Intelligent Transport Archives - TechGDPR
https://techgdpr.com/blog/tag/intelligent-transport/

Weekly digest January 17 – 23, 2022: EU Digital strategy, smart transport and cities, AI taxonomy, Bluetooth security
https://techgdpr.com/blog/weekly-digest-24012022-eu-digital-strategy-smart-transport-and-cities-ai-taxonomy-bluetooth-security/
Mon, 24 Jan 2022 09:49:06 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU Digital Strategy, IoT, biometrics policing program, US surveillance ads

The EU Parliament moved on the implementation of the Digital Services Act (part of the EU Digital Strategy), which regulates platforms for a safer online space for users. MEPs gave the green light to open negotiations with member states. The Parliament introduced several changes to the Commission’s proposal, exempting micro and small enterprises from certain obligations, including on:

  • Targeted advertising: more transparent and informed choice for the recipients of digital services, including information on how their data will be monetised. 
  • Refusing consent shall be no more difficult or time-consuming than giving consent. 
  • If their consent is refused or withdrawn, recipients shall be given other options to access the online platform, including “options based on tracking-free advertising”.
  • Targeting or amplification techniques involving the data of minors or special categories of data for the purpose of displaying ads will be prohibited.
  • Recipients of digital services and organisations representing them must be able to seek redress for damages.
  • Platforms should be prohibited from using user deceiving or nudging techniques.
  • Very Large Online Platforms should provide at least one recommender system that is not based on profiling. 

The EU Commission published its latest competition sector inquiry report into the consumer Internet of Things (IoT). Among the main areas of potential concern are:

  • The role of voice assistants and smart devices as intermediaries for data generation and collection, which would allow them to control user relationships. 
  • The extensive access to data, including information on user interactions with third-party smart devices and consumer IoT services by providers of voice assistants. 
  • The access to and accumulation of large amounts of data allow voice assistant providers to improve their market position. 

The IoT inquiry urges companies to review their commercial practices, as its findings will inevitably add to the ongoing legislative process on the EU Digital Markets Act (part of the EU Digital Strategy). Read the report and the staff working document for more detailed information.

According to Human Rights Watch, Greece’s new biometrics policing program can undermine privacy and create risks of profiling and other abuses. The police reportedly would use hand-held devices to gather biometric information (fingerprints, faces) from people on a vast scale and cross-check it against police, immigration, and private sector databases, primarily for immigration purposes. Human Rights Watch believes that a) the Greek police should use their authority to stop people and require them to show identity documents only when based on a reasonable suspicion that the person is involved in an illegal activity, and b) the police should put in place systems to check the validity of identity documents without detaining people or gathering personal biometric data. In 2019 the Greek police signed a contract with Intracom Telecom to help create the “smart policing” program. Since 2020, the Hellenic Data Protection Authority (DPA) has been investigating its lawfulness. The launch of the program was planned for 2021, but has been delayed a couple of times.

The Banning Surveillance Advertising Act was introduced in the US House of Representatives. The draft legislation prohibits advertising networks and facilitators from using personal data to target ads, with the exception of broad location targeting to a recognized place (such as a municipality). The bill also prohibits advertisers from targeting ads based on protected class status information, such as race, gender, and religion, and personal data purchased from data brokers. However, it makes explicit that contextual advertising, which is advertising based on the content a user is engaging with, is allowable. It also provides authorisations for the FTC or the state attorneys general to enforce violations of the Act. Read the full draft law here and detailed section-by-section summaries here.

Official guidance: Bluetooth security, clinical trials Code of Conduct, the right to access, housing, processor/EU representative

The US National Institute of Standards and Technology (NIST) has published its updated guide on Bluetooth security. Bluetooth wireless technology is used primarily to establish wireless personal area networks, and has been integrated into many types of business and consumer devices. The Bluetooth specifications define several security modes; each version of Bluetooth supports some, but not all, of them, and some modes do not require any security at all. The updated NIST guide provides exhaustive information on the security capabilities of Bluetooth and gives step-by-step management, technical and operational recommendations to organizations employing Bluetooth wireless technologies on securing them effectively.

