gig-workers Archives - TechGDPR
https://techgdpr.com/blog/tag/gig-workers/

Data protection digest 2 – 17 Dec 2023: scoring of individuals, EU data consolidation, and the ‘Internet of Behaviours’
https://techgdpr.com/blog/data-protection-digest-19122023-scoring-of-individuals-eu-data-consolidation-and-internet-of-behaviours/
Tue, 19 Dec 2023 09:05:32 +0000
In this issue, the EU legislators moved closer to the implementation of a digital data strategy to provide European organisations with the ability to grow and compete globally. Despite the transformative effects, civil societies and cohorts of experts warn that such consolidation of European data can undermine individual data protection rights. EU regulators and courts are trying hard to strike a balance between market power and consumer privacy, as in the case of scoring individuals by debt information agencies.

CJEU decisions

Automated decision-making: The EU top court identified data processing practices by credit information agencies that contradict the GDPR. While the so-called ‘scoring’ of individuals is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR (the case concerns SCHUFA, a private company providing credit information to clients in Germany).

As regards the ‘scoring’ of individuals, the court holds that it constitutes an automated individual decision, prohibited in principle by the GDPR, in so far as SCHUFA’s clients, such as banks, attribute to it a determining role in the granting of credit. The court also considers that it is contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register does. The discharge from remaining debts is intended to allow the data subject to re-enter economic life and is therefore of existential importance to that person.

Non-material damage: Another CJEU decision concludes that the fear of possible misuse of personal data is capable of constituting non-material damage. Nonetheless, courts cannot conclude that the protective measures put in place by the data controller were ineffective merely because cybercriminals gained unauthorised access to or disclosed personal data. The courts must assess the security measures concretely, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks. Finally, the controller may be required to compensate data subjects who have suffered damage, unless it can prove that it is not responsible for that damage.

EU’s AI act

Agreement reached: On 8 December, the legislative trilogue on the draft AI Act ended and a provisional agreement was reached. AI systems are going to be regulated according to how much risk they pose to society and fundamental rights, including a list of high-risk and prohibited practices, supported by various levels of monetary fines. Limited exceptions will be available for law enforcement purposes. General-purpose AI systems will also be subject to transparency obligations, with additional codes of practice imposed on the most powerful models.

Allocation of GDPR-governed roles: Meanwhile, the German Data Protection Conference demands that the intended AI Act properly allocate responsibilities along the entire AI value chain. This is the only way to protect the fundamental rights of those affected whose data is processed by AI, states the regulatory body. Any legal uncertainty in this area would harm citizens, and especially small and medium-sized companies, which must bear the brunt of legal responsibility. The upcoming AI regulation should therefore specify for all those involved – including manufacturers and providers – which requirements they must meet.

EU regulatory updates

Workforce monitoring: The Council and the Parliament have reached a provisional agreement on a proposed directive to improve working conditions for platform workers. In particular, it will help ensure that those workers who have wrongly been classified as self-employed have easier access to their rights as employees under EU law. The proposal also establishes the first EU rules on the use of algorithmic systems in the workplace.

Digital labour platforms regularly use algorithms for human resources management. As a result, platform workers are often faced with a lack of transparency on how decisions are taken and how personal data is used. Under the new rules, algorithms would be monitored by qualified staff, who enjoy special protection from adverse treatment. The new law also prevents the processing of certain personal data using automated monitoring or decision-making including:

  • emotional or psychological state,
  • private conversations,
  • actual or potential trade union activity,
  • racial or ethnic origin, migration status, political, religious beliefs or health status,
  • biometric data, other than data used for authentication.

Youth data protection: The Dutch data protection authority objects to a bill that would lead to large-scale data collection in youth care. The proposal is meant to enable research into the availability of youth care within municipalities. This includes child protection, assistance to young people with psychological problems and the probation service. However, it needs to be sufficiently clear why a lot of sensitive information from young people and their parents, healthcare providers and municipalities must be shared in such research. The availability of youth care could be investigated in a way that is much less invasive (eg, random sampling, distribution of waiting times or development of new statistics).

European Health Data Space

Pros: Both the Parliament and the Council have agreed on their positions on the European Health Data Space (EHDS). The new legislation would make exchanging and accessing health data at the EU level easier. The proposed regulation aims to improve individuals’ access to and control over their electronic health data, while also enabling certain data to be reused for research and innovation purposes, and to foster a single market for digital health services and products. The new rules aim to make it possible for a Spanish tourist to pick up a prescription in a German pharmacy, or for doctors to access the health information of a Belgian patient undergoing treatment in Italy.

Cons: However, several civil groups and experts have already warned about the privacy shortcomings of the cross-border exchange of electronic health data. The Irish Council for Civil Liberties recommends that the EHDS should specify the legal basis consistent with the GDPR and be specific about the allowed purposes of secondary use of electronic health data. It should also further narrow the categories of health data allowed for secondary use to reduce risks to fundamental rights. Another international consortium of experts believes the proposal significantly reduces transparency requirements, in contrast to the GDPR, as it:

  • introduces waivers related to the provision of individual-level information to data subjects;
  • disfavors consent as a legal basis for data sharing;
  • builds up large datasets which may be extensively used for secondary purposes, which increases the risk of re-identification.

US privacy updates

FISA 702 short extension: US lawmakers reached a deal to temporarily extend major federal surveillance programs until mid-April, while talks on the future reform of the intelligence powers continue. Section 702 permits the government to conduct warrantless surveillance on any foreign national to gather “foreign intelligence information.” However, communications between Americans and the people under monitoring result in the collection of their data as well. Privacy campaigners warn that reauthorization of the intelligence powers must come with safeguards against abuse.

Opt-out preference signals: Meanwhile, the California Privacy Protection Agency has approved a legislative proposal that requires browser vendors to include a feature that allows users to exercise their California privacy rights through opt-out preference signals. Through an opt-out preference signal, a consumer can opt out of the sale and sharing of their personal information with all businesses they interact with online, without having to make individualised requests to each business. To date, only a limited number of browsers offer native support for opt-out preference signals: Mozilla Firefox, DuckDuckGo, and Brave. Google Chrome, Microsoft Edge, and Apple Safari, which together make up over 90% of the market share, have declined to offer these signals; these companies also rely heavily on advertising business models.
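An opt-out preference signal is only useful if the receiving server actually acts on it. The following is an added illustration of the server side (it is not TechGDPR's code nor any browser vendor's): the digest does not name a specific signal, so this assumes the Global Privacy Control header `Sec-GPC: 1` as defined in the GPC specification, and the request and partner objects are constructed stand-ins rather than a real web framework. The point it shows is that the signal must be checked case-insensitively, that only the exact value `1` counts, and that suppressed sharing is logged so the controller can later demonstrate compliance.

```python
"""Honouring an opt-out preference signal on the server side.

Added illustration, not TechGDPR's code nor any browser vendor's. The digest
does not name the signal; this assumes the Global Privacy Control header
`Sec-GPC: 1` (GPC specification). Request and partner objects are constructed
stand-ins, not a real web framework.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """Constructed minimal request: a header map and the user it belongs to."""
    headers: Dict[str, str]
    user_id: str

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive, so compare lower-cased.
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def opt_out_signalled(req: Request) -> bool:
    """True only when the header is present with the exact value "1".
    An absent header, "0" or any other value is not a valid opt-out."""
    return req.header("Sec-GPC") == "1"


@dataclass
class SharingLog:
    """Audit trail so a controller can show which sharing was suppressed and why."""
    shared: List[Tuple[str, List[str]]] = field(default_factory=list)
    suppressed: List[Tuple[str, List[str]]] = field(default_factory=list)


def share_with_partners(req: Request, partners: List[str], log: SharingLog) -> List[str]:
    """Forward the user's identifier to third-party partners unless the browser
    signalled an opt-out. Returns the list of partners actually contacted."""
    if opt_out_signalled(req):
        log.suppressed.append((req.user_id, list(partners)))
        return []
    log.shared.append((req.user_id, list(partners)))
    return list(partners)


if __name__ == "__main__":
    log = SharingLog()
    opted_out = Request({"sec-gpc": "1"}, "user-1")          # constructed request
    no_signal = Request({"User-Agent": "example"}, "user-2")  # constructed request
    print(share_with_partners(opted_out, ["adnet.example"], log))  # []
    print(share_with_partners(no_signal, ["adnet.example"], log))  # ['adnet.example']
```

In a real deployment the check would sit in middleware in front of every code path that sells or shares data, and the suppressed list would feed the records the regulator can ask for; the header comparison deliberately rejects values such as `true` or `yes`, since the specification defines only `1` as the opt-out.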

Data subject rights

Right to delete: Every time personal data is processed, the question arises as to how long the data controller may store this data. Art. 5 of the GDPR, as a starting point, provides the principles of purpose limitation, data minimisation and storage limitation. In addition, data subjects whose personal data has been processed have a right to erasure under Art. 17 of the GDPR, with which they can request the deletion of their data under certain conditions. There are also legal retention and deletion obligations that the controller must comply with. The Liechtenstein data protection agency has put together information on its website (in German) that sheds light on the topic both from the side of the data subject and from the side of the person responsible for the data processing.

Employment guidance

The UK Information Commissioner’s Office produced an online resource with topic-specific guidance on employment practices and data protection, with two new pieces of guidance now out for public consultation: a) keeping employment records, b) recruitment and selection. Data protection law applies whenever you process your workers’ personal information. The law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between your need to keep employment records and workers’ right to private lives, explains the regulator. 

Additionally, the labour market supply chain can be complex, with end-to-end recruitment processes often involving several organisations. The use of novel technologies in recruitment processes means that organisations are processing increasingly large amounts of information about people – candidates, prospective candidates, employees, contractors, volunteers or gig and platform workers, referees, emergency contacts, and dependants.

UK-US data transfers

The ICO also offers a guide on how to comply with the rules on restricted transfers of personal data to the US using an Art. 46 UK GDPR transfer mechanism. There are a range of reasons why you may wish to use it, including:

  • if your US recipient is not certified to the UK Extension to the EU-US data protection framework or the restricted transfer is not covered under your recipient’s certification;
  • none of the eight exceptions set out in Art. 49 of the UK GDPR apply to your restricted transfer;
  • you are making the restricted transfer under UK Binding Corporate Rules, or
  • you or your US recipient uses the Addendum or the International Data Transfer Agreement as the preferred standard transfer mechanism.

You can make restricted transfers to recipients in the US using Art. 46 only if you have first completed a transfer risk assessment. This includes the latest analysis of US laws related to access and use of personal information by US agencies for national security and law enforcement, the circumstances of each transfer, and the commercial practices of you and your recipient. The requirement to complete a transfer risk assessment applies regardless of which mechanism you use or why. 

Investigations

DPO for public services: The Luxembourg data protection regulator CNPD concluded an investigation into the appointment of data protection officers by municipalities. According to Art. 37(1)(a) of the GDPR, any data controller or processor must designate a DPO if “the processing is carried out by a public authority or body, except for courts acting in their judicial capacity”. At the time of the opening of the investigation (in 2022), 4 out of 6 municipalities had either appointed a DPO or communicated the latter’s contact details to the CNPD. No further corrective measures have been taken, as the municipalities regularised their situation over the course of the investigations.

Enforcement decisions

Google Workspace at school: Meanwhile in Sweden, a penalty fee was issued against a municipality that had not assessed the impact of using Google Workspace in 24 of the municipality’s schools since autumn 2020. Among other things, the platform was used for students’ feedback on school assignments. The personal data of nearly 6,000 students and 1,300 employees was processed without a proper impact assessment having been conducted (Art. 35 of the GDPR). In particular, when the student system was put into use, it relied on an older assessment from 2014, carried out by another municipality on the use of Google solutions in education, and that was considered satisfactory.

Employee data requests: The Italian privacy regulator fined Autostrade per l’Italia and Amazon Italia Transport 100,000 and 40,000 euros respectively, for not having given timely and reasoned feedback, not even denial or deferral, to requests for access to their data presented by some employees and former employees. In the first case, the group requested information on the calculation of their pay slips. When asked for explanations by the regulator, the company had not responded so as not to compromise its right to defence in court, as several legal proceedings were underway between the company and the workers regarding the methods of calculating severance pay. 

In the case of Amazon, the authority followed the complaint of a former employee about the company’s failure to respond to a request for data relating to his employment relationship. The company had not responded to the request because it was drawn up in a very broad and generic manner. In both cases, the regulator concluded that the data controller should have responded at least with the reasons not to proceed with the request or ask for more details as in the case with Amazon.

Reprimands

Failed TOMs: Meanwhile in the UK, Finham Park Multi Academy Trust was reprimanded in respect of Art. 5 and 32 of the GDPR. An unauthorised third party used compromised credentials to access and encrypt Finham Park’s systems. 1,843 data subjects were affected by the incident, and the ICO’s investigation found Finham Park did not have adequate account lockout or password policies in place.
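The missing control the ICO names, an account lockout policy, is small enough to show end to end. The following is an added example written for this digest, not code from the ICO or from Finham Park; the threshold, window and lockout duration are constructed illustrative values, and the timestamps are injected so the behaviour can be exercised without waiting. It demonstrates a sliding window of failed attempts, a temporary lock once the threshold is reached, and the detail that a correct password during the lock period is still refused, so a guessing campaign cannot tell when it has found the right credential.

```python
"""Account lockout for a login endpoint: sliding window of failures, temporary lock.

Added example, not code from the ICO or Finham Park. Threshold, window and
lockout length are constructed illustrative values; `now` is a caller-supplied
timestamp (seconds) so the policy is deterministic and testable.
"""
from collections import defaultdict, deque
from typing import Deque, Dict


class LockoutPolicy:
    def __init__(self, max_failures: int = 5, window_seconds: int = 600,
                 lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # account -> failure times
        self._locked_until: Dict[str, float] = {}                     # account -> lock expiry

    def _prune(self, account: str, now: float) -> None:
        """Drop failures older than the window so old noise does not lock anyone."""
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear both the lock and the failure history.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed attempt; return True if this one triggers a lock."""
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures[account].clear()


def attempt_login(policy: LockoutPolicy, account: str, password_ok: bool, now: float) -> str:
    """Outcome of one login attempt: "ok", "failed" or "locked".

    The lock check runs before the password check, so a correct password
    during the lock period still yields "locked" and leaks nothing.
    """
    if policy.is_locked(account, now):
        return "locked"
    if password_ok:
        policy.record_success(account)
        return "ok"
    if policy.record_failure(account, now):
        return "locked"
    return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=100)
    for t, ok in [(0, False), (10, False), (20, False), (30, True), (121, True)]:
        print(t, attempt_login(policy, "alice", ok, t))
```

A per-account lock like this is the control the reprimand refers to; in production it is paired with rate limiting per source address and with alerting on the lock events themselves, since a burst of locks across many accounts is the signature of a credential-stuffing run.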

The regulator also reprimanded Bank of Ireland UK for mistakes made on more than 3,000 customers’ credit profiles. It sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies, organisations that help lenders decide whether to approve financial products. This inaccurate data could have potentially led to these customers being unfairly refused credit for mortgages, credit cards or loans, or granted too much credit on products they were potentially unable to afford.

Data security

IoB and data protection: In its latest TechSonar report the EDPS explains the privacy concerns behind the so-called ‘Internet of Behaviours’ (IoB). It is described as a “network in which behavioural patterns would have an IoB address in the same way that each device has an IP address in the Internet of Things (IoT)”. An example could be the use of patients’ and employees’ location data in hospitals during the COVID-19 pandemic to identify the behaviours that spread or mitigate the virus.

In general, IoB relies on the collection and processing of data from different IoT devices, such as wearables, smart cameras or Bluetooth and Wi-Fi sensors. Thus, it suffers from transparency and control issues because it often lacks appropriate means to inform its users. Their data collection is seamless and the means to exert control over the processing are limited, states the report.

Password storage: The Italian data protection regulator and the national cybersecurity agency offer new Password Retention Guidelines (in Italian). Too often identity theft is caused by the use of computer authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen data is then used to illicitly enter entertainment sites, social media and e-commerce portals. It can also allow fraudulent access to forums and websites for paid and financial services. The guidelines are aimed at:

  • data controllers or data processors that store the passwords of their users on their systems and that serve a large number of data subjects (eg, digital identity providers, email service managers, banks, insurance companies, telephone operators, healthcare facilities),
  • subjects who access databases of particular importance or size (eg, public administration employees), or
  • types of users who usually process sensitive or judicial data (eg, healthcare professionals, lawyers, magistrates).

Big Data

Data breach notification for telecoms: The US Federal Communications Commission adopted rules to modify 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol, and telecommunications relay services adequately safeguard sensitive customer information. They often collect large quantities of sensitive customer data, including telephone numbers a person has called and mobile phone location data showing the places they have been. The new rules cover certain personally identifiable information that carriers and providers hold concerning their customers and expand the definition of “breach” to include inadvertent access, use, or disclosure of customer information. It will also eliminate the mandatory waiting period to notify customers, after notification to the commission and law enforcement agencies.

Apple push notification data: Apple says it now requires a judge’s order to hand over information about its customers’ push notifications to US law enforcement, putting the iPhone maker’s policy in line with rival Google, Reuters reports. Smartphone users receive push notifications informing them of fresh messages, breaking news, etc. The servers of Apple and Google handle almost all of these alerts. The practice placed the corporations in a unique position to help the government monitor users’ use of certain applications.

Google location data: Meanwhile Google offers updates on its Location History and new controls coming soon to Maps. For example, when you first turn on Location History, the auto-delete control will be set to three months by default, which means that any data older than that will be automatically deleted. Previously this option was set to 18 months. Also, for users who have chosen to turn Location History on, the timeline will be saved only on their device. Just like before, users can delete all or part of the information at any time or disable the setting entirely.
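Both the Liechtenstein guidance on how long a controller may keep data and Google's three-month auto-delete default above are instances of the same mechanism: a retention period bound to the purpose of the data, enforced automatically, with an exception for records the controller is legally obliged to keep. The block below is an added example written for this digest, not TechGDPR's, the Liechtenstein DPA's or Google's code. The purposes and periods are constructed (the 90-day `location_history` period mirrors the three-month default described above), legal retention obligations are modelled with a `legal_hold` flag, and the one edge case worth showing is that a record whose purpose has no retention rule is neither silently kept nor silently deleted but surfaced for review.

```python
"""Enforcing storage limitation with per-purpose retention periods.

Added example, not TechGDPR's, the Liechtenstein DPA's or Google's code.
Purposes and retention periods are constructed (the 90-day location period
mirrors the three-month auto-delete default in the digest); legal retention
obligations are modelled with a `legal_hold` flag.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed policy: purpose -> maximum retention in days.
RETENTION_DAYS: Dict[str, int] = {
    "location_history": 90,
    "invoice": 3650,
    "support_ticket": 365,
}


@dataclass
class Record:
    record_id: str
    purpose: str
    created: datetime
    legal_hold: bool = False   # True when a legal retention obligation applies


def classify(records: List[Record], policy: Dict[str, int],
             now: datetime) -> Dict[str, List[str]]:
    """Sort records into delete / keep / review.

    A purpose with no retention rule is never silently kept or deleted; it is
    reported under "review" so the policy gap is visible to the controller.
    """
    decision: Dict[str, List[str]] = {"delete": [], "keep": [], "review": []}
    for rec in records:
        days = policy.get(rec.purpose)
        if days is None:
            decision["review"].append(rec.record_id)
        elif rec.legal_hold:
            decision["keep"].append(rec.record_id)
        elif now - rec.created > timedelta(days=days):
            decision["delete"].append(rec.record_id)
        else:
            decision["keep"].append(rec.record_id)
    return decision


def purge(records: List[Record], policy: Dict[str, int],
          now: datetime) -> Tuple[List[Record], Dict[str, List[str]]]:
    """Apply the policy: return the surviving records and the decision log."""
    decision = classify(records, policy, now)
    doomed = set(decision["delete"])
    return [r for r in records if r.record_id not in doomed], decision


def demo_now() -> datetime:
    """Fixed constructed reference time so the run is reproducible."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc)


def sample_records(now: datetime) -> List[Record]:
    """Constructed sample data positioned relative to `now`."""
    return [
        Record("loc-old", "location_history", now - timedelta(days=120)),
        Record("loc-new", "location_history", now - timedelta(days=30)),
        Record("loc-held", "location_history", now - timedelta(days=200), legal_hold=True),
        Record("inv-1", "invoice", now - timedelta(days=120)),
        Record("dbg-1", "debug_dump", now - timedelta(days=400)),   # no policy entry
    ]


if __name__ == "__main__":
    survivors, decision = purge(sample_records(demo_now()), RETENTION_DAYS, demo_now())
    print(decision)                                   # delete: loc-old; review: dbg-1
    print([r.record_id for r in survivors])
```

Run on a schedule, the decision log is the evidence that storage limitation is actually applied; the "review" bucket is what stops a new data category from quietly accumulating forever because nobody assigned it a period.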

Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flaws, DPIA for AI
https://techgdpr.com/blog/weekly-digest-13122021-whistleblowers-data-protection-gig-workers-cookiebots-software-flaws-dpia-for-ai/
Mon, 13 Dec 2021 09:52:31 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Whistleblowing Directive is due to be implemented into national law by 17 December. It requires all EU Member States to implement legislation obliging all companies with 50 or more workers to put in place appropriate reporting channels to enable those workers to report breaches of EU law, and to ensure that those making whistleblowing reports are legally protected against retaliation for having done so. Also, businesses with operations across the EU need to monitor implementation and understand the local requirements set by the data protection authorities, as there will be variations between jurisdictions (see the country-by-country implementation tracker from Bird & Bird LLP). Key areas to address will be ensuring that:

  • reports are handled by the correct people, in accordance with prescribed timescales and with appropriate security and confidentiality;
  • required information is given to the whistleblower and to the person investigated;
  • there is guidance and training in place to ensure non-retaliation; and 
  • there are appropriate retention periods for reports and investigation data. 

How this could be implemented in practice (with a German example), involving works councils, internal codes of conduct, reporting options and controls, is described in an article by Ius Laboris lawyers.

Uber, Deliveroo and a dozen other two-sided online platforms could be hit by draft EU rules for gig workers. They may have to reclassify some of their workers as employees under a new proposal from the EU Commission meant to boost their social rights. The rules apply to ride-hailing, food delivery apps etc, and require companies to provide information to employees on how their algorithms are used to monitor and evaluate them, as well as on the allocation of tasks and the setting of fees. Employees can also demand compensation for breaches, Reuters reports. The rules place the burden on online platforms to provide evidence that these regulations do not apply to them. Workers can also challenge their reclassification either via an administrative process or in a court. The draft rules will need to be thrashed out with EU member states and EU lawmakers before they can be adopted, with the Commission estimating a 2025 time frame.

In Germany, the administrative court of Wiesbaden issued a preliminary decision prohibiting RheinMain University from using Cybot A/S’s consent management platform Cookiebot by Usercentrics, DataGuidance reports. In particular, the court found that:

  • Cookiebot CMP transfers the complete IP address of the end user to the servers of a cloud company whose headquarters are in the US.
  • The end user was identifiable from a combination of a key stored in the user’s browser, which identified the website visitor, and the transferred full IP address. 
  • This constituted a transfer of personal data to a third country, which the court underlined is prohibited in line with the “Schrems II” CJEU judgment.

Even if the corresponding server is possibly located in the EU, the US group has access to it, so that the US Cloud Act, with its broad query options for US authorities, takes effect. Finally, the university did not ask users’ consent for the data transfer, users were not informed about the possible risks associated with the transfer resulting from the US Cloud Act, and the data transfer was not necessary for the operation of the university’s website.

Official guidance

In Austria, a newly approved Code of Conduct (available in German only) establishes more legal certainty for insurance brokers and consultants. In particular, the document (approved by the data protection authority in accordance with Art. 40 of the GDPR) finally clarifies the legal status of the insurance broker as a data controller, who acts independently in the interests of the customer and is not subject to any data protection instructions from an insurance company. In addition, there is now clarity about the justification for data processing with regard to “simple” and “special” categories of personal data. An advantage for all those who want to officially adhere to the Code of Conduct is an objective external monitoring body entrusted with checking compliance.

Data breaches, investigations and enforcement actions

The Dutch data protection authority, AP, imposed a fine of 2.75 mln euros on the tax authorities. For years the tax administration has processed the dual nationality of applicants for childcare allowance in an unlawful, discriminatory and improper manner. The dual nationality of Dutch nationals does not play a role in assessing an application for childcare allowance. Nevertheless, the tax administration kept and used this information. In addition, the tax authorities used the nationality of applicants as an indicator to combat organised crime, in a system that automatically designated certain applications as high-risk. The data was not necessary for those purposes, and the administration should have deleted it in accordance with GDPR data minimisation principles. In 2018 the tax administration stopped using these indicators, and by 2020 the dual nationalities of Dutch people had been completely removed from its systems.

The UK Information Commissioner’s Office, the ICO, hit broadband ISP and TV operator Virgin Media with a 50,000 pound fine after it sent nearly half a million direct marketing emails to people who had previously opted out. In August 2020 the regulator received a complaint from one of the operator’s customers about the unsolicited email. The message itself took the form of a price notification and attempted to get the customer to opt back into marketing communications. Just one customer complained to the ICO about receiving the spam, but that was enough to spur the regulator into investigating. Even though 6,500 customers decided to opt back into receiving marketing emails as a result of the mailshot, the ICO said this was not enough to ignore the UK Privacy and Electronic Communications Regulations. “The fact that Virgin Media had the potential for financial gain from its breach of the regulation (by signing up more clients to direct marketing) is an aggravating factor”, the ICO stated.

The Norwegian data protection authority, Datatilsynet, has punished the Government Pension Fund (SPK) with an infringement fee of 99,000 euros. SPK had collected unnecessary income information about approximately 24,000 people. SPK had obtained income information from the tax administration since 2016. SPK itself revealed that part of the information was data that should not have been collected, as it was not necessary for post-settlement disability benefits. The information was obtained through a predefined data set from the tax authority. Until 2019, SPK did not have routines for reviewing and deleting the surplus information that was collected, violating basic principles of data processing, including those for special categories of personal information.

Artificial Intelligence

More and more companies will become engaged in developing and building AI systems but also in using already deployed AI systems. Therefore, potentially all companies will need to deal with the underlying legal issues to ensure accountability for AI systems sooner or later, says analysis by Bird and Bird LLP. One of these accountability requirements will often be the need to conduct a Data Protection Impact Assessment. DPIAs for AI systems deviate from similar assessments relating to the development and deployment of common software, which results from some peculiarities lying in the inherent nature of AI systems and how they work. The main points to consider are:

  • Distinguishing between DPIAs for AI system development/enhancement (eg, training the algorithm) and for AI system deployment for productive use (eg, CVs of candidates are rejected based on the historical data fed into an algorithm).
  • Taking a precise, technology-neutral approach to capturing the essential characteristics of AI (eg, systems with the goal of resembling intelligent behaviour by using methods of reasoning, learning, perception, prediction, planning or control).

The most important aspects of DPIAs for AI system development/enhancement should include: controllership, purpose limitation, purpose alteration, necessity, statistical accuracy, data minimisation, transparency, individual rights, and data security risk assessment. Data controllers (providers of the AI system or the customers that deployed it) may also voluntarily decide to conduct DPIAs as an appropriate measure to strengthen their accountability, safeguarding the data subjects’ rights. This may ultimately also help to win customer trust and maintain a competitive edge.

Opinion

The Guardian publishes thoughts by a former co-leader of Google’s Ethical AI team Timnit Gebru:

“When people ask what regulations need to be in place to safeguard us from the unsafe uses of AI we’ve been seeing, I always start with labor protections and antitrust measures. I can tell that some people find that answer disappointing – perhaps because they expect me to mention regulations specific to the technology itself.” In her opinion, the incentive structure must be changed to prioritize citizens’ well-being. To achieve that, “an independent source of government funding to nourish independent AI research institutes is needed, that can be alternatives to the hugely concentrated power of a few large tech companies and the elite universities closely intertwined with them.”

Individual rights

Monitoring of workers’ personal data via entrance control systems is featured on the Social Europe website. In tracking entrance to and exit from the workplace and ensuring its safety, electronic control systems, in which limited and non-sensitive data belonging to workers are uploaded, will be more in compliance with legal instruments than biometric systems. Biometric entrance-control systems should therefore be a last resort, limited to access to exceptional areas which require high security or to particular areas where highly confidential information is kept. As the article sums up, the EU’s GDPR does not directly regulate the monitoring of workers by electronic and biometric entrance-control systems. Provisions on such monitoring can be found in specific national legislation, but also in the Council of Europe’s Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment, and in Opinion 2/2017 of the Article 29 Working Party.

Data security

How do SIM swapping attacks work and what can you do to protect yourself? The European Union Agency for Cybersecurity, ENISA, has taken a technical deep dive into the subject. Since 2017 such attacks have usually targeted banking transactions, but not exclusively: the cryptocurrency community, social media and email accounts are also targeted. In a SIM swapping attack, the attacker convinces the telecom provider to perform the SIM swap using social engineering techniques, pretending to be the real customer and claiming, for example, that the original SIM card is damaged or lost. Specific circumstances may open the opportunity for attackers, which can be:

  • Weak customer authentication processes;
  • Negligence or lack of cyber training or hygiene;
  • Lack of risk awareness.

More information for the public is available in the ENISA Leaflet “How to Avoid SIM-Swapping”.

How long would it take a computer to crack your password? The latest chart on the Statista website illustrates that a password of 8 lower case letters has 209 billion possible combinations, yet a computer can search them instantly. Adding one upper case letter dramatically alters a computer’s potential to crack the password, extending the time to 22 minutes. A long mix of upper and lower case letters, symbols and numbers is the best way to make your password more secure: a 12-character password containing at least one upper case letter, one symbol and one number would take a computer 34,000 years to crack.
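As an added illustration (not part of the Statista chart or this digest), the following Python reproduces the arithmetic behind such figures: it confirms the 209 billion combinations for 8 lower case letters and, using inclusion-exclusion, counts 12-character passwords that must contain at least one upper case letter, one digit and one symbol. The guess rate is a constructed assumption, since the excerpt does not state the rate Statista used.

```python
"""Keyspace estimator for password policies (added example, not from
Statista or TechGDPR). The guess rate below is a constructed assumption."""
import string
from itertools import combinations

# Character classes as the chart describes them; sizes come from ASCII.
CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}


def keyspace(length, allowed, required=()):
    """Number of passwords of `length` over the `allowed` classes that contain
    at least one character from every class in `required`.

    Inclusion-exclusion: start from all strings over the allowed alphabet,
    subtract those missing one required class, add back those missing two, ...
    Requiring "at least one of each" slightly shrinks the keyspace compared
    with merely permitting the classes, which the 12-character policy shows."""
    alphabet = sum(CLASSES[c] for c in allowed)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a given offline guess rate."""
    return space / guesses_per_second


def main():
    rate = 10**11  # constructed assumption: guesses per second of a cracking rig
    eight_lower = keyspace(8, ["lower"])  # 26**8 = 208,827,064,576 ("209 billion")
    print(f"8 lower case letters: {eight_lower:,} candidates, "
          f"{seconds_to_exhaust(eight_lower, rate):.2f} s at {rate:.0e}/s")
    twelve = keyspace(12, CLASSES, required=["upper", "digit", "symbol"])
    years = seconds_to_exhaust(twelve, rate) / (365.25 * 24 * 3600)
    # The year figure depends entirely on the assumed rate, not on Statista's.
    print(f"12 chars with required upper/digit/symbol: {twelve:.3e} candidates, "
          f"about {years:,.0f} years at {rate:.0e}/s")


if __name__ == "__main__":
    main()
```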

Big Tech

Twitter is reviewing a controversial policy that penalizes users who share images of other users without their consent, The Guardian reports. The company has launched an internal review of the policy after making several errors in its enforcement. The platform now allows users to report other users who tweet “private media that is not available elsewhere online as a tool to harass, intimidate, and reveal the identities of individuals”. If a review concludes the complaint has merit and the image wasn’t used for a journalistic or public interest purpose, those accounts are deactivated. Some activists say the broad nature of the new rules makes them ineffective and ripe for abuse against the most vulnerable groups, while some reporters, photographers and journalists are concerned that they do not take into account the unreasonable expectation of privacy in public spaces, and would undermine “the ability to report newsworthy events by creating nonexistent privacy rights”.

A Virginia federal court granted Microsoft’s request to seize 42 US-based websites run by a Chinese hacking group, IAPP reports. Microsoft, which has been tracking the hacker group known as Nickel since 2016, is redirecting the websites’ traffic to secure Microsoft servers to “protect existing and future victims.” Microsoft’s Corporate VP of Customer Security and Trust said Nickel targeted organizations in 29 countries, using collected data “for intelligence gathering from government agencies, think tanks, universities and human rights organizations.”

Several Amazon services – including its website, Prime Video and applications that use Amazon Web Services (AWS) – went down last week for thousands of users in the US and EU. Amazon’s Ring security cameras, the mobile banking app Chime and the robot vacuum cleaner maker iRobot also faced difficulties. Amazon said the outage was probably due to problems with application programming interfaces (APIs), the sets of protocols used for building and integrating application software. The huge trail of damage from a network problem in a single region, “US-EAST-1”, underscored how difficult it is for companies to spread their cloud computing around, Reuters reports. With 24% of the overall market, according to research firm IDC, Amazon is the world’s biggest cloud computing firm. Rivals like Microsoft, Alphabet’s Google and Oracle are trying to lure AWS customers to use parts of their clouds, often as a backup.

Russia blocks popular privacy service Tor, ratcheting up internet control, Reuters reports. Russia has exerted increasing pressure on foreign tech companies this year over content shared on their platforms and has also targeted virtual private networks (VPNs) and other online tools. The Tor anonymity network hides a computer’s IP address to conceal the identity of the internet user. Tor also allows users to access the so-called “dark web”. Tor, which says its mission is to advance human rights and freedoms, has more than 300,000 users in Russia, or 14% of all daily users, second only to the US.

A recently uncovered software flaw could be the “most critical vulnerability of the last decade”, the Guardian reports. The problem, dubbed “Log4Shell”, was uncovered in an open-source logging tool from Apache that is ubiquitous in websites and web services. The flaw was reported to Apache by Alibaba on November 24th and disclosed by Apache on December 9th. Reportedly it allows hackers password-free access to internal systems and databases. The open-source logging tool is standard kit for cloud servers, enterprise software, and across business and government. Few computer skills are needed to steal or obliterate data, or install malware, by exploiting the bug. It will be days before the full extent of the damage is known.

The post Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flows, DPIA for AI appeared first on TechGDPR.
