generative AI Archives - TechGDPR
https://techgdpr.com/blog/tag/generative-ai/
Mon, 03 Feb 2025 08:36:02 +0000

Data protection digest 3 – 17 Jun 2024: software testing, email management, affordable data security
https://techgdpr.com/blog/data-protection-digest-20062024-software-testing-email-management-affordable-data-security/
Thu, 20 Jun 2024 08:06:48 +0000

The post Data protection digest 3 – 17 Jun 2024: software testing, email management, affordable data security appeared first on TechGDPR.
In this issue: security-focused software testing to find unexpected functionalities in recently developed applications; email management and metadata in the work context; Wikipedia must abide by the GDPR; and London hospitals suffer ransom attacks.

Stay up to date! Sign up to receive our fortnightly digest via email.

Software testing

To help businesses and authorities address a range of security threats, the Danish data protection authority has added a new item to its list of security measures (in Danish). It concerns security-focused software testing, which can find flaws in recently created applications. The software’s intended functionality is what the “customer” usually asks for; a product could nonetheless have unexpected or undesired capabilities.

Unwanted functionality is by definition unnecessary and therefore generally goes unused, which creates hidden security issues. People with malicious intentions can also search for such unnecessary or unwanted functionality in order to misuse it. Increasingly complex IT systems and integrations between them raise the likelihood of errors and vulnerabilities, even where security is a focus during development.

Furthermore, a lot of software is created using pre-made components that are either created by other parties or are part of “developer tools”, and it is unknown how much attention these third parties pay to security needs. Therefore, the only way to guarantee that the new software is designed with a focus on security may be through testing, or through requirements for the supplier’s own testing. Testing documentation can also play a critical role in proving whether sufficient precautions have been taken to prevent security breaches.

Whistleblowing and anonymity

The most recent EU whistleblower legislation is explained in Iuslaboris’ blog article using the example of the Netherlands. In particular, midsize employers (50+ employees) are now also subject to the new and stricter obligations of the Dutch Whistleblower Protection Act 2023 regarding internal reporting processes for whistleblowers:

  • The employer is generally free to choose an anonymous reporting mechanism, such as specialised software. 
  • A report is made anonymously, but it needs to be made to a properly designated officer.
  • That officer must then discuss with the reporting person how they wish to communicate during the process.
  • If the reporting person’s identity is partially revealed, the officer is responsible for making sure that any parties not involved in the inquiry are not informed. 
  • It’s also advisable to explain the breach of anonymity to the individual who filed the report.  
  • The reports might be looked into at the group level of the organisation, (even if the parent company is located in another country).

Email management and metadata

IT programs and services for e-mail management, marketed by suppliers as cloud services, may by default collect metadata in a preventive and generalised way. This sometimes limits an employer’s ability to modify the program’s basic settings in order to disable the systematic collection of such data in the work context, or to reduce its retention period. The fundamental right to secrecy of the content of e-mail correspondence, including the external data of the communications and the attached files, protects the essential core of the dignity of individuals and the full development of their personality in social formations.

Metadata may include the email addresses of the sender and recipient, the IP addresses of the servers or clients involved in the routing of the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, details about the management system of the email service used, along with the subject of the message sent or received. This metadata should not be confused with the information carried inside the e-mail messages themselves (integrated into them although not immediately visible to users), in their “body part”, which remains under the exclusive control of the user.

Thus, all data controllers are reminded to verify that the collection and storage of logs take place in compliance with the principles of correctness and transparency and that workers have been adequately informed on the processing of personal data relating to electronic data communications concerning them, (specifying data retention times, any controls, etc).

More official guidance

Data subject requests: The Latvian data protection regulator explains how a data controller should act when it receives a request from a person acting as a data subject:

  • Verify the data subject’s identity, (additional information can be requested).
  • Find out what rights the person intends to exercise when sending the request.
  • Develop a request form that formulates possible requests.
  • Observe the response deadlines.
  • Act accordingly if an unreasonable or disproportionate request is received.
  • Take into account the restrictions on the exercise of the rights of data subjects. 
  • Document the request processing progress; and 
  • Cooperate with the Data State Inspectorate if necessary.  