The European Federation of Pharmaceutical Industries and Associations, EFPIA, confirmed that its GDPR Code of Conduct on Clinical Trials and Pharmacovigilance has progressed to the final phase of review by data protection authorities prior to formal submission to the EDPB for approval. The EFPIA believes that a GDPR Code of conduct will:

  • Enable the sector to align on key data protection positions, providing more consistency, clarity and certainty for clinical research. 
  • Bring more certainty to third parties (patients, ethical committees and hospitals). 
  • Clarify the linkages between the GDPR and other key sectoral legislation such as the Clinical Trials Regulation.
  • Respond to the Commission’s policy ambition for the European Health Data Space to improve data governance, etc.

The EDPB adopted guidelines on the right of access that enables individuals to get knowledge on how and why their personal data is processed by organisations. Among others, the guide provides clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of 6 weeks and made available on the EDPB website once these have been completed.

The Bavarian data protection authority for the private sector, BayLDA, is examining the area of housing management and, in particular, self-disclosure of prospective tenants, DataGuidance reports. The BayLDA clarified that when contact is made and a viewing appointment is arranged, information about the prospective tenant’s occupation and income is not yet required. Only if the person viewing the flat continues to be interested is it permissible to ask about the number of people moving in and the prospective tenant’s occupation and income. If at the end of the selection process the landlord would like to conclude a tenancy agreement with the person, then the submission of a self-disclosure from a credit agency may also be requested before the conclusion of the agreement.

The Croatian data protection authority AZOP analyzes the possibility for a processor to perform the role of a controller’s EU representative. The regulator states that in order to ensure that the processor in the given scenario is not in conflict in terms of two duties, it would be advisable to establish processes and practices in the work environment that will promote effective control, management and resolution of conflicts of interest, (eg, open communications and dialogues related to ethics, education of its employees). At the same time, the establishment of these procedures and excessive control of the processor, in terms of the representative’s remit, in practice could be unenforceable and counterproductive, which would result in distrust of the controller. Thus, the regulator concludes that performance of two functions in the same person would represent a possible conflict of interest, and should be prevented.

Data breaches, Investigations and Enforcement actions: aggressive telemarketing, Red Cross, demonstrators, IT solutions’ failed security

The Italian data protection authority, “Garante”, fined Enel Energia, (multinational manufacturer and distributor of electricity and gas), 26,5 mln euros for aggressive telemarketing, consumer data used without consent and failure to comply with the accountability principle. The decision was issued following hundreds of complaints by users who had received unsolicited calls, some of them based on pre-recorded messages. Others had found it difficult to exercise their data protection rights and had encountered problems handling their data in connection with the supply of utility services both on the company’s website and through the app released to manage power consumption. Enel Energia was ordered to bring all processing by its sales network into compliance with suitable arrangements, to implement further technical and organisational measures to handle data subjects’ requests, in particular, the right to object to processing for promotional purposes, and to provide feedback on those requests by no later than 30 days.

A massive cyber-attack targeted Red Cross Red Crescent data on 500,000 people, from files at an external company in Switzerland that the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly. The attack compromised confidential information on highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. In response the ICRC had to shut down the Restoring Family Links systems. The organisation asks those responsible for the attack not to share, sell, leak or otherwise use this data.

The Portuguese data regulator CNPD fined Lisbon city municipality 1.25 mln euros in a case related to the processing of personal data of participants in demonstrations. The mayor’s office had committed 225 breaches of demonstrators’ personal data between 2018 and 2021, namely, when their details were shared with the embassies of several countries, BBC reports. More than 100 other breaches that occurred since 2012 were not covered as they pre-dated the GDPR. Some of the breaches reportedly could have attracted fines of up to 20 mln each, but the regulator had refrained from imposing these due to the effect of the pandemic on public finances. When the story broke in June 2021, the data protection officer and cabinet in charge of handling protesters’ data were dismissed, and an external audit of the city hall’s data protection policies was ordered to take place, Reuters reports.

