facial recognition Archives - TechGDPR
https://techgdpr.com/blog/tag/facial-recognition/

Weekly digest 11 – 17 July 2022: patient rights, land registers, user-generated health data, targeted ads & privacy
https://techgdpr.com/blog/weekly-digest-18072022-patient-rights-land-registers-user-generated-health-data-targeted-ads/
Tue, 19 Jul 2022

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: patient rights vs data access rights

The Belgian data protection authority has clarified the right of access and the right to rectification regarding medical records under the GDPR and the patient rights legislation. The subject of the complaint was a medical report drawn up after treatment. The plaintiff’s treating psychologist refused their request for a copy of the final report. After obtaining a copy through their general practitioner, the plaintiff claimed that the controller had provided an incomplete answer, since their right to full access to their data under data protection law had been limited.

In its decision, the regulator stated that the right to information and access, (under the GDPR), and the right of access, (under the Patient’s Rights Law), are not absolute, cms-lawnow.com reports. The limitation in the patient’s rights legislation concerning the right to information and inspection is related to the fact that the information is not communicated, and access is not granted to the patient if this would cause “evidently serious harm to the patient’s health”. Similarly, rectification of data requested by the data subject could undermine the accuracy of the medical diagnosis and even results of the treatment, and would be possible only in the case of incorrect processing of personal data.

Official guidance: EU digital strategy, data transfers to Russia, children’s pictures

The French data protection authority CNIL clarified its position on the EU’s digital strategy, namely the upcoming Data Governance Act and Data Act, following the adopted position of the EDPB and EDPS. In short, this strategy aims to develop a single data market by supporting responsible access, sharing and re-use of data between actors in the data economy, in particular in relation to connected objects and the development of the Internet of Things, while respecting the values of the EU and in particular data protection. With regard to the rights of access, use and sharing of data provided for by the Data Act, the CNIL and its counterparts ask the co-legislators to ensure:

  • additional guarantees for the persons concerned,
  • the legality, necessity and proportionality of the obligation to make data available to public sector bodies and EU institutions due to exceptional need,
  • a strict definition of the hypotheses of “public emergency” or “exceptional need”, and
  • a clear supervision process by data protection authorities.

The EDPB meanwhile has issued a statement on personal data transfers to the Russian Federation. It reiterates that the transfer of personal data to a third country, in the absence of an adequacy decision of the European Commission pursuant to Art. 45 GDPR, is only possible if the controller or processor has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies are available for data subjects, (Art. 46 GDPR). Russia does not benefit from an adequacy finding from the European Commission. Therefore, transfers of personal data to Russia must be carried out using one of the other transfer instruments provided for in Chapter V of the GDPR. 

With this in mind, the EDPB notes that, when personal data are transferred to Russia, data exporters under the GDPR should assess and identify the legal basis for the transfer and the instrument to be used among those provided by Chapter V GDPR, (eg, Standard Contractual Clauses or Binding Corporate Rules), or the derogations for specific situations, in order to ensure the application of appropriate safeguards. 

In the midst of summer holiday plans, Norway’s data protection authority Datatilsynet reminds parents and other responsible persons of the proper usage of children’s pictures. The guide is made for both parents and employees at schools, kindergartens or other places where there is a high likelihood of pictures of children being taken. The data protection checklist includes these main provisions:

  • Legality: never share photos of other people’s children without the consent of their guardians.
  • Images: think about the content and use filters or a lower resolution; this makes the images less interesting to others.
  • Quantity: share as few photos as possible.
  • Channel usage: be aware of how you share your photos. Don’t leave them open to the public. Create closed groups.
  • Delete regularly: do a spring clean and delete previously published photos on a regular basis.
  • Always ask the children: use questions such as “Do you think it’s okay for me to share this picture with the family or friends?” That makes it understandable to them. Respect the answer.

European Health Data Space

Another joint opinion by EDPB-EDPS clarifies the data protection challenges with regard to the future European Health Data Space. The proposal aims at supporting individuals to take control of their own health data, supporting the use of health data for better healthcare delivery, better research, innovation and policy making, and enabling the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data. However, the regulators warn that it may actually weaken the protection of the rights to privacy and to data protection, especially considering the categories of personal data and purposes that are related to the secondary use of data.

The proposal will add yet another layer to the already complex collection of provisions, (found at both EU and Member State level), on the processing of health data. The interplay between those different pieces of legislation needs to be crystal clear. With regard to the scope of the proposal, the EDPB and the EDPS recommend excluding from it wellness applications and other digital applications, as well as wellness and behavioural data relevant to health. Should these data be retained in scope, the processing for secondary use of personal data deriving from the above applications should be subject to prior consent within the meaning of the GDPR. Moreover, it may fall within the scope of the e-Privacy Directive. Finally, the EDPB and the EDPS urge the co-legislator to ensure legal clarity on the interplay between the data subject’s rights introduced by the proposal and the general provisions on data subject’s rights contained in the GDPR.

Investigations and enforcement actions: Clearview’s fine, e-commerce program’s security, multi factor logins, land and mortgage register, delivery service data on sale

The Danish data protection agency Datatilsynet expressed serious criticism of Sports Connection, (a webshop), for not having implemented appropriate security measures in connection with a hacker attack in which unauthorized persons collected customers’ payment information. Last year the company reported a breach of personal data security to the authorities. Sports Connection became aware of the unauthorized access when the company discovered that a field had been added to the shopping basket on the webshop, which had not previously been there. Via a security hole in an e-commerce program, malicious program code was injected, which made it possible to upload a file to the webshop, so that the webshop’s check-out page could be tampered with.

Datatilsynet concluded in this case that Sports Connection, by not updating its e-commerce program to the latest version at the time of the attack, had not taken appropriate organisational and technical measures to ensure a level of security appropriate to the risks. In choosing its response, the agency emphasized that it is a known risk scenario that frequently used e-commerce platforms are targets for attempts to compromise built-in weaknesses. In addition, the regulator emphasized that it was the customers’ payment information that was not secured, and that the company has no documentation of the continuous and adequate upgrading required of its e-commerce program.
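The Sports Connection case turned on a form field that appeared on the basket page without anyone at the shop having added it. One routine check an operator can run against each deployed checkout page, as an added example (not code from the digest or from the regulator’s decision; the baseline field names, the allowed host and both sample pages are constructed):

```python
"""Flag checkout form fields and form targets that were not in the release baseline.

Added example, not from the TechGDPR digest or the Danish regulator's decision.
The baseline field set, the allowed host and both sample pages are constructed;
in practice the baseline is captured from a known-good build of the platform.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: the fields the checkout form is supposed to contain.
EXPECTED_FIELDS = {
    "csrf_token", "email", "shipping_name", "shipping_address",
    "shipping_postcode", "card_number", "card_expiry", "card_cvc",
}
# Constructed: the only host checkout forms may post to.
ALLOWED_FORM_HOSTS = {"shop.example"}


class FormInventory(HTMLParser):
    """Collect every named input/select/textarea and every form action."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("input", "select", "textarea") and attrs.get("name"):
            self.fields.add(attrs["name"])
        elif tag == "form" and attrs.get("action"):
            self.actions.append(attrs["action"])


def audit_checkout(html, expected=EXPECTED_FIELDS, allowed_hosts=ALLOWED_FORM_HOSTS):
    """Return a dict with fields added, fields missing, and forms posting off-site.

    An added field is the pattern Sports Connection noticed; a missing field
    (e.g. the CSRF token) or a form action on another host are the other two
    ways a tampered checkout template typically differs from the baseline.
    """
    inv = FormInventory()
    inv.feed(html)
    off_site = []
    for action in inv.actions:
        host = urlparse(action).hostname
        # Relative actions (no host) stay on this shop; absolute ones must match.
        if host is not None and host not in allowed_hosts:
            off_site.append(action)
    return {
        "added": sorted(inv.fields - expected),
        "missing": sorted(expected - inv.fields),
        "off_site_forms": off_site,
    }


def is_clean(report):
    """True when the deployed page matches the baseline in every respect checked."""
    return not (report["added"] or report["missing"] or report["off_site_forms"])


# Constructed sample: the checkout page as shipped in the baseline release.
CLEAN_PAGE = """
<form action="/checkout/submit" method="post">
  <input type="hidden" name="csrf_token" value="t0k3n">
  <input type="email" name="email">
  <input type="text" name="shipping_name">
  <input type="text" name="shipping_address">
  <input type="text" name="shipping_postcode">
  <input type="text" name="card_number">
  <input type="text" name="card_expiry">
  <input type="text" name="card_cvc">
  <button type="submit">Pay</button>
</form>
"""

# Constructed sample: the same page after tampering, with one extra field
# and a second, hidden form that posts to a host outside the shop.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    '<input type="text" name="card_cvc">',
    '<input type="text" name="card_cvc">\n  <input type="text" name="card_pin">',
) + """
<form action="https://cdn-stats.example.net/collect" method="post" style="display:none">
  <input type="hidden" name="payload">
</form>
"""

if __name__ == "__main__":
    for label, page in (("baseline", CLEAN_PAGE), ("deployed", TAMPERED_PAGE)):
        report = audit_checkout(page)
        print(label, "OK" if is_clean(report) else report)
```

Running the same audit after every platform upgrade also gives the documentation of continuous maintenance that the regulator found missing in this case.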

The Greek data protection authority made headlines last week by sanctioning the controversial facial recognition firm Clearview AI 20 million euros and prohibiting it from collecting and processing the personal data of people in Greece. It has also ordered the deletion of any data on Greek residents already collected, TechCrunch reports. Their counterparts in France, Italy and UK have already issued similar decisions in the last year. In the US Clearview faced major restrictions too, while in Canada and Australia they also appear to be in breach of local privacy regulations. 

Clearview has scraped hundreds of millions of images of individuals from social media profiles without clear consent. Despite the legal backlash, the company is expanding sales of its facial recognition software to companies, having previously mainly served the police: “Instead of online photo comparisons, the new private-sector offering matches people to ID photos and other data that clients collect with subjects’ permission”. The images are stored as long as customers wish and are not shared with others, nor used to train Clearview’s AI, the company states.

The Polish privacy regulator UODO imposed an administrative fine on the chief national surveyor, for the failure to report the breach of personal data protection to the supervisory body and the failure to notify the persons whose personal data was disclosed online. Here are some findings of the case:

  • for over 48 hours on the website maintained by the Chief Surveyor of the Country, land and mortgage register numbers were visible. With the number it was easily possible to determine data about real estate owners, including names, surnames, parents’ names, or address,
  • the data protection office learned about the breach not from the controller, who should report it to the supervisory authority, but from the media,
  • the defendant maintained that the land and mortgage register numbers are not personal data, and
  • argued that the numbers are also visible on other websites and that the short-term appearance on their website did not carry any risk of violating the rights and freedoms of the data subjects.

In its decision, the regulator returned to the definition of personal data specified in Art. 4 GDPR, according to which personal data is any information about an identified or directly or indirectly identifiable natural person. UODO pointed out that the administrator cannot justify their unlawful activity by the existence of private entities operating websites that allow access to the content of land and mortgage registers. In addition, the assessment of the risk of violating the rights or freedoms of a natural person should be made from the point of view of the interests of the affected person, and not the interests of the controller. The person can then judge for themselves whether, in their opinion, the security incident may have negative consequences for them and take appropriate remedial action. On the other hand, the lack of such a data breach notification not only takes away that possibility, but may have negative consequences for the person.

The Romanian data protection body ANSPDCP completed an investigation at a delivery company (Delivery Solutions), following a complaint filed by a natural person who reported that the database of the service was for sale online. It was found that personal data belonging to over 26,500 individuals, (information that accompanies the shipment of any package: courier codes, sender name, name and surname of the recipient, telephone number, address, delivery status, type of service, package weight, amount receivable, delivery range), were available for sale on the RaidForums website and could be accessed via an open link. Delivery Solutions was fined approx. 3,000 for failing to implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of data processing.

Data security: US location, health, and other sensitive data

The US Federal Trade Commission, (FTC), committed to fully enforcing the law against illegal use and sharing of highly sensitive data. “Among the most sensitive categories are data collected by connected devices, a person’s precise location and information about their health. Smartphones, connected cars, wearable fitness trackers, “smart home” products, and even the browser you’re reading this on are capable of directly observing or deriving sensitive information about users”, the FTC states.

It goes on to underline the “always on” aspect of connectivity and how intrusive that can be. Even unused, a device is in constant communication with local and national networks. Constant location data can reveal where people work, sleep, socialize, worship, and seek medical treatment. Each user actively generates their own sensitive data, via apps testing their blood sugar, recording sleep patterns, monitoring blood pressure, or tracking fitness. They share face and other biometric information to use apps or device features. Combining location and user-generated health data creates a “new frontier of potential harms to consumers” says the FTC, which concludes, “The marketplace for this information is opaque and once a company has collected it, consumers often have no idea who has it or what’s being done with it.” 

The FTC has additional guidance for businesses on consumer privacy and data security.

Big Tech: Ring’s audio, TikTok presses pause on privacy policy changes

Just a day before it was due to take effect TikTok postponed its new privacy policy, after the Italian data protection agency ‘Garante’ officially warned the Chinese social media giant it breached EU privacy rules. TikTok told users the changes would deliver targeted advertising without seeking their consent for using data on their devices. The Italians have told TikTok they reserve the right to impose penalties if the policy changes are not scrapped. TikTok insists the changes were made in the legitimate interests of the company and its partners, but after consultations with lead regulator Ireland, acting on the Italian ruling, the policy changes have been “paused”, pending analysis by Ireland’s Data Protection Commission.

Amazon’s doorbell camera system Ring is in the spotlight after product testing revealed it recorded audio well beyond the proximity of its location, and a US Senator called for better privacy in the device. Ring rejected the request by Democrat Ed Markey of Massachusetts, but his concerns are shared by security and privacy experts. Markey did not call for a restriction of the microphone range, but for users to be required to switch it on, rather than having it active as a default setting. Ring claimed this might “confuse” customers, and did not rule out Ring’s future use of facial recognition technology when responding to the request that it never be employed. Markey called for support for the Facial Recognition and Biometric Technology Moratorium Act currently in Congress.

Weekly digest May 23-29, 2022: All you need to know about new sets of SCCs in Q&A
https://techgdpr.com/blog/weekly-digest-30052022-all-you-need-to-know-about-new-sets-of-sccs/
Mon, 30 May 2022

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: new SCCs, facial recognition technology, DPOs, children’s data

The European Commission has published questions and answers on the two sets of Standard Contractual Clauses approved last year for data transfers within and outside of the bloc. These Q&As are based on feedback received from various stakeholders on their experience with using the new sets of SCCs in the first months after their adoption. Here are some of them:

  • Are there specific requirements for the signature of the SCCs by the parties?
  • Can the text of the SCCs be changed? 
  • Is it possible to add additional clauses to the SCCs or incorporate the SCCs into a broader commercial contract?
  • How does the docking clause work in practice? Are there any formal requirements for allowing new parties to accede?
  • In which form should instructions by the controller be given to the processor? 
  • What happens if the controller objects to changes of sub-processors, in the case a general authorisation to the engagement of sub-processors was given?
  • Are there any requirements for filling in the annexes? How detailed should the information be? 
  • Are any specific steps needed to comply with the Schrems II judgment when using the new SCCs? Is it still necessary to take into account the guidance of the EDPB?
  • Does the data importer have to inform individuals about requests for disclosure received from a public authority? What if the data importer is prohibited from providing this information under its national law?
  • Can the SCCs be used to transfer personal data to an international organisation? 

To find answers to these and many other questions, and useful examples, consult the full document by the EC.

The European Data Protection Board welcomes comments on the Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement. More and more law enforcement authorities apply or intend to apply facial recognition technology, (FRT). It may be used to authenticate or to identify a person and can be applied to videos, (eg, CCTV), or photographs. It may be used for various purposes, including searching for persons on police watch lists or monitoring a person’s movements in public space. FRT is built on the processing of biometric data and therefore entails the processing of special categories of personal data. Often, FRT uses components of artificial intelligence or machine learning. While this enables large-scale data processing, it also brings the risk of discrimination and false results. FRT may be used in controlled 1:1 situations, but also in huge crowds and at major transport hubs. The guidance is available for download and comment on the EDPB website.

The French Ministry of Labour has published the results of the annual study of the profession of data protection officer, carried out with the support of the data protection regulator CNIL. This survey shows the diversification of profiles and the growing importance of the profession of DPO, the appointment of which is compulsory in certain cases. The main findings are as follows:

  • a positive professional experience: 58% are satisfied with the exercise of their function and 87% are convinced of its usefulness; 67% want to continue in the role, indicating strong motivation;
  • a diversification of profiles: 47% come from areas of expertise other than law and IT, (+12 points since 2019), for example administrative and financial profiles or those related to quality or compliance audits;
  • decreasing training: one third have not taken any IT or GDPR training since 2016, (+7 points), even though more and more of them are neither lawyers nor IT specialists.

This last observation will be studied in particular by the CNIL, which recalls the obligation of controllers and processors who have appointed a DPO to provide them with the resources necessary to maintain their specialised knowledge, (Art. 38.2 of the GDPR). The full study is available in French on the CNIL website.

The Irish data protection authority DPC has produced three short guides for children on data protection and their rights under the GDPR. These guides are aimed mainly at children aged 13 and over, as this is the age at which children can begin signing up for many forms of social media on their own. Each of these short guides introduces children to a different data protection right and how to use it. These guides can be read together or separately:

  • Your Data Protection Rights (full guide)
  • Why are data protection rights important?
  • Knowing what’s happening to your data
  • Getting a copy of your data
  • Getting your data deleted
  • Saying ‘no’ to other people using your data

Legal processes: concept of personal data

An InsidePrivacy.com blog post looked at the recent decision by the EU General Court on whether information not identifying an individual by name constitutes “personal data” under the GDPR. The case concerns an online press release published by the European Anti-Fraud Office, (OLAF), announcing that it had determined that a Greek scientist had committed fraud using EU funds intended to finance a research project.

The press release included information about the scientist, her gender, the fact that she is young, her occupation, and her nationality. It also included a reference to the scientist’s father and the place where he works, as well as the approximate amount of the grant supplied to the scientist, the granting body, the nature of the entity hosting the project, and its geographical location. The release did not include the scientist’s name, the subject matter of the research, or the project’s name. 

The scientist alleged that someone reading it could use the above-mentioned information to identify her using “means reasonably likely to be used” and even explained how this could be done. However, the court decided that the scientist had not sufficiently proven this allegation. Further, the court held that the information the journalists used to identify the scientist, which fell outside the press release, cannot be attributed to OLAF. For the court to hold OLAF responsible, the scientist would have had to demonstrate that her identification was a result of the press release and did not result from external or additional information.

Investigations and enforcement actions: Clearview AI, Uber, unlawful use of an email address, not handling an access request, dummy CCTV cameras

The Information Commissioner’s Office, (ICO), has fined Clearview AI Inc 7,552,800 pounds for using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition. The ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet and to delete the data of UK residents from its systems. The ICO found that Clearview:

  • Clearview has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database. People were not informed that their images were being collected or used in this way.
  • The company provides a service that allows customers, including the police, to upload an image of a person to the company’s app, which is then checked for a match against all the images in the database.
  • The app then provides a list of images that have similar characteristics to the photo provided by the customer, with links to the websites from which those images came.
  • Given the high number of UK internet and social media users, the Clearview database is likely to include a substantial amount of data from UK residents which has been gathered without their knowledge.

Although Clearview no longer offers its services to UK organisations, the company has customers in other countries, so the company is still using the personal data of UK residents. The ICO enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner, which focused on Clearview’s use of people’s images, data scraping from the internet and the use of biometric data for facial recognition. The French regulator CNIL is reportedly also considering a similar fine in the near future. 

Meanwhile, the Italian privacy regulator ‘Garante’ sanctioned Uber for a total of 4,240,000 euros. Uber BV, with a registered office in Amsterdam, and Uber Technologies Inc, with a registered office in San Francisco, are both, (as joint controllers), held responsible for the violations committed affecting over 1.5 million Italian users, including drivers and passengers:

  • Unsuitable, unclear and incomplete presentation meant it was not easy to understand the information given to users.
  • Data processing without consent.
  • Profiling users on the basis of a so-called “fraud risk”, assigning them a qualitative judgment, (e.g. ‘low’), and a numerical parameter, (from 1 to 100).
  • Failure to notify the authority, which was discovered by the ‘Garante’ during inspections carried out at Uber Italy following a data breach made public in 2017.

The security incident, which occurred before the full application of the GDPR, involved the data of about 57 million users around the world and was sanctioned by the Dutch and UK privacy authorities on the basis of their respective national regulations. The personal information processed by Uber concerned personal and contact data, (name, surname, telephone number, and e-mail), app access credentials, location data, (those that appeared at the time of registration), relationships with other users, (sharing trips, introducing friends, profiling information).

The Icelandic supervisory authority fined HEI medical travel agency for unlawful use of an e-mail address and for not handling an access request. The regulator found that an employee at HEI had obtained the complainant’s and several other doctors’ email addresses by logging into the internal website of the Icelandic Medical Association with the access of a doctor who was related to the employee. HEI used the mailing list to send a targeted email to doctors, including the complainant. In determining the fine, (approx. 10,700 euros), the regulator considered that even though HEI had considered itself authorized to use the list, there was nothing in the case that proved that the company had ascertained the lawfulness of the processing. Finally, the multinational had not complied with the obligation to notify the Authority of the processing of data for geolocation purposes.

Meanwhile, the Norwegian regulator Datatilsynet imposed a fine on an unnamed company for automatic forwarding of employee emails, Data Guidance reports. Due to disagreements, the employee’s access to email and computer systems was closed and all emails sent to the employee’s email box were automatically forwarded to an email address managed by the general manager, and the forwarding of emails took place for approximately six weeks. The purpose was to take care of customer relationships, but during the period the general manager handled both work-related and private emails that were sent to the employee’s email box. The regulator found that the employer did not have a legal basis for the automatic forwarding of the employee’s emails under the GDPR, and noted that this is also in conflict with the applicable rules on the employer’s access to email boxes and other electronic material. 

Finally, the Czech office for personal data protection UOOU published its decision on a complaint, in which it decided, following an investigation, that the installation of dummy cameras in a workplace did not violate the GDPR. The UOOU stated it had received a complaint about the installation of a camera system to monitor and control employees. In this context, the UOOU found that the camera system was not functioning but was in fact a dummy camera and thus did not fall within the remit of the GDPR. However, the regulator suggested that the matter should be referred to the competent employment inspectorate for investigation as it may constitute a violation of employment law regulations.

Data security: data leaks doubled due to cyber-attacks

The Dutch data protection authority AP again measured an explosive increase in the number of reports of data leaks caused by cyber-attacks. This number almost doubled in 2021 compared to the previous year. In total, the AP received almost 25,000 data breach reports in 2021, 9% of which were caused by cyber-attacks, up from 5% the year before. The AP also noticed that in the case of ransomware, affected organisations first restore the systems and only much later inform the people concerned. As a result, the damage can become even greater, because the victims can only protect themselves against the consequences much later.

The AP also saw that organisations that have paid a ransom to get their data back after a ransomware attack often do not inform victims about the data breach. They state that by paying a ransom to the hackers, personal data was prevented from being distributed further because the hackers have made commitments about this. However, paying a ransom does not guarantee that the hackers will actually delete the data and never sell it on. Finally, during cyber-attacks, data is often stolen that organisations had collected unnecessarily or kept for too long.

As a result, “even if only names and e-mail addresses have been stolen, these data can be used in combination with previously leaked information to gain access to user accounts at, for example, banks or webshops. Criminals can also abuse this type of data to carry out new spam and phishing attacks in a very targeted manner”.

Big Tech: Clearview AI increased sales, Twitter settlement over targeted ads and user data

Facial recognition firm Clearview AI is expanding sales of its facial recognition software to companies, having previously mainly served the police, according to Reuters. Meanwhile, a number of EU regulators accused Clearview of breaking privacy laws by collecting online images without consent, and the company this month settled with US rights activists over similar allegations. Clearview AI uses publicly available photos on social media platforms to train its tool, which the company says is of high accuracy. The new private-sector offering matches people to ID photos and other data that clients collect with subjects’ permission. It is meant to verify identities for access to physical or digital spaces. Reportedly, a company selling visitor management systems to schools had signed up for Clearview services as well. 

Meanwhile, the US Department of Justice reached an agreement with Twitter that includes a fine of 140 million euros and an order for the social network to better respect the privacy of personal data. Authorities accuse the platform of deceiving its users from 2013 to 2019 by hiding that it was using their personal data to help companies send them targeted advertising. During that period, more than 140 million Twitter users gave phone numbers or email addresses to the US-based service to help secure accounts with two-factor authentication, regulators said. “Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” the FTC chair Lina Khan stated. Twitter also falsely said it complied with the EU-US and Swiss-US Privacy Shield Frameworks at the time, which barred companies from using data in ways that consumers do not consent to.

The post Weekly digest May 23-29, 2022: All you need to know about new sets of SCCs in Q&A appeared first on TechGDPR.

]]>
Weekly digest March 28 – April 3, 2022: EU crypto-asset transfers to be traced and identified, with some exceptions https://techgdpr.com/blog/weekly-digest-04042022-eu-crypto-asset-transfers-to-be-traced-and-identified-with-some-exceptions/ Mon, 04 Apr 2022 09:24:06 +0000 https://s8.tgin.eu/?p=5622


]]>
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: crypto-asset transfers, Belgian DPA’s independence

EU lawmakers have backed tougher rules for tracing transfers of bitcoin and other cryptocurrencies, Reuters reports. The EP as a whole should now vote on them during the plenary session in April. Companies that make crypto-asset transfers would need to collect details of senders and recipients to help authorities prevent money laundering, terrorist financing and other crimes. Under the new requirements agreed by MEPs:

  • Providers would have to verify that the source of the asset is not subject to restrictive measures and that there are no risks of crime.
  • All transfers would have to include information on the source of the asset and its beneficiary, information that is to be made available to the competent authorities.
  • The rules would also cover transactions from so-called unhosted wallets, (a crypto-asset wallet address that is in the custody of a private user).
  • There would be no minimum thresholds or exemptions for low-value transfers.
  • Technological solutions should ensure that the transfers can be individually identified.

However, the rules would not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or among providers acting on their own behalf. Currently, there are no rules in the EU allowing crypto-asset transfers to be traced or the provision of information on the originator/beneficiary.

The Belgian data protection authority, (DPA), is concerned about legal developments that could threaten its independence. These include a preliminary draft law to amend the current DPA law, and the lack of resources allocated to it. The opinion has been forwarded to the Court of Audit, the Council of State, the European Commission and the other European supervisors assembled in the EDPB. The draft law notably introduces:

  • parliamentary interference in the internal organisation of the DPA and in the setting of its priorities,
  • the renewal of the mandate of its members conditional on a positive evaluation by the House of Representatives. 

Finally, the GDPR requires that every supervisor has the necessary resources at their disposal to perform their tasks. However, the DPA’s requests for additional human and financial resources, substantiated by the Court of Audit and an external study, have so far been largely ignored. The DPA points out that the gap with its European counterparts is therefore widening. Read the full opinion here.

Data security: EU institutions, Russian technology risks

EU bodies must step up their cybersecurity preparedness, according to a European Court of Auditors’ special report. Significant cybersecurity incidents in EU institutions increased more than tenfold between 2018 and 2021. It can take weeks, if not months, to investigate and recover from them. One example was the cyberattack on the European Medicines Agency, where sensitive data was leaked and manipulated to undermine trust in vaccines. So far there is no legal framework for information security and cybersecurity in EU bodies. They are not subject to the broadest EU legislation on cybersecurity, the 2016 NIS directive, or to its proposed revision, the NIS2 directive. There is also no comprehensive information on the amount spent by EU bodies on cybersecurity. To this end, the auditors recommend that binding cybersecurity rules be introduced and that the resources available to CERT-EU and ENISA be increased.

The UK National Cyber Security Centre, the NCSC, has updated its guidance on the use of Russian technology products and services following the invasion of Ukraine. The experts state they have not seen, and do not expect, the massive global cyber attacks that some had predicted. However, the NCSC has previously seen Russia acting against UK interests, and also acting through proxy compromises to get to UK entities (e.g. SolarWinds Orion software and UK telecoms networks). Additionally, Russian law already contains legal obligations on companies to assist the Federal Security Service, and the pressure to do so may increase in a time of war, the NCSC believes.

The NCSC advises certain organisations, (public sector, high-profile organisations, services related to critical national infrastructure, etc), to specifically consider the risk of Russian-controlled parts of their supply chain, whether they contract directly with a Russian entity or it just so happens that the people who work for a non-Russian supplier are located in Russia: “You may choose to remove Russian products and services proactively, wait until your contract expires, (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk”. Finally, the ongoing global sanctions could mean that Russian technology services, (and support for products), may have to be stopped at a moment’s notice. Read the NCSC guides to improve security for enterprises, and for individuals.

Official guidance: DPO compliance provisions

The Polish data protection authority UODO has refreshed its inspection report, (in Polish), on compliance with the provisions relating to the designation, position and tasks of the DPO. In most cases, verification of the reported cases did not provide grounds for applying corrective powers against undertakings. Only in a few cases did the regulator find irregularities concerning a conflict of interest, or a failure to consult the DPO on data processing operations. Several violations related to the performance of a DPO’s function required the UODO to take corrective action, including issuing an order to appoint a DPO as well as an administrative fine. The regulator has also published 27 DPO-related self-audit questions directed at controllers and processors, in both the public and private sectors.

Investigations and enforcement actions: facial recognition system, agile development environment, Klarna bank fine

The Danish data protection agency has made a decision in a case concerning the use of a facial recognition system to control access to a company’s facilities. Based on the information provided by FysioDanmark Hillerød, (physiotherapeutic treatment), the regulator assessed that the system – which was based on the data subject’s consent – could be used. However, the regulator warned the company that it would probably be in breach of the GDPR if it used the system without the consent of customers. Furthermore, the agency warned that it would probably be in breach if the company did not ensure that the system was not used on persons who had not given their consent.

The Danish data protection agency also criticised a data controller that did not check whether personal data had been stored by mistake in IT environments. In the related case, an employee of the Danish Health and Medicines Authority, (HMA), in violation of internal guidelines and procedures, had stored a data set – containing pseudonymised personal information – in a development environment, (Microsoft Azure DevOps), where it was not allowed to be stored. The data set contained pseudonymised confidential data about citizens which could be “decoded” by trusted employees, regardless of whether they had a work-related need for it. The HMA did not discover this until a year later.

The regulator found that the HMA had not complied with the rules on processing security. The agency emphasised that data controllers must generally establish controls, either manual or automatic; it is not sufficient to have guidelines and procedures without regularly checking whether they are followed in practice. The regulator also emphasised that this was a so-called “agile development environment”, where there is a known risk that personal data will be stored by mistake.

Meanwhile, Sweden’s data protection authority fined Klarna bank approximately 724,000 euros for several breaches of the GDPR, namely that the company:

  • continuously changed the information provided on how it handles personal data;
  • did not provide information on the purpose for which, and on which legal basis, personal data was processed in one of its services;
  • provided incomplete and misleading information about who the recipients of different categories of personal data were when data was shared with Swedish and foreign credit information companies;
  • did not provide information on which countries outside the EU/EEA personal data was transferred to, or on where and how the individual could obtain information on the protection measures that applied to the transfer to third countries;
  • provided insufficient information about data subjects’ rights, including the right to delete data, the right to data portability and the right to object to how one’s personal data is processed.

Data breaches: “emergency data requests”

Hackers are increasingly using compromised US government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies, KrebsOnSecurity, (an in-depth security news and investigation blog), warns. At issue are forged “emergency data requests”, (EDRs). Tech companies usually require a search warrant or subpoena before providing customer or user data, but any police jurisdiction can use an EDR to request immediate access to data without a warrant, provided the law enforcement entity attests that the request relates to an urgent matter of life and death. In a recent example, fraudulent EDRs were a tool used by members of LAPSUS$, the data extortion group that recently hacked Microsoft, NVIDIA, Okta and Samsung. Also tracked were the activities of a teenage hacker from the UK who was reportedly arrested multiple times for sending fake EDRs.

Big Tech: TikTok class action, Chrome’s Privacy Sandbox, interoperability vs end-to-end encryption

A case filed in 2019 against TikTok has finally been settled, the Chinese giant and its Musical.ly offshoot agreeing a 1.1 million dollar deal at the US District Court for the Northern District of Illinois. The case, a class action, claimed that the plaintiffs’ rights under the Children’s Online Privacy Protection Act had been violated by TikTok and Musical.ly tracking, collecting and disclosing personally identifiable data of users under 13 without parental consent.

Alphabet’s Chrome is rolling out the next stage of testing for its Privacy Sandbox, appealing to developers to get on board and send feedback, and offering support. APIs are key, and global testing of the Topics, FLEDGE and Attribution Reporting APIs is immediately available on Chrome Canary. Industry associations are also being encouraged to contribute. Chrome will also be testing updated Privacy Sandbox settings and controls, giving people more visibility into, and control over, the use of their personal preferences.

Trouble lies ahead for Europe’s new Digital Markets Act, predicts an analyst in The Guardian. In privacy terms there will be limits on large companies, (45 million users or 10,000 business users), combining personal data from various sources for targeted advertising, and most critically, an insistence that the largest messaging systems become “interoperable”. Resolving the major technical problems preventing this could see end-to-end encryption abandoned, which in security terms raises many issues and may actually facilitate abuse.

Instead of a challenge, some see interoperability as an opportunity, such as Twitter-financed Bluesky. It is developing a new operating standard for social media, based on an open protocol. New board member and Twitter co-founder Jack Dorsey says the idea could take years to become a reality, but would offer social media users greater control and choice. The company has made its first key hires and is developing a prototype.

The post Weekly digest March 28 – April 3, 2022: EU crypto-asset transfers to be traced and identified, with some exceptions appeared first on TechGDPR.

]]>