health tech Archives - TechGDPR
https://techgdpr.com/blog/tag/health-tech/
Tue, 04 Nov 2025 12:41:28 +0000

Data protection digest 19 Oct – 2 Nov 2025: New AI Act and GDPR study & personal data stored on Blockchain
https://techgdpr.com/blog/data-protection-digest-03112025-new-ai-act-and-gdpr-study-personal-data-stored-on-blockchain/
Mon, 03 Nov 2025 17:46:53 +0000
Blockchain applications and data protection    

The Bank of England, in its October statement, confirmed that many firms in the financial sector are already using AI, exploring opportunities to use quantum computing, and piloting DLT applications. One example is stablecoins built on DLT networks, which are already being used at scale by individuals and businesses worldwide for faster, cheaper cross-border payments and automated financial contracting. However, the Bank acknowledges that key barriers to scaling up blockchain solutions are regulatory frameworks that are not entirely suited to digital assets and cross-border initiatives. Blockchain’s inherent characteristics also present unique challenges for GDPR compliance.

When it comes to handling personal data, blockchains present a significant challenge in respecting data subject rights. Immutability, for example, directly conflicts with the right to erasure (the “Right to be Forgotten”, Art. 17 GDPR): once personal data, or a value derived from it, is written to the ledger, it cannot be removed without breaking the chain. The global distribution of blockchain nodes also complicates regulatory supervision. Conducting a Data Protection Impact Assessment (DPIA) is not just a legal requirement for high-risk blockchain-based personal data processing, but is an important step towards responsible innovation. To help organisations meet these requirements, TechGDPR has created a free downloadable Blockchain DPIA Template, which guides users through all required areas of GDPR compliance:

  • Description of the processing operations
  • Legal basis and necessity assessment
  • Identification of risks
  • Safeguards and technical measures
  • Implementing privacy by design principles
  • Data subject rights and governance structures

The pre-designed template includes ready-to-use sections, prompts, and examples, significantly saving time and ensuring that no critical aspect of your DPIA is overlooked.
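To make the erasure conflict concrete, here is an added illustration that is not part of the TechGDPR post and does not come from the Bank of England or any DLT platform. It builds a toy hash-chained ledger, shows that blanking a block breaks verification, shows that an unsalted hash of a name is still recoverable by a dictionary attack (so it remains personal data), and then shows the common work-around of keeping the data off-chain behind a salted commitment so that erasure means destroying the salt and the data. The ledger, the class and function names, and the sample record “Alice Example” are all constructed for this example.

```python
"""Added illustration (not from the TechGDPR post): why an append-only ledger
cannot honour an erasure request, why an unsalted hash of personal data is
still personal data, and the off-chain-data-plus-salted-commitment pattern.
Everything here (ledger, names, sample record) is constructed for the example."""
import hashlib
import secrets
from typing import Optional

GENESIS = "0" * 64


def _block_hash(prev_hash: str, payload: bytes) -> str:
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AppendOnlyLedger:
    """Each block commits to the previous block's hash, so altering or
    deleting any payload invalidates the chain from that point on."""

    def __init__(self):
        self.blocks = []  # list of (prev_hash, payload, block_hash)

    def append(self, payload: bytes) -> str:
        prev = self.blocks[-1][2] if self.blocks else GENESIS
        h = _block_hash(prev, payload)
        self.blocks.append((prev, payload, h))
        return h

    def verify(self) -> bool:
        prev = GENESIS
        for prev_hash, payload, h in self.blocks:
            if prev_hash != prev or _block_hash(prev, payload) != h:
                return False
            prev = h
        return True

    def try_erase(self, index: int) -> bool:
        """Simulate honouring an erasure request by blanking a payload.
        Returns whether the chain still verifies afterwards (it does not)."""
        prev_hash, _payload, h = self.blocks[index]
        self.blocks[index] = (prev_hash, b"<erased>", h)
        return self.verify()


def unsalted_hash(pii: str) -> str:
    """What many designs put on-chain; reversible for low-entropy inputs."""
    return hashlib.sha256(pii.encode()).hexdigest()


def dictionary_attack(digest: str, candidates) -> Optional[str]:
    """Recover a name from its unsalted hash by trying a candidate list."""
    for c in candidates:
        if unsalted_hash(c) == digest:
            return c
    return None


class OffChainRegistry:
    """Personal data stays in a deletable store; only a salted commitment
    (SHA-256 over a 32-byte random salt plus the data) goes on-chain."""

    def __init__(self, ledger: AppendOnlyLedger):
        self.ledger = ledger
        self.records = {}  # record_id -> (salt, pii)

    def register(self, record_id: str, pii: str) -> str:
        salt = secrets.token_bytes(32)
        commitment = hashlib.sha256(salt + pii.encode()).hexdigest()
        self.records[record_id] = (salt, pii)
        self.ledger.append(f"{record_id}:{commitment}".encode())
        return commitment

    def prove(self, record_id: str, commitment: str) -> bool:
        """Open the commitment; only possible while salt and data exist."""
        if record_id not in self.records:
            return False
        salt, pii = self.records[record_id]
        return hashlib.sha256(salt + pii.encode()).hexdigest() == commitment

    def erase(self, record_id: str) -> None:
        """Erasure = destroy salt and data. The on-chain commitment becomes
        an opaque value that nobody can open, and the chain stays valid."""
        self.records.pop(record_id, None)


if __name__ == "__main__":
    digest = unsalted_hash("Alice Example")  # constructed sample PII
    print("recovered from unsalted hash:",
          dictionary_attack(digest, ["Bob Sample", "Alice Example"]))
    chain = AppendOnlyLedger()
    reg = OffChainRegistry(chain)
    c = reg.register("rec-1", "Alice Example")
    print("proof before erasure:", reg.prove("rec-1", c), "chain ok:", chain.verify())
    reg.erase("rec-1")
    print("proof after erasure:", reg.prove("rec-1", c), "chain ok:", chain.verify())
    print("chain ok after blanking a block:", chain.try_erase(0))
```

Whether the residual on-chain commitment still counts as personal data once the salt is gone is a question the DPIA has to answer; the technical point is only that the ledger itself never needs to change.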


UK Adequacy

The European Data Protection Board (EDPB) has issued its opinion on the adequate protection of personal data by the United Kingdom. In July 2025, the European Commission started the process towards the adoption of its draft implementing decision on the adequate protection of personal data by the UK, which extends the validity of certain parts of the previous adequacy decision until December 2031. In particular, the EDPB asks the Commission to further clarify recent changes in the UK’s post-Brexit legislation regarding:

  • removing the direct application of the principles of EU law, including the right to privacy and data protection
  • new powers to introduce changes via secondary regulations, which require less Parliamentary scrutiny (eg, on international transfers, automated decision-making)
  • changes to the rules governing third-country transfers
  • processing exemptions for law enforcement 
  • restructuring of the Information Commissioner’s Office 
  • safeguards provided by the EU-US Umbrella Agreement, whose privacy and data protection safeguards are incorporated into the UK-US Cloud Act Agreement
  • encryption, which the EDPB stresses must remain essential for ensuring the security and confidentiality of personal data and electronic communications.

AI Act and the GDPR

The European Parliament has published a study on the Interplay between the AI Act and the EU digital legislative framework, including the GDPR. In particular, the AI Act introduces requirements for fundamental rights impact assessments (FRIAs) in cases that often also trigger data protection impact assessments (DPIAs) under the GDPR. These instruments differ in scope, supervision, and procedural requirements, creating duplication and uncertainty. Transparency and logging obligations are also redundant across both regimes. Moreover, there is ambiguity over how data controllers and AI providers should manage rights of access, rectification, and erasure when personal data becomes embedded in complex AI models. 

In AI contexts, the GDPR-governed “legitimate interests” legal basis is widely regarded as the most relevant and frequently invoked basis, states the report. Meanwhile, consent is often impracticable and contractual or legal obligation bases rarely map neatly onto AI training or deployment scenarios. Finally, the AI Act introduces additional governance layers: the AI Office and the European AI Board at the EU level and the national GDPR supervisory bodies with respect to data protection issues, which produce a potentially overlapping set of competent supervisory bodies. 

Legal updates

Draghi report: The Future of Privacy Forum takes a closer look at the report on European competitiveness issued in 2024 by former Italian Prime Minister Mario Draghi, which calls for simplification of the GDPR and criticises “heavy gold-plating” by Member States in GDPR implementation. The Commission is now set to announce a Digital Omnibus package with proposals to quickly reduce the burden on businesses. However, changes to the GDPR’s fundamental principles could bring any reform into conflict with the TFEU and the Charter and lead to action before the Court of Justice.

GDPR enforcement: On 21 October, the European Parliament passed the regulation on additional procedural rules regarding the enforcement of the GDPR. The document aims to harmonise the criteria for assessing the admissibility of cross-border complaints and clarifies the rights of complainants and entities under investigation. The regulation establishes the same admissibility standards no matter where in the EU the GDPR complaint was filed. Both complainants and companies involved will have the right to be heard at specific stages of the investigation and will receive preliminary findings to express their views before a final decision is issued. 

Data for research: From 29 October, researchers can request data access from very large online platforms and search engines to study systemic risks. Access to public platform data has been available since the Digital Services Act (DSA) came into force in February 2024. Researchers now have the opportunity to request access to platforms’ internal data and to investigate the platforms’ impact on society. Since datasets can allow direct or indirect inferences about individual users through their interactions, profiles, or other published content, researchers must comply with the requirements of the GDPR when carrying out their projects.

More from supervisory authorities

DSA and the GDPR: The EDPB has closed the consultation on the guidelines on the interplay between the Digital Services Act and the GDPR. One of its sections examines the limits on automated decision-making that involves the processing of personal data by intermediary service providers. The paper also further examines the transparency of processing and the deceptive design patterns prohibited by the DSA when these practices involve personal data. It also reviews the relationship between profiling restrictions and advertising technology, systemic risk assessments and minors’ data protection.

China privacy updates: China has issued its first national standard for certification of cross-border personal information processing. The standard, which takes effect on March 1, 2026, sets out fundamental principles, security requirements, and obligations for safeguarding individuals’ rights in cross-border data processing. Reportedly, the certification is valid for three years. The applicant may reapply for certification for continual use of such certification six months before its expiration. In general, under the Chinese Personal Information Protection Law (PIPL), a data handler may transfer personal information outside of China if one of the following three conditions (with some exemptions) is met:

  • Apply for and pass the security assessment;
  • Sign and file the standard contract; or
  • Obtain the personal information protection certification.

Hacked emails

Almost one in ten people affected by cybercrime in the previous year experienced unauthorised access to an online account or email. To provide targeted support to consumers in such cases, the German Federal Office for Information Security (BSI) published a guide, Emergency checklist: Hacked account (in German). If a person can no longer log in despite entering the correct password, their email account may have been hacked; changed settings or login attempts from unfamiliar devices are further warning signs. To protect an account, the BSI recommends securing it either with a strong password combined with two-factor authentication or with passkeys.

IoT security

According to America’s NIST, IoT products often lack the product cybersecurity capabilities that their customers, whether organisations or individuals, need to help mitigate their cybersecurity risks. Manufacturers can help by providing the necessary cybersecurity functionality and the cybersecurity-related information customers need. To that end, NIST has published a public draft of Foundational Cybersecurity Activities for IoT Product Manufacturers and invited comments on it. The publication describes recommended activities that manufacturers should consider performing before their IoT products are sold to customers.

GenAI guidance


European Data Protection Supervisor (EDPS) has published its revised and updated guidelines on the use of generative AI and processing of personal data by EU institutions, bodies, offices, and agencies (EUIs), reflecting the fast-moving technological landscape and the evolving challenges posed by generative AI systems. It introduces several key updates, including:

  • a refined definition of generative AI for greater clarity and consistency
  • a new, action-oriented compliance checklist for EUIs to assess and ensure the lawfulness of their processing activities
  • clarified roles and responsibilities, assisting EUIs in determining whether they act as controllers, joint controllers, or processors
  • detailed advice on lawful bases, purpose limitation, and the handling of data subjects’ rights in the context of generative AI.


Capita fine

The UK’s privacy regulator, ICO, issued a fine of 14 million pounds to Capita for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information, from pension records to the details of customers of organisations Capita supports. For some people, this included sensitive information such as details of criminal records, financial data or special category data. Capita processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.

The investigation found that Capita, in its capacity as a data controller, had failed to ensure the security of its processing and lacked appropriate technical and organisational measures. In particular, Capita did not prevent privilege escalation and unauthorised lateral movement through its network, and did not respond effectively to security alerts once they were raised.

Grindr fine confirmed

On October 21, Norway’s Borgarting Court of Appeal upheld Grindr’s multi-million privacy fine for violating Art. 9 of the GDPR, which prohibits the processing of special categories of personal data. The court decided that sharing a dating app user ID with advertisers revealed sensitive information about users’ sexual orientation. It further held that consent was invalid because it was bundled with access to the service, giving users no real choice.

Grindr’s multi-page privacy policy was also unclear concerning the extent and beneficiaries of data sharing, according to the Digital Policy Alert legal blog.

In other news

Data security fine: Australian Clinical Labs (ACL) has been ordered to pay AUD 5.8 million for breach of the Privacy Act 1988 following a 2022 cyber incident which impacted the personal information of over 223,000 individuals. This is the first civil penalty under the Privacy Act, DLA Piper law blog reports. The incident occurred within the IT environment of ACL’s subsidiary, Medlab Pathology, which was acquired only 3 months prior. Critical vulnerabilities in the subsidiary’s IT systems were not properly identified before the acquisition, as part of the due diligence process, as ACL intended to fully integrate them into its own IT environment within the following 6 months.

Insurance data security fines: The New York State Attorney General secured USD 14.2 million in penalties from car insurance companies over data breaches. Eight car insurers’ poor cybersecurity allowed hackers to steal driver’s license numbers and use them to fraudulently obtain unemployment benefits, failing to protect the private information of more than 825,000 New Yorkers. These companies let people obtain a car insurance quote using an online tool; some also provided password-protected tools to insurance agents to generate quotes for customers. The investigation found that data thieves were able to exploit a “pre-fill” function in the companies’ online quoting tools.


Electronic identification services fine: In Finland, the Data Protection Ombudsman has imposed an 865,000 euro fine on Aktia Bank for neglecting information security in its electronic identification service. Due to a short-term disruption, some people who logged into various services with Aktia’s bank codes had access to other customers’ highly personal information, as the service mixed up the identification of people. The regulator found that the bank had shortcomings in the planning, implementation and testing of a technical change made to the service.

Patient data breaches

Polish regulator UODO imposed an approximately 10,000 euro fine on Gyncentrum for failing to report a personal data breach. A medical centre specialising in infertility treatment, among other things, sent a communication, the subject line of which indicated the name of a genetic test, to another person, also a patient of the centre (with the same name). The document contained personal data: first name, last name, bank account number, and address. It also included the transfer amount and the name of the test performed, revealing that it was part of an extensive prenatal diagnostic program. The patient herself learned of the incident from another patient at the centre. 

In Guernsey, the Medical Specialist Group (MSG) was also fined 100,000 pounds following a cyber-attack. In 2021, the MSG became aware of a personal data breach after it received suspicious emails indicating that its email server had been accessed by cybercriminals. Unpatched vulnerabilities in that server enabled the criminals to access and steal e-mails stored on it, some of which contained sensitive patient health data. These e-mails were subsequently used to facilitate multiple phishing campaigns targeting MSG patients over a series of months. The MSG notified the regulator of the breach. The inquiry found that the company routinely failed to install security updates to its e-mail server over the course of 13 months, including updates directly related to the vulnerability exploited in the breach and other critical vulnerabilities.

California privacy violations

California’s Attorney General secured a settlement with Sling TV, a streaming service, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to provide an easy-to-use method for consumers to stop the sale of their personal information and by failing to provide sufficient privacy protections for children. Sling TV is an internet-based live TV service that offers both a paid subscription and a free, ad-supported streaming service. Unlike traditional television, where advertising is based on the content of the programming, Sling TV uses its internet-based platform to deliver highly targeted advertising, using detailed consumer data such as age, gender, location, and income to personalise ads for viewers, often without their awareness.   

In case you missed it

Digital health care: Privacy International suggests that a Digital Health Technology Assessment (dHTA) is needed to make sure that tools developed by the private sector and relied on by public healthcare providers do not harm people and their rights. The Health Technology Assessment (HTA) is a longstanding practice that is used to assess the effectiveness and safety of technological innovations before they can be used in the diagnosis, treatment, management and prevention of health problems.

Thus, there is an overwhelming need for clear and specific rules that engage with the specific needs and challenges of new and emerging practices.

Multi-party computation: An EDPS blog article states that across sectors from health research to financial systems, data sharing continues to drive innovation, yet it also intensifies privacy and compliance challenges, making the balance between access to data and confidentiality increasingly difficult. Secure multi-party computation (SMPC) proposes a way to reconcile these seemingly conflicting goals – enabling organisations to jointly compute insights without revealing their underlying data. Under SMPC, multiple parties can work together to compute a result from their private data without ever exposing that data to one another. Unlike traditional encryption, which protects data only while it’s stored or transmitted, SMPC ensures confidentiality throughout the computation process itself for:

  • hospitals improving disease prediction models using patient data,
  • banks detecting cross-border fraud patterns,
  • governments analysing the impact of social policies.

From a legal perspective, SMPC challenges traditional interpretations of privacy law. Frameworks like the GDPR were not designed with cooperative computation in mind; SMPC deployments must therefore be embedded within transparent governance frameworks and ethical oversight.
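As an added example (not from the EDPS article or the TechGDPR digest), the following shows the simplest SMPC building block, additive secret sharing, so the “compute a result without exposing the inputs” claim above can be seen in working code. Three parties, standing in for the hospitals or banks listed above, learn only the total of their private counts: each input is split into random shares that sum to it modulo a prime, every party publishes just the sum of the shares it holds, and the total is reconstructed from those partial sums. The prime, the party count and the sample inputs are this example’s assumptions, and a real deployment would additionally need authenticated private channels between parties and protection against parties that deviate from the protocol.

```python
"""Added example (not the EDPS's or TechGDPR's code): additive secret sharing,
the basic secure multi-party computation primitive. Parties, prime and
sample inputs are constructed for this illustration."""
import random
from typing import List, Optional, Tuple

P = 2**61 - 1  # Mersenne prime; every share and partial sum lives in Z_P


def split_secret(secret: int, n: int, rng: random.Random) -> List[int]:
    """Split `secret` into n shares that sum to it mod P. Any n-1 of the
    shares are uniformly random, so they reveal nothing about `secret`."""
    shares = [rng.randrange(P) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares


def reconstruct(shares: List[int]) -> int:
    """Only meaningful when ALL shares of a value are present."""
    return sum(shares) % P


def run_protocol(inputs: List[int], rng: Optional[random.Random] = None
                 ) -> Tuple[int, List[List[int]], List[int]]:
    """Round 1: party i sends share j of its input to party j over a
    private channel. Round 2: every party publishes only the sum of the
    shares it received. Returns (total, each party's inbox, published sums)."""
    rng = rng or random.SystemRandom()
    n = len(inputs)
    if any(x < 0 or x >= P for x in inputs):
        raise ValueError("inputs must be integers in [0, P)")
    inbox: List[List[int]] = [[] for _ in range(n)]
    for x in inputs:
        for j, s in enumerate(split_secret(x, n, rng)):
            inbox[j].append(s)  # party j never sees the other n-1 shares of x
    partial_sums = [sum(box) % P for box in inbox]  # the only values revealed
    return reconstruct(partial_sums), inbox, partial_sums


def mpc_sum(inputs: List[int], rng: Optional[random.Random] = None) -> int:
    """Total of the inputs, computed without any party seeing another's value."""
    return run_protocol(inputs, rng)[0]


if __name__ == "__main__":
    # Constructed sample: monthly case counts held by three hospitals.
    counts = [120, 45, 310]
    total, inboxes, published = run_protocol(counts, random.Random(7))
    print("total:", total)                   # 475
    print("what hospital 0 receives:", inboxes[0])  # three random-looking shares
    print("what everyone sees:", published)  # partial sums only
```

The inbox of any single party is a list of uniformly random field elements, which is why it learns nothing about the other inputs; what leaks is exactly the function output, the total, and nothing else. That is also the caveat: if the output itself is revealing (a sum over two parties lets each deduce the other’s input), SMPC alone does not help, and output-side techniques such as differential privacy are needed on top.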

The post Data protection digest 19 Oct – 2 Nov 2025: New AI Act and GDPR study & personal data stored on Blockchain appeared first on TechGDPR.

Data protection digest 5-19 Jul 2024: LLMs and personal data, social media monitoring, differential privacy
https://techgdpr.com/blog/data-protection-digest-22072024-llms-and-personal-data-social-media-monitoring-differential-privacy/
Mon, 22 Jul 2024 10:16:09 +0000
In this issue we highlight SOCMINT as a new standardised procedure, data processing in LLMs and supported AI systems, an updated standard data protection model, third-party tracking technologies in health and care, and much more.


LLMs and personal data

The Hamburg Data Protection Commissioner discusses whether Large Language Models store personal data. The paper distinguishes between an LLM as an AI model (eg, GPT-4) and as a component of an AI system (eg, ChatGPT). The mere storage of an LLM does not constitute processing; thus, data subject rights cannot relate to the model itself. Claims for information, deletion or correction can instead relate to the input and output of an AI system of the responsible provider or operator.

To the extent that personal data is processed in an LLM-supported AI system, the processing operations must comply with the requirements of the GDPR. This applies in particular to the output of such a system. Similarly, any training that may violate data protection regulations does not affect the legality of using such a model in an AI system. See the full discussion paper here.

The most recent clarifications by the French CNIL on the deployment of Generative AI systems and the official EU AI Compliance Checker might be useful for your organisation. The latter also recommends that you obtain expert legal advice before using AI solutions.

Privacy notice

The UK Information Commissioner encourages people to check how an app plans to use their personal information before they sign up. It is far too easy to just click “agree” when installing a new app. But signing up often involves handing over large amounts of your sensitive personal information, especially with apps that support our health. An organisation that values your privacy will make its privacy notice easy to understand and set out how it will use your personal information, with whom it will be shared, what are the security measures, and whether your data will be deleted when you stop using it. 

CCTV

The operation of CCTV in gym facilities, on the one hand, should aim to ensure the protection of the facilities in question while on the other hand, it should respect the right of customers and employees to protect their privacy, reiterates the Cyprus data protection authority. CCTV can be permitted at a gym entrance/exit, parking space, reception, (only the cashier), and general perimeter of the gym property. 

It is not allowed in the areas where persons exercise, kitchens, restrooms/ changing rooms, and offices. Audio recording is not allowed under any circumstances. Video material must be accessible only from a device which is located within the premises of the gym and to which only the director and/or an authorised person has access. Access to said material, from a personal device and on an ongoing basis, is not permitted. 

More official guidance

EU-US DPF: The EDPB has published the EU-US Data Privacy Framework FAQ for European individuals and businesses: how to benefit from it, how to lodge a complaint and how this complaint should be handled by the EU and US authorities. It also includes what to do before transferring personal data to a DPF-certified company in the US, (data controllers or processors), and self-certification of US subsidiaries of EU/EEA businesses.

DPIA: Industry professionals and interested parties are invited by the Latvian data protection authority DVI to share their thoughts and provide real-world examples of the Data Protection Impact Assessment. It is a procedure by which, through risk inventory, analysis, and evaluation of prospective outcomes, (identifying severity and likelihood), the organisation can identify potential dangers to natural persons that may occur from planned data processing. The DPIA also includes the identification of measures to prevent possible risks. The draft guidance can be read here, (in Latvian).

AI projects sandbox: The Danish data protection authority has selected two AI projects for examination in its sandbox project. One wants to develop an AI insurance assistant for structuring and summarising accident claims (to determine the degree of injury more quickly than today). The other one is a public-private innovation to develop a solution that will ease the documentation burden for employees in health and care.

Social media monitoring

According to Privacy International, social media monitoring, or SOCMINT, is becoming more common and standardised but is still mostly uncontrolled and inconsistent. One of the most vivid examples is fraud investigations by the UK Department for Work and Pensions. Alongside covert surveillance tactics, the department’s staff guide has an entire section on “Open Source Instructions” on the use of publicly available information.

However, such invisible monitoring goes against or beyond individuals’ reasonable expectations and their possibility to anticipate intrusive examination. 

GDPR in practice

The Fundamental Rights Agency recently published the report “GDPR in practice – the experience of data protection authorities”. All the improvement areas directly or indirectly target the availability of human, financial and technical resources. In particular,  underfunded and understaffed authorities are obliged to prioritise complaints handling over other regulatory tasks that the GDPR has entrusted to them – such as promoting awareness and providing advice, undertaking their own investigations and external cooperation. 

SDM 3.0

The German Data Protection Conference published the updated Standard Data Protection Model – a method for data protection advice and testing based on uniform objectives, Data Guidance reports. In particular, the model transfers the legal requirements into technical and organisational measures required by the GDPR, which are detailed in the catalogue of reference measures. The SDM is aimed at both the supervisory authorities and those responsible for processing personal data. 

EHDS

In the next couple of years, patients, healthcare providers, and authorised researchers within the EU will start using the European Health Data Space; a DLA Piper legal blog summarises the standards for the electronic health record systems it relies on. Interoperability and a logging component are two essential parts of the software that makes up such a records system. Further conformity requirements can be read in the original analysis.

More legal updates

Dark patterns: The Canadian Privacy Commissioner, together with other counterparts, conducted a review of over 1000 websites and apps and found that nearly all had at least one deceptive design element that potentially violated privacy requirements. These include complex and confusing language, interface interference, nagging, obstruction, and forced action (tricking users into disclosing more personal information than is necessary to access a service). When two or more deceptive design patterns are used together, they can become more effective.

HBNR: Starting in July, amendments to the US Health Breach Notification Rule went into effect. They make explicit that the rule covers health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). The HBNR requires vendors of personal health records and related entities to notify individuals, the Federal Trade Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to notify such vendors and related entities.

Rhode Island became the nineteenth US state overall and the seventh state in 2024 to enact a comprehensive privacy law, The Future of Privacy Forum sums up. The law will take effect starting in 2026. The law includes familiar terminology and core obligations, such as controller/processor responsibilities, rights of access, correction, deletion, portability, express consent for processing sensitive data, and disclosure requirements, but lacks data minimisation requirements or an obligation for controllers to recognize universal opt-out mechanisms. 


Enforcement decisions

Smart cameras in Turin: The Italian regulator Garante sent a request for information to the Municipality of Turin on a new video surveillance system that, reportedly, would also use AI. It would allow municipal police to understand in real-time whether it is necessary to intervene in an emergency or for safety reasons. The Municipality was given 15 days to clarify the advanced features of the camera, and also send a copy of the technical documentation, and the purposes and legal basis of the processing of personal data.

Personal details on the intranet: The Finnish regulator ruled that a company (a bus operator) did not have the right to publish 300 employees’ personal phone numbers on the intranet. The company argued it is important for drivers to communicate with each other while working. On their work phones they can only call predefined numbers, and sending text messages is blocked. The regulator held that the work number should be the primary means of communication between drivers. In addition, employees’ data may only be processed by persons whose job duties require it, such as supervisors or HR.

Local government data: The UK Information Commissioner issued the London Borough of Hackney council with a reprimand following a cyberattack in 2020 that led to hackers gaining access to and encrypting 440,000 files. The data included residents’ racial or ethnic origin, religious beliefs, sexual orientation, health, economic data, criminal offences, and other data including basic personal identifiers such as addresses. Hackers also deleted 10% of the council’s backups. The systems were disrupted for many months, with some services not back to normal until 2022.

Drugstore visitors’ tracking

The Dutch data protection authority, (AP), has imposed a fine of 600,000 euros on the parent company behind drugstore Kruidvat. The company, (AS Watson BV), tracked millions of visitors of Kruidvat.nl, without their knowledge or permission, and was able to create personal profiles noting which pages they visited, which products they added to their shopping cart and bought, and which recommendations they clicked on.  In the cookie banner on Kruidvat.nl, the boxes to agree to the placement of tracking software were checked by default. Visitors who wanted to refuse them had to go through several steps. 

More data on the use of third-party tracking technologies in the health and care sector can be read here.

Background checks: The province of British Columbia and the Privacy Commissioner of Canada have joined forces to investigate Certn Inc., a business that provides landlords with tenant screening services. They will look at whether Certn complies with the requirements of both the federal Personal Information Protection and Electronic Documents Act and the Personal Information Protection Act of British Columbia, (where the company is based). In particular, it will look at whether the data it gathers, uses, and discloses for tenant screening is sufficiently accurate, complete, and up to date. 

Data security

Differential privacy: The latest US NIST cybersecurity insights discuss protecting trained models in Privacy-Preserving Federated Learning. The techniques must be combined with an approach for output privacy, which limits how much can be learned about individuals in the training data after the model has been trained. 

Differential privacy is the most robust known type of output privacy. To protect against privacy threats, techniques for differentially private machine learning incorporate random ‘noise’ during training, which bounds how much any single training record can influence the final model. Individual training records cannot later be recovered from the model, because the noise prevents the model from memorising details of the training set.
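The paragraph above describes differential privacy only in words; the following added example (not from NIST or TechGDPR) shows the underlying guarantee on the simplest case, a single counting query, rather than on a full federated-learning model. It implements the Laplace mechanism, a function that computes the privacy loss an observer could incur when the output is released from one of two neighbouring datasets (counts differing by one person), and a small budget tracker for the fact that epsilons add up across repeated releases. The epsilon values, the sample counts and the class and function names are this example’s assumptions.

```python
"""Added example (not NIST's or TechGDPR's code): the Laplace mechanism for
a counting query, a privacy-loss check on neighbouring datasets, and a
sequential-composition budget. Epsilons and counts are constructed."""
import math
import random
from typing import Optional


def laplace_sample(scale: float, rng: Optional[random.Random] = None) -> float:
    """Draw from Laplace(0, scale) by inverting its CDF."""
    rng = rng or random.SystemRandom()
    u = rng.uniform(-0.5, 0.5)
    u = max(min(u, 0.5 - 1e-12), -0.5 + 1e-12)  # keep log() argument > 0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(true_count: int, epsilon: float,
             rng: Optional[random.Random] = None, sensitivity: int = 1) -> float:
    """A count moves by at most `sensitivity` when one person's record is
    added or removed, so Laplace noise with scale sensitivity/epsilon makes
    the released value epsilon-differentially private."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return true_count + laplace_sample(sensitivity / epsilon, rng)


def _log_density(x: float, centre: float, scale: float) -> float:
    return -abs(x - centre) / scale - math.log(2.0 * scale)


def privacy_loss(output: float, count_a: int, count_b: int,
                 epsilon: float, sensitivity: int = 1) -> float:
    """Log-ratio of the probability of seeing `output` when the true count
    is count_a versus count_b. For neighbouring datasets (counts differing by
    at most `sensitivity`) differential privacy promises |loss| <= epsilon,
    so an observer cannot tell which dataset produced the output."""
    scale = sensitivity / epsilon
    return _log_density(output, count_a, scale) - _log_density(output, count_b, scale)


class PrivacyBudget:
    """Basic sequential composition: the epsilons of released answers add up,
    so a fixed total must be enforced or repeated queries erode the guarantee."""

    def __init__(self, total_epsilon: float):
        self.total = total_epsilon
        self.spent = 0.0

    def query(self, true_count: int, epsilon: float,
              rng: Optional[random.Random] = None) -> Optional[float]:
        if self.spent + epsilon > self.total + 1e-12:
            return None  # refuse rather than exceed the budget
        self.spent += epsilon
        return dp_count(true_count, epsilon, rng)


if __name__ == "__main__":
    rng = random.Random(1)
    print("noisy count:", dp_count(100, 0.5, rng))
    for out in (99.0, 100.3, 103.5):
        print(out, "privacy loss:", round(privacy_loss(out, 100, 101, 0.5), 3))
    budget = PrivacyBudget(1.0)
    print(budget.query(100, 0.6, rng), budget.query(100, 0.6, rng))  # second is None
```

Two practitioner caveats: the floating-point Laplace sampler above is the textbook version, and naive floating-point implementations are known to leak through the low-order bits of the output, so production systems use hardened samplers; and the `privacy_loss` bound only holds for the declared sensitivity, so a query whose true sensitivity is larger than 1 (a sum of unbounded values, say) gets no guarantee from a scale of 1/epsilon.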

Global IT outage: A Reuters analysis briefly explains the July 2024 outage in which a CrowdStrike software update caused Microsoft Windows systems to crash. Companies such as CrowdStrike provide cloud-managed endpoint security: malware scanning, early warning of possible cyberattacks, and barriers against attackers accessing company networks without authorisation. This time, a conflict between CrowdStrike’s code and the Windows operating system caused affected PCs to crash, and some kept crashing even after being rebooted.

Big Data

LLMs

Chromebooks: The Danish data protection authority has assessed that 52 municipalities are now complying with its order from January to stop passing on the personal data of school children to Google for unauthorised purposes. There have been adaptations to the contract that ensure that personal data will only be processed following the instructions of the municipalities. The Danish regulator has also asked for the EDPB’s opinion on a final assessment of the data processing chain in the municipalities’ use of Google’s products (including maintenance of infrastructure on the supplier’s side).

Oracle reaches a 115 million privacy settlement in the US. The digital files of hundreds of millions of people, reportedly containing where they browsed online, where they did their banking, bought gas, dined out, shopped and used their credit cards, were allegedly sold by Oracle directly to marketers. The company also agreed not to gather in future user-generated information from URLs of previously visited websites, or text that users enter in online forms other than on Oracle’s own websites.

The post Data protection digest 5-19 Jul 2024: LLMs and personal data, social media monitoring, differential privacy appeared first on TechGDPR.

Data protection digest 1 – 15 Nov 2023: AI application must ensure digital self-determination of data subjects https://techgdpr.com/blog/data-protection-digest-17112023-ai-application-must-ensure-digital-self-determination-of-data-subjects/ Fri, 17 Nov 2023 08:25:32 +0000

This issue highlights a couple of analyses that perhaps help to understand the essence of AI and other new technology, to which the GDPR applies, and the urgent need for digital self-determination for its users.

Self-determination and AI

Digital self-determination of a user: The Swiss Federal Data Protection Commissioner FDPIC stresses that the current data protection legislation is directly applicable to AI used in the economic and social life of the country. In particular, the Data Protection Act in force since 1 September is directly applicable to all AI-based data processing. To this end, the FDPIC reminds manufacturers, providers and operators of such applications of the legal obligation to ensure that data subjects have as much digital self-determination as possible when developing new technologies and planning their use:

  • the right to know whether they are talking or writing to a machine;
  • the right to know whether the data they have entered into the system is further processed to improve the machine’s self-learning programs or for other purposes; and
  • the right to object to automated data processing, or to demand that automated individual decisions be checked by a human being.

The law also requires a data protection impact assessment in the event of high risks. On the other hand, the use of large-scale real-time facial recognition or global surveillance and assessment of individuals’ lifestyles, otherwise known as “social scoring”, is prohibited.

Legal processes

The Data Act: On 9 November, the European Parliament adopted the text of the European Data Act. Next, it must be approved by the Council. The act makes more data available for use and sets up rules on who can use and access what data for which purposes across all economic sectors in the EU. This law applies to:

  • the manufacturers, suppliers and users of products and related services placed on the market in the Union;
  • data holders that make data available to data recipients in the Union;
  • data recipients in the Union to whom data are made available;
  • public sector bodies that request data holders to make it available for the performance of a task carried out in the public interest and the data holders that provide data in response to such a request;
  • providers of data processing services offering such services to customers in the Union.

According to the updated text, to promote the interoperability of tools for the automated execution of data-sharing agreements, it is necessary to lay down essential requirements for smart contracts which professionals create for others or integrate into applications.

FISA 702: Meanwhile, the US Congress unveils the Government Surveillance Reform Act. The bill reauthorizes Section 702 of the Foreign Intelligence Surveillance Act for four more years, allowing intelligence agencies to continue to use the powers granted by that law, but with new protections against documented abuses and new accountability measures. For instance, it prevents warrantless searches, ensures foreigners are not targeted for spying on Americans they communicate with and prevents the collection of domestic communications. It also includes a host of reforms to government surveillance authorities beyond Section 702, including requiring warrants for government purchases of private data from data brokers.

EDPB documents

Tracking tools: The EDPB addresses the applicability of Art. 5(3) of the ePrivacy Directive to different tracking solutions. The advent of new tracking technologies, both to replace existing tracking tools (due to the discontinuation of third-party cookie support) and to generate new business models, has emerged as a key data protection problem. The recommendations define four main elements: “information,” “terminal equipment of a subscriber or user,” “gaining access,” and “stored information and storage.” A partial list of use cases includes a) URL and pixel tracking, b) local processing, c) IP-only tracking, d) intermittent and mediated IoT reporting, and e) unique identifiers.

Official guidance

Synthetic data: Synthetic data could function as a privacy-enhancing technology (PET), as it allows the application of data protection by design. The synthesis can be performed using sequence modelling, simulated data, decision trees or deep learning algorithms. Creating synthetic data from real personal data would itself be a processing activity subject to the GDPR. It is therefore necessary to consider the regulatory provisions, in particular the principle of proactive responsibility and the assessment of a possible re-identification risk. In some cases, data sets may be too complex to obtain a correct understanding of their structure, or it may be difficult to mimic outliers in the real data, undermining the analytical value for specific use cases. In such situations, alternative or complementary PETs should be used, such as anonymisation and pseudonymisation.

Health apps: German data protection body DSK has published a position paper on cloud-based health applications (in German). Since 2020, the Digital Health Applications Ordinance has regulated certain digital health applications to ensure the legal requirements for data protection and data security. However, several other health applications are not covered by these regulations. Thus, the following must be taken into account when using a wide range of health apps: 

  • Data processing roles must be clearly defined in each case. Manufacturers, doctors and other medical service providers as well as cloud services come into consideration. 
  • The application should be usable with a privacy-friendly design, i.e. without the cloud functions and possibly without linking to a user account.
  • The app manufacturers or operators must fulfil the rights of data subjects to information, correction, deletion, restriction of processing and data portability.
  • The processing must be limited to the necessary extent, and be compatible with the purpose of the application. 
  • A data protection legal basis is required for the use of personal data for research purposes.

More from supervisory authorities

Chatbots: The data protection authority of Liechtenstein explains the essence of chatbots – software-based dialogue systems that enable text- or voice-based communication. From a technical perspective, there are different types of chatbots, ranging from simple rule-based systems to artificial intelligence (AI) systems. European data protection authorities are currently dealing with the issue of whether AI-based solutions meet the requirements of data protection law. At the same time, chatbot systems are often offered as cloud services, where GDPR rules will always apply (legal basis, information obligation, handling of cookies, storage of chatbot data, processing of sensitive data, and data reuse).

Similarly, the Hamburg Data Protection Commissioner offers a checklist for the use of LLM-based chatbots (in English). Recommended steps include internal regulations for employees, involvement of a data protection officer, creation of an organisation-owned account, and no transmission of any personal data to the AI. Overall, the results of a chatbot request should be treated with caution. You can also reject the use of your data for training purposes, and opt out of saving previous entries.

Explainable AI: A transparent AI system provides insight into how AI systems process data and arrive at their conclusions, giving an understanding of the “reasoning” that led to the conclusions/decisions, explains the EDPS. Greater accountability will lead to a better assessment of the risks that data controllers need to carry out. At the same time, many efforts to improve the explainability of AI systems lead to explanations that are primarily tailored to the AI researchers themselves, rather than effectively addressing the needs of the intended users. Read the deep dive into the risks of opaque AI systems here.

Enforcement decisions

Simplified procedures: The French privacy regulator CNIL has issued ten new decisions under its simplified sanction procedure, introduced in 2022. Some cases focus on geolocation and continuous video surveillance of employees. The CNIL pointed out that the continuous recording of geolocation data, with no possibility for employees to stop or suspend the system during break times, is an excessive infringement of employees’ right to privacy unless there is special justification. Similarly, the prevention of accidents in the workplace does not justify the implementation of continuous video surveillance of workstations, which is neither appropriate nor relevant to that purpose.

Telemarketing: The Italian data protection authority has imposed a fine of 70,000 euros on a coffee-producing company for promoting its brand through unwanted phone calls. Furthermore, the purchase order was considered as proof of consent to marketing. Users’ data was acquired in various ways: through the form on the website, through word of mouth from customers, and through contact lists collected by third-party companies, without having acquired the consent of the users. The company will now have to delete data acquired illicitly and activate suitable control measures so that the processing of users’ data occurs in compliance with privacy legislation throughout the entire supply chain.

Similarly, the Czech data protection authority imposed a fine of approx. 326,000 euros for sending commercial communications on behalf of third parties. Since 2015, a transport company had distributed commercial messages for the benefit of third parties to the email addresses of its customers, without obtaining the prior consent of the recipients, and without any possibility of rejecting these commercial communications. It should be emphasised that the company did not offer its own products or services in these messages, so it was not entitled to use the so-called “customer exception” (which allows offering similar products or services to existing customers).

Data breaches

Processor’s obligations: The Danish Data Protection Authority has expressed criticism in a case where a data processor, Mindworking, had not ensured adequate security when developing a web application targeted at real estate agents. In particular, it was not secured against unauthorised persons inspecting the source code and thus being able to access personal data on the platform (linked to a specific property that was for sale). The information could be accessed by users after they had logged in with a username and password: the user could reach it by pressing a function key and activating the browser’s so-called “Dev tools”. The regulator concluded that the data processor should have carried out relevant tests of the platform before commissioning it (Art. 32 of the GDPR).
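The failure pattern described above, as an added example that is not the platform’s own code: a server that serialises the whole property record into the page and leaves it to client-side script to hide the seller’s details, beside a hardened handler that filters fields server-side, plus the kind of pre-release check the regulator says should have been run. The listing record, roles and field names are constructed for the example.

```python
import json
from typing import Dict, Set

# Constructed sample listing; every value here is made up for illustration.
LISTING: Dict[str, object] = {
    "listing_id": "PROP-0042",
    "agency_id": "AG-7",
    "address": "Examplegade 3, 8000 Aarhus C",
    "asking_price_dkk": 2950000,
    "seller_name": "Jane Sample",
    "seller_phone": "+45 00 00 00 00",
    "seller_email": "jane.sample@example.invalid",
}

# Fields that identify the seller: they must never reach a user who is not
# entitled to them, whatever the front-end script later chooses to display.
SELLER_FIELDS: Set[str] = {"seller_name", "seller_phone", "seller_email"}
PUBLIC_FIELDS: Set[str] = {"listing_id", "address", "asking_price_dkk"}


def is_assigned_agent(user: Dict[str, str], listing: Dict[str, object]) -> bool:
    """Hypothetical authorisation rule: only agents of the listing's agency see the seller."""
    return user["role"] == "agent" and user["agency_id"] == listing["agency_id"]


def page_state_insecure(user: Dict[str, str], listing: Dict[str, object]) -> str:
    """Anti-pattern: the full record is embedded in the page and a client-side
    script decides which fields to show based on `role`. Any logged-in user can
    read the seller's details in Dev tools or view-source, as in the case above."""
    return json.dumps({"role": user["role"], "listing": listing})


def page_state_hardened(user: Dict[str, str], listing: Dict[str, object]) -> str:
    """Server-side filtering: the response only ever contains the fields this
    user is entitled to, so there is nothing sensitive left to find in the source."""
    allowed = (PUBLIC_FIELDS | SELLER_FIELDS) if is_assigned_agent(user, listing) else PUBLIC_FIELDS
    filtered = {k: v for k, v in listing.items() if k in allowed}
    return json.dumps({"role": user["role"], "listing": filtered})


def leaked_seller_values(page_state: str, listing: Dict[str, object]) -> Set[str]:
    """Pre-release check in the spirit of Art. 32 testing: scan everything the
    server sends for the seller's actual values, not just the field names,
    since renaming a key would not make the data any less exposed."""
    return {f for f in SELLER_FIELDS if str(listing[f]) in page_state}


if __name__ == "__main__":
    buyer = {"role": "buyer", "agency_id": ""}
    print("insecure page leaks:", leaked_seller_values(page_state_insecure(buyer, LISTING), LISTING))
    print("hardened page leaks:", leaked_seller_values(page_state_hardened(buyer, LISTING), LISTING))
```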

Data security

Data breach: Finland’s data protection authority reminds organisations that they must assess the seriousness of a data security breach from the point of view of the data subjects. As a rule, the data controller must notify the authority within 72 hours if the breach may cause a risk to the rights and freedoms of natural persons, even if not all the information about the incident is yet clear. The controller must therefore accurately assess the seriousness of the possible effects on the data subjects affected by the violation; the point is to assess the effects on the data subjects, not the consequences for the controller. Data subjects must also be notified of a high-risk situation without undue delay, even if the high risk is eliminated by measures taken after the breach.

Password dilemma: Almost everyone uses bad passwords, often unconsciously, states the Dutch data protection authority. The standard password requirements of 8 characters with enforced punctuation and numbers encourage this: they lead to short passwords full of human patterns. People are also very predictable when they try to use long passwords. Instead of something completely random, they quickly choose a year, their favourite sports team or another simple adjustment, such as starting with a capital letter. It is therefore recommended to use long passwords that are so random that an attacker must try all options to recover the password, which makes such attacks slower and hence less profitable.

Big Data

DSA and minors’ safety: The European Commission has sent Meta and Snap requests for information under the Digital Services Act, following their designation as Very Large Online Platforms. Companies have until 1 December to provide more information on risk assessments and mitigation measures to protect minors online, in particular about the risks to mental health and physical health, and on the use of their services by minors. Under Art. 74 of the DSA, the Commission can impose fines for incorrect, incomplete, or misleading information in response to a request for information. 

Medical research data reuse: Sensitive health information donated for medical research by half a million UK citizens has been allegedly shared with insurance companies for years according to The Guardian. An investigation found that data was provided to insurance consultancy and tech firms for projects to create digital tools that help insurers predict a person’s risk of getting a chronic disease. UK Biobank, set up in 2002 and described as a ‘crown jewel’ of British science, claims that it only allows access to bona fide researchers for health-related projects in the public interest, whether employed by academic, charitable, or commercial organisations and that participants were promptly informed. Read the full analysis here.

Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown https://techgdpr.com/blog/data-protection-digest-04042023-dismissed-fine-cybersecurity-tools-chatgpt-clampdown/ Tue, 04 Apr 2023 08:50:03 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Court-dismissed fine: A multimillion-euro fine imposed by the Spanish privacy regulator has been overturned by a court decision, according to a publication by the Clifford Chance law firm. The AEPD fined Banco Bilbao Vizcaya Argentaria 5 million euros in 2020, the first of many hefty fines for GDPR violations in the country’s corporate sector. In that case, the AEPD had received several complaints about commercial communications. Ultimately, it found that BBVA’s privacy policy, which was applicable to all of its clients and to processing other than the sending of marketing communications, violated the duty of information, and occasionally misused consent and legitimate interest as the basis for processing. However, the decision and fine concerning BBVA’s privacy policy were completely at odds with the initial complaints, and the court found that the AEPD had broken the procedural rules for sanctions.

EU Health Data Space: EU legislators are actively working on safeguards for the upcoming European Health Data Space. This includes promoting patients’ understanding and control of their personal health data. The latest amendments look at the main characteristics of electronic health data categories: patient summary, electronic prescription, electronic dispensation, medical image and image report, laboratory result, and discharge report. Under the Commission’s proposal, researchers, companies, and institutions will require a permit from a health data access body, to be set up in all member states. Access will only be granted to use de-identified data for approved research projects, which will be carried out in closed, secure environments, as a Sciencebusiness.com publication sums up.

Iowa privacy legislation: Iowa enacted its new comprehensive privacy law, making it the sixth US state to do so after California, Virginia, Colorado, Utah, and Connecticut. It will take effect in 2025. Anyone conducting business in Iowa or creating goods or services marketed toward Iowans is subject to the law if they either process at least 100,000 consumers’ personal data, or process 25,000 consumers’ personal data and generate more than 50% of gross revenue from the sale of it. The law does not apply to financial institutions, nonprofit organizations, institutions of higher education, information bearing on consumers’ creditworthiness, various research data, protected health information, and more.

Utah minors protection: Utah enacted two laws to limit children’s access to social media, making it the first US state to demand parental consent before children can use Instagram and TikTok. It also makes suing social media companies for damages simpler. To date, US lawmakers have had difficulty enacting stricter federal laws governing online child safety. Under Section 230 of the US Communications Decency Act, media service providers are largely shielded from liability for the content they provide. 

Online service providers are also not required by federal statutes to use a particular method of age verification. Because of this, some have minimum age restrictions and ask users to enter their birthdate or age before granting access to the content. These restrictions are typically stated in the terms of service. According to Utah legislation, all users must submit age verification before creating a social media account. Minors under the age of 18 must have parental or guardian consent. 

Official guidance

AI white paper: Principles including safety, transparency, fairness, contestability, and redress will guide the use of AI in the UK, as part of a new pro-innovation national blueprint. Reportedly, Britain has more businesses offering AI goods and services than any other European nation, and hundreds more are being founded annually. Regulators pledge to provide organisations with advice over the coming year, as well as other resources like risk assessment templates. Currently, there is no deadline envisaged in the UK for passing AI legislation. Meanwhile, the EU AI Act, which takes a more risk-based approach and is being discussed by parliamentarians, can reasonably be expected this year.

Data protection by default: UK privacy regulator the ICO published resources to help UX designers, product managers, and software engineers embed privacy by default. The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch when designing websites, apps, or other technology products and services. The ICO has also published videos with experts, technologists, and designers. 

Employment guide: The Danish data protection authority’s guidance on data protection in employment relationships has been revised (in Danish only). The update covers the acquisition of criminal records and references. The regulator also clarified an employer’s obligation to disclose information, trade union processing activities, employee monitoring needs, the use of IQ and personality tests, and more. In parallel, the Lithuanian regulator is preparing similar guidance for employees, business, and the public sector (in Lithuanian only).

Joint controllers: What is the difference between joint and independent data controllers? Joint controllers exist when the entities involved in processing perform it for the same or common purposes. Joint controllership can be established even when the entities pursue purposes that are only closely related or complementary, explains the Slovenian data protection authority. Purposes and means of processing are not always the same for all joint controllers but must be mutually determined via an agreement; they can also be defined by law. Joint controllers are then jointly and severally liable for damages.

Suspected data breach: Pursuant to the GDPR, in the event of a personal data breach that is likely to cause a high risk to the rights and freedoms of individuals, the data controller must notify the data subject without undue delay. However, notification is not mandatory if any of the conditions stipulated in Art. 34(3) of the GDPR are met. Regardless of the above, in the case of a suspected breach (eg, unauthorised disclosure of a large amount of personal data), you have the right to request information from the data controller (if they processed your data) as to whether your personal data is included in the incident, concludes the Croatian data protection agency.

Enforcement decisions

ChatGPT ban: The Italian supervisory authority Garante has clamped down on ChatGPT. The limitation of the processing of Italian users’ data by OpenAI, the US company that developed and manages the platform, is temporary until it establishes privacy procedures. ChatGPT suffered a data breach on March 20 concerning user conversations and payment information for subscribers to the paid service. Garante noted the lack of information to users and all interested parties whose data is collected by OpenAI, but above all the absence of a legal basis that justified the collection and storage of personal data in order to train the algorithms. 

Additionally, as evidenced by the checks carried out, the information provided by ChatGPT does not always correspond to the real data, thus establishing inaccurate processing of personal data. Finally, the service is aimed at people over 13 but does not use any filter for verifying the age of users and exposes minors to answers that are absolutely inappropriate with respect to their degree of development and self-awareness. OpenAI, which does not have an office in the EU but has appointed a representative in the European Economic Area, must communicate within 20 days on the measures taken.

Wrongful copy: The Greek data protection authority looked into a complaint from a Vodafone subscriber who, after requesting access to her recorded conversations with the Vodafone call centre, received a CD containing the conversations of another person. Although Vodafone was immediately notified by the complainant, it did not take any investigative steps to confirm the incident, but initially contented itself with the processor’s response that it could not locate the complainant on the phone. It subsequently contacted her to return the CD. Vodafone was ordered to send the correct file and was fined 40,000 euros (Art. 15 and Art. 33 of the GDPR).

Email correspondence: Employees’ right to privacy is not overridden by a legitimate interest in processing personal data for legal defence. The Italian privacy authority fined a company that continued to use an employee’s email account after they had left the firm, viewing the content and setting up forwarding to a company employee. The former collaborator had gathered references from potential clients they had met at a fair. The company claimed that a legal dispute resulted from the collaborator’s attempt to get in touch with them. Fearing the loss of relationships with potential customers, the company had not only written to them to explain that the person had been removed, but had also viewed the communications.

GPS monitoring: Tehnoplus Industry in Romania was fined for a GPS system installed on a company car without the employee having been informed, and without other, less intrusive methods of achieving the purpose of processing (monitoring the service vehicle) having been exhausted first. Tehnoplus Industry excessively processed the location data of the complainant even outside working hours. The purpose and legal basis of this processing, as well as the excessive storage period of the data collected (beyond the established 30-day limit), were also found unlawful.

In parallel, the French privacy regulator imposed a fine on Cityscoot for geolocating customers almost permanently, in breach of the data minimisation principle. During the rental of a scooter by an individual, the company collected the geolocation of the vehicle every 30 seconds. In addition, the company kept the history of these trips. None of the stated purposes of the processing (handling traffic offences, handling customer complaints, user support, and theft management) could justify the monitoring, and each could have been achieved without constant tracking.

Data security

Cybersecurity tools: The French regulator CNIL has updated its guidance on the security of personal data (in French). It supports professional actors processing personal data by recalling the basic precautions to be implemented. Seventeen fact sheets cover the latest recommendations on authenticating users, tracing operations and managing incidents, securing the workplace, guiding IT development, securing exchanges with other organisations, encryption, and much more.

The European Union Agency for Cybersecurity has also released a tool to help small and medium-sized enterprises assess their level of cybersecurity maturity. The tool contributes to the implementation of the updated Network and Information Security (NIS2) Directive. The majority of SMEs are excluded from the scope of the Directive due to their size, and this work provides easily accessible guidance and assistance for their specific needs.

Similarly, the UK National Cyber Security Centre launches two new services to help small organisations stay safe online:

  • The Cyber Action Plan can be completed online in under 5 minutes and results in tailored advice for businesses on how they can improve their cyber security.
  • Check your Cyber Security – which is accessible via the Action Plan – can be used by any small organisation including schools and charities and enables non-tech users to identify and fix cyber security issues within their businesses.

Mobile threat defense: America’s NIST investigates mobile threat defense (MTD) applications that provide real-time information about a device’s risk level. Like any other app, an MTD app is installed on a device by the user. The app then detects undesirable activity and alerts users so they can stop or minimise the harm. For instance, it alerts users when it is time to update their operating system, and users can receive alerts when someone is eavesdropping on their internet connection. However, without being integrated with a mobile device management system, MTD applications are only marginally effective in an enterprise environment.

Big Tech

Child care apps: In the US, childcare facilities are using technology more and more, reports edsurge.com, which tells the story of a parent who signed her child up for child care. She wasn’t expecting to have to download an app to participate, and when that app began to send her photos of her child, she had some additional questions. Laws like the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act don’t apply in these circumstances, so parents will need to conduct some independent research. The other aspect is that cameras have the potential to make teachers and other classroom employees anxious or otherwise not themselves, she says. They may feel that administrators or parents don’t trust them, which makes them avoid some activities like dancing.

You are (not) hired: Reportedly, a third of Australian companies rely on artificial intelligence to help them hire the right person, while there are no laws specifically governing AI recruitment tools. Applicants are often unaware that they will be subjected to an automated process, or if they are aware, on what basis they will be assessed. For instance, the AI might conclude that you lack good communication skills if you don’t use standard English grammar, or you might have cultural traits that the system does not recognise because it was trained on native speakers. Another concern is how physical disability is accounted for in something like a chat or video interview. Read more analysis by the Guardian in the original publication.

Vehicle data: Because data ownership remains undefined under EU law, the Commission’s proposed Data Act for fair access to such information, particularly in the vehicle sector, appears to have hit problems. Legislative proposals were expected to regulate a connected car sector estimated to be worth more than 400 billion euros by the end of the decade. Now car services groups warn that very few big players are able to access this data, skewing the market, Reuters reports.

The post Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown appeared first on TechGDPR.

]]>
Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban https://techgdpr.com/blog/data-protection-digest-20022023-synthetic-data-for-fintech-excel-guide-palantir-technology-ban/ Mon, 20 Feb 2023 09:30:09 +0000 https://s8.tgin.eu/?p=6362 TechGDPR’s review of international data-related stories from press and analytical reports. Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals The UK Financial Conduct Authority, (FCA), issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case […]

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals

The UK Financial Conduct Authority, (FCA), issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case for synthetic data, in part due to its ability to augment rare patterns of behavior in a dataset. Whilst the data protection legislation places conditions on such data processing, the FCA emphasizes that data sharing between different entities, (eg, access to the real datasets, as well as synthetic transactional datasets with embedded fraud typologies), is possible under the current regulatory framework if at least one lawful basis is met, accompanied by built-in privacy by design, data protection impact assessments, data sharing agreements, and other legal requirements.

The European Parliament adopted the draft Data Act – new rules for fair access and use of industrial data. It would contribute to the development of new services, in particular in the sector of AI where huge amounts of data are needed for algorithm training. It can also lead to better prices for after-sales services and repairs of connected devices. When companies draft their data-sharing contracts, the law will rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies that are in a significantly stronger bargaining position. Finally, the proposed act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers.

The CJEU rendered two decisions regarding the procedures for dismissing data protection officers and their potential conflicts of interest, (under the German Federal Data Protection Law), insideprivacy.com reports. In the relevant cases, the DPO also handled other organisational duties in a professional capacity. The data controllers argued that since those positions were incompatible, (chair of the work council in one of the cases), the DPO’s dismissal was appropriate. The former DPO started a legal action which ended up in the EU top court. 

However, the CJEU determined that as long as the national laws do not undermine the goals set for DPOs under the GDPR, EU member states may require that DPOs be dismissed for “just cause”. It is also for the national courts to decide whether a conflict of interest existed taking into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in light of all the applicable rules, including any policies of the controller or its processor.”

Official guidance: MS Excel, research projects, free data protection tool, game developers

Bavaria’s data protection authority explains how to avoid data breaches when using Microsoft Excel. Many users approach the program intuitively; contrary to its primary purpose, Excel is often used simply because Word does not offer enough columns. However, if a workbook contains personal data, improper handling of the application can easily trigger a data breach. Excel workbooks can contain multiple worksheets, (the number is limited only by the available memory), even if you do not regularly work with such “multi-sheet” workbooks yourself. Be especially careful with Excel files created by others: workbooks can contain hidden worksheets, columns, rows or even individual cells, as well as comments and metadata. It is worth remembering:

  • before sharing an Excel workbook containing personal data, especially before attaching it to an email, make sure that you really want to share everything it contains;
  • consider whether the recipient needs to process the file further; if not, send a PDF version, which can be checked for hidden data before sending;
  • if possible, consistently delete worksheets that are no longer required;
  • before creating a new workbook with multiple worksheets, consider whether the task can be completed with several single-sheet workbooks;
  • consider whether you need Excel at all, or whether a “simpler” tool, (eg, a word processor), will suffice.

If not careful, an Excel data breach can trigger the reporting obligation under Art. 33 of the GDPR, and the notification obligation under Art. 34 of the GDPR.
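The hidden-content checks the Bavarian authority recommends can be automated before a workbook leaves the organisation. The following Python script is an added example, not part of the authority’s guidance or the original post: it reads the XML parts inside the .xlsx zip directly with the standard library and exercises itself on a minimal constructed sample workbook (sheet names, cell values and author names are invented; the sample omits the package parts Excel itself needs to open a file).

```python
"""Pre-sharing check for .xlsx workbooks: finds hidden sheets, rows and
columns, cell comments and author metadata that a recipient could recover.
An .xlsx file is a zip of XML parts, so they are read directly; no Excel
or third-party module is needed."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
CORE_NS = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC_NS = "{http://purl.org/dc/elements/1.1/}"


def scan_workbook(data: bytes) -> dict:
    """Return a report of hidden content and metadata found in an .xlsx blob."""
    report = {"hidden_sheets": [], "hidden_rows": [], "hidden_cols": [],
              "comments": 0, "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())

        # Sheet visibility sits on the <sheet> elements of xl/workbook.xml.
        # A "veryHidden" sheet cannot even be unhidden from the Excel menus.
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iter(MAIN_NS + "sheet"):
            if sheet.get("state") in ("hidden", "veryHidden"):
                report["hidden_sheets"].append(sheet.get("name"))

        # Hidden rows and columns carry hidden="1" inside each worksheet part.
        for part in sorted(n for n in names if n.startswith("xl/worksheets/sheet")):
            ws = ET.fromstring(zf.read(part))
            for row in ws.iter(MAIN_NS + "row"):
                if row.get("hidden") in ("1", "true"):
                    report["hidden_rows"].append((part, int(row.get("r", 0))))
            for col in ws.iter(MAIN_NS + "col"):
                if col.get("hidden") in ("1", "true"):
                    report["hidden_cols"].append(
                        (part, int(col.get("min")), int(col.get("max"))))

        # Cell comments are stored in separate xl/commentsN.xml parts.
        for part in (n for n in names if n.startswith("xl/comments")):
            comments = ET.fromstring(zf.read(part))
            report["comments"] += sum(1 for _ in comments.iter(MAIN_NS + "comment"))

        # Author and last-editor names live in docProps/core.xml.
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag, key in ((DC_NS + "creator", "creator"),
                             (CORE_NS + "lastModifiedBy", "lastModifiedBy")):
                element = core.find(tag)
                if element is not None and element.text:
                    report["metadata"][key] = element.text
    return report


def is_safe_to_share(report: dict) -> bool:
    """True only when the workbook carries nothing the recipient cannot see."""
    return not (report["hidden_sheets"] or report["hidden_rows"]
                or report["hidden_cols"] or report["comments"] or report["metadata"])


def build_sample_workbook() -> bytes:
    """Constructed sample: a visible 'Report' sheet, a hidden 'Salaries' sheet,
    one hidden row and column, one comment and invented author metadata. Only
    the parts the scanner reads are written, so this is a test fixture, not a
    file Excel would open."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml":
            f'<workbook {ns}><sheets><sheet name="Report" sheetId="1"/>'
            '<sheet name="Salaries" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml":
            f'<worksheet {ns}><cols><col min="3" max="3" width="0" hidden="1"/></cols>'
            '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
            '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>J. Doe</t></is></c></row>'
            '</sheetData></worksheet>',
        "xl/worksheets/sheet2.xml":
            f'<worksheet {ns}><sheetData><row r="1"><c r="A1"><v>65000</v></c></row>'
            '</sheetData></worksheet>',
        "xl/comments1.xml":
            f'<comments {ns}><authors><author>hr</author></authors><commentList>'
            '<comment ref="A2" authorId="0"><text><r><t>internal only</t></r></text>'
            '</comment></commentList></comments>',
        "docProps/core.xml":
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>a.mueller</dc:creator><cp:lastModifiedBy>hr-team</cp:lastModifiedBy>'
            '</cp:coreProperties>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_workbook(build_sample_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to share:", is_safe_to_share(result))
```

To check a real file, pass `open("workbook.xlsx", "rb").read()` to `scan_workbook()`; anything reported is content the recipient could recover even though it is not visible on the sheet.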

Meanwhile, the Danish data protection authority has amended rules for deleting personal data at the end of research projects. Data controllers may have a legitimate need to process information for a period after the end of the investigation, (eg, for the purposes of peer review or countering accusations of scientific misconduct), so data should not always be deleted, anonymised, destroyed or returned at the end of a research project. Personal data can be transferred for storage in an archive in accordance with the rules in archive legislation. In addition, in some research areas, work is done with ongoing coverage of research fields, and building of relationships or data material, where it is not meaningful to talk about a project being “finished”. 

The Finnish data protection authority is promoting its data protection tool available as open source code to increase the data protection expertise of SMEs. You can familiarise yourself with the tool (in English) here. With the initial level test, the respondent can first check how well they control the basic issues of the data protection regulation. The role-mapping test helps the respondent to define what role the company plays in regard to the processing of personal data. Each role also has its own tests. The source code and content of the data protection tool are for free use, to further develop a company or industry-specific privacy tool or to produce new language versions, or even in commercial applications.

Finally, the UK Information Commissioner’s Office offers new guidance to game developers on protecting minors. The recommendations are based on the experiences and findings during a series of voluntary audits, (eg, on Yubo, Facepunch), of game developers, studios and publishers within the gaming industry: 

  • The age range of the players and the different needs of children at different ages and stages of development should be at the heart of how you design your games. 
  • Designing games to promote meaningful parent/guardian – child interactions, while setting a high level of privacy by default and appropriate parental controls is key.
  • It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing. 
  • It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.
  • Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents, and game providers.

Investigations and enforcement actions: employee emails monitoring, failed data subject requests at a sports center, HBNR and BIPA violations in the US, student data management

In Austria, the data protection authority found an employer’s monitoring of employee emails unlawful. Several complainants argued that the company, without their consent or knowledge, checked the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was a suspected breach of trade secrets. The authority concluded that the measure, which only took place six months after the incident that gave rise to it, was not proportionate given the lack of a temporal connection and of urgency. In addition, there was no valid consent from the works council.

The Norwegian data protection authority confirmed its fine of over 900,000 euros on Sats for breaching several provisions of the GDPR. The complaints related to the company’s failure to comply with clients’ requests for access and deletion. Furthermore, the fitness centre chain lacked a legal basis to process data about customers’ training history. Sats is the Nordic region’s largest fitness centre chain and has its head office in Norway, so the Norwegian regulator dealt with the case in collaboration with other supervisory authorities under the so-called one-stop-shop mechanism.

In the US, the Illinois Supreme Court ruled that fast food chain White Castle System must face claims that it repeatedly scanned the fingerprints of nearly 9,500 employees without their consent, (to access a company computer system), which the company says could cost it more than 17 billion dollars. The Illinois Biometric Information Privacy Act, (BIPA), imposes penalties of 1,000 dollars per violation and 5,000 dollars for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans, and other biometric information from workers and consumers.

Also in the US, the Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification, (HBN), Rule against the telehealth and prescription drug discount provider GoodRx Holdings, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. 

Since 2021, US health apps and smart products that collect or use consumers’ health information must comply with the HBN Rule. It ensures that entities not covered by the Health Insurance Portability and Accountability Act, (HIPAA), face accountability when consumers’ sensitive health information is breached. In the above case, GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with HIPAA.

The French privacy regulator CNIL gave formal notice to two higher education institutions to comply with the GDPR concerning files used for administrative and pedagogical management. Areas of non-compliance include data retention periods, student information, use of subcontractors, and data security:

  • they had not defined a precise retention period for all processing of students’ personal data, nor had they provided for a purge and archiving system;
  • they did not properly inform students about the collection of their data via the various forms filled out during their studies;
  • they were not able to send the CNIL duly signed data processing agreements with their subcontractors;
  • they had no password policy guaranteeing a minimum level of security in this area.

Data security: messaging apps

Privacy International issued a guide on communicating with others via messaging apps. Reportedly, there are two main aspects to consider: a) whether it offers end-to-end encryption that protects the content of your communication; and b) whether it collects any information beyond the content of the message, such as location, who you communicate with, and other details referred to as ‘metadata’. For sensitive conversations, it may be sensible to use disappearing messages if offered by your app, (however, it is unclear whether self-destructing messages are also recoverable by mobile phone extraction technology).

The use of E2EE for messaging should always be preferred over text messages, which are completely unencrypted, meaning they can be easily read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement. For example, Signal uses E2EE not only to encrypt the contents of messages but also to obscure all metadata, even from itself. In contrast, both WhatsApp and Telegram store, and can access, IP addresses, profile photos, “social graphs”, and more.

Big Tech: Palantir technology ban in Germany, more Tik Tok data centers in Europe

A top German court ruled against the use of software developed by Palantir Technologies, saying that police use of automated data analysis to prevent crime in some German states was unconstitutional as it infringes the right to informational self-determination. The US company’s technology has so far been employed, among other things, to investigate the criminal organisation accused of plotting to overthrow the German government in December, Reuters reports. Palantir says it only offers software for processing data. However, the German Society for Civil Rights, which brought the lawsuit, claimed the software used data from innocent people to form suspicions and could produce errors.

TikTok plans to open two more data centers in Europe, (Ireland), hoping to lessen regulatory pressure on the business. Data migration for TikTok users in Europe will start this year and last until 2024. TikTok hasn’t been subject to the same hefty fines as Google and Meta in the EU. Now TikTok is attempting to reassure governments and privacy regulators that users’ personal information cannot be accessed and that its content cannot be altered by the Chinese government or anyone else working for Beijing. 

The company also reported an average of 125 million monthly active users in the EU under the brand-new online content rules known as the Digital Services Act. For comparison, Twitter says it has 100.9 million. Alphabet reports 278.6 million at Google Maps, 274.6 million at Google Play, 332 million at Google Search, 74.9 million at Shopping, and 401.7 million at YouTube. Meta Platforms claims 255 million on Facebook and about 250 million on Instagram.

Data protection & privacy digest 9 – 30 Nov 2022: Microsoft 365 non-compliance, Meta “data scraping” fine, Amazon Prime class action https://techgdpr.com/blog/data-protection-digest-02122022-microsoft-365-non-compliance-meta-data-scraping-fine-amazon-prime-class-action/ Fri, 02 Dec 2022 10:50:44 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: Microsoft Office 365 cloud services, privacy complaints, lead supervisory authority, NIS2 Directive, Australia data breach penalties

The German Data Protection Conference negatively assessed the data processing agreements for Microsoft 365 cloud services against the requirements of Art. 28 of the GDPR. The regulators concluded that “no data protection-compliant use of it is possible”. The assessment is based on the “Data Protection Addendum for Microsoft Products and Services”, including the current updated version. The central and recurring question in the series of talks with Microsoft was in which cases it acts as the processor and in which as the controller:

  • Microsoft does not fully disclose which processing takes place in detail, including subcontracting relationships.
  • In addition, it does not fully explain which processing takes place on behalf of the customer and which for its own purposes.

During the discussions with Microsoft, the working group was not able to achieve any significant improvements in the drafting of the contracts, (eg, making them client-specific and detailed). The regulators were also not able to identify additional protective measures that could render the export of data to the US lawful. Many of the services included in MS 365 require the company to access unencrypted, non-pseudonymised data. You can read the detailed assessment summary in German here.

The Stockholm Administrative Court held that the data protection authority must investigate complaints. This also applies if the authority opened a parallel ex officio investigation into a similar matter and at the same company. In 2019, a data subject filed a complaint in response to Spotify’s answer to an access request with the Austrian authority. The complaint was forwarded to Sweden as the lead supervisory authority for Spotify. After three years of inactivity, the data subject requested a formal decision. 

The EDPB is finalising updated guidelines on identifying a controller’s or processor’s lead supervisory authority. The rule is to determine the location of the controller’s main establishment or single establishment in the EU, (if any), where decisions about the purposes and means of the processing of personal data are taken and where there is the power to have such decisions implemented. However, more than one lead supervisory authority may be identified where a multinational company decides to have separate decision-making centres, in different countries, for different processing activities. The most complicated may be so-called “borderline cases”, when, for example, decisions are taken exclusively outside the EU/EEA.

The EU has approved the Directive on measures for a high common level of cybersecurity across the EU, (NIS2 Directive). Member states will have 21 months from its entry into force to incorporate the provisions into their national law. The act will repeal the current directive, amending the rules on the security of network and information systems of critical public and private sectors. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation.

In parallel, the UK government is introducing a new mandatory reporting obligation on managed service providers to disclose cyber incidents, alongside minimum security requirements which could see fines of up to 17 million pounds. The announcement was made as the government published its response to a public consultation on amending the NIS Regulation after Brexit.

After several major data leaks in Australia, the Parliament has approved a draconian privacy penalty bill. Companies which fail to take adequate care of customer data will face much higher fines – from the current 2.22 million dollars penalty to whichever is the greater of:

  • 50 million dollars;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company’s adjusted turnover in the relevant period.

The bill also provides the Australian Information Commissioner with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers. The higher penalties and new powers will come into effect the day after it receives Royal Assent ahead of an overhaul of the Privacy Act following a comprehensive review by the Attorney-General’s Department, currently being finalised.

Official guidance: EU-US data transfers, BCR-C, transfer risk assessment, trusted processors, Google Fonts, whistleblowing management

The Hamburg Data Protection Commissioner published its observations on the proposed EU-US Data Privacy Framework. The regulator advised that data transfer impact assessments must continue to follow the CJEU’s ruling on lawful EU-US transfers until the proposed framework is finalised. At present, nothing decisive has changed in the legal situation in the USA. Joe Biden’s recent Executive Order provides for a transitional period of up to one year; that is how long the eighteen US intelligence services have to integrate the guarantees provided for in the legal act into their practical work. This applies in particular to the new requirement to restrict data access to a reasonable level. The same applies to the institutional guarantees through the creation of a complaints body and a data protection court. These bodies are still being set up and will not be operational for several months.

The UK Information Commissioner’s Office has updated its guidance on international data transfers. This includes a new transfer risk assessment section and a TRA tool. It gives an initial risk level for categories of data, and transfers that significantly increase the risk of either privacy or other human rights breaches. Earlier this year the UK adopted an International Data Transfer Agreement and Addendum that replaced Standard Contractual Clauses for organisations transferring personal data outside of the UK. 

The EDPB has updated its recommendations on Binding Corporate Rules for Controllers, (BCR-C). Holders are asked to make the changes according to the instructions provided in the document. The GDPR expressly provides for the use of such data transfer policies by a group of undertakings. The BCR approval only covers transfers to third countries or to international organisations; however, groups may design BCR to be used as their global data protection policy. The updated recommendations also bring the existing guidance into line with the requirements of the CJEU’s Schrems II ruling, which invalidated the EU-US Privacy Shield as a basis for data transfers.

The Baden-Wuerttemberg data protection commissioner has presented a Code of Conduct for data processors to create more legal certainty. By committing themselves to the code, processors make it clear to the outside world that they follow its guidelines and submit to monitoring by a body accredited by the regulator. Those interested can find the Trusted Data Processor code of conduct here.

Meanwhile, the Hessen data protection authority issued a warning about the use of Google Fonts. If they are integrated online, the user’s browser loads these fonts when the website is accessed and contacts Google’s servers for this purpose, so user data is transmitted to Google at that point. If personal data is transferred to a third country, such as the US, the requirements for third-country transfers must also be met; if these requirements cannot be met, the transfer is inadmissible. The authority therefore advises self-hosting Google Fonts on your own web server. This applies equally to other font providers.

Who becomes a data controller when outsourcing an internal whistleblower scheme? In various scenarios an external supplier can handle reports from whistleblowers via a) direct contact, b) an IT platform, or c) a combination of both. In the case of direct contact, the supplier has a degree of independence and decision-making, and both parties would act as data controllers, (unless the employer provides very strict instructions to the supplier). However, the supplier can become a processor in relation to the operation, (hosting), of the IT platform, in which case a data processing agreement may be needed.

Enforcement actions: M&A customer data, retention periods, account ownership, consent forms, data brokers, consent layers, misleading and incomprehensible commercial prospecting

The Italian regulator Garante fined the Douglas perfume chain 1.4 million euros for keeping the data of millions of customers for many years. The company was formed in 2019 by incorporating three companies in the sector, and decided to keep the data of almost 3.3 million customers of the previous companies without requesting their consent. The company will have to destroy data dating back more than 10 years and delete or pseudonymise the more recent files, properly secure them, and inform the customers. It will also have to change the settings of the Douglas app, clearly distinguishing the contents of the privacy information. Customers must be allowed to express free and specific consent for the various activities, (marketing by the company, marketing by third parties and profiling).

The French CNIL imposed a fine of 800,000 euros on Discord Inc., also with regard to retention periods and the security of personal data. This US “voice over IP” service offers instant messaging, in which users can create servers and text, voice and video rooms. The company had no written data retention policy: 2.47 million accounts belonged to French users who had not used them for more than three years. Discord’s password policy was not robust, (only six characters including letters and numbers), and when a user logged into a voice room closed the app window by clicking the “X” icon, the app was merely put in the background and the user stayed connected.

The CNIL also sanctioned EDF 600,000 euros for commercial prospecting practices. The standard prospect data collection forms were made available by a data broker. However, EDF was not able to communicate to the CNIL the list of partners receiving the data, whereas such a list must be made available to individuals at the time they give their consent. Finally, the measures put in place by EDF with its data brokers to ensure that consent was validly given were insufficient: at the time of the audits, EDF did not check the consent forms used and did not conduct due diligence on data brokers.

The Spanish AEPD fined online banking service Bankinter 80,000 euros for violating security obligations. The complainant had access to the data of a third party alongside their personal data, whilst accessing their monthly statement on Bankinter’s website. The incident occurred due to an error in managing the ownership of the accounts. The AEPD also fined BBVA 80,000 euros for violating the integrity and confidentiality principle: the claimant had requested a certificate of ownership for their account from the bank, however they received a copy of a third party contract. Moreover, it took BBVA too long to remove the link to the file, so the claimant could not access, download or view the document.

The Danish data protection authority Datatilsynet criticised JP/Politiken’s consent procedure. It gave visitors three options, (Necessary only, Customize Settings and Accept all). From the “first layer” it appeared that JP/Politiken processed personal data for statistical and marketing purposes. In the “second layer”, which the visitor could access by clicking on Customize Settings, the visitor could select preferences for the processing purposes. However, the regulator assessed that visitors who clicked on Accept all did not receive information about all processing purposes.

The Italian competition authority AGCM fined Enel Energia and partner agencies over 5 million euros for unfair commercial practices. Various complainants received misleading messages disseminated by an answering machine and call centre operators, which were intended to induce consumers to sign a contract with Enel Energia. In most cases, the consumers involved had never provided their consent, and some had been contacted despite their telephone numbers being in the Do Not Call register.

The Italian Garante also issued a similar fine against Vodafone. In this case, a woman over 80 was offered a contract read out at a speed of 200 words per minute for 6 minutes, in a so-called “vocal order”, (a contract concluded directly by telephone). The offer was judged to be incomprehensible, even after repeated listening. The fine of 500,000 euros imposed on Vodafone was calculated taking into account the aggravating circumstance of having committed other telemarketing violations in the previous three years.

Data security: public Wi-Fi, World Cup apps, M&A due diligence

Ahead of the festive season, the US NIST reminds consumers about the secure use of public Wi-Fi networks. These are wireless local area networks that are available to the public and do not require a password. Unfortunately, many public Wi-Fi hotspots and access points do not provide encryption, and networks that lack data-in-transit protection are exposed to unauthorised eavesdropping on sensitive information. Employees use public Wi-Fi to work remotely from places such as hotels, airports, and coffee shops, and if information is compromised it may lead to serious harm, financial loss, or reputational damage for an organisation. To mitigate this threat, individuals and enterprises should use secure connections to websites and resources:

  • a virtual private network (VPN) solution can ensure that all communication to and from their applications is encrypted before it leaves the device;
  • websites that use Hypertext Transfer Protocol Secure (HTTPS), which is HTTP transmitted over Transport Layer Security.

Visitors to the World Cup in Qatar are asked to pay close attention to their digital security. Two apps are required to attend the festivities. They are advised to use a telephone that they do not use for anything else. No other personal data, such as telephone numbers, image or sound files should be stored on this device. After using the apps, the operating system and all content on the phone used should be completely deleted.

The Starwood/Marriott data security breach in Canada provides an important signal for parties to M&A transactions and for all organisations that handle personal information. After the two hotel chains merged, Marriott delayed measures to improve the security of the Starwood networks because they were due to be decommissioned. Marriott then discovered a breach of the Starwood network involving unauthorised access to approximately 339 million customer records. The regulator concluded that Marriott failed to perform an ongoing assessment of its security safeguards, in breach of the PIPEDA requirement. Class actions were also commenced against Marriott in Canada and the US.

Big Tech: Meta Ireland “data scraping”, Amazon Prime subscriptions, Voodoo gaming apps, Google location tracking

The Irish data protection commission concluded an inquiry into Meta Platforms Ireland, data controller of the “Facebook” social media network, imposing a 265 million euro fine and a range of corrective measures. The regulator commenced the inquiry after media reports on the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry was an examination and assessment of the data security measures of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. The inquiry process was comprehensive, including cooperation with all of the other data protection supervisory authorities within the EU.

A recent class action filed in Washington alleges that Amazon used dark patterns to make cancelling customers’ Prime subscriptions more difficult. Amazon’s deceptive cancellation interface effectively prevents Prime subscribers from ending their memberships, leads to further subscription fees, and allows the company to continue collecting, retaining, and using the personal data of misdirected subscribers.

The UK ICO published the Age Appropriate Design Code audit report for Voodoo mobile gaming apps. Among high priorities, Voodoo does not have an accurate understanding of the age demographics of the players, (users are asked to confirm that they are 16 or over via a self-declared age-gate). Younger users are not provided with age-appropriate prompts, information messages, or explanations. There has not been a documented assessment of serving a high volume of advertising at minors, and no consent options were provided.

Finally, Google agreed to a 391.5 million settlement in most US states over misleading location tracking practices, the biggest of its kind. The confusion arose around the Location History setting and the extent to which users could limit Google’s location tracking by adjusting their account and device settings, CNN reports. Location data collected by Google could be used to target advertising and build profiles of internet users, or to disclose highly sensitive information to law enforcement.

Data protection & privacy digest 30 Aug – 12 Sep 2022: the US hosting provider in the EU, Google Fonts claims, Children’s Code https://techgdpr.com/blog/data-protection-digest-13092022-us-hosting-subsidiary-in-the-eu-pets-child-privacy/ Tue, 13 Sep 2022 09:40:22 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: US hosting provider in the EU, Google Fonts, IAB Europe, California Age-Appropriate Design Code, new Swiss privacy law

In Germany, a public procurement chamber’s decision banning a hospitals’ digital discharge management system from storing data in Luxembourg was overturned by a higher regional court. Two public hospitals in Baden-Württemberg had agreed to send data to a Luxembourg branch of a US hosting provider. The Karlsruhe court, however, overturned the finding that the use of the services of the Luxembourg subsidiary of a US company would be accompanied by an inadmissible data transfer to a third country: “The latent risk of access by government and private bodies outside the European Union, (here the US), is sufficient for this assumption.” In this case, the specific guarantees offered by one of the bidders to store and process data only in Germany convinced the court that sufficient safeguards would apply. This decision is final.

According to TechnikNews, Google Fonts are presently the subject of a veritable tsunami of GDPR claims in Austria and Germany. Many website owners have received letters and emails from data protection lawyers informing them of data breaches and requesting a “settlement.” Without the customer’s permission, the website operator is said to have “forwarded the client to a business of the US Alphabet Inc.”, (owners of Google). The claims potentially rely on a Munich Regional Court decision that upheld a lawsuit over the “Google Fonts” issue. Google sees it differently, according to its own privacy policy: although a request from the user’s browser to Google takes place, IP addresses are not logged. Furthermore, “the use of the Google Fonts API is not authenticated and the Google Fonts API does not set any cookies or log them.” See the original publication for more technical analysis.

The Belgian Market Court referred the IAB Europe ruling on the Transparency & Consent Framework to the CJEU. In an interim ruling, the court decided to refer preliminary questions to the CJEU on how the concept of data controllership in the GDPR, as it pertains to this ruling, is to be interpreted, and on whether a TC String, (a digital signal containing user preferences), can be considered “personal data” under the GDPR. The referral to the EU top court means a final judgment is unlikely until 2023. IAB Europe disputes the initial decision by the Belgian supervisory authority APD that it acts as a controller for the recording of TC Strings and as a joint controller for the dissemination of TC Strings and other data processing done by TCF vendors under the OpenRTB protocol. It also challenges the APD’s assessments of the validity of the legal bases established by the TCF, which were made in the abstract, without reference to the particular circumstances surrounding the data processing.

California approved its own version of the Age-Appropriate Design Code. If the state governor signs the bipartisan bill, (AB-2273), into law, online services that violate its provisions could face fines as high as 7,500 dollars per affected child. This includes social media, the gaming industry and other online services likely to be accessed by children under age 18. They shall take all of the following actions:

  • complete and implement a DPIA,
  • estimate the age of child users with a reasonable level of certainty, or
  • apply the privacy and data protections afforded to children to all consumers and configure all default settings,
  • provide any privacy information, using language suited for the age group,
  • do not use the child’s data in a way that the business knows, or has reason to know, is materially detrimental to their physical or mental health, or well-being,
  • do not profile a child by default, (unless sufficient safeguards are in place, or it is necessary for the performance of the contract and is in the best interest of the child),
  • do not collect, sell, share, or retain personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, etc.

In Switzerland, a new data protection law will enter into force on 1 September 2023, according to the recent decision of the Federal Council. The one-year grace period leaves sufficient time for the economic community to implement the new law. The revised legislation is adapted to technological advances and strengthens the rights of individuals over their data, as well as transparency about how it is collected. Some private data controllers are relieved of certain obligations relating to the duty to inform when personal data is communicated. The modalities of the right of access are simplified thanks to the removal of the obligation to document the reasons for refusing, restricting or deferring disclosure. The data security requirements are reinforced, (eg, a one-year retention period for data processing logging records), due to critical feedback during the consultation period. Swiss legislators claim the new modernised law guarantees adequate privacy levels and safe cross-border transfers. The EU has recognised Switzerland’s level of data protection since 2000. This recognition is currently being reviewed.

Official guidance: PETs, GDPR implementation, secondary use of health data, decentralised AI, employees’ digital activities, token access, privacy notice

The UK ICO issued draft guidance on Privacy-enhancing technologies, (PETs). These could be software and hardware solutions, methods or knowledge to achieve specific privacy or data protection functionalities or to protect against risks to the privacy of an individual or a group of natural persons. The guide answers questions on:

  • How can PETs help with data protection compliance? (data protection by design and by default, data minimisation, robust anonymisation or pseudonymisation solutions)
  • What are the different types of PETs? (derive or generate data that reduces or removes the identifiability of individuals, hide or shield data, split datasets or control access to certain parts of the data, etc)
  • A detailed description of some PETs, their residual risks, and implementation considerations with practical examples, (Homomorphic encryption, Secure multiparty computation, Private set intersection, Federated learning, Trusted execution environments, Zero-knowledge proofs, Differential privacy, Synthetic data, Reference table).

The Dutch Ministry of Justice published a review of the implementation of the GDPR at the national level. The GDPR is based on open standards, such as necessity and proportionality. The experts recommend concretising and specifically interpreting those standards through sectoral legislation, codes of conduct and guidelines for the practice of data protection law. After studying some cases, the researchers could not clearly understand how the country’s data protection regulator AP determines the size of fines; a more transparent method of setting and imposing penalties could lead to greater understanding and acceptance by the organisations under supervision. The review also raises issues with the obligation to report data breaches and the lack of enforcement capacity at the AP in cases of unreported data breaches.

A Polish law blog is looking at the secondary use of electronic health data in the EU. The draft Regulation on the European Health Data Space allows for certain reuse of both personal and non-personal health data collected in the context of primary use. Apart from public interest or statistical and scientific purposes, the advanced purposes include training, testing, and evaluation of algorithms, including in medical devices, AI systems, or digital health applications. Some categories of data are described in general terms, which would allow new types of data to be included in these categories, and may in future include:

  • “electronic data related to insurance status, professional status, education, lifestyle, wellness and behavioural data relevant to health”, or 
  • “data impacting on health, including social, environmental or behavioural determinants of health.”

Additionally, national health data access bodies will be able to grant access to additional categories of electronic health data entrusted to them by national laws or based on voluntary cooperation with data holders, (the “data altruism” principle as per the EU’s Data Governance Act). At the same time, the processing of such electronic data must avoid risks, (eg, insurance exclusion, targeted advertising, access to data by third parties, unauthorised medical products or services), causing harm to natural persons.

The Swedish privacy agency IMY is starting a pilot project to create in-depth legal guidance in matters relating to decentralised AI. IMY’s pilot project is being carried out with Sahlgrenska University Hospital and Region Halland. The project is part of a larger strategic initiative led by AI Sweden: information-driven care where AI helps to tailor decisions at the individual and system level and develop more advanced and accurate diagnoses and treatments. Decentralised AI is a way to avoid collecting large amounts of data to train algorithms centrally and instead produce models that are trained locally. The trained algorithms are then returned to a central point where insights are aggregated. 

Is the boss watching you? The Norwegian data protection authority Datatilsynet issued an in-depth report on the monitoring and control of employees’ digital activities. It states that:

  • More than half of employees have an insufficient overview of what information the employer collects, (digital work tools record such large amounts of information that it can be challenging for employees to keep track).
  • The employer has the opportunity to collect large amounts of information about employees’ digital activities, (eg, Google, Microsoft and Zoom have built-in additional functions that allow the employer to monitor the employee’s activities).
  • Software designed to monitor employees can be very intrusive.
  • Several employees see signs that the employer monitors visits to websites, or access to e-mail or PC/screen recording, activity log, audio recording, and GPS tracking.
  • Monitoring tools aimed at employees who work from home are spreading, (while Portugal has already prohibited remote worker monitoring).

For help with complying with privacy regulations when monitoring workers, choosing a legal basis or software, and for notable infringement cases, see the original guidance, (in Norwegian).

The French supervisory authority CNIL has published a guide on individual login tokens, or token access. A mechanism frequently integrated into authentication procedures, it allows a secure connection to a personal space, an account or office documents. In addition, tokens are often used in a two-factor authentication procedure to reduce the risk of account spoofing. An access token materialised as a link can be considered continuous access to personal data reachable from the Internet. This “gateway” is a weak point that malicious actors can exploit. Certain principles can reduce the likelihood that this will occur:

  • Log the creation and use of tokens and define a purpose-based validity period.
  • Generate an authentication link that contains no personal data and no variables whose content is easily understood and reused; use hashed content, for example, instead.
  • Impose a new authentication if the token allows access to personal data or if the token has an insufficiently limited lifespan.
  • Limit the number of accesses such as single or temporary use depending on the intended purposes.
  • In the context of a data transfer between two services, using an access token to establish the connection between the two services must also be limited in time.
  • Restrict the use of the token to certain services or resources by avoiding its reuse.
  • Automatically revoke access to the requested resource, temporarily or permanently, in case of suspicious bursts of requests.
  • Users should be able to choose how to transmit their remote access token, (email, SMS, postal sending, phone call).
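An access-token service that applies these principles in code, as an added example that is not CNIL’s own code; the purposes, lifetimes, use limits and the burst threshold are constructed assumptions:

```python
"""Access-token ('magic link') handling that follows the CNIL principles listed
above: no personal data in the token, purpose-based lifetime, a limited number
of uses, restriction to one resource, logging of creation and use, and
automatic revocation on suspicious bursts of requests. Added example; the
purposes, limits and thresholds are constructed assumptions, not CNIL values."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed policy (assumption): validity and number of uses depend on purpose.
PURPOSE_POLICY = {
    "password_reset": {"ttl": 15 * 60, "max_uses": 1},
    "document_share": {"ttl": 24 * 3600, "max_uses": 5},
}
BURST_LIMIT = 5      # more than this many attempts ...
BURST_WINDOW = 60    # ... within this many seconds revokes the token (assumption)


@dataclass
class TokenRecord:
    subject_id: str          # internal reference only; never placed in the link
    purpose: str
    resource: str            # the single resource the token may open
    expires_at: float
    max_uses: int
    uses: int = 0
    revoked: bool = False
    attempts: List[float] = field(default_factory=list)


class TokenService:
    def __init__(self) -> None:
        # Keyed by the SHA-256 of the token, so a leaked store yields no usable links.
        self._records: Dict[str, TokenRecord] = {}
        self.audit_log: List[dict] = []

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _log(self, event: str, key: str, now: float, **extra) -> None:
        # Only a prefix of the hash is logged; the log must not become a token store.
        self.audit_log.append({"event": event, "token": key[:12], "at": now, **extra})

    def issue(self, subject_id: str, purpose: str, resource: str, now: float) -> str:
        """Create an opaque token: it carries no personal data and no readable
        variables; everything is looked up server-side from the hashed token."""
        policy = PURPOSE_POLICY[purpose]
        token = secrets.token_urlsafe(32)
        key = self._key(token)
        self._records[key] = TokenRecord(
            subject_id=subject_id, purpose=purpose, resource=resource,
            expires_at=now + policy["ttl"], max_uses=policy["max_uses"])
        self._log("created", key, now, purpose=purpose)
        return token

    def redeem(self, token: str, resource: str, now: float) -> str:
        """Try to open `resource` with `token`; returns 'ok' or a refusal reason."""
        key = self._key(token)
        rec = self._records.get(key)
        if rec is None:
            self._log("unknown_token", key, now)
            return "unknown"
        # Count attempts in a sliding window; a burst revokes the token.
        rec.attempts = [t for t in rec.attempts if now - t < BURST_WINDOW] + [now]
        if len(rec.attempts) > BURST_LIMIT:
            rec.revoked = True
            self._log("revoked_burst", key, now, attempts=len(rec.attempts))
        if rec.revoked:
            return "revoked"
        if now >= rec.expires_at:
            self._log("expired", key, now)
            return "expired"
        if rec.resource != resource:
            self._log("scope_violation", key, now, requested=resource)
            return "wrong_resource"
        if rec.uses >= rec.max_uses:
            self._log("uses_exhausted", key, now)
            return "exhausted"
        rec.uses += 1
        self._log("used", key, now, uses=rec.uses)
        return "ok"

    def link_for(self, base_url: str, token: str) -> str:
        """Build the link sent to the user; only the opaque token goes into it."""
        return f"{base_url}?t={token}"
```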

The Latvian data protection authority DVI published a simple yet essential reminder of what a privacy notice is. The first step in controlling personal data is awareness of the organisation’s planned activities. Even before starting data processing, the organisation must provide information, and the person whose data it intends to process has the right to be informed of:

  • information about the organisation and its contact information;
  • the data protection specialist and their contact information;
  • purposes and legal basis for obtaining the personal information;
  • if the processing is based on legitimate interests, a description of these interests;
  • recipients of personal data, their categories, if any;
  • a reference to how personal data will be protected in case of transfer to a third country or an international organisation;
  • the period for which the information will be stored or, if this is not possible, how this period will be determined;
  • on the exercise of other personal rights – access to personal data, its correction or deletion, restriction of processing, the right to object, the right to data portability;
  • if the processing is based on consent – the right to withdraw it at any time, and how this will affect the lawfulness of processing before withdrawal;
  • the right to submit a complaint to the supervisory authority;
  • whether the provision of personal data is required by law or a contract;
  • whether it is a prerequisite for concluding a contract;
  • whether the person is obliged to provide personal data and what the consequences may be in cases where such data are not provided;
  • whether there is automated decision-making, including profiling – meaningful information about the logic involved, as well as the consequences of such processing for the person.

Investigations and enforcement actions: Instagram fine, Sephora settlement, research data processing, worker video and audio surveillance, costs of data protection

Ireland’s data protection commissioner will fine Instagram 405 million euros for breaking the GDPR by improperly handling the data of youngsters using the platform. The parent company of Instagram, Meta, has already declared that it will appeal against the ruling. Although it may seem like a sizable figure, it is not the largest fine a corporation has ever been required to pay under the GDPR. The inquiry, which began in 2020, concentrated on young users between the ages of 13 and 17 who had access to business accounts, which made it easier for the user’s phone number and/or email address to be made public. Instagram unveiled additional measures to keep teenagers safe and secure after updating its settings over a year ago.

The California Consumer Privacy Act’s first enforcement settlement: French cosmetics company Sephora will pay a fine of 1.2 million dollars and adhere to several compliance requirements. According to the attorney general, Sephora violated several laws by failing to inform customers that it was selling their personal information, not honoring user requests to opt out via user-enabled global privacy controls, and failing to remedy these violations within the allotted 30-day period. Sale in this case means Sephora disclosed or made available consumers’ data to third parties, (ad networks and analytics companies), through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for monetary or other valuable consideration. The case also signals a significant increase in risk for businesses operating in California ahead of the California Privacy Rights Act’s implementation in January 2023.

The Danish data protection authority has completed an inspection of the Southern Denmark Region with a focus on the processing of personal data in the health research area. It selected three research projects as the inspection subject for “processing basis” and “responsibilities and roles”. The regulator requested a copy of the data processing agreements, documentation of any supervision of the data processors, and the guideline “Conclusion of data processing agreements and supervision of data processors” which was listed on the region’s list of policies. At the end of the inspection, the regulator stated that the data controller cannot meet the above requirements by simply entering into a data processing agreement with the data processor. The data controller must therefore also carry out minor or major supervision to ensure that the data processing agreement is complied with, including ensuring that the data processor has implemented the agreed technical and organisational security measures. For instance, in two cases the region entered into data processing agreements with three different data processors in 2018 and 2020, and the agreements have not been updated since.

Following a complaint from an employee, the Spanish data protection regulator AEPD fined Muxers Concept 20,000 euros. An audio recording device was found in the corporate locker room hidden behind ceiling tiles, and an alleged video surveillance camera and sound recorder were found in the employee restrooms. Even recording employees’ interactions with clients is considered disproportionate to guaranteeing compliance with labour laws. All surveillance and control measures must be proportionate to the purpose pursued, which is to provide security and comply with labour rights. As a result, the AEPD determined that Muxers had violated Art. 6 of the GDPR by performing data processing without a legal basis.

Meanwhile, the EDPB has published an overview of the resources, financial and human, made available by EU member states to the data protection supervisory authorities, (SAs), in recent years. It shows that the SAs need more staff to contribute more effectively to the GDPR cooperation and consistency procedures, to educate and to conduct more investigations, especially those linked to complaints and security breaches. The SAs need more staff to be able to act more proactively, conduct on-site investigations, and examine the growing number of complaints or breach notifications in more depth, as only basic processing of them is currently possible in many cases. They also need more resources to develop information systems, increase their national and European communication, and deal with the new tasks arising from developments in EU regulation. In some cases, staff salaries were reported to be too low compared to salaries in the private sector in the same field.

Data security: data medium destruction, internet-connected appliances, credential theft

Germany’s Federal commissioner for data protection BfDI published a guide on destroying data media, (in German). The destruction of data carriers is a technical and organisational measure to ensure data security, and in particular to prevent unauthorised third parties from gaining knowledge of personal data. The responsible body, following international standards, must first classify the processed personal data, or the data carriers storing them, according to their protection requirements and define appropriate protection classes, (from normal to a very high level). The higher the protection class, the greater the effort required for an attacker to restore and read the destroyed data carriers or the personal data stored on them. Additionally, there are different specifications for the various material supports, (such as paper, microfilm, magnetic hard drives, optical data carriers, and semiconductor memories), that must be observed when destroying a data carrier.

According to a European Commission document seen by Reuters, internet-connected smart appliances like refrigerators and TVs will have to adhere to stringent cybersecurity regulations or face fines or expulsion from the EU market. Following high-profile events where hackers damaged businesses and demanded astronomical ransoms, worries about cybersecurity threats have increased. The EU executive is expected to make its Cyber Resilience Act proposal public in September. Manufacturers will have to evaluate the cybersecurity risks associated with their products and implement the necessary measures. After becoming aware of issues, organisations must report incidents to ENISA, the EU’s cybersecurity agency, within 24 hours and take action to resolve the flaws. Distributors and importers will have to confirm that the goods adhere to EU regulations. National surveillance authorities will have the power to “prohibit or restrict that product from being made available on its national market” if businesses fail to comply.

US cybersecurity expert Brian Krebs looks into how phishers have such incredible success stealing one-time passcodes and remote access credentials from employees using text messages. In one of the examples, a deluge of SMS phishing messages targeting workers at commercial staffing agencies that offer outsourcing and customer assistance to hundreds of businesses started to appear in mid-June 2022. The messages instructed recipients to click a link and log in to a phishing page that looked like the authentication page for their workplace. Those who had submitted their credentials were then asked for the one-time password for multi-factor authentication. The phishers behind this scam sent text messages pushing employees to click on links to freshly registered domains, which frequently incorporated the name of the target organisation, under the pretext of an impending change to their work schedule. The phishing websites used a Telegram instant chat bot to relay any provided credentials in real time, enabling the attackers to log in as that employee at the legitimate employer’s website.

Big Tech: UK Children’s code use cases, SpongeBob app vs COPPA, fingerprints in a school WC

The ICO’s groundbreaking Children’s code was fully rolled out in the UK in September 2021, requiring online services including websites, apps, and games to provide better privacy protections for children. Some changes over the past year included:

  • Facebook and Instagram limited targeting by age, gender, and location for those under 18.
  • Facebook and Instagram now ask for people’s date of birth at sign-up, prevent them from signing up if they repeatedly enter different dates, and disable accounts where people can’t prove they’re over 13.
  • Instagram launched parental supervision tools, along with features like Take A Break to help teens manage their time on the app.
  • YouTube has turned off autoplay by default and turned on take-a-break and bedtime reminders by default for under 18s.
  • Google has enabled anyone under 18 (or their parent/guardian) to request to remove their images from Google image search results, location history cannot be enabled by Google accounts of under 18s, and they have expanded safeguards to prohibit age-sensitive ad categories from being shown to these users.
  • Nintendo only allows users above 16 years of age to create their own accounts and set their own preferences.

In the US, the Children’s Advertising Review Unit, (CARU), has found Tilting Point Media, owner and operator of the SpongeBob: Krusty Cook-Off app, in violation of COPPA and CARU’s Self-Regulatory Guidelines for Advertising and Children’s Online Privacy Protection. As the operator of a mixed-audience child-directed app, Tilting Point must ensure that no personal information is collected, used, or disclosed from users under age 13, or that notice is provided and verifiable parental consent is obtained before such collection, use, or disclosure. Tilting Point does have an age screen on its app; however, it did not prevent CARU from using the app as a 10-year-old child, agreeing to Tilting Point’s terms of service and privacy policy, and consenting to the processing of the data to receive “personalized” advertising. The app’s non-declinable privacy policy and terms of service provide that the user must be at least 13 years old to use the company’s product, but the age gate does not prevent a child from checking those boxes and playing the game.

In Australia, a Sydney high school is requiring students to scan their fingerprints if they wish to use the WC. Some parents say they weren’t asked for consent to take their children’s fingerprints, and one mother has requested that her daughter’s fingerprints be deleted from the system. The education department offered biometric technology to stop vandalism and anti-social behaviour in the toilets. It also stated, “The use of this system is not compulsory. If students or parents prefer, students can also access the toilets during those times by obtaining an access card from the office”. Issues surrounding biometric data and consent have not been extensively tested in the Australian courts. Other schools across New South Wales have used the technology for several years for students to mark their attendance. Yet New South Wales state police cannot conduct forensic procedures such as obtaining fingerprints without a person’s informed consent or court order. 

Weekly digest 27 June – 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones & privacy https://techgdpr.com/blog/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy/ Mon, 04 Jul 2022 08:32:08 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: credential stuffing, patient privacy, use of drones

The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an individual’s tendency to use the same credentials (e.g. username/email address and password combination) across multiple online accounts. The attacks are automated and often large-scale, using stolen credentials (e.g. that are leaked in connection with data breaches and made available on the ‘dark web’), to unlawfully access users’ accounts on unrelated websites. 

Successful credential stuffing attacks may result in fraud or other means of financial loss, as attackers may, for example, make purchases using the compromised account or transfer funds to their own account. Upon establishing a secure foothold, an attacker may attempt to obtain further access to data and systems through the harvesting of other visible or accessible credentials. Such attacks may also be used to cause intangible harm such as reputational damage by spreading disinformation or making false statements about an individual whilst using their compromised account. 

The guidance by international privacy authorities provides measures to detect, prevent and/or mitigate the risk from credential stuffing (guest checkouts, strong passwords and usernames, and their alternatives, multi-factor authentication, secondary passwords and pins, device fingerprinting, identifying leaked passwords, rate-limiting, account monitoring and lockout, incident response plans and user notifications, and more).
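Detection logic for two of the measures just listed, per-source account monitoring and account lockout, run over constructed sample log lines; this is an added example, not part of the authorities’ report, and the log format and thresholds are assumptions:

```python
"""Detection of credential stuffing in authentication logs, implementing two
of the measures listed above: monitoring each source for failures spread across
many accounts, and per-account lockout after repeated failures.
Added example; the log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed log format (assumption): "<ISO-8601 UTC> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed thresholds (assumptions; tune to the service's normal traffic).
WINDOW_SECONDS = 600           # fixed bucket for per-source statistics
STUFFING_MIN_ACCOUNTS = 5      # distinct accounts one source must touch ...
STUFFING_MIN_FAIL_RATIO = 0.8  # ... with this share of failures, to be flagged
LOCKOUT_FAILURES = 5           # consecutive failures that lock one account


def parse(lines: List[str]) -> List[dict]:
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts.timestamp(), "ip": m["ip"],
                       "user": m["user"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events: List[dict]) -> Dict[str, dict]:
    """Flag sources that, inside one window, fail against many distinct accounts.

    Stuffing tries each stolen credential once, so per-account lockout never
    fires; the signal is the per-source spread of accounts instead."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ip"], int(e["ts"] // WINDOW_SECONDS))].append(e)
    findings: Dict[str, dict] = {}
    for (ip, _bucket), evs in buckets.items():
        users = {e["user"] for e in evs}
        fails = sum(e["result"] == "fail" for e in evs)
        if len(users) >= STUFFING_MIN_ACCOUNTS and fails / len(evs) >= STUFFING_MIN_FAIL_RATIO:
            # Accounts the source got into reused a leaked password: they need a
            # forced reset and a user notification, not just a block on the IP.
            findings.setdefault(ip, {
                "accounts": len(users), "attempts": len(evs), "failures": fails,
                "successes": sorted(e["user"] for e in evs if e["result"] == "ok")})
    return findings


def lockout_candidates(events: List[dict]) -> List[str]:
    """Accounts reaching LOCKOUT_FAILURES consecutive failures from any source."""
    streak: Dict[str, int] = defaultdict(int)
    locked = []
    for e in events:
        if e["result"] == "fail":
            streak[e["user"]] += 1
            if streak[e["user"]] == LOCKOUT_FAILURES:
                locked.append(e["user"])
        else:
            streak[e["user"]] = 0
    return locked


# Constructed sample: one source tries twelve accounts in under a minute and gets
# into two; a second source hammers a single account; one ordinary login; one
# malformed line that parse() skips.
_STUFFED = [("alice", "fail"), ("bob", "fail"), ("carol", "fail"), ("dave", "fail"),
            ("erin", "fail"), ("frank", "fail"), ("grace", "ok"), ("heidi", "fail"),
            ("ivan", "fail"), ("judy", "ok"), ("mallory", "fail"), ("oscar", "fail")]
SAMPLE_LOG = (
    [f"2022-06-15T10:00:{4 * i:02d}Z ip=203.0.113.7 user={u} result={r}"
     for i, (u, r) in enumerate(_STUFFED)]
    + [f"2022-06-15T10:05:{5 * i:02d}Z ip=198.51.100.9 user=trent result=fail"
       for i in range(6)]
    + ["2022-06-15T10:06:00Z ip=192.0.2.5 user=peggy result=ok",
       "this line is not in the expected format"]
)


def analyse(lines: List[str]) -> dict:
    """Run both checks over raw log lines."""
    events = parse(lines)
    return {"stuffing": detect_stuffing(events), "lockouts": lockout_candidates(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Only the stuffing source is flagged, while the single-account attacker is caught by the lockout rule alone, which is why the report recommends both measures.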

The US Department of Health issued guidance to protect patient privacy in the wake of the Supreme Court decision that removed the right to safe and legal abortion. In general, the guidance addresses:

  • how federal law and regulations protect individuals’ private medical information, (known as protected health information or PHI), relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
  • the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.

According to recent reports, many patients are concerned that such apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care. The guidance also addresses the circumstances under which the Health Insurance Portability and Accountability Act, (HIPAA), permits disclosure of PHI without an individual’s authorisation. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care. 

Switzerland’s data protection commissioner FDPIC issued an annual 2021-2022 report, noting widespread indifference towards protecting citizens’ data and a growing disregard for privacy. The deficiencies in processing sensitive personal data that have become more frequent on health platforms, and the tendency, now also perceptible in Europe, to discredit the public’s right to encrypt their data as an abuse of freedoms, are evidence of this development. In relation to freedom of information, the FDPIC continues to see an increase in the number of requests for access and for mediation, which poses problems in meeting the legal deadlines in view of the pandemic-related backlog of work. You can read the detailed report here. 

The Irish Data Protection Commission issued a guide on the use of drones. Like body-worn cameras, drones can effectively become mobile surveillance systems and are highly likely to capture the personal data of passers-by (data subjects). The guidelines are written for drone operators other than those flying for public law-enforcement purposes, and also answer questions from the data subject’s perspective. Whatever the nature of your activity (professional or recreational), under the EU rules on unmanned aircraft the collection of information relating to an identifiable person through a data collection system mounted on a drone potentially constitutes personal data processing.

When buying your equipment, check whether the device has been designed with data protection obligations in mind. For example, to comply with data minimisation, data collection systems mounted on drones should be capable of being switched on and off when appropriate, and their field of view limited in line with your purposes. To comply with the transparency principle, the drone should carry adequate signalling, such as lights or buzzers. It is also your responsibility to ensure appropriate security of processing: check whether video footage is stored on the device itself, on a portable storage medium or on a cloud storage service, and take steps to mitigate the additional risk of loss or theft of personal data, for example by encrypting the footage before it is transferred from the device to cloud storage.

Legal processes: criminal activity data

After the amended Europol Regulation entered into force on 28 June, the EDPS expressed concern that the amendments weaken the fundamental right to data protection. The amended Regulation “expands the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets”, the EDPS states. Consequently, data relating to individuals who have no established link to criminal activity may be treated in the same way as the personal data of individuals who do. Strong safeguards are crucial, says the regulator, because the impact on personal data protection is further aggravated by the possibility for EU Member States to retroactively authorise Europol to process large datasets that were shared with it before the amended Regulation entered into force.

Investigations and enforcement actions: bulk emails, sales prospecting calls, unnecessary cookies, unauthorised logins

The UK Information Commissioner’s Office issued a monetary penalty to an NHS foundation trust that used Outlook to send bulk emails to 1,781 Gender Identity Clinic service users. The incident happened even though the trust had measures in place, including a suite of policies. In particular, its “Email, Text and Internet Use Procedure” states: “To avoid inadvertently sharing other people’s email addresses, recipients should be selected in the ‘Bcc’ box, not the ‘To’ box”. Data security and protection training was available to all staff, with measures in place to refresh it at regular intervals. Here are some facts of the case:

  • The trust’s intention was to send a bulk email relating to an art competition to approximately 5,000 patients. 
  • The distribution list was extracted from the trust’s electronic patient record system using a specific set of search criteria which ensured recipients were active patients and had consented to be contacted by email in certain circumstances. 
  • The output report produced from the system was then manually split into batches of around 1,000 addresses each. 
  • In two batches the email addresses were copied from the output report and entered into the “To” field instead of the “Blind carbon copy” field. The recipients of each email could therefore see the email addresses of the other recipients of that email. 
  • Four of the emails were returned as undeliverable and so potentially 1,777 emails were delivered and opened. 
  • The staff member who sent the email noticed the error straight away and attempted, albeit unsuccessfully, to recall both emails. They also contacted the trust’s Information Management and Technology Service Desk to report the breach.
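The procedure above is exactly where tooling, rather than a staff member picking the right box, should enforce the policy. The following is an added example (not the trust’s tooling and not taken from the ICO decision): it splits an exported recipient list into batches, carries recipients only in the SMTP envelope so that the visible To header names the sender, and refuses to send any batch whose To/Cc headers would reveal other recipients. Addresses, the SMTP host and the batch size are constructed for illustration; a `transport` callable is injected so the campaign can be dry-run without a mail server.

```python
"""Bulk mailing that cannot leak recipient addresses via To/Cc.

Added example, not the trust's code. The recipient list, sender and batch
size below are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses
import smtplib

BATCH_SIZE = 1000  # the trust split its export into batches of ~1,000


def batches(addresses, size=BATCH_SIZE):
    """Split the exported list into fixed-size chunks."""
    return [addresses[i:i + size] for i in range(0, len(addresses), size)]


def build_message(sender, recipients, subject, body, *, unsafe=False):
    """Build one batch message.

    Safe form: recipients travel only in the SMTP envelope (see send_campaign),
    and the visible To header names the sender. unsafe=True reproduces the
    mistake in the ICO case (addresses pasted into To) so the guard can catch it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients) if unsafe else sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg, recipients):
    """Recipient addresses that other recipients would see in To/Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    return sorted(r for r in recipients if r.lower() in visible)


def send_campaign(sender, addresses, subject, body, transport):
    """Send every batch through transport(msg, envelope_recipients).

    Any batch whose headers leak addresses aborts the whole run before a
    single message goes out. Returns the number of batches sent.
    """
    sent = 0
    for chunk in batches(addresses):
        msg = build_message(sender, chunk, subject, body)
        leaked = exposed_recipients(msg, chunk)
        if leaked:
            raise ValueError(f"refusing to send: {len(leaked)} recipient "
                             "addresses visible in To/Cc")
        transport(msg, chunk)
        sent += 1
    return sent


def smtp_transport(host="localhost", port=25):
    """Real transport: recipients are passed as envelope addresses only, so no
    Bcc header is ever written into the message."""
    def send(msg, envelope_recipients):
        with smtplib.SMTP(host, port) as smtp:
            smtp.send_message(msg, to_addrs=envelope_recipients)
    return send


if __name__ == "__main__":
    # Constructed recipient list; a dry-run transport that only counts envelopes.
    export = [f"user{i}@example.test" for i in range(2350)]
    log = []
    n = send_campaign("clinic@example.test", export, "Art competition",
                      "Details attached.", lambda m, r: log.append(len(r)))
    print(f"{n} batches, {sum(log)} envelope recipients, 0 visible addresses")
```

Passing `to_addrs` explicitly to `send_message` is the point: recipients never appear in any header, so there is no Bcc line to strip and no To field to get wrong.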

The French Council of State upheld the 2020 sanction imposed by the privacy regulator CNIL on Amazon. In December 2020, the CNIL fined the company 35 million euros, in particular for placing advertising cookies on the computers of users of the “Amazon.fr” site without prior consent or adequate information, in breach of Art. 82 of the French Data Protection Act (which transposes the ePrivacy Directive). The CNIL also found that when users arrived at “Amazon.fr” after clicking an advertisement on another website, the same cookies were deposited without any banner being displayed at all. Finally, the Council of State considered the size of the fine proportionate to the seriousness of the breaches, the scope of the processing and the company’s financial capacity.

The CNIL also fined TOTALENERGIES ÉLECTRICITÉ ET GAZ 1 million euros. The regulator had received several complaints about the difficulties people encountered with the energy supplier when exercising their right of access and when objecting to sales prospecting calls. The subscription form on the company’s website had the user acknowledge consent to the use of their personal data to receive subsequent commercial offers, with no way to object. By completing the form, the user therefore had no means of opposing the reuse of their data for commercial prospecting for similar products or services.

In 2020 Norway’s parliament, the Storting, suffered data breaches, and in January this year the Norwegian data protection authority Datatilsynet announced a fine of approximately 200,000 euros for inadequate security measures. Having assessed the Storting’s comments, the regulator maintained the notified fine. The breach involved unauthorised logins to the email accounts of an unknown number of Storting representatives and employees in the administration and group secretariats. The regulator placed particular emphasis on the fact that the Storting had not established two-factor authentication or similarly effective security measures to achieve adequate protection.

Data security: mobile devices at work

A NIST publication explains how to organise enterprise mobile data security and avoid getting hacked. According to the agency, most phishing attempts still arrive by email, while other vectors, including text messages, are also on the rise. Phishing is not limited to laptops and desktops; mobile phones are targets as well.

URL filtering, multi-factor authentication and mobile threat defence can help protect against phishing attacks. In environments that use multi-factor authentication, an attacker who phishes a user’s password can still be denied access to enterprise information because they lack the second factor. For more on phishing protection and other mobile device security and privacy enhancements, refer to the NIST publications on corporate-owned, personally-enabled (COPE) mobile devices and on using personal (BYOD) devices for work-related activities.
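The Storting finding above (no second factor on mailbox logins) and the NIST point about a phished password being useless without the second factor both come down to the same check. The following is an added example, not code from NIST or the Storting: a TOTP (RFC 6238) verifier built on HOTP, wired into a login routine that requires both the password and a fresh, not-yet-used code. The user store, salt handling and secret are constructed for illustration; the secret `12345678901234567890` is the RFC test-vector key, which is why the codes are predictable. One caveat a practitioner should keep in mind: a time-based code can still be relayed by a real-time phishing kit within its validity window, so phishing-resistant authenticators (FIDO2/WebAuthn, which bind the assertion to the site origin) are the stronger choice where available.

```python
"""Password + TOTP login: a phished password alone does not get in.

Added example (not NIST's or the Storting's code). The in-memory user store
and the secret are constructed; the secret is the RFC 6238 test-vector key.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    t = int(time.time() if at is None else at) // step
    return hotp(secret, t, digits)


def match_totp(secret: bytes, code: str, at: Optional[int] = None,
               step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time step whose code matches, allowing +/- `window` steps of
    clock drift, or None. Each candidate is compared in constant time."""
    t = int(time.time() if at is None else at) // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, t + k), code):
            return t + k
    return None


USERS: dict = {}  # constructed in-memory store; a real system would use a database


def register(username: str, password: str, totp_secret: bytes) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
        "last_step": -1,  # highest time step already accepted, to block code replay
    }


def login(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Succeed only when the password AND an unused, in-window TOTP code are
    both correct. Both checks always run so the caller cannot tell which failed."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    step = match_totp(user["totp_secret"], code, at=at)
    mfa_ok = step is not None and step > user["last_step"]
    if pw_ok and mfa_ok:
        user["last_step"] = step  # consume this code so it cannot be replayed
        return True
    return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"
    register("alice", "correct horse battery staple", SECRET)
    print("phished password, guessed code:", login("alice", "correct horse battery staple", "000000", at=59))
    print("password + live code:          ", login("alice", "correct horse battery staple", totp(SECRET, at=59), at=59))
    print("same code replayed:            ", login("alice", "correct horse battery staple", totp(SECRET, at=59), at=59))
```

The `last_step` bookkeeping is the part most home-grown verifiers miss: without it, a code captured in transit stays valid for the rest of its 30-second step plus the drift window.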

Big Tech: misconfigured data storage containers, French “trusted cloud” in partnership with Google

According to Reuters, the US supermarket chain Wegmans agreed to pay 400,000 dollars and upgrade its security practices over a data breach that exposed the personal information of more than 3 million consumers nationwide. The company was accused of keeping customer information in Microsoft Azure cloud storage containers that had been misconfigured and left open, leaving the data exposed to anyone who found them. “Customers’ email addresses and Wegman’s account passwords were exposed for about 39 months, while customers’ names, mailing addresses, and data tied to their driver’s license numbers were exposed for about 30 months”, the article states, quoting New York Attorney General Letitia James.
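An open container of the kind described above is a two-level misconfiguration: the storage account must allow anonymous blob access, and the container’s own access level must be set to `blob` or `container`. The following is an added example, not Wegmans’ or Microsoft’s code, that audits both levels offline from the JSON that `az storage account list` and `az storage container list` produce and prints the corrective CLI commands. The account names and container data are constructed; the JSON field names (`allowBlobPublicAccess`, `properties.publicAccess`) and the treatment of an unset (`null`) account flag as permissive are assumptions based on the Azure CLI and the pre-2023 default, so verify them against your tenant before relying on the script.

```python
"""Audit exported Azure Storage settings for anonymously readable containers.

Added example; not Wegmans' tooling. Field names follow the Azure CLI JSON
(assumed, not from the Reuters report). Sample data below is constructed.
"""
import json

# Constructed sample of `az storage account list` output.
ACCOUNTS_JSON = """[
  {"name": "acctlegacy01",   "allowBlobPublicAccess": null},
  {"name": "accthardened01", "allowBlobPublicAccess": false}
]"""

# Constructed sample of `az storage container list --account-name <name>` per account.
# publicAccess: "container" = anonymous listing + read, "blob" = anonymous read
# of a blob whose URL is known, null = private.
CONTAINERS_JSON = {
    "acctlegacy01": """[
      {"name": "customer-exports", "properties": {"publicAccess": "container"}},
      {"name": "logs",             "properties": {"publicAccess": null}}
    ]""",
    "accthardened01": """[
      {"name": "public-site",      "properties": {"publicAccess": "blob"}}
    ]""",
}


def account_allows_public(account: dict) -> bool:
    """Only an explicit false blocks anonymous access at account level. A null
    (unset) flag is treated as permissive here, matching the historical default
    for accounts created before Microsoft changed it (assumption)."""
    return account.get("allowBlobPublicAccess") is not False


def audit(accounts, containers_by_account):
    """Return (exposed, latent).

    exposed: containers readable anonymously right now.
    latent:  containers whose own ACL is public but are currently saved only
             by the account-level flag; flipping that flag would expose them.
    """
    exposed, latent = [], []
    for acct in accounts:
        for cont in containers_by_account.get(acct["name"], []):
            level = cont.get("properties", {}).get("publicAccess")
            if level not in ("blob", "container"):
                continue
            finding = (f"{acct['name']}/{cont['name']}", level)
            (exposed if account_allows_public(acct) else latent).append(finding)
    return exposed, latent


def remediation(exposed, latent):
    """Corrective Azure CLI commands: lock the account flag, then each container."""
    cmds, done_accounts = [], set()
    for ref, _level in exposed + latent:
        acct, cont = ref.split("/", 1)
        if acct not in done_accounts:
            done_accounts.add(acct)
            cmds.append(f"az storage account update --name {acct} "
                        "--allow-blob-public-access false")
        cmds.append(f"az storage container set-permission --account-name {acct} "
                    f"--name {cont} --public-access off")
    return cmds


def run():
    accounts = json.loads(ACCOUNTS_JSON)
    containers = {name: json.loads(raw) for name, raw in CONTAINERS_JSON.items()}
    return audit(accounts, containers)


if __name__ == "__main__":
    exposed, latent = run()
    for ref, level in exposed:
        print(f"EXPOSED  {ref} (publicAccess={level})")
    for ref, level in latent:
        print(f"LATENT   {ref} (publicAccess={level}, blocked by account flag)")
    print("\n".join(remediation(exposed, latent)))
```

Running it against a real tenant means replacing the two constructed JSON strings with the CLI output; the latent findings matter because a later change to the account flag, or a container copied to a permissive account, silently turns them into exposed ones.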

Meanwhile, French defence company Thales has set up a new firm within its group, S3NS, in partnership with Google Cloud, to offer state-vetted cloud computing services for some of the country’s most sensitive data, Reuters reports. The new company results from a government plan under which France acknowledged US technological superiority. Some of France’s biggest banks and healthcare organisations are among 40 potential customers. From the second half of 2024, S3NS will offer a “trusted cloud” that combines the full performance, services and applications of Google Cloud technology with protection against extraterritorial foreign laws, in compliance with the requirements of the “Trusted Cloud” label of France’s Information Systems Security Agency (ANSSI).

The post Weekly digest 27 June – 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones & privacy appeared first on TechGDPR.

Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent
https://techgdpr.com/blog/weekly-digest-16052022-uk-data-protection-reform-and-dark-patterns-invalidating-consent/
Mon, 16 May 2022 07:40:08 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK data protection reform

Last week in the Queen’s Speech it was announced that the UK’s data protection regime will be reformed through the introduction of the Data Reform Bill, dataprotectionlawhub.com reports. The Bill’s purpose is to “create a trusted UK data protection framework that reduces burdens on businesses and boosts the economy.” Reportedly, the main elements of the Bill include:

  • a more flexible, outcomes-focused approach to data protection that replaces the “box-tick exercises” required under current data protection law; 
  • public bodies will be able to share data to improve the delivery of services, while ensuring that the personal data of UK citizens is protected to a ‘gold standard’. 

Additionally, the future introduction of the Brexit Freedoms Bill will end the supremacy of European law. This would enable the Government to change the position of retained EU data protection law, which is currently enshrined in UK data protection law. Taken together, this could undermine the EU’s adequacy decision for data flows with the UK. Read the full governmental proposal here.

Official guidance: UK AI toolkit, China cross-border processing, CNIL and EDPB’s annual wrap-ups

The UK’s ICO has presented its AI toolkit, designed to provide practical support to organisations in reducing the risks to individuals’ rights and freedoms caused by their own AI systems. It contains: a) advice on how to interpret relevant law as it applies to AI; b) recommendations on good practice for organisations; c) technical measures to mitigate the risks to individuals that AI may cause or exacerbate; and d) an AI glossary. This guidance is not a statutory code. There is no penalty for not adopting the good practice recommendations, as long as you find another way to comply with the law, the ICO says. 

The guidance covers both the AI and data-protection-specific risks, and the implications of those risks for governance and accountability. Regardless of whether you are using AI, you should have accountability measures in place. However, adopting AI applications may require you to re-assess your existing governance and risk management practices. AI applications can exacerbate existing risks, introduce new ones, or generally make risks more difficult to assess or manage.

Meanwhile, China issued new specifications for the cross-border processing of personal information by multinational corporations, as stipulated in the Personal Information Protection Law (PIPL). In particular, such companies must meet one of the following criteria in order to transfer personal information above a certain scale overseas: 

  • Undergo a security review organized by the Cyberspace Administration of China, except where exempted by relevant laws and regulations. 
  • Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC. 
  • Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC, etc.

Personal information can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” personal information, which is subject to stricter protection requirements:

  • Biometric data, (fingerprints, iris recognition, facial recognition, and DNA);
  • Data pertaining to religious beliefs or specific identities;
  • Medical history;
  • Financial accounts;
  • Location and whereabouts;
  • Any personal information of minors under the age of 14. 

However, it does not include data that has been anonymised, or abstract data that contains no specific personal information on individuals, such as aggregated information. Read the full analysis in the original publication.

The French regulator CNIL published its 2021 activity report, (in French). One of its objectives was to provide legal certainty to all professionals with regard to the GDPR. To support them, it has thus published new sector guides and resources on its website in 2021, in particular for the voluntary associations’ sector, insurance, health and adtech. In 2021 the CNIL received 14,143 complaints and closed 12,522. It carried out 384 checks and the shortcomings noted during some of the investigations led to issuing 135 formal notices and 18 penalties, entailing fines exceeding 214 million euros. 89 of the 135 formal notices concerned cookies, one of the priority themes set by the CNIL for this year. 

The CNIL also carried out 30 new inspections of medical analysis laboratories, hospitals, service providers and health data brokers, in particular on processing related to the COVID-19 epidemic. Some of these procedures are still under review. Finally, it paid particular attention to the cybersecurity of the French web by inspecting 22 organisations, 15 of them public. During its investigations, the CNIL noted obsolete cipher suites leaving websites vulnerable to attack, shortcomings concerning passwords and, more generally, insufficient resources devoted to current security issues.

At the same time the EDPB presented its 2021 annual report, with a detailed overview of its work over the last year. In 2021, the EDPB adopted, among other things:

  • the final version of its recommendations on supplementary measures following the Schrems II ruling of the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation; 
  • opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive, as well as its opinion on the draft adequacy decision for the Republic of Korea; 
  • guidance documents on other international transfer tools, such as Codes of Conduct, and joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA; 
  • guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, and much more.

In the US, the Network Advertising Initiative, (NAI is the leading self-regulatory association comprised exclusively of third-party digital advertising companies – ed.), issued Best Practices for User Choice and Transparency. The term “dark pattern” was coined in 2010 to refer to “tricks used in websites and apps that make you do things you didn’t mean to do, like buying or signing up for something.” They are also sometimes referred to as “deceptive patterns” or “manipulative designs.” These practices can be dynamic and multifaceted, including a series of tactics and specific design choices in apps and on websites. The guide is intended to help member companies better understand the practice of dark patterns and to implement the highlighted best practices to avoid them, namely:

  • to examine the current legal environment at the state and federal levels, (FTC ACT, CCPA and CPRA, Colorado privacy Act, and the GDPR); and 
  • to identify best practices and guide companies in maximizing effective and efficient notice and choice mechanisms with respect to collecting consumer data, (Notice and Choice, Exercising Consumer Requests, User Interface considerations).

On the GDPR, the NAI quotes the French CNIL, which asserts that “the fact of using and abusing a strategy to divert attention or dark patterns can lead to invalidating consent.” Furthermore, in March 2022 the EDPB released its own guidelines on the use of dark patterns in social media platforms, open for public comment. 

Investigations and enforcement actions: IAB Europe case, IKEA Canada internal threat, whistleblowing, community owners

The IAB Europe, (the European-level association for the digital marketing and advertising ecosystem – ed.), withdrew its request for suspension of the execution of the decision issued by the Belgian Data Protection Authority, (APD), on the Transparency & Consent Framework (TCF). The request for suspension had been submitted as part of the appeal to the Belgian Market Court lodged on 4th March. The withdrawal coincides with confirmation that the APD will not take a decision on validation of the action plan submitted by IAB Europe to rectify alleged EU GDPR violations connected with TCF before Sept. 1, the date by which the Market Court is expected to have issued a ruling on the appeal.

IKEA Canada reportedly confirmed a data breach involving the personal information of approximately 95,000 customers. The furniture retailer notified Canada’s privacy regulator that some customers’ personal information had appeared in the results of a “generic search” of IKEA’s customer database made by an IKEA Canada employee between March 1 and March 3; no financial or banking information was involved. In a letter to affected customers, IKEA Canada said that the data that may have been compromised included customer names, email addresses, phone numbers and postal codes. The IKEA Family loyalty programme number belonging to customers may also have been visible. The company has already made changes to reinforce its internal policies, and no action is needed by customers. 

The Italian privacy regulator ‘Garante’ fined ISWEB and Perugia Hospital 40,000 euros each for GDPR violations in relation to the whistleblowing system, following an ex officio investigation, Data Guidance reports. ISWEB is an IT company that provides and manages the whistleblowing application used by numerous clients, including Perugia Hospital. The ‘Garante’ found that ISWEB had failed to regulate the relationship with the hosting service provider, noting that ISWEB had engaged the hosting service provider both to carry out processing in its capacity as data controller, and for the processing carried out in its capacity as a data processor on behalf of its clients, including the Hospital. The ‘Garante’ noted that the aggravating factors for the administrative fine were: a) the nature, subject, and purpose of the processing; b) the high degree of confidentiality required by sector regulations in relation to the identity of the data subjects in cases of whistleblowing; c) the fact that no whistleblowing reports were available in the system at the time of the investigation; d) ISWEB had not regulated in any way the relationship with the hosting service provider.

At the same time, the Spanish data protection authority imposed a fine of 500 euros on a community of property owners. The decision states that the presidency of the community had posted a list of debtors, including the complainant, on three community notice boards. It also noted that the notice boards are located inside the building entrances and that all of them are locked, but that they remain visible to third parties from outside the community. 

Data security: cybersecurity for regulated industries

EU countries and lawmakers agreed last week on tougher cybersecurity rules under the NIS 2 Directive, proposed by the Commission in December 2020, for regulated industries such as energy, transport and financial firms, digital providers and medical device makers, amid concerns about cyber attacks by state actors and other malicious players. Medium and large companies will be required to assess their cybersecurity risk, notify authorities of incidents and take technical and organisational measures to counter the risks, with fines of up to 2% of global turnover for non-compliance. EU countries and the EU cybersecurity agency ENISA will also be able to assess the risks of critical supply chains under the rules. 

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the two co-legislators. Once published in the Official Journal, the Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law. Member States will have 21 months to transpose the Directive into national law.

Big Tech: Twitter’s ‘Data Dash’ game, Clearview AI settlement and future fine, EU biometrics, Zoom’s user emotion detection 

Twitter has rolled out a new web video game to make it easier for users to understand its privacy policy, TechCrunch reports.  The goal of the game, which is called Data Dash, is to educate people on the information that Twitter collects, how the information is used and what controls users have over it: “Once you start the game, you’ll be asked to pick the language in which you would like to play. After that, you’ll have the option to select a character. The game is played by helping a dog, named Data, safely navigate “PrivaCity” by dodging ads, steering clear of spammy DMs and avoiding Twitter trolls.”

According to Reuters, France’s data privacy regulator is about to trigger the process of fining US-based Clearview AI, a facial recognition company the regulator had ordered to stop amassing data from people based in the country. The start of a formal penalty process would indicate that CNIL suspected Clearview of failing to comply with its order within the two-month deadline it had set. 

Meanwhile, under a settlement filed in an Illinois state court in Chicago, Clearview AI will stop granting paid or free access to its database to most local private businesses and individuals, as well as police. However, Clearview AI, based in New York, can still work with federal government agencies, including immigration authorities, as well as state government agencies outside Illinois. The case was brought by the American Civil Liberties Union in 2020. Clearview AI repeatedly violated the Illinois Biometric Information Privacy Act by scraping photos taken from the internet, including from social media platforms, Reuters reports.

The European Digital Rights group and 52 other organisations called for banning remote biometric identification systems in public locations, Biometric Update and IAPP News report. They called the technology, like facial recognition, one of the greatest threats to fundamental rights and democracy that destroys the possibility of anonymity in public. They have called for amendments to Article 5(1)(d) of the AI Act to extend the scope of the prohibition to cover all private as well as public actors. 

And nearly 30 civil society groups wrote a letter to Zoom’s CEO calling on the company to stop using software that detects users’ emotions, The Hill and IAPP News report. The letter came in response to reports that Zoom was beginning to roll out post-meeting sentiment analysis for hosts: “Facial expressions are incredibly variable from culture to culture and nation to nation, making creating an algorithm that can judge them equally difficult.” The groups also launched an online petition demanding that Zoom drop the technology.

The post Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent appeared first on TechGDPR.

Weekly digest May 2 – 8, 2022: DPO dismissals, shareholders, athletes privacy, passwordless future & more
https://techgdpr.com/blog/weekly-digest-09052022-dpo-dismissals-shareholders-athletes-privacy-passwordless-future/
Mon, 09 May 2022 08:17:36 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: DPO dismissals, Connecticut privacy draft law, EU Health Data Space

An Ius Laboris blog post explains when data protection officers enjoy special protection from dismissal. Art. 38(3) of the GDPR expressly states that they shall not be dismissed or penalised by the controller or the processor for performing their tasks, an additional guarantee that DPOs cannot be dismissed for the mere performance of their duties. This raises the question of whether DPOs should enjoy further guarantees of the kind given to employees appointed as workers’ representatives. Spanish law does not expressly provide this for DPOs. However, in 2021 the Labour Chamber of the High Court of Justice of Madrid examined the remedies available to a DPO in the event of unfair dismissal, in particular whether they are entitled to choose between reinstatement and an unfair-dismissal severance payment where there are no valid grounds for the dismissal. In the end, the court allowed both. Read more on DPO dismissals here.

Meanwhile in the US, Connecticut legislators from both chambers passed a major act on personal data privacy and online monitoring (SB 6). It is currently under consideration by the State Governor. If the bill becomes law, it will take effect on July 1, 2023, making Connecticut the fifth state to enact a comprehensive data privacy law, JD Supra News & Insights reports. SB 6 would apply to individuals or entities that conduct business in Connecticut and, during the preceding year, controlled or processed the personal data of at least either: a) 100,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction, or b) 25,000 consumers, where the business derives more than 25% of its gross revenue from selling personal data. It also protects sensitive data, such as data on minors, ethnic origin, citizenship and immigration status, with a number of exceptions for data covered by HIPAA or the FCRA. 

Its main principles and obligations on data controllers include: 

  • Data Minimization 
  • Duty to Avoid Secondary Use
  • Security Practices
  • Consent
  • Privacy Notices
  • Non Discrimination 
  • Data Protection Assessments

And for data processors: 

  • Data Processing Agreements
  • Data Subject Request
  • Duty of Care (assisting the controller)
  • Data Protection Assessments
  • Confidentiality
  • Subcontractors

According to Reuters, the European Commission wants to make health data easier to access by 2025 for patients, doctors, regulators and researchers in a bid to improve diagnoses, cut unnecessary costs from duplication of medical tests and boost medical research. Electronic prescriptions are also estimated to lead to large savings by reducing errors in dispensing medicines, as many states still use paper prescriptions. Under the plan:

  • Healthcare providers would be required to produce electronic health data that are interoperable.
  • Data generated from patients’ health records and wellness apps would be pooled in compatible formats, and 
  • made accessible to patients, regulators and researchers under strict rules to protect privacy. (eg, anonymised health records for analysts and data professionals)
  • Stronger cybersecurity is also planned.

In parallel, last week the European Commission announced that it had launched the European Health Data Space, (EHDS), one of the central building blocks of a strong European Health Union. The EHDS builds further on the GDPR, proposed Data Governance Act, draft Data Act and NIS Directive. It complements these initiatives and provides more tailor-made rules for the health sector. The EHDS will make use of the on-going and forthcoming deployment of public digital goods in the EU, such as Artificial Intelligence, High Performance Computing, cloud and smart middleware. In addition, frameworks for AI, e-Identity and cybersecurity, will support the space.

Official guidance: UK regulators’ work plan, opinion on Data Act, athletes’ data, treatment of health data

The UK government promises to bring together the major regulators tasked with regulating digital services in 2022-2023: the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO), and the Office of Communications (Ofcom). Their key priorities, among many, will be:

  • Protecting children online: This includes a joint working framework to support the oversight of Ofcom’s Video Sharing Platform regulatory framework and the ICO’s Age Appropriate Design Code regime, as well as joint research on age assurance.
  • Promoting competition and privacy in online advertising: This includes the CMA and ICO working together to review: Google’s emerging proposals to phase out third-party cookies; and Apple’s App Tracking Transparency and Intelligent Tracking Prevention features.
  • Developing a clear articulation of the relationships between competition and online safety policy.
  • Continuing to develop the understanding of end-to-end encryption, etc. Read the full workplan here.

The EDPS and EDPB published their joint opinion on the proposed Data Act. The draft law aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects, (‘Internet of Things’), medical or health devices and virtual assistants. It also aims to enhance data subjects’ right to data portability under Art. 20 of the GDPR. The EDPB and EDPS urged legislators to ensure that data subjects’ rights are duly protected, namely:

  • The access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles.
  • Products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy-intrusive way possible.
  • Clear limitations regarding the use of the relevant data for purposes of direct marketing or advertising; employee monitoring; calculating or modifying insurance premiums; and credit scoring.
  • Limitations on the use of data should also be provided to protect vulnerable data subjects, in particular minors.
  • Defining the legal basis of emergency or “exceptional need” in which public sector bodies and EUIs should be able to request data.
  • Designating national data protection authorities as coordinating competent authorities under the Data Act.

Meanwhile, the EU Parliament adopted a set of proposals to develop AI in the long term. The report warns that the EU needs to act fast to set clear standards based on EU values, otherwise the standards will be set elsewhere. As AI technologies depend on available data, sharing of data in the EU needs to be revised and extended. Full integration and harmonisation of the EU digital single market will help cross-border exchange and innovation. Other measures include: 

  • Digital infrastructure should be strengthened, ensuring access to services for everyone. 
  • The deployment of broadband, fibre and 5G should be supported and key emerging technologies such as quantum computing should be a priority. 
  • The EU should support the development of AI skills so that people have the skills needed for life and work. 
  • The military and security aspects of AI also need to be tackled: the EU should cooperate internationally with like-minded partners to promote its human-centric, EU-value based vision, says the report. Learn more about the AI roadmap and the special committee report here.

The Spanish data protection authority AEPD has added a news section to its website on health and data protection (in Spanish). The knowledge base is made up of seven sections that range from general information on the treatment of health data and how to exercise the right of access to medical records, to issues related to medical research and clinical trials or personal data breaches. The objective is to have a systematised compendium of legislation, criteria, doctrine and precedents. In 2021, 680 health-related claims were registered by AEPD, an increase of 75% compared to 2020. Additionally, in the second half of 2021, 15% of the breach notifications received by the regulator were made by data controllers whose main activity sector is healthcare or in the field of health.

Data protection in sport and the legal implications of collecting athletes’ data were analysed by Australian lawyers from Holding Redlich. Data collection in sport is not new. It has long been commonplace to record athletes’ data, particularly things like heart rate, to understand the body and ultimately increase performance. “What is changing though is the type of data that can be collected, the technological advances, the ease at which it can be collected and the ways in which the data can be stored and manipulated” states the article. Additionally, data collection is no longer limited to the time an athlete is actually training, with a variety of sources and data types proliferating. It is therefore important to oblige sporting organisations to:

  • account for and govern the collection and use (including disclosure) of personal information;
  • base collection on the principle of ‘reasonably necessary’ (this depends on whether there is a clear connection between the information collected and the organisation’s functions or activities);
  • ensure the integrity of, and an athlete’s ability to correct, their personal information;
  • provide individuals with the rights to access their personal information and to make a complaint;
  • require a higher level of privacy consideration for sensitive athlete data;
  • include in contracts with athletes clauses, or a well-drafted privacy policy, that govern the collection and use of data, and ensure these clauses are sufficiently broad, etc.

Data breaches, investigations and enforcement actions: abortion clinic visits, shareholders data, alarm services footage

US data broker company SafeGraph may be selling the location data of people who have visited health clinics that provide abortion services, according to IAPP News reports. The data sets (location data from ordinary apps installed on people’s phones) reportedly show where groups of patients came from, how long they stayed at the clinic and where they went afterwards. Sometimes app users don’t even know that their phone—be that via a prayer app, or a weather app—is collecting and sending location data to third parties. The company then calculates where it believes a visitor lives by their US Census block. Additionally, there are concerns that vigilante activity and harassment of patients by anti-abortion activists could increase due to the availability of such location data. Read the full investigation on the topic by Vice here.

The Norwegian data protection authority has reprimanded seafood company Mowi for failing to disclose to the company’s shareholders all information required by the country’s privacy legislation. This is personal data that Mowi has collected directly from the company’s share managers (nominees). In Norway and other European countries, you can buy shares in listed companies via a bank that acts as the manager of the shareholding. This means that the company does not necessarily know who its shareholders are. However, the Public Limited Liability Companies Act gives the company the right to be informed by the nominee who the underlying owner of the shares is. When the company obtains such information from the manager, personal information is processed. The company must therefore provide the relevant shareholders with all the information required, so that whoever buys shares via their bank is aware that their data can be shared with the company they bought shares in.

The Swedish privacy regulator IMY initiated an inspection of the alarm company Verisure. Media reports claim that employees of the alarm company, when handling incoming alarms, shared security footage and images among themselves in various ways without justification. The pictures were saved on employees’ own hard drives, and IMY has also received complaints from customers regarding Verisure’s processing of personal data.

The inspection will establish what has happened, but will also examine what technical security measures the company has in the form of authorisation controls and logs, and what instructions are given to employees on how images may be handled. It will establish what routines are followed when alarms are received, in which situations customers’ cameras are activated, what rules and routines exist for taking pictures and saving them on an employee’s hard drive, and finally whether the information that has appeared in the media is correct.

Data security: passwordless standards

‘Your Phone May Soon Replace Many of Your Passwords’, says US cybersecurity guru Brian Krebs in his latest blogpost. Apple, Google and Microsoft announced they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services: “Apple, Google and Microsoft already support these passwordless standards, (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device”. Experts predict the changes should help repel many types of phishing attacks and ease the overall password burden on Internet users, says the article.

Big Tech: bank consumer data, competition and privacy on digital platforms

The Bank for International Settlements, the central bankers’ umbrella organisation, has published a paper calling for consumers and companies to have control of their digital data. The paper notes that consumers are mostly unaware of the value of their data and should be freely able to opt in or out of data collection at will, within a transparent, safeguarded data governance system. Citing the experience of India’s Data Empowerment Protection Architecture, the paper says such a system need not be expensive and can operate at scale. Read the full text here.

How much does competition trump privacy where personal data is concerned? How much does this issue figure in the minds of regulators, keen to support business, and civil society groups (CSGs), concerned with protecting freedoms? This is particularly relevant for digital platforms, such as social media platforms, search engines, digital entertainment, or online retailers. The way in which market dominance is traditionally measured does not always capture the extent of these companies’ market power, as their products and services are often ‘free’ to consumers. This trend is fuelled by the increasing reliance of many sectors of the economy on data, particularly personal data. Privacy International took input from 10 international regulatory authorities and around three times that number of civil society groups, and has published the findings in a report.

Access to personal data is perceived as an increasingly valuable capability in the digital economy, and its acquisition at vast scale is what allows big tech companies to make billions of dollars each year via targeted advertising. Among the report’s main conclusions is that competition and personal data considerations are part and parcel of the way both regulators and CSGs work, and this is not specific to any legal jurisdiction or location. You can read the full report here.

The post Weekly digest May 2 – 8, 2022: DPO dismissals, shareholders, athletes privacy, passwordless future & more appeared first on TechGDPR.