Information sharing in health emergencies at work: The Guernsey data protection authority explains how to think in advance about sharing workers’ information in a health emergency. It covers any situation where you believe that someone is at risk of serious harm to themselves, or others, because of their mental or physical health. This can include potential loss of life. Also, the same obligations apply to processing information about your workers’ mental or physical health. 

In a health emergency, data protection does not act as a barrier to necessary and proportionate information sharing. Where there is a risk of serious harm to the worker, or to others, you should share necessary and proportionate information without delay with relevant and appropriate emergency services or health professionals. You must ensure that your workers are aware of any policy for sharing personal information in a health emergency and that it is available to them.

This policy also could become part of your Data Protection Impact Assessment on the everyday handling of your workers’ health information. 

Meta AI training postponed in the EU/EEA

Meta was scheduled to train and improve its AI applications on users’ content from Facebook and Instagram next week. At the request of the Irish Data Protection Commission (the lead supervisory authority), this has been postponed until further notice. Earlier this month, Meta announced it would begin using publicly available content from European users of Facebook, Instagram and Threads to train an AI app. The stated legal basis for the processing is legitimate interest, and users could object to the use of their content if they wished. Numerous complaints about Meta’s new practice were lodged with the European supervisory authorities, including in Norway, Austria, France and others.

Meanwhile, the Hamburg Data Protection Commissioner, (HmbBfDI), published recommendations regarding AI training with personal data by Meta. Users worldwide should be aware that this cannot be reversed once a large language model has been trained with personal data. Individuals can object to this in the settings on the profile page under the Privacy Policy. Persons who do not have an account with a Meta service may also be affected by the processing of personal data by Meta for AI training purposes, as Meta also uses data from so-called third-party providers. 

In the future, Meta’s AI-supported tools could become available for both users and companies. 


Wikipedia vs GDPR

The Italian privacy regulator Garante recently ruled that the processing of personal data carried out by Wikipedia falls under the GDPR, and that the rules on journalistic activity and the expression of thought apply to the published contents. The decision came after the complaint of an interested party whose request to the Wikipedia Foundation for deletion of a biographical article relating to a judicial matter was not satisfied. The regulator ordered the de-indexing of the article.

The US non-profit believes it does not offer a service to users in the EU and is therefore not bound to compliance with the GDPR: it just “hosts” the contents inserted by the community of volunteers. In reality, explains Garante, Wikipedia constantly addresses and verifies the quality standards of the content and creates versions of the site dedicated to users from one or more EU countries.  

More enforcement decisions

Cookies without consent: An Amsterdam court held that LinkedIn, Microsoft and Xandr must cease the placement of cookies without user consent, Data Guidance reports. The plaintiff visited 52 websites, of which 19 installed cookies on their device either without their knowledge or after consent was expressly denied. The website provider bears certain duties even in cases where third parties are responsible for the installation of cookies on users’ devices. The court found that the cookies in question resulted from the above companies’ partnerships with third-party operators, and that the companies did not prevent those third parties from placing cookies without authorisation.

Recruiting company deletion requests: Meanwhile, the Dutch data protection authority has imposed a fine of 6,000 euros on the recruitment company Ambitious People Group. The company did have a method for requests to delete data. Yet in practice, things went wrong several times. The data remained in the database after the people requested their removal. The company also kept approaching these people about vacancies. The data in question included names, home addresses, e-mail addresses, telephone numbers, dates of birth and CVs containing information about education and work experience.

Security gaps: As part of an unsolicited audit by the Lower Saxony data protection authority, 20 companies have closed security gaps in their Microsoft Exchange servers. There is sometimes only a very short period between the release of a security update and the exploitation of vulnerabilities, and sometimes the first waves of attacks on customers’ and employees’ data have already occurred beforehand. Therefore: 

  • Anyone who commissions an IT service provider to operate an Exchange server must ensure that the contract also includes regular patching of the server. 
  • Companies must ensure that they can patch their servers immediately if critical security vulnerabilities arise.