The Maltese data protection authority, IDPC, issued its decision on the personal data breach suffered by C-Planet (IT Solutions). In 2020 the regulator was informed about a security incident encountered by the company. The investigation concluded that C-Planet, in its capacity as controller, was processing the personal and special categories of data that were impacted by the breach, in violation of articles 5, 6, 9 and 14 of the GDPR. C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Additionally, the controller failed to notify the breach to the regulator within the deadline and to communicate the same to the affected data subjects. The IDPC imposed a proportionate fine of 65,000 euros on the microenterprise, taking into account its turnover, and ordered the erasure of the personal data which had been processed in an unlawful manner.

Data security: C-ITS, Smart Cities, Remote identity proofing

The German Federal Office for Information Security published its Technical Guidance on Cooperative Intelligent Transport Systems, C-ITS, (available in English). Among many provisions it describes trust and privacy management concerning the establishment and maintenance of identities and cryptographic keys. Because links between a vehicle and its user can be either directly or indirectly deduced, the impact on privacy of the road users should be minimized through:

  • Pseudonymity: a C-ITS station may use a resource or service without disclosing its identity but can still be accountable for that use. 
  • Unlinkability: Unlinkability denotes that a C-ITS station may make multiple uses of resources or services without others being able to link them together. 

Classically, authenticity and integrity are ensured by means of a security architecture with support of a Public Key Infrastructure. In C-ITS pseudonymity and unlinkability are incorporated and balanced with integrity and authenticity by means of separation of duties and commonly changing pseudonym certificates, so-called Authorization Tickets. Read the full C-ITS guide here. 

The German Federal Office for Information Security also published its recommendations for action on information security in Smart Cities and Smart Regions (in German). Smart cities and regions also use the potential of digitization for municipal services of general interest, for example in the provision of services in the public interest, such as local public transport or waste disposal. Information security, especially of the underlying municipal IoT infrastructures, is of crucial importance. The target group is municipal decision-makers and those responsible for operations, such as a chief digital officer of a municipality or a manager for a municipal IoT project. The recommendations are also structured based on the lifecycle of an IoT infrastructure. You can see the full guide here.

Meanwhile the EU agency for Cyber Security, ENISA, published an explainer on Remote identity proofing. Online users expect access to various services anytime and anywhere. The need to securely onboard and prove a customer’s identity remotely is therefore becoming critical for organisations. Identity and technology providers have implemented both active and passive security controls which mostly involve the use of video and operator intervention (eg, biometric acquisition, liveness checks, ID acquisition, authenticity checks, face comparison). Video allows a greater number of security checks and operators help artificial intelligence to identify any new types of attack. Although many have faith in facial recognition technology, algorithms cannot understand and detect new fraud techniques (eg, deep fakes) on their own. Therefore, humans are needed to clean and tag data, enabling quality training that will result in better performance and the mitigation of adversarial attacks.

Audits: Emailmovers Ltd

Following a test data purchase initiative run by the UK Information Commissioner’s Office (ICO), Emailmovers Ltd (EML) was investigated as serious concerns were identified about its data protection compliance. The investigation resulted in an enforcement notice followed by a consensual audit of the company systems. The checks took one week. The scope of the audit focused on the processing of personal data within EML’s marketing database and covered the following key control areas: governance, sourcing personal data, transparency and lawful basis for processing, data supply and sharing, individual rights. The ICO identified both good practices (proactive approach, training, managerial involvement in decision making) and areas for improvement (defining retention periods, maintaining a record of processing activity and decisions taken, notifying recipients of personal data about the existence and outcomes of individual rights), which can be read in the audit documentation.

