Data Governance Act Archives - TechGDPR
https://techgdpr.com/blog/tag/data-governance-act/
Tue, 29 Apr 2025 09:15:37 +0000

Making sense of new EU-wide data regulations, the red thread behind the digital single market
https://techgdpr.com/blog/making-sense-of-new-eu-wide-data-regulations-the-red-thread-behind-the-digital-single-market/
Mon, 08 Jan 2024 11:24:08 +0000

A multitude of new regulations are either in the ordinary legislative procedure or already in force. These include the Data Act, the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Cyber-Resilience Act, the European Health Data Space Regulation and the Artificial Intelligence Act. Data regulations in the European Union (EU) are becoming more complex and challenging for businesses to comply with. The increasing number of administrative burdens and compliance requirements in these regulated areas is a valid concern for businesses. Supervisory enforcement of enacted regulations will be a wake-up call for organizations that are not prepared. Tech players operating in the EU and the authorities overseeing their activities face a similar challenge of adapting to legislative overlap. New fines, new supervisory authorities and new compliance requirements are expected. To better understand this burst of regulation, the EU’s strategic policies must be carefully examined.

What is the EU aiming for?

  • The United States (US) and China (CN) have different advantages in the field of technological competitiveness. 
  • The US has a strong private sector with abundant financial resources, while CN has a state-sponsored private sector. 
  • The EU meanwhile wants to shape its own digital future and create a competitive Digital Single Market while enforcing European democratic values. In a short span of time, the European Commission has implemented digital transformation policies to become more competitive in the global economy, reduce the carbon footprint that arises from red-tape bureaucracy and go digital.
  • Better public services and comprehensive scientific research will be strengthened by the re-use of data envisaged in the European Strategy for Data.

Understanding the distinct European view on data 

Greater productivity for IoT and data-enabled products is also on the list. But greater accessibility to data is needed to enable innovation in a data-driven economy. This explains why data intermediaries are expected to play a key economic role, as envisioned in the Data Governance Act. Making more data available to smaller players will be made possible by creating common European data spaces in strategic sectors. There are multiple underlying reasons for the data spaces, all of which align with the strategic data policies of the European Union.

  • The new regulations are in line with the existing strategic objectives, allowing organizations to get ahead of the game by embracing the EU’s strategic data policies.
  • The industrial data space and co-generated industrial data are part of the Data Act.
  • The common European health data space is also regulated by the upcoming European Health Data Space Regulation.
  • The Green Deal, financial, energy and agricultural data spaces are also mentioned in the “European Strategy for Data”.

EU strategic goals

  • The digitalisation of public services and the digital transformation of businesses are of high priority in the 2030 Digital Compass: the European way for the Digital Decade.
  • The Digital Compass goals are consistent with the rising amount of data being created in the EU. 
  • The EU is determined to maintain its regulatory norms and standards in its relations with international partners. 
  • By 2030, the EU aims to build an interconnected data processing ecosystem conscious of fundamental rights and in full compliance with legal requirements. As stated in the 2030 Digital Compass policy, the EU will continue to promote the ethical use of AI, establish strict cybersecurity and resilience requirements, tackle disinformation and illegal content online, ensure the operational security of digital finance and facilitate the transformation of e-government. These strategic policies are covered, respectively, by the Artificial Intelligence Act, the NIS2 Directive and the Cyber-Resilience Act, the Digital Services Act, the Digital Operational Resilience Act for the financial sector and the European Health Data Space Regulation.

Implications for the future

These new regulations pave the way for the EU to achieve its new industrial strategy of climate neutrality and digital leadership. They help to reduce the carbon footprint and cut red-tape bureaucracy.

  • The digital transformation is essential for a greener EU.
  • The reuse of data is also critical. 
  • As stated in the EU Strategy for Data, this includes greater productivity and competitive markets, as well as improvements in health and well-being. 

The emergence of data-driven ecosystems can prove itself in the long run but it may take years for the EU to figure out the interplay of new regulations within the existing legal frameworks, the preparation of new guidelines and the appropriate degree of coordination between supervisory authorities. 

The EU will need to ensure that data and data-enabled products and services are available throughout the single market. Considering the EU’s goal of building a legal digital framework and becoming an international market leader, similar regulations may spread over time to different continents through the Brussels Effect. The key intention is to create a European data ecosystem that is respectful of fundamental rights. Whether these strategic intentions will be translated into the regulatory scope as intended remains to be seen. 

Data protection digest 15 Sep – 1 Oct 2023: cross-border cases get the highest level of attention from regulators
https://techgdpr.com/blog/data-protection-digest-03102023-cross-border-cases-get-the-highest-level-of-attention-from-regulators/
Tue, 03 Oct 2023 10:43:57 +0000

In this issue, cross-border cases get the full attention of the EDPB via its rulemaking on future enforcement procedures to complement the GDPR, resolving a complex case on TikTok children’s privacy, and being asked to permanently ban behavioural ads by Meta in the EU.

Legal processes and redress: cross-border enforcement, Grindr fine, EU Data Governance Act, UK-US data transfers

Cross-border cases: The EDPB and the EDPS welcomed a proposal by the European Commission to complement the GDPR by specifying procedural rules in cross-border cases. The recommendations set by the regulators include harmonisation of complaint admissibility, as well as of the consensus-finding process during the preliminary and final stages of an investigation, to minimise the need for agency procedures such as dispute resolution. Regarding the amicable settlement of complaints, regulators call on the co-legislators to enable its efficient implementation, particularly in Member States that do not have such procedural laws.

Grindr fine confirmed: In Norway, the Privacy Appeals Board has decided on the Grindr case. The board upholds the data protection authority’s decision on an administrative fine of approx. 5,7 million euros. Grindr is a location-based dating app for the LGBTQ+ community. In 2020, the Norwegian Consumer Council complained about the app. The reason was that Grindr shared information about GPS location, IP address, mobile phone advertising ID, age and gender – in addition to an individual being a Grindr user – to several third parties for marketing purposes. The data protection authority concluded that Grindr disclosed personal data about users to third parties for behavioural advertising without a legal basis. 

The case concerns Grindr’s practices in the period from when the GDPR became applicable until 2020 when Grindr changed its consent mechanism. The data protection authority has not assessed the legality of the current practices of Grindr. The board points out, among other things, that the user was not given a free choice to consent to the disclosure of their data during registration in the app, and that the relevant information about data sharing was only included in the privacy policy. Moreover, information revealing that someone is a Grindr user may constitute a special category of personal data.

UK-US adequacy decision: Regulations leading to a UK-US data adequacy decision were introduced to the UK parliament. The ‘Data Bridge’ will take effect on 12 October. Organisations in the UK will then be able to transfer personal data to US businesses certified under the “UK Extension to the EU-US Data Privacy Framework” without additional safeguards such as international data transfer agreements (the UK version of the EU’s standard contractual clauses or binding corporate rules). Both UK and US organisations will also have to update their privacy policies. In parallel, the US Department of Justice will add the UK as a qualified jurisdiction whose citizens can seek legal redress under the data privacy framework.

Data Governance Act applicable since September: It sets up common European data spaces, involving both private and public players, in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, and public administration. Both personal and non-personal data are concerned. The act also defines a set of rules for providers of data intermediation services to ensure that they will function as trustworthy organisers of data sharing or pooling. One example might be Deutsche Telekom’s data marketplace in which companies can securely manage, provide and monetise good quality information, to optimise processes or entire value chains.

Official guidance: biometrics, AI transparency, gossip at work

Biometrics and employment: The use of biometric data can be considered excessive on the part of the employer and not required by regulatory acts, states the Latvian data protection regulator. A desired goal, for example recording working hours or entering the office, can be achieved with less interference in the employee’s privacy. The biggest “stumbling block” for employers when implementing a biometric data processing system is not security alone, but how to process the data lawfully.

Biometric data is a special category of data, the processing of which is permitted for employers only in certain cases (GDPR Art. 9 exceptions in conjunction with Art. 6 legal bases). For example, if companies plan to use their employees’ fingerprints or face scans to enter the workplace, the processing of biometric data must be based on the employees’ consent. It must be freely given, specific and informed. There should be no situation in which an employee suffers negative consequences because they did not give their consent.

AI transparency: The proposed EU AI Act, whose material scope is AI systems, establishes a concept of transparency that differs from the same term in the GDPR, whose material scope is the processing of personal data. Transparency within the framework of the two regulations involves different actors and is intended for different recipients, explains the Spanish data protection authority. Transparency under the proposed AI Act concerns information on AI systems, their providers and the entities that deploy these systems. When AI systems are included in, or are a means of, processing personal information, data controllers must also comply with the GDPR.

Typically, personal data processing is implemented through various types of systems, such as cloud systems, communication systems, mobile systems and encryption systems, and some of them could be AI systems. AI system designers, developers, suppliers and deploying entities can be data controllers and/or processors in various scenarios. At the same time, the natural persons who could be affected by these systems are not always data subjects as defined in the GDPR, for example when natural persons are recipients of multimedia content created by an AI system.

Gossip and personal data: There are ongoing examples of employees gaining unauthorised access to personal data. The Danish data protection authority states that this is most often discovered only when an individual becomes aware that someone is using information about them. It can be really difficult for the data controller to find out when employees use their system access in a way that is not related to work. Abuse of access rights cannot be completely prevented, but it can be limited by systematic rights management, good control procedures and effective enforcement on the part of the data controller. If, despite these measures, employees snoop on other people’s information, they can be punished with a fine or even reported to the police.

Enforcement decisions: electronic monitoring, recruitment, data deletion

Electronic surveillance: A privacy fine of approx. 10,000 euros was issued against the University of Iceland over electronic monitoring. Complaints were made about surveillance cameras inside and outside the university buildings with no visible markings indicating that electronic surveillance was in place (a total of 97 security cameras, 75 indoors and 22 outdoors). There was also a complaint that the purpose, nature, scope, location and other aspects of the monitoring, which had been operational for several years, had never been presented. The institution hosts around 15,000 students and 4,900 employees per year, as well as hundreds of annual events.

Certain points were assessed as being in the university’s interest, but in light of the scope of the surveillance camera system, the number of those recorded and the duration of the violation, the decision to impose a fine was reached. The university claimed that, due to repeated break-ins, a decision had been made to increase the use of access cards and the number of security cameras. Nothing else was defined about the nature, extent or other aspects of the institution’s electronic monitoring. On top of the fine, the regulator also ordered the university to update and install electronic monitoring signs in its buildings and outdoor areas in compliance with the law.

Excessive recruitment data: Meanwhile, the French regulator CNIL fined SAF Logistics 200,000 euros for excessive employee data collection and lack of cooperation. SAF Logistics is an air cargo service whose parent company is located in China. As part of internal recruitment for a position within the parent company, it requested information about the family members of employees, such as their identity, contact details, function, employer and marital status, along with sensitive data such as blood type, ethnicity and political affiliations. It also stored extracts from criminal records. When the CNIL asked the company to translate the employee questionnaire, which was written in Chinese, the incomplete translation omitted the ethnicity and political affiliation fields.

Data (non)deletion: The hotel chain Arp-Hansen has been fined approx. 134,000 euros by a court in Denmark for violating the rules on the storage of personal data. The hotel chain did not comply with the erasure deadline it had set itself (1 year). The Danish data protection authority estimated at the time of its inspection visit that approx. 500,000 customer profiles should already have been deleted. The case clarified which financial statements should be used as a starting point when calculating a fine: the amount was determined after the court considered the hotel chain’s revised and published annual accounts for 2018, which reflected the company’s financial situation during the period of the offence.

Data security: US healthcare and mergers data

Healthcare data: The US FTC and HHS outlined the privacy and security laws and rules that impact consumer health data. Collecting, using, or sharing consumer health information in the US is governed by four primary sources: the Health Insurance Portability and Accountability Act (HIPAA); the HIPAA Privacy, Security, and Breach Notification Rules; the FTC Act; and the Health Breach Notification Rule. The publication addresses some basic questions: What entities are covered? What do you have to do to maintain the privacy and security of consumers’ health information? And so on. You can also check out the FTC-HHS Mobile Health App Interactive Tool as you design, market, and distribute your mobile health app.

M&A and data protection: US researchers from the Electronic Privacy Information Center are urging the Department of Justice to include data protection and consumer privacy as factors in the newest Merger Guidelines. In a data-driven economy, businesses’ mass accumulation of personal data can have anticompetitive effects that further undermine consumer privacy and data security. Mergers frequently involve the consolidation of data sets, which can extend a firm’s market dominant position, impact entry for smaller firms, and exacerbate the effects of harmful consumer data practices. As a result of such mergers, there is no meaningful opportunity for firms to compete with better privacy practices.

Big Data: Meta behavioural ads, TikTok minor’s privacy enforcement

Norway case goes to the European level: The Norwegian data protection authority has requested a binding decision from the EDPB in the Meta case. It asked that Norway’s temporary ban on behavioural advertising on Facebook and Instagram be made permanent and extended to the entire EU/EEA. The Norwegian regulator is only authorised to make a temporary decision in this case. The decision expires on 3 November. Earlier this year, the authority found that Meta processes personal data for illegal behavioural advertising and intrusive monitoring of users in the context of the Facebook and Instagram services. For this reason, it imposed a temporary sanction on the company. The regulator also won against Meta in court. Nonetheless, the company continues its activities and has not yet complied with the decision. Meta has submitted several administrative complaints against the Norwegian data protection authority’s decision so far. 

TikTok minors’ data: The Irish Data Protection Commission adopted its final decision regarding TikTok’s processing of minors’ data and age verification during the registration procedure, imposing fines totalling 345 million euros together with an order to bring the processing into compliance. The investigation found:

  • children’s account settings were made public, 
  • certain features were enabled, exposing users under the age of 13,
  • privacy gaps in the “family pairing” function, 
  • misleading “dark patterns” during account creation and video uploading, and
  • failure to convey appropriate information to minors.

Interestingly, objections to the draft decision by the Irish regulator were raised by other concerned supervisory authorities, working as part of a cross-border investigation uncovering additional infringements including privacy-intrusive dark patterns. The case ended up at the EDPB for dispute resolution, which obliged the DPC to amend its draft decision to include new findings. 

Weekly digest April 4 – 10, 2022: EU data governance, digital products security, US law enforcement outreach & privacy
https://techgdpr.com/blog/weekly-digest-11042022-eu-data-governance-digital-products-security-us-law-enforcement-outreach/
Mon, 11 Apr 2022 09:09:19 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU data governance, traffic and location data, consumer rights, hospitals

The EU Data Governance Act, approved by the Parliament on April 6, promises to boost data sharing in the EU so that companies and start-ups will have access to more data they can use to develop new products and services. The new draft rules also aim to build trust in data sharing, making it safer and easier as well as ensuring it is in line with data protection legislation. This will be achieved through a range of tools, from technical solutions such as anonymisation and pooling of data to legally binding agreements by the reusers. The rules will enable:

  • data collected in some public sector areas to be better used;
  • the creation of common European data spaces for important areas: health, environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills;
  • new rules for data marketplaces – usually online platforms where users can buy or sell data – will help new intermediaries be recognized as trustworthy data organizers;
  • new rules for companies, individuals, and public organizations that wish to share data for the benefit of society (data altruism).

The Data Governance Act must be formally adopted by the EU countries in the Council before it becomes law. To further encourage data sharing, the Commission proposed a Data Act in February, which the Parliament is now working on.

The European Court of Justice has confirmed that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purpose of combating serious crime. In the related long-running case in Ireland, a man sentenced to life imprisonment for murder appealed, arguing that the court of first instance had wrongly admitted traffic and location data of telephone calls as evidence. “The privacy and electronic communications directive does not merely create a framework for access to such data through safeguards to prevent abuse, but enshrines, in particular, the principle of the prohibition of the storage of traffic and location data”, the highest EU court stated. However, it held that EU law does not preclude legislative measures, for the purposes of combating serious crime and preventing serious threats to public security, that provide for:

  • targeted retention of traffic and location data which is limited, according to the categories of persons concerned or using a geographical criterion; 
  • general and indiscriminate retention of IP addresses assigned to the source of an internet connection; 
  • general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and 
  • the expedited retention, (quick freeze), of traffic and location data in the possession of those service providers. Read the full decision by the ECJ here.

The Irish government has approved a draft bill – the General Scheme of Representative Actions for the Protection of the Collective Interests of Consumers. The aim is to permit qualified and designated entities to represent consumers in a representative action, (civil claim), where a trader has infringed consumer rights under one or more of the legislative provisions listed, including the major data protection legislation at EU and national levels – the GDPR, ePrivacy Directive, and the Irish Data Protection Act 2018. You can examine the full draft bill here.

Utah followed California, Virginia, and Colorado in adopting a comprehensive consumer data privacy law, JD Supra News reports. Utah’s Governor signed the Consumer Privacy Act, which will take effect on December 31, 2023. Consumers include individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context. Under the Act, data controllers (certain entities that conduct business or target consumers in Utah on a large scale) have obligations to, among other things:

  • disclose in a privacy notice various processing activities;
  • provide consumers with clear notice and an opportunity to opt out of the processing of sensitive data, including biometric and geolocation data;
  • provide consumers with a right to opt out of targeted advertising or the sale of personal data;
  • comply with requests from consumers to exercise their other rights to access, obtain a copy of, or delete personal data, and confirm whether a controller processes personal data; and
  • maintain reasonable administrative, technical, and physical data security practices. 

However, the law does not create a private right of action and grants exclusive enforcement authority to the Attorney General. 

The Czech Supreme Administrative Court upheld a fine by the national data protection authority imposed on a hospital for insufficient security in the processing of personal data, (Art. 32 of the GDPR). In the landmark decision, the court stated that the hospital in question is a joint-stock company, not a public entity, although it is financed mainly from public health insurance funds and provides its healthcare services in the public interest.

Thus, it cannot enjoy the exemption deriving from Art. 83(7) of the GDPR: “each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State”. In particular, the court rejected the application of the national data protection legislation, which does not allow the imposition of a sanction on a public entity. The full text of the judgment (in Czech) can be found here.

Official guidance: data processing agreements, digital products security, AI knowledge base

The Danish data protection authority Datatilsynet responded to some questions regarding data transfer provisions in processing agreements, Data Guidance reports. In the given case, a company, (KOMBIT), supplies IT systems to Danish municipalities and uses a subcontractor/processor, (Netcompany), which in turn uses Amazon Web Services, (AWS). According to KOMBIT, the information is generally processed within the EU/EEA, but it also appears from the data processing agreement between Netcompany and AWS that this can be deviated from if it is necessary to comply with the legislation or a binding decision from a public authority in a third country. The question is:

  • whether there is an intentional or unintentional transfer to third countries;
  • whether the municipalities must comply with the requirements for transfers to third countries; and
  • whether this gives rise to a question of adequate security of processing.

In the eyes of the Danish regulator, this will be an intentional third-country transfer. Therefore, municipalities must ensure that the rules on transfers to third countries are complied with when or if AWS makes such transfers in accordance with the instructions set out in the data processing agreement.

The EU Commission is holding an open public consultation on the establishment of new horizontal rules for digital products and associated services placed on the internal market, in view of a new European Cyber Resilience Act (CRA), Bird&Bird Insights reports. The consultation and call for evidence will be open for stakeholders’ feedback until May 25. The future CRA aims to create:

  • baseline cybersecurity requirements for manufacturers and vendors of a wide range of digital products and of the ancillary services without which the tangible product could not perform its functions (wireless and wired, embedded and non-embedded software), covering their whole life cycle;
  • obligations on economic operators; and 
  • provisions on conformity assessment, the notification of conformity assessment bodies, and market surveillance.

The CRA would add to the existing cybersecurity framework (the NIS Directive, the EU Cybersecurity Act, etc.). The consultation questionnaire and its outcome can be found here.

The French regulator CNIL presented a knowledge base, (in French), referring to the Artificial Intelligence concept. The CNIL explains, through various tools and publications, the challenges in terms of data protection and the way in which it acts to support the deployment of solutions that respect the rights of individuals. The project includes:

  • a short glossary of AI;
  • accessible resources for everyone (books, films, factsheets, articles);
  • guidance for data protection specialists on the application of the GDPR to AI systems (impact assessment questionnaires, rules on assigning responsibilities, documentation requirements, etc.).

Investigations and enforcement actions: unsecured visa applications, failed data deletion, unauthorised disclosure, accidental alterations of customer data

The Dutch data protection authority (AP) has fined the Ministry of Foreign Affairs 565,000 euros for potentially breaching the privacy of visa applicants over a number of years, DutchNews.nl reports. The AP identified the ministry as a data controller and stated that its visa information system is not secure enough, leaving a risk of unauthorised access to and changes to files. Sensitive information such as fingerprints, name, address, purpose of the trip, nationality and photo could have been accessed because of inadequate physical and digital security. People applying for visas were also not given proper information about the way their data is shared with third parties. In addition, the AP imposed an order subject to periodic penalty payments for fixing the security shortcomings (50,000 euros every two weeks) and the information obligation (10,000 euros per week).

The Irish supervisory authority fined Bank of Ireland Group 463,000 euros for violating Art. 32-34 of the GDPR. This inquiry was opened after 22 personal data breach notifications in 2018-2019. The notifications related to the corruption of information in the Group’s data feed to the Central Credit Register, a centralised system that collects and securely stores information about loans. The incidents included unauthorised disclosures and accidental alterations of customer personal data. The decision considered as a preliminary issue whether the incidents met the definition of a “personal data breach” under the GDPR, and found that 19 of the incidents reported did meet the definition. Additionally:

  • the group failed to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to data subjects’ rights and freedoms; and
  • the group failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in the centralised register. 

Meanwhile, the Danish data protection agency Datatilsynet found that Danske Bank has not been able to document that it deleted personal information in accordance with the data protection rules, and therefore fined the bank approximately 1.3 million euros. The regulator opened the case in 2020 after the bank itself reported that it had identified a problem with the deletion of unneeded personal data. It emerged that more than 400 systems had no rules laid down for the deletion and storage of personal data, and that no manual deletion of personal data had been carried out. These systems process the personal data of millions of people. At the same time, the regulator emphasized Danske Bank’s active participation in the disclosure of the case and its continuous efforts to align its practices with legal requirements and minimize the risks for data subjects.

Data security: UK cybersecurity survey, US law enforcement outreach

The UK Department for Digital, Culture, Media & Sport published the latest cyber security breaches survey. It is an annual survey detailing the cost and impact of cyber breaches and attacks on businesses, charities, and educational institutions. Here are some key findings:

  • Cyberattacks are becoming more frequent, with organizations (businesses and charities) reporting more breaches over the last 12 months.
  • Almost one in three businesses and a quarter of charities suffering attacks said they now experience breaches or attacks at least once a week.
  • Data shows two in five businesses use a managed IT provider but only 13 percent review the security risks posed by their immediate suppliers.

Four out of five senior managers in UK businesses now see cyber security as a ‘very high’ or ‘fairly high’ priority, a significant rise since 2021. Read the full survey here.

A Guardian article reveals that very little data is secret from US law enforcement, which has multiple ways to obtain personal data, either openly or covertly. It was reported last week that hackers obtained the information of some Apple and Meta users by forging an emergency legal request (explained in the previous digest), one of several mechanisms by which law enforcement agencies can demand that tech companies hand over data such as location and subscriber information. US law enforcement requests can include gag orders, meaning the company cannot notify users that their information has been requested for six months or more. Several types of legal request and other lawful channels have recently sparked concern among activists and experts:

  • geofence warrants,
  • keyword search warrants,
  • administrative subpoenas,
  • cell-tower dumps, 
  • inter-agency data sharing at the local, state, and federal levels, or from companies like Palantir, 
  • location and purchase history data from data brokers,
  • surveillance tech companies like Clearview AI and Voyager, etc.

Big Tech: Google complaint in Germany, China surveillance, Clearview expansion, Mailchimp data breach, banned apps on Google Play

Google is facing a legal complaint in Germany in which the North Rhine-Westphalia consumer office says Google’s cookie banners violate data protection rules, Reuters reports. The office maintains that refusing cookies requires more steps than consenting to them on Google’s search engine websites. The company says it will soon change its consent banner and cookie policy Europe-wide to comply with regulations.

Using publicly available documents, Reuters has identified an explosion in AI software in China that crunches big surveillance data, and rising demand from police and civil authorities around the country for the equipment. Vast quantities of data used to require human input to organize. The new software is built around the “one person, one file” concept, which facilitates the tracking of individuals. Since the first patent application in 2016, at least 28 firms have entered the market for file archiving and image clustering algorithms for facial recognition, extracting data from social media, and details on relatives, social circles, vehicle records, marital status and shopping habits.

Google has banned dozens of apps from its Google Play store after finding embedded software that secretly harvested users’ data, including location and personal identifiers, IAPP News reports. The code, developed for Android and present in millions of devices worldwide, was written by Measurement Systems, which reportedly has links to a Virginia defense contractor.

Major email marketer Mailchimp has reported a data breach after hackers exploited a weakness in an internal customer support and account administration tool, TechCrunch says. A social engineering attack led to 300 client accounts being compromised, 102 of which lost audience data; customers from the cryptocurrency and finance sectors were targeted. Mailchimp says it detected the breach quickly and has taken steps to ensure it won’t happen again.

Controversial facial recognition startup Clearview AI is looking to expand beyond providing services to police forces, AP News reports. In March it reportedly offered its services for free to the Ukrainian military to help identify casualties and prisoners using images scraped from the Russian social media website VKontakte, and it now plans to offer a new “consent-based” product, using its algorithms rather than its 20 billion-image library, to banks and other private businesses for identity verification purposes.

The post Weekly digest April 4 – 10, 2022: EU data governance, digital products security, US law enforcement outreach & privacy appeared first on TechGDPR.

Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy
https://techgdpr.com/blog/weekly-digest-07122021-data-volunteerism-two-factor-authentication-cookie-deluge-remote-clinical-trials/
Tue, 07 Dec 2021 08:00:49 +0000

The post Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy appeared first on TechGDPR.
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Commission approved the political agreement reached between the EU Parliament and EU Member States on a European Data Governance Act. Three-way negotiations have now concluded, paving the way for final approval of the legal text. The Data Governance Act will create the basis for a new system of data governance in accordance with EU rules, the GDPR, and consumer protection and competition rules. More data will be available and exchanged in the EU, across sectors and Member States. It aims to boost data sharing and the development of common European data spaces, such as manufacturing or health, as announced in the European strategy for data. The regulation includes:

  • increasing trust in data sharing in order to lower costs, 
  • allowing novel trustworthy data intermediaries for data sharing,
  • facilitating the reuse of certain data held by the public sector (e.g. health data for clinical research on rare or chronic diseases),
  • giving users control over the data they generate (e.g. data volunteerism, where companies and individuals make their data available for the wider common good under clear conditions).

On 1 December, a new law regulating data protection and privacy in telecommunications and telemedia (the TTDSG) came into effect in Germany. It contains updated provisions on digital legacy, privacy protection for terminal equipment and consent management. For example, it aims to stem the cookie deluge and give website visitors more control over the data a website collects. It also intends to provide more clarity in the regulatory jungle of the GDPR, the ePrivacy Directive, the German Telemedia Act and the German Telecommunications Act, Herbert Smith Freehills LLP reports. Other key takeaways for companies from the TTDSG are:

  • All technologies except those that are “strictly necessary” (e.g. marketing cookies, local storage or other storage locations on users’ devices) may only be activated once explicit consent has been obtained.
  • The scope of application of consent management platforms has been extended (e.g. storage of information that is not personal data is also subject to consent).
  • The TTDSG also applies to apps, messenger services, smart home devices, and the IoT.

EU Member States may allow consumer protection associations to bring representative actions against infringements of the GDPR, according to a CJEU Advocate General. Those actions must be based on infringements of data subject rights derived directly from the regulation. In the related case, the Federation of German Consumer Organisations complained that Facebook Ireland made free games supplied by third parties available in the platform’s App Centre without clear information to users on data processing purposes. The GDPR does not preclude national legislation which allows consumer protection associations to bring legal proceedings on the basis of unfair commercial practices and consumer protection. In the AG’s view, “Member States may provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement confers subjective rights on data subjects”.

The Irish Council for Civil Liberties, the ICCL, has launched a formal complaint against the EU Commission before the European Ombudsman. The complaint has two components:

  • the Commission has failed to properly monitor the application of the GDPR, and
  • it has neglected to act against Ireland’s failure to properly apply the GDPR.

The ICCL revealed that 98% of Ireland’s major cross-border cases remain unresolved. As a result, EU enforcement against Google, Facebook, Microsoft, Apple and other Big Tech firms is paralysed. The Data Protection Commissioner is the “lead supervisory authority” under the GDPR for Big Tech firms that have their European headquarters in Ireland, and no other enforcer in the EU can intervene once the Irish regulator takes the lead role. The ICCL has repeatedly alerted the Irish Government to its responsibilities, and has testified on this point in Parliament.

Official guidance

The French CNIL has published updated recommendations on remote quality control of clinical trials, taking into account the current Covid-19 crisis. Quality control, or monitoring, consists of verifying the completeness and accuracy of the data transmitted by investigation centres to sponsors in order to ensure the reliability of the study results. In particular, a clinical researcher acting on the sponsor’s behalf checks source documents (medical files, laboratory analysis reports) and compares them with the observational data collected by the investigator. Data confidentiality plays a key role in the process, as the person in charge of quality control should only have access to the personal data necessary to perform the checks.

In the current health context, the CNIL had previously considered that it was not necessary to file an authorisation request if remote monitoring was implemented. It was the responsibility of data controllers and their subcontractors to document the solutions they chose during this period and to be able to demonstrate that these presented sufficient guarantees for the rights and freedoms of the persons concerned. However, all studies initiated as of January 1 will require an authorisation request to be filed with the CNIL. Also, for ongoing studies, the information note must be updated and submitted to the persons concerned (directly, by post, or in a call), with the patient’s non-objection documented in their medical file. Thus, the medical file of a person who has objected cannot be subject to remote quality control.

“Two protections are better than one!” The CNIL has also published guidance on two-factor authentication: “Banking, e-commerce, electronic messaging, social networks: everyone has personal accounts on many websites. Each of them contains personal data, some of which are particularly sensitive”. In two- or multi-factor authentication, “what you know” (a username/password) is combined with “what you have” (a single-use code, a USB token, a smart card). Since the end of 2019, banks and payment service providers in the EU have had to implement multi-factor authentication for most remote actions (adding a transfer beneficiary, ordering cheque books, changing an address). The CNIL recommends activating multi-factor authentication whenever a service offers it, even though it remains vulnerable to certain sophisticated attacks such as real-time phishing, interception of SMS messages containing authentication codes, or SIM swapping.

Data breaches, investigations and enforcement actions

The UK Information Commissioner’s Office (ICO) fined EB Associates Group 140,000 pounds for over 107,000 illegal pension cold calls. The Government banned the practice in 2019 to stop people being scammed out of their life savings. The ICO has ordered EB Associates to stop making further illegal calls or face court action. EB Associates did not have valid consent, freely given, specific and informed, to instigate these calls. Instead, knowing the cold-calling ban was in place, EB Associates contracted lead generators (paying up to 750 pounds per referral) to make the calls in order to try to bypass the law.

The ICO has also fined the Cabinet Office 500,000 pounds for disclosing the postal addresses of the 2020 New Year Honours recipients online. The Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information. In 2019 the Cabinet Office published a file on the governmental website containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions as well as celebrities across the UK were affected. After becoming aware of the data breach, the Cabinet Office removed the web link to the file. However, the file was still cached and accessible online to people who had the exact webpage address. The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.

The Italian regulator Garante sanctioned a public transportation company over the remote monitoring of workers. An employee complained about the monitoring of staff through the telephone management system of the call centre dedicated to customer care. The company had justified the use of these tools by the need to verify quality standards and manage complaints, specifying that it had informed the workers and trade unions. Following an inspection, it emerged that the employees had not in fact been adequately informed. Furthermore, the system was not limited to managing telephone calls: it also allowed calls to be recorded and replayed, and other information, such as call duration, numbers contacted, and the date and time of each call, to be stored for an unspecified time. Considering the cooperation offered by the company and the immediate deactivation of the system, the authority applied a fine of 30,000 euros.

The Spanish regulator AEPD imposed a fine of 20,000 euros on a business support services company for violating Art. 5 of the GDPR through the unlawful use of fingerprints in changing rooms and toilets. The investigation was initiated following a claim against the installation of fingerprint readers at workplace entrances and exits. Fingerprints fall into a special category of personal data, biometric data as defined in Art. 4 of the GDPR. The use of fingerprints to access changing rooms and toilets was a repeated and continuous unjustified interference in the rights and freedoms of employees, DataGuidance reports.

The Romanian regulator ANSPDCP fined a call centre (a data processor) 2,000 euros for violating Art. 29 and 32 of the GDPR. The investigation was initiated by a personal data breach notification transmitted by an operator (the data controller). The breach occurred when a call centre employee erroneously sent one of the operator’s clients an Excel file containing the data of the operator’s customers who had Internet Banking services. This led to the unauthorised disclosure of, or unauthorised access to, personal data such as e-mail address, username, user ID, telephone number, customer name and customer code of 11,169 individuals. It was established that the call centre, as the party authorised by the operator, had not taken appropriate measures to ensure that persons acting under its authority with access to personal data processed it only on the specific instructions of the data controller.

In Lithuania, the data protection inspectorate (VDAI) fined car rental company Prime Leasing UAB 110,000 euros for violating Art. 32 of the GDPR, the obligation to ensure the security of the processing of personal data. The company’s customers complained that their personal data had been disclosed on a public forum website. The data had in fact been obtained from an unprotected database backup. Prime Leasing had not assessed the associated risk, claiming it was unaware that the file existed in its infrastructure. The VDAI found that the data of around 110,302 users had been disclosed, including names, addresses, telephone numbers, emails, personal identification numbers, payment card type, the last four digits of payment cards and payment card expiry dates. According to the inspectorate, the confidentiality of the personal data stored in the file should have been protected by at least one of the following basic security measures:

  • authenticated access to the file only for the company’s employees; 
  • connecting to the repository only from the company’s internal computer network; 
  • storage of the file in encrypted form (with the encryption keys entrusted only to authorised company employees), or proper monitoring of information resources.

The Danish data protection agency has published (only in Danish) a Christmas calendar with 24 “doors” on data protection and security breaches. The first week of December’s doors covered cases relating to health data, webshops and bank hacking, followed by the latest analytics and infographics. Many more doors to open before Christmas Eve!

Opinion

The importance of cybersecurity risk management in private equity (PE) is analysed by Ropes & Gray LLP:

“As PE firms can potentially hold large amounts of personal data from their portfolio companies, they are not immune from cyber risk. Indeed, the GDPR permits national authorities to fine “undertakings” as a whole, which means that parent companies may be fined for infringements of their subsidiaries.”

According to the analysis, this is a consequence of the commercial reality that increasing competition limits the time available for pre-deal due diligence; as a result, cyber due diligence in competitive auctions usually takes place post-deal. As a recent example, in 2020 the UK data protection authority fined Marriott 18.4 million pounds over a cyber-attack stemming from a vulnerability in the data processing systems of Starwood, a company Marriott acquired in 2016. PE firms should therefore test their resilience against realistic mock scenarios that they or their portfolio companies might face, such as a supply chain compromise or an extortion-based attack.

Data security

What can starling murmuration teach us about better managing data privacy? Analysis by Gilbert + Tobin lawyers from Australia: “It is not just a pretty stunt; rather, it is an illustration of how optimal outcomes can be produced when intelligence is aggregated and utilised at a group level, an emerging concept known as swarm intelligence”.

Following this idea, machine learning techniques are applied to information sharing across a secure, decentralised and privacy-preserving network so that intelligence develops at group level. Individual systems upload the insights and knowledge they produce to a common network, which incrementally refines a core model that all participants can use; the data itself stays stored locally and only the insights are shared and used centrally. Read more, including a case study on medical applications, in the original publication.
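As an added illustration of that mechanism (my own toy code, not from the Gilbert + Tobin analysis), the following federated-averaging loop has each participant fit a small linear model on constructed local records and send back only its parameters, which a coordinator averages into the shared core model; the participant count, rounds and learning rate are arbitrary choices.

```python
import random
from typing import List, Tuple

Record = Tuple[List[float], float]  # (features, label); stays on the participant's node

# Hidden ground truth used only to construct the participants' local datasets.
TRUE_WEIGHTS = [2.0, -1.0]
TRUE_BIAS = 0.5


def make_local_dataset(seed: int, n: int = 40) -> List[Record]:
    """Constructed records for one participant (think: one hospital's patients)."""
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)]
        y = sum(w * xi for w, xi in zip(TRUE_WEIGHTS, x)) + TRUE_BIAS + rng.gauss(0.0, 0.05)
        records.append((x, y))
    return records


def local_update(weights: List[float], bias: float, records: List[Record],
                 lr: float = 0.1, epochs: int = 5) -> Tuple[List[float], float]:
    """Participant side: a few epochs of gradient descent on mean squared error.
    Only the refined parameters are returned; the records never leave this function."""
    w, b = list(weights), bias
    n = len(records)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * len(w), 0.0
        for x, y in records:
            err = sum(wi * xi for wi, xi in zip(w, x)) + b - y
            for i, xi in enumerate(x):
                grad_w[i] += 2.0 * err * xi / n
            grad_b += 2.0 * err / n
        w = [wi - lr * g for wi, g in zip(w, grad_w)]
        b -= lr * grad_b
    return w, b


def federated_average(updates: List[Tuple[List[float], float]],
                      sizes: List[int]) -> Tuple[List[float], float]:
    """Coordinator side: size-weighted mean of the submitted parameters.
    It sees parameter vectors and record counts, never the records themselves."""
    total = sum(sizes)
    dim = len(updates[0][0])
    w = [sum(u[0][i] * s for u, s in zip(updates, sizes)) / total for i in range(dim)]
    b = sum(u[1] * s for u, s in zip(updates, sizes)) / total
    return w, b


def mse(weights: List[float], bias: float, records: List[Record]) -> float:
    """Mean squared error of a model on a set of records (used to check the result)."""
    return sum((sum(wi * xi for wi, xi in zip(weights, x)) + bias - y) ** 2
               for x, y in records) / len(records)


def run_federated(participants: int = 4, rounds: int = 30) -> Tuple[List[float], float]:
    """Run the full protocol and return the shared core model."""
    datasets = [make_local_dataset(seed) for seed in range(participants)]
    w, b = [0.0, 0.0], 0.0
    for _ in range(rounds):
        updates = [local_update(w, b, d) for d in datasets]          # happens on each node
        w, b = federated_average(updates, [len(d) for d in datasets])  # happens centrally
    return w, b


if __name__ == "__main__":
    w, b = run_federated()
    print(f"shared model: weights={[round(x, 3) for x in w]} bias={round(b, 3)}")
    print("recovers the hidden truth", TRUE_WEIGHTS, TRUE_BIAS, "without pooling any records")
```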

Human error is the leading cause of serious data breaches, according to a new report released by New Zealand’s Office of the Privacy Commissioner (OPC). Since reporting of serious privacy breaches became a legal requirement in the country a year ago, the OPC has seen a nearly 300% increase in privacy breach reporting compared to the same 11-month period the year before. Human error has been the leading cause of serious privacy breaches during this period (61%), with email error accounting for over a quarter of those breaches. Other types of human-error breaches reported were accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, and postal and courier errors.

Big Tech

Russia’s communications regulator Roskomnadzor has filed cases against US tech firms Google and Meta that could see fines imposed as a share of their annual turnover in Russia, Reuters reports. Russian law allows companies to be fined between 5% and 10% of annual turnover for repeated violations. Court dates for both companies – neither of which immediately responded to a request for comment – were set for December 24. Russia has increased pressure on foreign tech companies, slowing down Twitter since March and routinely fining others for content violations. Google has paid more than 382,000 euros in fines this year. Google, Twitter and Meta have significantly reduced the number of posts prohibited by Moscow on their platforms. Additionally, Russia demanded that 13 foreign and mostly US tech companies be officially represented on Russian soil by the end of 2021 or face possible restrictions or outright bans.

The UK competition authority, the CMA, is demanding that Facebook sell Giphy, citing risks to users’ data. Facebook, the largest provider of social media sites and display advertising in the UK, acquired Giphy, the largest provider of GIFs, in 2020. The merger would further increase Facebook’s dominance, and Facebook would benefit from Giphy’s data collection practices and integration with other services. With the acquisition of Giphy, Facebook could limit the ability of rival apps to compete with it in social media and could demand individuals’ data as a condition for rival companies to use Giphy. In particular, through the acquisition of Giphy, Facebook would potentially be able to:

  • obtain users’ personal data processed via Giphy and potentially combine it with the vast amount of data it already processes to profile users and predict their behaviour;
  • by modifying Giphy’s API, increase the categories of personal data collected;
  • impose on clients (including Facebook’s competitors in the social media market) conditions for the use of Giphy, preventing clients from protecting their users’ data;
  • increase its capacity to deliver targeted ads both to Giphy’s users and to internet users outside Facebook’s platform and services through increased tracking.

The Australian Competition and Consumer Commission is also reviewing the Facebook/Giphy merger.

Facebook plans to force more at-risk accounts to use two-factor authentication. The platform joins Google and others in requiring stronger protections for its most vulnerable users. Facebook’s parent company, Meta, has required since last year that advertising accounts and administrators of popular pages turn on two-factor authentication. “While Meta says that its current initiative applies only to the politicians, activists, journalists, and others enrolled in its Facebook Protect program, this seems like a sort of test for figuring out how to make two-factor authentication as easy as possible for everyone to turn on. Meta is also working to make sure it can help troubleshoot any related issues that may arise for users around the world”, Wired reports.