Data security

Affordable data security: An opinion article by the Estonian data protection regulator suggests that small and medium-sized companies perceive data protection mainly as a source of costs and worries. However, practice shows that mitigating the cyber security risks associated with data protection may not be as daunting or expensive as it seems at first glance. The most familiar, and still valid, recommendations for web security include:

  • updating the software on your devices and IT infrastructure, (hosting providers offer automated application installation)
  • adopting multi-factor authentication, (user log-ins and web hosting control panel),
  • auditing accounts, (access control), and
  • disposing of unused and unnecessary applications and files on the web server.

Privacy vulnerabilities of AI systems: An Iuslaboris law blog looks at cyber security obligations under the EU AI Act – against model poisoning, model evasion, confidentiality attacks, and model flaws. One example is privacy attacks. Once the AI system is operational, bad actors can use legitimate means to obtain personal data. It may be possible for bad actors to send a large language model many queries which enable them to reverse engineer personal data about a particular individual in the aggregate data set. The same techniques can be used to access proprietary or confidential information relating to the AI system’s architecture, enabling attackers to extract sufficient information about an AI system to reconstruct a model.

Hospital system under attack


BBC News reports that London hospitals are still grappling with the aftermath of a cyber attack that has led to many hours of extra work for their staff. A critical incident was declared on 4 June after a ransomware attack targeted the services provided by pathology firm Synnovis. Healthcare facilities are experiencing significant disruptions to their services, including blood transfusions, and blood sample processing is being done by hand in the labs. The results are added into the system “line by line” after being double-checked. It was also necessary to move some patients who needed emergency surgery to different institutions and cancel other operations.

Privacy research

The Norwegian data protection regulator revealed the results of a nationwide survey on the population’s relationship to privacy. The vast majority of people in the survey have refrained from downloading an app because they are unsure of how their data will be used. Young people are used to giving up large amounts of personal data, and they use a far greater range of services than older age groups do. Most people believe that AI will challenge privacy by collecting too much personal data and using it. There is broad support that the authorities should take an active role in the regulation of artificial intelligence, but fewer believe that this will be possible. 

Data protection digest 18 Feb – 2 Mar 2024: web browsing data for sale, banking sector outsourcing, cybersecurity core 2.0
https://techgdpr.com/blog/data-protection-digest-05032024-web-browsing-data-for-sale-us-restricted-data-transfers-and-cybersecurity/
Tue, 05 Mar 2024 10:51:50 +0000

The post Data protection digest 18 Feb – 2 Mar 2024: web browsing data for sale, banking sector outsourcing, cybersecurity core 2.0 appeared first on TechGDPR.
This issue highlights how web browsing data, non-anonymised according to America’s FTC, was sold worldwide in the Avast/Jumpshot case, the EDPB’s new enforcement action on the right of access, cloud outsourcing in the banking sector, the NIST’s new cybersecurity framework for all organisations, and federated learning analysis.

Stay tuned! Sign up to receive our fortnightly digest via email.

Web browsing data for sale

The UK software provider Avast will have to pay 16.5 million dollars to the US Federal Trade Commission, and the business will not be allowed to sell or license any web browsing data for advertising purposes. Avast Limited, a UK-based firm, obtained customer surfing data unjustly through its antivirus software and browser extensions, retained it indefinitely, and sold it without providing consumers with sufficient notice or asking for their consent. The company also did this through its Czech subsidiary. 

Following its acquisition of rival antivirus software supplier Jumpshot, Avast renamed the business as an analytics firm. Jumpshot sold surfing data that Avast had gathered from users between 2014 and 2020 to a range of customers, including marketing, advertising, and data analytics firms as well as data brokers. The business said that before sending the data to its clients, it eliminated identifying information using an algorithm. 


