employment data Archives - TechGDPR (https://techgdpr.com/blog/tag/employment-data/)

Data protection digest 16 Feb – 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers
TechGDPR, 4 March 2025. https://techgdpr.com/blog/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers/
The Data Act is almost here

In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, which applies from 12 September 2025. The Act enhances data sharing and enables a fair distribution of data value by establishing clear rules on the access and use of data within the EU, whether B2B, B2C or B2G. The guide elaborates, among other things, on:

  • the definitions of data users, data holders and third parties, as well as 
  • cloud and service interoperability requirements, 
  • fairness of data-sharing contracts, and 
  • enforcement and dispute resolution frameworks. 

The GDPR is fully applicable to all personal data processing activities under the Data Act. In some cases, the Data Act specifies and complements the GDPR (e.g. real-time portability of data from IoT devices). The Data Act also restricts the re-use of data by third parties. In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data will prevail.

US data transfers

The Norwegian regulator Datatilsynet has answered FAQs about the rules for US data transfers in view of the political situation in Washington. Although the current rules, the Data Privacy Framework, make it easy to transfer personal data to the US, the regulator expects that they will sooner or later be challenged before the CJEU. An adequacy decision remains in force until it is revoked by the Commission.

This means that any changes in the US will not automatically result in the lapse of the adequacy decision. At the same time, if it is revoked, there will most likely not be a transition period. It is important to be aware of this when purchasing US services. Also, the use of US cloud services on European soil could be negatively affected if the adequacy decision is lifted. The most important advice for your business is to have an exit strategy for what you will do if you can no longer transfer personal data to the US in the same way as today. 

DORA implementation updates

On 18 February, the European Supervisory Authorities (ESAs), the EBA, EIOPA and ESMA, published a roadmap to designate critical ICT third-party service providers (CTPPs), such as cloud services and data hosting companies, that are critical to the functioning of financial entities under the Digital Operational Resilience Act. By 30 April, the competent authorities must submit the Registers of Information to the ESAs. These registers will list all ICT third-party arrangements that financial entities have reported to the authorities.

By July, the ESAs will notify the affected ICT third-party service providers if they have been classified as critical, and by the end of 2025 will start overseeing them for non-compliance (risk management, testing, contractual agreements, location requirements, etc).  

Legal updates worldwide

China data audits: With effect from May 1, 2025, Chinese regulators will focus more on the data protection compliance audit requirements under the Personal Information Protection Law, according to DLA Piper’s legal analysis. The measures set out the conditions and rules for both self-initiated and regulator-requested compliance audits conducted on a regular basis, covering the whole data lifecycle (for large-scale and high-risk data processing, audits will be conducted every two years), together with possible rectification steps and further enforcement.

US privacy enforcement: In the past two months, New York State has amended several rules on data breach notification. The amended law requires that New York residents be notified of a data breach, fixing a 30-day deadline for businesses; in addition, responsible persons must inform the state’s Attorney General, Department of State, the Police and Financial Services (the latter only for covered entities) about the timing, content and distribution of the notices and the approximate number of affected individuals. A copy of the template notice sent to affected persons must also be provided.

Meanwhile, Virginia State passed a bill requiring social media platforms to use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor (under 16 years of age), and to limit a minor’s use of the platform to one hour per day, per service or application, while allowing a parent to give verifiable parental consent to increase or decrease the daily limit. The amendment goes into effect on January 1, 2026.

Automated decision CJEU ruling

In a judgment delivered on 27 February, the CJEU ruled that a data subject is entitled to an explanation of how an automated decision was taken in respect of him or her, and that the explanation provided must enable the data subject to understand and challenge that decision.

The case refers to a mobile telephone operator in Austria who refused to allow a customer to conclude a contract because of her credit standing. The operator relied in that regard on an automated assessment of the customer’s credit standing carried out by Dun & Bradstreet Austria. The contract would have involved a monthly payment of 10 euros.

Algorithmic discrimination and the GDPR

The European Parliament’s recent research meanwhile states that one of the AI Act’s main objectives is to mitigate discrimination and bias in the development, deployment and use of high-risk AI systems. To achieve this, the Act allows ‘special categories of personal data’ to be processed, under a set of privacy-preserving conditions, in order to identify and avoid discrimination. The GDPR, however, is more restrictive in that respect. The legal uncertainty this creates might need to be addressed through legislative reform or further guidance, the report states.

More from supervisory authorities

DPIA guidance: The Swedish Data Protection Authority IMY has published guidance on impact assessments for activities that process personal data (in Swedish). The practical guide is intended to facilitate the work of impact assessments and reduce uncertainty about how the various steps are carried out and how the regulations should be understood. It also contains some legal interpretation support, as well as detailed templates for an assessment.

Urban data platforms: As municipalities move towards becoming smart cities or smart regions, more and more systems are being equipped with communication interfaces, states the German Federal Office for Information Security. These include sensors for recording parking spaces, measuring river water levels or monitoring smart garbage cans. Urban data platforms (UDPs) can be used to bundle the various information streams and enable efficient decision-making, such as on optimized traffic control, early warning systems in the event of disasters, or urban planning.

To that end, the regulator has prepared technical guidance for developers, solution providers and operators of such platforms (in German). It analyses various existing IT security standards and examines existing UDPs for their vulnerabilities.

Employment records: The UK ICO updated its guidance aimed at employers who keep employment records. The data protection law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between employer needs and every worker’s right to a private life.

The terms ‘worker’ and ‘former worker’ cover all employment relationships, including employees, contractors, volunteers, and gig or platform workers. The guidance can be combined with the other ICO guidance on data protection and employment – in particular, the ICO’s detailed guidance on workers’ health information and on monitoring of workers.

Insurance companies data swaps

The North Rhine-Westphalia Data Protection Commissioner has initiated investigations against ten insurance companies in North Rhine-Westphalia for an illegal exchange of personal data. Specifically, the companies, together with almost 30 other insurers, shared data from customers in international travel health insurance to uncover cases of fraud and identify fraud patterns. Since the insurance companies are based in ten federal states and other European countries, a joint coordinated investigation was launched. To exchange data, the insurers used a closed email distribution list, on which several employees of the companies involved were usually registered. 

Privacy policy

The Latvian DVI looks at the most common shortcomings in the privacy policies of the organisations it has investigated, and asks data controllers to take them into account:

  • Privacy policy is hard to find
  • Complex and unclear text
  • Not all legal bases and purposes of data processing are listed
  • The purpose of data processing is not linked to the legal basis
  • Failure to specify the organization’s legitimate interests 
  • Unclear information about the storage period
  • Failure to specify recipients of personal data 

Finally, there is also a lack of guidance on data subjects’ rights and their implementation, and complicated mechanisms are provided for the implementation of rights. 

Emotion recognition

The Dutch Autoriteit Persoonsgegevens requested feedback on the AI Act’s ban on AI systems that recognize emotions in the workplace or in education (unless for medical or safety reasons). The conditions set out in data protection legislation must also be fulfilled if emotion recognition is performed using personal data. Clarity is required on the definitions of emotions and biometric information, and on the boundaries of “workplace” and “educational institutions”.

In particular, in the GDPR, the definition of ‘biometric data’ is linked to the unique identification of a natural person that is allowed or confirmed by the processing of personal data. AP notes that the definition of the term ‘biometric data’ in the AI Act must be interpreted in the light of the GDPR. The distinction between emotions and physical states and between emotions and easily visible expressions also remains unclear.

In other news

Web browsing data fine: America’s FTC requires Avast to pay 16.5 million dollars (which will be used to compensate consumers) and prohibits the company from selling or licensing any web browsing data for advertising purposes, to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. The FTC alleged that Avast sold that data to more than 100 third parties through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.

Refused bank loan: It is not possible to further process the data of a loan applicant if no customer agreement has been concluded with the bank, the Polish Supreme Administrative Court confirmed in a recent judgment. The court agreed with the data protection regulator UODO that the processing of data for creditworthiness assessment and credit risk analysis, relating to inquiries that did not end with the granting of a loan, cannot be continued (neither by the bank nor by the credit information bureau) on the basis of the legitimate interest of the data controller.

Data security

Location data: The Data Protection Commissioner in North Rhine-Westphalia warns citizens against being too careless with their location data. If people are careless when selecting an app and sharing personal data, they make it easier for third parties to collect location data and resell it to data traders. The data traders could then use the location information in conjunction with the device-specific ID to create individual movement profiles.

Consumers should ideally pick up their smartphone and check the system settings to see which app has been granted access rights. If in doubt, you should revoke permission.

Self-declared GDPR compliance: The Liechtenstein data protection authority asks organisations to be careful with self-declared GDPR compliance of software solutions or cloud services. Instead, it is necessary to check whether the respective service can achieve the determined level of protection with appropriate settings or measures. Security measures in the cloud include encryption mechanisms or regulations on access rights. Under certain conditions, the aforementioned check must be carried out in the form of a data protection impact assessment (DPIA).

If data stored in the cloud is transferred to a third country outside the EU/EEA, it must also be checked whether that country offers a level of protection equivalent to that in the EU/EEA, or whether such protection can be ensured through suitable measures and guarantees under the GDPR. In addition, providers of cloud services are usually contracted as data processors, which is why the existence of a legally compliant data processing contract must be verified.

In case you missed it

AI from non-EU countries: A number of European regulators draw attention to the risks associated with the use of AI tools like DeepSeek. Although this generative AI model is freely accessible on the Internet, the manufacturer did not design it for the European market. Based on current knowledge, it can be assumed that the requirements of the AI Act and, in particular, the GDPR are not met. Some practical steps can be taken:

  • Pay attention to the transparency of the provider and appropriate documentation.
  • Use a separate, secure IT environment to avoid data leaks.
  • If no privacy-preserving measures are known, it is reasonable to assume that none exist (and inform your employees of the risks associated).
  • Take into account the AI competence requirements and the ban on prohibited AI practices, which apply from February under the AI Act.
  • Make sure that the manufacturer of the AI application, if it is also responsible for data protection and is not based in the EU, has appointed a GDPR representative (otherwise, effective enforcement of the rights of those affected can become very difficult).

AI in education: The Future of Privacy Forum meanwhile highlights the spectrum of AI in education in its latest infographic. While generative AI tools that can write essays, generate and alter images, and engage with students have brought increased attention to the topic, schools have been using AI-enabled applications for predictive or content-generating purposes for years, including reasoning, pattern recognition, and learning from experience.

In practice, they often help with: automated grading and feedback, student monitoring, curriculum development, intelligent tutoring systems, school security and much more. 

Data protection digest 17 Sep – 1 Oct 2024: EU Data Act as an illustration of the GDPR ‘prevail’ principle
TechGDPR, 2 October 2024. https://techgdpr.com/blog/data-protection-digest-02102024-eu-data-act-as-an-illustration-of-the-gdpr-prevail-principle/

How does the EU Data Act interact with the GDPR?

The Data Act will become applicable in the EU on 12 September 2025. In the run-up, the European Commission has published an FAQ on the new legislation. Together with the Data Governance Act, it enables a fair distribution of value by establishing clear rules on the access and use of data within the EU’s data economy. While the Data Act does not regulate the protection of personal data, the GDPR remains fully applicable to all personal data processing activities under the Act.

This includes the powers and competences of supervisory authorities and the rights of data subjects. Sometimes the Data Act complements the GDPR (e.g. real-time portability of data from Internet-of-Things objects). In other cases, it restricts the re-use of data by third parties, such as for profiling purposes (unless necessary to provide the service to the user). In the event of a conflict between the GDPR and the Data Act, the GDPR rules shall prevail (see Art. 1(5) of the Data Act).

Corrective powers under the GDPR

The CJEU has ruled that a supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on their initiative. The case relates to a savings bank in Germany where one of its employees had consulted a customer’s data on several occasions without being authorised to do so. The employee had confirmed in writing that she had neither copied nor retained or shared the data, and the bank had taken disciplinary measures. The data controller nevertheless notified the data protection authority of this breach.

More legal updates

California tech updates: Among over a dozen new bills covering personal data and generative AI, Governor Gavin Newsom signed a bill on training data sources into law. It includes reporting provisions for developers on sources or owners of datasets, a description of data points in them, whether the datasets contain personal information, how the datasets further the intended purpose of the AI system or service, whether the datasets include any data protected by copyright, trademark, or patent and more. Changes will be due on 1 January 2026. 

California has also expanded the definition of personal data to more abstract digital formats, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information. At the same time, a landmark artificial intelligence safety bill was blocked by the governor after strong opposition from major technology companies. The draft bill required the most powerful AI models to undergo safety testing and other oversight obligations.

Lax social media privacy controls: The Federal Trade Commission has examined the data practices of major social media and video streaming services, revealing that they engaged in vast surveillance of consumers to monetize their personal information while failing to adequately protect users online, especially minors. Among other things, companies feed users’ and non-users’ personal information into their automated systems, including for use by their algorithms, data analytics, and AI, without proper testing and oversight. Meanwhile, data subjects had little or no way to opt out of how their data was used by these automated systems.

Who determines how to secure data?

The Polish Supreme Administrative Court has issued a final decision on whether a data controller can leave it to an employee to determine how to secure data. In the underlying case, the probation officer of a district court lost an unencrypted USB drive containing the personal data of 400 people. The analysis of the case showed that the controller had not fulfilled its security obligations correctly.

Before the incident, the controller issued the device and instructed the probation officer to implement security measures on their own. The obligation to register and encrypt the medium was introduced only after the officer lost it. Additionally, employees were only given basic training in data protection, which did not give them enough knowledge on securing digital mediums or calculating the risks of data loss. As a result, the employee decided to protect the data by carrying their drive in a locked bag.

More from supervisory authorities

Data accountability from A to Z: The Luxembourg data protection and cybersecurity authorities have recently developed DAAZ, a GDPR compliance tool that addresses the challenges faced by start-ups and small and medium-sized enterprises (available in English). The tool responds to the personal data protection challenges faced by SMEs in particular, which are often at a disadvantage compared with large organisations in terms of resources and expertise.

Mobile applications: The French CNIL has published the final version of its recommendations to help professionals design privacy-friendly mobile applications. From 2025, these will be the subject of a specific control campaign. According to the latest data, a typical French consumer downloads 30 apps and uses their mobile phone for an average of 3 hours and 30 minutes per day. Among other things, the recommendations include best practices for stakeholders to ensure that users understand whether the requested permissions are really necessary for the application to function.

AI Act and GDPR: Finally, the Belgian regulator published its information guide (available in English) on the EU AI Act from a GDPR perspective. It includes sections on the definition of an AI system and on data protection principles such as purpose limitation, data minimisation and data subject rights in an AI context. It also emphasizes accountability, security measures and human oversight in AI development.

Termination of employment

Although former employees have the right to request the deletion of their data, this right is not absolute, according to the Latvian regulator. In one example, a former employer has the right to temporarily retain an e-mail box for a certain period to ensure continuous communication with the company’s customers (e.g. by forwarding e-mails) and to access information that is essential to the operation of the company. However, the employer must clearly define for how long this e-mail address will be retained and communicate this to employees.

This does not mean that the employer can use the information found in the e-mail for other purposes. The principle of purpose limitation should be taken into account here. If an employer recovers, for example, a computer or smartphone used by an employee after the end of the employment relationship, they may discover that private e-mails or other communication channels were accessed on it. If the employee is not logged out of these accounts, the employer has no right of access, despite owning the device.

Data requests via a representative

Finland’s data protection commissioner has stated that a person can make an inspection request for their data with the help of an agent and, for example, ask the organisation to provide the agent with that information. Data protection legislation does not prevent the exercise of data protection rights through another person. An individual who contacted the regulator’s office had asked the Tax Administration to deliver all information about them to their representative’s postal address. However, the Tax Administration refused to provide information to the agent, citing that the information could only be provided to the person directly.

More enforcement decisions

Commercial legitimate interest: Hogan Lovells’ law blog reports that a Dutch court has once again overturned a decision of the data protection authority for its overly strict interpretation that purely commercial interests cannot be legitimate interests under the GDPR. The court ruled in favour of the unnamed company by suspending a 120,000 euro fine, as there was still room for legal discussion.

The cumulative criteria for a valid legitimate interest (e.g. for direct commercial marketing) require a careful assessment, including whether the data subject could reasonably expect the data processing. Additionally, the personal data concerned must be strictly necessary for the legitimate interests pursued, and, finally, the fundamental rights and freedoms of the data subject must be preserved.

Meta fine for password storage in plaintext: The Irish Data Protection Commission has fined Meta Ireland 91 million euros. The inquiry was launched in April 2019, after the company notified the regulator that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption). These passwords were not made available to external parties.

Selling data to competitors: A man in the UK has pleaded guilty and been fined for unlawfully retaining and selling thousands of details of customer records from the car leasing company he worked for. Shortly before he resigned from his role as sales consultant, at Leaseline Vehicle Management Ltd, he sold over 3,600 pieces of personal information he’d taken from the company’s internal customer database. He approached multiple competitor companies with this information, whilst claiming that the data belonged to him.

Data security

Facial recognition: The German Data Protection Conference observes that some authorities are already using biometric facial recognition in public spaces, citing non-specific criminal procedural rules. However, the legal framework and the civil liberties of those affected – potentially all citizens – are not sufficiently taken into account. For this reason, the European legislators have excluded certain applications in the AI Act and set strict limits for others. The regulator calls upon the national legislators to create specific and proportionate legal bases for the use of facial recognition systems in public spaces.  

Minor’s data: Following the UK Ofcom’s publication of the draft Children’s Codes of Practice which are due to come into effect in early 2025, Instagram has changed the way it works for minors, connectedworld.clydeco.com reports. For all under 18s, the new “teen accounts” will activate several privacy settings by default, such as preventing non-followers from seeing their material and requiring them to manually accept new followers.

Also, the only way for 13 to 15-year-olds to change the settings is to add a parent or guardian to their account. Strict guidelines will also be applied to sensitive content to avoid suggesting potentially dangerous material and muting notifications overnight, (“sleep mode”). 

Portability right: A new portability right applies to employees and consumers in Québec, the JD Supra law blog reports. Its purpose is to allow individuals in the private and public sectors to access their data and transfer it to another legally authorised organization of their choice. It only applies to data that is already stored digitally and was provided directly by the individual. Although the legislation does not specify any particular format, PDFs, pictures, and proprietary formats that call for additional software or costly licensing should be avoided in favour of formats like CSV, XML, or JSON.

Data protection digest 3-16 Feb 2024: Sneakily changing terms of service and privacy policy won’t help your business
TechGDPR, 19 February 2024. https://techgdpr.com/blog/data-protection-digest-19022024-sneakily-changing-terms-of-service-and-privacy-policy-wont-help-your-business/

In this issue, you will find that America’s FTC is warning against retroactively changing terms of service or privacy policy. Palantir running the NHS’s new data platform in the UK, and envisaged changes to the EU GDPR enforcement framework and new dispute resolution mechanisms are also in focus.

Terms of Service and User Privacy

America’s FTC warns AI developers and other companies that quietly changing terms of service could be unfair or deceptive. While businesses creating AI products have strong financial incentives to use user data as fuel for their systems, they also have established policies in place to safeguard users’ privacy. A business that collects user data on the basis of one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data. Some companies may attempt to make such changes covertly, by making retroactive amendments to their terms of service or privacy policy (e.g. to use that data for AI training).

Last summer, the FTC alleged that a genetic testing company violated the law when the company changed its privacy policy to retroactively expand the kinds of third parties with which it could share consumers’ sensitive data, adding supermarket chains and nutrition and supplement manufacturers, without notifying consumers who had previously shared personal data, or obtaining their consent. Additionally, it did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it, according to the complaints. The company stored it in publicly accessible “buckets” on a cloud storage service with thousands of health reports about consumers and raw genetic data, sometimes accompanied by a first name, despite promising users its security practices would exceed industry-standard security practices. 

Other official guidance

Employment data: The Italian privacy regulator launched a Code of Conduct for employment agencies. Agencies that adhere to the code undertake to process only data strictly necessary for the establishment of the employment relationship, and must therefore not investigate jobseekers’ political, religious or trade union opinions, or carry out pre-selections based on information regarding marital status, pregnancy or disability, even if candidates have given their consent.

Agencies must not obtain information by consulting social profiles intended for interpersonal communication. Online information can be collected only if made available on professional social channels. Furthermore, employment agencies will not be able to acquire the candidate’s professional references from previous employers and communicate them to their clients, without “prior explicit authorization from the candidate”.

Camera systems: The Czech data protection authority has published a new methodology, (in Czech), for the design and operation of camera systems. It covers camera systems, (including security cameras), that make recordings as well as those operating in online mode, the minimum technical and organisational measures required for them, and typical use cases. The methodology is not a legally binding document, and it remains the duty of personal data administrators to always proceed in line with the GDPR and EDPB Guidelines No. 3/2019.

New procedures for GDPR enforcement

MEPs have adopted a draft position laying down additional procedural rules for enforcing the GDPR. It deals with the cooperation and dispute resolution mechanisms of the GDPR and introduces deadlines for cross-border procedures and disputes. Concerning amicable settlements, such settlements should require the parties’ explicit consent, and should not prevent a supervisory authority from starting an own-initiative investigation into the matter. The MEPs’ position also ensures that all parties to complaint procedures have the right to effective judicial remedies, for example when the regulator does not take the necessary actions or comply with deadlines. 

Digital Services Act is now fully applicable 

The DSA has applied to online platforms and search engines with more than 45 million users in the EU since 25 August 2023. From 17 February, it applies to smaller platforms and online intermediaries, (goods, content or services), on the European market. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. For instance, if you complain about what you suspect is illegal content, the service provider must handle the matter and inform you of its solution. 

Compliance will be supervised by specialised agencies in the Member States, and certain obligations by consumer protection and data protection authorities. To avoid disproportionate constraints, small companies, (with fewer than 50 employees and an annual turnover of less than EUR 10 million), and micro-enterprises are exempted from various measures, (transparency reports, internal complaints handling system, etc.). More details on the enforcement framework under the DSA are here.

More legal updates

Main establishment in the EU: The EDPB clarified the notion of the main establishment under the GDPR rules. A controller’s “place of central administration” in the EU can be considered as a main establishment under Art. 4(16)(a) GDPR only if: 

  • it makes the decisions on the purposes and means of the processing of personal data and, 
  • it has the power to have such decisions implemented. 

Furthermore, the One-Stop-Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. This means that, when the decisions on the purposes and means of the processing are taken outside of the EU, there is considered to be no main establishment of the controller in the Union, and therefore the One-Stop-Shop should not apply.

CPRA enforcement: California’s Third District Court of Appeal held that the California Privacy Protection Agency’s authority to enforce its amended privacy regulations should have been effective on July 1, 2023. The decision restores the CPPA’s authority and overturns a lower court ruling. The agency has been vigorously enforcing the statutory rights approved by Californians – Proposition 24, the California Privacy Rights Act of 2020 (CPRA). Some of the new and amended regulations implementing the CPRA, which largely define and clarify how businesses must honour those rights, were previously deemed unenforceable by the lower court.

Video gaming and children’s data

The ICO has carried out an age-appropriate design code audit of Gameforge’s processing of UK children’s data. The majority of their games are rated as suitable for children aged 0-12 years. Gameforge does not collect any user data to confirm users’ ages or identify child users, and has consequently chosen to apply safeguards to all users by pseudonymising all user account data and by not carrying out higher-risk processing activities such as location tracking or profiling. Gameforge does not use personal data to promote or market third-party products or services, and Gameforge’s online services do not include any third-party advertising.

As notably good practice, the ICO underlined the high level of qualifications and involvement of the data protection team. In particular, Gameforge has made two DPO-certified members key signatories to the company accounts and to new or changed contracts. However, opportunities for improvement were also identified, such as a clearer privacy policy, and a DPIA that records consultation with key stakeholders and their feedback and approval. An assessment should also be undertaken to consider and document the potential ages of users, which can be achieved non-intrusively by using anonymous or aggregated data such as market research. 

Cookie-banners supervision

The Dutch regulator promised to intensify the checks of websites and explained, one more time, how organisations should set up cookie banners to properly request permission: 

  • provide information in clear text about the purpose;
  • do not enable checkboxes automatically;
  • give all choices in the first layer, (don’t hide certain choices and don’t force someone to make extra clicks);
  • do not use a discreet link in the text;
  • be clear about withdrawing consent;
  • carefully choose the legal basis, (do not confuse consent with legitimate interest).

The Bavarian data protection authority meanwhile checked the cookie banners of hundreds of websites and apps and found numerous violations. Many operators, (around 350 websites), now have to change their pages. The regulator has successfully developed a tool which makes it possible to automatically check websites to see whether, in addition to the “Accept All” option, there is also an equivalent option for not granting consent. The test is initially based on the use of a very common consent management platform, (CMP), but will be expanded to include other CMP providers and thus an even larger number of websites in future iterations.
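The Dutch checklist above and the Bavarian authority’s automated scan both reduce to tests that can be run against a banner’s first-layer markup. The following is an added example, not code from the page or from either regulator’s tool: a Python audit over a consent banner’s HTML that flags pre-ticked checkboxes, a missing reject or necessary-only option beside “Accept all”, a refusal offered only as a text link while acceptance is a button, and the absence of any withdrawal information. The three banners are constructed for illustration, and the wording patterns and checks are this example’s assumptions, not the regulators’ published criteria.

```python
import re
from html.parser import HTMLParser

# Wording that marks a control as refusing or granting consent. Refusal is
# matched first so that "Continue without accepting" counts as a refusal.
REJECT_RE = re.compile(
    r"(reject|decline|refuse|deny|only (the )?necessary|necessary only|without accept)", re.I)
ACCEPT_RE = re.compile(r"(accept|allow|agree)", re.I)


class BannerParser(HTMLParser):
    """Collects consent controls, pre-ticked checkboxes and the visible text."""

    def __init__(self):
        super().__init__()
        self.controls = []    # (kind, label) with kind "button" or "link"
        self.prechecked = []  # names of checkboxes rendered already ticked
        self.text = []        # every text node, for the withdrawal check
        self._open = None     # (kind, [text parts]) while inside a button/link

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare boolean attribute such as `checked` maps to None
        if tag == "input":
            kind = (a.get("type") or "").lower()
            if kind == "checkbox" and "checked" in a:
                self.prechecked.append(a.get("name") or a.get("id") or "?")
            elif kind in ("submit", "button"):
                self.controls.append(("button", a.get("value") or ""))
        elif tag in ("button", "a"):
            self._open = ("button" if tag == "button" else "link", [])

    def handle_data(self, data):
        self.text.append(data)
        if self._open:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if self._open and tag in ("button", "a"):
            kind, parts = self._open
            self.controls.append((kind, " ".join("".join(parts).split())))
            self._open = None


def audit_cookie_banner(html: str) -> list:
    """Return the checks that fired; an empty list means the banner passed."""
    p = BannerParser()
    p.feed(html)
    findings = [f"pre-ticked checkbox: {name}" for name in p.prechecked]

    reject = [c for c in p.controls if REJECT_RE.search(c[1])]
    accept = [c for c in p.controls
              if ACCEPT_RE.search(c[1]) and not REJECT_RE.search(c[1])]
    if accept and not reject:
        findings.append("no reject / necessary-only option in the first layer")
    elif (accept and any(k == "button" for k, _ in accept)
          and all(k == "link" for k, _ in reject)):
        findings.append("reject option is only a text link while accept is a button")

    if "withdraw" not in " ".join(p.text).lower():
        findings.append("no information on how to withdraw consent")
    return findings


# Constructed banners for illustration; not taken from any real website.
PRE_TICKED_BANNER = """<div id="consent"><p>We use cookies.</p>
<label><input type="checkbox" name="analytics" checked> Analytics</label>
<label><input type="checkbox" name="marketing" checked> Marketing</label>
<button>Accept all</button> <a href="/settings">Manage preferences</a></div>"""

PURPOSE_TEXT = """<p>We use analytics cookies to measure site usage and marketing
cookies for personalised ads. You can withdraw consent at any time via the
cookie settings link in the footer.</p>"""

DISCREET_LINK_BANNER = f"""<div id="consent">{PURPOSE_TEXT}
<button>Accept all</button> <a href="/continue">Continue without accepting</a></div>"""

COMPLIANT_BANNER = f"""<div id="consent">{PURPOSE_TEXT}
<label><input type="checkbox" name="analytics"> Analytics</label>
<label><input type="checkbox" name="marketing"> Marketing</label>
<button>Accept all</button> <button>Reject all</button></div>"""

if __name__ == "__main__":
    for name, banner in [("pre-ticked", PRE_TICKED_BANNER),
                         ("discreet link", DISCREET_LINK_BANNER),
                         ("compliant", COMPLIANT_BANNER)]:
        print(name, audit_cookie_banner(banner))
```

A real scan would fetch the page and the CMP’s rendered DOM rather than static HTML, and the regulator’s tool is tied to one common CMP for that reason; the static checks here show what “an equivalent option for not granting consent” means in concrete terms.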


Enforcement decisions

Data storage periods: The French CNIL fined the company which publishes the pap.fr website, (which allows individuals to view and publish real estate ads), 100,000 euros. The company had defined a retention period of ten years for customer accounts using paid services on the site, contrary to the consumer code provisions on which it relied. It informed individuals through an incomplete and unclear privacy policy. Its password complexity rule was insufficiently robust, and passwords and related data were stored unencrypted. All data relating to inactive user accounts was kept unsorted. 
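Two of the findings in the pap.fr decision, a weak password complexity rule and passwords stored unencrypted, have a standard remedy: enforce a minimum policy at registration and store only a salted, slow hash of the password. The following is an added example, not code from the page or from the company in the decision. The policy thresholds (12 characters, three of four character classes, a small denylist) and the PBKDF2 work factor are this example’s assumptions; the CNIL decision as summarised here gives no figures.

```python
import hashlib
import hmac
import os

# Assumed policy for illustration: minimum length, character-class mix and a
# short denylist of common passwords (a real deployment would use a large list).
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "azerty123456"}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def check_complexity(password: str) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        failures.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password denylist")
    return failures


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2 hash and pack it as one self-describing record.

    The record carries the algorithm, work factor and salt, so the work factor
    can be raised later and old records re-hashed at the user's next login.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:
        return False  # malformed record: fail closed rather than raise


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3xyz"  # constructed sample, not a recommendation
    print(check_complexity("password"))        # three failures
    record = hash_password(candidate)
    print(record.split("$")[0], verify_password(candidate, record))  # pbkdf2_sha256 True
```

The stored record never contains the password itself, which addresses the “stored unencrypted” finding directly; the “related data” (recovery questions, reset tokens) needs the same treatment, which the example leaves out.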

Online dating site: The Italian data protection authority has fined the manager of a well-known online dating site 200,000 euros for unlawfully processing the personal data of about 1 million members. Registration on the platform, which has about 5 million members worldwide, required the entry of numerous data, (meeting interest, country, region, city of residence, date of birth, e-mail), and photos, which customers uploaded to the public profile or to the reserved area, without being given adequate information on the use that would be made of that data. The information provided also gave no indication of data subjects’ ability to exercise the rights provided for by privacy legislation. 

The owner of the site did not have a specific privacy policy regarding the storage of the data processed, limiting itself to randomly proceeding with the deletion of accounts that are no longer active and the information contained, as well as unsuccessful registration requests. Finally, although the company was required to do so, it had not drawn up a register of processing activities, had not appointed a DPO, nor had it prepared an impact assessment (DPIA). 

Viamedis and Almerys data breach

The French CNIL is conducting investigations into a data breach which has affected Viamedis and Almerys, operators managing third-party payment for numerous complementary health insurance and mutual insurance companies. More than 33 million people are affected. The data concerned civil status, date of birth and social security number, and the name of the health insurer. Data such as banking information, medical data, health reimbursements, postal addresses, telephone numbers and emails were not affected by the breach. 

Shoplifter identity

The Dutch data protection authority has granted 500 permits for a collective shopping ban. Shopkeepers with such a permit can warn each other in a defined area about shoplifters and people who cause nuisance, sharing their names and photos. Shopkeepers may only share such a ‘blacklist’ with each other under strict conditions. For example, someone from the police, the municipality or the public prosecution service must always be involved.

Big Data

UK health care data: The Good Law Project NGO raises concerns about the lack of transparency in the contract allowing Palantir to run the NHS’s new system – the Federated Data Platform. The organisation has now taken legal action to challenge the NHS’s data governance. Despite the massive scale of redactions in Palantir’s 500+ page contract, the NGO insists no reasons for the secrecy have been given by the public bodies. The NHS has also signed a contract with the biotech IQVIA, to provide “Privacy Enhancing Technology” for the platform. Around three-quarters of the contract is also completely redacted, including a section on personal data protection. 

Pupil surveillance: Privacy International reports that some UK schools have bought and installed sensors in toilets that ‘actively listen’ to pupils’ conversations to try to detect keywords spoken by pupils. Such sensors do not record or save any conversations but send alerts to staff when triggered. At the same time, some schools are also pairing them with surveillance cameras, so that when a vaping sensor is activated the cameras capture students leaving bathrooms. 

Ulez fines: Italy is investigating the case of Italian police allegedly accessing thousands of EU drivers’ data and sharing it with firms collecting fines on behalf of Transport for London, (TfL). Some other Member States have also claimed that a police department that has not been named has abused its authority by providing personal information about EU drivers to Euro Parking Collections. TfL uses this company to levy fines to enforce low and ultra-low emission zones, (Ulez). Due to national regulations permitting the UK to access EU individuals’ data only for criminal offenses and the fact that breaking Ulez guidelines is considered a civil violation, it is believed that the fines have been unlawfully levied since Brexit.

Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus
https://techgdpr.com/blog/data-protection-digest-03052023-draft-ai-legislation-finalised-and-employers-compliance-in-focus/ (Wed, 03 May 2023)
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

Draft AI Act: The long-discussed AI legislation is expected to go through the full European parliamentary vote in mid-June. Reportedly MEPs, after two years of discussions with stakeholders, have finally reached a common political position. However, it will take a few years for it to be enforced: the EU interinstitutional ‘trilogue’ that comes after parliamentary approval may take a while. 

The most rigorous regulations will apply to high-risk systems, such as those used for biometric identification or critical infrastructure management, or by large online platforms and search engines where they create threats to individuals’ health, safety or fundamental rights. The framework includes testing, proper documentation, data quality and human oversight. Extra safeguards are promised when such systems are intended to process special categories of personal data, with synthetic, anonymised, pseudonymised or encrypted data to be prioritised instead. 

MEPs also support the idea to put stricter data governance obligations on foundation models, (like ChatGPT), distinguishing them from general-purpose AI. 

MiCA: Meanwhile the Parliament endorsed the EU rules to trace crypto-asset transfers and prevent money laundering, as well as common rules on supervision and customer protection. The “travel rule”, already used in traditional finance, will in the future cover transfers of crypto assets. Information on the source of the asset and its beneficiary will have to follow the transaction and be stored on both sides of the transfer. The rules will not apply to person-to-person transfers conducted without a provider or among providers acting on their own behalf. The end of 2024 or early 2025 will see the full implementation of the framework. 

America’s innovative tech: Existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices, states the US Justice Department together with its federal partners. The US Constitution and federal statutes prohibit discrimination across many facets of life, including education, criminal justice, housing, lending, and voting. It is illegal for an employer to discriminate against an applicant or employee due to their race, religion, gender, age, pregnancy, disability, or genetic information. The firms are also required to destroy algorithms or other work products that were trained on illegally collected data. 

Case law

Apartment surveillance: The Estonian supreme court explained the possibility of installing surveillance cameras in an apartment building if some owners do not agree. In the given case, drug gang activity in the building was spotted, but one owner contested the cooperative’s decision to install the cameras as an intrusion into his privacy and the risk of monitoring. As CCTV processes personal data, a legal basis is necessary according to the GDPR. If an agreement between the owners cannot be reached, it can be done by a majority vote. In this case, there must be a legitimate interest, which outweighs the interests or fundamental rights of the apartment owners, (eg, a security threat – in the given case).

However, the court stated, if the installation of cameras is decided by a majority vote at the general meeting, then all apartment owners must be given the opportunity to familiarize themselves with the planned conditions, including a privacy notice for the use of cameras before the meeting. In case of violation of this requirement, the decision of the general meeting would be null and void.

Official guidance

SMEs guide: An organisation not only has to process personal data according to the GDPR, but it also needs to be able to demonstrate its compliance. For this purpose, the EDPB published its Guide for SMEs. It applies whenever you process personal data about your staff, consumers, and business partners. Transparency, data minimisation, respect for individual rights and good security practices are basic precautions for both data controllers and processors. The guide contains visual tools and other practical materials. In addition, it contains an overview of handy materials developed for SMEs by the national data protection authorities.

Employer’s guide: The Irish data protection regulator meanwhile published Data Protection in the Workplace instructions. Employers collect and process significant amounts of personal data on prospective, current and former employees. Although not all organisations are required to have a data protection officer, organisations might still find it useful to designate an individual within their organisation to oversee recruitment data processing. The guide includes explanations and examples of appropriate legal bases, storage periods, fulfilment of data subject requests, employee monitoring technologies, email status, and much more. 

Employees’ photos: The Slovenian data protection agency published its opinion regarding the revocation of consent for the publication of employees’ photos on the employer’s social networks. The processing of the employee’s personal data based on their personal consent is permissible only in exceptional cases, due to the obviously unequal position of the employer and the employee. 

Nonetheless, if the circumstances of the employment relationship do not require the production, publication and continued storage of a photograph, the employer should obtain consent, (and provide all the necessary information stipulated in Art. 13 of the GDPR). In this case, the fact that the photos have been made public has no effect on the possibility of revoking consent to their publication. A refusal, or silence, on the part of the manager gives rise to the possibility of lodging a complaint with the data protection authority. 

RoPA: A fresh new guide on records of processing activities with some practical examples was issued by the Irish data protection agency. The RoPA should not just be a ‘catch all’ document that refers to other documents; all processing activities should be recorded in sufficient detail, it states. An external reader or an auditor needs to be able to fully comprehend the document. Smaller organisations may not be required to maintain a full RoPA due to their size. However, most organisations will need to record processing activities such as HR and payroll functions. It may be that a simple spreadsheet is sufficient. For more complex organisations, the data controller may opt to use a relational database or one of the RoPA tools available from third-party data protection service providers. 

Online training: During the planning stage of a seminar, explains the Latvian data protection regulator, best practice means writing down and evaluating what kind of data about the event’s visitors is intended to be processed, and for what purposes. Beyond registration data, this can include the participant’s technical data from a device and broadcast and recording of the seminar. The next questions should be what is the applicable legal basis, the types of personal data, and the storage periods necessary to achieve the goal. 

In the case of other (joint) controllers, or processors involved, they must agree among themselves, determine the specific responsibilities and inform the workshop participants. The organizer(s) can include such information in the general privacy policy or develop it separately for each individual seminar. The information must be provided in a concise, transparent, understandable and easily accessible way, (it is considered good practice to have the privacy policy no more than two clicks away from the website’s front page). 

Enforcement decisions

ChatGPT: The temporary ban against OpenAI and its ChatGPT has been dropped by the Italian data protection authority. The platform has introduced the required opt-out option for users’ data processing before running the AI chatbot. A number of European regulators are also moving into action. The French data protection authority has announced the investigation of received complaints, and the German regulators want to know if a data protection impact assessment has been conducted. At the same time, Ireland’s regulator advises against rushing into ChatGPT prohibitions that “really aren’t going to stand up”, stressing it is necessary first to understand a bit more about the technology. 

Record number of cases: The Spanish data protection agency published its 2022 report. 15,128 claims were filed, which represents an increase of 9% compared to 2021 and 47% compared to 2020. This figure rises to 15,822 including cross-border cases from other European authorities and the cases in which the agency acts on its own initiative. The areas of activity with the highest amount of fines imposed have been Internet services, advertising, labour matters, personal data breaches, fraudulent contracting and telecommunications. The main way of resolving claims involves their transfer to the data controller, obtaining a satisfactory response for the citizen in an average of less than 3 months, states the report.

Employee’s dismissal: The Danish data protection authority criticizes an employer who informed the entire workplace that an employee had been dismissed due to, among other things, cooperation difficulties. The employer’s briefing emails went further than was necessary for the purpose, namely to inform the relevant persons about the resignation. The employer stated that making the reason for the resignation public was to avoid the creation of rumours. However, the Danish regulator found that consideration for the resigning employee weighed more heavily.

Security clearance: The Danish authority also decided against a former security guard who complained that his employer, (Securitas), had passed on information about him to the intelligence services in connection with a security clearance without obtaining consent. However, Securitas insists that all on-call employees are informed of the requirement for security clearance, and the complainant had completed an employment form with a declaration of consent, as his application for security approval would have been rejected if he had not completed, signed and consented to it.

Dark patterns: In Italy, a company that offers digital marketing services was found guilty of having illegally processed personal data. It emerged that in some of the portals owned by the company, “dark patterns” were used which, through suitably created graphical interfaces and other potentially misleading methods, enticed the user to give their consent to the processing of data for marketing purposes and to the communication of data to third parties. In addition, an invitation to click on a link that led to another site to download an e-book had the user’s profile data already recognized and the consent already selected. 

Security evidence logs: For a careless response to a data access request, the Spanish data protection authority fined Securitas Direct Espana 50,000 euros, according to Data Guidance. The complainant exercised their right of access after their vacation home, for which they had signed a security service contract, was robbed. The data logs from the alarm system were not provided in full by Securitas Direct: those that were sent to the complainant were incomplete, out of chronological order, and missing the decryption keys. The logs produced by the alarm system installed in the complainant’s home, stated the regulator, are considered personal data and are thus subject to the right of access.

Data security

Consumers’ personal data: New York’s Attorney General released a guide to help businesses adopt effective data security measures to better protect personal information.  The guide offers a series of recommendations intended to help companies prevent breaches and secure their data, including:

  • maintaining controls for secure authentication,
  • encrypting sensitive customer information,
  • ensuring your service providers use reasonable security measures,
  • knowing where you keep consumer information,
  • guarding against automated attacks, and
  • notifying consumers quickly and accurately of a data breach, etc.

Cybersecurity of AI: The European Union Agency for Cybersecurity published an assessment of standards for the cybersecurity of AI and issued recommendations to support the implementation of upcoming AI legislation. AI mainly includes machine learning resorting to methods such as deep learning, logic, and knowledge-based and statistical approaches. However, the exact scope of an AI system is constantly evolving both in the legislative debate on the draft AI Act, as well in the scientific and standardisation communities. 

The assessment is based on the observation concerning the software layer of AI. It follows that what is applicable to software could be applicable to AI. However, it does not mean the work ends here. Other aspects still need to be considered, such as a system-specific analysis to cater for security requirements deriving from the domain of application, and standards to cover aspects specific to AI, such as the traceability of data and testing procedures. Meanwhile, some key recommendations include:

  • establishing a standardised AI terminology for cybersecurity;
  • developing technical guidance on how existing standards related to the cybersecurity of software apply to AI;
  • reflecting on the inherent features of machine learning in AI;
  • considering risk mitigation by associating software components, reliable metrics, and testing with AI;
  • promoting cooperation and coordination across standards organisations’ technical committees.

Big Tech

VLOPs: The first designations of ‘Very Large Online Platforms and Online Search Engines’ under the Digital Services Act, (and the Digital Markets Act), were made public by the European Commission. As the 19 designated entities reach 45 million monthly active users, they will be subject to more regulatory requirements: user rights offerings, targeted advertising opt-outs, restrictions on sensitive data and on profiling of minors, as well as improved transparency and risk assessment measures. Within 4 months of notification, the platforms will have to redesign their services, including their interfaces, recommender systems, and terms and conditions.

Salesforce Community leaks: A large number of businesses, including banks and healthcare providers, are leaking information from their open Salesforce Community websites, a KrebsOnSecurity analysis has discovered. Customers can access a Salesforce Community website in two different ways: through authenticated access, (which requires logging in), and through guest user access, (which doesn’t). It appears that Salesforce administrators may inadvertently give guest users access to internal resources, (payroll, loan amount, bank account information combined with other data), which could allow unauthorised users to gain access to a company’s confidential information and result in possible data leaks.

Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU
https://techgdpr.com/blog/data-protection-digest-18042023-us-data-transfers-and-ai-tools-occupy-eu/ (Tue, 18 Apr 2023)
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

US data transfers: A full parliamentary vote on the upcoming EU-US Data Privacy Framework is planned in the coming weeks. So far, a resolution adopted by Civil Liberties Committee MEPs argues that the European Commission should not grant the US an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the two. However, this resolution will not be binding on the European Commission. 

MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide for clear rules on data retention. The transparency and independence of the new redress mechanism for EU data subjects are also under question. Finally, the US Intelligence Community is still updating its practices based on the framework, so an assessment of its impact on the ground is not yet possible, say MEPs. 

CCPA/CPRA: The updated CCPA regulations were approved by the State of California and come into effect in three months’ time. These revisions reflect the CCPA’s amendment by the California Privacy Rights Act of 2020, which added new business obligations addressing: consumer rights regarding the sharing, sale, and restriction of sensitive personal data, information notices, user-enabled privacy controls, opt-out options, contractor and third-party contract requirements, and more. 

Employees’ data: In its recent judgement the CJEU ruled on important aspects of data processing in the employment context, interpreting Art. 88 of the GDPR. The preliminary ruling concerns the lawfulness of a system for the live streaming of classes by videoconference introduced in state schools in Hessen, (Germany), without the prior consent of the teachers. Art. 88 of the GDPR enables the national legislator to enact “more specific regulations” in employee data protection. However, these should not be general clauses that simply repeat the GDPR’s provisions. 

Instead, they should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing. For organisations and employers this means that in the absence of valid national provisions GDPR rules must be complied with, including the balancing tests for the appropriate legal basis for employee data processing, (employment contract, legitimate interest or consent). 

In response to the decision, the Hamburg data protection commissioner also stated that Section 23 of the Hessian data protection act does not constitute a ‘more specific rule’, and that the moment had arrived for a new federal employment data protection act. 

Automated employment tools: Meanwhile, on the other side of the Atlantic, the New York City Department of Consumer and Workforce Protection promulgated its final regulations on the Automated Employment Decision Tools Law (AEDTL). Once enforced, it will restrict employers’ ability to use machine learning, statistical modelling, data analytics or AI tools in hiring and promotion decisions within New York City. Employers who use automated employment decision tools must also disclose it to candidates before the tool is used, as well as systematically undergo and disclose independent “bias audits”. Read the full analysis here.

EDPB guidance

A set of updated guidance and studies, along with the annual 2022 report, was published by the EDPB.

National administrative rules: The EDPB conducted a study on national administrative rules applicable when the national supervisory authorities carry out their duties under the One-Stop-Shop, (OSS), procedure. For instance, the requirements for the admissibility of complaints from individuals vary considerably from one country to another. Furthermore, the possibility to reach an amicable settlement between controllers or processors and complainants does not exist in all countries, and there is no clear indication of differing regulations’ impact on the OSS procedure. Finally, there is no convergence regarding the prior notification of forthcoming investigations or exercise of corrective powers. Read more challenges and possible solutions in the original publication.

Entities outside the EEA: Another study by the EDPB looks at the enforcement of GDPR obligations against entities established outside the EEA, (California, the UK and China). It aimed to analyse the possibilities available to enforce supervisory authorities’ investigative and corrective powers against third-country controllers/processors that fall under the scope of the GDPR but are not willing to cooperate with regulators and did not designate an EEA representative. This included the possibility to summon third-country controllers/processors to appear before the SA’s office, or in the SA’s national courts or tribunals, choice of jurisdiction and additional restrictive measures. 

Right of access: The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights and Art. 15 of the GDPR, says the EDPB’s latest guidance. The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier – but is not a condition – for the individual to exercise other rights such as the right to erasure or rectification. 

Personal data breach notification: The EDPB considers that complying with the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Breach notification should be seen as a tool for enhancing compliance. At the same time, failure to report a breach to either an individual or a supervisory authority may mean a possible sanction applicable to the controller. Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach.

Lead supervisory authority: The EDPB has noticed that there was a need for further clarifications, specifically regarding the notion of main establishment in the context of joint controllership and taking into account the concepts of controller and processor in the GDPR. Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity in terms of which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR. 

The most complex situations are when it is difficult to identify the main establishment or to determine where decisions about data processing are taken. This might be the case where there is cross-border processing activity and the controller is established in several Member States, but there is no central administration, or none of the EEA establishments is taking decisions about the processing.

Other official guidance

Generative AI risks: The UK privacy regulator, the ICO, poses eight questions about generative AI that developers and users need to answer. The EU legal backlash on ChatGPT is just the beginning of the journey, states the analysis, and organisations developing or using generative AI should be considering their data protection obligations from the outset, taking a data protection by design and by default approach. This isn’t optional – if you’re processing personal data, it’s the law, (data protection law still applies when the personal information that you’re processing comes from publicly accessible sources):

  • Are you a controller, joint controller or processor? 
  • What is your lawful basis for processing personal data? 
  • How will you comply with individual rights requests? 
  • How will you limit unnecessary processing? 
  • How will you mitigate security risks? 
  • Have you prepared a Data Protection Impact Assessment? 
  • Will you use generative AI to make solely automated decisions? 
  • How will you ensure transparency? 

To know more, here’s the ICO publication. 

AI-assisted employment: Meanwhile, the Spanish data protection authority AEPD explains how to apply AI tools for employment activities. In essence, the data controller decides, when designing the programme, whether or not to include an additional operation of human supervision on the results produced by the AI system. AI systems will form part of the nature of data treatment when they have been included in some of the necessary operations for this explicit purpose. This may include AI systems implemented locally or in the cloud, mobile systems, outsourced data processors, etc. Therefore, the fact that decision-making is automated is not a feature of the AI system itself. 

For example, the procedure to guide candidates to complete an application form where they would include their CVs could be implemented using a chatbot. In addition, the number of applications, and therefore the number of CVs, could be so large that the manager could decide to use an AI system for the automatic selection of the most interesting CVs, according to certain criteria that the manager should also establish. The manager could go further and implement the evaluation of the candidates through another AI system that performs and evaluates the tests for the previously selected candidates. 

Sports industry: A large amount of personal data, including special categories, is generated in digitised sports, states the German federal data commissioner. If these are not so comprehensively anonymised that it is impossible to trace them back to individual athletes, data protection rules on purpose limitation, storage limitation, lawfulness, data minimisation, transparency, and data security apply. This extends to all bodies and organisations that process athletes’ personal data – coaches, associations, doping agencies, sports facility operators, scientific institutes, doctors, laboratories, consultants, agents, and sometimes also sponsors, betting shops or even manufacturers of hardware and software.

Investigations and enforcement decisions

Data breach statistics: The Guernsey data protection agency ODPA published the latest personal data breach statistics: Nearly 10 million people were reported to be affected by 38 personal data breaches from January to March. Reportedly, the majority of those were customers of a UK-based company which was the victim of a large cyber-attack. Although the company is not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers are based. Additionally, the most striking examples of personal data breaches involved:

  • people using personal email accounts to send work-related information, (email providers are outside the control of the organisation meaning usual security policies do not apply and the organisation does not know what its data is being used for),
  • accounts shared by couples or devices, (the boundaries of your personal life and your job intersect in a way that is not helpful for you or your workplace, which means information could fall into the wrong hands.)

Failed data subjects’ right of access: Following a complaint, the Spanish AEPD fined Banco Bilbao Vizcaya Argentaria, or BBVA, 84,000 euros, according to Data Guidance. Despite ceasing to be a client of BBVA in 2012, the complainant discovered in 2021 that there were two debts registered in their name in the Bank of Spain’s Risk Information Center. Regarding the use of the right of access, the AEPD explained that BBVA had asked the complainant for additional details in order to recover the recordings, which constituted an unfair burden on the data subject for the fulfilment of their request.

In another recent enforcement decision by the AEPD, the claimant requested access to the images from the video surveillance system located at a commercial centre. Unable to find a way to make a request in person, the claimant submitted one via electronic means of communication, (using the company’s marketing email address). This email address is not related to the processing of personal data nor was the means of contact enabled for the exercise of any rights. However, the company responded only to state that such access was not possible, except when there is a prior complaint, or when requested by the police or authorised personnel. The regulator found that the right of access of the complainant to their personal data was not respected, as established in Art. 15 of the GDPR.

Data security

Established cooperation: A long-term relationship between a controller and a processing entity does not guarantee data security, states the Polish privacy regulator UODO. In the related case, the verification of the competence of the processor was not formalised, because it consisted of conducting an interview, and the services provided by the entity, (a file depositary service), did not raise objections from the controller. The explanations of both the controller and the processor indicated that these entities only applied the controller’s internal regulations, (the Personal Data Protection Policy). The lack of any risk analysis resulted in the selection of inadequate measures.

The mere signing of a contract for entrusting the processing of personal data without proper assessment of the processing entity cannot be considered as fulfilment of the data security obligation. The determinant for such an assessment cannot be only long-term cooperation and the use of the services of a given processor. In the opinion of UODO, positively assessed cooperation may only be a starting point when verifying whether the processing entity provides sufficient guarantees for the implementation of appropriate technical and organisational measures. 

Certifying employees’ qualifications: The Hungarian data protection agency NAIH publishes detailed recommendations on how to handle documents certifying employees’ qualifications according to the data protection requirements. The employer may require the employee to present a document in its legitimate interest. The employer can also keep their own, internal records of the education of each employee, the date and the method of proof of education. However, “objective evidence”, (as defined in ISO 9000:2015 Quality management systems), needs to be supported by documented information.

A copy of a document certifying education or training does not have the power to prove that it is an authentic copy of a valid public document, so it is not suitable for establishing the authenticity of the data contained therein, and it may include additional unnecessary personal information.

Instead, the organisation may prepare a note or protocol stating that the given employee presented the original documents certifying their education, the relevant data of which is now recorded by the organisation, (eg, serial number of the document, date of qualification).

Tracking pixels: The Norwegian data protection authority encourages businesses to review their websites for tracking pixels or other tracking technologies. Recent media reports revealed that a large number of European online pharmacies have shared customers’ personal data through tracking technologies. For website users this is potentially a major privacy risk, while for the websites it poses a significant legal and reputational risk. The regulator now encourages all Norwegian websites to review for tracking pixels and other tracking technologies. Unless the business has assessed the tools, has an overview of the data flow and is confident that their use is in line with privacy rules, the trackers should simply be removed.

Cyber risks management: The German Federal Office for Information Security updated its manual on ‘Management of Cyber Risks’. It is dedicated to a comprehensive corporate culture that takes cyber security into account at all times, aiming to increase the resilience of companies. As cyber security starts with senior management, IT managers need the necessary support and the right understanding on the part of company management. The guide formulates six basic principles that support management and supervisory boards when considering cyber risks:

  • Understanding cyber security as a component of company-wide risk management.
  • Understanding and closely examining the legal implications of cyber risks.
  • Ensuring access to cyber security expertise and regular exchange.
  • Implementing suitable frameworks and resources for cyber risk management.
  • Preparing risk analysis based on business risk appetite, goals and strategies.
  • Encouraging company-wide collaboration and sharing of best practices.

Big Tech

Meta binding decision: The EDPB adopted a dispute resolution concerning a draft decision of the Irish data protection authority DPC on the legality of data transfers to the US by Meta Ireland for its Facebook service. The decision will be announced soon and may constitute an order on blocking Facebook’s transatlantic data flows. The Irish regulator shall adopt its final decision, addressed to Meta Ireland, on the basis of the EDPB binding decision and taking into account the EDPB’s legal assessment, at the latest one month after the EDPB publishes its decision. 

In January this year the DPC, also instructed by the EDPB, ordered Meta to pay a hefty fine for making users accept targeted ads, and Meta was directed to bring its processing operations into compliance with the GDPR within a period of 3 months. The EDPB also directed the DPC to conduct a fresh investigation of all of Facebook and Instagram’s data processing operations, which would examine special categories of personal data that may or may not be processed. However, the DPC stated that the EDPB is not entitled to instruct and direct a national authority to engage in a new “open-ended and speculative” investigation.

TikTok privacy fine: Finally, the UK fined TikTok 12.7 million pounds for misusing children’s data. More than one million British children under 13 were estimated to be on TikTok in 2020, contrary to its terms of service. As a result, personal data belonging to children was used without parental consent. TikTok “did not do enough” to check who was using their platform and take sufficient action to remove the underage children. Since the conclusion of the investigation of TikTok, the ICO has published a statutory Children’s Code to help online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children. 

The post Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU appeared first on TechGDPR.

Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten https://techgdpr.com/blog/data-protection-digest-10112022-eu-us-privacy-framework-ambiguity-data-breach-reporting-right-to-be-forgotten/ Thu, 10 Nov 2022 09:08:06 +0000 https://s8.tgin.eu/?p=6187

The post Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US privacy framework, DMA, CCPA/CPRA, right to be forgotten

The Baden-Württemberg data protection commissioner warns that Joe Biden’s executive order with regard to the EU-US privacy framework is an important step, but it creates legal ambiguity. It addresses the requirements of the CJEU’s “Schrems II” judgment by adapting, among other things, the extensive access to EU residents’ data in the context of US national security and the complaints and appeals procedure. Nonetheless, it represents an internal instruction to the government and subordinate authorities; it is not a law that has been passed by parliament, and it is not legally enforceable, especially for EU citizens. In addition, it is not clear how the executive order relates to other existing US regulations such as the Cloud Act. Other ambiguities are as follows:

  • The legal concept of proportionality differs in the EU, so that it remains unclear when, from the US’s point of view, access for national security remains permissible.
  • Significant requirements are placed on the filing of a complaint by EU data subjects, so that it is still possible to filter out “undesirable” complaints.
  • The newly created Data Protection Review Court, (an appeal body for complainants), will be set up by order of the Minister of Justice, which may contradict its judicial independence.
  • The CJEU not only demanded legal remedies against state spying, but also the end of surveillance without cause, (the system change demanded by the court does not exist at present).

The European Commission will now have to decide whether there is equivalent protection of personal data in the US. The draft decision is expected in spring 2023. More legal research on the topic is promised by the NOYB privacy foundation, whose founder Max Schrems started the legal battle in 2013. 

Where various controllers rely on the single consent of a data subject, it is sufficient that the data subject contacts any one of them, states the CJEU’s recent ruling. The controller of personal data must, by means of appropriate technical and organisational measures, inform the other controllers that have provided the data or have received such data of the withdrawal of the consent of the data subject. Equally, the controller is required to take reasonable steps to inform third parties such as internet search engine providers of a request for erasure. The case related to Telenet, a Belgian telephone service operator, which passes on the contact details of its subscribers, (with their consent), to providers of directories, including Proximus. One of Telenet’s subscribers asked not to be included in directories published by Proximus and third parties; nonetheless, their contact details appeared online. 

The EU Digital Markets Act, (DMA), entered into force on 1 November. The new regulation will put an end to unfair practices by companies that act as gatekeepers in the online platform economy. In many cases the rules intercept and reinforce fundamental privacy and data protection concepts, such as:

  • Provide business users with access to the data generated by their activities on the gatekeeper’s platform.
  • Ban on tracking end users outside of the gatekeepers’ core platform for the purpose of targeted advertising, without effective consent having been granted.
  • The interoperability obligation to ensure that the levels of service integrity, security and encryption offered by the gatekeeper will not be reduced, (eg, text messages/audio/video calls between individual or group users). End users will equally have the choice to use or refuse such an option, where their provider has decided to interoperate with a gatekeeper.

The DMA will also facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers. After the entry into application on 2 May 2023, potential gatekeepers will have to notify their core platform services to the Commission within 2 months if they meet the quantitative thresholds.

The California privacy regulator released modified proposed regulations for compliance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act. It also seeks public comments on the improved text until 21 November. The adaptations relate to:

  • the notice of collections, (on how to disclose third parties that the business allows to collect personal information from the consumer),
  • right to limit the use/disclosure of sensitive personal information, (without the purpose of inferring characteristics about a consumer),
  • limits to responding to consumer requests due to “disproportionate effort”,
  • requests to correct personal information,
  • data minimisation, (business’s collection, use, retention or sharing of personal information must be reasonably necessary and proportionate to achieve the relevant purposes).

Official guidance: anonymisation for SMEs, data breach reporting, direct marketing, employment practices, DP icons, dark commercial patterns

The Spanish data protection agency AEPD has published a basic anonymisation guide, (in Spanish), for data controllers, data processors and data protection specialists. It is especially aimed at serving SMEs and startups when they have to deal with the anonymisation of small data sets. The document explains the difference between the concepts of anonymisation, de-identification, and re-identification. The guide is complemented by a free tool, (downloadable via this link), for organisations to transform simple data sets by applying anonymisation techniques.

The AEPD has also launched a tool which aims to help data controllers decide whether to report a personal data breach to the supervisory authority, following Art. 33 of the GDPR, (available in English). This tool can also be used by data protection officers, data processors, or consultants to obtain adequate information with which to advise controllers. Once finished, the data provided during the process are deleted, and the AEPD does not have access.

The UK privacy regulator ICO updated its guidance on direct marketing using electronic mail. The Privacy and Electronic Communications Regulations 2003, (PECR), takes its definition of direct marketing from the UK Data Protection Act 2018 and covers the sending of electronic mail for direct marketing purposes to particular individuals. The guide does create a few exceptions for: a) some types of online advertising, (eg, advertisements placed on websites not using cookies or similar technologies), b) direct marketing using social media, (eg, advertising messages shown on news feeds), and c) mail sent for administrative or customer service purposes, (if they do not contain any promotional content). Read the full guidance here.

The ICO also released a draft guidance on employment practices: information about workers’ health, (sickness and injuries, disability, drug tests, health monitoring, etc). It is some of the most sensitive personal information you might process about your workers. Data protection law applies whenever you process information about your workers’ health. Notably, the term ‘worker’ relates to all employment relationships, whether this includes employees, contractors, volunteers, or gig and platform workers. 

The Baden-Württemberg data protection authority in Germany released free-of-charge data protection icons, aimed at making privacy notices by data controllers clearer and easier to understand. For example, data subjects can see at a glance on which legal grounds data processing is based. The icons can be downloaded here.

The OECD has published a paper on dark commercial patterns. These practices are commonly found in online user interfaces including cookie consent notices. Many consumer and data protection authorities have taken enforcement actions and consumer organisations have filed complaints about their use, states the OECD. However, enforcement cases to date predominantly relate to a limited set of dark patterns commonly recognised by regulators. This indicates possible gaps in the law, available evidence, or enforcement capacity.

Investigations and enforcement actions: learning records, bank cards’ contactless data, HTTP protocol, employee login information, adult domains

The ICO has issued a reprimand to the Department for Education (DfE), following the prolonged misuse of the personal data of up to 28 million children. An investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trustopia, an employment screening firm, to check whether people opening online gambling accounts were 18. At the time of the breach, 12,600 organisations had access to the learning records service database, including schools, colleges, higher education institutions, and other education providers. This allowed organisations to verify a number of functions, including the academic qualifications of potential students, or to check eligibility for funding. Trustopia had access to the database for two years and had carried out searches on 22,000 learners for age verification purposes. Trustopia has never provided any government-funded educational training.

The US FTC is taking action against the online alcohol marketplace Drizly, (an Uber subsidiary), and its CEO over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account.

The FTC is also taking action against education technology provider Chegg Inc. for its lax data security practices that exposed sensitive information about millions of its customers and employees. Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017. Notably, multiple Chegg employees fell for a phishing attack, and a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing the personal information of approximately 40 million customers. The FTC’s proposed order requires the company to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

Spain’s AEPD fined Burwebs S.L and Techpump Solutions, (owners of various internet domains with adult content), 75,000 euros and 525,000 euros respectively for multiple violations of the GDPR, Data Guidance reports. In the case of Burwebs, the AEPD found:

  • All personal data of registered users is stored indefinitely.
  • No provision regarding the consent of holders of parental authority or guardianship on profiles of minors registered as users.
  • The process for opening an account on the domains does not employ additional data or procedures to confirm the applicant’s identification in addition to the supporting papers initially used.
  • Privacy policy does not inform users of the possibility of revoking consent at any time before the initial provision of consent, and fails to inform users of the period for which their personal data will be retained.
  • The total absence of “privacy by design”.
  • The records of processing activities do not list all the procedures, (eg, retention of unregistered user data).
  • In addition to cookie walls that block access to websites and require users to approve relevant cookies, its applicable webpages lack information on the usage of cookies. 

In the case of Techpump Solutions, the AEPD found identical data processing violations to the above case, plus:

  • Transfers of personal data to companies within the same group occurring, despite the privacy policies claiming that such a process will not occur. 
  • Indefinite storage of the personal data of those who used the relevant webpages, until website users request the withdrawal of consent. 
  • No clear or affirmative consent mechanism exists to acquire user personal data.  
  • The majority of the company resides outside of Spain, and the information in its privacy policy is in English, a foreign language for the target audience. 
  • Frequent collection of personal information, including IP addresses, without explaining the circumstances to users.

Both companies were given one month to apply all the corrective measures.

The Greek data protection authority has fined four banks, (Eurobank, National Bank, Alfa Bank, and Piraeus), 20,000 euros each for retaining, on the chip of customers’ Mastercards, information on their last 10 transactions. The data can be read “contactless”. The banks, without informing clients, issued replacement cards with the feature. 

A 15,000 euro fine by the Italian privacy regulator Garante was issued against a company for not having adequately protected customer data. Access to the company’s website dedicated to “online services” took place via the “http” network protocol, which is neither encrypted nor secure. Various data was passed through this channel, including authentication credentials, names, social security numbers, e-mail addresses, telephone numbers, and billing data. The company violated important principles of “privacy by design” and “integrity and confidentiality” of the data processing. 

Data security: crucial TOMs, digital footprint, cybersecurity and privacy annual report by NIST

America’s NIST has published its latest Cybersecurity and Privacy Annual Report. It is organised into eight key areas: cryptographic standards and validation, cybersecurity measurement, education and workforce, identity and access management, privacy engineering, risk management, trustworthy networks, and trustworthy platforms. NIST conducted research and demonstrated practical applications in several key priority areas, including post-quantum cryptography, cybersecurity in supply chains, zero trust, and control systems cybersecurity. NIST also initiated research in some new areas, including exploring the cybersecurity of genomics data.

The UK ICO warned that organisations are leaving themselves open to cyber attacks by ignoring crucial technical and organisational measures like updating software and training staff, (Art. 32 of the GDPR). The warning comes with a 4.4 million pound fine to Interserve Group. An employee forwarded a phishing email, which was not quarantined by the system, to another employee who opened it and downloaded its content – data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The Latvian DVI explains a digital footprint and how to protect it. A user can leave it either actively or passively, but once shared, the digital footprint is relatively permanent. It can determine a person’s digital reputation, which is now as important as a person’s offline reputation. Cybercriminals can also use your digital footprint for purposes such as phishing or creating a fake identity. In one of the examples, the active digital footprint is formed when a credit card of a specific service provider is used, while the passive digital footprint is formed by analysing the flow of money in the account and the purposes for which one spends one’s financial resources. Thus:

  • Remember to carefully familiarise yourself with the privacy policies of the websites where you intend to consume the offered goods or services. 
  • Every time you sign in to a third-party website using, for example, your Facebook credentials, you give that company permission to obtain your user data — potentially putting your personal information at risk. 
  • Perform regular searches for your name and related personal information in search engines.
  • Enforce the privacy settings of your online accounts, and minimise the amount of personal data shared, (eg, location). 
  • Regularly update software. 

Big Tech: TikTok employees’ access to data, Medibank’s refusal to pay ransom, Amazon’s Alexa recording

TikTok informed its EU users that their data can be accessed by employees outside the continent, including in China – to ensure their experience of the platform is “consistent, enjoyable and safe”. The other countries where European user data could be accessed by TikTok staff include Brazil, Canada and Israel as well as the US and Singapore, where European user data is stored currently, The Guardian reports.

Medibank, Australia’s biggest health insurer, said no ransom payment will be made to the criminal responsible for a recent data theft affecting around 9.7 million current and former customers. The company believes there is only a limited chance that paying a ransom would ensure the return of its customers’ data and prevent it from being published. Moreover, paying a ransom could encourage the hacker to extort customers directly, hurting more people. Australian companies have been hit by a string of cyber attacks in recent weeks, prompting the government to consider significant increases in penalties for repeated or serious privacy breaches through amendments to privacy laws. 

Finally, Amazon must produce millions of documents in response to discovery requests in a potential class action over the marketing of its Alexa-enabled devices, Bloomberg Law reports. The plaintiffs allege that Amazon sold its Alexa-enabled devices to consumers using unfair and deceptive advertising, and that the devices illegally record conversations. The plaintiffs seek discovery concerning Amazon’s intent in marketing Alexa devices, complaints received by the company, and how Alexa-enabled devices function. Amazon estimated it would have to produce 4.4 million documents in response to the plaintiffs’ requests.

The post Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten appeared first on TechGDPR.

GDPR and HR data for non EU-companies https://techgdpr.com/blog/gdpr-and-hr-data-for-non-eu-companies/ Wed, 02 Feb 2022 11:16:19 +0000

The post GDPR and HR data for non EU-companies appeared first on TechGDPR.

It has been three years since the GDPR entered into force, and although it provided clarity with regard to handling personal data, some ambiguities still remain. This is particularly true for non-EU organisations employing staff located in the EU.

Territorial applicability

The territorial applicability of the GDPR is outlined in Article 3 and is conditional on three criteria:

  1. the location of the controller/processor
  2. the offering of services to individuals in the EU/EEA (through targeting them)
  3. the monitoring of the behavior of data subjects in the EU.

Human Resources (HR) data also includes personal data (i.e. name, email address, physical address, bank account, …), and hence the processing of this data falls under the scope of the GDPR. 

According to GDPR Art. 3.1:

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

When a company is located in the EU/EEA and its employees or contractors are also located in the EU/EEA, Art. 3.1 of the GDPR applies. Therefore, any handling of employees’ personal data must be performed in a GDPR-compliant manner. This ranges from establishing the legal bases for the processing to adhering to the data protection principles (GDPR Art. 5) and ensuring that employees can exercise their rights (Articles 15-21 GDPR). 

The situation becomes less clear when the company is located outside of the EU/EEA but has employees located in the EU/EEA. GDPR Art. 3.2 regulates the extraterritorial effect of the GDPR and foresees that when a company is not established in the EU, it will fall under the GDPR only if:

  1. it offers services to data subjects based in the EU/EEA (by targeting them, not incidentally), or
  2. it monitors the behavior of EU-based data subjects.

The EDPB has stressed in its Guidelines 03/2018 on the territorial scope of the GDPR that employment does not constitute an offering of services. Its example of a US company processing its employees’ personal data for human resources purposes while they were on a trip in the EU is indicative:

“In this situation, while the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service and is therefore not subject to the provision of the GDPR as per Article 3(2)a.”

An employer may, however, monitor its employees. This could include, among other things: 

  1. application usage monitoring, 
  2. CCTV monitoring, 
  3. email monitoring, and 
  4. geolocation through company-issued equipment. 

In this case, under GDPR Art. 3.2, any personal data of employees located in the EU that is collected through this monitoring activity will fall under the GDPR, even if the employer (controller) is located outside the EU/EEA and has no subsidiary there. 

Conclusion: applicability of the GDPR to HR data of non-EU companies

We can therefore conclude that if the company does not monitor its employees based in the EU/EEA, then any processing of their personal data for HR-related purposes (payroll, insurance, drafting of their employment contracts) will not fall under the scope of the GDPR. This also appears to be in line with the EDPB Guidelines 3/2018 on the extraterritorial effect of the GDPR.

If the company is located outside the EU/EEA and has no EU/EEA-based employees or contractors, then any processing of employee personal data, even through monitoring, would fall outside the scope of the GDPR.