AI: taxonomy and business models

The European Institute of Innovation and Technology published two reports on Artificial Intelligence business models and taxonomy in Europe. Both reports give in-depth recommendations on how to streamline knowledge, experience and expertise in AI deployment as well as connect, share and encourage an open innovation environment with policy leaders, industrial experts and innovator communities, (AI application providers, infrastructure providers and adopters). The trust ecosystem on Ethical AI includes but is not limited to such dimensions: 

  • human agency and oversight;
  • technical robustness and safety (Including resilience to attack and security, fall back plan and general safety, accuracy, reliability and reproducibility); 
  • privacy and data governance (Including respect for privacy, quality and integrity of data, and access to data); 
  • transparency (Including traceability, explainability and communication); 
  • diversity, non-discrimination and fairness (Including the avoidance of unfair bias, accessibility and universal design, and stakeholder participation), and more.

Big Tech: Apple AirTags, Google’s age-appropriate policy

Police across the US are reporting cases where stalkers have used Apple AirTags to target their victims, according to the Guardian. Paired with the FindMy app, the attachable coin-sized gadget was designed so you would never lose anything again, but slipped into a bag or coat pocket it is the perfect tracking device for criminals. Other international police forces have also reported similar abuse of the AirTag, and associated car theft. While the AirTag’s several anti-abuse features mean it is less dangerous than other stalkerware available, an additional problem is the inconsistency of police response. A 2021 Norton report claims stalkerware is growing fast, jumping in 2020 and the first half of last year.

Google has fallen foul of the rules of the UK’s Children’s code, introduced last September, which sets online services 15 privacy and design standards to protect minors. Google said it would immediately improve enforcement of an age-sensitive ad policy after Reuters reported age-sensitive advertising for high-risk financial instruments, adult toys and alcohol was evading Google’s filters and safeguards. Campaigners 5 Rights Foundation, which reviewed Reuters’ findings, say all tech companies should do more to ensure compliance with the new rules and consumers should beware of “safety washing” as there were still too many cases, indicating companies had yet to get serious about implementing changes.

Weekly digest Dec 27 – Jan 2, 2022: Intelligent transport, Oracle and Salesforce court victory, the death of Blackberry, fan tokens
https://techgdpr.com/blog/weekly-digest-03012022-eu-intelligent-transport-oracle-salesforce-court-victory-the-death-of-blackberry-fan-token/
Mon, 03 Jan 2022 10:13:42 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU Intelligent transport, Oracle and Salesforce court victory, discriminating AI in DC, privacy in Ukraine

The European Commission revised its Intelligent Transport Systems (ITS) Directive to advance smart mobility. The aim is to stimulate the faster deployment of new, intelligent services, by proposing that certain crucial road, travel and traffic data is made available in digital format. ITS applies information and communication technologies such as journey planners, eCall, and automated driving in transport. Since 2010, the ITS Directive has been the tool to ensure the coordinated deployment of such systems across the EU, based on European specifications and standards. The revision includes:

  • an extension in the Directive’s scope to multimodal information (apps to find and book journeys that combine public transport, shared car, or bike services),
  • communication between vehicles and infrastructure to increase safety and mobility,
  • the collection of crucial data and the provision of essential services such as real-time information services informing the driver about accidents or obstacles on the road,
  • updated obligations under the GDPR, and in consultation with the EDPS, on the security of personal data and the need for controllers to comply with their obligations,
  • using anonymisation as one of the techniques for enhancing individuals’ privacy.

Read the full text of the proposal here, and the Annex here.

A court in the Netherlands says a billion euro claim against Oracle and Salesforce is not admissible. The Privacy Collective (TPC) foundation filed a lawsuit against the tech giants in 2020 for violations of the GDPR. The two US-based companies reportedly collected data from at least 10 million Dutch internet users for advertising purposes, and created a personal profile of each web surfer that they could trade. TPC claimed 500 and 600 euros respectively per victim from Salesforce and Oracle. The latter is also said to have leaked data. On the internet, TPC appealed to the public in a case under the Mass Damages in Collective Action Settlement Act. By clicking on an icon with the text ‘support with 1 click’, internet users were able to support the claim. The initiative received 75,000 statements.