However, according to the FTC, the business did not adequately anonymise the user web browsing data that it sold in non-aggregated form through a variety of products. The FTC says the business did not prohibit some of its data purchasers from using Jumpshot’s data to re-identify Avast users. For instance, Jumpshot allegedly signed a deal with advertising giant Omnicom to supply an “All Clicks Feed” for 50% of its clients in the US, UK, Mexico, Australia, Canada, and Germany.

Americans’ sensitive data

The US seems to have increased regulations on restricted cross-border data transfers due to national security concerns. 

President Biden issued an Executive Order to protect Americans’ sensitive personal data. It will prevent the large-scale transfer of America’s sensitive and government-related data to countries of concern, (reportedly they are China, Cuba, Iran, North Korea, Russia and Venezuela), and prohibit commercial data brokers and other companies from selling biometrics, healthcare, geolocation, financial and other sensitive data to countries of concern, or entities controlled by those governments, intelligence services and militaries. 

The US Justice Department’s National Security Division has already published an Advance Notice of Proposed Rulemaking to provide transparency and clarity about the intended scope of the program. It would include six defined categories of bulk US sensitive data – US persons’ covered personal identifiers, personal financial data, health, precise geolocation data, biometric identifiers, human genomic data, and combinations of those data. The security requirements for certain classes of data transactions would include:

  • basic organisational cybersecurity posture,
  • measures against unauthorised disclosure, 
  • data minimisation and masking,
  • use of privacy-preserving technologies,
  • compliance requirements and audits.

The Department of Justice is also considering identifying three classes of restricted data transactions: a) vendor agreements, (including for technology services and cloud services), b) employment agreements, and c) investment agreements. Nonetheless, the order program is without prejudice to the free flow of data necessary for substantial consumer, economic, scientific, and trade relationships that the US has with other countries. 

Other official guidance

The EDPB’s new enforcement action: 31 data protection authorities (DPAs) across the EEA, including 7 German state-level regulators, will participate in the 2024 enforcement action (a mixture of surveys and formal investigations) on implementing the right of access. It is one of the most frequently exercised data protection rights, and one which DPAs receive many complaints about. In addition, it often enables the exercise of other data protection rights, such as the right to rectification and erasure. To understand how organisations must respond to access requests from individuals, see the EDPB’s latest guidelines on the right of access.

Generative AI and data protection: In the UK, the House of Lords Communications and Digital Committee has published a report on large language models, (LLMs). These may have personal data in their training sets, drawn from proprietary sources or information online. Safeguards to prevent inappropriate regurgitation are being developed but are not robust. Data protection in healthcare attracts particular scrutiny as some firms are already using the technology on NHS data, which may yield major benefits. 

But equally, models cannot easily unlearn data, including protected personal data. There may be concerns about these businesses being acquired by large overseas corporations involved in, for example, insurance or credit scoring. Clear guidance is needed on how the data protection law applies to the complexity of LLM processes, including the extent to which individuals can seek redress if a model has already been trained on their data and released. Also, data protection provisions have to be embedded in licensing terms.

Consent principle

It is not always necessary for a company or an authority to obtain your consent before they can handle your data, explains the Danish data protection authority. This is because consent is only one of several legal bases for handling your data. Storage of your information must cease when you withdraw your consent, but only for the information that is handled or processed on the basis of consent.

Information processed on another legal basis, for example a commercial contract or an employment relationship, can continue to be handled or stored. Consent is also not needed if you, the data subject, are unable to give it, for example to a healthcare facility due to a serious illness. Public authorities can also process your data for specific tasks, such as handling your tax declarations. Private companies might have legitimate reasons too (such as maintaining user services), but they must not override your interests or rights.

Finally, a revocation of consent does not have a retroactive effect, and the revocation therefore does not affect the handling of information that took place before.

