Data protection by design Archives - TechGDPR
https://techgdpr.com/blog/tag/data-protection-by-design/
Tue, 03 Dec 2024 11:50:33 +0000

Data protection digest 16-30 Nov 2024: Electronic patient records as a holistic picture of your health?
https://techgdpr.com/blog/data-protection-digest-03112024-electronic-patient-records-as-a-holistic-picture-of-your-health/
Tue, 03 Dec 2024 08:46:59 +0000

Electronic patient records (ePA) in Germany

From 2025, people covered by health insurance in Germany will be able to use the electronic patient record (ePA, from the German name) voluntarily and free of charge. The record gathers information about a person's medical history digitally in a single place, and patients decide for how long someone is granted access to it. The information includes test results and diagnoses as well as treatment reports and information about recommended treatments.

Reportedly, the ePA will be subject to test criteria developed by the German Federal Office for Information Security (BSI). Data will be processed in encrypted form in a technically secure and trustworthy environment, and no other authority should get access to it. When a patient changes health insurer, the ePA data will be transferred automatically and securely, together with all existing objections and substitutions. Patients can also add their own information, such as a pain diary or old results that they hold only on paper.


More legal updates

Data scraping on Facebook: In Germany, the Federal Court of Justice ruled on a case dating back to 2021, when data of around 533 million Facebook users from 106 countries was published on the Internet. The platform had not taken sufficient security measures: depending on a user's searchability settings, a profile could be found using the telephone number.

Unknown third parties entered randomised sequences of numbers on a large scale via the contact import function and so harvested the publicly available profile data. The court decided that the plaintiff's claim for compensation for non-material damage could not be denied. According to the privacy advocacy group NOYB, this decision is in line with the clear provisions of the GDPR (Art. 82, right to compensation and liability) and several CJEU rulings; German courts had previously refused damages in data protection cases as a matter of routine.

NIS2 guidance: ENISA has made available its draft implementing guidance on the cybersecurity risk-management measures required by the NIS2 Directive. It can be useful not only for regulated service providers but also for other public or private actors wishing to maintain compliance and streamline audits. A mapping table correlates each requirement with European and international standards or frameworks (ISO/IEC 27001:2022, ISO/IEC 27002:2024, NIST Cybersecurity Framework 2.0, ETSI EN 319 401 V2.2.1 (2018-04), CEN/TS 18026:2024) and with national frameworks.

In parallel, the Cyber Resilience Act was published in the Official Journal of the EU, setting uniform cybersecurity requirements for the development, production and distribution of hardware and software products, and of remote data processing solutions, placed on the EU market. It overlaps with other pieces of EU legislation, including the NIS2 Directive, the AI Act and DORA, according to a DLA Piper analysis. The Act provides for a transition period of three years ending in December 2027.

Short-term vehicle rental

The data protection authorities of the Baltic States conducted a joint preventive inspection to assess the compliance of the short-term vehicle rental industry. The main problem was the lack of transparency – companies were unable to provide data subjects with clear and understandable information. Some companies chose an inappropriate legal basis or were unable to sufficiently justify its adequacy.

In some cases, the same legal basis was used for all data processing activities; in others, customer data was not deleted according to the established criteria. Finally, some companies processed facial images for customer identification on the basis of the data subjects' consent, without offering an alternative.

More official guidance

Data protection by design: Once again the Latvian data protection agency DVI has issued a reminder that when processing personal data, organisations must ensure that their processing complies with the principles of data protection by design and by default. This principle means that technologies are designed so that the user's data is processed only to the minimum extent and only for as long as necessary, without requiring the user to take special steps to protect their privacy.

In a broader sense, such measures include any method or means that an organisation may apply in the process of data processing: data pseudonymisation, user-friendly interface and possibilities for users to control their data processing, implementation of malware detection systems, employee training on the basics of cyber hygiene, establishing privacy and information security management systems, and determination of contractual obligations for processors. 

Data access response: When a data subject access request is made, an organisation must take reasonable steps to comply. This includes identifying all relevant filing systems and databases, as well as using appropriate search parameters that are considered reasonably likely to find information relating to the person. Organisations must be able to demonstrate why they consider the search parameters used to be reasonable and must also be able to explain why any filing systems or electronic databases have not been searched. Otherwise, data subjects will be unable to understand the full extent of the data being used, states the Guernsey data protection authority, based on a recent enforcement case. 


MS Copilot

The Norwegian regulator looked at which assessments the Norwegian University of Science and Technology should make before Microsoft’s AI assistant is put into use. M365 Copilot sits on top of Microsoft’s M365 cloud solution. It is a prerequisite that the organisation carries out all necessary security and privacy assessments relating to the M365 platform itself. Responsibility for the data used in the Copilot rests with the businesses that use the tool. 

In the next step, the purposes, tasks and legal bases associated with the personal data processing must be identified. Additionally, a data protection impact assessment is required when generative AI processes personal data and logs all interactions. It is therefore important to assess whether other AI solutions (e.g. locally installed ones) with a lower privacy risk can meet the specific needs. Finally, structured monitoring must be set up to follow up on the solution and the quality of what it produces over time.

Identity card as a loyalty card

The Belgian DPA has imposed a series of corrective measures on Freedelity, a company specialising in the collection and pooling of consumer identity and contact data in partnership with various retailers. Freedelity keeps the electronic identity card number, the municipality of issue and the card's expiry date, although this data is of no relevance to Freedelity or to the customer's relationship with the brands. The data is mainly collected through terminals that Freedelity makes available to retailers, which then store, share and use customers' data for marketing and customer relationship management purposes.

One of the brands requires acceptance of Freedelity's terms and conditions in order to benefit from commercial advantages. Another brand considers that a customer inserting their identity card into a Freedelity terminal amounts to consent by default to the processing of their data for three distinct purposes. Some brands do not mention, for example, the "data sharing" processing when asking the consumer for consent. Additionally, the mechanisms put in place by Freedelity and its partners to withdraw consent are not sufficiently accessible or intuitive.

More enforcement decisions

AI-powered cameras: Cameras equipped with AI offer new methods of analysis to assist professional drivers, notes the French regulator. In most cases, the employer’s legitimate interest appears likely to be concentrated on ensuring the safety of goods and people. The measures implemented should not lead to continuous monitoring of employees during their working hours. Only the data necessary to generate an alert in real-time can be processed.

Neither the images nor the technical data, (timestamp, geolocation, alert type), generated as part of the alert should be retained.

X's Grok: The Norwegian authority is looking at X's training of AI models, including the generative chatbot Grok, on users' posts. Last summer it became clear that X had trained its AI models on users' posts without informing them; the setting was pre-ticked in the user settings. X paused the processing of EU/EEA users' posts for AI training purposes after 1 August. Now, however, X has resumed the processing. According to X, it uses the separate company xAI as a service provider to process X posts as well as Grok interactions, inputs and results in order to train and fine-tune its AI.

Platform workers: The Italian Garante has ordered Foodinho, a company of the Glovo group, to pay 5 million euros for having unlawfully processed the personal data of over 35,000 delivery riders through its digital platform. The authority has prohibited the further processing of riders' biometric data (facial recognition) used for identity verification.

Also, through direct access to its systems, the company carries out various automated processing operations on riders' data, for example the so-called excellence system (a score that gives priority in booking a work shift), the order assignment system within a shift, and the deactivation or blocking of accounts.

Meta will give users more options

Users of Facebook and Instagram will in future be able to use the services for free while receiving ads based on less personal data than before (namely age, location and gender). The prices of the monthly subscriptions will also be reduced. In this low-data setting, Meta plans to introduce ad breaks to allow advertisers to reach a wider audience, meaning that some ads will be unskippable for a few seconds. Such a practice is already used by many of Meta's competitors. The new option will apply in the EU, the EEA and Switzerland.

From chatbots to adbots

Privacy International investigates how AI giants want to monetise their tools to cover their high costs, and advertising appears to be a component of many of these schemes. Microsoft, for example, is experimenting with advertising formats through its Ads for Chat API. Amazon's latest shopping chatbot, Rufus, aims to proactively recommend products based on what it knows of the user's habits and interests.


As a result, the sponsored chatbot outputs can be far more invasive because they can be based on far more intimate information collected over time about the user and how they behave and react. 

Privacy by Design for Technology Development Teams
https://techgdpr.com/blog/privacy-by-design-for-technology-development-teams/
Wed, 03 Aug 2022 12:22:14 +0000

The concepts of Privacy by Design and Privacy by Default, outlined in Article 25 of the GDPR, are crucial aspects of GDPR compliance for technology developers. The requirements for implementing these concepts are quite extensive. As Art. 25(1) states,

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Essentially, data controllers need to consider data protection throughout the core of their organisational activities. As such, those who work to create technologies involved in data processing must consider the implications of their software in the context of the GDPR. While Data Protection by Design and Data Protection by Default are separate concepts, they are complementary. Implementing Data Protection by Design makes achieving Data Protection by Default much easier, with the reverse being true as well.

Building privacy into the heart of data processing operations and systems is part of Privacy by Design, while ensuring that the data subject's rights are protected as a matter of standard operations is part of Privacy by Default. These concepts existed long before the GDPR came into force, but under the GDPR they became binding requirements.

Achieving Privacy by Design and Privacy by Default is not a simple process when one’s main focus is developing and delivering products. As such, familiarity is of the essence. 

What are the most important considerations involved with these concepts, and how may the teams that build data processing systems implement them?


What is Privacy by Design? 

The concept of Privacy by Design was created by Ann Cavoukian in the 1990s and presented in her 2009 “Privacy by Design: The Definitive Workshop.” As Cavoukian stated, the concept of privacy by design encompasses more than just technology. Rather, Privacy by Design dictates that privacy is taken into account throughout the design process and operations of broader organisations and systems. There are seven foundational principles which constitute the basis of Privacy by Design:

  1. Measures are proactive rather than reactive. They anticipate risks and try to prevent them from occurring, rather than allowing invasions of privacy and minimising them after the fact. These measures are woven into the culture of an organisation. 
  2. Privacy is protected by default. Personal data is protected without requiring the data subject to act. In practice, the most intrusive features of an app, such as geolocation tracking when the user has not asked for it, are turned off when the product is first installed or, better yet, every time the app is launched.
  3. Privacy is embedded into the design of systems and organisations. It is not an afterthought, but an essential part of a system's functionality. Retrofitting privacy can be quite costly, so planning for it rather than redesigning to accommodate it is a wise cost management strategy.
  4. Privacy is not implemented to the detriment of other interests, but rather accommodates all legitimate interests with full functionality.
  5. Privacy is extended throughout the lifecycle of all the data collected.  
  6. Data processing activities are visible and transparent. The business practices and technologies involved are clear to both users and providers.  
  7. Measures for privacy are user-centric: the interests of data subjects are at the forefront of operations. 

Cavoukian stresses that ensuring privacy does not come at the cost of other critical interests, but rather ought to complement other organisational goals. 

But how does a team implement these foundational principles into their technological design?

Methods of Implementing and Measuring Data Protection by Design for Technology Developers

The European Data Protection Board adopted guidelines for Data Protection by Design and by Default on 20 October 2020. These guidelines clarify how to implement the requirements of Article 25 in organisations that process personal data. 

Certain techniques, such as pseudonymisation, noise addition and substitution, can help increase the privacy of an individual data subject, while measures such as k-anonymity, l-diversity, t-closeness and differential privacy give key information about the privacy of a data set. Individuals working to achieve Privacy by Design should think of these as tools they can use, not as complete solutions in and of themselves. 

  • Pseudonymisation replaces direct identifiers, such as names, with codes or numbers, so that the records belonging to one individual can still be linked together without that individual being directly identified. Under the GDPR (Art. 4(5)) the additional information needed to re-attribute the data, such as a lookup table or a secret key, must be kept separately and protected. Pseudonymised data is still personal data within the scope of the GDPR. Truly anonymous data, that is, data which cannot be linked back to a data subject, is not personal data and its processing does not fall under the GDPR; pseudonymised data differs in that it can potentially be re-linked to a data subject, even if only in a difficult or indirect way, and is therefore still subject to the GDPR. 
  • Noise addition is often used in conjunction with other anonymisation techniques. Attributes which are both confidential and quantitative are added to or multiplied by a random number. Noise addition still allows an individual's record to be singled out, even if the individual is not identifiable, and it still allows the records of one individual to be linked, even if those records are now less reliable. Such linkage may also attach an artificially introduced value to an individual. 
  • Substitution is another method of pseudonymisation, in which a piece of data is replaced with a different value. Like noise addition, substitution ought to be used in conjunction with other data protection measures in order to ensure that data subjects' rights are protected. 
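The following is an added example, not part of the TechGDPR article, illustrating why the pseudonymisation described above keeps data inside the GDPR. A "code" derived from an identifier with an unkeyed hash is only as secret as the input space: a telephone number drawn from a known numbering plan can be recovered by hashing every candidate. A keyed hash (HMAC) under a secret key that is stored apart from the data still lets the same number map to the same pseudonym, so records remain linkable, but an attacker without the key cannot rebuild the table. The numbering space ("+4930" plus five digits) and the sample number are constructed for the example and are assumptions, not anything from the article.

```python
import hashlib
import hmac
import secrets

# Constructed toy numbering space: "+4930" followed by five digits (100,000 candidates).
# Real numbering plans are larger, but still small enough to enumerate offline.
PREFIX = "+4930"
DIGITS = 5


def naive_pseudonym(phone: str) -> str:
    """Unkeyed SHA-256: looks opaque, but anyone can recompute it for every candidate number."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_pseudonym(phone: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the pseudonymised data
    (the 'additional information' of GDPR Art. 4(5)). Same phone and key give the
    same output, so records stay linkable; without the key the table cannot be rebuilt."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def new_key() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG; keep it in a KMS/HSM, not next to the data."""
    return secrets.token_bytes(32)


def candidates():
    """Every number in the toy numbering space, e.g. '+493000000' .. '+493099999'."""
    for n in range(10 ** DIGITS):
        yield f"{PREFIX}{n:0{DIGITS}d}"


def reverse_naive(pseudonym: str):
    """Attacker's view of an unkeyed hash: hash each candidate and compare.
    Returns the recovered phone number, or None if it is outside the space."""
    for phone in candidates():
        if naive_pseudonym(phone) == pseudonym:
            return phone
    return None


def reverse_keyed(pseudonym: str, guessed_key: bytes):
    """Same attack against the keyed pseudonym: only succeeds if guessed_key is the real key."""
    for phone in candidates():
        if hmac.compare_digest(keyed_pseudonym(phone, guessed_key), pseudonym):
            return phone
    return None


if __name__ == "__main__":
    phone = "+493004217"          # constructed sample number inside the toy space
    key = new_key()
    print("unkeyed hash recovered:", reverse_naive(naive_pseudonym(phone)))
    print("keyed, wrong key:", reverse_keyed(keyed_pseudonym(phone, key), b"not the key"))
    print("keyed, records linkable:", keyed_pseudonym(phone, key) == keyed_pseudonym(phone, key))
```

The keyed variant is still pseudonymisation, not anonymisation: whoever holds the key can re-identify every record, which is exactly why the key must be held by a separate role and rotated or destroyed when the data is no longer needed.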

Means of measuring the privacy of data 

  • K-anonymity is a form of aggregation. A data set is k-anonymous if every combination of quasi-identifying attributes (for example age, postcode and gender) is shared by at least k records, so that an individual's record is lumped in with a group of at least k and cannot be singled out on those attributes. The value of k is therefore a measure of the degree of anonymity of the data set. K-anonymity is typically reached by generalisation, where a specific value is replaced with a broader one (an exact age replaced with an age range), and by suppression, where a category of data is removed from the data set entirely, which is best suited to cases where that category is irrelevant to the purpose of the processing. It is important to note, however, that k-anonymity by itself does not guarantee that sensitive data will be protected: if everyone in a group shares the same sensitive value, the group reveals it. 
  • L-diversity is an extension of k-anonymity that measures the diversity of sensitive values in a data set. Essentially, l-diversity requires that within each group of records sharing the same quasi-identifiers, at least l distinct values of the sensitive attribute are well represented. In doing so, l-diversity helps to protect a data set against re-identification and attribute-disclosure attacks. This is a helpful consideration in cases where a sensitive attribute in a k-anonymised data set could otherwise be linked back to an individual.
  • T-closeness expands on l-diversity and is, like it, achieved by generalisation. It requires that the distribution of the sensitive attribute within each group (equivalence class) is within a threshold t of the distribution of that attribute in the data set as a whole, which is beneficial where a data set must stay as close as possible to its original form. Like k-anonymity and l-diversity, t-closeness helps to ensure that an individual cannot be singled out in a database, although all three methods still allow for linkability. What l-diversity and t-closeness do which k-anonymity cannot is guarantee that inference attacks against the data set will not succeed with 100% confidence. 
  • Differential privacy aims to protect the privacy of an individual data subject by ensuring that what someone learns from the output of a data analysis is essentially the same with or without that individual's data. This allows data to be processed without an individual's information being singled out or the individual being identified. Differential privacy achieves this through a specific type of randomisation: noise is added to the results of queries (or to the data), with the differential privacy parameters, the privacy budget and the sensitivity of the query, determining how much noise to add. 
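An added example, not from the TechGDPR article, that measures the three properties above on a constructed table of eight records (fictitious patients, chosen to make the effects visible). The raw table is 1-anonymous; generalising age into ten-year bands and blanking the last two postcode digits gives k = 2, but one equivalence class holds only "cancer", so distinct l-diversity is 1 and t-closeness flags that class; widening the age band and suppressing the postcode altogether raises l. The attribute names, band widths and the use of the simplest distinct variant of l-diversity are the author's choices for this example; for a categorical sensitive attribute with unit distance between categories, the earth mover's distance used by t-closeness reduces to the total variation distance computed here.

```python
from collections import Counter, defaultdict

# Constructed sample records (fictitious patients): three quasi-identifiers and one sensitive attribute.
RECORDS = [
    {"age": 34, "postcode": "10115", "sex": "F", "diagnosis": "flu"},
    {"age": 36, "postcode": "10117", "sex": "F", "diagnosis": "asthma"},
    {"age": 31, "postcode": "10119", "sex": "F", "diagnosis": "flu"},
    {"age": 45, "postcode": "10243", "sex": "M", "diagnosis": "cancer"},
    {"age": 47, "postcode": "10245", "sex": "M", "diagnosis": "cancer"},
    {"age": 42, "postcode": "10247", "sex": "M", "diagnosis": "cancer"},
    {"age": 58, "postcode": "10315", "sex": "M", "diagnosis": "flu"},
    {"age": 52, "postcode": "10317", "sex": "M", "diagnosis": "diabetes"},
]
QUASI_IDS = ("age", "postcode", "sex")
SENSITIVE = "diagnosis"


def generalise(record, age_width=10, postcode_digits=3):
    """Generalisation: replace the exact age with a band and blank the trailing postcode digits."""
    lo = record["age"] // age_width * age_width
    out = dict(record)
    out["age"] = f"{lo}-{lo + age_width - 1}"
    pc = record["postcode"]
    out["postcode"] = pc[:postcode_digits] + "*" * (len(pc) - postcode_digits)
    return out


def suppress(record, attributes):
    """Suppression: drop quasi-identifiers the processing purpose does not need."""
    return {k: v for k, v in record.items() if k not in attributes}


def equivalence_classes(records, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r.get(q) for q in quasi_ids)].append(r)
    return classes


def k_anonymity(records, quasi_ids):
    """k = size of the smallest equivalence class; k == 1 means someone can be singled out."""
    return min(len(c) for c in equivalence_classes(records, quasi_ids).values())


def l_diversity(records, quasi_ids, sensitive):
    """Distinct l-diversity: fewest distinct sensitive values in any class.
    l == 1 means a class discloses its members' sensitive value (homogeneity attack)."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records, quasi_ids).values())


def t_closeness(records, quasi_ids, sensitive):
    """t = largest distance between a class's sensitive-value distribution and the global one.
    With unit distance between categories this is the total variation distance."""
    n = len(records)
    global_dist = {v: c / n for v, c in Counter(r[sensitive] for r in records).items()}
    worst = 0.0
    for cls in equivalence_classes(records, quasi_ids).values():
        local = Counter(r[sensitive] for r in cls)
        tvd = 0.5 * sum(abs(local.get(v, 0) / len(cls) - global_dist[v]) for v in global_dist)
        worst = max(worst, tvd)
    return worst


def assess(records, quasi_ids=QUASI_IDS, sensitive=SENSITIVE):
    """Summarise k, l and t for a (possibly generalised) table."""
    return {"k": k_anonymity(records, quasi_ids),
            "l": l_diversity(records, quasi_ids, sensitive),
            "t": round(t_closeness(records, quasi_ids, sensitive), 3)}


if __name__ == "__main__":
    print("raw:", assess(RECORDS))
    banded = [generalise(r) for r in RECORDS]
    print("10-year bands, 3 postcode digits:", assess(banded))
    coarse = [suppress(generalise(r, age_width=20), {"postcode"}) for r in RECORDS]
    print("20-year bands, postcode suppressed:", assess(coarse, ("age", "sex")))
```

Running it shows the point the text makes: the middle table is 2-anonymous yet tells anyone who knows a man in his forties from postcode 102xx that he has cancer (l = 1, t = 0.625), and only the coarser generalisation brings every class to at least two distinct diagnoses. Which k, l and t are acceptable is a risk decision that depends on the purpose of the processing and on what auxiliary data an attacker could plausibly hold.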

Privacy Design Strategies

Researchers have identified eight privacy design strategies, divided into two groups: data-oriented strategies and process-oriented strategies. Data-oriented strategies include: minimise, hide, separate, and abstract. These strategies focus on how to process data in a privacy-friendly manner. Process-oriented strategies include: inform, control, enforce, and demonstrate. These strategies focus on how an organisation can responsibly manage personal data. Article 5 of the GDPR identifies the basic principles to follow when processing personal data: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. These principles help guide the strategies, which can be exemplified by the concepts and methods of pseudonymisation, noise addition, substitution, k-anonymity, l-diversity, t-closeness, and differential privacy. These methods and processes of measuring privacy should stand as part of larger efforts to work to implement data protection into the fabric of data processing operations. 

How can technology developers learn more about Privacy by Design and Default?

Data Protection by Design and Data Protection by Default are fundamental concepts to adhere to under the GDPR. Teams which keep these concepts in mind at every level of their organisations will keep the rights of data subjects at the forefront of their operations, and thus go further in working towards GDPR compliance. Technology developers have a special role in making sure that their products have the capacity to be used in a GDPR compliant manner, and thus should have extensive familiarity with these concepts. Those interested in learning more about GDPR compliance, from the perspective of what a technology developer should consider, can participate in TechGDPR’s Privacy & GDPR Compliance Course for Developers. This course delves into what individuals working in technology development need to know about data protection so they can better understand their own duties and responsibilities under the requirements of the GDPR. 