According to the court, however, it is not possible to determine with these ‘likes’ whether the foundation really stands up for enough injured parties. No contact details are registered for the internet users who ‘clicked’. In addition, TPC is unable to maintain contact with its supporters, which is an important condition of the law. TPC is considering an appeal.

The use of artificial intelligence to determine access to credit and other important life opportunities has been targeted by the District of Columbia, Venable LLP reports. DC’s Attorney has introduced the “Stop Discrimination by Algorithms Act of 2021”, which may be considered through January 1, 2023. The proposed legislation adds civil rights protections to protect communities from alleged harm caused by algorithmic bias by:

  • prohibiting using algorithms that produce biased and unfair results;
  • performing annual audits, reporting the results and needed corrective steps;
  • documenting how their algorithms are built, how the algorithms make determinations, and how all of the determinations are made;
  • disclosing to all consumers about their use of algorithms to reach decisions, what personal information they collect, and how their algorithms use it to reach decisions;
  • adverse action (if businesses make an unfavorable decision based on an algorithm, they must provide a more in-depth explanation);
  • dispute and corrections opportunity to prevent negative decisions based on inaccurate personal information.

The bill would apply to individuals, legal entities and service providers that make or rely on algorithmic eligibility determinations or algorithmic information availability determinations. Read more about the coverage, key definitions and the enforcement of the Algorithms Act in the original publication.

In 2021 almost 4000 people applied to the Ukrainian Parliament’s Commissioner for Human Rights to protect their right to privacy, which is twice as many as last year. Individuals, (mostly legal professionals, representatives of human rights and public organizations, people with disabilities, etc), asked for the protection of their personal data in connection with:

  •  activities of debt collection companies and macrofinancial institutions, and
  •  publication of personal data in messengers, social networks and on the official websites of public authorities and local governments.

During the implementation of measures to repay overdue debt, collectors resort to insults and psychological pressure not only against debtors, but also against members of their families, friends or acquaintances. For that reason, the law on consumer protection in settlement of overdue debts came into force last year. At the same time, the draft law “On Personal Data Protection” and the draft law “On the National Commission for Personal Data Protection and Access to Public Information” were registered in the Ukrainian Parliament. The legislators aim to implement both drafts within the next few months to be able to launch the data privacy reform by 2023 as part of the integration to the EU Digital Single Market, implementation of the EU-Ukraine Association Agreement, and the wider government digital agenda.

Official guidance: China’s automotive sector, employment data and asylum seekers fingerprints in the EU

China’s latest data protection implementation rules include new data guidance for the automotive industry, analyzed by Paul Hastings LLP. It became one of the first sets of industry-focused implementation rules of the new Data Security Law and the Personal Information Protection Law. The auto industry provisions elaborated on:

  • Automotive Data, which included personal information data and important data involved in the process of automobile design, production, sales, maintenance, etc. 
  • Automotive Data Processors – manufacturers, components and parts suppliers, software suppliers, dealers, maintenance organizations, and mobility service companies, ride-hailing and sharing services.
  • Personal Information and sensitive personal information (eg, vehicle trajectory, driving habits, audio, video, images, biometric identification).
  • Important Data (eg, geographical information, vehicle flow, personal information involving more than 100,000 subjects).

Key Principles in automotive data processing are:

  • all automotive data must be processed inside vehicles unless it is absolutely necessary to send it out;
  • unless a driver makes a specific selection otherwise, the default setting should be non-collection each time the driver drives the vehicle;
  • the coverage and resolution of cameras and radars, among others, should be determined according to the requirements for data accuracy of the functions and services provided;
  • principle of desensitization (data processors are required to apply anonymization and de-identification during processing, if possible).