Rise in outsourcing contracts in the banking sector

The European Central Bank urges supervised institutions to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers. Most banks outsource certain services to take advantage of lower costs, more flexibility and greater efficiency. Considering the relatively stringent data protection regulations in the EU, it is noteworthy that personal data processing is included in 70% of outsourcing contracts, and over 70 major banks contract these vital services out to companies with headquarters located outside the EU, (eg, cloud services in the US, the UK, and Switzerland). 

The ECB discovered that over 10% of contracts concerning essential tasks do not adhere to the applicable requirements. Furthermore, 20% of these non-compliant contracts have not had a rigorous risk assessment during the past three years, and 60% have not undergone an audit.

Starting in 2025, the Digital Operational Resilience Act will go into effect and offer further tools for monitoring important IT service providers, particularly those that ensure the operational resilience of financial institutions.


Illicit marketing

The Italian privacy regulator imposed a fine of over 79 million euros on Enel Energia for serious shortcomings in the processing of personal data of numerous users in the electricity and gas sector, carried out for telemarketing purposes. The case originated from a previous investigation which involved a 1.8 million euro privacy fine on four companies and confiscated databases used for illicit activities. It emerged that Enel Energia had acquired 978 contracts from the above companies, even though these did not belong to the energy company’s sales network.

Furthermore, the information systems used for customer management and service activation by the company showed serious security shortcomings. Enel failed to put in place all the necessary measures to prevent the unlawful activities of unauthorised actors who for years fueled an illicit business carried out through nuisance calls, service promotions, and the signing of contracts with no real economic benefits for customers. Over time it involved the activation of at least 9,300 contracts.

Meanwhile, in California, a company will pay a 375,000 dollar civil penalty after it violated multiple consumer privacy laws. DoorDash is a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery. To reach new customers, DoorDash participated in marketing cooperatives and disclosed consumers’ personal information as part of its membership without providing notice or an opportunity to opt-out. The other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers. 


Data brokerage

Belgium’s data protection regulator recently fined Black Tiger Belgium, (formerly Bisnode Belgium), a company specialising in big data and data management, a total of 174,640 euros. At the time when the complaints were lodged, Bisnode Belgium operated a consumer database and a company database through which Bisnode Belgium offered “Data quality”, (to improve the quality of its customers’ data), and “Data Delivery”, (to provide data to its customers, especially for the implementation of marketing campaigns). These databases consisted of personal data and user profiles from various external sources. 

The regulator received a complaint based on the so-called ‘right of access’ with Bisnode, which allows anyone to request access to the data it keeps about them at any time. The investigation found that the company under its legitimate interest indirectly collected and processed personal data on a large scale, for a long period, (15 years), without the data subjects being informed individually, clearly and proactively about the processing carried out. The company also lacked records of its processing activities. 

Other enforcement decisions

Student privacy vs teachers’ authority: The Icelandic data protection authority ruled on personal data processing by the University of Iceland. According to the complaint, a teacher had monitored a student through the teaching site in the Canvas learning management system. However, the supervisory authority concluded that there was no electronic monitoring, as the teacher’s assessment of the complainant’s activity in the learning management system was not sustained or repeated regularly. It was also considered that the said processing of personal information had been necessary for the university in connection with statutory tasks entrusted to the university by law. 

However, the complainant was not sufficiently informed of the teacher’s ability to examine their use of the Canvas learning management system and make it the basis for grading. The peer assessment of the complainant’s fellow students in a group project was one of the factors that formed the basis of the grading for the assessment component. The University’s processing therefore failed to comply with the transparency requirements under privacy legislation.

Biometric scanning abuse: In the UK Serco Leisure, Serco Jersey and seven associated community leisure trusts have been issued enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. The investigation found that Serco and the trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities. Serco had to record employee attendance to pay workers as per its contractual duties but rejected less invasive options available, including timesheets or electronic cards. Although Serco had indicated that these choices may be abused, it had shown no proof of real, widespread misuse. 

