online (user) tracking Archives - TechGDPR
https://techgdpr.com/blog/tag/online-user-tracking/
Feed generated Wed, 11 Jun 2025 12:04:59 +0000

Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor
https://techgdpr.com/blog/data-protection-digest-05022025-data-controller-obligation-to-monitor-deletion-or-return-of-personal-data-held-by-the-processor/
Published Mon, 05 May 2025 08:07:19 +0000

The post Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor appeared first on TechGDPR.

Data controller obligation

Upon termination of a processing agreement, the controller is obliged to monitor the deletion of personal data held by the processor. So ruled the Higher Regional Court of Dresden, Germany, in a judgment examined closely in a DLA Piper analysis. The plaintiff was a user of the online music streaming service run by the controller. The case was set off by a data breach in 2022 at a former external (non-EU) processor of the controller, involving the personal data of clients (hackers offered this data for sale on the dark web). The controller-processor relationship had come to an end several years before the data breach, in 2019. Under the terms of the data processing agreement, the controller had the option to either delete or return the data once processing was complete. However, the controller never exercised this right.


Data subject rights under the DSA


On 21 April, the European Commission established internal regulations limiting certain data subjects’ rights (information, access, rectification, erasure, and notification of breaches) under the Digital Services Act. The restrictions cover the personal data of suspects, victims, whistleblowers, informants, witnesses, and staff of undertakings processed in the course of the Commission’s supervisory, investigative, enforcement, and monitoring activities. The Commission must publish a data protection notice and inform affected individuals where appropriate.

TikTok fine

The Irish privacy regulator DPC has fined TikTok 530 million euros after an inquiry into transfers of EEA users’ data to China (which enabled storage of, and access to, that data). The inquiry also examined whether the information given to users about such transfers met the GDPR’s transparency requirements. TikTok first informed the DPC that it did not store EEA user data on servers located in China. Later, however, TikTok informed the DPC that it had provided inaccurate information to the inquiry. Whilst TikTok has informed the DPC that the data has now been deleted, the regulator is considering whether further regulatory action, in consultation with peer EU Data Protection Authorities, may be warranted.

COPPA Rule

On 22 April, the US Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule to enhance content moderation and data protection for children under 13. The amendments will take effect on 23 June, with full compliance required by 22 April 2026. They introduce a new definition of “mixed audience website or online service.” They also require operators to implement age screening methods that are neutral and to avoid collecting any personal information before determining the user’s age, with few exceptions.

In the meantime, Arkansas became the first US state to approve a Children and Teens’ Online Privacy Protection Act, modelled on the pending federal bill known as COPPA 2.0. Consent requirements, data minimisation, targeted advertising restrictions, data subject rights, and data security obligations all apply to any for-profit operator of a website, online service, or app that targets children or teenagers or knows that it is gathering their data.

More from supervisory authorities

The Data Act: The European Data Act will take effect on September 12. Manufacturers of internet-enabled devices will then be required to share the data sent by connected devices with third parties, explains the Hamburg data protection authority. Machines, household appliances, and vehicles connected to the internet generate large amounts of data every day. Those wishing to take advantage of the act should familiarise themselves with access rights. Those subject to the obligations of the act must prepare for access requests and develop strategies for protecting personal data and trade secrets. 

To that end, the regulator offers the manual “The Data Act as a Challenge for Data Protection” (in German). 

Multi-device consent: The French CNIL launches a public consultation on its draft recommendation (in French). The guidance concerns actors who plan to collect cross-device consent only when users are authenticated to an account. When a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices would be automatically applied to all devices connected to their account. This includes, but is not limited to, their smartphone, tablet, computer or connected TV, as well as the browser or app used.   

Children’s code: In the UK, Ofcom issued a draft Protection of Children Code of Practice for search services under the Online Safety Act 2023. Implementing the list of recommended measures set out in this Code will inevitably involve the processing of personal data. The Information Commissioner’s Office has already set out that it expects service providers to take a ‘data protection by design and by default’ approach when implementing online safety systems and processes. Over time, Ofcom might update the Codes to take account of technological developments.

Customer data

What should merchants consider when recording telephone conversations with customers? The Latvian data protection regulator explains. A voice recording becomes personal data when it can be linked to a specific person. Therefore, such data processing must be carried out under the requirements of the GDPR:

  • An appropriate and as specific as possible purpose must be defined for such data processing (eg, to improve the quality of the advice or service provided, to communicate with customers, and possibly to promote sales).
  • The recordings may only be used to achieve the specified purpose and not for other, unrelated purposes.
  • A balancing test must be carried out to determine whether such processing would unduly prejudice the customers’ rights to data protection.
  • Conversation recordings may only be kept for as long as necessary to achieve the goal. 
  • Access to records should be limited to authorised persons whose tasks are directly related to the purpose of processing the records.
  • When recording telephone conversations with customers, the merchant must inform them at the beginning of the conversation about the recording.

In parallel, the Estonian data protection agency issued new practical guidance to help online stores protect their customers’ data (in Estonian). It provides advice on ensuring data security, preventing cyber threats, and managing risks for both new and experienced online retailers, highlighting, among other things, the importance of strong authentication, encryption and log management, as well as the need to carefully evaluate cooperation with third-party service providers, data breach response and employee training.

Synthetic data generation


The Spanish AEPD has published the Spanish translation of the Guide to synthetic data generation, prepared by the Singapore data protection authority. Synthetic data is artificially generated to simulate real data and must retain its essential statistical characteristics to be useful without compromising personal data. Its generation must be carefully planned, falling along a spectrum ranging from completely random data to real data. The guide includes practical case studies on best practices for generating synthetic data and reducing residual re-identification risks.

More official guidance

NIST cybersecurity guide: America’s NIST has updated its Privacy Framework, tying it to recent Cybersecurity Guidelines. It is intended to help organisations manage the privacy risks that arise from personal data flowing through complex IT systems. Failure to manage these risks effectively can directly affect individuals and society, and can damage organisations’ brands, bottom lines and prospects for growth. Following the comment period (open until 13 June), NIST will consider additional changes and release a final version later this year.

Domestic cameras are not excluded from GDPR: The Liechtenstein data protection agency has supplemented its guide on video surveillance with information on surveillance within one’s own home. Data protection does not stop in your living room, at least not if the purpose of data collection is not exclusively personal or family activities. This is particularly the case if the purpose is to ensure security or perform quality control, for example by observing staff or external third parties (cleaners, gardeners, babysitters, etc.). This applies equally to video surveillance and to pure audio recordings.

Large databases: Art. 5 and 32 of the GDPR require controllers and processors to process personal data in such a way as to ensure an appropriate level of security, in particular against the risk of massive data exfiltration, as the French CNIL reminds us. For large databases, these measures can be implemented via the following procedures:

  • Secure external access to the information system via multi-factor authentication
  • Log, analyse and set limits on the data flows that pass through the information system
  • Consider humans as security actors: organise regular awareness-raising sessions adapted to user profiles (employees, developers, managers, subcontractors, etc.)
  • Emphasise the data controller’s obligation to supervise data security at its subcontractors.

More content from the CNIL on cybersecurity can be found on this page.

In other news


Apple and Meta fines: The European Commission imposed the first fines under its Digital Markets Act, punishing tech behemoths Apple and Meta for violating the EU’s new digital regulations. Apple was fined 500 million euros for violating the rules governing app stores (the “anti-steering” obligation). Meta, meanwhile, was fined 200 million euros for its “pay or consent” advertising approach, which charges EU users to use Facebook and Instagram without advertisements.

Workado AI detector: America’s FTC requires Workado to stop advertising the accuracy of its AI detection products unless it shows that those products are as accurate as the claimed 98%; independent testing showed the accuracy rate on general-purpose content was just 53%. The company says that its AI Content Detector was developed using a wide range of material, including blog posts and Wikipedia entries, to make it more accurate for the average user. The FTC alleges, however, that the AI model powering the AI Content Detector was only trained or fine-tuned to effectively classify academic content.


Facial recognition at football matches

The Danish data protection agency has granted FC Copenhagen and the Danish Football Association permission to use automatic facial recognition during international football matches. The purpose is to support the enforcement of the rules on club quarantines and general quarantines in connection with football matches. The technology can therefore be used for access control to Parken Stadium. The impact assessment must be carried out before the processing begins.

Personal data processed as part of the facial recognition system must be transported to and stored encrypted on the server using up-to-date and widely recognised encryption algorithms. This also applies to the use of mobile devices at away matches. 

More enforcement decisions

Proof of consent for marketing calls: The UK’s ICO fined AFK Letters 90,000 pounds for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service. Between January and September 2023, AFK used data collected through its website and a third-party telephone survey company to make mass marketing calls without being able to demonstrate valid and specific consent from the people contacted. AFK claimed it could not provide evidence of consent because it deleted all customer data after three months; yet when challenged, it was also unable to provide consent records for several calls made within a three-month timeframe.

User tracking: The Hamburg data protection authority launched a large-scale automated review campaign in mid-April. Most of the 1,000 randomly selected websites comply with data protection regulations; however, deficiencies were identified on 185 local websites. Various third-party web services (Google Analytics, Google Maps, Google Ads, YouTube, Facebook, Vimeo, MS advertising, Pinterest) were activated immediately upon accessing the site, resulting in users being tracked without the legally required consent.

Email security analysis tool errors: In Romania, the data protection agency fined BITDEFENDER (a software company) the equivalent of 10,000 euros. The investigation was initiated following the company’s own personal data breach notification. Due to a programming or implementation error in the update operation of the email security analysis service, a significant amount of customers’ personal data was disclosed to third parties. The operator did not implement appropriate technical and organisational measures and did not carry out periodic testing, evaluation and assessment, including of the continued confidentiality, integrity, availability and resilience of systems and services.

In case you missed it 

Revolut staff tracking: According to The Guardian, the fintech company Revolut has been monitoring employee behaviour and awarding or deducting points on an internal “Karma” system. Revolut’s annual report described the practice as ‘successful’ while also revealing that last year’s profits had more than quadrupled. The system, launched in 2020, tracks how effectively employees adhere to risk and compliance regulations, awarding and deducting points that eventually impact compensation. After those points are added up at the team level, the ultimate bonus for each employee is either reduced or multiplied.

CJEU knowledge base on data protection: The EU’s top court has published a Fact Sheet document on the Protection of personal data, to present a selection of seminal rulings on the subject and rulings that have made a significant contribution to the development of this case-law. The document relates to sector-specific rules, particularly in the electronic communications sector and criminal law, but also aims to present a selection of judgments dealing with rules which are applicable across multiple areas.


Data protection digest 2 – 16 Oct 2024: knowing your processors and sub-processors, automated driving, election technologies
https://techgdpr.com/blog/data-protection-digest-17102024-knowing-your-processors-and-sub-processors-automated-driving-election-technologies/
Published Thu, 17 Oct 2024 09:32:40 +0000


Reliance on processors and sub-processors

The EDPB has issued an opinion on the interpretation of certain duties of controllers relying on processors and sub-processors, arising from Art. 28 of the GDPR, as well as on the wording of controller-processor contracts. In particular, controllers should have information on the identity of all processors and sub-processors readily available at all times, regardless of the risk associated with the processing activity. To this end, the processor should proactively provide the controller with all this information and keep it up to date at all times.


More legal updates


Scaling up user tracking: The EDPB also clarifies the applicability of the ePrivacy Directive to emerging tracking solutions. It explains several key elements, namely ‘information’, ‘terminal equipment of a subscriber or user’, ‘gaining access’ and ‘storage of information’. For instance, information can mean both non-personal and personal data, regardless of how this data was stored and by whom (third party, user, manufacturer, or any other scenario).

Also, it would be incorrect to conclude that a third party does not require consent to access user information simply because it did not store it. The consent requirement applies even when a read-only value is accessed (eg, requesting the MAC address of a network interface via the OS API). It applies to a non-exhaustive list of use cases including URL and pixel tracking, local processing, tracking based on IP only, intermittent and mediated Internet of Things reporting, and unique identifiers.

Legitimate interest assessment: The CJEU’s recent decision, that legitimate interests can cover purely commercial interests, is now being followed by new EDPB guidelines. For processing to be based on legitimate interest, three cumulative conditions must be fulfilled: a) the pursuit of a legitimate interest by the controller or by a third party; b) the need to process personal data for the legitimate interest(s) pursued; and c) the interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party. The assessment should be done before carrying out the relevant processing activity, with special attention when the data subjects are children.

Consent management in Germany


The German government has tabled a new regulation on cookie consent management. It establishes a recognised consent management service, intended to provide a user-friendly alternative to the multitude of individual decisions that end users have to make through cookie banners. The aim is to strengthen trust in such services through a recognition procedure by an independent body. For providers of digital services, this process offers a way to request and store consent “without having to disturb the end user” by displaying the consent banner each time. Read further technical modalities in the original publication (in German).

AI programming assistants

As AI usage continues to intensify, the use of AI programming assistants has already spread to numerous public and private entities. These tools are being employed at different stages of the software development process, primarily to generate source code, to help developers familiarise themselves with the source code of new projects, or to generate tests and documentation. The French and German information security agencies have prepared recommendations (in English) on the risks associated with the use of AI programming assistants, together with concrete mitigation measures: internal security guidelines, training, instructions on permissible tools and data usage, and risk and success assessments.

More official guidance

Children and the digital environment: The Spanish regulator AEPD stresses the importance of having an age verification system where the burden of proof is on the person who is of the age required to access the content, and never on the minor. The system does not need to verify a specific age or date of birth, but only that the established age threshold has been exceeded. These efforts by default will protect minors from the risks related to accessing adult content, such as contact with people who may put them in danger, the contracting of products and services, the monetisation of their data, the incitement of addictive behaviours that affect their physical or mental integrity and other aspects. 

Data protection audit framework: A new toolkit from the UK Information Commissioner’s Office helps organisations assess their compliance with some of the key requirements under data protection law. Data controllers, auditors or data protection specialists may use it for various purposes, such as creating a privacy management programme, auditing existing practices against the ICO’s expectations, improving existing practices, recording and tracking progress, or increasing senior management engagement and privacy awareness across the organisation.


Automated driving: Several data protection authorities in Germany are consulting with Volkswagen AG about new types of data processing. Volkswagen intends to use sequences of sensor and image data of the environment from customer vehicles to further develop driver assistance systems and automated driving functions more quickly and continuously as key technologies for improving road safety. From the fourth quarter of 2024, the company plans to start triggering the extraction of such data and processing it in some vehicle series – initially only in Germany – based on predetermined, narrowly defined scenarios, subject to the consent of vehicle users. 

Enforcement decisions

US hotels fine: America’s FTC is taking action against Marriott and Starwood over multiple data breaches between 2014 and 2020 that impacted more than 344 million customers worldwide. Marriott and Starwood failed to implement appropriate password controls, access controls, firewall controls or network segmentation, to patch outdated software and systems, to adequately log and monitor network environments, and to deploy adequate multifactor authentication. In addition to monetary and other penalties (including certifying compliance to the FTC annually for 20 years), the companies must now provide a method for consumers to request a review of unauthorized activity in their loyalty rewards accounts and restore any loyalty points stolen by malicious actors.

“Afraid of answering the phone”: The UK Information Commissioner meanwhile issued hefty fines to two companies for predatory marketing campaigns, often targeting elderly people with dementia. These calls were made to people who had explicitly opted out of receiving marketing communications. Some individuals were subjected to repeated phone calls, attempting to pressure them into buying warranties for white goods, such as fridges and washing machines, that they did not need. 

To that end, the ICO is encouraging the public to take proactive steps to safeguard their loved ones: a) look out for rogue direct debits being paid for unknown reasons; b) ensure they are registered with the TPS, which provides a free and easy way to opt out of unwanted marketing calls; c) if they are still receiving unsolicited marketing calls despite opting out, report these incidents to the regulator without delay.


‘Deposit and return’ app


The Danish data protection authority has investigated Dansk Retursystem’s app “Pant” (a deposit and return system for bottles and cans). The app allegedly processed users’ financial information. The investigation showed that it has a built-in component that needs to obtain the user’s account information in order to pay out money to the right account. But the component, which is made available by a third party, can also collect information about the user’s balances, identity information, transaction history, etc.

If an app’s APIs allow the processing of more personal data than is necessary for its intended use, the authority can decide to issue a warning for non-compliance. Such concerns arise especially with APIs and services supplied by an external provider.

Data security

Police access to personal data: The CJEU has ruled that police access to data contained in a mobile telephone is not necessarily limited to the fight against serious crime. The review must strike a fair balance between the legitimate interests relating to the investigation and the fundamental rights. Such access must, moreover, be subject to a prior review carried out either by a court or an independent administrative authority. The data subject must be informed of the grounds on which the authorisation to access their data is based, as soon as the communication of that information is no longer liable to jeopardise the investigations. 

Meta AI avoiding the EU market: Meta has introduced its AI assistant in the UK and Brazil after launching it in the US and Australia. However, because of strict regulations in the EU, services are still not available there. Users must complete an objection form found in the privacy settings of their applications if they would like to prevent Meta from using their Instagram and Facebook posts to train its AI models, The Guardian reports. Users of Meta’s AI products, however, are unable to prevent the Llama model from being trained and improved by their interactions with the AI tools.

Election technologies

Electors’ data: When it comes to elections around the world, we find ourselves in a terrain that is more and more populated by digital technologies (Biometric Voter Registration, Electronic Voter Identification, and Result Transmission), explains Privacy International. This calls for changing customs and procedures to guarantee free, fair, and transparent elections. Election observers must also learn new techniques and abilities. Biometric information should be used only when it is required to properly identify or authenticate voters. It must be kept safe, apart from other information, and not on any publicly accessible record where access may be purchased.

If the digital system fails, backup plans should be in place, such as distributing hardcopy registers to voting locations. No further use of the collected data, including sharing with law enforcement or security agencies, is permitted. The lowest possible access level should be the default setting. Modern encryption and secure data channels should be used for transmission. When there is less than 100% internet coverage across all stations, for example, a backup mechanism, like using satellite phones, should be provided. 

Party political use of personal data: Finally, on a related item, ahead of the recent UK General Election the NGO Good Law Project asked its supporters to contact all Britain’s political parties requesting that they stop processing their personal data (eg, political parties can combine the electoral roll with other data for targeting campaigns) and refrain from using it. Every party complied except for Nigel Farage’s Reform Party. The NGO has sent Reform a pre-action protocol letter warning them that they are breaking the law.


Data protection digest 3 – 16 Aug 2024: data labelling for LLMs, third-party cookies as a cause of leaks
https://techgdpr.com/blog/data-protection-digest-19082024-data-labelling-for-llms-third-party-cookies-as-a-cause-of-leaks/
Published Mon, 19 Aug 2024 09:53:01 +0000


In this issue: X’s AI Grok training suspended in the EU, third-party cookies may lead to data breaches, Uniqlo ‘payroll’ mistake, car rental refusal based on client’s income, and AI non-transparency: data scraping, maximisation, risks of regurgitation, and what is behind data labelling for the LLM industry.


LLMs, data labelling and data protection

A fundamental principle of data protection law is data minimisation. Privacy International, however, argues that LLMs are being trained through indiscriminate data scraping and generally take a maximising approach to data collection. Under data protection laws, individuals have the right to assert control over data related to them. However, LLMs are unable to adequately uphold these rights, as the information is held within the parameters of a model in addition to a more traditional form, such as a database. ‘Regurgitation’ can also lead to personal data being spat out by LLMs: because training data is enmeshed in LLM algorithms, it can be extracted (or regurgitated) by feeding in the right prompts.

PI also investigated digital labour platforms that have arisen to supply data labelling for LLM training. This includes training an AI model against a labelled dataset and is supplemented by reinforcement learning from human feedback. For example, data labellers mark raw data points, (images, text, sensor data, etc.), with ‘labels’ that help the AI model make crucial decisions, such as for an autonomous vehicle to distinguish a pedestrian from a cyclist. It appeared that many such labellers can be completely disconnected from the AI developers, and are often not informed about who or what they are labelling raw datasets for. They are also subject to algorithmic surveillance and unreliable job stability. 

Third-party cookies as a cause of data breaches

JDSupra legal insights look at the disclosure of data through website cookies, which may constitute a data breach in California. In the related court case, the plaintiff claimed that an online counselling service, where website users can find and seek therapy, violated the California Consumer Privacy Act by allowing tracking software to retarget website users with ads. The court refused to dismiss the data breach claim. Specifically, the simple fact that a user visited the website may qualify as sensitive information, because such a visit could mean they were seeking therapy.

Concerning whether using retargeting cookies is inherently illegal, the court refrained from rendering a decision.

US Child privacy bill

On 30 July, the Kids Online Safety and Privacy Act was passed by the Senate. KOSPA is a variation of two previously proposed bills: the Kids Online Safety Act (KOSA) and the amended Child Online Privacy Protection Act (COPPA 2.0). The act applies to digital platforms, particularly those with more than 10 million active monthly users. The duty of care includes options for minors to protect their data, a prohibition on the use of dark patterns, and transparency regarding the use of opaque algorithms, among other things. KOSPA now heads to the House, where it will be debated over potential censorship and the possibility of minors lacking access to vital information.

Oncological oblivion

The Italian data protection authority Garante looks at “the right to be forgotten” in oncology, and whether banks, insurance companies, credit bodies, and employers can ask for information on the oncological pathology of an individual in a remission stage. Also, can a clinically recovered person adopt a child? These and other questions are answered in the FAQs published by the regulator, (in Italian). The aim is to prevent discrimination and protect the rights of people who have recovered from oncological diseases.

Chatbots and customer data

Employees sharing patient or consumer personal information with an AI chatbot have resulted in data-leak allegations being reported to the Dutch Data Protection Authority, (AP). The majority of chatbot developers store all data entered. Organisations must make clear agreements with their employees about the use of AI chatbots. They could also arrange with the provider of a chatbot that it does not store the entered data.

More official guidance

Avoiding outages and system failures: The US Federal Trade Commission insists that many common types of software flaws can be preemptively addressed through systematic and known processes that minimise the likelihood of outages. This includes rigorous testing of both code and configuration, and incremental rollout procedures. For instance, when deploying changes to automatically updating software, vendors could initially deploy them to a small subset of machines, and then roll them out to more users after it is confirmed that the smaller subset has continued to function without interruption.

Surveys at schools: The Latvian data protection authority investigates whether a teacher can ask students to complete surveys. The educational process has long not been limited to learning the subject, but also covers the psychological state of the child. Answers given in student surveys can be divided into standard, personalised or anonymous forms. However, children are often not able to assess how much private information to give to others. Thus, security requirements, such as data non-disclosure and storage limitations, must be applied in most cases.

Additional parent consent should be required if the surveys are related to the organisation of the learning process indirectly.

AI systems transparency: The German Federal Information Security Office, (BSI), published a white paper on the “Transparency of AI systems”. It says that the increasing complexity of AI “black box” systems, as well as missing or inadequate information about them, makes it difficult to assess them visually or to judge the trustworthiness of their outputs. The paper defines the term transparency for various stakeholders from users to developers, and discusses the opportunities and risks of transparent AI systems, both positive, (promoting safety, data protection, avoiding copyright infringements), and negative, (the possible disclosure of attack vectors).

Uniqlo ‘payroll’ mistake

The Spanish regulator imposed a fine of 450,000 euros, (reduced to 270,000 euros), on the UNIQLO branch in Spain, DataGuidance reports. The complainant, who provided services to UNIQLO, requested their payroll data and received an email containing a PDF document with payroll information on the entire 446-strong workforce. The document contained names, surnames, social security, bank account numbers, and more.

The breach was caused by a human error within the human resources department, but the employee in question had not informed their superior. The regulator confirmed that the negligent action of the employee does not exempt the data controller from liability.

Healthcare IT provider fine

The UK Information Commissioner’s Office has provisionally decided to fine Advanced Computer Software Group 6.09 million pounds. It provides IT and software services to the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor. The decision relates to a ransomware incident in 2022, when hackers accessed several of Advanced’s health and care systems, (with the personal information of 82,946 people), via a customer account that did not have multi-factor authentication.

More enforcement decisions

Car rental and client’s income: The Italian Garante imposed a one million euro fine on Credit Agricole Auto Bank for the illicit processing of personal and income data of customers who requested financing for the long-term rental of a car. The bank accessed the centralised fraud prevention system, also on behalf of its subsidiary, a car leasing company, despite it not having the necessary authorisation from the Ministry of Finance.

The complainant contacted the bank to know the reasons behind the denial of the long-term rental and the inclusion of their name on a credit risk list. The bank stated these were due to the client’s negative income situation. Furthermore, the bank did not first acquire the client’s tax return form, an essential document for making a comparison with the information contained in the database. 

Dark patterns in the gambling industry: The Guernsey privacy regulator reviewed 19 online gaming sites for indicators of deceptive designs. In 42% of cases, the analysis was unable to find the website or app’s privacy settings, (in most cases those found were unnecessarily lengthy and complex). Also, it was more difficult to delete an account than it was to create one. In one of the instances, a user made their account deletion request through an on-site chatbot, as they were unable to find the ‘delete account’ option on the site. In another case, the organisation asked that a form be completed and returned to them, along with identity verification documents. Neither the documents nor the form were required to create an account. 

Data security

Lack of encryption: The Danish regulator has reprimanded the Vejen Municipality for insufficient security measures. Three stolen computers with information about children were not encrypted – and the same turned out to be the case with up to 300 other computers in the municipality. The computers were only intended for use by teachers as part of the teaching process. In practice, however, they were also used by teachers to make status descriptions of students, class handovers, etc. The regulator also issued a reminder that encryption of portable devices is a very basic security measure which is relatively easy and not very costly to implement.

GPS tracking: A court in Slovenia confirmed the decision of the Information Commissioner to restrict the use of GPS tracking of company vehicles, on a systematic, automated and continuous basis. The company did not demonstrate that such GPS tracking is a suitable and necessary measure for the protection of company vehicles and the equipment and documentation contained in them, nor to ensure employee safety or for the enforcement of potential legal claims and defence against them. 

Among other things, the court confirmed that the data obtained by the operator through the GPS tracking of company vehicles constitutes employees’ data, even though it is not recorded and stored in the tracking system itself, as the employees as drivers can be identified with the help of other documents, (eg, travel orders).

AI Grok

X agreed with the Irish Data Protection Commission to suspend the processing of the personal data contained in the public posts of X’s EU/EEA users, (processed between 7 May and 1 August), to train its AI ‘Grok’. The suspension will last while the DPC examines, together with other regulators, the extent to which the processing complies with the GDPR. The agreement was reached after the regulator submitted the case to the country’s Supreme Court.

In June, Meta also agreed with the DPC that it would delay processing EU/EEA user data for its AI tools. However, unlike Meta, X didn’t even notify its users beforehand. To make sure that X’s AI training is properly handled, the privacy advocacy group NOYB has now filed complaints with the data protection authorities in nine countries, (questioning what happened to EU data that had already been ingested into the systems, and how X can effectively distinguish between EU and non-EU data).

The post Data protection digest 3 – 16 Aug 2024: data labelling for LLMs, third-party cookies as a cause of leaks appeared first on TechGDPR.

Data protection digest 20 Jul – 2 Aug 2024: ‘legitimate interest’ criteria, surveillance pricing, Olympics and AI (published Mon, 05 Aug 2024, https://techgdpr.com/blog/data-protection-digest-05082024-legitimate-interest-criteria-surveillance-pricing-olympics-and-ai/)

This edition includes: the CJEU expands on the legitimate interest criteria, a summary of the most common mistakes by data controllers, AI tools enter Olympic venues in Paris, the US FTC expresses concern that user monitoring now permits AI-facilitated individualised pricing.

Legitimate interest criteria

A CJEU advocate general clarifies the obligation of the data controller when relying on the legitimate interest legal ground. The mere reference to ‘legitimate interest’, without any indication of precisely what that legitimate interest is, cannot satisfy the GDPR requirements. Such legitimate interest could exist, for example, where there is a relevant relationship between the data subject and the controller, (eg, the data subject is a client of the controller).

The legitimate interest criteria need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Preventing fraud or even direct marketing purposes also can constitute a legitimate interest. However, it should be for the controller to demonstrate that a compelling interest overrides the interests or the fundamental rights and freedoms of the data subject.

AI Act entered into force on 1 August

The EU data protection regulators have started to examine the supervisory powers vested in them by the new law. Large parts of the high-risk AI systems fall within its scope. This covers not just the organisations that use these systems but the whole value chain, including the software, cloud, and security firms that provide AI systems, either by selling them or by integrating them into already-existing systems. The data protection authorities are faced with yet another challenge in light of the real-world laboratories that the AI Act establishes to foster innovation. AI developers and users now have until February 2025 to inventory the AI systems they use or sell, as well as the risk category they fall into. Organisations that create or utilise AI that is prohibited must prepare for substantial fines starting in August 2025.

Weak Children’s Privacy

The UK Information Commissioner’s Office has launched a major review of social media platforms, (SMPs), and video-sharing platforms, (VSPs), as part of the Children’s Code Strategy. It reviewed 34 SMPs and VSPs such as BeReal, Twitch, Threads, WeChat, YouTube Kids, X (Twitter) etc, focusing on the processes young people go through to sign up for accounts, with emphasis on information transparency, age assurance, default privacy settings, geolocation and exposure to algorithmic systems. The audited platforms’ full list and non-compliance issues can be seen here.

More legal processes

Surveillance pricing: The US Federal Trade Commission (FTC) launched a new investigation, as reportedly a growing number of grocery stores and retailers may be using algorithms to establish individualised prices. Advancements in machine learning make it cheaper for these systems to collect and process large volumes of personal data, which can open the door for price changes based on your precise location, shopping habits, or web browsing history.

Hashing and anonymisation: The FTC has also reiterated its long-held view that hashing or pseudonymising identifiers does not render data anonymous: hashes can still be used to identify or target users, and their misuse can lead to harm. While hashing might obscure how a user identifier appears, it still produces a unique, stable signature, (eg, a unique advertising ID), that can track a person or device over time and across apps without the individual’s informed consent.
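The FTC’s point is easy to see in code. The following is an added example, not code from the FTC publication or from TechGDPR: it hashes e-mail addresses the way many ad-tech “hashed email” integrations do, then shows that two apps holding the same user’s address compute the same token and can therefore merge their event logs into one cross-app profile without anyone reversing the hash. The second half shows the usual mitigation, a keyed hash (HMAC) with a secret held by each organisation, which stops cross-party matching. The app names, e-mail addresses and events are constructed sample data.

```python
"""Added example: a hashed identifier is still an identifier.

All names, addresses and events below are constructed for illustration
and do not come from the FTC publication or any real data set.
"""
import hashlib
import hmac
import secrets


def normalise(email: str) -> str:
    # Ad-tech integrations normalise before hashing so that the same person
    # always yields the same token, whatever the capitalisation or whitespace.
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of a normalised address: the common 'hashed email'."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret that never leaves one organisation."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


# Constructed event log from two unrelated apps that each know the user's
# e-mail address and share only the hashed form with an ad platform.
EVENTS = [
    ("shop-app", "alice@example.com", "viewed:shoes"),
    ("news-app", "Alice@Example.com ", "read:politics"),
    ("shop-app", "bob@example.com", "viewed:laptop"),
    ("news-app", "alice@example.com", "read:health"),
]

# One secret per app (constructed here; in practice kept in the app's KMS).
APP_KEYS = {app: secrets.token_bytes(32) for app in ("shop-app", "news-app")}


def plain_token(app: str, email: str) -> str:
    # Every party computes the same token for the same person.
    return plain_hash(email)


def per_app_token(app: str, email: str) -> str:
    # Each party computes a token only it can reproduce.
    return keyed_hash(email, APP_KEYS[app])


def profiles(token_fn) -> dict[str, list[str]]:
    """Group the shared events by token, as an ad platform would."""
    merged: dict[str, list[str]] = {}
    for app, email, action in EVENTS:
        merged.setdefault(token_fn(app, email), []).append(f"{app}:{action}")
    return merged


def profile_count(token_fn) -> int:
    return len(profiles(token_fn))


def largest_profile(token_fn) -> int:
    """Size of the biggest cross-app profile the platform can assemble."""
    return max(len(actions) for actions in profiles(token_fn).values())


if __name__ == "__main__":
    # With plain hashes Alice's three events from two apps collapse into one
    # profile; with per-app keys her shop and news activity stay separate.
    print("plain hash :", profile_count(plain_token), "profiles, largest",
          largest_profile(plain_token))
    print("keyed hash :", profile_count(per_app_token), "profiles, largest",
          largest_profile(per_app_token))
```

Two things follow for a controller. First, a plain hash of a stable identifier is pseudonymisation at best: the token is deterministic, so every holder of the same address, and every later event carrying it, links together. Second, the keyed variant only prevents cross-party linkage; each app can still profile its own users under its own key, so the tokens remain personal data that need a lawful basis and retention limits.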

NIS2: The Hogan Lovells analysis looks at the speed of national implementations of the NIS2 Directive, as the 17 October deadline approaches. So far, not all EU Member States seem to be on track to implement a common level of cybersecurity. Germany only adopted the draft document on 24 July, (the so-called “IT Security Act 3.0”). The legislation largely demands from critical sectors: implemented security risk management systems following the highest standards, (eg, ISO27001), incident reporting, corporate monitoring, training and auditing obligations. For more on the enforcement, personal liability of directors, and geographical scope, read the original publication.

Addictive patterns

The Spanish privacy regulator warns against the use of addictive patterns in its latest study. Often online services implement deceptive and addictive design patterns to prolong the time users stay on their services, or to increase the level of engagement and the amount of personal data collected and perform profiling. The adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children.

However, the enacted Digital Services Act establishes that online services will not design, organise or manage their interfaces in such a way as to deceive or manipulate users, or in such a way as to distort or hinder their ability to make free and informed decisions. So far the European Commission has opened two sanctioning procedures for possible non-compliance with the above requirements, against TikTok and Meta.

More official guidance

Errors in data processing: The Latvian data protection authority explains the most common mistakes by data controllers and how to avoid them. These include: a legal basis that is not chosen or is inadequate for the purpose of the processing; data subjects not properly informed; privacy by default not implemented as part of information system management; technical and organisational security measures ignored; incidents not handled and recorded; improper handling of data subject requests; lack of core documentation and impact assessments; and poor due diligence of data processors.

Generative AI: The European AI Office has opened a call for expression of interest to participate in the drawing-up of the first general-purpose AI Code of Practice. The Code of Practice will detail the AI Act rules for providers of general-purpose AI models and general-purpose AI models with systemic risks. These rules will apply 12 months after the entry into force of the AI Act, by August 2025. The Code will be prepared in an iterative drafting process by April 2025.

According to the latest guidance from America’s NIST, one of the primary risks in Gen AI is that such systems may leak or generate sensitive information about individuals, (included in the training data). Also, the integration of nontransparent or third-party components and data may lead to diminished accountability and the possibility of potential errors across the AI value chain. Finally, the GenAI training raises risks to widely accepted privacy principles, including transparency, individual participation, (consent), and purpose specification.

Facial recognition at school

In the UK, an Essex school was reprimanded after using facial recognition technology for canteen payments. The school, which has around 1,200 pupils aged 11-18, failed to carry out a prior assessment of the risks to the children. The school had not properly obtained clear permission to process the students’ biometric information and the students were not allowed to decide whether they did or didn’t want it used in this way.

It also failed to seek opinions from its data protection officer or consult with parents and students before implementing the technology. Instead, a letter was sent to parents with a slip for them to return if they did not want their child to participate in the FRT. Affirmative ‘opt-in’ consent wasn’t sought, meaning the school was wrongly relying on assumed consent.

Emergency calls disabled

In light of the recent global IT outage, BBC articles pay attention to a major incident in Britain from a year ago. BT, (formerly British Telecom), has just been fined 17.5 million pounds for a failure of its emergency call handling service which led to thousands of 999 calls not being connected. The network failure lasted for more than 10 hours. The emergency call handling outage was caused by an error in a file on a BT server, which meant systems restarted as soon as call handlers received a call.

It led to staff being left logged out and calls being disconnected or being dropped as they were transferred to the emergency services. The tech company was not prepared to respond to the problem: instructions on how to solve such an issue were “poorly documented” and staff were unfamiliar with the process.

More enforcement decisions

French Guiana fine: Finally, the French CNIL decided to impose a penalty on the municipality of Kourou, in the overseas department of French Guiana, (also known as the main spaceport of France and the European Space Agency). The municipality will have to pay 6,900 euros for still not having complied with its obligation to appoint a data protection officer despite the CNIL’s injunction of December 2023. This penalty payment does not close the procedure as the injunction with its penalty payment still runs as long as the municipality has not appointed a data protection officer. A new penalty payment may therefore be ordered.

Human error in an educational ministry: The education minister in Northern Ireland has apologised after the personal details of more than 400 people who had offered to contribute to a review of special education needs were breached, the Guardian reports. According to the education department, 407 persons indicated their interest in attending the end-to-end review of special education needs, (SEN), events around Northern Ireland, and a spreadsheet attachment including their names, email addresses, and titles was accidentally emailed to 174 people. Several people’s remarks were included in the spreadsheet. The 174 persons who unintentionally received the personal information were requested to remove it and attest to having done so.

Olympics, performance, privacy and AI

The International Olympic Committee determined over 180 potential use cases for AI in the Olympics, with some of them already in use at the Paris venue, according to a fortune.com article. The primary purposes include “enhancing the fairness and accuracy of judging and refereeing through the provision of precise metrics”. In another case, Google was announced as “the official search AI partner of Team USA”.

Finally, event organisers and the French government are also leaning on AI to monitor potential threats, (prompting the French government to temporarily change the law to allow this use of experimental surveillance technology for the Olympics).

Data security

Data breaches and exploitation of APIs: In the US, the Federal Communications Commission settled with TracFone Wireless, (a telecommunications carrier), to resolve data security investigations. The underlying data breaches involved the exploitation of application programming interfaces, (APIs), which allow different computer programs or components to communicate with one another. Numerous APIs can be leveraged to access customer information from websites, and thus are a common attack vector for threat actors. The settlement includes a mandated information security program, consistent with standards identified by NIST and OWASP; subscriber identity module, (SIM), change and port-out protections; annual security assessments by independent third parties; and privacy and security awareness training for employees and certain third parties.

Big Data

Third-party cookies: Google has officially changed its plans and no longer intends to deprecate third-party cookies from the Chrome Browser, as this transition requires “significant work by many participants and will have an impact on everyone involved in online advertising”. Implementation of the Privacy Sandbox project started in 2019. Now the tech giant is proposing an updated approach that elevates user choice. Google reportedly is discussing this new path with regulators and will engage with the industry soon.

Meta record settlement: Meta has also reached a 1.4 billion-dollar settlement to resolve claims brought by the Texas Attorney General. It aims at stopping the company’s practice of capturing and using the personal biometric data of millions of Texans without authorisation. This settlement is the largest ever obtained from an action brought by a single State. In 2011, Meta rolled out a new feature that it claimed would improve the user experience by making it easier for users to “tag” photographs with the names of people in the photo.

For more than a decade Meta ran facial recognition software on virtually every face contained in the photographs uploaded to Facebook.

Data centre’s electricity hunger: According to official estimates cited by The Guardian, Ireland’s data centres consumed more power last year than all of the country’s urban households put together. Specifically, Google, which has its European headquarters located in Ireland, stated that its data centres might potentially delay its environmentally conscious goals following a 48% surge in its total emissions last year. This is the outcome of increased demand for cloud services and data processing, which includes advances in artificial intelligence.

Data protection digest 18 Jun – 2 Jul 2024: end-to-end algorithmic audit, DPOs for small business, Vinted fine (published Thu, 04 Jul 2024, https://techgdpr.com/blog/data-protection-digest-04072024-end-to-end-algorithmic-audit-vinted-fine-dpo-for-small-businesses/)

In this issue we look at an end-to-end algorithmic audit, Vinted multimillion fine, Meta and Apple AI projects frozen in the EU, the fight against addictive feeds to minors in the US, and the Avanza Bank and Meta Pixel error case.

End-to-end algorithmic audit

The EDPB offers a non-binding auditing methodology for AI systems, specifically focused on impact assessment. A socio-technical, end-to-end algorithmic audit (E2EST/AA) should inspect a system in its actual implementation, processing activity and running context, looking at the specific data used and the data subjects impacted. It is designed to inspect algorithmic systems used in ranking, image recognition and natural language processing. An AI system may be composed of several algorithms, and an AI service or product may include several AI systems.

It is also an iterative process of interaction between the auditors and the development teams. The method provides templates and instructions to guide such interaction, specifying the data inputs that are necessary for auditors to complete the assessment and validate results. In particular, one of them is ‘Model cards’: documents designed to compile information about the training and testing of AI models, as well as the features and the motivations of a given dataset or algorithmic model.

Vinted fine

The Lithuanian Data Protection Inspectorate VDAI imposed a 2,385,276 euro fine on Vinted, an online second-hand clothing trade and exchange platform. Violations concern transparency of information, notification and conditions for the data subject rights. VDAI investigated the 2021 and 2022 complaints from applicants forwarded by the French and Polish supervisory authorities regarding the company’s possible improper implementation of their requests for data deletion, (“right to be forgotten”), and the right to access data.

In response to the requests, the company stated that it would not take action because the individuals did not detail their requests following Art. 17 of the GDPR. It was also established that, to ensure the platform’s and its users’ safety, the company applied “shadow blocking” without individuals knowing about such processing, (and thus unable to exercise other rights established by the GDPR and their remedies). In addition, the company did not take sufficient technical and organisational measures to ensure, and to be able to demonstrate, that it took, (or reasonably refused to take), steps regarding the right to access the data.

Meta non-compliance under DMA

The European Commission stated Meta’s “Pay or Consent” advertising model failed to comply with the Digital Markets Act. The binary choice forces users to consent to the combination of their data and fails to provide them with a less personalised but equivalent version of Meta’s social networks. In response to regulatory changes in the EU, Meta introduced a binary offer whereby EU users have to choose between a subscription for a monthly fee to an ads-free version, or free-of-charge access with personalised ads.

The possible solution would be for users who do not consent to still get access to an equivalent service which uses less of their data. In case of non-compliance, the Commission can impose fines of up to 10% of the gatekeeper’s total worldwide turnover. Such fines can go up to 20% in the case of repeated infringement. The Commission is also empowered to adopt additional remedies such as obliging a gatekeeper to sell a business or parts of it or banning the gatekeeper from acquisitions of additional services.

Non-material damage under the GDPR

The CJEU has found that the damage caused by a personal data breach is not inherently less serious than a physical injury. In the related case, a data controller managed a trading application in which a data subject opened accounts and entered personal data to do so. In 2020, their data were seized by third parties whose identity and purposes remain unknown. 

An individual requesting compensation under the GDPR must prove not only that the infringement occurred but also that the violation caused them harm; this cannot be automatically assumed. In the event of identity theft, as in the above case, the data must have been misused by a third party. Also, determining the damages payable is up to the legal system of each Member State in each given context. 

Apple AI delayed in the EU

Apple decided to delay the release of three new AI features in Europe due to EU competition regulations requiring competing goods and services to be compatible with its devices. The company is concerned that, to meet the interoperability requirements of the Digital Markets Act, it may be required to make compromises to the integrity of its devices that endanger user privacy and data security. The features will debut in the US this autumn, but they won’t make it to Europe until 2025.

More legal updates

US privacy legislation: On July 1, the Florida Digital Bill of Rights, Oregon Consumer Privacy Act, and Texas Data Security and Privacy Act entered into effect, joining California, Colorado, Connecticut, Virginia, and Utah. Among many things, they guarantee consumers rights to access, correct, delete, and opt out of the sale of their data concerning targeted advertising, and certain profiling. There are also provisions relating to data minimisation, children’s data, sensitive data consent, biometric data, and impact assessments. 

Foreign adversaries: On June 23, the Protecting Americans’ Data from Foreign Adversaries Act of 2024 entered into effect. It makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals who reside in the US to North Korea, China, Russia, Iran or an entity controlled by those countries. Sensitive data includes government-issued identifiers, financial account numbers, biometric information, genetic information, precise geolocation information, and private communications.

Minors’ data: To safeguard children’s internet privacy, New York State established new laws. The SAFE For Kids Act defines operators that offer minors an “addictive feed” as a major component of their online or mobile service. Addictive feeds rely on the user’s past interactions, privacy or accessibility settings related to their device, content displayed or blocked by the user, private communication, search inquiries, chronological order etc. The other piece of legislation, the Child Data Protection Act, governs the, (GDPR-enhanced), processing obligations for relevant minors’ data by operators, processors and third parties.

More official guidance

Messenger standardised audit: The EDPB offers the Standardised Messenger Audit initiative to inspect any messenger service used within businesses from a data protection perspective. It consists of two documents, the requirement catalogue and the audit methodology. The requirements within this catalogue are formulated in such a way that a distinction is made between MUST, SHOULD and MAY requirements of the respective data protection principles. It is also closely based on the structure and outline of the GDPR.

Data processor: According to the Latvian data protection regulator, for an organisation to be considered a processor, it must meet two basic conditions: be a separate and independent organisation, and process personal data on behalf of the controller. An organisation usually appoints a processor when it needs more knowledge, resources, etc. Finding such a processor would require a feasibility study: compliance of the set of security requirements chosen by the processor with the controller’s wishes and needs, reputation, and responsibility. Finally, the signing of the agreement indicates the readiness of both parties to cooperate. Further guidance can be read here.

Joint controllership: The Bavarian State Data Protection Commissioner publishes new guidance, (in German), on the legal concept where two or more controllers jointly determine the purposes and means of processing. The GDPR requires a clear allocation of responsibilities, including where a controller determines the purposes and means of processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. However, joint responsibility may still seem less “familiar” than the contractual data processing that has always been established. 


DPOs getting into small business

The Data Protection Officer is a profession that is increasingly represented in small enterprises, according to the French data protection regulator CNIL. The regulator came to such a conclusion after a joint survey of 3,625 DPO respondents in the country, including 2,842 internal, 366 shared and 417 external. Certain components, such as the age distribution, territorialisation, and contract type, have stabilised, but certain respondent characteristics have changed significantly between 2019 and 2024. 57% of respondents now work in structures with fewer than 250 employees, (+19% compared to 2019). Also, 91% are convinced of the social usefulness of the DPO’s function and profession for the protection of customers’, users’ and citizens’ personal data.

Digital identity

The US NIST meanwhile has launched a collaborative project to adapt its digital identity guidelines to support public benefits programs, such as those designed to help beneficiaries pay for food, housing, medical and other basic living expenses. In response to heightened fraud and related cybersecurity threats during the COVID-19 pandemic, some benefits-administering agencies began to integrate new safeguards such as individual digital accounts and identity verification, also known as identity proofing, into online applications.

However, the use of certain approaches, like those reliant upon facial recognition or data brokers, has raised questions about privacy and data security, (and potential biases that disproportionately impact communities of colour and marginalized groups).

Enforcement decisions

Avanza Bank and Meta Pixel: Sweden’s privacy regulator fined Avanza Bank AB 1.3 million euros for failing to implement security measures, leading to the unauthorised transfer of personal data of more than half a million data subjects to Meta by accidentally turning on two functions of the Meta Pixel analytics tool. The controller used Meta Pixel to measure the effectiveness of the bank’s Facebook advertising. Two new functions of the analytics tool, the Automatic Advanced Matching and the Automatic Events, (for the recognisable form fields and buttons used on the page), were activated by mistake.

Avast browsing data: The US Federal Trade Commission will require Avast to pay 16.5 million dollars and prohibit the company from selling or licensing any web browsing data for advertising purposes. The FTC alleged that UK-based Avast Limited, via its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.

Car retail software: A cyber outage at a major retail software provider for automobile dealers delayed car sales throughout North America, (approx. 15,000 retail locations), the Guardian reports. CDK, which provides different kinds of software to car dealerships, proactively shut down most of its systems but is working to reinstate its services. 

Cloud banking security

In terms of data security, operational continuity, and regulatory compliance, outsourcing cloud services to outside providers entails serious risks, according to a new analysis by DLA Piper. One example is financial institutions that retain full operational responsibility even when they outsource critical services. This includes risk management, performance monitoring, and vendor selection. To that end, the EU has established two legal frameworks concerning the provision of cloud and ICT services, (DORA, NIS 2), complementing guidelines issued by the European Central Bank.  

Neuro data processing

In addition to privacy and data protection, fundamental rights such as human dignity and physical and mental integrity are jeopardised by certain uses of neuro data, states an EDPS analysis. The use of AI systems may also make it technically possible for private entities to exploit neuro data for workplace or commercial surveillance. Certain uses of neuro data pose unacceptable risks to fundamental rights and are likely unlawful under EU law.

In other cases, (eg, controlling specific aspects of a videogame, monitoring concentration in educational environments, managing chronic pain by modifying brain activity, etc), mitigating techniques should always include impact assessments, data minimisation, transparency, accuracy, necessity and fairness of processing, local storage of raw data, and efficient anonymisation for re-use and analysis.

Data protection digest 3 – 17 Apr 2024: non-material damage dilemma when losing control of your data (https://techgdpr.com/blog/data-protection-digest-18042024-non-material-damage-dilemma-when-losing-control-of-your-data/, Thu, 18 Apr 2024 09:32:37 +0000)

In this issue: an alternative to the pay or okay consent model, the right to compensation for non-material damage, FISA reauthorisation and GDPR enforcement procedural rules updates, AI development and personal data.


Non-material damage under the GDPR

In one of its recent decisions the CJEU clarifies the right to compensation for non-material damage for data subjects. The request was made in proceedings between a natural person and Juris GmbH, concerning compensation for the damage suffered by the claimant as a result of various processing operations involving their personal data which were carried out for marketing purposes, despite the objections they had sent to that company. The CJEU upheld its previous decision, (of 25 January 2024, MediaMarktSaturn, C‑687/21), that an infringement of a GDPR provision which confers rights on the data subject is not in itself sufficient to constitute ‘non-material damage’, irrespective of the gravity of the damage suffered by that person:

“The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Art. 82 (1) of the GDPR, as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative.” 

At the same time, it is not sufficient for the data controller, in order to be exempted from liability, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Art. 29 of the GDPR. More legal reasoning of the case, as well as rules on determining the amount of damages due as compensation for damage, can be read in the court ruling.

 ‘Pay or okay’ consent model


The EDPB adopted a long-awaited Opinion on Valid Consent in the context of Consent or Pay models implemented by Large Online Platforms. In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they only offer users a binary choice between consenting to the processing of personal data for behavioural advertising purposes and paying a fee. The EDPB underlines that personal data cannot be considered a tradeable commodity, and controllers should consider the need to prevent the fundamental right to data protection from being transformed into a feature that data subjects have to pay to enjoy. 

Thus, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, with a form of advertising involving the processing of less or no personal data. 

GDPR enforcement: new rules, strict deadlines, dispute resolution

On 10 April, the European Parliament adopted amendments to a proposal laying down additional procedural rules relating to the enforcement of the GDPR. In its 2023 work programme, the Commission announced that it would propose harmonising some national procedural aspects to improve cooperation between national data protection authorities. The MEPs’ amendments include:

  • the right of all parties to equal and impartial treatment regardless of where their complaint was lodged;
  • their right to be heard before any measure is taken that would adversely affect them, and 
  • their right to procedural transparency, including access to a joint case file. 

MEPs want to standardise procedural deadlines for a supervisory authority to acknowledge that they have received a complaint and declare it admissible or inadmissible. Then, the authority would have to determine if the case is a cross-border one, and which authority should be the lead authority. Draft decisions must be delivered within nine months of receiving the complaint, outside of certain exceptional situations.

MEPs also want to clarify the rules involving amicable settlements, (consensual, negotiated resolutions to disputes). However, these do not prevent a DPA from starting an own-initiative investigation into the matter. Finally, all parties to complaint procedures have the right to effective judicial remedies, for example when DPAs do not take necessary actions or comply with deadlines.

FISA Section 702 reauthorisation

Last week the US House of Representatives voted to reauthorise Section 702 of the Foreign Intelligence Surveillance Act, (FISA), which includes a crucial provision allowing for American citizens to be surveilled without a warrant for another two years. The law has made it possible to monitor foreign communications in great detail, but it has also resulted in the gathering of phone conversations and correspondence from US individuals. 

Some privacy protections, such as the ban on sweeping up communications about a target along with communications to or from the target, were maintained. However, other amendments, including a new definition of internet service providers, might broaden FISA’s application. Prior to the statutory expiration of Section 702 on April 19, the measure now goes to the Senate. More analysis by the Lawfare Institute can be read here.

More legal updates

Child safety online: On 10 April, the European Parliament endorsed certain derogations to the E-Privacy Directive to combat online child sexual abuse. In particular, MEPs adopted a temporary extension that allows the voluntary detection, by internet platforms, of child sexual abuse material, (CSAM), online. The implementation measures follow strict data protection safeguards pursuant to the GDPR, (legal basis for data processing, data retention policies, restricted data transfers, etc.). The derogation will be extended until 3 April 2026 so that an agreement on the long-term legal framework can be reached. The provisional rules will now have to be formally adopted by the Council before they can become law. 

US privacy legislation: Last week, a bipartisan group of lawmakers in Congress announced the Federal Privacy Bill, (APRA), with the likelihood of long months of discussions before the bill’s passage. This comprehensive draft legislation promises clear, national data privacy rights and protections for Americans, boosts data minimisation in the commercial sector and curbs large data holders and brokers, harmonises the existing state data privacy laws, and establishes new enforcement mechanisms and a private right of action for individuals. At the same time, the Federal Trade Commission would still have the authority to provide further recommendations and rules covering a significant portion of the APRA. 

Right of access basics 

The Luxembourg data protection authority has published a new illustrative factsheet, (only available in French), on the right of access. Any individual can ask a private or public entity, (the data controller), whether it holds their personal data and obtain a copy of the data processed. This right allows you, in particular, to check whether the data is correct. The organisations can be asked to provide the categories of data processed, retention periods, explanations on how to exercise your rights, the lawful basis for processing, other recipients of your data, data transfers to third countries, data sources, and explanations on decisions made by automated processing or profiling.

However, the right of access is not an absolute right. The organisation may refuse to provide you with data about third parties in some cases or a confidentiality obligation may be imposed by law. The organisation must respond to the request within one month including the justifications for refusal or possible delays in providing information. If the organisation does not respond, does not meet deadlines or you are not satisfied with its response, you can submit a complaint to the data protection authority. 

AI development and data protection guide

The French data protection authority CNIL has published its first recommendations on the development of artificial intelligence, in a way that respects personal data. The recommendations, (in French only), concern the development of AI systems involving the processing of personal data, (Machine Learning, general purpose AI, systems that are trained “once and for all” or continuously). The points addressed in the initial recommendations make it possible to:

  • determine the applicable legal regime;
  • define a purpose;
  • determine the legal qualification of the actors;
  • define a legal basis;
  • perform tests and verifications in case of data reuse;
  • carry out an impact assessment if necessary;
  • take data protection into account when making system design choices;
  • take data protection into account in the collection and management of data.

More official guidance

Legal basis for customer health data processing: When obtaining data from a person about their health condition, their explicit consent is required – confirms an administrative court in Poland. In the related case, a law firm contacted people injured in traffic accidents to represent them against insurance companies in courts in order to obtain compensation and pensions, as well as reimbursement of treatment and rehabilitation costs. The company obtained information about potential customers based on, among other things, press releases, online publications or content available on social media, as well as information provided or disseminated by organisations engaged in charitable activities. 

Subsequently, when meeting prospective clients, a representative of the law firm received only oral consent to the processing of personal data ahead of a possible conclusion of a contract with these persons but did not record or register it in any way. Also, the collection of this data was not necessary to perform the contract, because the persons from whom the data was obtained were not yet customers. However, this data was processed for other purposes, (eg. examining the profitability of concluding a contract with a potential customer and possibly establishing contact with such a person again). 

Recruitment data: The Latvian data protection regulator reminds us that an employer must avoid excessive data processing when selecting applicants. For example, a job advertisement should indicate as specifically as possible what information the employer expects from the candidate, and develop its own CV form. Also, after submitting their data, applicants as data subjects have the right to submit information requests asking for clarification on various aspects related to the processing of their personal data, so the employer must ensure that it is able to respond to such requests. Finally, there must be established procedures for how information obtained during the selection process, including applicants who are not hired, is stored and deleted. 

In the event that, after data collection, the employer concludes that data processing could also be carried out for a purpose different from that originally collected, the employer must assess whether this purpose is compatible with the initial processing, and also ensure that the applicant is informed. If the employer chooses to use the services of recruitment companies to find suitable employees, it is important to determine the role of such service providers and if the company is considered a data processor, an agreement on the data processing must be concluded. 


Avast non-anonymised data fine

Internet security company Avast has contested a fine of approx. 13 million euros from the Czech data protection agency over transferring the non-anonymised data of 100 million users to its subsidiary Jumpshot in 2019. Although Avast stated that it used robust anonymisation techniques, it was proven that at least some of the data subjects using its antivirus program and browser extensions could be re-identified. Moreover, the purpose of processing this data was not (only) to create statistical analyses, as Avast stated.

In fact, the pseudonymised Internet browsing history was linked to a unique identifier. Jumpshot, among other things, presented itself as a company that made data available to “marketers,” providing them with insight into online consumer behaviour and offering “atomic-level” tracking of user journeys. The decision, (a cross-border case under the EU one-stop-shop procedure), comes after a 16.5 million fine from the US Federal Trade Commission and restrictions on selling user data for advertising. Avast, now part of Gen Digital, faces challenges both in the Czech Republic and the US.

Other enforcement decisions

Biometrics abuse in the workplace: In the UK, dozens of companies including national leisure centre chains are reviewing or pulling facial recognition technology and fingerprint scanning used to monitor staff attendance after a clampdown by the Information Commissioner’s Office. In February, the regulator found that the biometric data of more than 2,000 employees had been unlawfully processed at 38 centres managed by Serco Leisure. The ICO’s latest recommendations require companies to consider alternative and less intrusive options rather than biometrics scanning to meet their staff management objectives. In light of the ICO decision, a number of other leisure centre operators, like Virgin Active and 1Life, are either reviewing or stopping the use of similar biometric technology, according to The Guardian.

Ransom attack on a healthcare system: Italian privacy regulator Garante issued fines on several technical and administrative entities, (in the Lazio region), in proceedings opened after a cyber attack on a regional healthcare system back in 2021. The ransomware was introduced into the system through a laptop used by an employee. It blocked access to many health services, preventing, among other things, management of reservations, payments, collection of reports or registration of vaccinations. Local health authorities, hospitals and nursing homes were unable to use some regional information systems, through which data on the health of millions of patients is processed, for a period of time that ranged from a few days to a few months. 


Outdated systems and inadequate management of the data breach failed to mitigate the negative consequences of the attack – from the IT service provider’s inability to determine which servers were compromised, to the inability to avoid further propagation of malware targeting numerous healthcare facilities under the umbrella of the data controller, (the regional administration).

Audit methodology

The UK ICO conducted a consensual data governance audit of East Surrey College, (ESC). The recommendations by the regulator not only provided the ESC with independent assurance of compliance but also could serve as guidance for other organisations concerning:

  • Data Governance and Accountability, (creating a privacy culture; comprehensive and up-to-date data maps and ROPA; training needs analysis).
  • Records Management, (eg, creating a local-level asset register alongside the ROPA; correct use of attachments, encryption and the security of personal data in transit).
  • Data Sharing, (reviewing, updating and creating data sharing policies, procedures and registers; documenting and appropriately justifying the lawful basis for sharing personal data; data sharing agreements containing sufficient detail; documenting and regularly reviewing technical and organisational security arrangements with data sharing parties, etc).

Data security

Underestimated risks to data subjects: The Dutch national data protection agency AP claims that an excessive number of Dutch organisations that suffer from cyberattacks neglect to notify individuals that their personal information has been compromised. Approximately 70% of the time, organisations underestimate the likelihood of an attack. Therefore, the individuals whose personal information was compromised are unable to defend themselves against potential fraud or other crimes committed by online criminals. Such criminals often target IT suppliers that manage large amounts of personal data. However, the organisations contracting those suppliers generally remain responsible if anything happens to this data.

Countering cyber threats: An organisation that takes security measures seriously will not only be able to protect its data but will also be a trusted partner and a role model for others. The Estonian privacy regulator reiterates some simple but important recommendations on how to safely handle personal data in everyday work: 

  • data encryption and pseudonymisation for long-term data storage;
  • strong password rules or at least two-factor authentication;
  • monitoring system activity and detecting unusual activity or requests;
  • an incident response plan that is reasonable and clear;
  • regular training or testing so that employees recognise scams and phishing emails;
  • security audits, testing; 
  • involvement of the data protection specialist;
  • implementation of the information security standards;
  • authorised processor due diligence.

Data protection digest 1 – 15 Nov 2023: AI application must ensure digital self-determination of data subjects (https://techgdpr.com/blog/data-protection-digest-17112023-ai-application-must-ensure-digital-self-determination-of-data-subjects/, Fri, 17 Nov 2023 08:25:32 +0000)

This issue highlights a couple of analyses that perhaps help to understand the essence of AI and other new technology, to which the GDPR applies, and the urgent need for digital self-determination for its users.

Self-determination and AI

Digital self-determination of a user: The Swiss Federal Data Protection Commissioner FDPIC stresses that the current data protection legislation is directly applicable to AI used in the economic and social life of the country. In particular, the Data Protection Act in force since 1 September is directly applicable to all AI-based data processing. To this end, the FDPIC reminds manufacturers, providers and operators of such applications of the legal obligation to ensure that the data subjects have as much digital self-determination as possible when developing new technologies and planning their use:

  • the user has the right to know whether they are talking or writing to a machine, 
  • whether the data they have entered into the system is further processed to improve the machine’s self-learning programs or for other purposes, and
  • to object to automated data processing or to demand that automated individual decisions be controlled by a human being.

The law also requires a data protection impact assessment in the event of high risks. On the other hand, the use of large-scale real-time facial recognition or global surveillance and assessment of individuals’ lifestyles, otherwise known as “social scoring”, is prohibited.

Legal processes

The Data Act: On 9 November, the European Parliament adopted the text of the European Data Act. Next, it must be approved by the Council. The act makes more data available for use and sets up rules on who can use and access what data for which purposes across all economic sectors in the EU. This law applies to:

  • the manufacturers, suppliers and users of products and related services placed on the market in the Union;
  • data holders that make data available to data recipients in the Union;
  • data recipients in the Union to whom data are made available;
  • public sector bodies that request data holders to make it available for the performance of a task carried out in the public interest and the data holders that provide data in response to such a request;
  • providers of data processing services offering such services to customers in the Union.

According to the updated text, to promote the interoperability of tools for the automated execution of data-sharing agreements, it is necessary to lay down essential requirements for smart contracts which professionals create for others or integrate into applications.

FISA 702: Meanwhile, the US Congress unveils the Government Surveillance Reform Act. The bill reauthorizes Section 702 of the Foreign Intelligence Surveillance Act for four more years, allowing intelligence agencies to continue to use the powers granted by that law, but with new protections against documented abuses and new accountability measures. For instance, it prevents warrantless searches, ensures foreigners are not targeted for spying on Americans they communicate with and prevents the collection of domestic communications. It also includes a host of reforms to government surveillance authorities beyond Section 702, including requiring warrants for government purchases of private data from data brokers.

EDPB documents

Tracking tools: The EDPB addresses the applicability of Art. 5(3) of the ePrivacy Directive to different tracking solutions. The advent of new tracking technologies to both replace existing tracking tools (due to the discontinuation of third-party cookie support) and generate new business models has emerged as a key data protection problem. The recommendations define four main elements: “information,” “terminal equipment of a subscriber or user,” “gaining access,” and “stored information and storage.” A partial list of use cases includes a) URL and pixel tracking, b) local processing, c) IP-only tracking, d) intermittent and mediated IoT reporting, and e) unique identifier.

Official guidance

Synthetic data: Synthetic data could function as a privacy-enhancing technology, as it allows the application of data protection by design. This synthesis can be performed using sequence modelling, simulated data, decision trees or deep learning algorithms. Creating synthetic data from real personal data would itself be a processing activity subject to the GDPR. It is therefore necessary to consider the regulatory provisions, in particular, the principle of proactive responsibility and the assessment of a possible re-identification risk. In some cases, data sets may be too complex to obtain a correct understanding of their structure, or it may be difficult to mimic outliers from real data, undermining analytical value for specific use cases. In such situations, alternative or complementary PETs should be used, such as anonymisation and pseudonymisation.

Health apps: German data protection body DSK has published a position paper on cloud-based health applications (in German). Since 2020, the Digital Health Applications Ordinance has regulated certain digital health applications to ensure the legal requirements for data protection and data security. However, several other health applications are not covered by these regulations. Thus, the following must be taken into account when using a wide range of health apps: 

  • Data processing roles must be clearly defined in each case. Manufacturers, doctors and other medical service providers as well as cloud services come into consideration. 
  • The application should be used in a privacy-friendly configuration, without the cloud functions and, where possible, without linking it to a user account.
  • The app manufacturers or operators must fulfil the rights of data subjects to information, correction, deletion, restriction of processing and data portability.
  • The processing must be limited to the necessary extent, and be compatible with the purpose of the application. 
  • A data protection legal basis is required for the use of personal data for research purposes.

More from supervisory authorities

Chatbots: The data protection authority of Liechtenstein explains the essence of chatbots – a software-based dialogue system that enables text or voice-based communication. From a technical perspective, there are different types of chatbots, ranging from simple rule-based systems to artificial intelligence (AI) systems. European data protection authorities are currently dealing with the issue of whether AI-based solutions meet the requirements of data protection law. At the same time, chatbot systems are often offered as cloud services, where GDPR rules will always apply, (legal basis, information obligation, handling of cookies, storage of chatbot data, processing of sensitive data, and data reuse).

Similarly, the Hamburg Data Protection Commissioner offers a checklist for the use of LLM-based chatbots, (in English). Recommended steps would include internal regulations for employees, involvement of a data protection officer, creation of an organisation-owned account, and no transmission of any personal data to the AI. Overall, the results of a chatbot request should be treated with caution. You can also reject the use of your data for training purposes, and opt-out of saving previous entries.

Explainable AI: A transparent AI system provides insight into how AI systems process data and arrive at their conclusions, providing an understanding of the “reasoning” that led to the conclusions/decisions, explains the EDPS. Greater accountability will lead to a better assessment of the risks that data controllers need to carry out. At the same time, many efforts to improve the explainability of AI systems often lead to explanations that are primarily tailored to the AI researchers themselves, rather than effectively addressing the needs of the intended users. Read the deep dive into the risks of opaque AI systems here.

Enforcement decisions

Simplified procedures: The French privacy regulator CNIL has issued ten new decisions under its new simplified sanction procedure, introduced in 2022. Some cases focus on geolocation and continuous video surveillance of employees. The CNIL pointed out that the continuous recording of geolocation data, with no possibility for employees to stop or suspend the system during break times, is an excessive infringement of employees’ right to privacy unless there is special justification. Similarly, the prevention of accidents in the workplace does not justify the implementation of continuous video surveillance of workstations and is neither appropriate nor relevant.

Telemarketing: The Italian data protection authority has imposed a fine of 70,000 euros on a coffee-producing company for promoting its brand through unwanted phone calls. Furthermore, the company treated a purchase order as proof of consent to marketing. Users’ data was acquired in various ways: through the form on the website, through word of mouth from customers, and through contact lists collected by third-party companies, without having acquired the consent of the users. The company will now have to delete data acquired illicitly and activate suitable control measures so that the processing of users’ data occurs in compliance with privacy legislation throughout the entire supply chain.

Similarly, the Czech data protection authority imposed a fine of approx. 326,000 euros for sending commercial communications on behalf of third parties. Since 2015, a transport company had distributed commercial messages for the benefit of third parties to the email addresses of its customers, without obtaining the prior consent of the recipients and without offering any way to refuse these commercial communications. It should be emphasised that the company was not offering its own products or services, so it was not entitled to use the so-called “customer exception” (which covers offers of similar products or services to existing customers).

Data breaches

Processor’s obligations: The Danish Data Protection Authority has expressed criticism in a case where a data processor, Mindworking, had not ensured adequate security when developing a web application targeted at real estate agents. In particular, it was not secured against unauthorised persons inspecting the source code and thus being able to access personal data on the platform (linked to a specific property that was for sale). The information could be accessed by users after they had logged in with a username and password: the user could access the information by pressing a function key and activating the browser’s so-called “Dev tools”. The regulator concluded that the data processor should have carried out relevant tests of the platform before commissioning it (Art. 32 of the GDPR).

Data security

Data breach: Finland’s data protection authority reminds organisations that they must assess the seriousness of a data security breach from the point of view of the data subjects. As a rule, the data controller must notify the authority within 72 hours if the breach may cause a risk to the rights and freedoms of natural persons (even if not all the information about the incident is yet clear). The controller must therefore accurately assess the seriousness of the possible effects on the data subjects affected by the breach; the purpose is to assess the effects on the data subjects, not the consequences for the controller. Data subjects must also be notified of a high-risk situation without undue delay (even if the high risk is eliminated by measures taken after the breach).

Password dilemma: Almost everyone uses bad passwords, often unconsciously, states the Dutch data protection authority. The standard password requirements of 8 characters with enforced punctuation and numbers encourage this, because they lead to short passwords full of human patterns. People are also very predictable when they try to use long passwords: instead of something completely random, they quickly choose a year, their favourite sports team or another simple adjustment, such as starting with a capital letter. It is therefore recommended to use long passwords that are so random that an attacker must try all options to recover the password, which makes such attacks slower and hence less profitable.

Big Data

DSA and minors’ safety: The European Commission has sent Meta and Snap requests for information under the Digital Services Act, following their designation as Very Large Online Platforms. Companies have until 1 December to provide more information on risk assessments and mitigation measures to protect minors online, in particular about the risks to mental health and physical health, and on the use of their services by minors. Under Art. 74 of the DSA, the Commission can impose fines for incorrect, incomplete, or misleading information in response to a request for information. 

Medical research data reuse: Sensitive health information donated for medical research by half a million UK citizens has allegedly been shared with insurance companies for years, according to The Guardian. An investigation found that data was provided to insurance consultancies and tech firms for projects to create digital tools that help insurers predict a person’s risk of getting a chronic disease. UK Biobank, set up in 2002 and described as a ‘crown jewel’ of British science, claims that it only allows access to bona fide researchers for health-related projects in the public interest, whether employed by academic, charitable, or commercial organisations, and that participants were promptly informed. Read the full analysis here.

Data protection digest 17 – 30 July 2023: guide on website analytics, health care data sharing, and COPPA 2.0
https://techgdpr.com/blog/data-protection-digest-01082023-guide-on-website-analytics-health-care-data-sharing-and-coppa/ (Wed, 02 Aug 2023 07:07:05 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance

Website analytics: There are many website analytics and tracking tools on the market, notes the Norwegian data protection regulator, but that doesn’t necessarily mean it’s legal to use them on your website. Be prepared to follow the GDPR, even if you do not know the name or identity of those visiting your site. Analytics tools collect a lot of information, which either alone or in combination can constitute personal data. If you currently run an analytics tool that collects information you do not use for anything, you are breaking the law:

  • You must have a legal basis for processing. 
  • There are many requirements for user consent to be valid. The mere existence of the cookie banner is not enough.
  • Choose tools that promise to only process personal data on your behalf and as you decide. 
  • On some websites, the visitors’ behaviour can in itself reveal special categories of personal data (e.g. mental health care).
  • Many service providers have offices or subcontractors in countries outside the EU/EEA. You must check this before using the tool. 
  • Make sure you provide honest and easily understandable information to the visitors, and respect their data subject rights.

Health care data aggregation: The French data protection regulator published recommendations for actors in the digital health sector (in French). The sandbox projects included federated learning between several health data warehouses, a diagnostic aid solution in oncology, anonymous statistical indicators of populations in medical research, and a therapeutic game. The GDPR states that data processing in the field of health must be implemented in the public interest, a basis that can only be relied on by public entities or by legal entities entrusted with a public service mission.

Thus, commercial projects (start-ups) should be based on their legitimate interests. People’s consent was in many cases also ruled out, as the companies are not in a position to collect it, particularly for the reuse of data from healthcare establishments. Finally, whenever non-anonymous data is exported, an ad hoc risk analysis must be performed to determine the necessary security measures. Continuity of security measures outside of the workplace should be ensured as much as possible.

Customer location data: More retailers and companies are transferring their loyalty programs to mobile applications. These often demand access to the customer’s location-related data to personalise offers for each customer, taking into account their habits and other information. Regardless of the legal basis applied by the merchant for the data processing, (both consent and legitimate interest are possible), the customer has all the rights specified in the GDPR. Completely ceasing the loyalty program if the customer withdraws consent only to the processing of geolocation data will not comply with regulatory requirements. Therefore, when developing an application, it is necessary to take into account different possible levels of the loyalty program, granular consent, and withdrawal.

EdTech development: The French regulator also published a summary of the main recommendations (in French) based on the “sandbox” project in the EdTech sector. That included actors developing a portfolio of learning skills, a communication solution in the school context, creating a warehouse of learning traces with a view to their publication and analysis, and providing a “personal cloud” for students connected to their digital workspace. During the “sandbox” support, among other things, the technical architecture of solutions was analysed with the data controllers and their subcontractors. It has to be noted that:

  • State establishments (e.g. primary schools) do not have a legal personality; teachers and directors are acting as agents of the administration of national education.
  • When onboarding a technical solution, the Ministry of national education must be considered as the only data controller (in joint controllership with the municipality).
  • The company offering technical solutions would become a subcontractor.
  • For processing operations that pursue “school” purposes, the legal basis of the “mission of public interest” has been considered the most appropriate to establish.
  • Other processing operations may demand individual (e.g. parental) consent.
  • Only authorised subcontractors and recipients of pupils’ data are allowed.
  • Information notices must be adapted to different age groups, and more generally to the degree of maturity of the pupils concerned.

Legal processes and redress

Non-material damage under the GDPR: The Dublin District Court awarded 2000 euros compensation to a plaintiff regarding the use of CCTV footage of him by his employer, which led to victimisation by colleagues, serious embarrassment, and loss of sleep. As part of a meeting involving quality control and other managers and supervisors, CCTV video was displayed to various personnel. The plaintiff was not present at the meeting and found out afterwards that the tape had been used. The company’s data protection policies regarding CCTV were not clear or transparent, and no legitimate interest assessment about the remote monitoring of the workers was carried out. Read more details of the case in the original analysis by the Irish lawyers.

US state privacy legislation: The most recent comprehensive state consumer data privacy law has been passed in Oregon. The law has some unique provisions despite being similar to consumer data privacy laws passed in other states. It applies to nonprofit organisations, has broad definitions of covered data (including categories of sensitive and biometric data, as well as derived data), a narrower HIPAA (protected health information) carveout, and grants Oregon residents the right to request a list of the third parties to whom controllers disclosed their data, opt-out options and more. Meanwhile, the Colorado Privacy Act has been enforceable since 1 July, making Colorado the third state after California and Virginia to pass a comprehensive privacy law to protect its residents.

COPPA 2.0: Amendments to the Children’s Online Privacy Protection Act (and the Kids Online Safety Act) have been approved by a Senate Committee. They would close a loophole that allows companies to abuse minors’ data with little accountability and makes it harder for the regulator to prove violations. It would be unlawful for a digital service or connected device directed at children or teens to collect, use, disclose to third parties, or compile their data for profiling and targeted marketing unless the operator has obtained consent from the relevant minor (“verified parental consent”). Operators must also treat each user as a child or minor unless content is deemed to be directed to mixed audiences.

Enforcement decisions

Security measures: Open Bank was fined 2.5 million euros by Spain’s data protection regulator for failing to implement a framework to permit encrypted communication. In order to comply with anti-money laundering legislation, the complainant was asked to confirm the origin of funds received in their bank account. However, the only possibility was to provide the information by email (rather than through a secure direct channel). The information requested by Open Bank is classified as ‘financial data’, which requires the implementation of strengthened safeguards. The regulator decided that Open Bank did not implement a data protection strategy from the start, neither before nor during processing.

In another recent example, the Polish regulator punished a firm to the tune of almost 9000 euros for losing employees’ and contractors’ personal data in a ransomware attack. The organisation failed to complete a risk assessment, to notify the regulator of the breach within 72 hours of becoming aware of it, and to notify the data subjects affected by the breach. The regulator also claimed that the company did not cooperate fully throughout its inquiry; in particular, the company’s communication was frequently inconsistent.

Non-registration with the regulator: Guernsey’s data protection authority is to pursue legal action for failure to register. It is a legal requirement for any organisation (including sole traders) that handles people’s personal information during the course of its business activities – even if this is just names and addresses – to register with the Guernsey regulator. If you are not sure whether you need to register, there are three clear criteria:

  • You (whether a sole trader, organisation, business, charity, landlord, business association etc.) are established in the Bailiwick of Guernsey.
  • You are working with personal data (any information that may identify individual people, such as staff members, your clients, your business contacts, your service users, your tenants etc.), either as a ‘controller’ or a ‘processor’.
  • The activity you are performing is not part of your personal/household affairs.

Non-cooperation with the regulator: According to Data Guidance, the Polish data protection authority fined a company 8000 euros for failing to cooperate (Art. 58 of the GDPR). The regulator received a complaint alleging that the firm had improperly shared personal information with a third party. The regulator sent the business several letters demanding further information, including the legal basis and purpose of processing. The organisation, however, did not react to any of the letters.

Reimbursement app: A one million euro fine was imposed by the Italian privacy regulator on Autostrade per l’Italia (ASPI) for having illegally processed the data of around 100,000 registered users of the toll reimbursement app called Free to X. The critical issues of the service – which allows the total or partial refund of the cost of the motorway ticket for delays due to construction sites – had been reported by a consumer association. The authority has ascertained that Autostrade plays the role of data controller and not of data processor, as erroneously indicated in the documentation that governs the relationship between ASPI and the company Free to X, which created and manages the app.

Meta behavioural ads: The Norwegian data protection authority has prohibited Meta from adapting advertising based on monitoring and profiling of users in Norway. The decision comes shortly after the CJEU stated that Meta’s data practices are still not lawful. When Meta decides which ads you get to see, it also decides which content you don’t get to see. This affects freedom of expression and information in society. There is a danger that behaviour-based marketing reinforces existing stereotypes or that it can lead to unfair discrimination between different groups. Behaviour-based targeting of political advertisements is particularly problematic.

Medical data anonymisation for research: The Italian regulator fined a company for processing the health data of numerous patients collected from around 7000 general practitioners without adopting suitable anonymisation techniques. The GPs adhering to the international health research initiative had to add to their “Medico 2000” management system a function (the “data extractor” add-on) aimed at automatically anonymising patient data and transmitting it to the above company. In fact, the tool only pseudonymised the data assigned to the patients. There was also the erroneous attribution of the role of data controller to the GPs, and therefore the absence of a legal basis for data processing by the company.

Data security

Videoconferencing tool: The EDPS has found that the use of Cisco Webex videoconferencing and related services by the CJEU meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies. However, the decision is not a general endorsement nor certification of data protection compliance of the videoconferencing services provided by any Cisco Webex entity.  

With regard to technical safeguards, the court confirmed that support information is encrypted in transit, while case attachments are encrypted both in transit and at rest, in order to secure personal data from accidental loss and unauthorised access, use, alteration, and disclosure. The keys for encryption are managed by Cisco. 

The court also took organisational measures to limit or avoid transfers of personal data outside of the EU/EEA: in case Cisco needs to have remote access to the court’s Cisco Webex infrastructure, the DPO of the court, in collaboration with the court network engineers, shall analyse the possible risks for the data subjects and decide on the legitimacy of this access.

Ryanair facial recognition: Privacy advocacy group NOYB filed a complaint against Ryanair, alleging that the airline is violating customers’ data protection rights by using facial recognition to verify their identity when booking through online travel agents. The airline outsources this process to an external company named GetID. This means that customers have to entrust (by consenting to it) their biometric data to a company they have never heard of or had a contract with. Passengers can avoid it by showing up at the airport at least 2 hours before departure or by submitting a form and a picture of their passport or national ID card in advance.

Big Tech

Alexa child accounts and geolocation: The US Federal Trade Commission will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act and deceived parents and users of the Alexa voice assistant service about its data practices. Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and improve Alexa’s speech recognition algorithm. 

Among many requirements, Amazon will have to implement a process to identify inactive Alexa child profiles. Following the identification of any inactive child profile, the company shall delete any personal information (voice recordings and geolocation information) within 90 days, unless the parent requests that such information be retained. Misrepresenting the privacy policies related to geolocation and children’s voice information will also be prohibited.

Amazon Go shops: A recent class action against Amazon in New York over its cashier-less Amazon Go shops was voluntarily terminated for unspecified reasons. Previously, the complaint claimed that Amazon acquired biometric data from customers in violation of a New York City Biometric Identifier Information Statute. According to the complainant, Amazon scanned customers’ hands and illegally used technologies such as computer vision, deep learning algorithms, and sensor fusion to measure customers’ bodies in order to identify them and monitor where they walked in the shop and what they purchased. The lawsuit demanded 500 dollars for each infraction of the legislation.

Worldcoin biometric verifications: Members of the public in selected locations worldwide are being encouraged to have their eyes scanned as part of a cryptocurrency initiative that tries to distinguish humans from AI systems via biometric verification. The Worldcoin protocol operates by providing biometrically verified individuals with a digital identity in the form of a Worldcoin token, which promises to be the first crypto token to be issued globally and freely to people simply for being genuine individuals. Users will also receive access to the app, which will allow them to make global payments, purchases, and transfers using digital and traditional currencies. The UK Information Commissioner’s Office commented on the situation:

  • The organisation must conduct a data protection impact assessment before starting any processing that is likely to result in high risks, such as processing special category biometric data. 
  • Where they identify high risks that they cannot mitigate, they must consult the regulator.
  • The organisation also needs to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment.

Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU
https://techgdpr.com/blog/data-protection-digest-18042023-us-data-transfers-and-ai-tools-occupy-eu/ (Tue, 18 Apr 2023 09:29:34 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

US data transfers: A full parliamentary vote on the upcoming EU-US Data Privacy Framework is planned in the coming weeks. So far, a resolution adopted by Civil Liberties Committee MEPs argues that the European Commission should not grant the US an adequacy decision deeming its level of personal data protection essentially equivalent to that of the EU and allowing for transfers of personal data between the two. However, this resolution will not be binding on the European Commission.

MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide clear rules on data retention. The transparency and independence of the new redress mechanism for EU data subjects are also under question. Finally, the US Intelligence Community is still updating its practices based on the framework, so an assessment of its impact on the ground is not yet possible, say MEPs.

CCPA/CPRA: The updated CCPA regulations were approved by the State of California and come into effect in three months’ time. These revisions reflect the CCPA’s amendment by the California Privacy Rights Act of 2020, which added new business obligations addressing: consumer rights regarding the sharing, sale, and restriction of sensitive personal data, information notices, user-enabled privacy controls, opt-out options, contractor and third-party contract requirements, and more.

Employee data: In its recent judgement the CJEU ruled on important aspects of data processing in the employment context, interpreting Art. 88 of the GDPR. The preliminary ruling concerns the lawfulness of a system for the live streaming of classes by videoconference introduced in state schools in Hessen (Germany) without the prior consent of the teachers. Art. 88 of the GDPR enables the national legislator to enact “more specific regulations” on employee data protection. However, these should not be general clauses that simply repeat the GDPR’s provisions.

Instead, they should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing. For organisations and employers this means that, in the absence of valid national provisions, GDPR rules must be complied with, including the balancing tests for the appropriate legal basis for employee data processing (employment contract, legitimate interest or consent).

In response to the decision, the Hamburg data protection commissioner also stated that Section 23 of the Hessian data protection act does not constitute a ‘more specific rule’, and that the moment had arrived for a new federal employment data protection act. 

Automated employment tools: Meanwhile, on the other side of the Atlantic, the New York City Department of Consumer and Workforce Protection promulgated its final regulations on the Automated Employment Decision Tools Law (AEDTL). Once enforced, it will restrict employers’ ability to use machine learning, statistical modelling, data analytics or AI tools in hiring and promotion decisions within New York City. Employers who use automated employment decision tools must also disclose it to candidates before the tool is used, as well as systematically undergo and disclose independent “bias audits”. Read the full analysis here.

EDPB guidance

A set of updated guidance and studies, along with the annual 2022 report, was published by the EDPB.

National administrative rules: The EDPB conducted a study on national administrative rules applicable when the national supervisory authorities carry out their duties under the One-Stop-Shop (OSS) procedure. For instance, the requirements for the admissibility of complaints from individuals vary considerably from one country to another. Furthermore, the possibility to reach an amicable settlement between controllers or processors and complainants does not exist in all countries, and there is no clear indication of the differing regulations’ impact on the OSS procedure. Finally, there is no convergence regarding the prior notification of forthcoming investigations or the exercise of corrective powers. Read more challenges and possible solutions in the original publication.

Entities outside the EEA: Another study by the EDPB looks at the enforcement of GDPR obligations against entities established outside the EEA (California, the UK and China). It aimed to analyse the possibilities available to enforce supervisory authorities’ investigative and corrective powers against third-country controllers/processors that fall under the scope of the GDPR but are not willing to cooperate with regulators and did not designate an EEA representative. This included the possibility to summon third-country controllers/processors to appear before the SA’s office or in the SA’s national courts or tribunals, the choice of jurisdiction, and additional restrictive measures.

Right of access: The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights and Art. 15 of the GDPR, says the EDPB’s latest guidance. The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier – but is not a condition – for the individual to exercise other rights such as the right to erasure or rectification. 

Personal data breach notification: The EDPB considers that complying with the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Breach notification should be seen as a tool for enhancing compliance. At the same time, failure to report a breach to either an individual or a supervisory authority may mean a possible sanction applicable to the controller. Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach.

Lead supervisory authority: The EDPB has noticed that there was a need for further clarifications, specifically regarding the notion of main establishment in the context of joint controllership and taking into account the concepts of controller and processor in the GDPR. Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity in terms of which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR. 

The most complex situations are when it is difficult to identify the main establishment or to determine where decisions about data processing are taken. This might be the case where there is cross-border processing activity and the controller is established in several Member States, but there is no central administration, or none of the EEA establishments is taking decisions about the processing.

Other official guidance

Generative AI risks: The UK privacy regulator, the ICO, poses eight questions about generative AI that developers and users need to answer. The EU legal backlash on ChatGPT is just the beginning of the journey, states the analysis, and organisations developing or using generative AI should be considering their data protection obligations from the outset, taking a data protection by design and by default approach. This isn’t optional: if you’re processing personal data, it’s the law (data protection law still applies when the personal information you’re processing comes from publicly accessible sources):

  • Are you a controller, joint controller or processor?
  • What is your lawful basis for processing personal data?
  • How will you comply with individual rights requests?
  • How will you limit unnecessary processing?
  • How will you mitigate security risks?
  • Have you prepared a Data Protection Impact Assessment?
  • Will you use generative AI to make solely automated decisions?
  • How will you ensure transparency?

To know more, here’s the ICO publication.

AI-assisted employment: Meanwhile, the Spanish data protection authority AEPD explains how to apply AI tools for employment activities. In essence, the data controller decides when designing the programme whether or not to include an additional operation of human supervision on the results produced by the AI system. AI systems form part of the nature of the data processing when they have been included in some of the operations necessary for this explicit purpose. This may include AI systems implemented locally or in the cloud, mobile systems, outsourced data processors, etc. Therefore, the fact that decision-making is automated is not a feature of the AI system itself.

For example, the procedure that guides candidates through an application form, where they upload their CVs, could be implemented with a chatbot. In addition, the number of applications, and therefore of CVs, could be so large that the manager decides to use an AI system for the automatic pre-selection of the most interesting CVs, according to criteria that the manager must also establish. The manager could go further and implement the evaluation of candidates through another AI system that administers and scores tests for the previously selected candidates.

Sports industry: A large amount of personal data, including special categories, is generated in digitised sports, states the German federal data commissioner. Unless these data are anonymised so comprehensively that it is impossible to trace them back to individual athletes, the data protection rules on purpose limitation, storage limitation, lawfulness, data minimisation, transparency and data security apply. This extends to all bodies and organisations that process athletes' personal data: coaches, associations, doping agencies, sports facility operators, scientific institutes, doctors, laboratories, consultants, agents, and sometimes also sponsors, betting shops or even manufacturers of hardware and software.

Investigations and enforcement decisions

Data breach statistics: The Guernsey data protection agency ODPA published the latest personal data breach statistics: Nearly 10 million people were reported to be affected by 38 personal data breaches from January to March. Reportedly, the majority of those were customers of a UK-based company which was the victim of a large cyber-attack. Although the company is not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers are based. Additionally, the most striking examples of personal data breaches involved:

  • people using personal email accounts to send work-related information (email providers are outside the organisation's control, so its usual security policies do not apply and it does not know what is being done with its data);
  • accounts or devices shared between partners (the boundaries between personal life and work intersect in a way that is not helpful for the employee or the workplace, and information can fall into the wrong hands).

Failed data subjects' right of access: Following a complaint, the Spanish AEPD fined Banco Bilbao Vizcaya Argentaria (BBVA) 84,000 euros, according to Data Guidance. Despite having ceased to be a client of BBVA in 2012, the complainant discovered in 2021 that two debts were registered in their name in the Bank of Spain's Risk Information Center. Regarding the exercise of the right of access, the AEPD explained that BBVA had asked the complainant for additional details in order to recover the recordings, which constituted an unfair burden on the data subject for the fulfilment of their request.

In another recent enforcement decision by the AEPD, the claimant requested access to the images from the video surveillance system located at a commercial centre. Unable to find a way to make a request in person, the claimant submitted one via electronic means of communication, (using the company’s marketing email address). This email address is not related to the processing of personal data nor was the means of contact enabled for the exercise of any rights. However, the company responded only to state that such access was not possible, except when there is a prior complaint, or when requested by the police or authorised personnel. The regulator found that the right of access of the complainant to their personal data was not respected, as established in Art. 15 of the GDPR.

Data security

Established cooperation: A long-term relationship between a controller and a processing entity does not guarantee data security, states the Polish privacy regulator UODO. In the related case, the verification of the processor's competence was not formalised: it consisted of an interview, and the services provided by the entity (a file depository service) had not raised objections from the controller. The explanations of both the controller and the processor indicated that these entities only applied the controller's internal regulations (the Personal Data Protection Policy). The lack of any risk analysis resulted in the selection of inadequate measures.

The mere signing of a contract for entrusting the processing of personal data without proper assessment of the processing entity cannot be considered as fulfilment of the data security obligation. The determinant for such an assessment cannot be only long-term cooperation and the use of the services of a given processor. In the opinion of UODO, positively assessed cooperation may only be a starting point when verifying whether the processing entity provides sufficient guarantees for the implementation of appropriate technical and organisational measures. 

Certifying employees’ qualifications: The Hungarian data protection agency NAIH publishes detailed recommendations on how to handle documents certifying employees’ qualifications according to the data protection requirements. The employer may require the employee to present a document in its legitimate interest. The employer can also keep their own, internal records of the education of each employee, the date and the method of proof of education. However, “objective evidence”, (as defined in ISO 9000:2015 Quality management systems), needs to be supported by documented information.

A copy of a document certifying education or training does not have the power to prove that it is an authentic copy of a valid public document, so it is not suitable for establishing the authenticity of the data contained therein, and it may include additional unnecessary personal information.

Instead, the organisation may prepare a note or protocol stating that the given employee presented the original documents certifying their education, the relevant data of which is now recorded by the organisation, (eg, serial number of the document, date of qualification).

Tracking pixels: The Norwegian data protection authority encourages businesses to review their websites for tracking pixels and other tracking technologies. Recent media reports revealed that a large number of European online pharmacies had shared customers' personal data through such technologies. For website users this is potentially a major privacy risk, while for the websites it poses a significant legal and reputational risk. Unless the business has assessed the tools, has an overview of the data flows and is confident that their use is in line with privacy rules, the trackers should simply be removed.

Cyber risks management: The German Federal Office for Information Security updated its manual on 'Management of Cyber Risks'. It is dedicated to a comprehensive corporate culture that takes cyber security into account at all times, aiming to increase the resilience of companies. As cyber security starts with senior management, IT managers need the necessary support and the right understanding on the part of company management. The guide formulates six basic principles that support management and supervisory boards when considering cyber risks:

  • Understanding cyber security as a component of company-wide risk management.
  • Understanding and closely examining the legal implications of cyber risks.
  • Ensuring access to cyber security expertise and regular exchange.
  • Implementing suitable frameworks and resources for cyber risk management.
  • Preparing risk analysis based on business risk appetite, goals and strategies.
  • Encouraging company-wide collaboration and sharing of best practices.

Big Tech

Meta binding decision: The EDPB adopted a dispute resolution concerning a draft decision of the Irish data protection authority DPC on the legality of data transfers to the US by Meta Ireland for its Facebook service. The decision will be announced soon and may constitute an order on blocking Facebook’s transatlantic data flows. The Irish regulator shall adopt its final decision, addressed to Meta Ireland, on the basis of the EDPB binding decision and taking into account the EDPB’s legal assessment, at the latest one month after the EDPB publishes its decision. 

In January this year the DPC, again instructed by the EDPB, ordered Meta to pay a hefty fine for making users accept targeted ads and directed it to bring its processing operations into compliance with the GDPR within three months. The EDPB also directed the DPC to conduct a fresh investigation of all of Facebook's and Instagram's data processing operations, examining the special categories of personal data that may or may not be processed. However, the DPC stated that the EDPB is not entitled to instruct a national authority to engage in a new "open-ended and speculative" investigation.

TikTok privacy fine: Finally, the UK fined TikTok 12.7 million pounds for misusing children's data. More than one million British children under 13 were estimated to be on TikTok in 2020, contrary to its terms of service. As a result, personal data belonging to children was used without parental consent. TikTok "did not do enough" to check who was using the platform and did not take sufficient action to remove underage children. Since the conclusion of the TikTok investigation, the ICO has published a statutory Children's Code to help online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children.

The post Data protection & privacy digest 3 – 17 Apr 2023: US data transfers and AI tools occupy EU appeared first on TechGDPR.

Data protection & privacy digest 4 – 17 March 2023: position of DPOs, user behavior analysis, creditworthiness and profiling https://techgdpr.com/blog/data-protection-digest-20032023-position-of-dpos-user-behavior-analysis-creditworthiness-and-profiling/ Mon, 20 Mar 2023 10:37:07 +0000

The post Data protection & privacy digest 4 – 17 March 2023: position of DPOs, user behavior analysis, creditworthiness and profiling appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

DPO enforcement action: The EDPB launches a coordinated enforcement action on the designation and position of data protection officers. DPOs across the EU will be sent questionnaires, with the possibility of further formal investigations and follow-ups. According to the Portuguese data protection agency, it will ask DPOs to participate voluntarily, and they do not have to identify themselves or the organisation concerned. The Spanish privacy regulator says it will analyse the practices of tens of thousands of public and private sector entities (education, banking, health, security, financial solvency, etc.).

The questions will be related, among others, to the designation, knowledge, and experience of the data protection officers, their tasks, and resources. Special attention will be paid to the independent and effective performance of the tasks of the DPO, and their possible conflict of interest, (where they exercise additional functions of compliance officers, IT managers, etc.), explains the Bavarian data protection supervisor. The requirement for DPOs to report directly to the highest management level of the controller or processor, and their operating conditions, (based on organisational charts, annual reports, etc), also will be checked.

UK Data Protection reform resumes: The Data Protection and Digital Information Bill was reintroduced in the House of Commons. Following the rapid change of UK government last summer, the old bill did not receive its scheduled reading. Much of the new bill is the same as the withdrawn one. The new document also followed a detailed co-design process with industry, business, privacy and consumer groups. It is claimed to reduce burdens on companies and researchers and to boost the economy by 4.7 billion pounds over the next decade. A research briefing on the draft reform bill has been published.

Creditworthiness and profiling risks: The CJEU's Advocate General suggests that the automated establishment of a person's ability to service a loan constitutes profiling under the GDPR. In the related case, a German company governed by private law (SCHUFA) provided a credit institution with a score for the citizen in question, which served as the basis for a refusal to grant credit. The citizen requested that SCHUFA erase the entry concerning her and grant her access to the corresponding data. SCHUFA merely informed her of the relevant score and of the principles underlying the calculation method, without disclosing the specific data included, arguing that the calculation method is a trade secret. Other related cases concerned the lawfulness of the storage, by credit information agencies, of citizen data taken from public registers (on discharge from remaining debts).

Official guidance

Data subject access rights: The Latvian data protection agency DVI explains what the right to access your data means. Every natural person has the right to obtain accurate information about their data, (or a copy of it), held by an organisation. For example, a person participated in a job interview and has not passed the rounds of applicant selection. In order to find out whether or not the company has stored personal data, the person can contact the company and ask, and if this is the case, demand an explanation for what purpose it is processed. The individual must first contact the organisation using the communication channels or methods specified in the privacy policy. The request should be as clear as possible, and include:

  • identifying information of the requester (the organisation has the right to request additional information so that the person can be identified correctly);
  • an indication whether the information is desired for all data or for a specific case;
  • an indication of the period for which information is to be provided;
  • precise requests referring to all or any of the above questions.

The organisation may refuse the request if it was already answered or it is disproportionally large, unidentified, or the information is covered by other regulatory acts. But if the organisation does not respond to the request within a month, and does not provide the information, (or the reasons for refusal), the person has the right to file a complaint with the data protection authority. 

Dematerialised receipts: The French privacy regulator CNIL looked at dematerialised receipts that merchants can offer you in place of traditional printed ones. You must still have the choice of whether or not to receive one (via email or SMS), as dematerialisation is not required by law. Dematerialised receipts allow the merchant to collect and reuse your data for advertising, but they must respect your rights by asking for your consent or by allowing you to opt out. If a merchant offers retrieval of your receipt by scanning a QR code with your smartphone, only the technical data necessary to establish the connection between the devices should be collected. Finally, the creation of a loyalty or online account is not mandatory to obtain your receipt.

User and Entity Behavior Analysis: UEBA techniques have a multitude of applications that always have something in common: recording user behavior in the past, modelling it in the present and, if possible, predicting what it will be like in the future. According to the Spanish privacy regulator AEPD, the techniques used online collect massive amounts of data and almost always apply machine learning or AI. Users are always people; entities can be animals, vehicles, mobile devices, sensors, etc. How the techniques are applied depends on the specific domain, since it may be of interest to analyse the individual behavior of people or their behavior from a social perspective, in three main domains:

  • service and marketing optimisation; 
  • cybersecurity; 
  • health and safety.

When personal data is processed, the principles established in the GDPR are mandatory, including transparency, data minimisation, and purpose limitation. But in many cases, users are not informed about the types of techniques that are being used, the depth of the treatment, the scope of data sharing, or the potential impact that a data breach may have.
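To make the "record past behavior, model the present, flag deviations" loop concrete, here is an added example that is not from the AEPD guidance or the original post: a minimal login-behavior baseline for the cybersecurity domain. The log lines, users and countries are constructed; the one-hour neighbour tolerance and the three-event minimum history are my own choices. Only per-user aggregates (an hour histogram and a set of countries) survive the learning phase, which is one way to honour the data minimisation principle mentioned above instead of keeping every raw event.

```python
"""Minimal UEBA-style login baseline: learn each user's usual hours and countries, then flag deviations."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data): timestamp, user, source country, outcome.
SAMPLE_LOG = """\
2023-03-01T08:05:00 alice NO success
2023-03-01T17:40:00 alice NO success
2023-03-02T08:15:00 alice NO success
2023-03-02T16:55:00 alice SE success
2023-03-03T09:00:00 alice NO success
2023-03-01T09:10:00 bob NO success
2023-03-02T09:05:00 bob NO success
2023-03-03T09:20:00 bob NO success
2023-03-06T03:12:00 alice RU success
2023-03-06T09:00:00 bob NO success
2023-03-06T10:00:00 carol NO success
"""


def parse(log_text):
    """Yield (timestamp, user, country, outcome) tuples from the space-separated log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, country, outcome = line.split()
        yield datetime.fromisoformat(ts), user, country, outcome


def build_baseline(events):
    """Per-user model of past behaviour: hour-of-day histogram and set of source countries.

    Only these aggregates are kept, not the raw events (the data-minimising choice).
    """
    baseline = defaultdict(lambda: {"hours": Counter(), "countries": set(), "n": 0})
    for ts, user, country, _ in events:
        b = baseline[user]
        b["hours"][ts.hour] += 1
        b["countries"].add(country)
        b["n"] += 1
    return dict(baseline)


def score(event, baseline, min_history=3):
    """Return the reasons an event deviates from the user's baseline (empty list = normal)."""
    ts, user, country, _ = event
    b = baseline.get(user)
    if b is None or b["n"] < min_history:
        return ["no usable baseline"]
    reasons = []
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    # An hour counts as usual if the user was seen in it or in an adjacent hour.
    neighbours = {(ts.hour + d) % 24 for d in (-1, 0, 1)}
    if not any(b["hours"][h] for h in neighbours):
        reasons.append(f"unusual hour {ts.hour:02d}")
    return reasons


def detect(log_text, cutoff_iso):
    """Model behaviour before the cutoff, score events at or after it; return flagged (ts, user, reasons)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = list(parse(log_text))
    baseline = build_baseline(e for e in events if e[0] < cutoff)
    flagged = []
    for e in (e for e in events if e[0] >= cutoff):
        reasons = score(e, baseline)
        if reasons:
            flagged.append((e[0].isoformat(), e[1], reasons))
    return flagged


if __name__ == "__main__":
    for ts, user, reasons in detect(SAMPLE_LOG, "2023-03-06"):
        print(ts, user, "; ".join(reasons))
```

Run against the sample, alice's 03:12 login from a new country is flagged on two counts, bob's routine 09:00 login passes, and carol is flagged only because she has no history yet; in a real deployment the "no usable baseline" case should route to a different, lower-severity queue rather than be treated as an attack.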

Algorithmic fairness: The UK privacy regulator ICO decided to update its guidance to help organisations adopt new technologies while protecting people and vulnerable groups. New content was added on AI and inferences, affinity groups, special category data, as well as things to consider as part of your DPIA. The updated guidance explains the differences between fairness, algorithmic fairness, bias, and discrimination. It also explains the different sources of bias that can lead to unfairness and possible mitigation measures. There is a new section about data protection fairness considerations across the AI lifecycle, from problem formulation to decommissioning. Technical terms are also explained in the updated glossary.

Enforcement decisions

Irish queries: The Irish data protection authority DPC in its 2022 report stated that the most frequent GDPR topics for queries and complaints were: access requests, fair-processing, disclosure, direct marketing, and right to be forgotten, (delisting and/or removal requests). At the same time, breach notifications were down 12% on 2021 figures. The most frequent cause of breaches reported arose as a result of correspondence inadvertently being misdirected to the wrong recipients, at 62% of the overall total. Where possible the DPC endeavored to resolve individual complaints informally – as provided for in the Data Protection Act 2018. Overall, the DPC concluded 10,008 cases in 2022 of which 3,133 were resolved through formal complaint handling. 

Medical research data: The French privacy regulator CNIL reminds two medical research organisations of their legal obligations – to carry out an impact assessment on data protection and to properly inform individuals. Health research must be authorised by the CNIL or comply with a reference methodology. These methodologies require a DPIA to be carried out before starting the research. A single analysis may cover a set of processing operations that present similar risks, (eg, similar projects, using the same IT tools). 

Information notices provided by the two organisations also did not specify the nature of the information collected or its retention period, contact details of the data protection officer or the procedures for appealing to the CNIL. Finally, an information notice stated that the data was anonymised, which was not the case since the identity of the patients was only replaced by a three-digit “patient number” and a “patient code” composed of two letters corresponding to the first initial of the name and surname of the person concerned.
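The CNIL's point that a three-digit number plus an initials code is pseudonymisation, not anonymisation, can be checked mechanically. The following added example, which is not part of the original post or of the CNIL decision, applies that scheme to a constructed, fictional roster and measures k-anonymity over the resulting quasi-identifiers. The roster, the field names and the extra `birth_year` attribute are assumptions made for the illustration; the general `k_anonymity` function works for any set of quasi-identifier columns.

```python
"""Check whether a 'patient code' built from initials actually anonymises a roster (it does not)."""
from collections import defaultdict

# Constructed roster of fictional people. The scheme in the case replaced identity with a
# sequential three-digit number plus a two-letter code made of the initials of name and surname.
ROSTER = [
    {"first": "Anna", "last": "Berg", "birth_year": 1980, "condition": "asthma"},
    {"first": "Arne", "last": "Bakke", "birth_year": 1975, "condition": "diabetes"},
    {"first": "Carl", "last": "Dahl", "birth_year": 1980, "condition": "asthma"},
    {"first": "Clara", "last": "Dale", "birth_year": 1992, "condition": "migraine"},
    {"first": "Eva", "last": "Falk", "birth_year": 1992, "condition": "asthma"},
    {"first": "Erik", "last": "Foss", "birth_year": 1992, "condition": "eczema"},
]


def patient_code(rec):
    """Two-letter code from the initials of first name and surname, as in the case."""
    return (rec["first"][0] + rec["last"][0]).upper()


def pseudonymise(roster):
    """Apply the scheme: sequential patient number + initials code, identity fields dropped."""
    return [
        {
            "patient_number": f"{i:03d}",
            "code": patient_code(r),
            "birth_year": r["birth_year"],
            "condition": r["condition"],
        }
        for i, r in enumerate(roster, 1)
    ]


def equivalence_classes(records, quasi_ids):
    """Group records by the tuple of quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].append(r)
    return dict(groups)


def k_anonymity(records, quasi_ids):
    """Size of the smallest equivalence class; k == 1 means at least one person is singled out."""
    classes = equivalence_classes(records, quasi_ids)
    return min(len(g) for g in classes.values()) if classes else 0


def singled_out(records, quasi_ids):
    """Quasi-identifier tuples that map to exactly one record, sorted for stable output."""
    return sorted(key for key, g in equivalence_classes(records, quasi_ids).items() if len(g) == 1)


if __name__ == "__main__":
    pseudo = pseudonymise(ROSTER)
    print("k over code alone:", k_anonymity(pseudo, ["code"]))
    print("k over code + birth year:", k_anonymity(pseudo, ["code", "birth_year"]))
    print("singled out:", singled_out(pseudo, ["code", "birth_year"]))
```

Two things fall out of running it. The initials code is a deterministic function of the name, so anyone holding a name list (the organisation itself, a colleague, a leaked enrolment sheet) can recompute it and shrink the candidate set; and the sequential patient number is only as secret as the enrolment list it was derived from. Adding one more ordinary attribute drives k to 1 on this roster, which is why the CNIL treated the data as pseudonymised, still personal data, rather than anonymised.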

Political affiliation data: In Romania, a political party was fined following a data breach notification. Data stored on an operator's server hosting an application was exposed through a phishing attack. It was found that the operator had not implemented adequate technical and organisational measures to ensure an appropriate level of security, such as encryption or pseudonymisation of the stored personal data, which led to a loss of confidentiality through unauthorised access to and use of personal data such as name, surname, personal numeric code, e-mail address, telephone number and political affiliation.

Non-conformant data breach notice: The Norwegian data protection authority Datatilsynet imposed a fine of approx. 220,000 euros on the US company Argon Medical Devices for breaching the GDPR. In July 2021, Argon discovered a security breach that affected the personal data of all its European employees, including in Norway. Argon believed that it did not need to report the breach until it had a complete overview of the incident and all its consequences. The company sent a notice to the Norwegian regulator only in September 2021, long after the 72-hour deadline for reporting a breach under Art. 33 of the GDPR. The breach concerned personal data that could be used for fraud and identity theft.

Data Security

PETs: The OECD offers guidance on emerging privacy-enhancing technologies – digital solutions that allow information to be collected, processed, analysed, and shared while protecting data confidentiality and privacy. This often includes zero-knowledge proofs, differential privacy, synthetic data, anonymisation, and pseudonymisation tools, as well as homomorphic encryption, multi-party computation, federated learning, and personal data stores. However, the majority of these tools lack standalone applications, have limited use cases, and are still in the early stages of development.

Big Tech

Meta and Dutch users: Facebook Ireland acted unlawfully when processing the personal data of Dutch users, states an Amsterdam court. Between 2010 and 2020, users’ personal information was processed illegally for marketing purposes. Additionally, it was distributed to third parties devoid of legal justification and without properly informing users about it. Also, consent was not obtained before processing sensitive personal data for advertising purposes, such as sexual orientation or religion. This concerned both information voluntarily provided by users and information that Facebook Ireland collected by observing users’ online browsing patterns outside the Facebook service. 

Meta tracking tools: According to the Austrian data protection authority DSB, the use of Facebook's tracking tools (Login and Meta Pixel) violates both the GDPR and the "Schrems II" ruling. Because US surveillance laws require companies like Facebook to disclose users' information to the authorities, the CJEU determined in 2020 that transfers to such US providers violate the GDPR. According to the NOYB foundation, which launched the complaint, numerous websites track users with Meta tracking technology to display personalised ads, and websites using this technology also send all user data to US multinationals. While the EU-US Data Privacy Framework awaits approval from the European Commission, the US government continues bulk surveillance of EU users.
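Both the Norwegian regulator's call to review websites for tracking pixels (in the April digest above) and the DSB decision on the Meta Pixel and Login tools come down to one concrete question: which third-party trackers does a page actually load? The following added example, which is not code from the original posts or from any regulator, scans saved page HTML for well-known tracker hosts, tracker initialisation calls in inline JavaScript, and hidden or 1x1 third-party images. The tracker host list, the inline signatures and the sample page (a fictional pharmacy.example site with a placeholder PIXEL_ID) are constructed assumptions; extend the lists to match your own inventory.

```python
"""Scan a page's HTML for tracking pixels and third-party tracker scripts (standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of well-known tracking endpoints (constructed starting list; extend as needed).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}
# Call signatures that show a tracker has been initialised in inline JavaScript.
INLINE_SIGNATURES = {"fbq(": "Meta Pixel", "gtag(": "Google gtag", "ttq.load(": "TikTok Pixel"}


def _host(url):
    """Lower-cased hostname of an absolute or protocol-relative URL, or '' for relative/empty URLs."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


class TrackerScanner(HTMLParser):
    """Collects (kind, evidence, label) findings while parsing HTML."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script = []

    def _add(self, kind, evidence, label):
        finding = (kind, evidence, label)
        if finding not in self.findings:
            self.findings.append(finding)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script, self._script = True, []
            host = _host(a.get("src", ""))
            if host in TRACKER_HOSTS:
                self._add("script-src", host, TRACKER_HOSTS[host])
        elif tag == "img":
            src = a.get("src", "")
            host = _host(src)
            if host in TRACKER_HOSTS:
                self._add("img-beacon", src, TRACKER_HOSTS[host])
                return
            # A 1x1 or hidden image fetched from another host is the classic pixel shape.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            if host and host != self.site_host and (tiny or hidden):
                self._add("img-pixel", src, "unknown third-party pixel")

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            for sig, label in INLINE_SIGNATURES.items():
                if sig in body:
                    self._add("inline-js", sig, label)
            for host, label in TRACKER_HOSTS.items():
                if host in body:
                    self._add("inline-js", host, label)


def scan(html, site_host):
    """Return the list of (kind, evidence, label) findings for one page."""
    parser = TrackerScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def labels(findings):
    """Distinct tracker labels found, sorted."""
    return sorted({label for _, _, label in findings})


# Constructed sample page for a fictional pharmacy site; PIXEL_ID is a placeholder, not a real ID.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  !function(f,b,e,v,n,t,s){/* Meta Pixel loader stub */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID'); fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView&noscript=1"/></noscript>
<img src="https://pharmacy.example/logo.png" width="200" height="60" alt="logo">
<img src="https://cdn.thirdparty.example/p.gif" width="1" height="1" alt="">
</body></html>
"""

if __name__ == "__main__":
    for kind, evidence, label in scan(SAMPLE_HTML, "pharmacy.example"):
        print(f"{kind:10} {label:28} {evidence}")
```

Feed it the HTML you fetch with your normal tooling together with the site's own hostname; first-party images are ignored even when they are 1x1. Two caveats a reviewer should keep in mind: a static scan only sees what is in the markup, so tags injected after a consent click or by a tag manager container need a capture of the rendered page after interaction, and an unlisted host showing up as an "unknown third-party pixel" is a prompt to go and identify it, not a verdict.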

Meta’s WhatsApp settlement in the EU: The European Commission and the European network of consumer authorities have closed their investigation into Meta’s messaging app WhatsApp following a complaint made by the BEUC, (the European Consumer Organisation). WhatsApp has committed to better explain the policy changes it intends to make and to give users a possibility to reject them as easily as to accept them. Unfortunately, this will only apply to future changes to the app. However, the complaint identified multiple breaches of consumer and data subject rights since 2021 including aggressive commercial practices, and unclear and misleading terms of use and notices to its users. 
