace in Danish schools in 53 municipalities. The report considers that the municipalities have had no reason to forward student data to Google for the development and measurement of services, ChromeOS and the Chrome browser. The data protection authority also reminds the municipalities that they should have found out how Google processes the transmitted personal data before implementing the tools. Municipalities now have to bring the processing in line with the rules:

  • Municipalities should no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
  • Google must itself refrain from processing the information for these purposes.
  • The Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.

A similar investigation on the use of Google’s teaching platform in schools was conducted in Finland in 2021. The decision does not prohibit the use of the educational platform but states that a legal basis must be defined for the processing of students’ data in Google services.

Purpose limitation

How to comply with the principle of purpose limitation? The Latvian data protection authority explains that when your data is transferred to someone else, it is usually done with the confidence that the data will be used for a specific purpose that is clearly understood by you. The principle of purpose limitation is closely related to other principles established in the GDPR, such as the principle of transparency, because only by knowing the specific purpose of data processing can a person understand what to expect within the scope of their data processing. 

Likewise, determining the exact purpose is related to the principles of data minimisation and storage limitation, because depending on the purpose, the amount of data needed to achieve it can be determined, as well as how long the data needs to be stored. The connection is also with the principle of legality because only the data that is planned to be used to achieve a clearly defined purpose will be able to establish an appropriate legal basis. When concluding processing for a different purpose, the controller must first assess whether this purpose is compatible with the initial processing, including the following aspects:

  • the connection between the purposes;
  • the context in which data has been collected;
  • nature of data;
  • the consequences that further processing would have for the data subject;
  • the existence of adequate safeguards in both initial and intended subsequent processing operations.


EDPB documentation

The EDPB published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The relevant decisions were initially filtered using Art. 32 of the GDPR, (security of processing), as the main legal reference. This article establishes an obligation for both data controllers and data processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The analysis of decisions will provide insights into how regulators interpret these obligations in concrete situations, such as how to protect organisations against hacking, how to ensure meaningful and robust encryption, how to build strong passwords, etc. 

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. It can be used by both legal and technical auditors at data protection authorities, as well as by controllers and processors who wish to test their websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu, where the source code is also published.

Enforcement decisions

Prospect data: The French CNIL fined TAGADAMEDIA, (online competition and product testing websites), 75,000 euros. The data collected by brokers is sent to the company’s partners for commercial prospecting. The prospect questionnaire did not allow free, informed and unambiguous consent to be obtained. The button allowing users to give their consent was highlighted, in contrast to the one allowing users to refuse consent, which also featured an incomplete text of reduced size, alongside a strong encouragement for users to agree to the transmission of their data to partners.

Insurance companies: An administrative court in Finland upheld the data protection commissioner’s decisions on the handling of health data by insurance companies. In some situations, insurance companies request personal health information directly from healthcare providers. However, data should be identified and precisely defined, which means only the necessary information from the provider and for the period that is relevant in assessing the insurance company’s liability is required. Also, the insurance applicant’s data from health services cannot be processed before concluding the contract.

Intrusive scientific research: The Italian regulator sanctioned a municipality for conducting two scientific studies, using cameras, microphones and social networks. The projects, financed with European funds, aim to develop technological solutions to improve safety in urban areas. It involved footage from video surveillance cameras already installed in the municipal area, as well as audio obtained from microphones specifically placed on the street. One of the projects also analysed hateful messages and comments published on social media, detecting any negative emotions and processing information of interest to the police. The municipality has not proven the existence of any legal framework for the processing: the data was unlawfully shared with third parties and partners. Furthermore, the anonymisation techniques proved insufficient.

Data breaches

Undetected attacker: America’s FTC’s proposed action against Blackbaud alleges that the company’s failure to implement some basic safeguards resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organisations. 

In 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. By then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers. Blackbaud eventually agreed to pay 24 Bitcoin, (valued at about 250,000 dollars), in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker followed through. 

Data processor supervision: The Danish data protection authority reported Capio A/S to the police for not having supervised its data processors. The private hospital may face a fine of approximately 200,000 euros. In particular, the hospital has not been able to ensure and demonstrate that personal data is processed for legal and reasonable purposes and in a way that ensures sufficient security for the sensitive personal data of the large number of data subjects in question, over several years.

Data security

TOMs: The Swiss data protection authority has revised its guide on technical and organisational security measures, (in English). The guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management. 

Cloud: The French CNIL published factsheets on encryption and data security, (in French). It offers a detailed analysis of the different types of encryption applied to a cloud computing service: encryption at rest, in transit and in-process, and e2ee. The guide also looks at various tools to secure cloud services, (anti-DDoS, WAF, CDN, load balancer), and key vigilance points.

Login: What to do if you detect a credential-stuffing attack? The Lithuanian data protection authority recommends responding quickly and proactively:

  • determining whether the attacker managed to use the available accesses,
  • blocking potential malicious activity,
  • notifying users of an attack and encouraging them to change their passwords,
  • notifying the regulator about the personal data security breach that has occurred,
  • conducting a thorough incident investigation and implementing additional security measures to prevent similar attacks in the future, (2FA, automatic attack detection systems, password policy).

Finally, if the attack is systemic or involves multiple platforms, it is recommended to collaborate with other data controllers in analyzing the incident.
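The first step in the list above, working out whether the attacker actually got into any accounts, is the one that decides how far the rest of the response goes. The following is an added example, not code from the digest or from the Lithuanian authority: it reads a constructed authentication log, flags source addresses showing the credential-stuffing signature (many different accounts tried from one source in a short window), and derives from that the blocking and notification actions the recommendation lists. The log format, thresholds and all log lines are assumptions made for the example.

```python
"""Triage of a suspected credential-stuffing attack from authentication logs.

Added example (not from the original digest). The log format
"timestamp ip user result" and every line in SAMPLE_LOG are constructed.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, not a real capture. 203.0.113.7 tries one password
# against many accounts in a few seconds and gets into one of them;
# 198.51.100.9 is an ordinary user mistyping their own password.
SAMPLE_LOG = """\
2024-01-30T09:00:01 203.0.113.7 alice FAIL
2024-01-30T09:00:02 203.0.113.7 bob FAIL
2024-01-30T09:00:02 203.0.113.7 carol FAIL
2024-01-30T09:00:03 203.0.113.7 dave FAIL
2024-01-30T09:00:03 203.0.113.7 erin FAIL
2024-01-30T09:00:04 203.0.113.7 frank SUCCESS
2024-01-30T09:00:04 203.0.113.7 grace FAIL
2024-01-30T09:00:05 203.0.113.7 heidi FAIL
2024-01-30T09:00:05 203.0.113.7 ivan FAIL
2024-01-30T09:00:06 203.0.113.7 judy FAIL
2024-01-30T09:00:06 203.0.113.7 mallory FAIL
2024-01-30T09:00:07 203.0.113.7 oscar FAIL
2024-01-30T09:10:00 198.51.100.9 alice FAIL
2024-01-30T09:10:05 198.51.100.9 alice FAIL
2024-01-30T09:10:12 198.51.100.9 alice SUCCESS
2024-01-30T12:00:00 203.0.113.7 frank SUCCESS
"""


@dataclass(frozen=True)
class Attempt:
    when: datetime
    ip: str
    user: str
    success: bool


@dataclass
class TriageResult:
    block_ips: set          # sources to block (step 2 of the recommendation)
    compromised_users: dict  # user -> first successful attacker login (steps 1 and 3)
    attempted_users: set    # every account tried from a suspect source


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return attempts


def suspect_sources(attempts, window=timedelta(minutes=5), min_fails=8, min_users=5):
    """IPs that, inside one sliding window, produced at least `min_fails`
    failures spread over at least `min_users` distinct accounts. A single user
    mistyping a password fails the distinct-account condition and is ignored."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    suspects = set()
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.when)
        recent = deque()          # failures still inside the window
        user_fails = Counter()    # failures per account inside the window
        for a in events:
            if not a.success:
                recent.append(a)
                user_fails[a.user] += 1
            # Drop failures that have aged out of the window.
            while recent and a.when - recent[0].when > window:
                old = recent.popleft()
                user_fails[old.user] -= 1
                if user_fails[old.user] == 0:
                    del user_fails[old.user]
            if len(recent) >= min_fails and len(user_fails) >= min_users:
                suspects.add(ip)
                break
    return suspects


def triage(attempts, **thresholds):
    """Answer the first question of the response: did the attacker get in?"""
    suspects = suspect_sources(attempts, **thresholds)
    compromised, attempted = {}, set()
    for a in sorted(attempts, key=lambda e: e.when):
        if a.ip not in suspects:
            continue
        attempted.add(a.user)
        if a.success:
            compromised.setdefault(a.user, a.when)
    return TriageResult(suspects, compromised, attempted)


def response_plan(result):
    """Map the triage onto the recommended actions, one line per action."""
    lines = [f"block source {ip}" for ip in sorted(result.block_ips)]
    for user, when in sorted(result.compromised_users.items()):
        lines.append(f"reset password and notify {user}: attacker logged in at {when.isoformat()}")
    for user in sorted(result.attempted_users - set(result.compromised_users)):
        lines.append(f"advise {user} to change password: credentials were tried")
    if result.compromised_users:
        lines.append("assess notification of the personal data breach to the regulator")
    return lines


if __name__ == "__main__":
    for line in response_plan(triage(parse_log(SAMPLE_LOG))):
        print(line)
```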

Cybersecurity program: As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? America’s NIST offers a Draft Guidance on Measuring and Improving Your Company’s Cybersecurity Program. It is aimed at different audiences within an organisation, security specialists as well as the C-suite, and can help organisations move from general statements about risk level toward a more coherent picture founded on hard data.

Big Tech 

Amazon “stalking” employees: The French data protection authority fined Amazon France Logistique 32 million euros for putting employees under constant surveillance. The company manages the Amazon group’s large warehouses in France, where it receives and stores items and then prepares parcels for customer delivery. Each warehouse employee is given a scanner to document the performance of certain tasks in real time. Each scan results in the recording and prolonged storing of data used to calculate employee quality, productivity and periods of inactivity, (the “error” margin was set to less than 1.25 seconds or longer than 10 minutes). The company was also fined for video surveillance without information or sufficient security. 

Uber has been fined 10 million euros by the Dutch data protection authority for violating privacy regulations related to its drivers’ data. Uber failed to specify in its terms and conditions the duration for which drivers’ data is retained and the security measures in place, particularly when transferring data to non-European countries. The fine was imposed following a complaint by over 170 French drivers, which was first forwarded to the French data protection authority and subsequently to the Dutch regulator, as Uber’s European headquarters is in the Netherlands. 

Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage (https://techgdpr.com/blog/data-protection-digest-04012023-us-signals-intelligence-redress-mechanism-dormant-privacy-risk-assessment-data-brokerage/, published Wed, 04 Jan 2023 10:06:59 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: US signals intelligence redress mechanism, Google search results removal, California consumer privacy rights, Australia Privacy Act review

The US Office of the Director of National Intelligence, (ODNI), published a directive for implementing the signals intelligence redress mechanism created under the proposed EU-US Data Privacy Framework. It is necessary for the implementation of the US adequacy decision which received a green light from the European Commission just before the end of 2022. The directive governs the handling of redress complaints regarding certain signals intelligence activities and outlines the process by which qualifying complaints may be transmitted by an appropriate public authority in a qualifying state. Additionally, the directive outlines the role of the ODNI Civil Liberties Protection Officer with a given complaint: 

In Sweden, the Supreme administrative court rejected the appeal in a case between Google and the Swedish privacy regulator IMY. This means that the judgment gains legal force and that Google must pay a 4.5 million euro fine. In 2020, the IMY charged Google for violating the right to have search results removed. When Google delisted search results the site owner was notified of the webpage and data subject concerned via Search Console, previously Webmaster Tools. But informing the site owner meant that the personal data was used beyond its original purpose, and the information notice was misleading users and restraining them from exercising their right to request removal. 

California consumer privacy rights expanded on 1 January, (but will be enforced in July).  In 2020, California voters approved Proposition 24, known as CPRA, amending some of the older CCPA’s consumer protections and therefore expanding business’ obligations. For example, previously employees, job applicants, owners, directors, officers, and contractors were excluded from the definition of “consumer,” and they had limited data subject access rights. These rights include the ability to opt-out of profiling, opt-out of targeted/cross-context advertising, opt-out of automated decision making, and to limit the use and disclosure of sensitive information. The new law establishes annual privacy risk assessments and cybersecurity audits. Civil lawsuits will also be allowed against companies that fail to take appropriate measures, with potential damages between 100 and 750 dollars per consumer, per incident. 

Australian Attorney-General Mark Dreyfus confirmed that the Privacy Act Review has been completed and a final report received by his department. The announcement came shortly after a wave of spectacular data breaches in the Australian corporate sector. The new privacy regime could include a broader definition of personal data, expanded information obligations for organisations, opt-in consent for users, the right to erasure, and increased penalties for serious or repeated data breaches. 

Official guidance: special categories of data, global cookie review, data brokerage, age-appropriate design tests

The Latvian data protection agency DVI issued a reminder of the rules for the lawful processing of special categories of personal data. In addition to complying with the general data protection conditions, the controller must observe that processing of these categories is prohibited by default unless one of the exceptional permissions or justifications applies:

  • a person’s consent, (eg, to receive commercial notices about price discounts for specific goods or services in a pharmacy);
  • social protection rights, (eg, when terminating the employment of a unionised employee, the employer must contact the trade union); 
  • vital interests of a person, (eg, in cases where a person is unconscious and it is necessary to find out his blood group, allergies, etc.);
  • non-profit activity for political, philosophical, religious, or trade union-related purposes, (the personal data is not disclosed outside the said organisation without the consent of the individual);
  • data deliberately made public, (eg, the person has expressed on social networks that they are vegetarian);
  • essential public interests, (eg, information about political party donors must be made public);
  • preventive or occupational medicine, (eg, assessment of the employee’s work capacity, health or social care, or treatment);
  • public health, (eg, to limit the spread of COVID-19);
  • archiving in the public interest, for scientific, historical or statistical purposes.

The French privacy regulator CNIL published guidelines on the commercial use of customer files – data brokerage. Data controllers need to pay attention to the types of data that can be transferred, (only data relating to active customers can be shared), and to obtaining consent from data subjects for the intended transfer, (eg, via an electronic form). The purchaser must also inform the data subjects of the transfer and of the source of the data, (the name of the company that sold the customer files), and obtain the data subjects’ consent if it wishes to use their data for electronic commercial prospecting.

Bird&Bird offers the latest Global Cookie Review – the legal and regulatory landscape relating to the expanding use of cookies and similar technologies, country by country. Such regulations often follow a path set by the EU GDPR and ePrivacy Directive. The report also contains Asia Pacific, Latin American, and South African overviews, where similar regulations are often lacking or can be even divergent on transparency and consent requirements. 

The UK Information Commissioner’s Office has published design tests to support designers of products or services that are likely to be accessed by children or young people. Each test provides a report detailing areas of good practice as well as ways to improve conformity with the Age-Appropriate Design Code. This includes “best interests of the child” standards like age authentication, safe default settings, parental controls, enforcement, and data protection impact assessments.

Investigations and enforcement actions: credit rating by mistake, “dormant” risk assessment, “defaulting” customers error, employees’ email metadata, mass grocery purchases monitoring, and workers’ fingerprinting

The Norwegian data protection authority has notified Recover of its decision to fine the company 20,000 euros. The matter concerns a credit rating performed without a legal basis. The background to the fine is a complaint from a private individual who was subjected to a credit assessment without any form of customer relationship or other connection to the above company. A credit rating is established after compiling personal data from many different sources including a person’s overall financial situation, any payment remarks, debt-to-income ratio, and whether the person has any mortgages/liens.

The Norwegian regulator also has given Statistics Norway notice of a decision that involves a ban on their planned collection of data on the Norwegian population’s grocery purchases. Through the collection of bank data and bank transaction data, the organisation planned to obtain information on what the population buys, and then link that to socio-economic data such as household type, income, and education level. The regulator believes that a legal basis, (societal benefit of consumption and diet statistics), is not clear and predictable enough for this planned processing of personal data. Even if the purpose is to produce anonymous statistics, intrusion into the individual’s privacy will occur. 

Italian regulator Garante fined Areti 1 million euros: thousands of users were mistakenly classified as “defaulting” customers and unable to switch to other suppliers. The misalignment of the company’s internal systems led to incorrect data migration to the integrated information database consulted by suppliers before signing a new contract. As a result, more than 47,000 Areti customers wanting to change energy supplier were denied an account activation and any potential savings deriving from market advantages, because they were incorrectly red-flagged. 

Additionally, Garante issued a fine to Lazio Regio of 100,000 euros for unlawful monitoring of employees’ email metadata. An internal audit was launched by the region on the suspicion of a possible unauthorised disclosure to third parties of information protected by official secrecy. Metadata was collected in advance and stored for 180 days: date, time, sender, recipient, subject, and size of email. This allowed the region to obtain information relating to employees’ private lives, such as their opinions or contacts. 

No workplace fingerprinting without specific requirements is the ruling from Garante, which fined a sports club 20,000 euros. The authority intervened following a report from a trade union, which complained about the introduction of the biometric system by the company, despite the union’s request to adopt less invasive means of authentication. The company had carried out, for almost four years, the fingerprinting of 132 employees, violating the principles of minimisation and proportionality. It also provided workers with very little information on the characteristics of biometric treatments. 

The Romanian data protection authority completed an investigation at leading retailer Kaufland and issued a fine of 3,000 euros. A video recording containing images of a complainant in the parking lot of one of the chain’s stores appeared on the web page of a local newspaper. It turned out that the store manager had allowed an employee access to the monitoring room, where the employee captured, with his personal mobile phone, images of the recordings being played back and sent them via WhatsApp to a third party. The images were later posted by an online publication. As a result, the image and the registration number of the car were revealed, with two persons affected by this incident.

The EDPB published a summary on risk assessment and acting in accordance with established procedures. A controller, (in Poland), was notified of a personal data breach that occurred as a result of a break-in at an employee’s apartment and the theft of a laptop. The confidentiality of the personal data was at risk because the stolen computer was only password protected. The controller had kept adequate documentation since the beginning of the application of the GDPR and had performed a risk assessment, but it was only after the data breach occurred that the controller complied with the results of its own risk assessment by encrypting laptop hard drives.

Data security:  zero trust architecture, IoT onboarding, and lifecycle management

The US NIST’s National Cybersecurity Center of Excellence has published a draft practice guide on implementing a zero trust architecture and is seeking the public’s comments on its contents. As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device on-premises and in the cloud. Comments from industry participants are welcomed by or before 6 February. 

In parallel, the NIST is also seeking comments on draft guidance on Trusted IoT Onboarding and Lifecycle Management. Scalable mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. In combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, this could improve the security of networks and IoT devices from unauthorised connections.

Big Tech: face recognition practices by PimEyes, Epic games’ COPPA violations, TikTok apps age rating

The Baden-Württemberg data protection authority announced proceedings against PimEyes, (face recognition and reverse image search), Data Guidance reports. Recent media reports stated that PimEyes scans the internet for faces, extracts individual characteristics and stores biometric data without a proper legal basis, an identified data sharing model, or valid opt-out options. A data subject should be able to agree to the processing of personal data relating to them in an informed and unambiguous manner. In the case of automated retrieval of images on the Internet, these requirements cannot be met. Equally, the private company PimEyes cannot undertake police investigative work in the public interest or interfere with the rights of data subjects. The original statement is available from the authority.

US Video Game Maker Epic will pay a more than half-billion dollar refund over allegations of children’s privacy law, (COPPA), violations, and tricking users into making unwanted charges for in-game items, (eg, costumes and dance moves). Epic’s Fortnite game has more than 400 million users worldwide. The company will be required to adopt strong privacy default settings for children and teens, (parental notice and consent requirements), ensuring that voice and text communications are turned off by default. This is the Federal Trade Commission’s largest refund award in a gaming case and the largest administrative order in its history. 

Finally, Virginia Attorney General joined 14 other state attorneys general to call on Apple and Google to take immediate action and correct their application store age ratings for TikTok. The change will help parents protect their children from being force-fed harmful content online. The current ratings of “T” for “Teen” in the Google Play App store and “12+” in Apple’s App Store falsely represent the objectionable content found and served to children on TikTok. While TikTok does have a “restricted mode” available, it is also aware that many of its users are under 13 and have lied about their age to create a profile.

The post Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage appeared first on TechGDPR.

Weekly digest April 11 – 17, 2022: France’s CNIL to simplify investigation and enforcement of minor cases https://techgdpr.com/blog/weekly-digest-18042022-cnil-to-simplify-investigation-and-enforcement-of-minor-cases/ Mon, 18 Apr 2022 11:24:49 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: CNIL investigation and enforcement, EDPB procedural rules 

The French data protection authority CNIL announced a reform of its corrective procedures, moving towards simplified investigation and enforcement actions. A simplified procedure was created in particular for less complex cases. This reform will allow the CNIL to respond better to the increasing number of complaints since the GDPR came into force. Right now the CNIL must respond to numerous complaints, (more than 14,000 in 2021), and there is a constant increase in the number of corrective measures it pronounces, (18 sanctions and 135 formal notices issued in 2021). Thus cases that are not very complex or serious will be subject to a simplified sanction procedure: such a case follows the same steps as the ordinary sanction procedure, (time limits, adversarial procedure), but the implementation methods are simplified:

  • The president of the CNIL chooses a restricted committee, (5 members and a chair).
  • The president appoints a designated rapporteur, who is in charge of the investigation.
  • The chair of the restricted committee, (or a member they appoint), decides alone and no public meeting is organised, unless requested.
  • The penalties likely to be pronounced in this context are limited to a fine of a maximum 20,000 euros and an injunction with penalty capped at 100 euros per day of delay. These sanctions cannot be made public.

The ordinary procedure has also been adjusted and clarified on certain points, in particular: a) extended deadlines for submitting observations; b) the possibility for a new rapporteur to use investigative work carried out by a previous rapporteur; c) the possibility for the president of the restricted committee to decide alone that there is no longer any need to proceed with the case, (eg, if the organisation has ceased to exist since the start of the sanction procedure). Finally, the CNIL can now send formal notices that do not require a written response from the organisations. In this case, the organisation is required to comply within the set deadline, but no longer has to send evidence to the CNIL within this same deadline. Compliance may be verified by other means, for example during a subsequent inspection. The full infographic, (in French), can be found here.

The EDPB similarly published its latest procedural rules, restating its mission and guiding principles, procedures and working methods as set out in the GDPR, the Police and Criminal Justice Data Protection Directive, and other applicable legislative instruments under EU law. The board shall act independently, apply appropriate measures to ensure confidentiality when required, promote cooperation between supervisory authorities, and endeavour to operate by consensus where possible. With regard to the processing of personal data by EU institutions and bodies, the board shall appoint a data protection officer.

Among other provisions, the European Commission shall have the right to participate in the activities of the board without voting rights. Additionally, the board may invite external experts, guests or other external parties to take part in a plenary meeting and may set the agenda. The board may also decide to grant a non-EU country data protection authority the status of an observer, if it is in the interest of the board and certain qualitative conditions are met. You can read the full document here.

Official guidance: the use of web fonts, post-pandemic data

The Bavarian data protection authority, (BayLfD), recently published a statement on the use of web fonts, Data Guidance reports. It specified that a website operator, by integrating an external third-party font service, acts as a controller within the meaning of the GDPR: the operator co-decides on the means and purposes of the processing and causes the third-party provider to receive personal data from users. The website operator’s responsibility is limited to the collection and transmission of user data. However, a) no data, (eg, IP addresses), may be transmitted to third-party servers before consent has been given, and b) it must be clearly stated which data is being processed, to whom it is being transmitted, and for what purpose. Finally, the safest data protection solution is to integrate fonts into a website through self-hosting rather than external hosting.
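As an added example, not code from the digest or from the BayLfD statement, the checker below parses a page and reports every font resource the browser would fetch from a host other than the site’s own, which is exactly the pre-consent transmission the guidance objects to; the hostnames and the two sample pages are constructed for the demonstration.

```python
"""Flag third-party web font loads in an HTML page.

Added example; not code from the TechGDPR digest or the BayLfD statement.
Fonts referenced from the initial HTML are requested by the browser before
any consent dialog can be answered, so every such request to a third-party
host carries the user's IP address to that host without consent.  The checker
reports those requests; relative URLs and same-origin URLs count as
self-hosted.  Hostnames and sample pages below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# url(...) references inside inline <style> blocks, e.g. @font-face src lists.
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")
_FONT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf", ".eot")


class _ResourceCollector(HTMLParser):
    """Collect URLs from <link href=...> tags and url() calls in <style>."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "link" and attributes.get("href"):
            # stylesheet, preload and preconnect hints all trigger a request
            self.urls.append(attributes["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(_CSS_URL.findall(data))


def _absolute(url):
    """Normalise protocol-relative URLs so urlparse sees a hostname."""
    return "https:" + url if url.startswith("//") else url


def _looks_like_font(url):
    """Heuristic: a font file extension, or 'font' in the host or path."""
    parsed = urlparse(_absolute(url))
    path = parsed.path.lower()
    host = (parsed.hostname or "").lower()
    return path.endswith(_FONT_EXTENSIONS) or "font" in host or "font" in path


def third_party_font_loads(html, own_host):
    """Return font-related URLs that would be fetched from a host other than own_host."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        host = urlparse(_absolute(url)).hostname
        if host is None or host.lower() == own_host.lower():
            continue  # relative or same-origin: self-hosted, no third party involved
        if _looks_like_font(url):
            findings.append(url)
    return findings


# Constructed sample: fonts loaded from a third-party font service.
EXTERNAL_PAGE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
</head><body>Hello</body></html>"""

# Constructed sample: the same page after moving the font to the site's own server.
SELF_HOSTED_PAGE = """<html><head>
<style>
@font-face { font-family: "Roboto"; src: url("/fonts/roboto.woff2") format("woff2"); }
</style>
<link rel="stylesheet" href="/static/site.css">
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("external", EXTERNAL_PAGE), ("self-hosted", SELF_HOSTED_PAGE)):
        print(name, third_party_font_loads(page, "www.example.org"))
```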

Meanwhile, the Baden-Württemberg data protection authority, (LfDI Baden-Württemberg), announced that as soon as the COVID-19 pandemic is over it will review all pandemic-related restrictions. The regulator will approach healthcare providers, such as test centre operators and pharmacies, but also other companies and public bodies that have stored 3G evidence, (proof of vaccination, recovery or testing), of their employees and customers, and will insist on the deletion or blocking of this sensitive data. The regulator also stated that health information, such as information on employees’ pregnancies or autoimmune diseases, must not be used inappropriately, for example to terminate employment contracts or to deny promotion, Data Guidance reports.

Investigations and enforcement actions: IAB Europe’s action plan, Frontex cloud, dismissed CCTV footage case

The Interactive Advertising Bureau (IAB) Europe submitted an action plan to comply with the decision of Belgium’s data protection authority, (APD), concerning the Transparency & Consent Framework (TCF). The submission of the action plan was required under the two-phase remediation period foreseen in the decision and should enable a version of the TCF with broader compliance functionality to be rolled out over a 6-month period under the supervision of the APD. The action plan outlines how IAB Europe, in its capacity as managing organisation of the TCF, will hold in-depth discussions with the IAB Europe member companies that implement the TCF, convened through the existing TCF working groups and other bodies, as well as with IAB Tech Lab. These bodies are multi-stakeholder, bringing together:

  • publishers, 
  • ad tech intermediaries, 
  • agencies, and 
  • consent management platforms.  

However, the submission of the action plan is without prejudice to IAB Europe’s appeal of the decision. It contests a number of findings in the decision, in particular the findings that IAB Europe acts as a data controller of the TC String, (the digital signal created to capture data subjects’ choices on how their personal data can be processed), and as a joint controller for the dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol.

The UK Information Commissioner’s Office, (ICO), has found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care, (DHSC). The leaked CCTV images showed the former Secretary of State for Health and Social Care and his former aide engaged in behaviour contravening social distancing rules. The regulator launched a criminal investigation after it received a report of a personal data breach from the DHSC’s CCTV operator, (EMCOR Group plc). The ICO had a legal duty to carry out an impartial assessment of security within governmental offices. Forensic analysis indicated that the leaked images were most likely obtained by someone recording the CCTV footage screens with a mobile phone. Six phones retrieved during the execution of search warrants did not contain the relevant CCTV footage. The ICO concluded that there was insufficient evidence to charge anyone with criminal offences under the Data Protection Act 2018.

The EDPS issued a reprimand to the European Border and Coast Guard Agency, (Frontex), for moving to the cloud without proper data protection assessment. This constitutes a breach of the data protection legislation, applicable to Union institutions, offices, bodies and agencies. The EDPS found that Frontex:

  • moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing;
  • failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution, (Microsoft 365), was the outcome of a thorough process in which the existence of data-protection-compliant alternative products and services meeting Frontex’s specific needs was assessed;
  • failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes;
  • breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default.

In addition to the reprimand, the EDPS ordered Frontex to review its DPIA, (data protection impact assessment), and ROPA, (record of processing activities).

Data breaches: tax authority, visa service, medical practice, fashion industry, airport temperature checks

The Dutch data protection authority, (AP), has imposed a fine of 3.7 mln euros on the tax authorities for years of illegal processing of personal data in the Fraud Signalling Facility, (FSV). This was a blacklist on which the tax and customs administration kept records of suspected fraud, with often major consequences for people who were wrongly on the list.

The UK Home Office’s visa service has apologised for an email address data breach. The private contractor running the service sent an email to applicants containing more than 170 email addresses in the open. Some of the email addresses appeared to be private Gmail accounts, while others belonged to lawyers from a variety of firms.

In the US, Christie Business Holdings Company, (Christie Clinic), a major medical practice in Illinois, informed 500,000 individuals that their personal information was potentially compromised in a data breach. Christie Clinic said the data breach occurred last year, when a third party gained unauthorized access to a single business email account, likely in an attempt to intercept financial transactions.

The fashion industry also has been in breach of privacy lately. Luxury brand Louis Vuitton is facing a class-action lawsuit filed in New York by a customer who alleged its “Virtual Try-On” feature violates the Illinois Biometric Information Privacy Act. The feature is used for eyewear. Users provide an image of their face, which the customer alleged is collected and stored without knowledge or consent. Meanwhile, the UK branch of cosmetics giant Shiseido has reportedly fallen victim to a data breach involving personal details belonging to former and current employees. Some of them have reported being victims of fraud, with their personal data being used to open fraudulent businesses as well as take out bank loans and insurance. 

The Belgian data protection authority has fined the airports of Brussels and Charleroi for Covid temperature checks. These airports did not have a valid legal basis to process travellers’ health data. Since data of this type is sensitive, it cannot in principle be processed, except in a very limited number of exceptions, (Art. 9.2 of the GDPR). Processing for reasons of public health or important public interest is among these exceptions, provided it is based on a legal standard that is clear, precise and whose application is foreseeable for the data subjects. The regulator observed shortcomings in terms of the information provided to travellers and the quality of the impact analyses of the existing protocols.

Big Tech: online data brokerage, WhatsApp for work and school

American TV chat show host John Oliver devoted 25 minutes to the data brokerage industry, personal data and privacy as the “unregulated” sector’s profile rises into the mainstream. He typically uses even more colourful language in his dissection of the problems, which include political interests in using personal data being partly behind the lack of regulation, and potentially life-threatening situations made possible by data abuse.

WhatsApp is testing Communities, a new feature with end-to-end encryption built in, for larger groups tailored to organisations such as schools and workplaces. The Meta Platforms-owned company says it is comparable to other private messaging services like Microsoft Teams and Slack. But before the launch, major changes are coming to WhatsApp’s Groups feature: group administrators will now have censorship powers over all chats. Communities, once launched, will also have upgraded safeguards such as forwarding limits and a range of anti-abuse tools.

The post Weekly digest April 11 – 17, 2022: France’s CNIL to simplify investigation and enforcement of minor cases appeared first on TechGDPR.

Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts https://techgdpr.com/blog/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt/ Mon, 28 Mar 2022 08:51:48 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: new EU-US data transfer deal, Digital Markets Act, China’s algorithmic rules

The EU and US have announced a new preliminary data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two previous agreements over America’s governmental surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US will need to prepare its executive order, and then the EU must complete internal consultation in the Commission and within the EDPB. So far the White House has released a fact sheet on the new deal, which addresses the CJEU ‘Schrems II’ decision concerning US law governing signals intelligence activities:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

Earlier last week, EU privacy experts raised their concerns over the lack of detail in the deal. Austrian privacy activist Max Schrems, who started a long-running dispute with Meta/Facebook, (resulting in the invalidation of the EU-US Privacy Shield data transfer framework), stated: “The final text will need more time, once this arrives we will analyze it in-depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it.” The legal stance over transatlantic data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as Google Analytics, Google Fonts, and Stripe, along with long-standing and multilayered complaints against Meta/Facebook, TechCrunch sums up.

Meanwhile, sweeping new digital rules targeting US tech giants will likely come into force in October, EU antitrust chief Margrethe Vestager said. The rules proposed a year ago in the Digital Markets Act set out a list of dos and don’ts for Amazon, Apple, Meta, Google, Microsoft, and others. Fines for violations will reportedly range from 10% of a company’s annual global turnover to 20% for repeat offenders, who could also face an acquisition ban. Companies designated as online gatekeepers, (intermediation services, social networks, search engines, operating systems, advertising services, cloud computing, video-sharing services, web browsers and virtual assistants), which control access to their platforms and the data generated there, will have six months to comply with the new rules.

In China, the provisions on the administration of algorithmic recommendations in Internet Information Services became effective as of March, the Chinalawupdate blog reports. The term refers to the application of any algorithmic technology, including without limitation generation and synthesis, individualized push, sorting and selection, searching and filtering, and scheduling and decision-making, to provide information to users. Among many provisions, it requires:

  • algorithmic system and mechanism review, science and technology ethics review,
  • user registration, information release review, data security protection,
  • anti-telecom network fraud, security evaluation, monitoring, and incident emergency plan,
  • informing users about its provision of algorithmic recommendation service, and notifying the public, in an appropriate manner, of the basic principles, the purpose and intention, and the main operation mechanism, 
  • providing users with options that are not customized based on the users’ individual characteristics, or the option to conveniently close the algorithmic recommendation service, etc.

Official guidance: workplace monitoring

The Norwegian data protection authority Datatilsynet has issued workplace monitoring guidance, (in Norwegian). Monitoring activities must take into account important data protection criteria such as providing information about the processing to jobseekers and employees, facilitating data subject rights, deleting the information when no longer necessary, and having satisfactory information security and internal control of the data. In one of the examples, automatic forwarding of e-mails is considered continuous monitoring of the employee’s use of electronic equipment and is not allowed. Monitoring of an employee’s use of electronic equipment is prohibited, and can only exceptionally take place if the purpose is to administer the company’s computer network or to detect or resolve security breaches in the network. The guide also contains provisions on background checks during the recruitment process, access to e-mail and other electronically stored materials, and camera surveillance in the workplace.

Data breaches and enforcement actions: online retailer, third party provider, school’s trade union, insurance company

CafePress, an American online retailer of stock and user-customized on-demand products, is to pay half a million dollars for FTC violations, DLA Piper reports. The online platform failed to secure consumers’ sensitive personal data collected through its website and covered up a major breach. The failures included:

  • Storing personal information in clear, readable text.
  • Maintaining lax password policies that allowed, for example, users to select the same word, including common dictionary words, as both the password and user ID.
  • Failing to log sufficient information to adequately assess cybersecurity events.
  • Failing to comply with existing written security policies.
  • Failing to implement patch policies and procedures.
  • Storing personal information indefinitely without a business need to do so, etc.

In 2019, a major data breach exposed millions of emails and passwords, addresses, security questions, and answers as well as a smaller number of social security numbers, partial payment card numbers, and expiration dates of the customer accounts. This information was later discovered for sale on the dark web. The company patched the vulnerability but allegedly failed to properly investigate the breach and notify the affected customers. Read more analysis of the case by the Workplace Privacy Report article.

The US authentication firm Okta has admitted that hundreds of customers may have been impacted by a prolific hacking group’s attack via a third-party provider, Infosecurity Magazine reports. The Lapsus ransom group shared screenshots in January which purportedly showed “superuser” access to an internal Okta desktop. The attackers did have access to a third-party support engineer’s laptop for a five-day window. Okta initially said the matter with the sub-contractor had been investigated and contained, BBC reports. Similarly, none of Okta’s clients, such as Cloudflare, FedEx and Thanet, have reported any issues.

Cyprus’s data protection commissioner fined the English School 4,000 euros for failure to implement sufficient technical and organisational security measures to prevent a data breach, Data Guidance reports. The investigation related to the unauthorized access to and use of the email addresses of students’ parents and guardians by the school’s staff union, ESSA. In particular, a school teacher who was also the president of ESSA sent an email to all parents/guardians and to the staff for purposes other than those for which the email addresses were originally collected, and without the parents/guardians being informed of such use. The regulator ruled that, irrespective of the responsibility of the teacher and ESSA, the English School, as a data controller, did not apply sufficient security measures under Art. 32 of the GDPR. ESSA, as a separate joint controller, was also fined 5,000 euros.

The Icelandic data protection authority ruled in a case about an insurance company’s processing of personal data following a claim for compensation. There were complaints about the insurance company’s disclosure of the plaintiff’s personal data to an expert who prepared a report on the speed and impact of a traffic incident in which the plaintiff had been involved. There were also complaints about the insurance company’s use of the report when assessing the claim for compensation against the company. The plaintiff argued that the insurance company was not authorized to arrange the further use of the report data and that it did not take care to inform the individuals or obtain their consent. The data protection authority concluded that the above processing activities were in accordance with the law, based in particular on a contract (Art. 28 of the GDPR). However, since the complainant was not informed about the transfer of the data to the specialist and its processing, the regulator found that the company did not comply with its information and transparency obligations (Art. 13 of the GDPR).

Data security: pseudonymisation in the health sector

The European Union Agency for Cybersecurity has published guidance on deploying pseudonymisation techniques in the health sector. From a cybersecurity point of view, the confidentiality, availability, and integrity of medical data and the relevant infrastructure are considered essential in order to provide timely, appropriate, and uninterrupted medical care. This is also highlighted by the NIS Directive, which categorizes the health sector as an operator of essential services and calls for minimum security requirements to ensure a level of security appropriate to the risks presented. Furthermore, the GDPR distinguishes, in Art. 9, data concerning health as a special category of data, and sets out additional requirements and stricter obligations for processing and protecting such data. Lastly, the Medical Devices Regulation imposes requirements regarding the safety, quality, and security of medical devices in order to achieve a high common level of safety. Case studies in the report include:

  • exchanging patients’ health data,
  • clinical trials,
  • patient-sourced monitoring of health data.

Big Tech: data brokers, smartphone health monitoring, China’s crackdown on Bing algorithms

The legal implications of personal data usage by the data brokerage industry have been analysed by the Guardian. A new lawsuit reportedly involves two companies in this vast network: X-Mode, a data broker, and NybSys, one of X-Mode’s customers. The lawsuit claims people’s exact location data was sold through a chain of industry players, rather than a summary or analysis of that information, without knowledge or permission from X-Mode. Data brokers collect personal data from a variety of sources, including social media, public records and other commercial sources or companies. These firms then sell that raw data, or inferences and analysis based on that data, such as a user’s purchase and demographic information, to other companies, like researchers or advertisers.

Google wants to use smartphones to monitor health, saying it would test whether capturing heart sounds and eyeball images could help people identify issues from home, Reuters reports. The company is investigating whether the smartphone’s built-in microphone can detect heartbeats and murmurs when placed over the chest allowing early detection of heart valve disorders, etc. Google also plans to test whether its artificial intelligence software can analyse ultrasound screenings taken by less-skilled technicians, as long as they follow a set pattern.

Microsoft’s Bing, the only major foreign search engine available in China, said a government agency has required it to suspend its auto-suggest function in the country for a week, Reuters reports. It is the second such case for Bing since December, and arrives amid an ongoing crackdown on technology platforms and algorithms by Beijing. Since August, China’s top cybersecurity authorities have published draft rules dictating how internet platforms can and cannot make use of algorithms. These came into effect this month.

The post Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts appeared first on TechGDPR.