The Gibraltar data protection authority published fresh guidance on data protection in the employment context (in English). The document provides general guidance on the legitimate expectations of employees with regards to the processing of their personal data by employers, as well as the legitimate interest of employers in deciding how best, within the boundaries of data protection law, to run their organisations:

  • The obligations of the employer of accountability and implementation of appropriate security measures to protect employee personal data.
  • Recruitment and selection recommendations in relation to personal data in areas such as ‘advertising and applications’, ‘interview notes’, ‘vetting’ and ‘retention’. 
  • Employment records and the responsibility of the employer to appropriately notify employees of the personal data processing activities. 
  • Monitoring in the workplace.
  • Remote working and the risks presented regarding the security of personal data. 
  • Compatible, administrative infrastructure that allows adequate data protection.

Asylum seekers and migrants arrested at the EU’s external borders are required to give their fingerprints. This data is kept in the Eurodac file. The EU Agency for Fundamental Rights publishes, in collaboration with multiple data protection authorities, a guide intended to better inform people about the use made of their fingerprints, (now available in all EU languages). EU law requires giving the following information:

  • it is an obligation to give fingerprints,
  • ten digital fingerprints, the gender, the country fingerprinting, the place and date of the asylum application (if applicable). No other personal data is stored,
  • in case more personal data, such as name or age, is collected by the authorities, migrants should be informed about the importance of providing accurate data,
  • the fingerprints are kept for 10 years, (if an asylum seeker), or for 18 months, (if an irregular migrant). After that data is automatically deleted,
  • only competent asylum and immigration authorities can access the data,
  • the police and Europol can access the data under strict conditions,
  • communicate why fingerprints are collected and the person’s rights.

The information given must be concise, transparent, comprehensible and in an easily accessible format, written in clear and plain language, adapting to the needs of vulnerable persons, such as children. Where necessary the information should be provided orally in a language that the person understands. Also, a copy of the personal data collected is provided. This helps to exercise the right to access and the right to delete and correct the data.

Data breaches, investigations and enforcement actions: Slimpay, JP Morgan Securities, BBVA

French regulator CNIL sanctioned Slimpay with a fine of 180,000 euros for having insufficiently protected users’ personal data and not having informed them of a data breach. Slimpay offers recurring payment solutions to its customers. During 2015, it carried out an internal research project, during which it used the personal data contained in its databases. When the research project ended in 2016, the data remained stored on a server, without special security measures and was freely accessible from the Internet. It was not until 2020 that Slimpay became aware of the data breach, which affected approximately 12 mln people. Persons affected by the data breach are located in several countries of the EU, so cooperation was needed between the supervisory authorities of four countries – Germany, Spain, Italy and the Netherlands.

The US Securities and Exchange Commission, (SEC), announced that JP Morgan Securities agreed to pay 125 mln dollars to resolve charges that it failed to safeguard written communications of its employees. Its employees, including supervisors and managing directors, regularly used non-company messaging tools such as Facebook’s WhatsApp, text messages and personal email accounts to discuss company business. The company admitted that none of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. The fine is the largest the SEC has ever leveled against a firm for record-keeping violations, beating the previous record of 15 mln, imposed on Morgan Stanley in 2006.

The Spanish data protection authority, the AEPD, fined Banco Bilbao Vizcaya Argentaria, (BBVA), 60,000 euros for insufficient legal basis for data processing. The claimant was receiving constant messages on his mobile phone from BBVA about defaults, appointments, etc. The claimant demanded deletion of the number; however, it was not found in the client database. The investigation found that the text messages were an error on the part of the team in charge of carrying out functional tests of the tool designed to send notifications from the Bank to its clients. The team wrongly believed that said number did not exist or was not operational and therefore no one was going to receive such fictitious notices.

Audits: Oxford Health NHS Foundation Trust

The UK Information Commissioner’s Office published the Oxford Health NHS Foundation Trust data protection audit report. A major NHS health trust provides physical & mental health and social care for people of all ages in the UK. Its services are delivered at community centres, hospitals, clinics and people’s homes. With an overall reasonable assurance level, the executive summary proposes some areas of improvement:

