DSR Archives - TechGDPR
https://techgdpr.com/blog/tag/dsr/
Feed last updated: Fri, 31 Oct 2025 17:11:31 +0000

Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses
https://techgdpr.com/blog/seven-actionable-steps-to-achieve-gdpr-compliance-for-e-commerce-businesses/
Wed, 07 May 2025 10:49:42 +0000

The post Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses appeared first on TechGDPR.
GDPR compliance helps businesses ensure transparency, build customer trust, enhance data security, and avoid fines of up to €20 million or 4% of turnover. Many companies, including Amazon, LinkedIn, Clearview, and Netflix, have faced significant fines due to data protection failures.

E-commerce businesses process large amounts of personal data, including contact details, payment information, and browsing history, all of which require protection. By implementing strong data protection practices and security measures such as encryption and access controls, businesses can reduce the risk of breaches and cyberattacks.

GDPR compliance for e-commerce businesses demonstrates a commitment to protecting customer privacy and encourages continued customer relationships, giving businesses a competitive advantage over those that are not GDPR-compliant.

Here are seven actionable steps that may help e-commerce businesses navigate GDPR compliance effectively.

Conduct a data audit

When deciding to work towards GDPR compliance in e-commerce, it is important to start by conducting a comprehensive inventory of data collection processes.

The steps to carry out the audit could include:

  • Identify all personal data categories collected, such as contact details, payment details, and activity logs, and the granular purposes this collection serves. Determining the retention period is important, as the GDPR does not allow indefinite retention.
  • Review how and where personal data is collected and stored, whether on cloud servers, local databases, or third-party platforms. Regularly review third parties and minimize retention periods, with clear specifications on when data will be securely deleted. Additionally, document the security measures implemented to protect the data.

Access and consent management

Access to customer data can be limited to authorized employees, IT administrators, and secure third-party providers on a need-to-know basis.

Consent for cookies can be effectively implemented through a cookie banner, allowing users to manage or withdraw consent anytime. Use clear opt-in mechanisms for newsletters, cookies, and marketing, avoiding pre-checked boxes. Maintain consent logs for audit compliance, ensuring each data use has separate, revocable consent without affecting core services.

Review and update the privacy notice

A company’s privacy notice should be clear, easily understood, and transparent to ensure GDPR compliance and build customers’ trust. The privacy notice should clearly state:

  • What data you collect and why (e.g., personal details, payment information, browsing behaviour),
  • How the data is used,
  • The purposes of data collection and processing, and
  • How customers can exercise their rights, such as requesting data deletion or correction.

It is important to regularly review and update the privacy notice so that it reflects any changes in data collection, processing, or legal regulations and compliance is maintained.

Enhance security to protect customer information

With the rise of cyber attacks worldwide, protecting personal data is an essential aspect of GDPR compliance for e-commerce businesses. Customers trust businesses with sensitive information such as payment details, addresses, and browsing history. Implementing strong data security measures reduces breaches, while a structured response plan ensures quick recovery and minimizes damage.

To minimize security risks, e-commerce businesses may implement:

  • End-to-end encryption: Encrypting sensitive customer data both in transit and at rest prevents unauthorized access. Without the correct encryption key, unauthorized individuals cannot read the data even if they intercept it. This can be made standard for all online transactions.
  • Multi-factor authentication (MFA): Requiring additional verification steps, such as one-time passwords (OTP) or biometric authentication, reduces unauthorized logins.
  • Regular security audits: Routine system checks to identify vulnerabilities. These assessments help prevent data leaks and support GDPR compliance.
  • Access control & monitoring: Role-based access control (RBAC) restricts each user to the permissions of a predefined role, ensuring that only authorised personnel have access to sensitive personal data; that access should also be monitored.

Investing in robust data security produces a security plan that protects customers and supports GDPR compliance in all operations.

Offer employees training

Employees are the first line of defence in data protection, so regular, comprehensive GDPR training is important for e-commerce businesses. Many breaches occur due to human error, such as mishandling sensitive data or falling for phishing scams. The employer is responsible for ensuring that employees are well-trained on data protection and compliance requirements.

Businesses should provide ongoing training and workshops to regularly update employees’ knowledge of data protection, evolving threats, and regulatory changes, raising awareness within the organization.

Establish a data subject rights procedure

Under the GDPR, data subjects have rights, including access, erasure, rectification, and objection, that give them control over their personal data.

E-commerce businesses must have clear procedures for handling and responding to these requests efficiently. The GDPR requires a response within one month; delays or non-compliance can lead to fines.

To ensure compliance, businesses may:

  • Appoint a data protection officer (DPO), in line with European Commission guidance, or an internal team working under a DPO’s guidance, to monitor compliance and data protection issues. Appointing an external DPO is often “much easier and cost effective”.
  • Create a clear and accessible process for handling data subject requests, such as an email address or request form on the website.
  • Implement automated tools to manage and track data subject requests within the required time frame.
  • Keep records of all requests to demonstrate compliance if audited.

Review third-party agreements

E-commerce businesses sometimes utilize third-party vendors, such as payment processors, cloud storage providers, and marketing platforms, to handle customer data. Therefore, it’s crucial to ensure these vendors comply with data protection regulations to safeguard customer information and avoid potential risks.

Under the GDPR, a data protection agreement with a third-party vendor is required if the vendor processes personal data on your behalf.

Here are steps that could be considered to manage risks associated with third-party vendors:

  • Identify all third-party vendors that process customer data and assess their data security measures.
  • Ensure that all vendors handling personal data have a supplier agreement in place outlining responsibilities, security measures, and data processing activities.
  • If a vendor transfers data outside the EU/EEA, ensure they follow GDPR requirements.
  • Regularly review vendor policies, conduct security audits, and ensure that the vendors comply with GDPR requirements.

Conclusion

By implementing these seven actionable steps, e-commerce businesses can mitigate risk, protect customer data, avoid penalties, and build trust.

Hiring an external DPO, either in the absence of an internal data protection team or to advise and provide competent GDPR support to the internal DPO, will ensure proper compliance in line with the GDPR and help the business gain a competitive advantage in the market.

Data protection digest 18 – 31 Oct 2023: “Pay or Okay” – Will Meta new subscription model survive the GDPR test?
https://techgdpr.com/blog/data-protection-digest-02112023-will-new-subscription-model-of-meta-survive-the-gdpr-test/
Thu, 02 Nov 2023 11:44:48 +0000

The post Data protection digest 18 – 31 Oct 2023: “Pay or Okay” – Will Meta new subscription model survive the GDPR test? appeared first on TechGDPR.

In this issue, we look at Meta’s new ads-free subscription model as the corporation runs out of available legal grounds for tracking and profiling people in the EU for targeted advertising, while being banned from using contract law and legitimate interest as justification.

Meta subscription model vs GDPR

Meta’s latest announcement of ad-free paid services in Europe is now challenged by the EDPB’s urgent binding decision. At the request of the Norwegian privacy regulator, Meta will soon be banned from using the legal bases of contract and legitimate interest for tracking and profiling users for ad targeting across the entire EEA. The EDPB takes note of Meta’s new proposal to rely on a consent-based subscription model as a legal basis instead. The lead Irish Data Protection Commission is currently evaluating this together with the concerned supervisory authorities (who have already expressed serious doubts).

Meta has just announced that it will offer people in the EU, EEA and Switzerland the choice to pay a monthly subscription to use Facebook and Instagram without any ads. Meanwhile, advertisers will be able to continue running personalised advertising campaigns in Europe to reach those who choose to continue receiving a free, ad-supported online service. Meta believes this subscription model (“pay or agree”) is a valid form of consent for an ads-funded service, anticipating the requirements of the European privacy regulators and the recent CJEU ruling.

Legal processes

America’s AI Action: President Biden issued a comprehensive Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. Its most sweeping actions compel the developers of the most powerful AI systems to disclose their safety test findings and other key information to the US government. It promotes the responsible use of AI in education and healthcare and the development of affordable and life-saving drugs. The document also promotes best practices to mitigate harms and maximize the benefits of AI for workers and customers. Finally, it emphasizes responsible government deployment of AI and modernization of the federal AI infrastructure.

Biden’s Administration will continue to collaborate with Congress to pursue bipartisan legislation for responsible innovation. The US Department of Commerce, along with the National Institute of Standards and Technology and other federal players, will be responsible for carrying out the EO’s objectives.

Draft EU AI Act: Meanwhile, the EDPS issued its opinion on the Artificial Intelligence Act, as discussions between the EU’s co-legislators reach the final stages. It includes a call to ban high-risk AI systems with decision-making patterns, such as automatic recognition of human characteristics and other behavioural signals in public spaces, as well as profiling based on biometric traits. The EDPS is prepared to serve as the EU’s AI Supervisor and welcomes the formation of the European Artificial Intelligence Office. It believes that persons harmed by the use of AI systems should have the right to file a complaint with the competent national data protection authorities.

Legal redress

Clearview AI escapes punishment: Last year the UK Information Commissioner fined Clearview more than 7.5 million pounds for illegally keeping millions of face pictures. Now the First-tier Tribunal has quashed the enforcement, as the company’s services were only used by law enforcement agencies outside the UK. Although Clearview did engage in data processing connected to monitoring people’s behaviour in the UK, the ICO “did not have jurisdiction” to initiate enforcement action or levy a fine. France, Italy and Australia had taken similar action against the firm. Clearview previously had commercial customers, but following a 2020 settlement with the US, the company now only takes clients that carry out criminal law enforcement or national security duties.

Official guidance

Shoplifting: According to the UK Information Commissioner, more retailers are turning to technology to protect their businesses. Data protection law enables retailers to share criminal offence data as long as it is necessary and proportionate. Sharing information with the manager of another store in your shopping centre is likely to be appropriate, while wider public disclosures, such as posting it on an online retail-related social media platform, are less likely to be justifiable.

Consent criteria: Quebec has published guidelines on valid consent criteria (in French). Consent must be obtained before carrying out any processing activity, and it is essential that the organisation documents it. Consent must be: evident, free, informed, specific, granular, understandable, temporary, and presented separately from any other information. Subject to exceptions, organisations must obtain consent to reuse data or to disclose it to a third party. Equally, consent can be withdrawn at any time by the data subject. If any of the above criteria is not met, the consent is invalid.

DP Toolkit: Jersey’s data protection authority created a dedicated resource zone. It features a variety of toolkits for small, medium and large organisations as well as financial services, non-executive directors, and non-profit organisations: a blend of infographics, step-by-step guidance, how-to-guides, templates, checklists and videos.

AI Q&A: The French privacy regulator published the first set of guidelines for the use of AI that respects the GDPR. The CNIL confirms the compatibility of AI research and development with the data protection principles. The principle of data minimisation does not prevent the training of algorithms on very large datasets. On the other hand, the data used must, in principle, have been selected to optimise the training while avoiding the use of unnecessary information. In any case, certain precautions to ensure data security are essential.

Enforcement decisions

BBVA: Following a complaint by an individual, the Spanish data protection regulator issued a fine of one million euros on Banco Bilbao Vizcaya Argentaria (BBVA). The complainant, a BBVA client, had lost their purse containing their bank card. Following that, they claimed to have demanded that BBVA block all of their banking products. After BBVA allegedly refused to act on the complainant’s request, third parties reportedly used identity theft to access the complainant’s financial products, take out loans, and transfer money from the complainant’s bank accounts.

Canal+: The French data protection authority CNIL fined the CANAL+ group 600,000 euros for poor data practices. In particular, its standard forms for the collection of prospect data did not contain any information on the identity of the recipients to whom the data was transmitted. It also failed to inform individuals when they created a MyCanal account and during cold calls. The company also did not respond to some access requests. Apart from that, the CNIL found that a subcontracting contract did not include all the information required, and the storage of the company’s employees’ passwords was not sufficiently secure.

Data breaches

Gap Personnel: A UK recruitment company did not have appropriate security measures in place, which resulted in an unauthorised threat actor accessing and exfiltrating individuals’ data (13,720 UK data subjects) twice within 12 months. Gap was unable to determine the specific cause of the incident but believes it is likely that the threat actor exploited an insecure PHP script to perform an SQL injection attack. At the time of the incident, there were four specific vulnerabilities: a) an unsupported version of MySQL, b) an unsupported PHP version, c) poorly written PHP code and d) insufficient logging.

Optionis: In another similar reprimand, a data controller (Optionis Group) suffered a ransomware attack, which resulted in the exfiltration of personal data. A reprimand was issued in respect of specific infringements of the UK GDPR, which include a lack of multi-factor authentication, an inadequate account lockout policy, and no clear Bring Your Own Device policy. An aggravating factor was that Optionis took 11 months to notify all individuals of the breach. The company explained that the analysis of the impacted personal data took a considerable amount of time to complete, in particular due to the size of the dataset. You can read the full decision here.

Data security

Telehealth: The US Office for Civil Rights released a HIPAA-dedicated resource to help health care providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications. The HIPAA Rules do not require covered health care providers to educate patients about these risks; however, OCR is sharing this resource to assist providers who would like to explain to patients the privacy and security risks to their protected health information. Examples of such risks include viruses and other malware, unauthorized access, and accidental disclosures.

Code of Practice for app developers: The UK government published the latest version of its code, which should be used from now on by app store operators and app developers. The UK government has investigated the app ecosystem and found a range of threats relating to malicious and poorly developed apps. In particular, app store operators and developers shall comply with the broader requirements of data protection law, so new sections have been added to highlight requirements of particular relevance to the Code of Practice.

Non-banking financial services: The US Federal Trade Commission has approved an amendment that would require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lending institutions, to report data security breaches. The amendment will require the FTC to be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without authorization. The notice to the FTC must also include the number of consumers affected or potentially affected.

Big Tech

SolarWinds breach aftershock: The US Securities and Exchange Commission has charged SolarWinds and its Chief Information Security Officer with fraud and internal control failures. In 2020, hackers targeted SolarWinds by deploying malicious code into its Orion IT monitoring and management software, used by thousands of enterprises and government agencies worldwide. The complaint alleges the software company misled investors about its cybersecurity practices and known risks, in particular that SolarWinds’ remote access set-up was not very secure and that someone exploiting the vulnerability “could basically do whatever without detecting it”.

In-vehicle monitoring: California enacted legislation that requires vehicle manufacturers to disclose the presence of in-vehicle cameras and prohibits any images or video recordings collected from being used for any advertising purpose, sold, or shared with any third party. The act requires consent before a person or entity other than the user may retain a recording from an in-vehicle camera at any location other than the vehicle itself, or download or retrieve it, unless this is done for diagnostics, service, repair, or improvement of equipment and systems. The act also gives consumers the right to revoke consent.

London Ulez fines: The Guardian reports that thousands of fines for breaches of London’s ultra-low emissions zone (Ulez) rules may have been sent unlawfully to EU drivers, according to the Belgian authorities. Since Brexit, UK authorities do not have access to personal data of EU citizens for non-criminal enforcement. However, drivers in several EU countries have received fines, many totalling thousands of pounds, for failing to pay their Ulez charge before driving into London. Some have been penalised mistakenly, and one driver was fined nearly 11,000 pounds after a three-day visit in a hire car. Read the full story here.

Weekly digest January 24 – 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering
https://techgdpr.com/blog/weekly-digest-31012022-gdpr-jurisdictional-reach-us-surveillance-laws-dp-engineering/
Mon, 31 Jan 2022 17:33:53 +0000

The post Weekly digest January 24 – 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: GDPR jurisdictional reach, CNIL’s regulatory win over Google, CJEU case laws summary

A recent UK Court of Appeal decision emphasizes the broad geographic scope of both the EU GDPR and the UK GDPR, but also the ongoing uncertainty regarding their jurisdictional reach, according to the JD Supra publication. In the given case, the court had allowed a claim for contravention of the GDPR to be served on various US parties. In particular, the claimant commenced proceedings against a US-based news outlet for a series of articles and social media posts making a number of “unflattering” allegations about the claimant. In deciding whether to grant permission (to serve a claim outside of the UK jurisdiction) the court had to determine whether the claimant’s allegation that the GDPR applied had a real prospect of success.

Of particular note was the intention of the defendant to offer goods/services to EU/UK individuals when considering whether a data controller has an “establishment” in the EU/UK. In the given case the platform expressly solicited European subscriptions (available in sterling and euros) and had secured a number of UK/EU subscribers (albeit only 6). However, the court stated that the UK Information Commissioner should be invited to participate in the case to assist the court when it comes to making a final determination. You can read more details of the case in the original judgment.

In France, the Council of State confirmed the competence of the CNIL to impose sanctions on cookies outside the one-stop-shop mechanism. The decision follows an appeal by Google LLC and Google Ireland Ltd against the 100 million euro fine imposed by the CNIL in 2020. The case relates to dropping advertising cookies on users’ computers through the google.fr webpage and its search engine without prior consent or satisfactory information. In its decision, the CNIL found violations of the national legislation transposing the ePrivacy Directive (the Data Protection Act). The Council of State noted that the cookies in question were being implemented within the activities of Google France, and the CNIL was competent under the above law. It therefore did not have to refer the case to the Irish Data Protection Authority, which is the lead authority for Google companies under the GDPR’s one-stop-shop mechanism. Read the full decision (in French) here.

The Court of Justice of the European Union (CJEU) has published a fact sheet on personal data protection, including the EU legal framework and the court’s judgements and opinions in such areas as: a) compatibility of secondary EU law with the right to the protection of personal data; b) processing of personal data within the meaning of the ePrivacy Directive; c) main data protection concepts such as lawful processing and controllership; d) transfer of personal data to third countries; e) protection of personal data on the internet, intellectual property rights, user consent; f) the competent supervisory authorities, territorial application of EU legislation, etc.

Official guidance: US surveillance laws, right of access, Connected TV, PNR data, Information security vs IT security

In Germany the Data Protection Conference has published its expert opinion on US surveillance laws (only in German). In particular, for the applicability of Section 702 of the US Foreign Intelligence Surveillance Act (FISA), the term “electronic communication service provider” does not only include classic IT and telecommunications companies, but also companies such as banks, airlines, hotels or shipping service providers. Additionally, it is not necessary in every case for the services to be made available to the public. It may be sufficient, for example, for a company to provide an email service to its employees. Moreover, request arrangements for some datasets may relate to all data in the company, even when the communication service has nothing to do with the main entrepreneurial activity. The report also deals with the questions of whether European companies operating in the US are subject to problematic US law and whether FISA 702 applies extraterritorially.

The EDPB has published its recently adopted Guidelines on data subject rights – Right of access. The data subjects’ right of access is enshrined in Art. 8 of the EU Charter of Fundamental Rights, and is further developed by more specific and precise rules in Art. 15 of the GDPR. However, the right of access under data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents, which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice. The right of access includes three different components:

  • Confirmation as to whether data about the person is processed or not,
  • Access to this personal data, and
  • Access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third-country transfers.

The EDPB guide includes numerous examples and illustrations for data controllers on how to interpret and assess the request, how to answer it, checking limits and restrictions, how to provide access, timing and format, how to deal with requests made by a third party, etc.

The Interactive Advertising Bureau Europe has published its guide to Connected TV (CTV) targeting and measurement solutions. Some contextual flags and metadata segments allow app publishers or CTV channel providers to create identifiers by channel, by genre, or by context for targeting purposes. According to the report, this is still in its infancy but is one of the fastest growing areas across the CTV landscape (e.g., Comscore has already launched more advanced CTV cookie-free audience targeting in Europe based on metadata, content ID and app bundle IDs). According to the guide, these contextual segments use a “crosswalk between audience behaviours and privacy-friendly contextual signals empowering brands to target CTV content that is the strongest predictor of audience behaviours without user-level identifiers”. Read the full document here.

The transfer and the generalised and undifferentiated automated processing of Passenger Name Record (PNR) data are compatible with the fundamental rights to respect for private life and to the protection of personal data, according to the CJEU Advocate General (Pitruzzella). By contrast, a generalised and undifferentiated retention of PNR data in a non-anonymised form can be justified only where there is a serious, actual and present or foreseeable threat to the security of the Member States, and only on condition that the duration of such retention is limited to what is strictly necessary. The PNR Directive requires the systematic processing of a significant amount of data on air passengers entering and leaving the EU (in the fight against terrorism and serious crime). It also provides Member States with the possibility to apply the directive to intra-EU flights. Nor should one forget the importance of an independent supervisory authority in verifying the lawfulness of that processing, conducting investigations, inspections and audits, and dealing with complaints lodged by any person concerned.

The Swedish privacy authority, IMY, published a blog post (in Swedish) on the differences between information security and IT security. Although information today is to a very large extent produced and provided via IT systems, information security concerns all types of information, including, for example, information in paper format. Information security is usually divided into two legs: administrative security and technical security. Data protection is often associated with various technical measures such as firewalls, encryption and the like, but administrative security is at least as important:

  • Technical security is typically divided into two parts: physical security and IT security. Physical security covers things like alarms, code locks on office rooms, and safes to protect sensitive information stored on IT equipment or in paper format. IT security is about everything from VPN connections and antivirus to intrusion detection and backup.
  • Administrative security is about ensuring that there are appropriate policies, routines and instructions in place that describe how information should be handled in the organization, for example how employees should handle information, but also how to manage permissions to different IT systems.

Data breaches, investigations and enforcement actions: failed proof of consent, multi factor authentication, encryption

The Spanish data protection agency AEPD has punished Garlex Solutions, (an energy supply consultancy), with a 15,000 euro fine over insufficient legal basis for data processing. The claimant received a phone call by the claimed entity with an offer to “renew” an electricity supply contract. She subsequently received an SMS with a link to an electricity supply contract with Aldro Energia, in which their personal data appeared. The claimant stated it was obtained and processed without their consent. The defending party said that the claimant was contacted with the objective of offering very good conditions for the supply of electricity by Aldo Energia, for which the defendant is a contracted marketer. The usual procedure is to explain the offer and only if the person is interested and provides their data, is the link to a pre-contractual deal sent. The AEPD ruled against, as the burden of proof always lies with a data controller, the claimed entity could not provide documentation proving that it had the consent of the claimant to use her personal data and send her a pre-contract. Even if the company obtained the claimant’s data, it did not obtain her consent for its treatment and therefore incurs a violation of Art. 6 of the GDPR. 

Datatilsynet has notified the Storting, Norway's parliamentary administration, of an intended fine of approximately 200,000 euros for not implementing two-factor authentication, DataGuidance reports. The Storting suffered data breaches in 2020 but had not since implemented technical and organisational measures sufficient to achieve an appropriate level of security. The attackers downloaded data from the email accounts of elected representatives and Storting employees, including bank and account details, dates of birth and health information. Possible consequences for those affected include identity misuse, payment card fraud and the use of the information for extortion. The Norwegian regulator's view is that had two-factor authentication been in place earlier, the chance of a successful attack would have been considerably smaller. The Storting has three weeks to respond, after which Datatilsynet will assess the response and take a final decision.

The Swedish IMY has imposed administrative fines totalling 180,000 euros on the Uppsala Region after finding that the regional and hospital boards had not taken appropriate security measures when handling sensitive personal data. The IMY had received two personal data breach reports involving sensitive personal data sent unencrypted to recipients inside and outside Sweden: emails containing patient data sent automatically to the relevant healthcare administrations within the region, emails sent manually to researchers and doctors within the region, and the storage of patient data on the hospital's email server. The investigations also showed that in both cases the processing breached the region's own guidelines, and pointed to shortcomings in the organisational measures protecting the data against unauthorised access.

New York's Attorney General announced a 600,000 dollar settlement with EyeMed Vision Care resolving a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide, including tens of thousands in New York State. Attackers gained access to an EyeMed email account holding sensitive customer information: consumers' names, mailing addresses, Social Security numbers, health and vision insurance account identifiers, medical diagnoses and conditions, and treatment information. The intrusion gave the attacker access to emails and attachments dating back six years before the attack. The attacker also sent approximately 2,000 phishing emails from the compromised account to EyeMed clients, seeking the login credentials for their accounts. The investigation found that EyeMed had failed to implement:

  • multi-factor authentication for the affected email account, which was accessible via a web browser and contained a large volume of consumers' sensitive personal information;
  • adequate logging of its email accounts, which made it difficult to investigate security incidents.
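As an added illustration (not part of the EyeMed settlement or of the original digest), the following Python script shows what the two missing controls look like from the defender's side: run over a constructed sample of mailbox audit events, it flags successful browser logins that used no second factor, and any mailbox that sends an unusual burst of outbound mail, the pattern the 2,000 phishing messages would have produced. The log format, field names, addresses and thresholds are assumptions; real audit logs (Microsoft 365 unified audit log, Google Workspace login and Gmail logs) carry the same information under different names.

```python
"""Two checks a mailbox audit log should make possible: interactive logins
without MFA, and a burst of outbound mail from one account."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (one JSON object per line); the field
# names and addresses are assumptions, not a real vendor format.
SAMPLE_LOG = """\
{"ts":"2020-06-01T08:02:11Z","event":"login","user":"claims@mail.example","ip":"203.0.113.7","client":"browser","mfa":false,"result":"success"}
{"ts":"2020-06-01T08:03:01Z","event":"login","user":"alice@mail.example","ip":"198.51.100.4","client":"browser","mfa":true,"result":"success"}
{"ts":"2020-06-01T08:05:40Z","event":"send","user":"claims@mail.example","to":"c1@customer.example","subject":"Action required"}
{"ts":"2020-06-01T08:05:45Z","event":"send","user":"claims@mail.example","to":"c2@customer.example","subject":"Action required"}
{"ts":"2020-06-01T08:05:50Z","event":"send","user":"claims@mail.example","to":"c3@customer.example","subject":"Action required"}
{"ts":"2020-06-01T08:05:55Z","event":"send","user":"claims@mail.example","to":"c4@customer.example","subject":"Action required"}
{"ts":"2020-06-01T08:06:02Z","event":"send","user":"claims@mail.example","to":"c5@customer.example","subject":"Action required"}
{"ts":"2020-06-01T08:06:09Z","event":"send","user":"claims@mail.example","to":"c6@customer.example","subject":"Action required"}
{"ts":"2020-06-01T09:15:00Z","event":"send","user":"alice@mail.example","to":"bob@mail.example","subject":"Lunch"}
{"ts":"2020-06-01T09:40:12Z","event":"login","user":"alice@mail.example","ip":"198.51.100.4","client":"browser","mfa":false,"result":"failure"}
"""


def parse_log(text):
    """Parse JSON lines into events with a timezone-aware timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def logins_without_mfa(events):
    """Successful interactive (browser) logins where no second factor was used.
    Failed attempts are ignored: they did not give anyone access."""
    return [e for e in events
            if e["event"] == "login" and e["result"] == "success"
            and e.get("client") == "browser" and not e.get("mfa", False)]


def send_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Mailboxes that sent at least `threshold` messages inside any `window`.
    Sliding window per sender; returns {user: peak count seen in a window}."""
    recent = defaultdict(deque)
    peak = {}
    for e in events:
        if e["event"] != "send":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[e["user"]] = max(peak.get(e["user"], 0), len(q))
    return peak


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in logins_without_mfa(evs):
        print("no-MFA login:", e["user"], e["ip"], e["ts"].isoformat())
    for user, n in send_bursts(evs).items():
        print(f"send burst: {user} sent {n} messages within 10 minutes")
```

On the sample, only the compromised mailbox trips both checks; the failed no-MFA attempt on the second account is deliberately excluded, since a control that pages on every failed login drowns the signal. The point of the EyeMed finding is that neither check can be run at all if the mailbox logs were never kept.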

Data security: DP Engineering

The EU Agency for Cybersecurity, ENISA, has published its report on Data Protection Engineering. The document can be seen as part of data protection by design and by default: it aims to support the selection, deployment and configuration of appropriate technical and organisational measures to satisfy the data protection principles set out in Art. 5 of the GDPR. The guide covers the choice of anonymisation and pseudonymisation schemes, data masking and privacy-preserving computation, tools for access, storage, transparency, intervenability and user control, the link with the DPIA, and privacy-enhancing technologies, and closes with conclusions and recommendations for the relevant stakeholders.

Big Tech: WhatsApp privacy policy, Google’s legal fails and victories, Big data & media sector

Consumer complaints have prompted the EU Commission to give WhatsApp until the end of February to clarify changes to its privacy policy; it is unclear whether the new terms infringe EU consumer protection law. The complaint, spearheaded by the European Consumer Organisation (BEUC), adds that WhatsApp has been unfairly pressuring users to accept the new policy, which includes sharing some data with Facebook and other companies under the Meta umbrella. When the privacy update was announced it was condemned worldwide, with some users abandoning the service for platforms such as Telegram and Signal.

Plaintiffs attempting to bring a class action against Google under California's voluminous Invasion of Privacy Act have had their hopes definitively dashed: a federal judge has denied them any further route forward under another of the Act's many provisions. Two claims were dismissed, the judge notably ruling that a user's disabling of Google's tracking of their browsing activity via a button did not contractually oblige Google to stop, because the act of clicking did not unilaterally create a contract between Google and the user, even though, the judge noted, the consumer might assume it did. More details in the article by Jurist.org.

Meanwhile Arizona just got hotter for Google: a judge has ruled in favour of the state's Attorney General and will send a lawsuit to jury trial, Reuters reports. Lawyers for parent company Alphabet had tried to get the case, which centres on allegations that Google deceived users with misleading smartphone location tracking settings, thrown out. Four other state Attorneys General have launched similar lawsuits building on the Arizona case, which was filed in 2020.

The UK Department for Digital, Culture, Media and Sport has also published an analytical report on how user data shapes the media sector. It finds that upstream providers of digital devices, several of them large tech companies, are able to exert control over how data can be shared, accessed and used by other organisations, including media businesses. Some examples from the report:

  • Currently, many media businesses rely on third party cookies to gather data on user behaviour beyond their own website/app.
  • Google’s announcement, and subsequent delays, of its intention to restrict the use of third-party cookies in its services is of great concern to many media organisations; its ‘Privacy Sandbox’ will likely end up driving more business in Google’s own direction.
  • Social media and tech platforms host and distribute a huge amount of the content that press publishers produce. When this happens, these host/distributor platforms have access to first party user data. The publishers, unless the consumer is asked for additional consent, do not.
  • Some TV organisations felt that data about their shows and viewers was being ‘ringfenced’ by the companies who control the operating systems on TVs—the TV manufacturers and large tech firms. The companies, such as Amazon, Google or Apple, were perceived to have a huge amount of control both over what people see and what data is available to the other media providers whose content is watched on them. 
  • Smart speakers and third-party listening platforms were creating a barrier to data access for traditional radio groups.

The post Weekly digest January 24 – 31, 2022: GDPR jurisdictional reach, US surveillance laws, DP Engineering appeared first on TechGDPR.

Weekly digest January 10 – 16, 2022: Does the use of Google Analytics by EU entities violate the GDPR? https://techgdpr.com/blog/weekly-digest-18012022-does-the-use-of-google-analytics-by-eu-entities-violate-the-gdpr/ Tue, 18 Jan 2022 08:53:04 +0000 https://s8.tgin.eu/?p=5433

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: Google Analytics case in Austria, EU Parliament breach, French health database, the Irish DPC

The Austrian data protection authority, the DSB, has ruled that the use of Google Analytics violates the GDPR. The case concerned a health-focused website, netdoktor.at, on which the IP address “anonymization” function had not been properly implemented; by embedding GA, the site had been exporting visitors’ data to the US-based company in violation of Chapter V of the GDPR. While the regulator upheld the complaint against netdoktor it did not find against Google’s US business for receiving and processing the data, deciding that the rules on data transfers bind the EU exporter and not the US recipient, TechCrunch reports.

The complaint was filed by the privacy foundation NOYB on the basis of the CJEU’s “Schrems II” decision, which invalidated the Privacy Shield framework for EU-US data transfers. The DSB assessed the various measures Google applies to protect the data in the US, such as encryption at rest in its data centres, but did not find safeguards sufficient to effectively prevent US intelligence services from accessing the data.
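To make concrete what the “IP anonymization” setting at issue actually does, here is an added Python example (not from the DSB decision, the site or Google’s own code): it reproduces the truncation Google documents for that setting, zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, and applies it to a constructed set of GA hits. The client ID that GA stores in the _ga cookie still ties every hit to the same visitor, which is why a truncated IP on its own does not make the data anonymous. The hit records, client IDs and addresses are constructed for the example.

```python
"""GA-style IP truncation, and what it does and does not remove from a hit."""
import ipaddress
from collections import defaultdict


def ga_truncate_ip(ip_str):
    """Google's documented behaviour for the anonymizeIp setting: IPv4 keeps
    the first three octets; IPv6 keeps the first 48 bits (last 80 zeroed)."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4:
        masked = int(ip) & ~0xFF
    else:
        masked = int(ip) & ~((1 << 80) - 1)
    # Rebuild with the same address class so a small IPv6 value is not
    # mistaken for an IPv4 address.
    return str(type(ip)(masked))


# Constructed GA hits: (client ID from the _ga cookie, source IP, page viewed).
# The two hits from 203.0.113.77 are one visitor; 203.0.113.91 is a neighbour
# in the same /24.
HITS = [
    ("GA1.2.1234567890.1609459200", "203.0.113.77", "/allergies"),
    ("GA1.2.1234567890.1609459200", "203.0.113.77", "/migraine"),
    ("GA1.2.9876543210.1609459201", "203.0.113.91", "/allergies"),
    ("GA1.2.5555555555.1609459202", "2001:db8:1:2:3:4:5:6", "/diabetes"),
]


def pseudonymised_hits(hits):
    """What the site sends to GA with IP truncation switched on."""
    return [(cid, ga_truncate_ip(ip), path) for cid, ip, path in hits]


def visitors_per_truncated_ip(hits):
    """Truncation does collapse addresses: the two /24 neighbours share 203.0.113.0."""
    groups = defaultdict(set)
    for cid, ip, _ in pseudonymised_hits(hits):
        groups[ip].add(cid)
    return {ip: len(cids) for ip, cids in groups.items()}


def browsing_history(hits):
    """But the cookie ID still links every hit to one visitor, so each visitor's
    page history (on a health site, the conditions they read about) survives."""
    history = defaultdict(list)
    for cid, _, path in pseudonymised_hits(hits):
        history[cid].append(path)
    return dict(history)


if __name__ == "__main__":
    print(visitors_per_truncated_ip(HITS))
    print(browsing_history(HITS))
```

The truncation reduces the precision of one field; it does not remove the identifier that GA itself relies on to count sessions and users. That is the distinction between pseudonymisation and anonymisation that the transfer analysis turns on.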

Because the Austrian data exporter in this case has since merged with a German company, the DSB will also raise a ban on future data transfers with the authority competent at the new headquarters. The Dutch data protection authority, the AP, has likewise warned that the use of Google Analytics may soon not be permitted; it is investigating two complaints about the use of GA in the Netherlands and expects to decide on GA’s future once that investigation concludes in early 2022. In response to the Austrian decision, Google defended itself in a blog post, stating that:

  • Organizations use Google Analytics because they choose to do so. They, not Google, control what data is collected and how it is used.
  • They retain ownership of the data they collect using GA, and Google only stores and processes this data per their instructions —  to provide them with reports about how visitors use their sites and apps.
  • Organizations can, separately, elect to share their Analytics data with Google for one of a few specific purposes, including technical support, benchmarking, and sales support.
  • Organizations must take explicit action to allow Google to use their analytics data to improve or create new products and services. Such settings are entirely optional. 
  • Organizations are required to give visitors proper notice about the features of GA that they use, and whether this data can be connected to other data they have about them.
  • Google offers browser add-ons that enable users to disable measurement by GA on any site they visit.

Meanwhile, the European Parliament has also been found in breach of EU rules on data transfers and cookie consent. The assembly hired a company to provide mass Covid-19 testing via a dedicated website for members and officials. The page attracted a number of complaints, filed by some MEPs with the support of NOYB, over the presence of third-party trackers and confusing cookie consent banners, among a raft of other compliance issues. In particular, the test booking site was found to be dropping cookies associated with Google Analytics and the US digital payments company Stripe, yet the Parliament could not demonstrate that it had applied any special measures to ensure that the associated personal data transfers would be adequately protected. The European Data Protection Supervisor, which oversees EU institutions’ compliance with data protection rules, gave the assembly one month to fix the flaw.

EU Commissioner for Justice Reynders has rejected the criticism levelled at the Irish data protection regulator, the DPC. As lead supervisory authority for the Big Tech companies headquartered in Ireland, the DPC has been criticised for insufficient investigation and cooperation. At the end of 2021 some Members of the European Parliament asked for infringement proceedings to be initiated against the DPC. In his response Reynders stated that (a) it is too early to draw definitive conclusions about the efficiency and functioning of the GDPR cooperation mechanism, (b) the Commission is taking appropriate action to monitor the application of the GDPR in the Member States, and (c) there is no evidence that the DPC has failed to respect the Irish data protection rules or that the cooperation mechanism has not been applied correctly.

The French government has reportedly withdrawn its request for authorisation for the Health Data Hub (HDH) to host the main national health database. Without the permission of the French regulator, the CNIL, the HDH cannot function as intended. The platform makes data available to authorised projects, and the main criticism concerns its choice to host health data on Microsoft Azure. The CNIL had objected to entrusting the hosting of health data to a US-based company and expressed the wish that hosting be reserved for entities under the exclusive jurisdiction of the EU. However, there is as yet no designated “cloud of trust” for French public services: the “Bleu” initiative of Orange and Capgemini does not exist yet.

Official guidance: ex officio data erasure, reuse of data by subcontractors, debtor’s data

The EDPB has published an opinion on whether Article 58(2)(g) of the GDPR can serve as a legal basis for a supervisory authority to order, ex officio, the erasure of unlawfully processed personal data where no such request was submitted by the data subject. The Board noted that some of the cases set out in Art. 17 (‘Right to erasure’) clearly refer to situations that controllers must detect on their own as part of their compliance obligations. It therefore concluded that Article 58(2)(g) is a valid legal basis for a supervisory authority to enforce the GDPR’s principles even where the data subjects are not informed of or aware of the processing, or where not all the data subjects concerned have submitted a request for erasure.

The French regulator CNIL has published new guidance for processors on the reuse of data entrusted to them by a controller (in French). A processor processes personal data on behalf of the controller; it follows the controller’s instructions and cannot, in principle, use the data for its own purposes. Sometimes, however, a processor wishes to reuse the data, often to improve its services or products or to design new ones. Such reuse is only possible under several conditions:

  • national or European law may require it;
  • the controller may authorise its processor to reuse the personal data on its own account, in which case the processor becomes the controller for this new processing;
  • the subsequent processing must be compatible with the purpose for which the data was initially collected (the “compatibility test”, applied where the processing is not based on the data subject’s consent: for example, a former processor may reuse data to improve its cloud computing services but must not use it for commercial prospecting);
  • appropriate safeguards must be in place, which may include encryption or pseudonymisation;
  • the initial controller’s authorisation must be set down in writing, including in electronic form;
  • the initial controller must inform the data subjects;
  • the former processor must ensure the compliance of the new processing (encryption, pseudonymisation, minimisation, retention periods, legal basis, data subject rights, etc.).

The Lithuanian data regulator, the VDAI, has issued a recommendation on the processing of debtors’ personal data. Debt administration typically involves processing name, surname, payer code, date of birth, address and other details. Because debt recovery has financial consequences for individuals, such processing is often very sensitive. Cases investigated by the VDAI show that misunderstandings sometimes arise between debtors, creditors and debt collection companies: a number of complaints were declared unfounded and closed, for instance where a debtor’s personal data was transferred to a processor for legal recovery, which does not require consent. The VDAI also noted that exercising data subject rights does not trigger a review of the debt and does not affect the debtor’s contractual obligations to the creditor (the VDAI has no power to decide on debt calculation methods or on whether a debt exists).

Data breaches, investigations and enforcement actions: DPO role, Europol data, IT security, credit default information, outsourced marketing

The Luxembourg data protection authority (CNPD) has fined an unnamed company for multiple violations of the GDPR, including in relation to the role of the Data Protection Officer. The company failed to provide evidence that the DPO was properly involved in all matters relating to the protection of personal data (Arts. 38 and 39 of the GDPR), DataGuidance reports. Although the DPO reported to company management:

  • there were two hierarchical layers between the DPO and management, so direct access was not guaranteed;
  • there was no proof that the quarterly formal reports on the DPO’s activities referred to in the company’s statements were actually issued;
  • the company had no formalised control plan specific to data protection, so the DPO could not carry out the task of monitoring the controller’s compliance.

Read the full decision (available in French), which sets out 11 control objectives for a valid DPO position.

The Finnish data protection ombudsman has ordered Bisnode Finland, a provider of digital business information, credit and risk management services, to rectify its credit information register. The investigation concerned the processing of payment default data, following an individual’s complaint that the company had refused to remove from its credit register default entries based on judgments in civil cases, DataGuidance reports. The regulator held that data based on final judgments in civil cases should not have been included as default entries, since only information that adequately reflects a person’s ability or willingness to pay may be used as credit information. It found the company in breach of Art. 25 of the GDPR (‘Data protection by design and by default’) as well as the Credit Information Act.

A municipality in Norway has been fined more than 500,000 euros over a lack of security measures. It suffered a serious attack in 2021, after which employees no longer had access to most of the municipality’s IT systems: the data had been encrypted and the backups deleted. Approximately 30,000 documents were lost, some containing very sensitive information about residents and employees. The deficiencies concerned logging and log analysis, the securing of backups, and the lack of two-factor authentication or equivalent measures. The firewall was inadequately configured for logging, so much internal traffic was never logged; servers were not configured to forward logs to a central log collector and did not log important events; and the municipality’s backup copies were not protected against intentional or unintentional deletion, manipulation or reading.
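Added example (not from the Datatilsynet decision or the municipality’s systems): a Python script that produces a tamper- and deletion-evident manifest of a backup set, authenticated with an HMAC key held off the backup host, and later verifies the set against it. It detects the two things that happened in this case, backups deleted and files rewritten, and also a forged manifest. Detection is not prevention: stopping deletion still needs offline or immutable copies, and preventing reading still needs encryption. The directory layout, file contents and key are constructed for the demonstration.

```python
"""Keyed manifest for a backup set: detects deleted, altered and added files,
and a manifest that was edited to cover the changes."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative slash-separated path, absolute path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def _sign(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Hash every file and authenticate the listing. The key must not live on
    the backup host, or an attacker who can rewrite backups can re-sign too."""
    entries = {rel: sha256_file(full) for rel, full in _walk(root)}
    return {"entries": entries, "hmac": _sign(entries, key)}


def verify_backup(root, manifest, key):
    """Return (ok, problems). A manifest whose HMAC fails is reported alone,
    because nothing in its file list can be trusted."""
    if not hmac.compare_digest(_sign(manifest["entries"], key), manifest["hmac"]):
        return False, ["manifest tampered"]
    expected = manifest["entries"]
    problems, seen = [], set()
    for rel, full in _walk(root):
        seen.add(rel)
        if rel not in expected:
            problems.append("unexpected: " + rel)
        elif sha256_file(full) != expected[rel]:
            problems.append("modified: " + rel)
    problems += ["missing: " + rel for rel in expected if rel not in seen]
    return not problems, sorted(problems)


def demo():
    """Simulate the incident: verify a clean set, then delete one backup file,
    overwrite another, and finally try to forge the manifest to match."""
    key = b"demo-key-held-off-the-backup-host"  # assumption: a real key sits in a separate secret store
    with tempfile.TemporaryDirectory() as root:
        sample = {"hr/payroll.csv": b"id,name\n1,A\n", "docs/case-1.pdf": b"%PDF-1.4 ..."}
        for rel, data in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = build_manifest(root, key)
        ok_before, _ = verify_backup(root, manifest, key)

        os.remove(os.path.join(root, "hr", "payroll.csv"))
        with open(os.path.join(root, "docs", "case-1.pdf"), "wb") as f:
            f.write(b"encrypted-by-ransomware")
        ok_after, problems = verify_backup(root, manifest, key)

        # Attacker edits the manifest entry to match the rewritten file but
        # cannot recompute the HMAC without the key.
        forged_entries = dict(manifest["entries"])
        forged_entries["docs/case-1.pdf"] = sha256_file(os.path.join(root, "docs", "case-1.pdf"))
        forged = {"entries": forged_entries, "hmac": manifest["hmac"]}
        _, forged_problems = verify_backup(root, forged, key)
    return {"ok_before": ok_before, "ok_after": ok_after,
            "problems": problems, "forged": forged_problems}


if __name__ == "__main__":
    print(demo())
```

Run the verification from a host the backup system cannot write to, on a schedule, and alert on any non-empty problem list; that turns "backups were deleted" from a discovery made during recovery into an event logged at the time it happened.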

The Italian regulator, the Garante, has fined a telecommunications company, OMNIA24, 100,000 euros for multiple violations of the GDPR. The infringements concerned outsourced marketing activities, the methods of collecting consent and the source of the data, DataGuidance reports. OMNIA24’s inadequate response to individuals’ requests to access their personal data constituted a further violation. The investigation found the root cause to be a failure to define the controller and processor roles between the business partners, which had left the company unable to guarantee that data subjects could exercise their rights.

Europol has been ordered to erase data concerning individuals with no established link to criminal activity. The EDPS admonished Europol in 2020 for the continued storage of large volumes of data without Data Subject Categorisation (DSC), which poses a risk to individuals’ fundamental rights. Although Europol has since put some measures in place, it has not complied with the EDPS’s request to define an appropriate retention period for filtering and extracting the personal data that the Europol Regulation permits it to analyse. Europol says the decision affects its ability to analyse large and complex datasets at the request of EU law enforcement. The current Europol Regulation contains no explicit maximum period for determining the DSC; the EDPS’s decision sets it at six months, although Europol’s work, like the police investigations it supports, frequently takes longer.

Individual rights: Covid data in police investigations

Police in Germany are being criticised for using COVID-19 contact tracing data to identify witnesses in an investigation, IAPP reports. Police and local prosecutors in Mainz successfully applied to the civic health authorities for data from the Luca contact tracing app, using its records of how long individuals spent at a location, together with their names, addresses and phone numbers, to identify 21 people who may have witnessed a death at a local restaurant. Culture4life, the company that developed the Luca app, condemned the misuse of data collected to protect against infection, adding that it regularly receives requests for its data from the authorities and routinely rejects them.

Big Tech: Clearview AI for FBI, YouTube fake news, Facebook/Meta competition lawsuit

In the US the FBI has signed a contract to subscribe to the controversial facial recognition technology developed by Clearview AI. The company has been criticised for trawling social media platforms for pictures of people and storing them without their knowledge. The CyberScoop report identifies more than 20 other federal agencies with current facial recognition technology contracts. Last year Clearview was found in breach of privacy rules in Canada, Australia and the UK, and last month the French regulator, the CNIL, ordered it to delete French users’ data.

A global coalition of fact-checking organisations has fired a broadside at YouTube for being a “major conduit” of fake news. More than 80 groups signed an open letter saying YouTube allows the “weaponization” of extremism and is not doing enough to filter out disinformation. The letter suggests four remedial steps: a commitment to funding independent research into disinformation campaigns on the platform; links to rebuttals inside videos spreading disinformation and misinformation; stopping its algorithms from promoting repeat offenders; and doing more to tackle falsehoods in non-English-language videos.

Facebook/Meta is facing the first class action of its kind in the UK for breach of competition rules. The claimants, a competition lawyer backed by a litigation fund, are seeking more than three billion dollars on behalf of millions of UK Facebook users as compensation for paying an “unfair price”, namely surrendering unfettered use of their personal and private data in exchange for Facebook’s market-dominant service. Anyone domiciled in the UK between 1 October 2015 and 31 December 2019 who used Facebook even once could be in line for a payout unless they opt out of the lawsuit.

The post Weekly digest January 10 – 16, 2022: Does the use of Google Analytics by EU entities violate the GDPR? appeared first on TechGDPR.
