data reuse Archives - TechGDPR
https://techgdpr.com/blog/tag/data-reuse/

Data protection & privacy digest 2 – 15 Aug 2022: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring
https://techgdpr.com/blog/data-protection-digest-16082022-commercial-surveillance-sensitive-data-by-comparison-worker-electronic-monitoring/
Tue, 16 Aug 2022

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring, farming data

The CJEU’s recent decision may have a major impact on digital services that use background tracking and profiling to target users with behavioural ads, TechCrunch reports. The EU top court’s decision related to Lithuania’s anti-corruption law. It found that the provisions requiring online disclosure of data contained in the declarations of private interests of directors of institutions receiving public funds (including data concerning the declarant’s spouse, cohabitee, partner, etc.) are contrary to the fundamental rights to privacy and data protection in the EU. The court held that publishing online the names of relatives and associates and their significant financial transactions is not strictly necessary for the objective pursued, and that such data may constitute highly sensitive data “by comparison”.

It is likely to reveal information on sensitive aspects of the private life of the persons concerned and to make it possible to draw up a particularly detailed portrait of them, including their sex life and sexual orientation (Art. 9 of the GDPR). Finally, such processing results in this data being freely accessible on the internet to a potentially unlimited number of people. Some privacy law experts therefore suggest that the judgment’s broad definition of what constitutes sensitive data (one that covers data from which sensitive information can be deduced by comparison) potentially captures a wide range of online processing, including online ads, dating and health apps, location tracking and more, TechCrunch concludes.

In the US, the Federal Trade Commission (FTC) is seeking public comment ahead of possible rulemaking on the prevalence of commercial surveillance and data security practices that harm consumers. The Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies a) collect, aggregate, protect, use, analyse and retain consumer data, and b) transfer, share, sell or otherwise monetise that data in ways that are unfair or deceptive. The permissions that consumers give may not always be meaningful or informed: studies have shown that most people do not understand the market for consumer data that operates beyond their screens, the FTC states. Many privacy notices that acknowledge such risks are reportedly not readable by the average consumer, let alone a minor. These practices, which nowadays rely heavily on automated systems, may have significant consequences for consumers’ wallets, safety and mental health.

The EDPS published its opinion on the proposal for a regulation converting the Farm Accountancy Data Network into a Farm Sustainability Data Network (FSDN). The proposal aims to regulate the processing of personal data in the context of the collection of individual farms’ economic, environmental and social data, as well as the further management and use of such data. The EDPS notes positively that where individual data is shared by the Commission or liaison agencies, the farmers’ data and all other individual details obtained would be anonymised or pseudonymised. However, the EDPS considers that the proposal does not provide a specific reason of public interest justifying the publication of personal data in identifiable form, even if the data were to be pseudonymised prior to publication.

The EDPS therefore recommended specifying that only duly anonymised FSDN data may be made publicly available. At the same time, the regulator considered it important to preserve a clear distinction between the two concepts, since pseudonymous data can still be related to an identifiable individual and therefore remains personal data. Moreover, the EDPS considered it unclear whether the proposal refers only to the exchange of data between the national liaison agencies and the Commission, or also extends to sharing data with the general public or otherwise making it available for reuse. Finally, the interoperability provisions should identify all the IT tools and linked databases, the data protection roles and responsibilities, and the applicable safeguards. Read the full opinion here.

Meanwhile, Ontario provided updated guidance on new legislation that requires employers to have an electronic monitoring policy for workers. “Electronic monitoring” may include GPS systems that track employee movement, sensors that track how quickly an employee performs a task, or tracking the websites an employee visits during working hours. The policy must include:

  • a statement as to whether or not the employer electronically monitors employees;
  • how the employer may electronically monitor employees;
  • the circumstances in which the employer may electronically monitor employees;
  • the purposes for which information obtained through electronic monitoring may be used by the employer;
  • the date the policy was prepared, and the date of any revisions.

Any employer with 25 or more employees in total across all of its locations in Ontario will be required to have a written policy. When determining whether the 25-employee threshold has been met, an employer must count all employees across all of its Ontario locations regardless of hours worked or whether they are full- or part-time, including probationary employees, employees on layoff, leave of absence or strike, and trainees.

Official guidance: use of cloud, sports associations, DPO, government data, customer research

The Danish data protection authority has published a questionnaire (in Danish only) following recent inspections of the use of cloud services by public authorities and private companies. The questionnaire covers most of the points that data controllers must be aware of if they use cloud solutions. It is divided into four parts:

  • know your services,
  • know your suppliers,
  • supervision of suppliers,
  • transfer to third countries.

Furthermore, each part is subdivided into two parts: a) the first part concerns the organisation’s general rules, policies, procedures, etc. to enable the organisation to comply with the relevant data protection rules; b) the second part looks at whether the organisation has followed these policies, etc. with regard to the specific cloud service and provider, and if not, how the organisation ensures compliance with the relevant data protection rules. The questionnaire can be downloaded via this link.

The French regulator CNIL offers amateur sports associations a self-assessment tool to test their compliance with the GDPR. The data subjects in this case include member athletes, athletes of opposing teams, paid or volunteer sports educators, referees, etc. The information collected serves very different uses: keeping the membership file, organising competitions and tournaments, managing the club’s website, etc. The life cycle of the personal information in the files created by sports bodies is likely to include four stages:

  • collection,
  • sharing and exchange, 
  • reuse, 
  • retention and destruction. (You can access the original questionnaire here).

The Dutch data protection authority recommends adjusting the proposed amendment of the Reuse of Government Information Act. The proposal, in which the government encourages public bodies to make government data, including personal data, available for reuse, does not set sufficient limits, raising the risk that personal data is shared without the permission or knowledge of the people involved. Under the proposal, that data must also be machine-searchable and can be combined with other data. Personal data in the country’s Trade Register and the Land Registry is already public, and that is already causing problems: by running an algorithm over it and combining the personal data with other sources, companies can, for example, build profiles of people and sell them.

The Latvian privacy regulator published guidance on the mandatory appointment of a data protection officer. Where a company’s economic activity is directly related to the large-scale processing of personal data, it is obliged to involve a data protection specialist in the organisation of the relevant processes, for example:

  • a company whose main activity is the profiling of natural persons in order to assess their creditworthiness;
  • a security company that uses video surveillance of publicly accessible areas as part of its core service;
  • a company that analyses customer behaviour (products a customer has viewed, purchased, etc.) in order to send targeted marketing communications;
  • a person who conducts customer due diligence (“customer research”) for the purpose of preventing money laundering;
  • the operator of a mobile app that processes users’ geolocation data;
  • a company that collects customer data as part of a loyalty programme;
  • a person who monitors clients’ well-being, physical fitness and health data through wearable devices;
  • a company that processes information obtained from IoT-connected devices (smart meters, connected cars, home automation devices, etc.).

Further guidance from the Latvian privacy regulator concerns the prevention of money laundering and the financing of terrorism and arms proliferation. Under the country’s legislation, obliged entities must conduct customer due diligence (“customer research”) before starting a business relationship and throughout it. Since customer due diligence applies not only to legal entities but also to natural persons, the regulator explains the new procedures governing the licensing of shared customer research tools for service providers and the monitoring of their operation. Because personal data will be processed in such a tool, the privacy regulator has the following powers:

  • re-registering, suspending or cancelling the service provider’s licence;
  • inspecting the customer research tool service;
  • obtaining, free of charge, the information and documents from the service provider needed to verify its operation or to consider a customer complaint about it;
  • requiring that information erroneously or unlawfully included in the shared customer research tool be corrected or deleted;
  • requiring the service provider of the customer research tool to review its information systems, facilities and procedures and to appoint an independent expert.

Investigations and enforcement actions: profiling, video surveillance and geolocation, access codes, privacy notice, reused mail box


The Lower Saxony data protection commissioner has imposed a fine of 900,000 euros on a bank for profiling customers for advertising purposes. The bank had evaluated data on active and former customers without their consent. To do this, it analysed digital usage behaviour and the total volume of purchases in app stores, the frequency of use of account statement printers, and the total amount of online banking transfers compared with transactions at branch counters, using a service provider for the analysis. The results were then matched against a credit agency’s data and enriched with it. The aim was to identify customers with a greater inclination towards digital media and to prioritise electronic channels for contacting them. Most customers had been sent information in advance along with other documents, but such notices do not replace the necessary consent. The fine is not yet final.

The Luxembourg data protection authority recently fined an unnamed company 3,000 euros for intrusive use of CCTV cameras and for failing in its obligation to inform its workers and third-party visitors. The company neither justified nor demonstrated how video surveillance of the interior of the premises using door cameras (installed and operated by subcontractor firms) was appropriate and necessary to protect its property and in particular to prevent burglary; fencing, for instance, could have been an alternative measure. The regulator also considered the psychological pressure the cameras exerted on employees and third-party visitors, who felt observed at their workstations or meeting tables, since the cameras gave no indication of whether they were recording or not.

In another recent case the Luxembourg regulator fined an unnamed company 1,500 euros for geolocating its employees while they used company vehicles to travel to customers. The data controller stated the following purposes for the geolocation: geographical tracking, asset protection, optimal fleet management, optimisation of work processes, and responding to customer complaints. Further investigation found other undisclosed purposes: combatting theft, reducing the number of kilometres driven, justification in the event of a dispute, monitoring and invoicing of services and, finally, monitoring working time and setting remuneration.

In the regulator’s opinion, the lack of a clear policy, the absence of an identified legal basis for all of the above processing, and a one-year data retention period violated Art. 5 (lawfulness, fairness and transparency) and Art. 13 (information obligation) of the GDPR. Finally, the employees were unaware that their data could be transferred to the parent company, located in a third country.

In Denmark, citizens’ information was exposed to unnecessary risk because Lolland Municipality’s employees were able to disable the access codes on their phones and tablets. The Danish data protection authority issued a fine of approx. 6,000 euros. In 2020 a municipal employee’s work phone was stolen. The phone gave access to the employee’s work email account, which contained several citizens’ names, social security numbers, health information and details of sensitive events. The phone’s access code had been turned off, so whoever held the phone had unrestricted access to its contents. The municipality stated that for a number of years it had been possible for employees to remove the otherwise mandatory access codes and use the phones without one. It had immediately initiated remedial measures in the form of new precautions and changes to the technical configuration of the phones handed out.

The Romanian data protection authority has fined CDI Transport Intern si Internazionale (one of the largest passenger transport companies in Romania) 7,000 euros after a complaint that the company’s website contained no information about how personal data was collected. The site also failed to inform users of the rights data subjects enjoy under Art. 15-22 of the GDPR, or of the purpose and legal basis of the processing, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to set that period, or the operator’s obligation to inform data subjects in the event of a personal data breach.

Finally, the Spanish data protection authority AEPD fined an online teaching institution 3,000 euros after a claimant, a newly hired tutor, was given a corporate mailbox that had belonged to the person she was replacing. The organisation stated that the claimant had been hired to replace a worker on sick leave in the same field and with the same tasks, so that her work was a continuation of that worker’s teaching and tutoring of students, for which she needed to know the full background and the communications between teacher and pupils. It argued that the data the claimant could access was needed for the exercise of her duties. The mailbox contained not only pupils’ personal information but also tax documentation, banking details, invoices, etc., and the new tutor was told that she could access and delete folders in the inbox as needed. The regulator found that basic security measures had not been respected.

Data security: email aliases, IoT devices

According to US security journalist Brian Krebs, one way to protect your email inbox is to get into the habit of using a unique email alias when signing up for each new account online. With many providers you can create an unlimited number of addresses that all deliver to the same mailbox by adding a “+” after the username part of your email address, followed by a tag naming the website you are signing up at (for example, user+shopname@example.org). Krebs reports that many threat actors drop aliased addresses from their distribution lists, on the theory that people who use them care more about security and privacy and are more likely to report spam. Finally, because aliases are so uncommon, finding even a few addresses carrying the same tag in a breached database makes it easy to work out which organisation was probably hacked and which database was leaked. Two practical caveats: the tag is trivially stripped, so anyone who normalises user+tag@example.org back to user@example.org defeats it, and some sign-up forms reject a “+” in the address altogether. Aliases help with filtering and attribution, not with hiding the underlying mailbox.
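The two mechanics described above, generating a per-site alias and attributing a breach from the tags in a leaked list, as an added example that is not part of the original digest or Krebs’s writing. The addresses in LEAKED_SAMPLE are constructed for illustration, and the normalise() function shows the weakness a practitioner should keep in mind: stripping the tag takes one line.

```python
"""Plus-addressing: per-site e-mail aliases and breach attribution.

Added example, not from the page or from Krebs. All addresses below are
constructed; the only assumption is that the mailbox provider treats
local+tag@domain as delivering to local@domain.
"""
import re
from collections import Counter

# local part, a '+' tag, and the domain; callers lower-case the input first
ALIAS_RE = re.compile(r"^(?P<local>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>[^@]+)$")


def make_alias(base_address: str, site: str) -> str:
    """Derive a per-site alias from a base mailbox, e.g. alice+shop@example.org.

    The tag is reduced to lowercase letters and digits so it survives sign-up
    forms that reject punctuation in the local part.
    """
    local, domain = base_address.lower().split("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    return f"{local}+{tag}@{domain}"


def split_alias(address: str):
    """Return (local, tag, domain) for a plus-addressed mailbox, else None."""
    m = ALIAS_RE.match(address.strip().lower())
    return (m.group("local"), m.group("tag"), m.group("domain")) if m else None


def normalise(address: str) -> str:
    """What a spammer's list-cleaning step does: drop the +tag.

    This is why an alias hides nothing from a determined sender; it only lets
    the mailbox owner filter and attribute incoming mail.
    """
    parts = split_alias(address)
    if parts is None:
        return address.strip().lower()
    local, _, domain = parts
    return f"{local}@{domain}"


def attribute_breach(leaked_addresses, min_count: int = 2):
    """Count how many distinct mailboxes used each +tag in a leaked list.

    A tag that recurs across different mailboxes was handed to the same
    service by several people, which points at that service as the source.
    Returns (tag, distinct_mailboxes) pairs, most frequent first, keeping
    only tags seen at least min_count times.
    """
    mailboxes_per_tag = {}
    for addr in leaked_addresses:
        parts = split_alias(addr)
        if parts is None:
            continue
        local, tag, domain = parts
        mailboxes_per_tag.setdefault(tag, set()).add(f"{local}@{domain}")
    counts = Counter({tag: len(boxes) for tag, boxes in mailboxes_per_tag.items()})
    return [(tag, n) for tag, n in counts.most_common() if n >= min_count]


# Constructed sample of a leaked list: three users registered at the same shop,
# one newsletter alias, and one address with no tag at all.
LEAKED_SAMPLE = [
    "alice+shopexample@example.org",
    "Bob+ShopExample@example.net",
    "carol+shopexample@example.com",
    "dave+newsletter@example.org",
    "erin@example.org",
]

if __name__ == "__main__":
    print(make_alias("alice@example.org", "Shop-Example"))
    print(attribute_breach(LEAKED_SAMPLE))
```

attribute_breach() counts distinct mailboxes rather than raw occurrences so that one person’s address appearing several times in a dump does not masquerade as a cross-user pattern.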

The US Health Sector Cybersecurity Coordination Center published an advisory for the healthcare sector on the risks posed by Internet of Things devices. Since these devices can collect data that includes personally identifiable information, it is important to secure them. The overall goal is to protect the entire system, and the advisory groups the steps into three areas: a) securely store, process and transfer data, b) keep devices safeguarded, and c) update devices to reduce vulnerabilities. To minimise risks from IoT devices:

  • Change default router settings: most people never rename their router or change the manufacturer’s defaults, which typically benefit the manufacturer more than the user.
  • Pick a strong password: use a unique, strong password for each device.
  • Avoid Universal Plug and Play: UPnP makes it easier to network devices without additional configuration, which also means devices can open ports to the network without any authentication.
  • Keep software and firmware updated: updated firmware carries the latest security patches and reduces the chances of a successful attack.
  • Implement a zero trust model: zero trust assumes that nothing inside or outside the network can be trusted by default, and only the limited set of people who need a resource to do their jobs get access to it. For this to work, administrators must know who their users are and what role each one plays.

Big Tech: drivers’ data, cyberattack on NHS software, Meta’s tracking code

Only 28% of drivers have any idea what sort of data they generate, and is collected, when they drive, and they may never have heard of the at least 37 companies leading a growing vehicle data market, says a report in The Markup. It is a market in which vast amounts of personal data are for sale: by whom, for whom, and to what end? With third-party vehicle data hubs concentrating the data, and the breadth of the data undermining anonymisation, the report notes a lack of regulation that High Mobility’s CEO and founder Risto Vahtra warns could become a “privacy hell”. The report also criticises car manufacturers for failing to develop clear on-screen interfaces, like those on mobile phones, for drivers to choose privacy settings, which in some cases are entirely lacking. Legislation tackling this is currently at committee stage in the US Congress.

UK government agencies along with the National Cyber Security Centre are investigating if patient data was stolen in a severe cyberattack on NHS software supplier Advanced. It was hit by ransomware on August 4th, taking several urgent treatment centres, the 111 phoneline for, among other things, booking a doctor’s appointment, and some mental health facilities offline. The hack could take nearly two weeks to resolve, and updates on the status of the data are awaited, although Advanced says it has “contained” the breach.

When you open a link from Facebook or Instagram, owner Meta has been injecting code into the website you visit through its in-app browser, allowing your navigation to be tracked. That is according to former Google engineer and privacy activist Felix Krause, who has published new research. It is unknown how long Meta has been using the tracking code in its in-app browser. Krause built a tool that counts how many extra JavaScript instructions a browser adds to a website; in most browsers none were added, but opening the same page via Facebook or Instagram added as many as 18 lines of code. Such “JavaScript injection” is often classified as a malicious attack, but there is no suggestion that Meta has used it for anything beyond monitoring user interactions: every button and link tapped, text selections, screenshots and the like.

Weekly digest January 10 – 16, 2022: Does the use of Google Analytics by EU entities violate the GDPR?
https://techgdpr.com/blog/weekly-digest-18012022-does-the-use-of-google-analytics-by-eu-entities-violate-the-gdpr/
Tue, 18 Jan 2022

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: Google Analytics case in Austria, EU Parliament breach, French health database, the Irish DPC

The Austrian data protection authority, the DSB, ruled that the use of Google Analytics violates the GDPR. Presented as evidence was a case where an IP address “anonymization” function had not been properly implemented on a health-focused website – netdoktor.at. When implementing GA services, the website had been exporting visitors’ data to the US-based company in violation of Chapter V of the GDPR. While the regulator upheld the complaint against netdoktor it did not find against Google’s US business for receiving/processing the data — deciding that the rules on data transfers only apply to EU entities and not to the US recipients, TechCrunch reports. 

The complaint was filed by the NOYB privacy foundation on the basis of the CJEU’s “Schrems II” decision, which invalidated the Privacy Shield framework for EU-US data transfers. The Austrian DSB assessed the various measures Google applies to protect the data in the US, such as encryption at rest in its data centres, but did not find them sufficient to effectively prevent US intelligence services from accessing the data.

Because the Austrian data exporter in this case has since merged with a German company, the DSB will take up the question of banning future data transfers with the relevant authority at the new headquarters as well. The Dutch data protection authority, the AP, has also warned that the use of Google Analytics may soon no longer be allowed. The AP is currently investigating two complaints about the use of Google Analytics in the Netherlands and expects to be able to decide on the future of GA once that investigation is completed in early 2022. In response to the Austrian decision, Google defended itself in a blog post, stating that:

  • Organizations use Google Analytics because they choose to do so. They, not Google, control what data is collected and how it is used.
  • They retain ownership of the data they collect using GA, and Google only stores and processes this data per their instructions —  to provide them with reports about how visitors use their sites and apps.
  • Organizations can, separately, elect to share their Analytics data with Google for one of a few specific purposes, including technical support, benchmarking, and sales support.
  • Organizations must take explicit action to allow Google to use their analytics data to improve or create new products and services. Such settings are entirely optional. 
  • Organizations are required to give visitors proper notice about the features of GA that they use, and whether this data can be connected to other data they have about them.
  • Google offers browser add-ons that let users disable measurement by GA on any site they visit.

Meanwhile, the European Parliament was also found to be in breach of EU rules on data transfers and cookie consent. The assembly hired a company to provide mass Covid-19 testing via a dedicated website for members and officials. The page attracted a number of complaints, filed by some MEPs, also with the support of the NOYB, over the presence of third-party trackers and confusing cookie consent banners, among a raft of other compliance issues. In particular, the test booking site was found to be dropping cookies associated with US Google Analytics and digital payments company Stripe, but the parliament failed to demonstrate it had applied any special measures to ensure that any associated personal data transfers would be adequately protected. The European Data Protection Supervisor, which oversees EU institutions’ compliance with data rules, gave the assembly one month to fix the privacy flaw.

EU Commissioner for Justice Reynders rejected the criticism that has been levelled at the Irish data protection regulator, the DPC. As the lead supervisory authority for the Big Tech companies headquartered in Ireland, the DPC has been criticised for insufficient investigation and cooperation. At the end of 2021 some Members of the European Parliament asked for infringement proceedings to be opened against the DPC. In his response Reynders stated that a) it is too early to draw definitive conclusions about the efficiency and functioning of the GDPR cooperation mechanism, b) the Commission is taking appropriate action to monitor the application of the GDPR in the Member States, and c) there is no evidence that the Irish data protection rules have not been respected by the DPC or that the cooperation mechanism has not been applied correctly.

The French government has reportedly decided to withdraw the request for authorisation for the Health Data Hub (HDH) to host the main national health database. Without the permission of the French regulator CNIL, the HDH cannot function as intended. The platform makes data available to authorised projects, and the main criticism concerns its choice to host health data on Microsoft Azure. The CNIL had objected to entrusting the hosting of health data to a US-based company and expressed the wish that hosting be reserved for entities under the exclusive jurisdiction of the EU. However, there is as yet no designated “cloud of trust” for French public services, as the “Bleu” initiative with Orange and Capgemini does not yet exist.

Official guidance: ex officio data erasure, reuse of data by subcontractors, debtor’s data

The EDPB published an opinion on whether Article 58(2)(g) of the GDPR can serve as a legal basis for a supervisory authority to order, ex officio, the erasure of unlawfully processed personal data where no such request has been submitted by the data subject. The Board noted that some of the grounds set out in Art. 17 (‘Right to erasure’) of the GDPR clearly refer to scenarios that controllers must detect on their own as part of their compliance obligations. The EDPB therefore concludes that Article 58(2)(g) GDPR is a valid legal basis for a supervisory authority to enforce the principles of the GDPR even where the data subjects are not informed of or aware of the processing, or where not all of the data subjects concerned have submitted an erasure request.

The French regulator CNIL published new guidance for processors (subcontractors) on the reuse of data entrusted to them by a data controller (in French). A processor processes personal data on behalf of the controller: it follows the controller’s instructions and cannot, in principle, use the data for its own purposes. Sometimes, however, a processor wishes to reuse the data, often to improve its services or products or to design new ones. Such reuse is possible only under several conditions:

  • national or European law may require the reuse;
  • the controller may authorise its processor to reuse the personal data for the processor’s own purposes, in which case the processor becomes the controller of this new processing;
  • the subsequent processing must be compatible with the purpose for which the data was initially collected (the “compatibility test”, which applies when the processing is not based on the data subject’s consent: for example, a former processor may reuse data to improve its cloud computing services but must not use it for commercial prospecting);
  • appropriate safeguards must exist, which may include encryption or pseudonymisation;
  • the initial controller’s authorisation must be recorded in writing, including in electronic form;
  • the initial controller must inform the data subjects;
  • the former processor must ensure the compliance of the new processing (encryption, pseudonymisation, minimisation, retention periods, legal basis, data subject rights, etc.).

The Lithuanian data regulator VDAI, has issued a recommendation on the processing of debtors’ personal data. The following personal data is usually processed in the administration of debts: name, surname, payer’s code, date of birth, address and other details. Debt recovery procedures involve financial consequences for individuals, and such processing of personal data is often very sensitive. The cases investigated by the VDAI show that there are sometimes misunderstandings between debtors, creditors or debt collection companies. There are a number of cases where complaints are declared unfounded and terminated, such as the transfer of the debtor’s personal data to a processor for legal recovery where consent is not required. VDAI also noted that the exercise of the data subject’s rights does not imply a debt review. Finally, the exercise of data subjects’ rights does not affect the debtors’ contractual obligations to the creditor, (VDAI does not have the power to decide on debt calculation methods, the existence or absence of debt etc). 

Data breaches, investigations and enforcement actions: DPO role, Europol data, IT security, credit default information, outsourced marketing

The Luxembourg data protection authority (CNPD) fined an unnamed company for multiple violations of the GDPR, including violations relating to the position of the Data Protection Officer. The company failed to provide evidence that the DPO was properly involved in all matters relating to the protection of personal data (Arts. 38 and 39 GDPR), DataGuidance reports. Although the DPO reported to company management:

  • there were two hierarchical layers between the DPO and senior management, so direct access to the highest management level was not guaranteed;
  • there was no evidence that the quarterly activity reports the DPO was said to deliver to management had actually been produced;
  • the company had no formalised control plan specific to data protection, so the DPO had no structured way to monitor the controller’s compliance, one of the DPO’s core tasks.

Read the full decision (available in French), which sets out 11 control objectives for a valid DPO position.

The Finnish data protection ombudsman ordered Bisnode Finland, a provider of business information and credit and risk management services, to rectify its credit information register. The investigation concerned the processing of payment default data and followed an individual’s complaint that the company had refused to remove default entries based on judgments in civil cases from its credit register, DataGuidance reports. The regulator held that data based on final judgments in civil cases should not have been recorded as default entries, since only information that adequately reflects a person’s ability or willingness to pay may be used as credit information. The regulator found the company in breach of Art. 25 GDPR (“Data protection by design and by default”) as well as the Credit Information Act.

A municipality in Norway was fined more than 500,000 euros for inadequate security measures after it suffered a serious cyberattack in 2021. As a result of the attack, employees lost access to most of the municipality’s IT systems: the data had been encrypted and the backups deleted. Approximately 30,000 documents were lost, some containing highly sensitive information about the municipality’s residents and employees. The deficiencies concerned logging and log analysis, the protection of backups, and the absence of two-factor authentication or equivalent controls. The firewall was not adequately configured for logging, so much internal traffic was never recorded; servers were not configured to forward their logs to a central log collector and did not log important events. The municipality also failed to protect its backup copies against intentional and unintentional deletion, manipulation and reading. In practice, backups that can be deleted with the same credentials an attacker obtains on the production network are not a recovery measure at all; they need to be kept offline or in storage that cannot be modified from the production environment.

The Italian regulator Garante fined a telecommunications company (OMNIA24) 100,000 euros for multiple violations of the GDPR. The infringements concerned outsourced marketing activities, the way consent was collected and the source of the data, DataGuidance reports. OMNIA24’s inadequate response to individuals’ requests to access their personal data constituted a further violation. The investigation found that the root cause was the failure to define the controller and processor roles between the business partners, which left the company unable to facilitate data subjects’ rights.

Europol was ordered to erase data concerning individuals with no established link to criminal activity. The EDPS admonished Europol in 2020 for the continued storage of large volumes of data without Data Subject Categorisation (DSC), which poses a risk to individuals’ fundamental rights. Although Europol has since put some measures in place, it has not complied with the EDPS’ requests to define an appropriate retention period within which it must filter the data and extract the personal data that the Europol Regulation permits it to analyse. Europol said the decision affects its ability to analyse large and complex datasets at the request of EU law enforcement. The current Europol Regulation contains no explicit maximum period for determining the DSC; in its decision the EDPS sets this period at six months. Europol argues that its analyses, like the police investigations they support, frequently take longer than six months.

Individual rights: Covid data in police investigations

Police in Germany are being criticised for using COVID-19 contact-tracing data to identify witnesses in an investigation, IAPP news reports. Police and local prosecutors in Mainz obtained, via the local health authorities, data collected by the Luca contact-tracing app. They used the app’s records of how long individuals had stayed at a location, together with their name, address and phone number, to identify 21 people who may have witnessed a death at a local restaurant. The company that developed the Luca app, culture4life, condemned the misuse of data collected to protect against infection, adding that it regularly receives requests for its data from the authorities and routinely rejects them.

Big Tech: Clearview AI for FBI, YouTube fake news, Facebook/Meta competition lawsuit

In the US, the FBI has signed a subscription contract for the controversial facial recognition technology developed by Clearview AI. The company has been criticised for trawling social media platforms for pictures of people and storing them without their knowledge. The CyberScoop report identifies more than 20 other federal agencies that currently hold facial recognition technology contracts. Last year Clearview was found in breach of privacy rules in Canada, Australia and the UK, and last month the French regulator CNIL ordered the company to delete French users’ data.

A global coalition of fact-checking organisations has fired a broadside at YouTube for being a “major conduit” of fake news. More than 80 groups signed an open letter saying YouTube allowed the “weaponization” of extremism and was not doing enough to filter out disinformation. The letter proposes four remedial steps: a commitment to funding independent research into disinformation campaigns on the platform; providing links to rebuttals inside videos that spread disinformation and misinformation; stopping its algorithms from promoting repeat offenders; and doing more to tackle falsehoods in non-English-language videos.

Facebook/Meta is facing the first class action lawsuit of its kind in the UK for breach of competition rules. The claim, brought by a competition lawyer and backed by a litigation fund, seeks more than three billion dollars on behalf of millions of UK Facebook users as compensation for paying an “unfair price”, i.e. surrendering unfettered use of their personal data in exchange for Facebook’s market-dominant services. Anyone domiciled in the UK between 1 October 2015 and 31 December 2019 who used Facebook even once is included in the claim, and could receive a share of any award, unless they opt out.

The post Weekly digest January 10 – 16, 2022: Does the use of Google Analytics by EU entities violate the GDPR? appeared first on TechGDPR.

]]>