IoT Archives - TechGDPR https://techgdpr.com/blog/tag/iot/ Wed, 11 Jun 2025 12:04:51 +0000

Data protection digest 2 – 17 Dec 2023: scoring of individuals, EU data consolidation, and the ‘Internet of Behaviours’ https://techgdpr.com/blog/data-protection-digest-19122023-scoring-of-individuals-eu-data-consolidation-and-internet-of-behaviours/ Tue, 19 Dec 2023 09:05:32 +0000

In this issue, the EU legislators moved closer to the implementation of a digital data strategy to provide European organisations with the ability to grow and compete globally. Despite the transformative effects, civil societies and cohorts of experts warn that such consolidation of European data can undermine individual data protection rights. EU regulators and courts are trying hard to strike a balance between market power and consumer privacy, as in the case of scoring individuals by debt information agencies.

CJEU decisions

Automated decision-making: The EU top court identified data processing practices by credit information agencies that contradict the GDPR. While the so-called ‘scoring’ of individuals is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR (the case concerns SCHUFA, a private company providing credit information to clients in Germany).

As regards the ‘scoring’ of individuals, the court holds that it constitutes an automated individual decision, prohibited in principle by the GDPR, in so far as SCHUFA’s clients, such as banks, attribute to it a determining role in the granting of credit. The court also considers it contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register does. The discharge from remaining debts is intended to allow the data subject to re-enter economic life and is therefore of existential importance to that person.

Non-material damage: Another decision by the CJEU concludes that the fear of possible misuse of personal data is capable of constituting non-material damage. Nonetheless, courts cannot conclude, from the mere fact that cybercriminals gained unauthorised access to or disclosed personal data, that the protective measures put in place by the data controller were inappropriate. The courts must assess the security measures concretely, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks. Finally, the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is not responsible for that damage.

EU’s AI Act

Agreement reached: On 8 December, the legislative trilogue on the draft AI Act ended and a provisional agreement was reached. AI systems are going to be regulated according to how much risk they pose to society and fundamental rights, including a list of high-risk and prohibited practices, supported by various levels of monetary fines. Limited exceptions will be available for law enforcement purposes. General-purpose AI systems will also be subject to transparency obligations, with additional codes of practice imposed on the most powerful models.

Allocation of GDPR-governed roles: Meanwhile, the German Data Protection Conference demands that the intended AI Act properly allocate responsibilities along the entire AI value chain. This is the only way to protect the fundamental rights of those affected whose data is processed by AI, states the regulatory body. Any legal uncertainty in this area would harm citizens and, in particular, small and medium-sized companies, which would bear the brunt of legal responsibility. The upcoming AI regulation should therefore specify for all those involved – including manufacturers and providers – which requirements they must meet.

EU regulatory updates

Workforce monitoring: The Council and the Parliament have reached a provisional agreement on a proposed directive to improve working conditions for platform workers. In particular, it will help ensure that workers who have wrongly been classified as self-employed have easier access to their rights as employees under EU law. The proposal also establishes the first EU rules on the use of algorithmic systems in the workplace.

Digital labour platforms regularly use algorithms for human resources management. As a result, platform workers are often faced with a lack of transparency on how decisions are taken and how personal data is used. Under the new rules, algorithms would be monitored by qualified staff, who enjoy special protection from adverse treatment. The new law also prohibits the processing of certain categories of personal data by automated monitoring or decision-making systems, including:

  • emotional or psychological state,
  • private conversations,
  • actual or potential trade union activity,
  • racial or ethnic origin, migration status, political or religious beliefs, or health status,
  • biometric data, other than data used for authentication.

Youth data protection: The Dutch data protection authority objects to a bill that would lead to large-scale data collection in youth care. The proposal is meant to enable research into the availability of youth care within municipalities. This includes child protection, assistance to young people with psychological problems and the probation service. However, it is not sufficiently clear why so much sensitive information from young people and their parents, healthcare providers and municipalities would have to be shared for such research. The availability of youth care could be investigated in a way that is much less invasive (eg, random sampling, the distribution of waiting times or the development of new statistics).

European Health Data Space

Pros: Both the Parliament and the Council have agreed on their positions on the European Health Data Space (EHDS). The new legislation would make exchanging and accessing health data at the EU level easier. The proposed regulation aims to improve individuals’ access to and control over their electronic health data, while also enabling certain data to be reused for research and innovation purposes, and to foster a single market for digital health services and products. The new rules aim to make it possible for a Spanish tourist to pick up a prescription in a German pharmacy, or for doctors to access the health information of a Belgian patient undergoing treatment in Italy.

Cons: However, several civil groups and experts have already warned about the privacy shortcomings of the cross-border exchange of electronic health data. The Irish Council for Civil Liberties recommends that the EHDS should specify a legal basis consistent with the GDPR and be specific about the permitted purposes of secondary use of electronic health data. It should also further narrow the categories of health data allowed for secondary use, to reduce risks to fundamental rights. Another international consortium of experts believes the proposal significantly reduces transparency requirements, in contrast to the GDPR, as it:

  • introduces waivers related to the provision of individual-level information to data subjects;
  • disfavours consent as a legal basis for data sharing;
  • builds up large datasets which may be extensively used for secondary purposes, which increases the risk of re-identification.

US privacy updates

FISA 702 short extension: US lawmakers reached a deal to temporarily extend major federal surveillance programs until mid-April, while talks on the future reform of the intelligence powers continue. Section 702 permits the government to conduct warrantless surveillance on any foreign national to gather “foreign intelligence information.” However, communications between Americans and the people under monitoring result in the collection of their data as well. Privacy campaigners warn that reauthorization of the intelligence powers must come with safeguards against abuse.

Opt-out preference signals: Meanwhile, the California Privacy Protection Agency has approved a legislative proposal that requires browser vendors to include a feature that allows users to exercise their California privacy rights through opt-out preference signals. Through an opt-out preference signal, a consumer can opt out of the sale and sharing of their personal information with all businesses they interact with online, without having to make individualised requests to each business. To date, only a limited number of browsers offer native support for opt-out preference signals: Mozilla Firefox, DuckDuckGo, and Brave. Google Chrome, Microsoft Edge, and Apple Safari, which together make up over 90% of the market share, have declined to offer these signals; these companies are also heavily reliant on advertising business models.

Data subject rights

Right to delete: Every time personal data is processed, the question arises as to how long the data controller may store this data. Art. 5 of the GDPR provides, as a starting point, the principles of purpose limitation, data minimisation and storage limitation. In addition, the data subjects whose personal data has been processed have a right to erasure under Art. 17 of the GDPR, with which they can request the deletion of their data under certain conditions. There are also legal retention and deletion obligations that the controller must comply with. The Liechtenstein data protection agency has put together information on its website (in German) that sheds light on the topic both from the side of the data subject and from the side of the controller.

Employment guidance

The UK Information Commissioner’s Office produced an online resource with topic-specific guidance on employment practices and data protection, with two new pieces of guidance now out for public consultation: a) keeping employment records, and b) recruitment and selection. Data protection law applies whenever you process your workers’ personal information. The law does not stop you from collecting, holding and using records about workers; it helps to strike a balance between your need to keep employment records and workers’ right to a private life, explains the regulator.

Additionally, the labour market supply chain can be complex, with end-to-end recruitment processes often involving several organisations. The use of novel technologies in recruitment processes means that organisations are processing increasingly large amounts of information about people – candidates, prospective candidates, employees, contractors, volunteers or gig and platform workers, referees, emergency contacts, and dependants.

UK-US data transfers

The ICO also offers a guide on how to comply with the rules on restricted transfers of personal data to the US using an Art. 46 UK GDPR transfer mechanism. There are a range of reasons why you may wish to use it, including:

  • your US recipient is not certified to the UK Extension to the EU-US Data Privacy Framework, or the restricted transfer is not covered by your recipient’s certification;
  • none of the eight exceptions set out in Art. 49 of the UK GDPR apply to your restricted transfer;
  • you are making the restricted transfer under UK Binding Corporate Rules; or
  • you or your US recipient uses the Addendum or the International Data Transfer Agreement as the preferred standard transfer mechanism.

You can make restricted transfers to recipients in the US using Art. 46 only if you have first completed a transfer risk assessment. This includes the latest analysis of US laws related to access and use of personal information by US agencies for national security and law enforcement, the circumstances of each transfer, and the commercial practices of you and your recipient. The requirement to complete a transfer risk assessment applies regardless of which mechanism you use or why. 

Investigations

DPO for public services: The Luxembourg data protection regulator CNPD concluded an investigation into the appointment of data protection officers by municipalities. According to Art. 37(1)(a) of the GDPR, any controller or processor must designate a DPO if “the processing is carried out by a public authority or body, except for courts acting in their judicial capacity”. At the time the investigation was opened (in 2022), 4 out of 6 municipalities had either appointed a DPO or communicated the DPO’s contact details to the CNPD. No further corrective measures have been taken, as the municipalities regularised their situation over the course of the investigations.

Enforcement decisions

Google Workspace at school: Meanwhile, in Sweden, a penalty fee was issued against a municipality that had not assessed the impact of using Google Workspace in 24 of the municipality’s schools since autumn 2020. Among other things, the platform was used for feedback on students’ school assignments. The personal data of nearly 6,000 students and 1,300 employees was processed without a proper impact assessment (Art. 35 of the GDPR) having been conducted. When the student system was put into use, the municipality relied on an older assessment from 2014, carried out by another municipality on the use of Google solutions in education, which it considered satisfactory.

Employee data requests: The Italian privacy regulator fined Autostrade per l’Italia and Amazon Italia Transport 100,000 and 40,000 euros respectively, for not having given timely and reasoned feedback, not even a denial or deferral, to requests for access to their data submitted by some employees and former employees. In the first case, a group of employees requested information on the calculation of their pay slips. When asked for explanations by the regulator, the company stated that it had not responded so as not to compromise its right to defence in court, as several legal proceedings were underway between the company and the workers regarding the methods of calculating severance pay.

In the case of Amazon, the authority followed up the complaint of a former employee about the company’s failure to respond to a request for data relating to his employment relationship. The company had not responded to the request because it was drawn up in a very broad and generic manner. In both cases, the regulator concluded that the data controller should at least have responded with the reasons for not proceeding with the request or, as in Amazon’s case, asked for more details.

Reprimands

Failed TOMs: Meanwhile, in the UK, Finham Park Multi Academy Trust was reprimanded in respect of Arts. 5 and 32 of the GDPR. An unauthorised third party used compromised credentials to access and encrypt Finham Park’s systems. 1,843 data subjects were affected by the incident, and the ICO’s investigation found that Finham Park did not have adequate account lockout or password policies in place.

The regulator also reprimanded Bank of Ireland UK for mistakes made on more than 3,000 customers’ credit profiles. It sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies, organisations that help lenders decide whether to approve financial products. This inaccurate data could have potentially led to these customers being unfairly refused credit for mortgages, credit cards or loans, or granted too much credit on products they were potentially unable to afford.

Data security

IoB and data protection: In its latest TechSonar report, the EDPS explains the privacy concerns behind the so-called ‘Internet of Behaviours’ (IoB). It is described as a “network in which behavioural patterns would have an IoB address in the same way that each device has an IP address in the Internet of Things (IoT)”. An example could be the use of patients’ and employees’ location data in hospitals during the COVID-19 pandemic to identify the behaviours that spread or mitigate the virus.

In general, IoB relies on the collection and processing of data from different IoT devices, such as wearables, smart cameras or Bluetooth and Wi-Fi sensors. Thus, it suffers from transparency and control issues because it often lacks appropriate means to inform its users. Data collection is seamless and the means to exert control over the processing are limited, states the report.

Password storage: The Italian data protection regulator and the national cybersecurity agency offer new Password Retention Guidelines (in Italian). Too often, identity theft is caused by the use of authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen credentials are then used to illicitly enter entertainment sites, social media and e-commerce portals. They can also allow fraudulent access to forums and websites for paid and financial services. The guidelines are aimed at:

  • data controllers or data processors that store the passwords of their users on their systems, relating to a large number of data subjects (eg, digital identity providers, email service managers, banks, insurance companies, telephone operators, healthcare facilities);
  • subjects who access databases of particular importance or size (eg, public administration employees); or
  • types of users who usually process sensitive or judicial data (eg, healthcare professionals, lawyers, magistrates).

Big Data

Data breach notification for telecoms: The US Federal Communications Commission adopted rules to modify its 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol, and telecommunications relay services adequately safeguard sensitive customer information. They often collect large quantities of sensitive customer data, including the telephone numbers a person has called and mobile phone location data showing the places they have been. The new rules cover certain personally identifiable information that carriers and providers hold concerning their customers and expand the definition of “breach” to include inadvertent access, use, or disclosure of customer information. They also eliminate the mandatory waiting period before notifying customers, after notification to the commission and law enforcement agencies.

Apple push notification data: Apple says it now requires a judge’s order to hand over information about its customers’ push notifications to US law enforcement, putting the iPhone maker’s policy in line with rival Google, Reuters reports. Smartphone users receive push notifications informing them of fresh messages, breaking news, etc. The servers of Apple and Google handle almost all of these alerts. This practice placed the corporations in a unique position to help government monitoring of users’ use of certain applications.

Google location data: Meanwhile Google offers updates on its Location History and new controls coming soon to Maps. For example, when you first turn on Location History, the auto-delete control will be set to three months by default, which means that any data older than that will be automatically deleted. Previously this option was set to 18 months. Also, for users who have chosen to turn Location History on, the timeline will be saved only on their device. Just like before, users can delete all or part of the information at any time or disable the setting entirely.

Data protection & privacy digest 13 – 26 Sept 2022: Google Analytics clash, caller identification, commercial practices & GDPR https://techgdpr.com/blog/data-protection-digest-27092022-google-analytics-clash-caller-identification-commercial-practices/ Tue, 27 Sep 2022 08:06:46 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: Google Analytics, risk assessment tool, work monitoring, privacy policy check-list, machine learning, APIs

The Danish data protection authority, following several other European counterparts’ decisions, concludes that the Google Analytics tool cannot be used legally without implementing several additional measures (eg, effective pseudonymisation by using proxy servers) in addition to the settings provided by Google.

The Spanish privacy regulator AEPD launched an online tool that helps assess the level of risk of personal data processing. The tool allows an initial and non-exhaustive evaluation to be carried out, which, where appropriate, must be adjusted by each controller to determine an accurate risk level for the processing.

The Latvian data protection authority DVI issued two guides (in Latvian only) on online tools for organising remote work meetings and on video surveillance of employees performing their work duties. The organisation must determine exactly why data processing during online meetings or in the workspace is necessary. The purpose of data processing must be determined precisely and realistically, and must rest on one of the legal bases of the GDPR. A privacy notice is to be made available before data processing is started. If the organisation has a data protection specialist, they must be consulted for advice on carrying out the planned processing more appropriately.

Jersey’s privacy regulator has tried to demystify Art. 12 of the GDPR – the obligation to inform. It concludes that the most direct way to communicate with your data subjects is by writing clear statements. For the best transparency when constructing a robust privacy policy, see the regulator’s privacy policy checklist.

The use of application programming interfaces, (APIs), to share personal data can promote better data protection. The French regulator CNIL launched a draft recommendation on the technical and organisational measures to be applied. It aims to identify the cases in which an API is recommended to securely share personal data or anonymised information, and to disseminate best practices regarding their implementation and use. Data sharing here means the ability of identified reusers or the public to retrieve data held by an organisation, or the ability of data holders to transmit data for reuse by others. 

The EDPS explains 10 misunderstandings about Machine Learning. ML systems adapt autonomously to the patterns found among the variables in the given dataset, creating correlations. Once trained, these systems will use the patterns learned to produce their output. Typically, the training of ML systems requires large amounts of data, depending on the complexity of the task to be solved. However, adding more training data to a machine learning model development process will not always improve the system’s performance. On the contrary, more data could bring more bias. 

Legal processes: general data retention ban, Europol database, sensitive data, digital health infrastructure, commercial practices

In Germany, the Federal Commissioner for Data Protection welcomed the CJEU preliminary ruling that the country’s general indiscriminate data retention (IP addresses, traffic, and location data) violates EU law. The law may only be applied in circumstances where there is a serious threat to national security, defined under very strict terms, stated the top court. The retention law came into force after major attacks by Islamists in Europe and cost the country’s internet and telecom industries millions of euros.


The EDPS is taking legal action as the new Europol Regulation puts the rule of law and EDPS independence under threat. The regulator requested that the CJEU annul two provisions of the newly amended Europol Regulation (which came into force on 28 June 2022). These new provisions (articles 74a and 74b) have retroactively legalised Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, overriding the EDPS Order which requires that Europol delete the datasets concerned.

The privacy commissioner of Canada, along with his provincial and territorial counterparts, endorsed a resolution that encourages governments to implement a digital health communication infrastructure that would phase out the use of unencrypted email and fax communication in favour of more secure alternatives available to all Canadians. The pandemic has spurred rapid digital advancements in the delivery of services. At the same time, data breaches in the health sector continue, potentially leading to harm including discrimination, stigmatisation, and financial and psychological distress, states the regulator.

Meanwhile, US President Joe Biden has initiated a review of foreign investment for national security risks to sharpen focus, among other things, on threats to sensitive data. The executive order instructs the dedicated Committee to consider whether a “covered transaction involves a US business with access to US persons’ sensitive data and whether the foreign investor, for instance in biotechnology or AI, has, or the parties to whom the foreign investor has ties, have sought or had the ability to exploit such information.”  

A CJEU Advocate General suggests a competition authority may consider the compatibility of a commercial practice with the GDPR. The non-binding opinion (ahead of the court’s ruling) refers to Meta’s antitrust probe in Germany. The competition watchdog prohibited the practice of users having first to accept general terms which led to cookie placement, further data sharing with group services (WhatsApp, Instagram), and linking the data to user accounts for advertising purposes. The freedom of consent given to a company in such a dominant position in the social media market is also an issue.

Investigations and enforcement actions: managing director as a DPO, Klarna Bank, caller identification, data processing contract, image publication, legal professional privilege

The Berlin commissioner for data protection BlnBDI has imposed a 525,000 euro fine on a Berlin e-commerce group’s subsidiary due to a conflict of interest on the part of the company’s data protection officer. This person was at the same time the managing director of two service companies that processed data for the group. The DPO thus had to monitor the compliance of data processing that he himself managed.

The Swedish privacy protection authority IMY, in cooperation with Germany and Austria, is investigating complaints about Klarna Bank making data rectification or objection to direct marketing difficult. For identification purposes, the complainants were asked to provide, via an unencrypted email service: their name, date of birth, e-mail address, postal address, invoice and purchase details, and sometimes their telephone number.

Vodafone Romania was fined 2,000 euros after not checking compliance with the caller identification procedure, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator’s customers. Third parties could also access data from contracts concluded by customers and data from personal accounts, such as name, address, contact phone number, PUK code, the contact number of the account holder, the SIM ID of the original card, billing and debt details, and data traffic.

In Poland, a personal data breach was reported (followed by an administrative fine) at a cultural centre. The investigation found that the controller had entrusted another entity with processing (keeping accounting books and financial and tax records, and storing documentation) without concluding a written contract. The controller did not verify the processor, did not check whether it provided appropriate technical and organisational measures, and did not have any documents confirming verification of the terms of cooperation. Additionally, communication with the controller was ineffective.

The Spanish data protection authority AEPD fined a company (Digitecnia Solutions) for publishing on its website an image of a complainant to illustrate the work they were doing. The image did not show the complainant in full, but he could be seen in part. This, together with the fact that he appeared linked to Digitecnia, was information that made this person identifiable. All this constituted processing of the claimant’s personal data, of which he was not aware.

The Isle of Man information commissioner issued an enforcement notice to Sentient International regarding the company’s refusal to comply with a data subject access request. Sentient decided to restrict the data subject’s right of access, believing that the right of access does not apply to data consisting of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. The regulator clarified that the rule applies to some documents, but not to the personal data therein, such as communications that were not made for the dominant purpose of obtaining or providing legal advice. Also, legal professional privilege cannot be applied retrospectively.

Data security: data put online by hackers, SMEs, IoT, and ZTA in a mobile world

The French privacy regulator CNIL notes a clear increase in data breach notifications, nearly half resulting from ransomware attacks. In some cases, users’ personal data may be put online by hackers. If a breach affects you, the responsible body must inform you as soon as possible. The CNIL is not able to tell you whether a breach impacts your data. Some websites claim to hold the data and to be able to tell you whether or not you are affected; the CNIL advises against using them.

The German federal office for information security has published a guide on cybersecurity for small and medium-sized enterprises. It offers SMEs an easy-to-understand introduction to improving their cyber security level because information security is the prerequisite for secure digitisation. It starts with the most important basics of IT security – briefly and concisely based on 14 questions. Among other things, it provides information on who is responsible for information security in the company, why patches and updates should be installed regularly, why an anti-virus program is necessary, and why data backup is so important.

Zero trust architecture (ZTA) is not a new concept, but there is renewed interest in implementing zero-trust principles for an organization’s mobile administrators, states the US NIST. Due to the pandemic, many employees have transitioned to remote/telework options. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere. In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen.

The NIST IoT Cybersecurity Program also released two new documents:

Big Tech: Uber, Optus, and TAP cyberattacks, World Cup data analysis app

Uber’s EXT contractor had their account compromised by an attacker. The attacker likely purchased the contractor’s Uber corporate password on the dark web after their device had been infected with malware. The attacker then tried logging in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, the contractor accepted one, and the attacker successfully logged in. From there, the attacker accessed other employee accounts, which gave the attacker permission to use several tools, including G-Suite and Slack.

Sensitive information about TAP Air Portugal’s customers has also been shared on the dark web after a cyberattack. The attackers were booted from the system, but not before gaining access to sensitive data, including name, nationality, gender, date of birth, address, email, telephone contact, customer registration date, and frequent flyer number. It is unclear how long the hackers had access to the system. However, the airline has assured its passengers that the breach has not affected their flights.

Australia’s major telecommunications company Optus experienced a cyberattack that leaked personal data of up to 10 million customers, in one of Australia’s biggest cybersecurity incidents. An offshore-based entity, possibly in Europe, had broken into the company’s customer information database, accessing home addresses, driver’s licenses, and passports. Stolen customer data and credentials may be sold through several forums including the dark web.

World Cup players to get FIFA data analysis app. Players at the finals will be able to browse their performance data on a purpose-built app developed by the governing body which allows footballers of all 32 teams access to analysis and information. The data will be synced with a video of the action to allow a quick assessment of key moments. While such data and metrics are widely available to players with the top clubs and national sides, who employ teams of analysts, the app will ensure teams with fewer resources compete on a level playing field, Reuters reports.

The post Data protection & privacy digest 13 – 26 Sept 2022: Google Analytics clash, caller identification, commercial practices & GDPR appeared first on TechGDPR.

Weekly digest February 7 – 13, 2022: France latest EU member to put pressure on Google Analytics https://techgdpr.com/blog/weekly-digest-14022022-france-latest-eu-member-to-put-pressure-on-google-analytics/ Mon, 14 Feb 2022 10:11:34 +0000 https://s8.tgin.eu/?p=5498


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: use of Google Analytics in France, Privacy Sandbox commitments in the UK

The use of Google Analytics, (GA), is illegal as it threatens the privacy of French website users, concludes the French data protection regulator CNIL. In its latest decision relating to an unnamed French website manager, the CNIL decided that the analytics service developed by Google risks giving US intelligence services access to the website users’ data. GA provides statistics on website traffic. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the data associated with it are transferred by Google to the US. The CNIL, in cooperation with its EU counterparts, concludes that in the absence of an adequacy decision following the “Schrems II” CJEU ruling, such a transfer can only take place if appropriate guarantees are provided. Although Google has adopted additional measures to regulate data transfers in the context of the GA functionality, these are not sufficient to exclude the accessibility of this data to US intelligence services. The CNIL ordered the website manager to bring this processing into compliance with the GDPR, if necessary:

  • by ceasing to use the GA functionality under the current conditions, or 
  • by using a tool that does not involve a transfer outside the EU, (and only uses anonymous statistical data). 

To go deeper on this topic, you can also read the recent unfavorable decision on GA by the Austrian data protection regulator. In its defense, Google also recently posted a statement stressing that the GA tool does not track or profile people across the internet.

Britain’s competition regulator CMA to keep a close eye on Google as it secures final Privacy Sandbox commitments. The CMA has accepted a revised offer from Google of legally binding commitments relating to its proposed removal of third-party cookies from the Chrome browser, known as the Privacy Sandbox proposals. The CMA competition investigation was launched in January 2021 over concerns that the proposals would cause online advertising spending to become even more concentrated on Google, weakening competition and so harming consumers. Google has pledged not to remove third-party cookies until the CMA is satisfied.

The CMA is currently working closely with the UK Information Commissioner’s Office, ICO, to oversee the development of the proposals so that they protect privacy without unduly restricting competition and harming consumers. In one of the examples, Google commits to restricting the sharing of data within its ecosystem to ensure that it doesn’t gain an advantage over competitors when third-party cookies are removed. Google will also engage in a more transparent process than initially proposed, including engagement with third parties and publishing test results, with the option for the CMA to require Google to address issues raised by the CMA or third parties. Read more on the Privacy Sandbox initiative here and the ICO’s latest opinion on Data protection and privacy expectations from the advertising technology sector. 

Official guidance: configuration errors, payment services, EU data flows analysis

The French regulator CNIL published a guide, (in French), on security incidents related to configuration errors within public cloud storage spaces, DataGuidance reports. Malicious scenarios may be caused by a) a publicly accessible ‘bucket’, b) overly permissive access rights for users, or c) inadequate user authentication mechanisms. To detect unauthorized access, the CNIL recommends that available logs be analyzed and that the Data Protection Officer be kept informed in a timely manner during the investigation. If the incident is classified as a personal data breach, the CNIL must be notified within 72 hours of discovery. Some essential steps to prevent configuration errors include:

  • knowing your infrastructure, (eg, configure security options: do not rely on default settings, in particular public and private access to containers);
  • taking inventory of your cloud resources, (eg, separating the storage of personal and sensitive data from other data);
  • limiting access, (eg, strong two-factor authentication for sensitive actions);
  • encrypting data and performing regular backups;
  • tracing, monitoring, and auditing containers and their security configurations;
  • educating users on how to handle data stored in the cloud.
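As an added illustration of the first two misconfigurations the CNIL guide names (a publicly accessible bucket and overly permissive access rights), the following Python audits constructed S3-style bucket policies and compares a weak policy with a hardened one. This is example code, not the CNIL’s or any vendor’s; the bucket name, account ID and role ARN are made up, while the policy grammar and the `aws:SecureTransport` condition key are the real AWS ones.

```python
"""Audit S3-style bucket policies for two configuration errors the CNIL guide
names: a publicly accessible bucket and overly permissive access rights.

Constructed example. The JSON follows the AWS IAM policy grammar
(Version/Statement/Effect/Principal/Action/Resource), but every bucket
name, account ID and role below is invented for illustration.
"""
import json
from dataclasses import dataclass


@dataclass
class Finding:
    statement_id: str
    issue: str
    detail: str


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True for the anonymous principal: "*" or {"AWS": "*"} (also inside lists)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" or "*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket_policy(policy_json: str) -> list:
    """Return Findings for every Allow statement that grants anonymous access
    or wildcard actions.

    An Allow to the anonymous principal is reported as 'public' unless the
    statement carries a Condition block (e.g. a source-IP or VPC endpoint
    restriction); those are reported separately for manual review, because
    the condition keys decide whether the grant is really public.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action"))
        if _is_public_principal(stmt.get("Principal")):
            if "Condition" in stmt:
                findings.append(Finding(sid, "public-with-condition",
                                        "anonymous principal scoped by Condition; verify the keys"))
            else:
                findings.append(Finding(sid, "public",
                                        f"anonymous principal may {', '.join(actions)}"))
        wildcard = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard:
            findings.append(Finding(sid, "wildcard-action", f"grants {', '.join(wildcard)}"))
    return findings


# Constructed "before" policy: the accidentally public bucket plus an over-broad app grant.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-customer-files",
                      "arn:aws:s3:::example-customer-files/*"]},
        {"Sid": "AppFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-customer-files/*"},
    ],
})

# Constructed "after" policy: named principal, enumerated actions, plaintext transport denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-customer-files/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-customer-files/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def summarize(policy_json: str) -> dict:
    """Count findings by issue type so two policies can be compared at a glance."""
    counts = {}
    for f in audit_bucket_policy(policy_json):
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, summarize(pol))
        for f in audit_bucket_policy(pol):
            print(f"  [{f.issue}] {f.statement_id}: {f.detail}")
```

The audit only reads the policy document; it does not replace account-level public-access blocking or the log review the CNIL recommends, which cover access paths a policy check cannot see.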

The EU Commission presented a new study estimating the volume of data flowing to main cloud infrastructures across the EU Member States, Iceland, Norway, Switzerland, and the UK. In 2020, the largest data flows came from the health sector, and Germany registered the largest volume of data inflow. Reportedly, by 2030, the flow of data stemming from European enterprises will be 15 times higher than in 2020. Furthermore, a follow-up study has just been started to assess the economic values of data flows within the EU, as well as with third countries such as the US and China. Both studies will complement the upcoming Data Act. It will also feed into the evaluation of EU Regulation of the Free Flow of Non-Personal Data, as well as the Digital Decade policy program. Read the full study and the interactive map here. 

A growing number of EU payment industry associations co-signed a letter addressed to the EDPB, the European Commission, and the European Banking Authority about the final EDPB Guidelines on the interplay of PSD2, (Payment Services Directive), and the GDPR. Although the guidelines clarify certain aspects of the interplay, other elements remain more worrying and raise new uncertainties, notably:

  • the provisions on data minimisation;
  • the processing of special categories of personal data;
  • a lack of coherence with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication;
  • the risk that national data protection authorities could start taking a differentiated approach to the interpretation of the provisions, resulting in fragmentation across the EU.

Investigations and enforcement actions: IAB Europe/APD row, extensive health data collection, unprotected visa order forms, unsolicited marketing email

The Interactive Advertising Bureau (IAB) Europe has published an FAQ on the Belgian data protection authority, (APD), decision about the Transparency and Consent Framework, and its compliance with the GDPR. The IAB Europe states that:

  • There is nothing in the APD’s decision that even remotely suggests that consent pop-ups are illegal or that they should not be employed by the digital advertising ecosystem to comply with the EU data protection rules. 
  • The APD only requires IAB Europe to ensure the deletion of personal data collected through TC Strings in the context of a specific mechanism called the “global scope”.
  • The APD does not consider the TC String itself to be personal data, as the TC string does not allow for direct identification of the user due to the limited metadata value.
  • However, the APD holds that the possibility of CMPs being able to combine TC Strings and the IP address means it is ultimately information about an identifiable user and therefore personal data. 
  • The APD’s decision only concerns IAB Europe, not any vendor, publishers, or CMPs, but it does hint at the possibility of an order for a given party to delete TC Strings if they contain personal data collected in breach of Art. 5 and 6 of the GDPR.
  • It is unclear if reliance on legitimate interests as a legal ground for the processing of personal data by TCF participants is viable for all TCF purposes or solely for personalized advertising and profiling, etc.

The EDPB published an analysis of the recent decision by the Finnish Data Protection Ombudsman. An administrative fine with reprimand was imposed on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information. The Data Protection Ombudsman stated that the actions of the data controller violated the principle of data minimization provided for in the GDPR. Namely, the data controller requested unredacted patient records from health care providers in order to settle claims. The controller also collected information on the patients’ health care appointments to determine whether the health care provider charged for visits not related to the examination or treatment of injuries sustained in the claim. Information was also requested in cases where the health care recipient may have omitted information essential for claims handling. The decision by the data protection authority is not final as it is under appeal in the administrative court.

Another fine by the Finnish data protection regulator was imposed on a travel agency for multiple violations of the GDPR. In the given case, a customer suspected the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency erase their data from the system, but the company had not fulfilled the customer’s request. The investigation showed that: 

  • The travel agency used an unencrypted network connection for its visa application forms.
  • Personal data was stored on a public web server.
  • The information entered on the form was saved as a PDF file in the web server’s files folder, which was open to access from the internet.
  • The information entered on the forms included the customer’s name, contact details, and passport number, which in particular poses a privacy risk.

The regulator also imposed a fine on the small travel industry group that the travel agency is considered a part of.

Meanwhile, the Spanish data protection authority AEPD fined SegurCaixa Adeslas, (health insurance), 300,000 euros for sending marketing emails to the plaintiff despite their request for deletion of their data, DataGuidance reports. This happened despite the fact that the given email address was registered in an opt-out list of people not willing to receive marketing communications. SegurCaixa Adeslas, however, indicated that the marketing emails were sent by insurance agents with which it maintained a commercial relationship, claiming that these insurance agents should be responsible for the activity of promoting and attracting clients. The AEPD found SegurCaixa Adeslas in breach of Art. 6, (unlawful processing), 17, (failed requests for data deletion), and 28, (no formalized data processing agreement with the contracted insurance agents), of the GDPR.

Data security: IoT products

The US National Institute of Standards and Technology published its latest Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) products. An IoT product and its components must protect data stored and transmitted, (both between IoT product components and outside the IoT product), from unauthorized access, disclosure, and modification. Thus, maintaining confidentiality, integrity, and availability of data is foundational to cybersecurity for IoT products. Customers will expect that data is protected and that protection of data helps to ensure the safe and intended functionality of the IoT product. The document provides some real-world IoT product vulnerabilities and related proposed baseline criteria. Here are some examples:

  • Weak data protection in storage and transit creates vulnerabilities within home security cameras allowing adversaries to exfiltrate data. 
  • Unencrypted sensitive data is available through a baby monitor, leaving the data vulnerable to access, modification, exfiltration, and misuse.
  • Using weak de-identification methods leaves data vulnerable to being re-identified, allowing unauthorized access to sensitive data, etc.

Big Tech: Meta annual report, TikTok promises minors privacy, AirTag dilemma, surveillance marketing by YouTube, TikTok & Co

Negotiations between the EU and US over transatlantic data transfers and their associated privacy issues need to succeed, said Meta this week in its annual report to the SEC and in press releases. Failure to agree on a new transatlantic data transfer framework that complies with the EU’s GDPR could lead to Facebook and Instagram quitting Europe, Meta added, claiming that 70 other companies are concerned about the impact on their business. The SEC report noted that other data protection requirements at the federal, state, and international level, along with legislation restricting the collection and use of data from minors, could impose limitations on Meta’s business. You can investigate Meta’s annual report here.

A TikTok news briefing revealed the company is conducting twin tests to crack down on adult content arriving on minors’ devices, Reuters reports. The company said one small test would look at how users themselves or their parents or guardians could restrict access, while a ratings approach is being trialled for app creators who want to specify adult content, similar to the film and games industries.

Apple has responded to reports that its AirTag device is being used by criminals, especially stalkers, by updating software and beefing up online support, according to The Guardian. Any initial user of the device will now be warned that tracking people without consent is a crime in many places around the world. Guidance on what to do if you find an unwanted AirTag near you and how to disable it is being added to the website, along with links to two US helplines. Apple says additional measures, like precision detection of stalking AirTags, are on the way.

TikTok and YouTube are by far the biggest collectors of personal data among social media apps, according to a report by URL Genius. While YouTube mostly collects data for its own business purposes and sells little to third-party trackers, TikTok sells nearly all its users’ data to third parties, more than three times as much, trailed by Twitter and Telegram. The report says that for users this means it is unclear where all this data goes, how it is used, and whether, for example, other online activity or location is being tracked, whether they are logged in to TikTok or not. The study added that TikTok allowed third-party tracking even when users did not use the opt-in feature. Find many other findings on surveillance marketing in the original study report.


Weekly digest January 17 – 23, 2022: EU Digital strategy, smart transport and cities, AI taxonomy, Bluetooth security https://techgdpr.com/blog/weekly-digest-24012022-eu-digital-strategy-smart-transport-and-cities-ai-taxonomy-bluetooth-security/ Mon, 24 Jan 2022 09:49:06 +0000 https://s8.tgin.eu/?p=5453


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU Digital Strategy, IoT, biometrics policing program, US surveillance ads

The EU Parliament moved on the implementation of the Digital Services Act, (part of the EU Digital Strategy), that regulates platforms for a safer online space for users. MEPs gave the green light to open negotiations with member states. The Parliament introduced several changes to the Commission’s proposal, exempting micro and small enterprises from certain obligations, including on:

  • Targeted advertising: more transparent and informed choice for the recipients of digital services, including information on how their data will be monetised. 
  • Refusing consent shall be no more difficult or time-consuming than giving consent. 
  • If their consent is refused or withdrawn, recipients shall be given other options to access the online platform, including “options based on tracking-free advertising”.
  • Targeting or amplification techniques involving the data of minors or special categories of data for the purpose of displaying ads will be prohibited.
  • Recipients of digital services and organisations representing them must be able to seek redress for damages.
  • Platforms should be prohibited from using techniques that deceive or nudge users.
  • Very Large Online Platforms should provide at least one recommender system that is not based on profiling. 

The EU Commission published its latest competition sector inquiry report into the consumer Internet of Things, IoT. Among the main areas of potential concerns are:

  • The role of voice assistants and smart devices as intermediaries for data generation and collection, which would allow them to control user relationships. 
  • The extensive access to data, including information on user interactions with third-party smart devices and consumer IoT services by providers of voice assistants. 
  • The access to and accumulation of large amounts of data allow voice assistant providers to improve their market position. 

The IoT inquiry urges companies to review their commercial practices, as its findings will inevitably add to the ongoing legislative process on the EU Digital Markets Act, (part of the EU Digital Strategy). Read the report and the staff working document for more detailed information.

According to Human Rights Watch, Greece’s new biometrics policing program can undermine privacy and create risks of profiling and other abuses. The police reportedly would use hand-held devices to gather biometric information, (fingerprints, faces), from people on a vast scale and cross-check it against police, immigration, and private sector databases, primarily for immigration purposes. Human Rights Watch believes that a) the Greek police should use their authority to stop people and require them to show identity documents only when based on a reasonable suspicion that the person is involved in an illegal activity, and b) the police should put in place systems to check the validity of identity documents without detaining people or gathering personal biometric data. In 2019 the Greek police signed a contract with Intracom Telecom to help create the “smart policing” program. Since 2020, the Hellenic Data Protection Authority (DPA) has been investigating its lawfulness. The launch of the program was planned for 2021, but has been delayed a couple of times.

The Banning Surveillance Advertising Act was introduced in the US House of Representatives. The draft legislation prohibits advertising networks and facilitators from using personal data to target ads, with the exception of broad location targeting to a recognized place (such as a municipality). The bill also prohibits advertisers from targeting ads based on protected class status information, such as race, gender, and religion, and on personal data purchased from data brokers. However, it makes explicit that contextual advertising, which is advertising based on the content a user is engaging with, is allowable. It also authorises the FTC or the state attorneys general to enforce violations of the Act. Read the full draft law here and detailed section-by-section summaries here.

Official guidance: Bluetooth security, clinical trials Code of Conduct, the right to access, housing, processor/EU representative

The US National Institute of Standards and Technology, NIST, published its updated guide on Bluetooth security. Bluetooth wireless technology is used primarily to establish wireless personal area networks and has been integrated into many types of business and consumer devices. The Bluetooth specifications define several security modes; each version of Bluetooth supports some, but not all, of them, and some modes do not require any security at all. The updated NIST guide provides exhaustive information on the security capabilities of Bluetooth and gives step-by-step management, technical and operational recommendations to organizations employing Bluetooth wireless technologies on securing them effectively.

The European Federation of Pharmaceutical Industries and Associations, EFPIA, confirmed that its GDPR Code of Conduct on Clinical Trials and Pharmacovigilance has progressed to the final phase of review by data protection authorities prior to formal submission to the EDPB for approval. The EFPIA believes that a GDPR Code of conduct will:

  • Enable the sector to align on key data protection positions, providing more consistency, clarity and certainty for clinical research. 
  • Bring more certainty to third parties (patients, ethical committees and hospitals). 
  • Clarify the linkages between the GDPR and other key sectoral legislation such as the Clinical Trials Regulation.
  • Respond to the Commission’s policy ambition for the European Health Data Space to improve data governance, etc.

The EDPB adopted guidelines on the right of access, which enables individuals to learn how and why their personal data is processed by organisations. Among others, the guide provides clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of 6 weeks and made available on the EDPB website once this has been completed.

The Bavarian data protection authority for the private sector, BayLDA, is examining the area of housing management and, in particular, self-disclosure by prospective tenants, DataGuidance reports. The BayLDA clarified that when contact is made and a viewing appointment is arranged, information about the prospective tenant’s occupation and income is not yet required. Only if the person viewing the flat continues to be interested is it permissible to ask about the number of people moving in and the prospective tenant’s occupation and income. If at the end of the selection process the landlord would like to conclude a tenancy agreement with the person, then the submission of a self-disclosure from a credit agency may also be requested before the conclusion of the agreement.

The Croatian data protection authority AZOP analyzes the possibility for a processor to perform the role of a controller’s EU representative. The regulator states that in order to ensure that the processor in the given scenario is not in conflict in terms of two duties, it would be advisable to establish processes and practices in the work environment that will promote effective control, management and resolution of conflicts of interest, (eg, open communications and dialogues related to ethics, education of its employees). At the same time, the establishment of these procedures and excessive control of the processor, in terms of the representative’s remit, in practice could be unenforceable and counterproductive, which would result in distrust of the controller. Thus, the regulator concludes that performance of two functions in the same person would represent a possible conflict of interest, and should be prevented.

Data breaches, Investigations and Enforcement actions: aggressive telemarketing, Red Cross, demonstrators, IT solutions’ failed security

The Italian data protection authority, “Garante”, fined Enel Energia, (multinational manufacturer and distributor of electricity and gas), 26,5 mln euros for aggressive telemarketing, use of consumer data without consent, and failure to comply with the accountability principle. The decision was issued following hundreds of complaints by users who had received unsolicited calls, some of them based on pre-recorded messages. Others had found it difficult to exercise their data protection rights and had encountered problems handling their data in connection with the supply of utility services, both on the company’s website and through the app released to manage power consumption. Enel Energia was ordered to bring all processing by its sales network into compliance with suitable arrangements, to implement further technical and organisational measures to handle data subjects’ requests, in particular the right to object to processing for promotional purposes, and to respond to those requests within 30 days.

A massive cyber-attack targeted Red Cross Red Crescent data on 500,000 people, held in files at an external company in Switzerland that the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly. The attack compromised confidential information on highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. In response, the ICRC had to shut down the Restoring Family Links systems. The organisation asks those responsible for the attack not to share, sell, leak or otherwise use this data.

The Portuguese data regulator CNPD fined Lisbon city municipality 1.25 mln euros in a case related to the processing of personal data of participants in demonstrations. The mayor’s office had committed 225 breaches of demonstrators’ personal data between 2018 and 2021, namely, when their details were shared with the embassies of several countries, BBC reports. More than 100 other breaches that occurred since 2012 were not covered as they pre-dated the GDPR. Some of the breaches reportedly could have attracted fines of up to 20 mln each, but the regulator had refrained from imposing these due to the effect of the pandemic on public finances. When the story broke in June 2021, the data protection officer and cabinet in charge of handling protesters’ data was dismissed, and an external audit of the city hall’s data protection policies was ordered to take place, Reuters reports.

The Maltese data protection authority, IDPC, issued its decision on the personal data breach suffered by C-Planet (IT Solutions). In 2020 the regulator was informed about a security incident encountered by the company. The investigation concluded that C-Planet, in its capacity as controller, was processing the personal and special categories of data that were impacted by the breach in violation of articles 5, 6, 9 and 14 of the GDPR. C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Additionally, the controller failed to notify the breach to the regulator within the deadline and to communicate it to the affected data subjects. The IDPC imposed a proportionate fine of 65,000 euros on the microenterprise, taking into account its turnover, and ordered the erasure of the personal data which had been processed in an unlawful manner.

Data security: C-ITS, Smart Cities, Remote identity proofing

The German Federal Office for Information Security published its Technical Guidance on Cooperative Intelligent Transport Systems, C-ITS, (available in English). Among many provisions it describes trust and privacy management concerning the establishment and maintenance of identities and cryptographic keys. Because links between a vehicle and its user can be either directly or indirectly deduced, the impact on privacy of the road users should be minimized through:

  • Pseudonymity: a C-ITS station may use a resource or service without disclosing its identity, but can still be accountable for that use.
  • Unlinkability: a C-ITS station may make multiple uses of resources or services without others being able to link them together.

Classically, authenticity and integrity are ensured by means of a security architecture supported by a Public Key Infrastructure. In C-ITS, pseudonymity and unlinkability are incorporated and balanced against integrity and authenticity by means of separation of duties and frequently changing pseudonym certificates, the so-called Authorization Tickets. Read the full C-ITS guide here.

The German Federal Office for Information Security also published its recommendations for action on information security in Smart Cities and Smart Regions, (in German). Smart cities and regions use the potential of digitization for municipal services of general interest, such as local public transport or waste disposal. Information security, especially of the underlying municipal IoT infrastructures, is of crucial importance. The target group is municipal decision-makers and those responsible for operations, such as a chief digital officer of a municipality or a manager for a municipal IoT project. The recommendations are structured along the lifecycle of an IoT infrastructure. You can see the full guide here.

Meanwhile the EU agency for cybersecurity, ENISA, published an explainer on remote identity proofing. Online users expect access to services anytime and anywhere, so the need to onboard customers and prove their identity remotely and securely is becoming critical for organisations. Identity and technology providers have implemented both active and passive security controls, most of which involve video and operator intervention, (eg, biometric acquisition, liveness checks, ID document acquisition, authenticity checks, face comparison). Video allows a greater number of security checks, and operators help the artificial intelligence to identify new types of attack. Although many have faith in facial recognition technology, algorithms cannot understand and detect new fraud techniques, (eg, deep fakes), on their own. Humans are therefore needed to clean and tag data, enabling quality training that results in better performance and the mitigation of adversarial attacks.

Audits: Emailmovers Ltd

Following a test data purchase initiative run by the UK Information Commissioner's Office, (ICO), Emailmovers Ltd, (EML), was investigated after serious concerns were identified about its data protection compliance. The investigation resulted in an enforcement notice, followed by a consensual audit of the company's systems; the checks took one week. The audit focused on the processing of personal data within EML's marketing database and covered the following key control areas: governance, sourcing personal data, transparency and lawful basis for processing, data supply and sharing, and individual rights. The ICO identified both good practices, (a proactive approach, training, managerial involvement in decision making), and areas for improvement, (defining retention periods, maintaining a record of processing activities and of decisions taken, and notifying recipients of personal data about the existence and outcomes of individual rights requests), which can be read in the audit documentation.  

AI: taxonomy and business models

The European Institute of Innovation and Technology published two reports on Artificial Intelligence business models and taxonomy in Europe. Both reports give in-depth recommendations on how to streamline knowledge, experience and expertise in AI deployment, and on how to connect, share and encourage an open innovation environment with policy leaders, industrial experts and innovator communities, (AI application providers, infrastructure providers and adopters). The trust ecosystem for ethical AI covers, among other dimensions: 

  • human agency and oversight;
  • technical robustness and safety (including resilience to attack and security, a fall-back plan and general safety, accuracy, reliability and reproducibility); 
  • privacy and data governance (including respect for privacy, quality and integrity of data, and access to data); 
  • transparency (including traceability, explainability and communication); 
  • diversity, non-discrimination and fairness (including the avoidance of unfair bias, accessibility and universal design, and stakeholder participation), and more.

Big Tech: Apple AirTags, Google’s age-appropriate policy

Police across the US are reporting cases where stalkers have used Apple AirTags to target their victims, according to the Guardian. Paired with the Find My app, the attachable coin-sized gadget was designed so you would never lose anything again, but slipped into a bag or coat pocket it is a ready-made tracking device for criminals. Police forces in other countries have reported similar abuse of the AirTag, including its use in car theft. While the AirTag's several anti-abuse features make it less dangerous than other stalkerware on the market, a further problem is the inconsistency of the police response. A 2021 Norton report claims stalkerware is growing fast, with a jump in 2020 and in the first half of 2021.

Google has fallen foul of the UK's Children's code, introduced in September 2021, which sets online services 15 privacy and design standards to protect minors. Google said it would immediately improve enforcement of its age-sensitive ad policy after Reuters reported that age-sensitive advertising for high-risk financial instruments, adult toys and alcohol was evading Google's filters and safeguards. The campaign group 5Rights Foundation, which reviewed the Reuters findings, says all tech companies should do more to ensure compliance with the new rules, and that consumers should beware of "safety washing": there were still too many such cases, indicating that companies had yet to get serious about implementing changes.

The post Weekly digest January 17 – 23, 2022: EU Digital strategy, smart transport and cities, AI taxonomy, Bluetooth security appeared first on TechGDPR.