Data security

Password retention guide: Too often identity theft is caused by the use of computer authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen data is used to illicitly enter entertainment sites, (35.6%), social media, (21.9%) and e-commerce portals, (21.2%). In other cases, they allow access to forums and websites of paid services, (18.8%), and financial services, (1.3%). As a result, the Italian data protection authority recently developed an FAQ and more detailed guidelines regarding password storage, providing cryptographic functions currently considered the most secure, (in Italian only). 

Cybersecurity core 2.0: America’s NIST has meanwhile released version 2.0 of its landmark Cybersecurity Framework. The agency has finalised the framework’s first major update since its creation in 2014. Now it explicitly aims to help all organisations — not just those in critical infrastructure, its original target audience — to manage and reduce risks. The framework’s core is now organised around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. The CSF is used widely internationally. Versions 1.1 and 1.0 have been translated into 13 languages, and the NIST expects that CSF 2.0 also will be translated by volunteers around the world. 

Federated Learning

The UK Responsible Technology Adoption Unit, in cooperation with the NIST, published a series of analyses about Privacy-Preserving Federated Learning. Organisations often struggle to articulate the benefits of the approach, associated with machine learning that involves training a model without the centralised collection of training data. This can lead to lower infrastructure and network overheads. However, bespoke privacy infrastructure can introduce additional costs. Plus, there are fewer people with the skills and experience required to design and deploy it. 

On the other hand, federated learning allows organisations to use and monetise data assets that would not have previously been accessible. In removing the need for access to the full data, it protects the value of the data for the data owner. Finally, legal consultation is a necessary cost, but in principle PETs can significantly reduce data protection risks, as when used appropriately, differentially private data can be considered anonymised. 

Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study
https://techgdpr.com/blog/data-protection-digest-18102023-dpos-duties-and-methodology-should-be-clarified-latest-study/
Wed, 18 Oct 2023 13:07:28 +0000

The post Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study appeared first on TechGDPR.
This issue highlights DPOs duties in the context of ongoing compliance with the GDPR, and the continuing saga of the US adequacy decision. Also of note are monitoring and privacy issues in the workplace.

Official guidance

DPOs duties: The Swedish data protection agency published the results of a coordinated investigation, initiated by the EDPB, on the role and position of data protection officers. It investigated 50 organisations in the public and private sectors. Here are some of the statistics: 

  • Several data protection officers hold other tasks or roles in addition to the DPO role, which in certain situations can create a conflict of interest.
  • The number of hours DPOs spend on skills development around data protection issues varies widely.
  • The resources and methodological support available for carrying out the DPO's duties vary widely.
  • Organisations have, to some extent, different ideas about what the DPO's mission should include.

Interestingly, most, but not all, organisations believe that the DPO should take part in handling personal data incidents, whereas only two-thirds believe that the DPO should be consulted when planning new personal data processing.

Sandbox invite for innovative tech: Organisations have until the end of this year to submit expressions of interest in entering the UK Information Commissioner's Office's Regulatory Sandbox in 2024. If your organisation is tackling complex data protection considerations while creating innovative new products and services, the ICO's team wants to hear from you. Expressions of interest will be assessed on whether the product or service being developed is innovative and could provide a demonstrable benefit to the public, whether you are a start-up, SME or larger organisation, from the private, public or voluntary sectors.

Server colocation: The Danish data protection authority has considered whether an IT company providing (server) colocation should be treated as a data processor for the organisation it serves. The starting point is that it should not, in particular where the colocation supplier has no access to the personal data processed on the servers: colocation primarily consists of a service other than the processing of personal data, namely physical facilities together with internet connectivity and power supply. This is only a starting point, however. Several circumstances can lead to the colocation company being considered a data processor to some extent:

  • the company provides additional services beyond physical facilities;
  • the company can and may be tasked with moving, restarting or otherwise handling the servers on which the information is processed;
  • the company can and may be tasked with replacing hard drives or memory, or provides firewall, backup or similar services.

AI code of conduct: The Canadian government published a voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. Generative systems can be adapted by organisations for various uses, such as corporate knowledge management applications or customer service tools. Firms that develop these systems and firms that manage their operation both have important and complementary roles.

