password management Archives - TechGDPR
https://techgdpr.com/blog/tag/password-management/
Fri, 31 Oct 2025 17:11:20 +0000

Password security: how strong passwords work and the tools to simplify
https://techgdpr.com/blog/password-security-strong-passwords-tools/
Tue, 31 Dec 2024 11:02:10 +0000

The post Password security: how strong passwords work and the tools to simplify appeared first on TechGDPR.

Although there are tools for visualizing the strength of one’s password, it is not immediately clear how password strength works or where the fine line lies between a random, unpredictable password and an easy-to-guess one. What if there were a way for the average person to understand where that line resides? Password strength is the basis for protecting sensitive data, ensuring regulatory compliance and maintaining trust. With growing reliance on online systems and fast-rising threats, reliable password practices are necessary. Compromised and weak passwords create loopholes for cybercriminals, and the ensuing loss of confidentiality leads to data breaches.

Exploring key aspects of password security involves evaluating password strength to resist brute force attacks and using password managers for secure and unique passwords. It also includes leveraging multi-factor authentication (MFA) to enhance protection and recognizing the risks of using browser-suggested passwords and potential vulnerabilities if the browser or device gets compromised.

How secure is my password?

One of the ways to assess the strength of a password is through entropy. Entropy measures password complexity by assessing its randomness, indicating how unpredictable and difficult it is for attackers to guess. Higher entropy, or more randomness, in layman’s terms means a more secure password. Factors that contribute to higher password entropy include:

  • Length: Longer passwords are generally harder to crack.
  • Complexity: Including a mix of uppercase and lowercase letters, numbers, and symbols.
  • Unpredictability: Avoiding predictable patterns like common words and phrases.

For anyone curious about how secure their password is, this Password Entropy Calculator helps an individual understand password strength and evaluate their own passwords. A secure password should have high entropy, which makes it resistant to brute-force attacks, where attackers systematically try every possible combination of passwords or keys until they find the correct one.
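To make the entropy idea concrete, here is an added example written for this page; it is not the Password Entropy Calculator the post links to, nor any TechGDPR tool. It computes the naive character-pool estimate (length × log2 of the alphabet size) that the list above describes, a passphrase estimate for words drawn from a wordlist, and a pattern-aware estimate that charges a leading dictionary word as a single dictionary guess instead of as independent random characters, which is where the "fine line" between a random and an easy-to-guess password shows up. The five-word common-word list, the assumed 10,000-entry attacker dictionary and the 10^10 guesses-per-second rate are constructed assumptions for illustration only.

```python
import math
import string

# Character classes counted by the naive estimate: a password that uses at least
# one character from a class is assumed to draw every position from that class too.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,    # 26 characters
    "upper": string.ascii_uppercase,    # 26 characters
    "digits": string.digits,            # 10 characters
    "symbols": string.punctuation,      # 32 characters
}

# Constructed stand-in for a cracking dictionary and its assumed size (assumptions,
# not figures from the post): real cracking dictionaries hold millions of entries.
COMMON_WORDS = ("password", "welcome", "summer", "dragon", "monkey")
DICTIONARY_SIZE = 10_000


def pool_size(password: str) -> int:
    """Alphabet size N implied by the character classes the password actually uses."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def naive_entropy_bits(password: str) -> float:
    """Naive estimate L * log2(N), as if every character were chosen uniformly at random."""
    n = pool_size(password)
    if not password or n == 0:
        return 0.0
    return len(password) * math.log2(n)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are picked uniformly from a wordlist
    (a diceware-style list has 7776 words)."""
    if word_count <= 0 or wordlist_size <= 1:
        return 0.0
    return word_count * math.log2(wordlist_size)


def pattern_aware_entropy_bits(password: str) -> float:
    """Estimate that treats a leading dictionary word as one guess out of DICTIONARY_SIZE
    (plus one bit for capitalised-or-not) and scores only the remaining suffix as random
    characters. 'Summer2024!' looks strong by character classes but is a dictionary word
    with a short predictable suffix."""
    lowered = password.lower()
    for word in COMMON_WORDS:
        if lowered.startswith(word):
            suffix = password[len(word):]
            bits = math.log2(DICTIONARY_SIZE) + 1   # which word, and its capitalisation
            bits += naive_entropy_bits(suffix)      # the suffix is still scored naively
            return bits
    return naive_entropy_bits(password)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time: on average half of the 2**bits space is searched."""
    return (2 ** (bits - 1)) / guesses_per_second


def report(password: str) -> dict:
    """Both estimates side by side, so the gap between 'looks random' and 'is random' is visible."""
    naive = naive_entropy_bits(password)
    aware = pattern_aware_entropy_bits(password)
    return {
        "password": password,
        "pool_size": pool_size(password),
        "naive_bits": round(naive, 1),
        "pattern_aware_bits": round(aware, 1),
        "naive_crack_years": round(expected_crack_seconds(naive) / 31_557_600, 1),
        "pattern_aware_crack_seconds": round(expected_crack_seconds(aware), 1),
    }


if __name__ == "__main__":
    for pw in ("Summer2024!", "x7#Qp2!vLm9z", "dragon"):
        print(report(pw))
    # A six-word passphrase from a 7776-word list, for comparison:
    print("6-word passphrase:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The naive figure is what most online strength meters show; the pattern-aware figure is closer to what a dictionary-based attack actually faces. Randomly generated strings and multi-word passphrases score the same under both because they contain no guessable structure, which is the property the post is asking readers to aim for.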

How do password managers enhance security?

According to the German Federal Office for Information Security (BSI), using a password manager is one of the most effective ways to securely store and manage passwords. Following such standards ensures that the strategies outlined are both robust and reliable, offering a trusted framework for enhancing password security. Password managers are powerful tools for improving both password security and convenience. They securely store and manage passwords, making it easy to use complex, unique credentials for each account. This not only enhances security by reducing the risk of weak or reused passwords, but also simplifies the online experience by eliminating the need to remember multiple passwords. Password managers enhance security by:

  • Generating strong passwords: Password managers create random, complex passwords that are nearly impossible to crack.
  • Secure storage: Passwords are encrypted and stored securely, reducing the risk of exposure.
  • Unique passwords for every account: Using unique passwords for each account limits the damage if one account is compromised (for instance, if logging into a service over public WiFi leads to a third party intercepting an individual’s credentials).
  • Automatic filling: Password managers can autofill login credentials on the legitimate sites they were saved for, which reduces the risk of phishing attacks.

There are many popular password managers that offer both free and premium versions to suit individual or organizational needs. Organizational password management needs often focus on collaboration, centralized control, and compliance with security policies, requiring features like shared vaults, role-based access, and audit trails. In contrast, individual users prioritize personal security, ease of use, and cross-device synchronization to protect their accounts.

How Multi-factor Authentication (MFA) adds an extra layer of security

While strong passwords are essential, they are not enough on their own. The European Union has emphasised how MFA protects consumers’ sensitive data, enhances operational resilience, and mitigates cybersecurity risks. Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to access an account. These factors typically include a combination of at least two of the following:

  • Something you know: A password or PIN.
  • Something you have [i.e. physically]: A smartphone, hardware token, or security key.
  • Something you are: Biometric data, such as fingerprints or facial biometrics.
  • Somewhere you are: The location matches the expected location (VPNs).

MFA significantly reduces the risk of unauthorized access, even if a password is compromised. According to Microsoft, MFA can prevent 99.9% of account compromise attacks, making it a crucial component of any security strategy. 

Password security and compliance

Many industries are subject to regulations that require high password security to protect sensitive data such as:

  • The General Data Protection Regulation (GDPR): Mandates the protection of personal data for EU residents.
  • The Payment Card Industry Data Security Standard (PCI DSS): Requires strong password policies for organizations handling credit card data.
  • Health Insurance Portability and Accountability Act (HIPAA): Enforces password security to safeguard patient information.

Failure to comply with these regulations can result in substantial fines and legal consequences. Implementing password security best practices is therefore not just good protection practice; it is a compliance necessity.

Are browser-suggested passwords safe?

They are generally safe and convenient: modern web browsers like Chrome, Firefox, and Safari offer built-in password managers that suggest and store passwords using encrypted storage. Nonetheless, there are some risks to consider:

  • Limited security features: Browser-based password managers may not offer the same level of encryption and security as dedicated password manager apps.
  • Device dependency: If a device is compromised or lost, the stored passwords may be at risk, especially if the device lacks proper security controls.
  • Synchronization risks: Passwords synced across devices via a cloud service are exposed if an attacker compromises the cloud account.
  • Phishing vulnerability: Phishing websites that clone legitimate sites can try to exploit autofill features.

When choosing to use browser-suggested passwords, ensure an up-to-date browser, use strong device security, and consider enabling MFA for cloud accounts.

Conclusion

Password security is a staple of digital safety and regulatory compliance. Creating strong, unique passwords, using password managers, and enabling multi-factor authentication help individuals and organizations reduce unauthorized access and breaches.

While browser-suggested passwords offer convenience, understanding their limitations and risks is essential. Ultimately, a proactive approach to password security can protect an individual’s data, ensure compliance, and build trust with customers.

Feel free to reach out to TechGDPR for any clarification of technical compliance needs.

Data protection digest 3 – 17 Jan 2024: digital services transparency and risk assessment in the focus of regulators
https://techgdpr.com/blog/data-protection-digest-18012024-digital-services-transparency-and-risk-assessment-in-the-focus-of-regulators/
Thu, 18 Jan 2024 13:00:21 +0000

The post Data protection digest 3 – 17 Jan 2024: digital services transparency and risk assessment in the focus of regulators appeared first on TechGDPR.

Our latest data protection bulletin focuses on digital services transparency and safety from decentralised clinical trials and health apps to electronic payments and audience measurements. Data transfer impact assessments and the performance of DPOs also feature in this issue.

Sign up to receive our fortnightly digest via email.

Legal processes

Digital Services Act: Online services will have new obligations when the application of the EU’s digital services regulation begins on 17 February. The purpose of the new regulation is to reduce illegal content and increase the transparency of advertising and recommendation systems and the protection of minors. The internet giants have already been supervised and regulated directly by the European Commission since mid-2023, whereas Member States become responsible for the supervision of smaller platforms as of mid-February.

EU adequacy decisions list: The European Commission successfully concluded its review of 11 existing adequacy decisions. Thus, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to benefit from adequate data protection safeguards. The Commission also monitors the latest arrangements that are in place with the UK, US, Japan and South Korea.

Regulatory updates

Decentralised clinical trials: To support sponsors in the design of their decentralised clinical research projects, the French data protection regulator CNIL and its state partners are setting up a pilot phase from January to June 2024. Twenty projects will be selected and will receive targeted support. In 2022, the European Commission published the European recommendations on decentralised clinical trials in the wake of the COVID-19 pandemic. Each application must include:

  • a specific question mentioning the decentralised component and summarizing the problem encountered;
  • a proposal for a complete scenario for the implementation of the decentralised element of the research project, a summary of the protocol and the information notice for future participants.

DPO evaluation: The EDPB identified areas of improvement to promote the role and recognition of data protection officers. In 2023, thousands of organisations, as well as DPOs, were contacted across the EEA, covering a wide range of sectors, and more than 17,000 replies were received and analysed. The majority of the DPOs surveyed declare that they have the necessary skills and knowledge to do their work and receive regular training; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. They generally have sufficient resources to carry out their tasks and are, in most cases, involved in decisions relating to personal data.

However, the answers provided highlight the significant disparity in resources between the DPOs of large companies and those of small communities: the public-sector DPO often carries out their duties alone, while the private-sector DPO generally has a team.

Transfer Impact Assessment

A Transfer Impact Assessment must be undertaken by controllers or processors acting as data exporters, with the assistance of the importer, before transferring data from a European Economic Area country to a third country where such transfer is based on one of the transfer tools under Art. 46 of the GDPR. Since the importer holds much of the information needed for this assessment, its cooperation is essential for carrying out the TIA. To that end, the French data protection authority decided to give indications on how the analysis can be carried out by following the steps set out in the EDPB’s recommendations. You can read the draft TIA guide (in English) here. The consultation on it is open until 12 February.

(If the country of destination is covered by an adequacy decision by the European Commission, the exporter is not subject to this obligation. The same applies if the transfer is carried out based on one of the derogations listed in Art. 49 of the GDPR.)

Cookies and audience measurement

The Spanish data protection authority published a guide on the use of cookies for audience measurement (in Spanish). The management of a website or mobile application by a publisher generally requires the use of traffic or performance statistics. The information processed through the use of cookies for this purpose can be managed directly by the publisher or by a provider offering a comparative audience measurement service. In that case, the provider would act as a data processor for one or more publishers.

Cookies used to obtain traffic or performance statistics may be exempt from consent under certain conditions (limited strictly to what is necessary for the provision of the service). In return, to be exempt from consent, these cookies or similar technologies must not result in the data being combined with other processing operations or transmitted to third parties. In addition, they must not allow aggregate tracking of the navigation of a person who uses different applications or browsers (as is the case with audience measurement offers available on the market).

Similarly, the Austrian data protection authority published an FAQ on cookies and data protection (in German). In particular, it explains what “technically necessary” cookies are, how to use industry standards or “cookie consent tools”, and finally how to identify the GDPR-governed roles and responsibilities of a data controller or a processor if cookies are set for your digital services.

More official guidance

Fitness trackers: Such apps and devices are usually connected to the Internet as well as to other apps and devices of various kinds. This implies an exponential multiplication of the sensitive data processed and shared, and of the possible risks related to IT security. According to the Italian data protection agency, when using these tools it is therefore always good to adopt some important precautions:

  • always read the information notice carefully (who will process your data, and how);
  • minimise data collection (disable features that are not essential, use a pseudonym, delete data);
  • if the connection to other devices is not essential for the device or app to function, do not grant permission (such as to contacts in the address book, photos, agenda or microphone);
  • safety first (complex and secure authentication, downloads via official digital services, periodic updates);
  • if you don’t use it, turn it off or uninstall it from your device; and
  • avoid the use of devices and apps by minors unless supervised by an adult.

Generative AI: Meanwhile, the UK Information Commissioner’s Office (ICO) has launched a consultation series on generative Artificial Intelligence. Generative AI models are being used across the economy to create new content, from music to computer code. The first consultation examines when it is lawful to train generative AI models on personal data scraped from the web. The ICO is seeking views from a range of stakeholders, including developers and users of generative AI, legal advisors and consultants working in this area, civil society groups and other public bodies with an interest in generative AI. The first consultation is open until 1 March.

CJEU ruling

Controller’s (non) strict liability: In one of its recent decisions the CJEU held that a controller will be held liable for a breach committed intentionally or negligently by a processor carrying out processing operations on its behalf. However, a processor may be held solely liable if it carried out the processing:

  • for its own purposes;
  • in non-compliance with the framework of, or arrangements for, the processing as determined by the controller; or
  • in such a manner that it cannot reasonably be considered that the controller consented to such processing.

The case relates to the development of a COVID-19 mobile application, raising questions of joint controllership between the IT service provider and the Lithuanian Public Health Centre that ordered its creation but did not enter into a contract to proceed with its publication. The app was eventually made available on Google Play, and its privacy policy still referenced the public centre and the service provider as controllers. 

Unsolicited marketing

Food delivery spam: The UK Information Commissioner fined food delivery company HelloFresh 140,000 pounds for 79 million spam emails and 1 million spam texts over seven months. The marketing messages were sent based on an opt-in statement which did not make any reference to the sending of marketing via text. Whilst there was a reference to marketing via email, this was included in an age confirmation statement which was likely to unfairly incentivise customers to agree. Customers were also not given sufficient information that their data would continue to be used for marketing purposes for up to 24 months after cancelling their subscriptions.

“Do not call” register: The UK Commissioner also fined Poxell Ltd 150,000 pounds for making over 2.6 million unlawful marketing calls between March and July 2022. The company made dozens of calls to individuals with dementia and other serious illnesses offering home improvement solutions. Its aggressive salespeople failed to identify themselves, allow their number to be displayed to the person receiving the call, or provide a contact address or freephone number when asked. After receiving the initial investigation letter, the company continued to make unsolicited direct marketing calls until its account was terminated by its communications service provider.

Customer data deletion: The Danish data protection regulator imposed a fine of approx. 33,000 euros against the Royal Theater for not having laid down rules for deleting customer information for marketing use. The theatre stored information on approx. 520,000 customers and newsletter recipients for marketing purposes, without having set deletion deadlines or established fixed procedures or guidelines for deleting the information. The information was only deleted in cases where individual customers specifically requested deletion or revoked their consent to receive direct marketing. 

Data breaches

Inappropriate coding: The Danish data protection regulator also recommended a record fine of approx. 2 million euros against Netcompany. As a data controller it had not implemented appropriate security measures in connection with the development of mit.dk. This system enabled users to read and respond to their digital correspondence from the authorities, while also being able to access their medical records and pay bills. Netcompany used inappropriate coding in the component that authenticated mit.dk users. When mit.dk was put into operation in March 2022, an error therefore occurred almost immediately when several users logged on and accessed other users’ sensitive information.

Password recycling: Finally, tech giant 23andMe, a DNA-testing company, blames its users for data breaches, Messenger.com reports. The recent October breach exposed the 23andMe accounts of about 6.9 million users. Customers received a letter from the corporation informing them that 23andMe was not responsible for the incident. Rather, it was the result of users’ failure to safeguard their account credentials: the key that allowed criminal actors to use 23andMe’s DNA Relative matching service was supplied by some customers who recycled passwords that had been exposed in prior data breaches targeting other websites. Since the data breach, the corporation has been sued many times, with every claim citing inadequately secured customer information.

More enforcement decisions

Electronic payments: The French data protection regulator imposed a fine of 105,000 euros on NS CARDS France. The company publishes the neosurf.com website and the mobile app “Neosurf”, which allows users to make online payments after registering for digital services. The company had set a ten-year retention period at the end of which user accounts were deactivated but not deleted, so the account data was in fact kept for an indefinite period. In addition, the ten-year retention period was applied to all user accounts, without sorting out the data to be kept, for example under certain consumer rights. Another failing was that the user account password complexity rules were insufficiently robust (e.g. passwords were stored in plain text in the database, associated with the users’ email address and ID).

The regulator also noted the deposit of Google Analytics cookies on the user’s terminal without their consent. NS CARDS France also used a reCAPTCHA mechanism, provided by Google, when creating the account and logging in to the website and mobile application. The collected data was transmitted to Google for analysis but the company did not provide any information to the user and did not obtain their prior consent.

Risk assessment failed: Meanwhile, the Dutch data protection authority imposed a fine of 150,000 euros on International Card Services (ICS). ICS failed to carry out a DPIA before the company started digitally identifying customers in the Netherlands in 2019. Furthermore, the personal information used for identification was sensitive. In addition to customers’ names, addresses, telephone numbers and e-mails, this included a photo that customers had to take of themselves and send via a mobile phone or webcam. ICS then used these photos to compare them with copies of customers’ IDs. 

Data security

Data breach types: The Danish data protection authority focuses on 10 typical breaches of personal data security and comes up with concrete proposals on how they can be avoided (in Danish). These include auto-complete that causes e-mails to be sent to the wrong recipients, broad access to data on network drives, unauthorised access to data due to poor design, coding errors and insufficient testing, failure to delete data using digital tools, loss or theft of portable devices with unencrypted data, disclosure of data stored in template and form solutions, and more.

My Health My Data: Washington State published a FAQ on the My Health My Data Act. It is the first privacy-focused law in the United States to protect personal health data collected and shared outside the state and under federal healthcare privacy regulations. This concerns information that can identify a consumer’s past, present, or future physical or mental health status. For example, information about the purchase of toilet paper or deodorant is not consumer health data, while an app that tracks someone’s digestion or perspiration is. Regulated entities or small businesses shall:

  • publish a separate and distinct link to their consumer health data privacy policy on their homepage;
  • secure valid authorisation from a customer to sell their data. 

Consumers have a right to withdraw consent and a right to have their data deleted. The act takes effect on 31 March for regulated entities. Small businesses have until the end of June to comply with new rules.

Big Data

Meta’s “Pay or okay” consent model: Privacy-advocacy group NOYB stated that Meta unlawfully ignores the users’ right to easily withdraw consent. The group has filed a new complaint with the Austrian data protection authority. According to Meta, the Facebook and Instagram service tries to abide by EU regulations requiring users to have the option of whether or not their data may be gathered and used for targeted advertising. Users who agree to be monitored receive a free service funded by advertising income. However, while one click is enough to consent to be tracked, users can only withdraw their consent by switching to a paid subscription, NOYB concludes.

Data protection digest 2 – 17 Dec 2023: scoring of individuals, EU data consolidation, and the ‘Internet of Behaviours’
https://techgdpr.com/blog/data-protection-digest-19122023-scoring-of-individuals-eu-data-consolidation-and-internet-of-behaviours/
Tue, 19 Dec 2023 09:05:32 +0000

The post Data protection digest 2 – 17 Dec 2023: scoring of individuals, EU data consolidation, and the ‘Internet of Behaviours’ appeared first on TechGDPR.

In this issue, the EU legislators moved closer to the implementation of a digital data strategy to provide European organisations with the ability to grow and compete globally. Despite the transformative effects, civil societies and cohorts of experts warn that such consolidation of European data can undermine individual data protection rights. EU regulators and courts are trying hard to strike a balance between market power and consumer privacy, as in the case of scoring individuals by debt information agencies.

CJEU decisions

Automated decision-making: The EU top court identified data processing practices by credit information agencies that contradict the GDPR. While the so-called ‘scoring’ of individuals is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR, (the case refers to SCHUFA, a private company providing credit information for clients in Germany). 

As regards the ‘scoring’ of individuals, the court holds it as an automated individual decision prohibited in principle by the GDPR, in so far as SCHUFA’s clients, such as banks, attribute to it a determining role in the granting of credit. The court also considers that it is contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register. The discharge from remaining debts is intended to allow the data subject to re-enter economic life and is therefore of existential importance to that person. 

Non-material damage: Another decision by the CJEU concludes that the fear of possible misuse of personal data is capable of constituting non-material damage. Nonetheless, the mere fact that cybercriminals gained unauthorised access to or disclosed personal data does not allow courts to conclude that the protective measures put in place by the data controller were ineffective. The courts must assess the security measures concretely, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks. Finally, the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is not responsible for that damage.

EU’s AI act

Agreement reached: On 8 December, the legislative trilogue on the draft AI Act ended and the provisional agreement was reached. AI systems are going to be regulated according to how much risk they pose to society and fundamental rights, including a list of high-risk and prohibited practices, supported by various monetary fine levels. Limited exceptions will be available for law enforcement purposes. General-purpose AI systems will be also subject to transparency obligations, with additional codes of practice imposed on the most powerful models. 

Allocation of GDPR-governed roles: Meanwhile, the German Data Protection Conference demands that the intended AI Act properly allocate responsibilities along the entire AI value chain. This is the only way to protect the fundamental rights of those affected whose data is processed by AI, states the regulatory body. Any legal uncertainty in this area would harm citizens, and especially small and medium-sized companies, because they must bear the brunt of legal responsibility. The upcoming AI regulation should therefore specify for all those involved – including manufacturers and providers – which requirements they must meet.

EU regulatory updates

Workforce monitoring: The Council and the Parliament have reached a provisional agreement on a proposed directive to improve working conditions for platform workers. In particular, it will help ensure that those workers who have wrongly been classified as self-employed have easier access to their rights as employees under EU law. The proposal also establishes the first EU rules on the use of algorithmic systems in the workplace.

Digital labour platforms regularly use algorithms for human resources management. As a result, platform workers are often faced with a lack of transparency on how decisions are taken and how personal data is used. Under the new rules, algorithms would be monitored by qualified staff, who enjoy special protection from adverse treatment. The new law also prevents the processing of certain personal data using automated monitoring or decision-making including:

  • emotional or psychological state,
  • private conversations,
  • actual or potential trade union activity,
  • racial or ethnic origin, migration status, political, religious beliefs or health status,
  • biometric data, other than data used for authentication.

Youth data protection: The Dutch data protection authority objects to a bill that leads to large-scale data collection in youth care. The proposal should enable research into the availability of youth care within municipalities. This includes child protection, assistance to young people with psychological problems and the probation service. However, it needs to be sufficiently clear why a lot of sensitive information from young people and their parents, healthcare providers and municipalities must be shared in such research. The availability of youth care could be investigated in a way that is much less invasive, (eg, random research, distribution of waiting times or development of new statistics). 

European Health Data Space

Pros: Both the Parliament and the Council have agreed on their positions on the European Health Data Space (EHDS). The new legislation would make exchanging and accessing health data at the EU level easier. The proposed regulation aims to improve individuals’ access to and control over their electronic health data, while also enabling certain data to be reused for research and innovation purposes, and to foster a single market for digital health services and products. The new rules aim to make it possible for a Spanish tourist to pick up a prescription in a German pharmacy, or for doctors to access the health information of a Belgian patient undergoing treatment in Italy.

Cons: However, several civil groups and experts have already warned about the privacy shortcomings of the cross-border exchange of electronic health data. The Irish Council for Civil Liberties recommends that the EHDS should specify the legal basis consistent with the GDPR and be specific about the allowed purposes of secondary use of electronic health data. It should also further narrow the categories of health data allowed for secondary use to reduce risks to fundamental rights. Another international consortium of experts believes the proposal significantly reduces transparency requirements, in contrast to the GDPR, as it:

  • introduces waivers related to the provision of individual-level information to data subjects;
  • disfavours consent as a legal basis for data sharing;
  • builds up large datasets which may be extensively used for secondary purposes, which increases the risk of re-identification.

US privacy updates

FISA 702 short extension: US lawmakers reached a deal to temporarily extend major federal surveillance programs until mid-April, while talks on the future reform of the intelligence powers continue. Section 702 permits the government to conduct warrantless surveillance on any foreign national to gather “foreign intelligence information.” However, communications between Americans and the people under monitoring result in the collection of their data as well. Privacy campaigners warn that reauthorization of the intelligence powers must come with safeguards against abuse.

Opt-out preference signals: Meanwhile, the California Privacy Protection Agency has approved a legislative proposal that would require browser vendors to include a feature allowing users to exercise their California privacy rights through opt-out preference signals. Through such a signal, a consumer can opt out of the sale and sharing of their personal information with all the businesses they interact with online, without having to make individualised requests to each business. To date, only a limited number of browsers offer native support for opt-out preference signals: Mozilla Firefox, DuckDuckGo and Brave. Google Chrome, Microsoft Edge and Apple Safari, which together make up over 90% of the market, have declined to offer these signals; these companies are also heavily reliant on advertising business models.

Data subject rights

Right to delete: Every time personal data is processed, the question arises of how long the controller may store it. As a starting point, Art. 5 of the GDPR provides the principles of purpose limitation, data minimisation and storage limitation. In addition, data subjects have a right to erasure under Art. 17 of the GDPR, with which they can request the deletion of their data under certain conditions. There are also legal retention and deletion obligations that the controller must comply with. The Liechtenstein data protection authority has put together information on its website (in German) that sheds light on the topic from both the data subject's side and the controller's side.

Employment guidance

The UK Information Commissioner’s Office produced an online resource with topic-specific guidance on employment practices and data protection, with two new pieces of guidance now out for public consultation: a) keeping employment records, b) recruitment and selection. Data protection law applies whenever you process your workers’ personal information. The law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between your need to keep employment records and workers’ right to private lives, explains the regulator. 

Additionally, the labour market supply chain can be complex, with end-to-end recruitment processes often involving several organisations. The use of novel technologies in recruitment processes means that organisations are processing increasingly large amounts of information about people – candidates, prospective candidates, employees, contractors, volunteers or gig and platform workers, referees, emergency contacts, and dependants.

UK-US data transfers

The ICO also offers a guide on how to make restricted transfers of personal data to the US using the Art. 46 UK GDPR transfer mechanisms. There are a range of reasons why you may wish to use one, including:

  • your US recipient is not certified under the UK Extension to the EU-US Data Privacy Framework, or the restricted transfer is not covered by your recipient's certification;
  • none of the eight exceptions set out in Art. 49 of the UK GDPR apply to your restricted transfer;
  • you are making the restricted transfer under UK Binding Corporate Rules; or
  • you or your US recipient prefer the Addendum or the International Data Transfer Agreement as the standard transfer mechanism.

You can make restricted transfers to recipients in the US using Art. 46 only if you have first completed a transfer risk assessment. This includes the latest analysis of US laws related to access and use of personal information by US agencies for national security and law enforcement, the circumstances of each transfer, and the commercial practices of you and your recipient. The requirement to complete a transfer risk assessment applies regardless of which mechanism you use or why. 

Investigations

DPO for public services: The Luxembourg data protection regulator CNPD concluded an investigation into the appointment of data protection officers by municipalities. According to Art. 37(1)(a) of the GDPR, any controller or processor must designate a DPO where "the processing is carried out by a public authority or body, except for courts acting in their judicial capacity". When the investigation was opened in 2022, four of the six municipalities concerned had either not appointed a DPO or not communicated the DPO's contact details to the CNPD. No corrective measures were taken, as the municipalities regularised their situation over the course of the investigation.

Enforcement decisions

Google Workspace at school: Meanwhile in Sweden, a penalty fee was issued against a municipality that had not assessed the impact of using Google Workspace in 24 of its schools since autumn 2020. Among other things, the platform was used for feedback on students' school assignments. The personal data of nearly 6,000 students and 1,300 employees was processed without a proper data protection impact assessment (Art. 35 of the GDPR). When the student system was put into use, the municipality relied on an older assessment from 2014, carried out by another municipality on the use of Google solutions in education, and considered that satisfactory.

Employee data requests: The Italian privacy regulator fined Autostrade per l'Italia and Amazon Italia Transport 100,000 and 40,000 euros respectively for not having given timely and reasoned responses, not even a refusal or deferral, to access requests submitted by some employees and former employees. In the first case, the employees requested information on how their pay slips were calculated. When asked for explanations by the regulator, the company said it had not responded so as not to compromise its right of defence in court, as several legal proceedings were underway between the company and the workers over the methods of calculating severance pay.

In the case of Amazon, the authority followed up the complaint of a former employee about the company's failure to respond to a request for data relating to his employment relationship. The company had not responded because the request was drawn up in a very broad and generic manner. In both cases, the regulator concluded that the controller should at least have responded with the reasons for not proceeding with the request or, as in the Amazon case, asked for more details.

Reprimands

Failed TOMs: Meanwhile in the UK, Finham Park Multi Academy Trust was reprimanded in respect of Art. 5 and 32 of the GDPR. An unauthorised third party used compromised credentials to access and encrypt Finham Park's systems. 1,843 data subjects were affected by the incident, and the ICO's investigation found that Finham Park did not have adequate account lockout or password policies in place.
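The account-lockout control missing in the Finham Park case is a small piece of logic, shown here as an added example in Python; it is not code from the ICO's findings or from the trust, and the thresholds, the `LoginGuard` class name and the injectable clock are assumptions for illustration. The guard counts failed attempts per account within a sliding window and, once the threshold is reached, refuses every attempt for a lockout period without evaluating the password at all, so the lockout itself cannot be used as a guessing oracle.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class LoginGuard:
    """Per-account failed-login throttle with a sliding window and a lockout period.

    Illustrative example; the default thresholds are assumptions, not values
    taken from any regulator's guidance.
    """

    def __init__(self, max_failures: int = 5, window_s: float = 900,
                 lockout_s: float = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, account: str, now: float) -> Deque[float]:
        """Drop failures older than the window; only recent ones count toward lockout."""
        q = self._failures[account]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def is_locked(self, account: str) -> bool:
        """True while the account is inside its lockout period; clears an expired lockout."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget it and start with a clean failure history.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account: str, password: str,
                check: Callable[[str, str], bool]) -> str:
        """Process one login attempt and return 'ok', 'denied' or 'locked'.

        `check` verifies the credential (e.g. against a salted password hash).
        While locked, the password is not evaluated at all, so a locked account
        gives an attacker neither further guesses nor a correctness oracle.
        """
        if self.is_locked(account):
            return "locked"
        now = self.clock()
        if check(account, password):
            self._failures[account].clear()
            return "ok"
        q = self._prune(account, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo: a single hard-coded credential check.
    guard = LoginGuard(max_failures=3, window_s=60, lockout_s=120)
    creds = lambda user, pw: user == "alice" and pw == "s3cret"
    for pw in ("bad", "bad", "bad", "s3cret"):
        print(pw, "->", guard.attempt("alice", pw, creds))
```

Keying the lockout on the account name alone lets anyone who knows a username lock that user out, so in practice this is paired with per-source-IP throttling, identical error responses for "denied" and for non-existent accounts, and alerting on lockouts rather than silently absorbing them.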

The regulator also reprimanded Bank of Ireland UK for mistakes made on more than 3,000 customers’ credit profiles. It sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies, organisations that help lenders decide whether to approve financial products. This inaccurate data could have potentially led to these customers being unfairly refused credit for mortgages, credit cards or loans, or granted too much credit on products they were potentially unable to afford.

Data security

IoB and data protection: In its latest TechSonar report, the EDPS explains the privacy concerns behind the so-called 'Internet of Behaviours' (IoB). It is described as a "network in which behavioural patterns would have an IoB address in the same way that each device has an IP address in the Internet of Things (IoT)". An example could be the use of patients' and employees' location data in hospitals during the COVID-19 pandemic to identify the behaviours that spread or mitigate the virus.

In general, IoB relies on the collection and processing of data from different IoT devices, such as wearables, smart cameras or Bluetooth and Wi-Fi sensors. It therefore suffers from transparency and control issues, because it often lacks appropriate means to inform its users: data collection is seamless and the means to exert control over the processing are limited, states the report.

Password storage: The Italian data protection regulator and the national cybersecurity agency have published new password storage guidelines (in Italian). Too often identity theft is made possible by authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen credentials are then used to illicitly enter entertainment sites, social media and e-commerce portals, and can also allow fraudulent access to forums and to websites for paid and financial services. The guidelines are aimed at:

  • data controllers or data processors that store the passwords of their users on their systems, which refer to a large number of interested parties, (eg, digital identity providers, email service managers, banks, insurance companies, telephone operators, healthcare facilities),
  • subjects who access databases of particular importance or size, (eg, public administration employees), or to 
  • types of users who usually process sensitive or judicial data, (eg, healthcare professionals, lawyers, magistrates).
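The cryptographic protection the guidelines refer to is password hashing with a per-user random salt and a deliberately slow, memory-hard function, so that a stolen database cannot simply be looked up or brute-forced at hardware speed. As an added example, not taken from the guidelines or from any named organisation, the Python below contrasts the weak pattern (a fast, unsalted digest) with salted scrypt records that are verified in constant time and flagged for re-hashing when they fall below the current parameters. The record format, the parameter values and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Current policy (assumed values for illustration; tune to your hardware and threat model).
SCRYPT_N = 2 ** 14   # cost parameter: memory is 128 * r * N bytes, 16 MiB here
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32
SALT_LEN = 16


def weak_hash(password: str) -> str:
    """The pattern the guidelines warn against: a fast, unsalted digest.

    Equal passwords give equal digests, so one cracked digest unlocks every
    account sharing that password, and precomputed tables apply directly.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$key_hex."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        scheme, n_s, r_s, p_s, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n_s), int(r_s), int(p_s)
        # Refuse absurd parameters: N must be a power of two, bounded to limit memory.
        if n < 2 or n > 2 ** 20 or n & (n - 1) or r < 1 or p < 1:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        if not salt or not expected:
            return False
    except ValueError:  # malformed record
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is below current policy, so it can be
    re-hashed transparently on the next successful login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        n, r, p = (int(x) for x in parts[1:4])
    except ValueError:
        return True
    return (n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
            or len(parts[4]) < 2 * SALT_LEN)


if __name__ == "__main__":
    # Constructed demo: the same password stored twice under each scheme.
    print("weak, identical:", weak_hash("hunter2") == weak_hash("hunter2"))
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("scrypt, distinct records:", a != b)
    print("verify:", verify_password("hunter2", a), verify_password("hunter3", a))
```

Storing the parameters inside each record is what makes a later policy change safe: old records keep verifying, `needs_rehash` identifies them, and the upgrade happens at login when the plaintext is legitimately available.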

Big Data

Data breach notification for telecoms: The US Federal Communications Commission adopted rules modifying its 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol and telecommunications relay services adequately safeguard sensitive customer information. These providers often collect large quantities of sensitive customer data, including the telephone numbers a person has called and mobile phone location data showing the places they have been. The new rules cover certain personally identifiable information that carriers and providers hold about their customers and expand the definition of "breach" to include inadvertent access, use or disclosure of customer information. They also eliminate the mandatory waiting period before notifying customers, after notification to the commission and law enforcement agencies.

Apple push notification data: Apple says it now requires a judge's order to hand over information about its customers' push notifications to US law enforcement, putting the iPhone maker's policy in line with rival Google, Reuters reports. Smartphone users receive push notifications informing them of fresh messages, breaking news, etc., and the servers of Apple and Google handle almost all of these alerts. This placed the two companies in a unique position to help government monitoring of users' use of certain applications.

Google location data: Meanwhile Google offers updates on its Location History and new controls coming soon to Maps. For example, when you first turn on Location History, the auto-delete control will be set to three months by default, which means that any data older than that will be automatically deleted. Previously this option was set to 18 months. Also, for users who have chosen to turn Location History on, the timeline will be saved only on their device. Just like before, users can delete all or part of the information at any time or disable the setting entirely.

The post Data protection digest 2 – 17 Dec 2023: scoring of individuals, EU data consolidation, and the ‘Internet of Behaviours’ appeared first on TechGDPR.

Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing https://techgdpr.com/blog/data-protection-digest-19062023-electronic-evidence-regulation-explainable-ai-and-wildcat-telemarketing/ Mon, 19 Jun 2023 09:48:45 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Electronic evidence: The European Parliament voted to adopt new rules on the exchange of electronic evidence by law enforcement authorities to make cross-border investigations more effective. It will allow national authorities to request evidence directly from service providers in other member states, (“production orders”), or ask that data be stored for up to 60 days. Evidence can consist of content data, (text, voice, images, video or sound), traffic data, (timestamps, protocol and compression details, and information about recipients), or subscriber data. Currently, the exchange depends on various bilateral and international agreements on mutual legal assistance, resulting in a fragmented landscape and, often, lengthy procedures. However, authorities can refuse the requests when they have concerns about media freedom or fundamental rights violations in the requesting member state. 

From MiCA to MiCAR: The Markets in Crypto-Assets Regulation has been published in the Official Journal of the EU and will become applicable in all EU Member States in stages during 2024. The new rules cover issuers of utility tokens, asset-referenced tokens and so-called 'stablecoins'. They also cover service providers such as trading venues and the wallets where crypto-assets are held. The regulation ensures that crypto transfers, as with any other financial operation, can always be traced and suspicious transactions blocked. Information on the source of the asset and its beneficiary will have to "travel" with the transaction and be stored on both sides of the transfer.

In addition to the MiCAR, the EU financial digital package contains a Digital Operational Resilience Act, (DORA), that covers crypto-asset service providers as well, and a proposal on distributed ledger technology, (DLT) pilot regime for wholesale uses.

Draft AI Act: The European Parliament also adopted its negotiating position on the Artificial Intelligence Act and is ready to discuss the final form of the law with the Council and the Commission. MEPs have enlarged the list of AI systems with an unacceptable level of risk to people's safety, which would therefore be prohibited, to include:

  • “real-time” remote biometric identification systems in publicly accessible spaces;
  • “post” remote biometric identification systems, with the only exception for serious crime law enforcement;
  • biometric categorisation systems using sensitive data, (gender, race, ethnicity, etc.);
  • predictive policing systems, (based on profiling, location or past criminal behaviour);
  • emotion recognition systems in law enforcement, border management, the workplace, and educational institutions; and
  • untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases. 

MEPs added exemptions for research activities and AI components provided under open-source licences. So-called regulatory sandboxes, i.e. controlled real-life environments, would be established by public authorities to test AI before it is deployed, alongside an individual's right to complain and to receive information.

CJEU Opinion

Data subject rights: A CJEU Advocate General’s opinion states that a data subject must have available judicial recourse against an independent supervisory authority where they exercise their rights through that authority. In the related case, an individual was refused by the Belgian National Security Authority a ‘security clearance certificate’ because he had participated in various demonstrations in the past. He asked the national supervisory body for police information, (“OCIP”), to identify the controllers responsible for the data processing at issue and to order them to provide him with access to all the information concerning him. The OCIP replied that it had carried out all necessary checks without providing any further details. Unsatisfied with that answer, the individual brought an action against the OCIP. 

The opinion clarifies that, in a case like this, the level of information the supervisory authority provides to the data subject on the outcome of its check may not always be restricted to the minimum statement that all necessary verifications have been carried out, but may vary with the circumstances of the case, applying the principle of proportionality. Read more of the legal reasoning in the original opinion.

Official guidance

UK Children’s Code: The latest evaluation report shows that a fifth of UK children are familiar with the code and a third are aware of data privacy due to the implementation of the Children’s Code, (a statutory code of practice since 2020). The code applies to any ISS provider, (including ed-tech products and services), that processes the data of children in the UK, including some organisations that are not based in the UK. For the supervision and enforcement phase, there were initial resource challenges around the integration of Children’s code activities into ‘business as usual’. Also, there could have been greater external expectation management around supervision and enforcement activities, as these were only possible once the transition period ended. Key skill gaps identified included technology professionals lacking awareness of:

  • how ISS providers operate as well as supporting technology (eg; age assurance technology);
  • the importance of communication and engagement policies, as without them  knowledge and experience embedded within the organisation is lost when a project or phase finishes. Read the full report here.  

Input data for triage algorithms: The Spanish data protection authority examined the performance of a running algorithm that could be compromised by inaccurate input data. Their analysis looked at the triage algorithms of the emergency health system, which must optimize resources in order to save lives. The authority suggests assessment of the algorithm used in the triage processing should just be a part of the wider assessment, including factors such as data gathering operations, data checking, human involvement and the way in which decisions are executed, reviewed and contested. 

A lack of definition of the input data could lead to errors or biases that are not part of the algorithm itself. Thus, the accuracy principle should be implemented for the input data, the output data, and even in the intermediate data of the whole processing activity. The precise definition of every input data, (gathered both directly and indirectly), and its semantics, must be set up “by design” and properly documented. Even more importantly, the value range, (“yes/no”, “0 to 10” or “high/medium/low”), should be defined and assessed in the context of the processing. 

Explainable AI: The latest analysis by the EDPS states that modern AI models often work as opaque decision-making engines, true black boxes reaching conclusions with little transparency or explanation of how a given result is obtained. Explainable AI, or XAI, focuses on developing AI systems that not only provide accurate predictions and decisions but can also explain how they were reached. Individuals using XAI would be able to understand the reasoning behind an automated decision and take an appropriate, informed course of action. Obtaining clear information about the behaviour of an AI system also affects the ability of its users, such as data controllers and processors, to evaluate the risks the tool may pose to individuals' rights to data protection and privacy.

DSARs: Guernsey's data protection authority has published new guidance on data subject access requests (for data controllers and individuals). One of the most commonly used rights is the right of access, also referred to as a 'subject access request' or 'data subject access request'. This is where individuals ask what personal data a controller holds about them and why. An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit or to assess performance at work (except where this information is a trade secret). In short, a DSAR is when an individual asks you:

  • what do you know about me?
  • what do you think about me?
  • what do you think you know about me?
  • what are you doing with all this information? 

Another guidance for individuals who may wish to make a DSAR contains information about how to make one, what you should receive back, and what to do if you’re not happy with what you receive.

CCTV: Another comprehensive guidance from the Guernsey regulator looks at CCTV use by data controllers (with exceptions for household, journalistic and artistic activities). It is based on seven principles that require you to do the following:

  • Be clear about how personal information is used, for what purpose and on what legal basis.
  • Use personal information only for specific, explicit and legitimate purposes.
  • Collect no more information than is needed.
  • Make sure personal information is accurate and kept up to date. 
  • Keep information for no longer than necessary. 
  • Keep information secure. 
  • Be responsible and accountable for how personal information is used.

Loyalty programs: What rules should an entrepreneur follow when creating customer loyalty programs? A loyalty program is an additional service and the initial legal basis, which is the performance of the contract, is not applicable. The customer must give their consent to the processing of their personal data for one or more specific purposes. If the entrepreneur includes customer data transfer to other partners as part of the loyalty program, then the customer must not only be informed about it but also their consent must be obtained. 

There should be no direct or indirect pressure on the client. The entrepreneur must also take into account that the customer has the right to withdraw their consent to the processing and demand it cease, along with the deletion of all their personal data that is no longer necessary for the performance of the contract.

Enforcement decisions

Wildcat telemarketing and confiscated databases: The Italian data protection authority confiscated databases, for the first time, at two call centre companies allegedly conducting illegal and unregulated telemarketing activities. The operation was conducted by the finance branch of the Special Privacy Protection and Technological Fraud Unit in collaboration with the military. Four companies were fined between 200,000 and 800,000 euros in the operation. The sanctioned companies, through the acquisition of specific illegally-produced lists, contacted tens of thousands of subjects without their having ever given the necessary consent for the processing of their data for marketing purposes, proposing offers from various energy companies.

Clairvoyance consultations: The French privacy regulator has imposed a 150,000 euro fine against KG COM. It collected data excessively, including sensitive data, without prior and explicit consent, and did not sufficiently ensure data security. KG COM operates several websites offering clairvoyance consultations via an online dialogue interface, (chat), or by telephone. The investigation found that: 

  • it systematically recorded all telephone calls between teleoperators and prospects, for the purposes of service quality control, proof of contract subscription and potential judicial requisitions;
  • it kept sensitive data relating to health and sexual orientation without obtaining consent;
  • it kept customers' banking data beyond the time strictly necessary to carry out the transaction (while the legal basis for retaining bank data for anti-fraud purposes is legitimate interest, this does not apply to retention for subsequent purchases, for which the company should have obtained consent);
  • it required insufficiently strong passwords for user accounts and failed to secure access to them, using HTTP instead of HTTPS;
  • it also used a vulnerable mechanism to encrypt banking data.

Spotify fine: The Swedish privacy authority has reviewed how Spotify handles customers' right of access to their personal data and fined the company around 5 million euros. Spotify has divided customers' personal data into different layers. One layer contains the customer's contact and payment details, which artists the customer follows and the listening history for a certain period. If the customer wants more detailed information, for example all technical log files relating to them, it has also been possible to request these from another layer.

The regulator believes that although Spotify releases personal data the company processes when individuals request it,  the company does not inform customers clearly enough about how this data is used by the company. Often the individual receiving sufficient information is a prerequisite for exercising other rights; for example, the right to have incorrect information corrected or removed. 

Audits

College group: The UK Information Commissioner's Office has conducted a consensual audit of the Chichester College Group's data protection measures. Various areas requiring improvement were found, as the college group does not have a complete and fully documented information governance (IG) policy and framework:

  • the flow of information between the senior management team, the data protection office, the audit and risk committee and other key IG committees and groups has not been finalised;
  • a process ensuring that information risks are fully documented and managed throughout the organisation needs to be implemented;
  • there is no ongoing compliance monitoring of staff involved in processing personal information;
  • the group must ensure that an appropriate written contract is in place with each of its data processors;
  • a central record of data processor contracts and a data processor procurement, due diligence and compliance process need to be finalised.

Data security

Mobile applications: Before installing or starting to use a mobile application, users should familiarise themselves with its privacy notice and rules of use, and carefully evaluate the personal data it asks to collect and the permissions it requests, states the Lithuanian data protection authority. This information must be available (on the website that offers the app and in the app itself) before the user enters any personal data, grants permissions or creates an account. Before using an app, it is important to assess what goals are being pursued; for example, when using applications for direct communication, access to photos and the device's camera can be restricted.

Permissions granted to a mobile application can be restricted during installation or at any later time chosen by the user. For example, restricting access to location data is relevant whenever the user does not need the location functionality at that moment. Similarly, it is advisable not to grant social networking, dating and messaging apps permission to read the contacts saved on the device, but instead to add specific persons selected by the user to the app separately.

2FA: The Office of the Privacy Commissioner in New Zealand recommended all firms use two-factor authentication to secure the information they store. Any firm should exercise caution by implementing 2FA wherever applicable, as this would be a particularly valuable mitigating argument when defending against regulatory fines and other legal ramifications that may result from a data breach. In this scenario, what is appropriate is determined by the organization’s size as well as the scope and sensitivity of the personal information it has.

Big Tech

MOVEit cyberattack: According to the Guardian, British Airways, Boots, the BBC, Ofcom, Transport for London and others are probing the potential theft of personal information about employees following a cyber-attack. It targeted the MOVEit file transfer software used by Zellis, a payroll provider. Zellis stated that a "small" number of its clients were affected by a vulnerability in that file transfer product. Microsoft's threat intelligence team attributed the MOVEit attacks to a group it tracks as Lace Tempest. Names, surnames, employee numbers, dates of birth, email addresses, first lines of home addresses and national insurance numbers might have been among the information compromised.

AirDrop and Bluetooth restrictions in China: Meanwhile, China is developing new rules to govern file-sharing systems such as AirDrop and Bluetooth. Service providers would be required to prevent the spread of harmful and unlawful material, maintain records and report what they find. The Cyberspace Administration of China has produced draft regulations on "close-range mesh network services" and opened a month-long public consultation. During inspections, service providers would also be required to provide data and technical support to the authorities, including internet regulators and police. Users would have to register under their real names. Furthermore, features and technologies with the potential to mobilise public opinion would have to undergo a security evaluation before they can be launched.

The post Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing appeared first on TechGDPR.

]]>
Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court https://techgdpr.com/blog/data-protection-digest-17052023-data-processing-roles-and-obligations-elaborated-by-eu-top-court/ Wed, 17 May 2023 07:38:02 +0000 https://s8.tgin.eu/?p=6650 TechGDPR’s review of international data-related stories from press and analytical reports. Legal redress Pseudonymised (non-personal) data processing: In the instance of SRB v. EDPS, the European General Court ruled that pseudonymised data communicated by one party with another would not be regarded as personal data in the recipient’s hands if that party lacks a legal […]

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal redress

Pseudonymised (non-personal) data processing: In SRB v. EDPS, the European General Court ruled that pseudonymised data communicated by one party to another would not be regarded as personal data in the recipient’s hands if the recipient lacks a legal way to obtain the extra, identifying information. The lawsuit resulted from the Single Resolution Board’s (SRB) decision to conduct a shareholder poll in the case of Banco Popular Español, as part of which it shared the results with a consulting firm. In order to guarantee that replies could not be traced back to specific respondents, SRB pseudonymised the data. The decoding key that might identify specific responses from the alphanumeric codes was not given to the consulting company.

Additionally, the court did not rule out that personal views or opinions may constitute personal data. However, such a conclusion must be based on a case-by-case examination. View the court’s ruling here.

Right to GDPR compensation: The CJEU has recently published a number of rulings related to data subject rights. In one case, Österreichische Post collected information on the political affinities of the Austrian population using an algorithm. Following lawsuits for compensation from upset citizens who had not consented to that, the Austrian supreme court asked the CJEU whether a mere infringement of the GDPR is sufficient to confer that right and whether compensation is possible only if the non-material damage suffered reaches a certain degree of severity. It also asked what the EU-law requirements are for determining the amount of damages.

The EU top court responds that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of severity. The court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules. 

“Copy” of personal data definition: The CJEU also ruled that the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data. The Court notes that the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data. 

The case relates to CRIF in Austria, (a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties). It sent the applicant in question a summary of his personal data undergoing processing. However, the individual had expected a copy of all of the documents containing his data, such as emails and database extracts. After the Austrian data protection authority rejected his complaint, the applicant went to court.

CJEU opinions

Data controllers’ strict liability: A non-binding opinion by a CJEU Advocate General limits the strict liability of data controllers for GDPR fines: they may only be imposed on intentional or negligent conduct, (‘mens rea’). The referring court wanted to know whether the state agency could be fined on the simple basis that it breached the obligations imposed on it by virtue of being a controller, (strict liability), or whether an element of fault in committing the relevant breach is required. 

The case concerns the Lithuanian Public Health Centre and the design and deployment of a mobile application for tracking COVID-infected people. After funding for the project failed, the state agency asked the app developers, (initially defined as joint controllers), not to use the LPHC details or any association with them in the mobile product. However, it continued to be available for download by the public unaltered. To that end, the data protection authority decided to impose a fine on both entities in their capacity as joint controllers.

The CJEU’s opinion confirmed that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’. Furthermore, the absence of any agreement or even coordination between joint controllers cannot exclude a finding that the controllers are ‘joint controllers’.

Concept of lawful “data processing”: In the above case, the referring court also called for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects the ability of supervisory authorities to impose a fine on the controller.

The CJEU reasoned that a controller may be fined even though the unlawful processing is carried out by a processor. That possibility is open for so long as the processor acts on the controller’s behalf. However, if the processor uses personal data outside of, or contrary to, the lawful instructions of the controller, then the controller cannot be fined. 

The concept of ‘processing’ encompasses a situation in which personal data is used during the testing phase of a mobile application, unless such data has been anonymised in such a way that the data subject is not, or no longer, identifiable. 

Official guidance

Direct marketing: Effective direct marketing relies on you having a positive relationship with individuals you are marketing to and that is usually rooted in them having consented to you contacting them, states the latest guidance by the Guernsey data protection authority. The document answers the questions on how to obtain people’s consent in a lawful way, while being able to pursue commercial communication and inform people about what you are doing; explains lawful processing conditions under consent and legitimate interest; looks at the dangers of soft opt-in and automated calling systems and silent calls; and provides options for stopping direct marketing. See the full guidance (in English) here.

Client databases: The Latvian data protection agency also looks at client databases. Customer personal data permeates almost every aspect of business, from the delivery address of an order to the use of customer data to creating a company’s marketing campaign. Whether you only store a customer’s first name, last name and email address, or a personal identification number and bank details, you need to make sure that customer information is kept as correct and as secure as possible. The main principles to be followed are:

  • Determine the purpose for which the database is being created, (eg, administration of fees, sending news, ensuring access).
  • Evaluate and decide exactly what personal data is required from the client, and don’t collect or store personal data just because you think it might come in handy someday, (eg, if you plan to send information only by e-mail, you do not need to ask the customer for a phone number).
  • The information included in the customer database must also be accurate and must be updated as necessary, (eg, inaccurate data may allow the service to be used by a person who has not paid for it).
  • The necessary technical and organisational measures must be implemented, (eg, limit the personnel who can access customer information, maintain employee training, and if you transfer personal data, ensure that it is encrypted).

Enforcement decisions

Concept of warning and expansion of investigation periods: Spain has modified its law on the protection of personal data and clarified that a warning should not be considered a sanction, but rather an appropriate measure, of a non-punitive nature, included within the corrective powers of the supervisory authorities. Additionally, the increase and greater complexity, (including a one-stop-shop mechanism), of the issues addressed by the data protection agency in the sanctioning procedures show the need to extend some of the resolution deadlines. In particular, for this reason, the modification contemplates an increase from nine to twelve months in the maximum duration of disciplinary procedures, and from twelve to eighteen months in previous investigation actions.

TikTok fine: The UK Information Commissioner’s Office has issued a £12.7 million fine to TikTok Information Technologies UK Limited and TikTok Inc for a number of breaches of data protection law, including failing to use children’s personal data lawfully. Whilst TikTok purports to rely, in part, on contractual necessity as its lawful basis for processing the personal data of children under 13, the Commissioner considers that the legal test for contractual necessity is not met in this case. In addition, TikTok failed to make reasonable efforts to ensure that consent was given or authorised for underage child users of its video-sharing platform or to prevent children under 13 from accessing its services. Read the full list of TikTok’s infringements in the original decision.

Information obligation: The Romanian data protection agency fined Libra Internet Bank for not fulfilling its data subject rights obligation. It was found that a response sent to a plaintiff by e-mail did not contain information about the possibility of filing a complaint before a supervisory authority and introducing a judicial appeal for the bank’s refusal to communicate a copy of a requested video recording, thus violating the provisions of Art. 12 in conjunction with Art. 15 of the GDPR. On the same occasion, the regulator noted that the data controller did not present evidence to show that it had adopted measures to facilitate the exercise of the right of access.

Grocery data: The Norwegian data protection authority has taken a decision to ban Statistics Norway’s planned collection of data from the population’s grocery purchases. Through bank data and bank transaction data, Statistics Norway would have information on what a significant proportion of the population buys for groceries. This in turn could be linked to socio-economic data such as household type, income and level of education. No sufficient legal basis for such intrusive processing of personal data exists. Even if the purpose of the collection is anonymous statistics for societal benefit, the intervention in the individual’s privacy will have already occurred once the personal information was collected, (from private actors). Finally, citizens have no real opportunity to oppose such a collection, other than by using cash as a means of payment.

Debt collection data: Croatia’s privacy regulator issued an administrative fine of over 2 million euros on the debt collection agency. The data controller didn’t inform its data subjects, in an accurate and clear manner, about the processing of their personal data. In addition, it did not conclude a data processing agreement with the service of monitoring consumer bankruptcy. The debt collecting agency also did not apply appropriate technical and organisational measures while processing quite sensitive personal data, so it would probably never have noticed a data breach. 

Data security

Encryption pros and cons: The Spanish data protection agency has published a guide for the supervision of cryptographic systems as a security measure in data protection. Encryption is a procedure by which information is transformed into an apparently unintelligible data set using various techniques. The GDPR mentions it as a measure that forms part of the conditions for compliant processing and as an aid to mitigate the risks in the event of a possible personal data breach. However, if not well designed, it can give a false sense of security that relaxes the application of other complementary measures, in particular privacy by design. The document also proposes a list of controls to help the data protection specialist select those that could be the most appropriate for validating the encryption system. Read the full guide, (in Spanish), here.

Password hurdle: Reportedly, the average internet user has between 70 and 80 passwords for a wide variety of services, explains the Slovenian data protection agency based on recent research. Considering that a strong password is (at least) 12 characters long, complex and of course unique, it is extremely difficult to remember them all.

Password managers also offer effective management and safe storage of passwords. In this case, it is important to have a very strong master password, which is also the only one we need to remember. Two-factor authentication solves two of the most common problems: short, weak, and repeated passwords are no longer so problematic since access to the service requires an additional unique code that is obtained over the phone. 

Finally, most information security experts do not recommend saving passwords in browsers. The reason is primarily the rapid spread of Trojan horses that specialise in stealing user data. Long and unique passwords do not help in that case, because the malware simply copies them and sends them to the attackers.

International data transfers

US data transfers: The European Parliament has rejected the draft US adequacy decision in a plenary vote. Although the resolution is not binding, MEPs concluded that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection, and called on the Commission to continue negotiations with its US counterparts to provide the adequate level of protection required by Union data protection law as interpreted by the CJEU. MEPs call on the Commission not to adopt the adequacy finding until all the recommendations – on safeguards against American intelligence activities, and on practical deployment of the redress mechanism for individuals – are fully implemented.

To that end, a parliamentary group from the Civil Liberties Committee visits the US capital this week to meet with members of the House of Representatives and Senators working on privacy, and cybersecurity issues, including sponsors of different federal privacy acts – the Federal Trade Commission, US Courts administration, Department of State, the Data Protection Review Court, the Office of the Director of National Intelligence, NGOs, and think-tanks. 

UK privacy reform: According to govinfosecurity.com, the Information Commissioner gave assurances to UK lawmakers considering changes to the country’s national privacy legislation that they won’t jeopardise the adequacy decision made with the EU in 2021. The Data Protection and Digital Information Bill was once again proposed this spring by the Conservative government as an alternative to the GDPR that is more pro-innovation and less bureaucratic. External observers, however, are less certain, citing rulings by the ECHR that British mass intelligence collection infringed private communications.

Supporting documents assessing the impact of the Data Protection and Digital Information Bill can be seen here.

Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management https://techgdpr.com/blog/data-protection-digest-25102022-first-gdpr-certification-seal-test-databases-password-management/ Tue, 25 Oct 2022 10:54:25 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: first European data protection seal, GDPR harmonisation rules, data breach notification, children’s data protection, artistic and literary works

The EDPB approved the very first GDPR certification seal, (see the detailed opinion here). Europrivacy became the first certification mechanism that demonstrates compliance. It was developed through the European Research Programme Horizon 2020 and is continuously updated by the European Centre for Certification and Privacy in Luxembourg and its International Board of Experts. Companies and services can use the certification scheme to increase the value of their businesses and trust in their services. They can use Europrivacy to:

  • assess the compliance of their data processing activities,
  • select data processors,
  • assess the adequacy of cross-border data transfers,
  • assure citizens and clients of the adequate processing of their data.

The scheme applies to a wide variety of data processing activities while taking into account sector-specific obligations and risks, such as AI, IoT, blockchain, automated cars, smart cities, etc. It is supported by a ledger-based registry of certificates for authenticating delivered certificates and for preventing forgery. The GDPR certification seal has an innovative format for criteria, which is both human and machine-readable. It is also aligned with ISO standards and can be easily combined with the certification of security of information management systems (ISO/IEC 27001). 

The EDPB is also asking the European Commission for clarification and harmonisation of rules on procedures that still differ in each European Member State. This includes clarity about the rights of people making a complaint, criteria for handling complaints, the scope and nature of the documents that must be shared in complex investigations, deadlines for handling cases, how to close cases, investigative powers, and the publication of decisions. Additionally, complaints can sometimes be resolved in a non-contentious way, for example after the intervention of the SA has facilitated the exercise of a data subject’s rights. However, the current lack of harmonisation regarding amicable settlements creates challenges. 

To support children, their parents and educators in the digital world, the French regulator CNIL provides practical sheets, games, and videos, in clear and straightforward language, (in French only). This includes a digital vocabulary for children explaining what terms like IP address, cookies or paywalls mean, but also teaches children the right reflexes when doing things such as subscribing to a social network (“TacoTac”), downloading online games on parents’ devices, sharing “funny” images/videos of people online, and much more.

Latvia’s data protection authority DVI explains the principles of data processing within artistic and literary expression, as creators’ final results may contain other people’s data. An artist or writer, when evaluating the result of their work and before making it available to the general public, must conclude that:

  • It was created within the framework of the artist’s right to freedom of speech and expression.
  • The right to privacy and data protection of natural persons whose data is included in the artistic or literary object is not threatened.
  • It does not threaten interests of the data subject that outweigh the public interest in getting to know the creation.
  • It would not be desirable to publish works, (eg, photos), in which natural persons are depicted offensively, or which may cause personal injury, moral or other harm, thereby infringing the right to privacy of that person.
  • If the natural persons involved are informed about the planned purpose, it must be expressed clearly, without hidden intentions.

The EDPB is seeking public comments on updated guidelines on personal data breach notification under the GDPR. Back in 2017, Working Party 29 adopted the document, which was endorsed by the EDPB. The new one is a slightly updated version of those guidelines. In particular, the EDPB noticed that there was a need to clarify the notification requirements concerning personal data breaches at non-EU establishments. The paragraph concerning this matter has been revised and updated. Any reference to the WP29 Guidelines on Personal data breach notification should, from now on, be interpreted as a reference to these EDPB Guidelines.

Legal processes:  test databases, MiCA draft regulation, bank AML monitoring, debt information collection

The CJEU delivered judgment related to the retention and purpose limitation principles: creation and long retention of a database to carry out tests and correct errors, and compatibility of such processing with the purposes of initial collection. The request was made in proceedings between ‘Digi’, one of Hungary’s main internet and television providers, and the country’s data protection regulator NAIH, concerning a Digi test database breach, (by an ethical hacker). Digi had not deleted the test database, with the result that a large amount of personal data had been stored without any purpose for almost 18 months. However, the data copied into the test database had been lawfully collected to conclude and perform the subscription contracts. On the request of the Budapest High Court, the CJEU clarified that:

  • Processing of a database set up for testing and error correction is not exempt from the legitimate expectations of those customers as regards the further use of their data, (such errors are liable to be harmful to the provision of the contractually provided service). 
  • It is not apparent that all or part of that data was sensitive or that the subsequent processing had harmful consequences for subscribers or was not accompanied by appropriate safeguards.
  • At the same time, a database created for testing and correcting errors should not be kept for a period exceeding what is necessary to carry out those tests and to correct those errors. 

The final text proposal for a Regulation on Markets in Crypto-assets (MiCA) has been endorsed by the European Council, and now awaits formal approval in the European Parliament. MiCA attempts to provide a harmonised framework for the protection of holders of digital assets, including their data. Currently some crypto-assets fall outside of the scope of EU financial services legislation. There are no rules, other than AML rules, for services related to these unregulated crypto-assets, including for the operation of trading platforms for crypto-assets, the service of exchanging crypto-assets for funds or other crypto-assets, or the custody of crypto-assets. The lack of such rules leaves holders exposed to risks, in particular in areas not covered by consumer protection rules. 

The proposed regulation states that the issuing, offering, or seeking admission to trading of crypto-assets and the provision of crypto-asset services could involve the processing of personal data. Any processing of personal data under this regulation should be carried out in accordance with applicable Union law on the protection of personal data. Furthermore, crypto-assets shall not be considered to be offered for free where purchasers are required to provide or to undertake to provide personal data to the offeror. Also, regarding the transfer of personal data to a third country, the European Banking Authority shall apply Regulation 2018/1725 (‘on the protection of natural persons concerning the processing of personal data by the Union institutions’).

The Dutch data protection authority, (AP), is concerned that a new anti-money laundering law opens the door to unprecedented mass surveillance by banks. Part of the proposal is to monitor all bank transactions of all Dutch account holders in one centralized database, using algorithms. In addition, banks must start exchanging customer data with each other. In many cases this monitoring could be outsourced to an algorithm-capable third party. Combined, the risks associated with this system are disproportionate to the purpose of the bill, believes the AP. For instance, this system could lead to people losing access to their bank accounts completely wrongly. Banks are already required to carry out individual checks on people or companies that may be laundering money or financing terrorism. And they must report unusual transactions to the authorities. 

The Norwegian data protection authority Datatilsynet responded to the government’s proposal to extend the debt information scheme to also include mortgage-secured debt. The regulator recognizes that banks and other creditors need to process information about existing mortgages and car loans in connection with the assessment of a loan application. However, the proposal conflicts with the data minimisation principle, states Datatilsynet. Banks and other credit institutions already have access to information about mortgages and car loans. It appears that the real purpose of the proposed extension of the debt information scheme is to make the creditors’ collection of information about mortgage-secured debt more efficient. This needs to be done in a more privacy-friendly way, and the regulator also points out that citizens’ debt information is attractive for both public and commercial actors, increasing the risk of purpose slippage.

Investigations and enforcement actions: lost DSAR, generic responses to DSARs, whistleblowing reports management, Clearview AI fine, Zoetop data leak

The Italian privacy regulator Garante fined BPER Banca 10,000 euros for violating Art. 12 and 17 of the GDPR. The complainant asked the bank, via email, to delete his professional account from a job application database. This email was acknowledged by the company, which asked him to repeat the request accompanied by identity documents, which the bank duly received at the same email address. However, this last communication was not followed by any effective action by the person in charge, (HR planning and development service), following an internal misunderstanding: changes in the company’s e-mail system generated some problems in communication flows between the various corporate functions. The account deletion request was finally fulfilled when the complainant’s lawyer sent a registered letter claiming alleged pecuniary and non-pecuniary damage due to the failure to delete. However, the company noted that some of the applicant’s data would still need to be processed for administrative, accounting, operational and organisational reasons. Other statutory retention periods would also apply for other litigation, or administrative/judicial proceedings.

Garante also imposed a 10,000 euro fine on Clio S.r.l for violating Art 5, 6, and 30 of the GDPR, in connection with similar decisions issued against the Municipality of Ginosa and Acqua Novara.VCO, DataGuidance reports. Clio supplies and manages, on behalf of various public and private entities, an application used for the acquisition and management of whistleblowing reports. Garante found that Clio had failed to regulate the relationships with various customers, who acted as data controllers, as a result of which Clio had carried out data processing activities in the absence of an appropriate legal basis. In addition, Clio had failed to keep a register of the processing activities carried out on behalf of the data controllers. Garante however noted the collaborative behaviour of Clio in the course of the investigation.

The Croatian data protection authority AZOP recently issued a negative statement on a generic response to data subject access requests, (in this case, the location of stored data), by a telecoms provider. The complainant received a generic notice listing the category of data collected along with the legal bases, and was told that any information on the processing of data, (collected with his consent), could only be obtained from the point of sale. Since the applicant was not satisfied with the generic answer, he repeated his inquiry on the same day in greater detail, specifically about where his data was stored, but he did not receive an answer from the company. 

The French regulator CNIL imposed a penalty of 20 million euros, (the maximum financial penalty under Art. 83 of the GDPR), on CLEARVIEW AI and ordered the company to stop collecting and using, without any legal basis, the data of people in France and to delete data already collected. CLEARVIEW previously was given two months to comply with the formal notice and justify it to the CNIL. However, it did not provide any response. CLEARVIEW scrapes photographs from a wide range of websites, including social media, that can be consulted without logging into an account, and extracts accessible images and videos from distribution platforms. Through this collection, CLEARVIEW creates, expands, and markets access to its search engine in which an individual can be searched for using images. The company offers this service to law enforcement agencies. CLEARVIEW boss Hoan Ton-That stated to the media that his company had no clients or premises in France and was not subject to EU privacy law, adding that his firm collected “public data from the open internet” and complied with all standards of privacy.

The New York Attorney General secured 1.9 million dollars from an e-commerce retailer, Zoetop, (owner of SHEIN and ROMWE), for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers. Zoetop was targeted in a cyberattack. Worldwide, 39 million SHEIN account credentials were stolen, including the credentials of more than 375,000 New York residents. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords. Zoetop did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. Zoetop also represented, falsely, that it had seen no evidence that credit card information was taken from the systems.

Data security: data breaches, software support practices, password management

A quick reminder from the Latvian data protection authority DVI was published on what constitutes a data breach and how to report it. Breaches can be classified according to three well-known information security principles:

  • Confidentiality incident, (hackers have found a security “hole” in the organisation’s information system and retrieved the personal data of customers).
  • Integrity incident, (due to an incorrectly constructed SQL query, the integrity of records of a customer database stored in the cloud has been lost. As a result, the new records are assigned to inappropriate reference fields and related information of one customer is attributed to another customer).
  • Availability incident, (due to the organisation’s incorrect backup copy policy, the existing database is overwritten with a half-year-old backup copy, without the possibility of restoring to a more current version of the database).

An organisation must therefore have developed and implemented an internal procedure for determining whether a breach has occurred, as well as a procedure for assessing the risks arising. If it is determined that it is likely that the breach could reasonably pose risks to the rights and freedoms of a natural person: the organisation must notify the supervisory authority within 72 hours. If, however, the notification takes place later, the reasons for the delay must be explained. Finally, the causes of the breach must be thoroughly investigated and measures must be taken to prevent repeated breaches in the future.

Privacy International looked into the software support practices for 5 of the most popular types of smart device, (smartphones, personal computers, gaming consoles, tablets, and smart TVs), and concluded that they fail to meet the expectations of the vast majority of consumers. The majority of EU consumers surveyed expect their connected devices to receive security updates for much longer than manufacturers currently offer; in many cases software updates, including security updates, are provided for a period shorter than the product’s expected life cycle. As for accessibility of information, only a few companies appeared to have detailed policies online. It is therefore critical that software remains up to date for a long time to keep a device secure and reduce risks to consumers’ privacy and security, stated PI.

In the context of increasing compromises of password databases, the French CNIL updated its recommendation to take into account the evolution of knowledge and allow organisations to guarantee a minimum level of security for this authentication method. According to a 2021 Verizon study, 81% of global data breach notifications are related to a password issue. In France, about 60% of the notifications received by the CNIL since the beginning of 2021 are related to hacking, and a large number could have been avoided by following good password practices, (two-factor authentication or electronic certificates).

If operations relating to password management are entrusted, in whole or in part, to a subcontractor, roles and responsibilities must be precisely defined and formalised, and the level of security required and the security objectives assigned to the processor must be clearly defined, taking into account the nature of the processing and the risks it is likely to generate. Finally, while software publishers as such are not subject to the legal framework for data protection, the organisations using their products must comply. Accordingly, the documentation of password management software must specify in detail how passwords are generated, stored, and transmitted.

Big Tech: human behaviour that leads to data breaches, Australia data leaks, Meta’s Pixel tracking tool, AI hiring tools, speech to identify mental health problems

London-based cybersecurity company OutThink has raised 10 million dollars in early-stage investments as it looks to help organisations identify human behaviour that can lead to data breaches. The company, which claims human behaviour is the source of 91% of data breaches, uses machine learning, natural language processing, and applied psychology to identify, understand and manage the attitudes, intentions, and sentiments of individuals.

Australia envisages increased penalties for data breaches following major cyberattacks. Australia’s telco, financial, and government sectors have been on high alert since Optus, the country’s second-largest telco, disclosed a hack in which personal data from up to 10 million accounts was stolen. The attack was followed by a data breach at health insurer Medibank Private, which covers one-sixth of Australians, exposing data including medical diagnoses and procedures. Australia’s Woolworths Group also said its online retailer MyDeal had identified that a “compromised user credential” was used to access its systems, exposing the data of nearly 2.2 million users, Reuters reports.

At least 47 proposed class actions have been filed since February claiming that Meta Platforms Inc.’s Pixel tracking tool sent the plaintiffs’ video consumption data from online platforms to Facebook without their consent, in violation of the federal Video Privacy Protection Act, a Bloomberg Law analysis of court dockets found. Almost half of the new cases were filed in September alone. The complaints allege that the platforms knowingly disclosed protected information by allowing Meta’s embedded Pixel code to share a digital subscriber’s viewing activity and unique Facebook ID with the social media company.

AI hiring tools do not reduce bias or improve diversity, Cambridge University researchers say in a study of the evolving technique the BBC called “pseudoscience”, reporting on the study. In particular, claims one of the research team, these tools can’t be trained to only identify job-related characteristics and strip out gender and race from the hiring process, because the kinds of attributes we think are essential for being a good employee are inherently bound up with gender and race. Some companies have also found these tools problematic, the study notes. For instance, a German public broadcaster found wearing glasses or a headscarf in a video changed a candidate’s scores. 

Finally, software that analyses snippets of your speech to identify mental health problems is rapidly making its way into call centers, medical clinics, and telehealth platforms, putting privacy activists on alert, according to Axios news. Unlike Siri and Alexa, vocal biomarker systems analyse how you talk — prosody, pauses, intonation, pitch, etc. — but not what you say. While the voice sample is run through a machine-learning model that uses a capacious database of anonymized voices for comparison, it may increase systemic biases towards people from specific regions, backgrounds, or with a specific accent.

The post Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management appeared first on TechGDPR.

Weekly digest March 14 – 20, 2022: smart contracts, AI bias, password managers & privacy https://techgdpr.com/blog/weekly-digest-21032022-smart-contracts-ai-bias-password-managers-and-privacy/ Mon, 21 Mar 2022 10:49:46 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: smart contracts, DPOs, AI risk management, GDPR cooperation

The Spanish data protection authority AEPD analyzed smart contracts. Smart contracts are algorithms that are stored in a blockchain and that execute automated decisions. The very nature of the smart contract, when applied to data of natural persons, falls within the scope defined by Art. 22 of the GDPR. This refers to the right of an interested party not to be subject to decisions based solely on automated means, including profiling, when those decisions have legal effects on them or significantly affect them, and to the interested party’s ability to challenge that automated decision. It also establishes three exceptions to said prohibition: explicit consent, the conclusion or execution of a contract between the interested party and a data controller, or the existence of an enabling law. In any of these cases, it is necessary to identify a person responsible for the execution of the said smart contract. The most famous use case is the one known as the DAO Fork of Ethereum.

A new practical guide for Data Protection Officers was published by the French data protection authority CNIL, (available in English). The spirit of the GDPR is to make the DPO the “orchestra conductor” of the management of personal data in the organization which designates them. The hierarchical position of the DPO must bear witness to this, and their resources must be adapted so that they can fully accomplish their job and their role of compliance coordinator. They should not work in a vacuum but be fully integrated into the operational activities of their organization, in conjunction with the CISO and the IT department, etc. The DPO guide is divided into 4 chapters: 

  • the role of the DPO; 
  • designating the DPO; 
  • the exercise of the DPO’s tasks; 
  • CNIL’s support for the DPO. 

Each theme is illustrated by concrete cases and frequently asked questions related to the subject being dealt with.

The US NIST seeks comments on the draft AI risk management framework, (AI RMF), and offers guidance on AI bias. The framework is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. It aims to provide a flexible, structured, and measurable process to address AI risks throughout the AI lifecycle. The guidance on bias notes that bias in AI can harm individuals. The NIST researchers thus recommend widening the scope of where we look for the source of these biases — beyond the machine learning processes and data used to train AI software to the broader societal factors that influence how technology is developed. AI can make decisions that affect whether a person is admitted into a school, authorized for a bank loan, or accepted as a rental applicant. AI systems can exhibit biases that stem from their programming and data sources, (e.g., machine learning software could be trained on a dataset that underrepresents a particular gender or ethnic group). Read the full draft AI RMF and guidance on AI bias here.

The EDPB adopted a couple of new guides last week:

  • on Art. 60 of the GDPR, (provides a detailed description of the GDPR cooperation between Supervisory Authorities, (SAs), and helps them to interpret and apply their own national procedures in such a way that it conforms to and fits in the cooperation under the one-stop-shop mechanism). 
  • on dark patterns in social media platform interfaces, (gives concrete examples of dark pattern types, presents best practices for different use cases, and contains specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR), and
  • the toolbox on essential data protection safeguards for enforcement cooperation between EEA and third-country SAs, (covers key topics, such as enforceable rights of data subjects, compliance with data protection principles, and judicial redress).

Legal processes: cyberattack disclosure in the US

New US cyber security incident reporting mandates have been signed into law, making it a legal requirement for operators of critical national infrastructure, (CNI), to disclose cyberattacks to the government. Namely, it will require CNI owners within the US to report substantial cyberattacks to the Cybersecurity and Infrastructure Security Agency, (CISA), within 72 hours, and any ransomware payments made within 24 hours. It enables CISA to subpoena organizations that fail to do so, with the threat of referral to the US Department of Justice for non-compliance. CISA has not said how it will use data gleaned from breach reports but has been seeking to build its capabilities and work more closely with the private sector on a voluntary basis. CISA lists 16 broad sectors spanning health, energy, food, and transportation as critical to the US, although the new legislation is yet to spell out precisely which companies would be required to report cyber incidents.

Data breaches and enforcement actions: insufficient TOMs, ransomware, unwanted marketing calls, Irish/Meta fine

The Danish data protection authority Datatilsynet criticized Kombit, (IT/project organization), for violating Art. 32 of the GDPR, following data breaches reported by 30 municipalities, Data Guidance reports. An error occurred in the platform used by the municipalities, where a user could access another user’s files, which included personal data, if the latter was not logged out of their computer. The IT company had not complied with the rules on data security, namely: no sufficient testing of the platform was carried out in connection with the code change implemented, (development of a change to the login solution in the platform), and it applied insufficient access rights controls. Additionally, Kombit and another company could not agree on what tests could be expected to be performed in connection with the code changes, or on whether the other company was acting as a sub-processor or not.

The UK Information Commissioner’s Office, (ICO), announced fines totalling approximately 482,000 euros to five companies responsible for over 750,000 unwanted marketing calls targeted at older, vulnerable people. The companies, (Domestic Support Ltd, Home Sure Solutions, Seaview Brokers, UK Appliance Cover, UK Platinum Home Care Services), were calling people to sell insurance products or services for large household appliances, such as televisions, washing machines, and fridges. In the UK, live marketing calls should not be made to anyone who has registered with the Telephone Preference Service unless they have told the caller that they wish to receive such calls from them. The ICO also issued these companies with enforcement notices that require them to immediately stop making these predatory calls.

The ICO also fined a law firm approximately 116,784 euros for contravening Art. 5 and Art. 32 of the GDPR by failing to process personal data in a manner that ensured appropriate security of the personal data, GDPRHub reports. Tuckers Solicitors, a limited liability partnership of solicitors, was the data controller. In 2020, they became aware that their systems had been hit by a ransomware attack and reported the data breach to the ICO on the same day. Here are some facts and findings from the case:

  • The attack had resulted in the encryption of numerous civil and criminal legal case bundles stored on an archive server. 
  • Backups were also encrypted by the attacker.
  • Although the firm’s GDPR and Data Protection Policy required two-factor authentication where available, it was not using the same for remote access. 
  • The firm installed the patch months after its release, during which time the attacker could have exploited the vulnerability.
  • The firm moved its servers to a new environment and the business was now back to running as normal, albeit without the restoration of the compromised data.
  • Proper encryption could have mitigated the damage, (although it would not have prevented the ransomware attack).

The ICO held that multi-factor authentication was a low-cost measure that could have substantially supported Tuckers in preventing access to its network. The firm also should not have been processing sensitive personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk.

Ireland’s data protection authority, (DPC), imposed a 17 million euro fine on Facebook parent Meta Platforms after an inquiry into 12 data breach notifications from 2018. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data. Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Art. 60 of the GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, a consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Ireland regulates Meta and a number of other large US tech giants because their EU headquarters are in the country. The DPC, which has a number of ongoing investigations into Meta, last year fined its WhatsApp subsidiary a record 225 million euros.

Data security: password managers

An analysis by the Guardian looks at password managers for convenience and enhanced online safety. The article argues that long and complex passwords are more secure but difficult to remember, leaving many people using weak and easy-to-guess credentials. Password manager apps can resolve this problem by creating long and complex credentials for you and remembering them the next time you log in: “Password managers keep your details secure by encrypting your logins so they can only be accessed when you enter the master password.” Yet reportedly only about one in five people in the UK use one. Some other findings by UK experts are:

  • Never keep a virtual password book or document on your computer, as it could be readable if your device is hacked.
  • Password managers should be backed by two-factor authentication, whereby you are asked for something such as a one-time code in addition to a password when you log in using a new device.
  • A security key is an option – a token you can insert into your device to double-secure high-risk accounts such as email. 
  • Authenticator apps are another option. These generate a unique code for you to enter into the site and are very straightforward to use.
  • Apple Keychain and the Google Chrome Password Manager lack the features of “full-service” ones. 
  • Physical password books aren’t a bad idea, as long as you create strong, unique logins, and the book is kept somewhere secure and doesn’t leave the house.

DPIA: Zoom case

Zoom is making changes to the privacy agreements for all education and enterprise users in Europe in collaboration with SURF, (the ICT service provider for Dutch education and research).  It has removed the privacy risks identified in the DPIA from 2021 by making changes to the software, making processor agreements, and promising future changes. These contractual and technical adjustments are described in the new recently published DPIA. They include:

  • Data location solutions, (all personal data to be processed in the EU by the end of the year).
  • Data Subject Access Requests: Zoom to use two self-service tools for enterprise and education account administrators. 
  • Clarifying the data protection role of Zoom and its customers, (universities and government organizations).
  • Clarified and minimized customer personal data retention practices. 
  • Privacy by design and default.
  • Updated Data Transfer Impact Assessment, and much more.

Big Tech: all-new GA, apps leaking sensitive data, Tesla’s facial and optical tracking

The all-new Google Analytics 4 will be the first data measurement tool released by the company with privacy designed “at its core”, an upgrade on the privacy features in the recent Analytics 360 tool, which will be retired, along with Universal Analytics. The company says IP addresses will no longer be stored, which could ease compliance in international markets, and the EU GDPR requirements for data transfers.

Are your apps leaking sensitive user data? A study revealed that 2113 apps had vulnerabilities in their Firebase back end because of cloud misconfigurations, IAPP News reports. Certain apps had tens of millions of downloads and included popular e-commerce, social audio, logo design, and bookkeeping apps, and even a dating app. Exposed data included user names, passwords, phone numbers, bank details, and some 50,000 chat messages. A separate study also found that 14% of Android and iOS apps using public cloud back ends had similar privacy issues due to misconfigurations.

Integral to Tesla’s autopilot and full self-driving features is the fact that software looks at your eyes while you look at the road, using facial and optical tracking to check your driving. Now a driver in Illinois has filed a proposed class action against Tesla Inc. for recording and storing biometric data without informed consent, illegal under Illinois’s Biometric Information Privacy Act, (BIPA). The suit also claims Tesla failed to make its data retention policy public, and failed to inform customers where facial recognition data was stored. Damages of 5000 dollars per BIPA violation are being sought.

The post Weekly digest March 14 – 20, 2022: smart contracts, AI bias, password managers & privacy appeared first on TechGDPR.