  • The Trust’s Records of Processing Activity requires upgrading. The evidence provided was more of a data flow map and therefore is not fully in line with the requirements of Art. 30 of the UK GDPR. The requirements include having a record of the name and contact details of the data controller, description of the categories of individuals and recipients of personal data, retention schedules and a description of the technological and organisational security measures in place.
  • The Trust has a Data Protection Officer in place who also holds other positions and responsibilities. The Trust needs to consider if these additional roles and responsibilities pose a conflict of interests or a demand on their time, which could impact on their duties as DPO. 
  • There is no Information Sharing Agreement (ISA) log to record vital information pertaining to current ISAs.
  • There is a lack of specialised training for staff with data sharing roles and those that deal with children’s data.  
  • There is no dedicated Information Sharing policy or procedure to provide guidance on ad hoc disclosures as well as the assurances that all ISAs include effective incident management procedures.

Big Tech: China’s low-carbon data clusters, Arsenal fan tokens, the death of Blackberry, racial bias on Airbnb, Zoom latest acquisition

China has approved plans to build four mega clusters of data centres in the country’s north and west with the aim of supporting the data needs of Beijing and major coastal cities. The move comes as energy-hungry data centres located in China’s east have found it difficult to expand due to limits imposed by local governments on electricity consumption. The four new locations can use their energy and environmental advantages (wind and solar). However, their distant locations have meant the centres have struggled to provide the near-instantaneous retrieval demanded by coastal clients with little tolerance for delays. Meanwhile, a new marine economy development plan encouraged major coastal cities such as Guangzhou, Shenzhen and Zhuhai to relocate high energy-consuming data centres to underwater locations to save energy used for cooling.

Britain’s advertising watchdog, the ASA, warned Arsenal FC on Wednesday over ads for its “fan tokens,” a type of cryptocurrency embraced by soccer clubs as coronavirus pummelled their revenues. ASA said ads posted on Arsenal’s website and on Facebook were misleading as they did not make clear the risk of trading crypto, potential tax implications or that the tokens are not regulated in the UK: “The tokens, which can be traded on exchanges like other cryptocurrencies, are prone to wild swings in price and often have little connection to on-field performance.” Fan tokens allow supporters of soccer and other sports clubs to vote on minor decisions such as songs played at matches after a goal is scored, or images used on social media. Arsenal believes that fan tokens were designed to boost participation by supporters, and were “materially different” to other cryptocurrencies used as a means of payment. More than 40 clubs from Europe to South America have launched fan tokens. The largest one, launched by Paris Saint-Germain, reportedly has a total value of 49 mln dollars, versus bitcoin’s 929 bln.

Legacy BlackBerry devices lose text, call, and data functionality on January 4th, the Verge reports. Whether on Wi-Fi or cellular, there’ll be no guarantee you can make phone calls, send text messages, use data, establish an SMS connection, or even call 911. The company has experienced a slow decline since its dominant era in the late 2000s, when its QWERTY keyboards and reputation for security gave it a 50% market share in the US, but its parent company has pivoted to selling cybersecurity software.

Airbnb announced that it’s changing the way guest profiles are displayed in its app, for Oregon residents only, the Verge reports. Airbnb hosts who are based in Oregon will now see a potential guest’s initials, rather than their full name, until after they’ve confirmed the booking request. The change aims to prevent racial discrimination among hosts, by stopping them from gleaning a guest’s race from their name. The announcement follows a voluntary settlement agreement that Airbnb reached in 2019 with three Portland-area women. A 2016 study also found that Airbnb guests with names that sounded Black were 16% less likely to have bookings confirmed than guests with names that sounded white.

Zoom gets bigger on virtual events with its latest acquisition, the CNET website reports. The videoconferencing company announced the acquisition of event solutions assets from Liminal. Due to the pandemic, events have increasingly gone online, demanding more from video teleconferencing apps like Zoom. Those apps have needed to expand the features of their products or rely on third-party services like the ones Liminal provided. Liminal offered apps like ZoomISO and ZoomOSC, with individual video outputs and enhanced sound controls. Liminal’s products will remain available through its site. However, as Zoom expands on those tools and builds something similar into the platform, there will no longer be a need for them as separate add-ons.


]]>