Signatories of this code would develop and apply standards, and share information and best practices with other members of the AI ecosystem, prioritising human rights, accessibility and environmental sustainability. See the measures to be undertaken under the Code of Conduct in the original publication. 

Encryption evaluation tool: The Spanish data protection agency launched the ValidaCripto tool for evaluating encryption systems. Encryption transforms information into a seemingly unintelligible set of data, so that a breach of the stored or transmitted data does not by itself expose the information. The tool runs in the browser without recording or transmitting any data to the Agency; information is stored locally and reports can be generated. A help section explains its operation step by step: selecting the impact of the encryption system on the processing, categorising the most critical elements, reviewing the suggested controls and generating follow-up documentation.

Workplace monitoring: The UK Information Commissioner's Office has published guidance on lawful monitoring in the workplace. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. An organisation looking to monitor workers must take steps including:

  • Making workers aware of the nature, extent and reasons for monitoring.
  • Having a clearly defined purpose and using the least intrusive means to achieve it.
  • Having a lawful basis for processing workers' data, such as consent or legal obligation (the guidance notes that consent is rarely freely given in an employment relationship, given the imbalance of power).
  • Keeping only the information that is relevant to the purpose.
  • Carrying out a data protection impact assessment for any monitoring likely to result in a high risk to workers' rights.
  • Making the personal information collected through monitoring available to workers who make a subject access request.

Legal processes

EU-US DPF tried in court: The EU General Court rejected a request for interim suspension of the EU-US Data Privacy Framework but has yet to examine the substance of the case. The request was brought by a French member of parliament, who is also a member of the French data protection authority CNIL, seeking annulment of the framework for lack of guarantees of an effective remedy for data subjects against US companies, and for violation of the GDPR's minimisation and proportionality principles through the access to and use of EU personal data for US security purposes. He also observed that the text of the DPF decision, currently available only in English, should be translated into the EU's official languages.

Delete Act: California's Governor signed the Delete Act into law. It amends the California Consumer Privacy Act to make it easier for residents to submit universal deletion requests to registered data brokers. According to the Guardian's analysis, Californians already have the right to request deletion of their data under existing state privacy law, but exercising it requires filing a request with each company separately. The new measure requires all data brokers to register with the state privacy protection agency, and mandates the agency to create a simple, low-cost mechanism through which Californians can ask every data broker in the state to delete their data from a single page, regardless of how that information was obtained.

Consumer profiling: The EDPB and EDPS published a joint contribution to the public consultation on the draft template for describing consumer profiling techniques. Under the new Digital Markets Act, designated gatekeepers must submit to the European Commission independently audited descriptions of any consumer profiling techniques they apply to or across their core platform services. The regulators ask whether the Commission should expect to receive a detailed audited description of profiling techniques for each of a gatekeeper's core platform services.

The regulators are also concerned that the template alone would not provide sufficient safeguards against low-quality or otherwise unreliable audits on behalf of gatekeepers. The EDPB and the EDPS underline that any approval or statement from the European Commission on how a gatekeeper processes personal data for consumer profiling or how it informs consumers about profiling techniques does not automatically mean that the gatekeeper is complying with the GDPR, which is for supervisory authorities to verify.

Health research in France: The CNIL has adopted two new reference methodologies allowing public and private bodies (in addition to healthcare institutions and their federations, and healthcare manufacturers), but not insurers, to process data from the main database of the National Health Data System. The data controller should indicate in its protocol:

  • the components of the main database concerned by the access request;
  • the target population;
  • the targeting period;
  • the data or categories of data required;
  • the historical depth of the data;
  • the requested access period. 

As there are many ways to access these data, any controlled environment that meets the conditions set in the new methodologies may host the data for the research projects concerned.

Enforcement decisions

Case studies book: The Irish data protection authority published detailed case studies, based on 126 real cases from the past five years, illustrating how data protection law is applied, how non-compliance is identified and how corrective measures have been imposed. Topics include access request complaints, the accuracy of personal data, cross-border cases, data breach notifications, unauthorised disclosure, direct marketing, objection to processing, the right to be forgotten, and much more.

“My AI” enforcement notice: The UK Information Commissioner has issued a preliminary enforcement notice (not yet a fine) against Snap over its generative AI chatbot “My AI”. The investigation provisionally found that Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK, including children aged 13 to 17. If a final enforcement notice were adopted, Snap could be required to stop processing data in connection with ‘My AI’. Snap launched the ‘My AI’ feature for UK Snapchat+ subscribers in February and rolled it out to its wider UK user base in April. The chatbot, powered by OpenAI's GPT technology, was the first example of generative AI embedded into a major messaging platform in the UK. As of May, Snapchat had 21 million monthly active users in the UK.

Employee geolocation data: The Italian data protection authority fined Shardana Working 20,000 euros following a complaint by three of its employees. The company reads gas, electricity and water meters. To verify the correctness of their pay slips, the three workers had asked the company for the information used to calculate their mileage reimbursements and monthly hourly salary, as well as the procedure for establishing the compensation due.

In particular, they had asked to see the data collected through the company smartphone, on which a geolocation system had been installed to let workers identify the route to the meters. The regulator found that Shardana Working had not adequately informed the employees about the data processed through the GPS on their smartphones. Even if the company considered that it could not fully respond to the employees' requests, it should at least have stated the specific reasons why it could not comply with the access requests.

Dismissal based on geotracking: A similar case arose recently in France, according to the Ius Laboris legal blog. The Cour de cassation, France's highest civil court, ruled on a dismissal based on geolocation data from the employee's company car. An employee of an equipment rental firm was fired for making unnecessary trips. The geolocation processing had been declared to the CNIL for the purposes of locating company vehicles and ensuring the safety of goods and people on site, and the employee had been informed of this. The Court held, however, that the trial judge should have examined whether the geolocation system was also used to monitor the employee's professional activities and working hours, a purpose that went beyond what had been declared to the regulator, and whether the employee had been told about that purpose.

Electronic ticketing: The Greek data protection authority carried out an extraordinary on-site inspection at the Athens Urban Transport Organisation (OASA), examining the protection of personal data processed in its automatic fare collection system, also known as the “electronic ticket”. The authority imposed a total fine of 50,000 euros and a compliance order covering the determination of data retention periods for the various processing purposes (20 years at the time of the inspection), the anonymity of travel-card holders and their movements (e.g. by employment category), and a review of the data protection impact assessment and other documentation, which were not available at the time of the audit.

Big Data

Biometric surveillance: According to The Guardian, dozens of cross-party MPs and privacy campaigners in the UK have joined a campaign calling for an “immediate stop” to the use of live facial recognition by police and commercial companies. Live facial recognition has recently been used by British police at large public events such as King Charles' coronation. The campaign follows the policing minister's announcement of plans to make UK passport images searchable by police, linking data from the police national database, the Passport Office and other national databases so that officers can find a match with the “click of a button”.

Google user data: Google will give users in the EU more choice over how it processes their data, under commitments given by the company. This is the outcome of proceedings by the Bundeskartellamt (German Federal Cartel Office) under a new competition-law instrument that allows intervention when large digital companies threaten competition. The commitments cover situations where Google would like to combine personal data from one Google service with personal data from other Google or non-Google sources, or cross-use such data in Google services that are provided separately.

An equivalent obligation already follows from the new Digital Markets Act, so the core platform services listed in the Commission's designation decision (Google Shopping, Google Play, Google Maps, Google Search, YouTube, Google Android, Google Chrome and Google's online advertising services) are not covered by the commitments. Google's commitments to the Cartel Office do, however, cover data processing across more than 25 other services, including Gmail, Google News, Assistant, Contacts and Google TV.

The post Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study appeared first on TechGDPR.
