pseudonymisation Archives - TechGDPR
https://techgdpr.com/blog/tag/pseudonymisation/

Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns
Published Wed, 07 Jan 2026 09:47:06 +0000
https://techgdpr.com/blog/data-protection-digest-03012026-improvements-are-being-made-to-gdpr-enforcement-us-consumer-privacy-and-emerging-shadow-ai/

GDPR enforcement simplified

A new regulation came into force on 1 January, supplementing the GDPR. It speeds up the work of data protection authorities in enforcement cases that involve multiple countries in the EU/EEA. The regulation provides, among other things, for time limits, stages of investigation, the exchange of information between authorities, and the rights of the parties concerned. In future, data protection authorities will have to issue a resolution proposal on a cross-border case as a rule within 12-15 months. In the most complex cases, the deadline can be extended by 12 months. The regulation will apply from April 2027. 


UK Adequacy decision

The European Commission adopted two new adequacy decisions for the UK, one under the GDPR and the other under the Law Enforcement Directive, valid until 27 December 2031. Under the new decisions, transfers of personal data from the EU to the UK can continue to take place without any specific framework. Following Brexit, the Commission had adopted two adequacy decisions vis-à-vis the UK in 2021, each containing a sunset clause. Those decisions expired in mid-2025 but were extended until the end of the year. The EDPS has since issued an opinion on the new decisions.

More legal updates

US consumer privacy updates: In Kentucky, as well as Indiana, Rhode Island and several other states, GDPR-enhanced legislation related to consumer data privacy took effect on January 1. In Kentucky, in particular, the new legislation establishes the rights to confirm whether data is being processed, to correct any inaccuracies, to delete personal data provided by the consumer, to obtain a copy of the consumer’s data, and to opt out of targeted advertising, the sale of data, or profiling of the consumer along with requirements for entities that control and process their data.

Similarly, in January, new regulations became effective in California regarding a risk-assessment framework for certain high-risk data processing activities, as well as transparency and notice requirements, disclosure of sensitive personal information, data breach reporting, consumer rights requests, and data collection and deletion by data brokers.

AI use by banks

The Hungarian data protection regulator issued a report on the processing of personal data by AI systems used by banks in Hungary (available in English). Some good practices indicated by the report include:

  • AI recognition of images, voices and texts must be reliable, without compromising data security. Principles of data minimisation and storage limitation must be observed.
  • The quality of the data used for AI training is important, as well as identifying whether or not the training data needs to be linked to a specific natural person. In many cases, pseudonymisation or anonymisation can be used to mitigate privacy risks before training.
  • The use of ‘Shadow AI’ is becoming a new phenomenon. It covers all cases where, in an organisation, users use AI systems in an unregulated, non-transparent, uncoordinated manner from the point of view of the organisation, either for work or for some personal use, using the organisation’s IT infrastructure. 
  • In their operations, certain banks under review also use analytical models to analyse and predict creditworthiness and product affinity, the precise classification of which may raise questions. They often operate on a statistical basis, but may also have an AI-based component, and it is necessary to apply the appropriate safeguards. 

More from supervisory authorities

EU Data Act: The French privacy regulator CNIL explained how the EU Data Act is going to reform the EU digital economy, gradually implemented through 2026-2027. The Act sets fair rules on the access and use of personal or non-personal data generated by connected objects. It allows anyone who owns or uses connected products to access the data generated by this object. It also facilitates their sharing with other actors, in particular by prohibiting unfair contractual clauses.

The implementation of this regulation must be done in conjunction with the GDPR. In particular, it provides that in the event of a contradiction between the two texts, it is the GDPR that prevails when personal data is concerned.

Similarly, the Digital Governance Act should be taken into account, which has set up new trusted intermediaries to encourage voluntary data sharing.

Bodycam use: At the end of December, the CJEU ruled in a case regarding a data controller’s obligation to provide information when collecting personal data via body-worn cameras worn by ticket inspectors on public transport. The collection of personal data by means of body-worn cameras constitutes collection directly from the data subject. The information obligation under Article 13 of the GDPR must therefore be met at the time of collection. The information can be provided in layers, where the most important information is, for example, stated on a warning sign, while the remaining information is provided in another appropriate (and easily accessible) way.


Disney US settlement

On 31 December, a federal judge required Disney to pay 10 million dollars to settle FTC allegations that the company allowed personal data to be collected from children who viewed child-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule). The complaint alleged that Disney violated the COPPA Rule by failing to properly label some videos that it uploaded to YouTube as “Made for Kids”.

The complaint alleged that by mislabeling these videos, Disney allowed for the collection, through YouTube, of personal data from children under 13 who viewed child-directed videos and used that data for targeted advertising to children.

More enforcement decisions

TikTok investigations: According to vitallaw.com, the Spanish and Norwegian data protection authorities have issued warnings to TikTok users regarding the company’s transfer of personal data to China, where national laws could require that data be shared with Chinese authorities. TikTok already faces EU fines over violations of the GDPR and was ordered to stop transferring personal data to China. 

So far, TikTok has been granted an interim injunction that allows the company to continue transferring personal data to China until the case is resolved. As a result, regulators are warning users to read the online platform’s notifications and privacy policies, check their privacy settings and think about what they share in the app. It is also recommended that businesses consider whether to continue using TikTok and conduct risk assessments.

PCRM software fine: Finally, the French CNIL has fined Nexpublica 1,700,000 euros for failing to provide sufficient security measures in a tool for managing relationships with users in the field of social action. Nexpublica (formerly Inetum Software) specialises in the design of computer systems and PCRM software used in particular by homes for disabled people.

At the end of 2022, Nexpublica customers filed data breach notifications with the CNIL, because users of the portal had access to documents concerning third parties. The CNIL then carried out inspections of the company, which revealed the inadequacy of its technical and organisational measures. The CNIL considered that the vulnerabilities found:

  • were mostly the result of a lack of knowledge of the state of the art and of basic security principles;
  • were already known to and identified by the company through several audit reports.

Despite this, the flaws were only patched after the data breaches.

Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector
Published Fri, 31 Jan 2025 09:43:59 +0000
https://techgdpr.com/blog/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector/

EU Health sector

The Commission presented an EU Action Plan to improve health sector cybersecurity. It will include hospitals, clinics, care homes, rehabilitation centres, various healthcare providers, the pharmaceutical, medical and biotechnology industries, medical device manufacturers, and health research institutions. A significant challenge for the cybersecurity of the health sector is the intersection of information technology (IT) and operational technology (OT), where different security priorities meet as regards data confidentiality, availability and reliability, and where a breach in one area can affect the other. In many cases, IT and OT are at least partly outsourced.

Deficiencies are observed in key areas such as sufficient human resources, organisations’ knowledge of their information and communications technology supply chains, and installation of up-to-date security features in products and in services like IaaS, PaaS and SaaS. The sector struggles with basic cyber hygiene and fundamental security measures, as illustrated by the fact that nearly all health organisations surveyed face challenges when performing cybersecurity risk assessments, while almost half have never performed a risk analysis.


Right of access


The EDPB published a one-stop-shop case digest on the right of access. Natural persons’ right to access personal data relating to them is enshrined in Art. 8 of the EU Charter of Fundamental Rights and is therefore to be considered the most essential data protection right. Art. 15 of the GDPR applies to requests for access submitted after the law became applicable. It can be divided into three components:

  • Confirmation as to whether personal data relating to the data subject is processed or not.
  • Access to the data relating to the data subject if it is being processed at the time of the access request.
  • Information about the processing and the data subject’s other data protection rights.

The CJEU has also repeatedly stated that the practical aim of the right of access is, first, to enable data subjects to verify that the personal data concerning them are correct and processed lawfully. In particular, the right of access is necessary to enable the data subject to exercise their rights to rectification, erasure, restriction and objection to processing, as well as the right of action when they suffer damage.

More EDPB updates

Pseudonymisation: The EDPB also awaits comments on the Guidelines on Pseudonymisation until the end of February. The GDPR does not impose a general obligation to use pseudonymisation. Similarly, the explicit introduction of pseudonymisation is not intended to preclude any other measures. However, data controllers may need to apply pseudonymisation to meet the requirements of EU data protection law, in particular, to adhere to the data minimisation principle, to implement data protection by design and by default, or to ensure a level of security appropriate to the risk. In some specific situations, Union or Member State law may mandate pseudonymisation. 

Complex algorithms: Finally, the EDPB also published an opinion piece on AI and effective data protection supervision. The report covers techniques and methods that can be used for the effective implementation of data subject rights, specifically the right to rectification and the right to erasure, when AI systems have been developed with personal data. However, there are several challenges:

  • Limited understanding of how each data point impacts the model;
  • Stochasticity of training (random sampling of batches of data from the dataset, random ordering of the batches, and parallelisation without time synchronisation);
  • Incremental training process (updates relying on a specific training data point will affect all subsequent updates);
  • Stochasticity of learning (it is difficult to determine how a specific data point contributed to the “learning” in the model).

AI prohibitions in the EU

From 2 February, for any organisation that offers or operates AI systems, the first key provisions of the AI Act will apply: the ban on certain AI practices in both public and private sectors (mass surveillance, social scoring, behavioural and emotional analysis), and the obligation to ensure that employees have sufficient AI skills. Additionally, manipulative AI practices that exploit human vulnerabilities are now prohibited. Particular focus is placed on protecting vulnerable groups such as children and adolescents.

From now on, such violations can not only lead to sanctions under the AI Act but also trigger action from data protection authorities.

More legal updates worldwide

China cross-border transfers: At the beginning of January, the Cyberspace Administration of China released for public consultation draft certification measures to legitimize cross-border transfers of personal data outside of China (CBDTs), DLA Piper reports. Chinese law requires data controllers to take one of three routes: a) a mandatory security assessment; b) a Standard Contractual Clauses filing; or c) certification.

The certification route is available to data controllers inside China, and to those outside the country if they fall under the extraterritorial jurisdiction of the Personal Information Protection Law (eg, processing the data of residents of China to provide products or services to them or to analyse or evaluate their behaviour). Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including consent requirements, impact assessments, and maintaining records of processing activities.

US child privacy: On 16 January, the FTC finalized changes to the children’s privacy rules (COPPA). By requiring parents to opt in to targeted advertising practices, the final rule prohibits platforms and service providers from sharing and monetising children’s data without active permission. It requires certain websites and online services to proactively obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13, provides the right to require deletion of these data, and establishes data minimization and data retention requirements. Entities will have one year from the publication date to come into full compliance.

Open Data

The French CNIL alerts data controllers who use databases freely made available on the Internet or provided by a third party that they must verify that their creation, sharing or re-use is legal. This concerns areas such as scientific research, the development of artificial intelligence systems, commercial prospecting and data brokers. To set up a compliance process, data controllers will need to identify a legal basis, inform individuals, minimise data, obtain explicit consent for the processing of sensitive data, maintain up-to-date data processing agreements and other core documentation, and conduct impact assessments.

SDK and app privacy

Software development kits (SDKs) play a central role in how mobile apps work. The French CNIL has made recommendations on how to integrate SDKs and carry out checks to ensure their compliance with the GDPR. The most popular SDKs offer tools for software error management, audience measurement, ad monetisation, notification management, and more.

The SDK code embedded within the app has the same level of software access as the rest of the code written by the app developer. If permission is granted to the application, all built-in SDKs have, by default, the technical capability to access the data. This access by the SDK can then escape the developer’s control and infringe on the privacy of the users of the application. It is therefore important that the publisher gives clear instructions to the developer as to the process to be implemented for the selection and configuration of the in-app SDKs.

More official guidance

Medical wearables: The Federal Office for Information Security (BSI) in Germany has published the results of its project on the “Security of wearables with partial medical functionalities”. The project deals with the security of wearables (marketed in Germany) that use sensors to record health and fitness status. These sensors can be used to measure or calculate heart rate, blood oxygen saturation, sleep patterns, and calorie consumption, among other things. Many of these devices use mobile apps to evaluate sensitive data and create statistics. Vulnerabilities in devices used to record health and fitness data open up a new form of personal cybercrime. On the one hand, it is conceivable that wearables could be used specifically to attack people who have the appropriate sensors. Targeted attacks could also be made on recovery processes, for example when sick people adjust their medication based on sensor data.

Financial apps: In parallel, the BSI published technical guidelines on “Requirements for applications in the financial sector”, aimed at fintech companies such as banks, financial service providers or start-ups in the field of financial technology. The aim is to achieve a uniformly high level of security for existing banking apps and payment services, but also for financial services on smartphones or smartwatches. These may include apps that users can use to pay in the supermarket or manage accounts, but also crowdfunding platforms or microcredit initiatives. The guide in German can be found here.


Selling drivers location and behaviour data

In the US, the FTC is taking action against General Motors over allegations that it collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent. When consumers bought a vehicle, they were encouraged to sign up for a feature which they were often told would be used to help them assess their driving habits.

The information notice was confusing and misleading. GM failed to clearly disclose to consumers the types of information it collected, including their geolocation and driving behavior data, such as hard braking, late night driving, and speeding, or that it would be sold to consumer reporting agencies. These consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were then used by insurance companies to deny insurance and set rates. Additionally, through faulty claims on its websites and in email and social media ads, the company claimed that it deployed reasonable security and that it was in compliance with the previous EU-US and Swiss-US Privacy Shield Frameworks. 

More enforcement decisions

Loan promotion: The UK’s ICO meanwhile fined ESL Consultancy Services Ltd 200,000 pounds for knowingly sending unlawful loan promotion nuisance text messages to people who had not consented to receive them. The regulator found that in 2022 and 2023, ESL used a third party to send marketing text messages without ensuring valid consent was in place to send promotional materials. ESL also took steps to try to conceal the identity of the sender of the messages by using unregistered SIM cards. As a result, the ICO received 37,977 complaints.

Failed internal policies: An investigation by the Romanian supervisory authority revealed that the telecoms operator Vodafone Romania repeatedly failed to ensure the confidentiality of data belonging to several customers as a result of non-compliance with internal policies. For these acts the operator had to pay a fine of approx. 15,000 euros. The data security breach was caused by:

  • unauthorised transmission of a picture of a data subject’s invoice to a third party;
  • not hiding recipients’ email addresses and not using the “BCC” option when informing data subjects of changes;
  • an employee of an authorised representative of the operator sending, via WhatsApp, a photo containing a screenshot of data displayed in the app interface.

Failed erasure request: The Romanian regulator also fined Orange Romania approx. 40,000 euros for a failed data erasure request. After an unsuccessful attempt to subscribe to the mobile services offered by the operator, a request was made to delete all personal data. During the correspondence, the operator requested more personal data and no complete and adequate responses were provided to the requests received. Moreover, the operator had excessively collected and stored scanned copies of documents, although they were no longer necessary for the purpose of identification related to the conclusion of a subscription contract. 

Data security

Hosting services: America’s FTC reminds us that a business website is one of the most important sales and marketing tools. It is not only the virtual storefront, but also a repository for data, yours and your customers’. Thus, when you go looking for a web host, the company that will store your site on its servers, security is non-negotiable. The recent FTC settlement with GoDaddy, one of the largest web hosting companies in the world, shows what can happen when security slips: in particular, when the hosting provider neglects to inventory its assets, manage software updates, use multifactor authentication, and appropriately monitor for security threats.

New security measures listed: The Danish data protection regulator published two new measures in its technical catalogue, both of which deal with ‘secure data transmission’. When two or more parties use external networks, such as the Internet and telecommunications networks, they often do not have the same control and protection as when using their own networks. In such cases, the parties must assess whether the data transmission should be protected with encryption. Encryption of data in transit can also be used to protect against “insider threats” or physical intrusion into one’s own networks. During transmission, there is also a risk that data may become known to unauthorised persons. Validation of sender, recipient and content is thus a preventive measure that reduces the likelihood of data being read by unauthorised parties. At the same time, it can ensure non-repudiation and validation of the sender.

Valio data breach investigation in Finland

The data protection ombudsman is investigating a data security breach targeting the information network of Valio (the country’s largest milk processor). The attacker obtained the personnel data of Valio and its subsidiaries operating in Finland, as well as of milk purchasing cooperatives. Former employees of Valio have also been affected. In addition, the breach targeted data in the databases of the Valio Mutual Insurance Company and the Valio Pension Fund. The data breach affected a significantly larger amount of personal data than initially estimated by the data controller.

Big Tech

Meta AI: Meta began to gradually roll out a new feature that lets its AI tool remember certain details that you share with it in 1:1 chats on WhatsApp and Messenger. The company is also rolling out a greater level of personalisation for Meta AI on Facebook, Messenger and Instagram (by tracking and memorising details about you, including information about your personal life, ethnicity, health and family).

The changes so far only concern users in the US and Canada. The new policy promises to “only remember certain things you tell it in personal conversations (not group chats), and you can delete its memories at any time”.

DeepSeek data whereabouts: Italy’s data protection regulator Garante has requested answers from (and temporarily blocked) the Chinese AI model DeepSeek, supposedly a low-cost and open-source alternative to US rivals, over its usage of personal data. What information has been collected, from which sources, for what purposes, on what legal basis, and is it stored in China? Other reports claim that DeepSeek spreads misinformation and blocks political prompts, and raise the question of how the Chinese state might exploit users’ data.

OpenAI meanwhile warns that Chinese startups are ‘constantly’ using its technology to develop competing products. The company is reviewing allegations that DeepSeek used the ChatGPT maker’s AI models to create a rival chatbot through a technique known as “distillation”, boosting the performance of smaller models by using larger, more advanced ones to achieve similar results, summed up in this Guardian article.

Data protection digest 20 Jul – 2 Aug 2024: ‘legitimate interest’ criteria, surveillance pricing, Olympics and AI
Published Mon, 05 Aug 2024 08:03:37 +0000
https://techgdpr.com/blog/data-protection-digest-05082024-legitimate-interest-criteria-surveillance-pricing-olympics-and-ai/

This edition includes: the CJEU expands on the legitimate interest criteria, a summary of the most common mistakes by data controllers, AI tools enter Olympic venues in Paris, the US FTC expresses concern that user monitoring now permits AI-facilitated individualised pricing.


Legitimate interest criteria

A CJEU advocate general clarifies the obligations of the data controller when relying on the legitimate interest legal ground. A mere reference to ‘legitimate interest’, without any indication of precisely what that legitimate interest is, cannot satisfy the GDPR requirements. Such a legitimate interest could exist, for example, where there is a relevant relationship between the data subject and the controller (eg, the data subject is a client of the controller).

The legitimate interest criteria need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Preventing fraud or even direct marketing purposes also can constitute a legitimate interest. However, it should be for the controller to demonstrate that a compelling interest overrides the interests or the fundamental rights and freedoms of the data subject.

AI Act entered into force on 1 August


The EU data protection regulators have begun to examine the supervisory powers vested in them by the new law. A large part of the high-risk AI systems fall within its scope. This covers not just the organisations that use these systems but the whole value chain, including the software, cloud, and security firms that provide AI systems, either by selling them or by integrating them into already-existing systems. The data protection authorities face yet another challenge in the regulatory sandboxes (“real-world laboratories”) that the AI Act establishes to foster innovation. AI developers and users now have until February 2025 to inventory the AI systems they use or sell, as well as the risk category they fall into. Organisations that create or use prohibited AI must prepare for substantial fines starting in August 2025.

Weak Children’s Privacy

The UK Information Commissioner’s Office has launched a major review of social media platforms (SMPs) and video-sharing platforms (VSPs) as part of its Children’s Code Strategy. It reviewed 34 SMPs and VSPs such as BeReal, Twitch, Threads, WeChat, YouTube Kids and X (Twitter), focusing on the processes young people go through to sign up for accounts, with emphasis on information transparency, age assurance, default privacy settings, geolocation and exposure to algorithmic systems. The full list of audited platforms and their non-compliance issues can be seen here.

More legal processes

Surveillance pricing: The US Federal Trade Commission (FTC) launched a new investigation as reportedly a growing number of grocery stores and retailers may be using algorithms to establish individualised prices. Advancements in machine learning make it cheaper for these systems to collect and process large volumes of personal data, which can open the door for price changes based on your precise location, shopping habits, or web browsing history.  

Hashing and anonymisation: The FTC has also reiterated its long-held view that hashing or pseudonymising identifiers does not render data anonymous: hashes can still be used to identify or target users, and their misuse can lead to harm. While hashing might obscure how a user identifier appears, it still creates a unique signature (eg, a unique advertising ID) that can track a person or device over time and across apps without the individual’s informed consent.
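The FTC’s point here, and the EDPB’s distinction above between pseudonymisation as a risk-reducing measure and anonymisation, in an added illustration that is not code from TechGDPR, the FTC or the EDPB: a plain hash of an e-mail address is a stable key that any two data holders can join on and that anyone who already knows an address can recompute, whereas a keyed HMAC with a separate secret per controller and purpose (my suggested construction, not one the article prescribes) still yields a pseudonym in the GDPR sense, linkable by whoever holds the key, but not by third parties. The user lists and addresses are constructed sample data.

```python
"""Hashed identifiers are pseudonyms, not anonymous data.

Added illustration, not code from TechGDPR, the FTC or the EDPB. The user
lists and e-mail addresses are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: two unrelated services, each with its own user list.
APP_A_USERS = ["alice@example.org", "bob@example.net", "carol@example.com"]
APP_B_USERS = ["bob@example.net", "carol@example.com", "dave@example.org"]


def normalise(identifier: str) -> bytes:
    """Trim and lower-case, as ad-matching schemes do before hashing."""
    return identifier.strip().lower().encode()


def plain_token(identifier: str) -> str:
    """Unkeyed SHA-256: the 'hashed e-mail' the FTC warns about."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def new_key() -> bytes:
    """A fresh 256-bit secret for one controller and one purpose."""
    return secrets.token_bytes(32)


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. The key is the 'additional information' of
    GDPR Art. 4(5): stored separately, it is what stops others from
    recomputing the token or joining datasets on it."""
    return hmac.new(key, normalise(identifier), "sha256").hexdigest()


def shared_tokens(tokens_a, tokens_b) -> set:
    """Tokens present in both datasets, i.e. the people the two holders can link."""
    return set(tokens_a) & set(tokens_b)


def linkable_with_plain_hash() -> int:
    """Both apps hash the same way, so their user bases join without any secret."""
    a = [plain_token(u) for u in APP_A_USERS]
    b = [plain_token(u) for u in APP_B_USERS]
    return len(shared_tokens(a, b))  # bob and carol: 2


def recognisable_from_plain_hash(known_email: str, tokens) -> bool:
    """Anyone who already knows an address can recompute its plain hash and
    test whether that person appears in a 'hashed' dataset."""
    return plain_token(known_email) in set(tokens)


def linkable_with_keyed_tokens(key_a: bytes, key_b: bytes) -> int:
    """With a key per controller and purpose, tokens only join if the same key
    was used on both sides. The key holder can still link, so this is
    pseudonymisation (a risk-reducing measure), not anonymisation."""
    a = [keyed_token(u, key_a) for u in APP_A_USERS]
    b = [keyed_token(u, key_b) for u in APP_B_USERS]
    return len(shared_tokens(a, b))


if __name__ == "__main__":
    print("plain hash, cross-app overlap:", linkable_with_plain_hash())
    k_a, k_b = new_key(), new_key()
    print("separate keys, cross-app overlap:", linkable_with_keyed_tokens(k_a, k_b))
    print("same key reused, cross-app overlap:", linkable_with_keyed_tokens(k_a, k_a))
```

Reusing one key across purposes or sharing it with the other party restores the cross-app linkability, which is why key separation and key custody belong in the DPIA alongside the choice of hash.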

NIS2: The Hogan Lovells analysis looks at the speed of national implementations of the NIS2 Directive as the 17 October deadline approaches. So far, not all EU Member States seem to be on track to implement a common level of cybersecurity. Germany only adopted its draft (the so-called “IT Security Act 3.0”) on 24 July. The legislation largely demands from critical sectors: security risk management systems implemented to the highest standards (eg, ISO 27001), incident reporting, corporate monitoring, and training and auditing obligations. For more on enforcement, personal liability of directors, and geographical scope, read the original publication.

Addictive patterns

The Spanish privacy regulator warns against the use of addictive patterns in its latest study. Online services often implement deceptive and addictive design patterns to prolong the time users spend on their services, to increase engagement and the amount of personal data collected, and to carry out profiling. The adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children.

However, the Digital Services Act, now in force, establishes that online services shall not design, organise or manage their interfaces in a way that deceives or manipulates users, or that distorts or hinders their ability to make free and informed decisions. So far, the European Commission has opened two sanctioning procedures for possible non-compliance with these requirements, against TikTok and Meta.

More official guidance

Errors in data processing: The Latvian data protection authority explains the most common mistakes made by data controllers and how to avoid them. They include: not choosing a legal basis, or choosing one that is inadequate for the purpose of the processing; not properly informing data subjects; not building privacy by default into information system management; ignoring technical and organisational security measures; not handling and recording incidents; improperly handling data subject requests; lacking core documentation and impact assessments; and poor due diligence of data processors.

Generative AI: The European AI Office has opened a call for expressions of interest to participate in drawing up the first general-purpose AI Code of Practice. The Code of Practice will detail the AI Act rules for providers of general-purpose AI models and general-purpose AI models with systemic risks. These rules will apply from August 2025, 12 months after the entry into force of the AI Act. The Code will be prepared in an iterative drafting process by April 2025.

According to the latest guidance from the US NIST, one of the primary risks of generative AI is that such systems may leak or generate sensitive information about individuals (included in the training data). The integration of non-transparent or third-party components and data may also diminish accountability and introduce the possibility of errors across the AI value chain. Finally, generative AI training raises risks to widely accepted privacy principles, including transparency, individual participation (consent) and purpose specification.


Facial recognition at school

In the UK, an Essex school was reprimanded after using facial recognition technology for canteen payments. The school, which has around 1,200 pupils aged 11-18, failed to carry out a prior assessment of the risks to the children. The school had not properly obtained clear permission to process the students’ biometric information and the students were not allowed to decide whether they did or didn’t want it used in this way.

It also failed to seek the opinion of its data protection officer or to consult parents and students before implementing the technology. Instead, a letter was sent to parents with a slip to return if they did not want their child to participate in the facial recognition scheme. Affirmative ‘opt-in’ consent was not sought, meaning the school was wrongly relying on assumed consent.

Emergency calls disabled

In light of the recent global IT outage, BBC coverage recalls a major incident in Britain a year ago. BT (formerly British Telecom) has just been fined 17.5 million pounds for a failure of its emergency call handling service which led to thousands of 999 calls not being connected. The network failure lasted for more than 10 hours. The outage was caused by an error in a file on a BT server, which meant that systems restarted as soon as call handlers received a call.

It led to staff being left logged out and calls being disconnected or being dropped as they were transferred to the emergency services. The tech company was not prepared to respond to the problem: instructions on how to solve such an issue were “poorly documented” and staff were unfamiliar with the process.

More enforcement decisions 

French Guiana fine: The French CNIL decided to impose a penalty payment on the municipality of Kourou, in the overseas department of French Guiana (also known as the main spaceport of France and the European Space Agency). The municipality will have to pay 6,900 euros for still not having complied with its obligation to appoint a data protection officer despite the CNIL’s injunction of December 2023. This penalty payment does not close the procedure: the injunction and its penalty payment continue to run for as long as the municipality has not appointed a data protection officer, so a further penalty payment may be ordered.

Human error in an education ministry: The education minister in Northern Ireland has apologised after the personal details of more than 400 people who had offered to contribute to a review of special education needs were exposed, the Guardian reports. According to the education department, 407 people had expressed interest in attending the end-to-end review of special education needs (SEN) events around Northern Ireland, and a spreadsheet attachment containing their names, email addresses and titles was accidentally emailed to 174 people. Several people’s remarks were also included in the spreadsheet. The 174 unintended recipients were asked to delete the personal information and confirm that they had done so.

Olympics, performance, privacy and AI

The International Olympic Committee determined over 180 potential use cases for AI in the Olympics, with some of them already in use at the Paris venue, according to a fortune.com article. The primary purposes include “enhancing the fairness and accuracy of judging and refereeing through the provision of precise metrics”. In another case, Google was announced as “the official search AI partner of Team USA”.

Finally, event organisers and the French government are also leaning on AI to monitor potential threats (prompting the French government to temporarily change the law to allow this use of experimental surveillance technology for the Olympics).

Data security

Data breaches and exploitation of APIs: In the US, the Federal Communications Commission settled with TracFone Wireless (a telecommunications carrier) to resolve data security investigations. The underlying data breaches involved the exploitation of application programming interfaces (APIs), which allow different computer programs or components to communicate with one another. Many APIs can be leveraged to access customer information from websites, and they are therefore a common attack vector for threat actors. The settlement includes a mandated information security program consistent with standards identified by NIST and OWASP; subscriber identity module (SIM) change and port-out protections; annual security assessments by independent third parties; and privacy and security awareness training for employees and certain third parties.

Big Data

Third-party cookies: Google has officially changed its plans and no longer intends to deprecate third-party cookies in the Chrome browser, as this transition requires “significant work by many participants and will have an impact on everyone involved in online advertising”. Implementation of the Privacy Sandbox project started in 2019. Now the tech giant is proposing an updated approach that elevates user choice. Google is reportedly discussing this new path with regulators and will engage with the industry soon.

'Legitimate interest' criteria

Meta record settlement: Meta has also reached a 1.4 billion-dollar settlement to resolve claims brought by the Texas Attorney General. It aims at stopping the company’s practice of capturing and using the personal biometric data of millions of Texans without authorisation. This settlement is the largest ever obtained from an action brought by a single State. In 2011, Meta rolled out a new feature that it claimed would improve the user experience by making it easier for users to “tag” photographs with the names of people in the photo.

For more than a decade Meta ran facial recognition software on virtually every face contained in the photographs uploaded to Facebook. 

Data centre’s electricity hunger: According to official estimates cited by The Guardian, Ireland’s data centres consumed more power last year than all of the country’s urban households put together. Specifically, Google, which has its European headquarters located in Ireland, stated that its data centres might potentially delay its environmentally conscious goals following a 48% surge in its total emissions last year. This is the outcome of increased demand for cloud services and data processing, which includes advances in artificial intelligence.


Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court
https://techgdpr.com/blog/data-protection-digest-17052023-data-processing-roles-and-obligations-elaborated-by-eu-top-court/ (published Wed, 17 May 2023)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal redress

Pseudonymised (non-personal) data processing: In SRB v. EDPS, the European General Court ruled that pseudonymised data transmitted by one party to another would not be regarded as personal data in the recipient’s hands if the recipient has no legal means of obtaining the additional information needed to identify the data subjects. The case arose from the Single Resolution Board’s (SRB) decision to conduct a shareholder poll in the case of Banco Popular Español, as part of which it shared the results with a consulting firm. To guarantee that replies could not be traced back to specific respondents, SRB pseudonymised the data. The decoding key that could link specific responses to the alphanumeric codes was not given to the consulting company.

Additionally, the court did not rule out that personal views or opinions may constitute personal data. However, such a conclusion must be based on a case-by-case examination. View the court’s ruling here.
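The FTC’s point about hashed identifiers in the 2024 digest above and the SRB decoding-key arrangement just described are two sides of the same design question, so here is one added Python example (not TechGDPR’s, the FTC’s or the court’s code) that shows both: an unkeyed SHA-256 of an e-mail address is recomputable by anyone, so two organisations’ exports can be joined on it and a hash can be matched against a list of candidate addresses, whereas a keyed HMAC pseudonym, or a random code whose decoding table stays with the issuing party, cannot. The datasets, addresses and keys are constructed for the demo.

```python
"""Added example (not TechGDPR's, the FTC's or the General Court's code):
why an unkeyed hash of an identifier is a pseudonym rather than an
anonymised value, and how a keyed pseudonym or a separately held decoding
table changes what a recipient can do. All identifiers and records below
are constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed sample data: the same e-mail address is present in two
# datasets held by two different organisations (party A and party B).
DATASET_A = {"alice@example.com": {"plan": "premium"},
             "bob@example.com": {"plan": "basic"}}
DATASET_B = {"alice@example.com": {"city": "Lyon"},
             "carol@example.com": {"city": "Riga"}}


def normalise(identifier: str) -> bytes:
    """Canonicalise before hashing; real pipelines do the same, which is
    exactly why independently computed hashes of one address agree."""
    return identifier.strip().lower().encode("utf-8")


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256. Deterministic and reproducible by anyone, so it is
    a stable identifier in its own right (the FTC's point)."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept by the pseudonymising party.
    A recipient without the key cannot recompute or cross-match it."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def shared_pseudonyms(pseud_a, pseud_b) -> set:
    """Pseudonyms appearing in both parties' outputs, i.e. records that a
    third party holding both exports could join without any raw data."""
    a = {pseud_a(ident) for ident in DATASET_A}
    b = {pseud_b(ident) for ident in DATASET_B}
    return a & b


def matches_candidate(pseudonym: str, candidates, pseud=unkeyed_pseudonym):
    """Return the candidate identifier whose pseudonym equals `pseudonym`,
    or None. With an unkeyed hash, anyone who already holds a list of
    identifiers can confirm which one a hash refers to; with a keyed
    pseudonym this only works for the key holder."""
    for cand in candidates:
        if hmac.compare_digest(pseud(cand), pseudonym):
            return cand
    return None


def pseudonymise_with_table(records: dict):
    """The arrangement described in SRB v. EDPS: replace each respondent
    with a random code and keep the code -> respondent table separately,
    as the decoding key that is never handed to the recipient."""
    table, out = {}, {}
    for ident, payload in records.items():
        code = secrets.token_hex(8)  # random; carries nothing about `ident`
        table[code] = ident
        out[code] = payload
    return out, table


if __name__ == "__main__":
    print("unkeyed, joinable records:",
          len(shared_pseudonyms(unkeyed_pseudonym, unkeyed_pseudonym)))
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)
    print("keyed with different keys, joinable records:",
          len(shared_pseudonyms(lambda i: keyed_pseudonym(i, ka),
                                lambda i: keyed_pseudonym(i, kb))))
    coded, decoding_key = pseudonymise_with_table(DATASET_A)
    print("recipient sees:", coded)
    print("decoding key stays with the issuer:", decoding_key)
```

The practical reading is the one the FTC gives: an unkeyed hash only changes what an identifier looks like, not what it does. Whether a keyed or table-based scheme takes the data out of the recipient’s reach depends, as the General Court stressed, on the recipient having no legal or practical means of obtaining the key or table.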

Right to GDPR compensation: The CJEU has recently published a number of rulings on data subject rights. In one case, Österreichische Post had collected information on the political affinities of the Austrian population using an algorithm. Following compensation claims from citizens who had not consented to this, the Austrian Supreme Court asked the CJEU whether a mere infringement of the GDPR is sufficient to confer a right to compensation, and whether compensation is possible only if the non-material damage suffered reaches a certain degree of severity. It also asked what the EU-law requirements are for determining the amount of damages.

The EU top court responds that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of severity. The court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules. 

“Copy” of personal data definition: The CJEU also ruled that the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data. The Court notes that the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data. 

The case relates to CRIF in Austria (a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties). It sent the applicant a summary of his personal data undergoing processing. However, the individual had expected a copy of all the documents containing his data, such as emails and database extracts. After the Austrian data protection authority rejected his complaint, the applicant went to court.

CJEU opinions

Data controllers’ strict liability: A non-binding opinion by a CJEU Advocate General limits the strict liability of data controllers for GDPR fines: they may only be imposed for intentional or negligent conduct (‘mens rea’). The referring court wanted to know whether the state agency could be fined simply because it breached the obligations imposed on it by virtue of being a controller (strict liability), or whether an element of fault in committing the breach is required.

The case concerns the Lithuanian Public Health Centre and the design and deployment of a mobile application for tracking COVID-infected people. After funding for the project fell through, the state agency asked the app developers (initially defined as joint controllers) not to use the LPHC’s details or any association with it in the mobile product. However, the app remained available for download by the public, unaltered. The data protection authority therefore decided to impose a fine on both entities in their capacity as joint controllers.

The CJEU’s opinion confirmed that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’. Furthermore, the absence of any agreement or even coordination between joint controllers cannot exclude a finding that the controllers are ‘joint controllers’.

Concept of lawful “data processing”: In the above case, the referring court also called for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects the ability of supervisory authorities to impose a fine on the controller.

The CJEU reasoned that a controller may be fined even though the unlawful processing is carried out by a processor. That possibility is open for so long as the processor acts on the controller’s behalf. However, if the processor uses personal data outside of, or contrary to, the lawful instructions of the controller, then the controller cannot be fined. 

The concept of ‘processing’ encompasses a situation in which personal data is used during the testing phase of a mobile application, unless such data has been anonymised in such a way that the data subject is not, or no longer, identifiable. 

Official guidance

Direct marketing: Effective direct marketing relies on you having a positive relationship with individuals you are marketing to and that is usually rooted in them having consented to you contacting them, states the latest guidance by the Guernsey data protection authority. The document answers the questions on how to obtain people’s consent in a lawful way, while being able to pursue commercial communication and inform people about what you are doing; explains lawful processing conditions under consent and legitimate interest; looks at the dangers of soft opt-in and automated calling systems and silent calls; and provides options for stopping direct marketing. See the full guidance (in English) here.

Client databases: The Latvian data protection agency also looks at client databases. Customer personal data permeates almost every aspect of business, from the delivery address of an order to the use of customer data to build a company’s marketing campaign. Whether you store only a customer’s first name, last name and email address, or a personal identification number and bank details, you need to make sure that customer information is kept as accurate and as secure as possible. The main principles to follow are:

  • Determine the purpose for which the database is being created (eg, administration of fees, sending news, ensuring access).
  • Evaluate and decide exactly what personal data is required from the client, and don’t collect or store personal data just because you think it might come in handy someday (eg, if you plan to send information only by e-mail, you do not need to ask the customer for a phone number).
  • The information in the customer database must also be accurate and updated as necessary (eg, inaccurate data may allow the service to be used by a person who has not paid for it).
  • The necessary technical and organisational measures must be implemented (eg, limit the personnel who can access customer information, maintain employee training, and if you transfer personal data, ensure that it is encrypted).

Enforcement decisions

Concept of warning and expansion of investigation periods: Spain has modified its law on the protection of personal data and clarified that a warning should not be considered a sanction, but rather an appropriate measure, of a non-punitive nature, included within the corrective powers of the supervisory authorities. Additionally, the increase and greater complexity, (including a one-stop-shop mechanism), of the issues addressed by the data protection agency in the sanctioning procedures show the need to extend some of the resolution deadlines. In particular, for this reason, the modification contemplates an increase from nine to twelve months in the maximum duration of disciplinary procedures, and from twelve to eighteen months in previous investigation actions.

TikTok fine: The UK Information Commissioner’s Office has issued a 12.7 million pound fine to TikTok Information Technologies UK Limited and TikTok Inc for a number of breaches of data protection law, including failing to use children’s personal data lawfully. While TikTok purports to rely, in part, on contractual necessity as its lawful basis for processing the personal data of children under 13, the Commissioner considers that the legal test for contractual necessity is not met in this case. In addition, TikTok failed to make reasonable efforts to ensure that consent was given or authorised for underage users of its video-sharing platform, or to prevent children under 13 from accessing its services. Read the full list of TikTok’s infringements in the original decision.

Information obligation: The Romanian data protection agency fined Libra Internet Bank for not fulfilling its data subject rights obligations. It was found that a response sent to a complainant by e-mail did not contain information about the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy against the bank’s refusal to provide a copy of a requested video recording, thus violating Art. 12 in conjunction with Art. 15 of the GDPR. On the same occasion, the regulator noted that the data controller did not present evidence that it had adopted measures to facilitate the exercise of the right of access.

Grocery data: The Norwegian data protection authority has decided to ban Statistics Norway’s planned collection of data on the population’s grocery purchases. Through bank and transaction data, Statistics Norway would have had information on what a significant proportion of the population buys in groceries. This could in turn be linked to socio-economic data such as household type, income and level of education. No sufficient legal basis for such intrusive processing of personal data exists. Even if the purpose of the collection is anonymous statistics for societal benefit, the intrusion into the individual’s privacy will already have occurred once the personal information is collected (from private actors). Finally, citizens have no real opportunity to oppose such collection, other than by using cash as a means of payment.

Debt collection data: Croatia’s privacy regulator issued an administrative fine of over 2 million euros on a debt collection agency. The data controller did not inform its data subjects, in an accurate and clear manner, about the processing of their personal data. In addition, it did not conclude a data processing agreement with its consumer bankruptcy monitoring service provider. The agency also did not apply appropriate technical and organisational measures while processing quite sensitive personal data, so it would probably never have noticed a data breach.

Data security

Encryption pros and cons: The Spanish data protection agency has published a guide to supervising cryptographic systems used as a security measure in data protection. Encryption is a procedure by which information is transformed into an apparently unintelligible data set using various techniques. The GDPR mentions it as a measure that forms part of the conditions for compliant processing and as an aid to mitigating the risks in the event of a personal data breach. However, if not well designed it can give a false sense of security that relaxes the application of other complementary measures, in particular privacy by design. The document also proposes a list of controls to help the data protection specialist select those most appropriate for validating the encryption system. Read the full guide (in Spanish) here.

Password hurdle: The average internet user reportedly has between 70 and 80 passwords for a wide variety of services, explains the Slovenian data protection agency based on recent research. Considering that a strong password is (at least) 12 characters long, complex and of course unique, it is extremely difficult to remember them all.

Password managers offer effective management and safe storage of passwords. In this case, it is important to have a very strong master password, which is also the only one we need to remember. Two-factor authentication solves two of the most common problems: short, weak and reused passwords are no longer so problematic, since access to the service also requires a unique code that is obtained via the phone.

Finally, most information security experts do not recommend saving passwords in browsers. The reason is primarily the rapid spread of Trojan horses that specialise in stealing user data. Long and unique passwords do not help here, because the malware simply copies them and sends them to the attackers.

International data transfers

US data transfers: The European Parliament has rejected the draft US adequacy decision in a plenary vote. Although the resolution is not binding, MEPs concluded that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection, and called on the Commission to continue negotiations with its US counterparts to provide the adequate level of protection required by Union data protection law as interpreted by the CJEU. MEPs called on the Commission not to adopt the adequacy finding until all their recommendations, on safeguards against US intelligence activities and on the practical deployment of the redress mechanism for individuals, are fully implemented.

To that end, a parliamentary group from the Civil Liberties Committee visits the US capital this week to meet members of the House of Representatives and Senators working on privacy and cybersecurity issues, including sponsors of various federal privacy acts, as well as the Federal Trade Commission, the US Courts administration, the Department of State, the Data Protection Review Court, the Office of the Director of National Intelligence, NGOs and think-tanks.

UK privacy reform: According to govinfosecurity.com, the Information Commissioner has assured UK lawmakers considering changes to the country’s national privacy legislation that they will not jeopardise the adequacy decision agreed with the EU in 2021. The Data Protection and Digital Information Bill was once again proposed this spring by the Conservative government as a more pro-innovation and less bureaucratic alternative to the GDPR. External observers, however, are less certain, citing rulings by the ECHR that British mass intelligence collection infringed the right to private communications.

Supporting documents assessing the impact of the Data Protection and Digital Information Bill can be seen here.

Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts
https://techgdpr.com/blog/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt/ (published Mon, 28 Mar 2022)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: new EU-US data transfer deal, Digital Markets Act, China’s algorithmic rules

The EU and US have announced a new preliminary data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two previous agreements over America’s governmental surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US will need to prepare its executive order, and the EU must then complete internal consultation within the Commission and the EDPB. So far the White House has released a fact sheet on the new deal, which addresses the CJEU ‘Schrems II’ decision concerning US law governing signals intelligence activities:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

Earlier last week, EU privacy experts raised concerns over the lack of detail in the deal. Austrian privacy activist Max Schrems, who started a long-running dispute with Meta/Facebook (resulting in the invalidation of the EU-US Privacy Shield data transfer framework), stated: “The final text will need more time, once this arrives we will analyze it in-depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it.” The legal stance over transatlantic data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as Google Analytics, Google Fonts and Stripe, along with long-standing and multilayered complaints against Meta/Facebook, TechCrunch sums up.

Meanwhile, sweeping new digital rules targeting US tech giants will likely come into force in October, EU antitrust chief Margrethe Vestager said. The rules, proposed a year ago in the Digital Markets Act, set out a list of dos and don’ts for Amazon, Apple, Meta, Google, Microsoft and others. Fines for violations will reportedly range from 10% of a company’s annual global turnover to 20% for repeat offenders, who could also face an acquisition ban. Companies designated as online gatekeepers (intermediation services, social networks, search engines, operating systems, advertising services, cloud computing, video-sharing services, web browsers and virtual assistants), which control access to their platforms and the data generated there, will have six months to comply with the new rules.

In China, the provisions on the administration of algorithmic recommendations in Internet information services became effective in March, the Chinalawupdate blog reports. They apply to the use of any algorithmic technology, including without limitation generation and synthesis, individualised push, sorting and selection, searching and filtering, and scheduling and decision-making, to provide information to users. Among many provisions, they require:

  • algorithmic system and mechanism review, science and technology ethics review,
  • user registration, information release review, data security protection,
  • anti-telecom network fraud, security evaluation, monitoring, and incident emergency plan,
  • informing users about its provision of algorithmic recommendation service, and notifying the public, in an appropriate manner, of the basic principles, the purpose and intention, and the main operation mechanism, 
  • providing users with options that are not customized based on the users’ individual characteristics, or the option to conveniently close the algorithmic recommendation service, etc.

Official guidance: workplace monitoring

The Norwegian data protection authority Datatilsynet has issued workplace monitoring guidance (in Norwegian). Such activities must take into account important data protection criteria, such as providing information about the processing to jobseekers and employees, facilitating data subject rights, deleting information when it is no longer necessary, and having satisfactory information security and internal control of data. In one of the examples, automatic forwarding of e-mails is considered continuous monitoring of the employee’s use of electronic equipment and is not allowed. Monitoring of an employee’s use of electronic equipment is prohibited and may only exceptionally take place if the purpose is to administer the company’s computer network or to detect or resolve security breaches in the network. The guide also contains provisions on background checks during recruitment, access to e-mail and other electronically stored materials, and camera surveillance in the workplace.

Data breaches and enforcement actions: online retailer, third party provider, school’s trade union, insurance company

CafePress, an American online retailer of stock and user-customised on-demand products, is to pay half a million dollars for FTC violations, DLA Piper reports. The online platform failed to secure consumers’ sensitive personal data collected through its website and covered up a major breach. This included:

  • Storing personal information in clear, readable text.
  • Maintaining lax password policies that allowed, for example, users to select the same word, including common dictionary words, as both the password and user ID.
  • Failing to log sufficient information to adequately assess cybersecurity events.
  • Failing to comply with existing written security policies.
  • Failing to implement patch policies and procedures.
  • Storing personal information indefinitely without a business need to do so, etc.

In 2019, a major data breach exposed millions of email addresses and passwords, physical addresses, security questions and answers, as well as a smaller number of social security numbers, partial payment card numbers and expiration dates from customer accounts. This information was later discovered for sale on the dark web. The company patched the vulnerability but allegedly failed to properly investigate the breach or notify the affected customers. Read more analysis of the case in the Workplace Privacy Report article.
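Two of the failures in the list above, a password policy that lets the user ID (or a dictionary word) serve as the password and credential storage in readable form, are easy to test for in code. The following is an added illustration, not CafePress's system and not the remediation the FTC ordered: the policy check, the word list, the account names and the scrypt parameters are all constructed for the example.

```python
"""Password-policy enforcement and salted credential hashing (illustrative example).

Added example, not code from CafePress, the FTC or this page. COMMON_WORDS is a
constructed stand-in for a real breached-password list; MIN_LENGTH and the scrypt
cost parameters are assumptions for the example.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed stand-in for a breached-password / dictionary list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "cafepress"}
MIN_LENGTH = 12
TRAILING = "0123456789!@#$%^&*."


def check_password_policy(user_id: str, password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    pw = password.lower()
    uid = user_id.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw == uid:
        problems.append("password is the same as the user ID")
    elif len(uid) >= 4 and uid in pw:
        problems.append("password contains the user ID")
    # Strip a trailing run of digits/symbols so 'Password1!' is judged as 'password'.
    stem = pw.rstrip(TRAILING)
    if pw in COMMON_WORDS or stem in COMMON_WORDS:
        problems.append("password is a common dictionary word (possibly with a suffix)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a stored credential with scrypt and a per-user random salt.

    Only this string is persisted; the password itself is never written, so a
    database dump does not hand an attacker reusable credentials.
    """
    salt = salt if salt is not None else os.urandom(16)
    n, r, p = 2 ** 14, 8, 1  # assumed cost parameters for the example
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported credential format")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(user_id: str, password: str) -> dict:
    """Enforce the policy, then return the record that would be stored for the account."""
    problems = check_password_policy(user_id, password)
    if problems:
        raise ValueError("; ".join(problems))
    return {"user_id": user_id, "credential": hash_password(password)}


if __name__ == "__main__":
    print(check_password_policy("alice", "alice"))        # rejected: same as user ID
    print(check_password_policy("alice", "Password1!"))   # rejected: short, dictionary word
    record = register("alice", "correct horse battery staple")
    print(record["credential"][:24] + "...")
    print(verify_password("correct horse battery staple", record["credential"]))
```

The check is deliberately case-insensitive and strips a trailing suffix before the dictionary lookup, because "Password1!" is what users type when a naive rule asks for a digit and a symbol. The stored string carries its own salt and cost parameters, so the parameters can be raised later without invalidating existing accounts.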

The US authentication firm Okta has admitted that hundreds of customers may have been impacted by a prolific hacking group's attack via a third-party provider, Infosecurity Magazine reports. The ransom group Lapsus shared screenshots in January which purportedly showed "superuser" access to an internal Okta desktop. The attackers did have access to a third-party support engineer's laptop for a five-day window. Okta initially said the matter with the sub-contractor had been investigated and contained, BBC reports. So far, none of Okta's clients, such as Cloudflare, FedEx and Thanet, has reported any issues.

Cyprus's data protection commissioner fined the English School 4,000 euros for failure to implement sufficient technical and organisational security measures to prevent a data breach, Data Guidance reports. The investigation concerned the unauthorised access to and use of the email addresses of students' parents and guardians by the school's staff union, ESSA. In particular, a school professor who was also the president of ESSA sent an email to all parents/guardians and to the staff for purposes other than those for which the email addresses had originally been collected, without the parents/guardians being informed of such use. The regulator ruled that, irrespective of the responsibility of the school professor and ESSA, the school as data controller had not applied sufficient security measures under Art. 32 of the GDPR. ESSA, as a joint controller, was also fined 5,000 euros.

The Icelandic data protection authority ruled in a case about an insurance company's processing of personal data following a claim for compensation. The complaint concerned the insurance company's disclosure of the complainant's personal data to an expert who prepared a report on the speed and impact of a traffic incident the complainant had been involved in, and the company's subsequent use of that report when assessing the claim for compensation against it. The complainant argued that the insurance company was not authorised to arrange the further use of the report data and had neither informed the individuals concerned nor obtained their consent. The data protection authority concluded that the processing itself was in accordance with the law, based in particular on a contract with the expert (Art. 28 of the GDPR). However, since the complainant had not been informed about the transfer of the data to the expert and its processing, the regulator found that the company did not comply with its information and transparency obligations (Art. 13 of the GDPR).

Data security: pseudonymisation in the health sector

The European Union Agency for Cybersecurity (ENISA) has published guidance on deploying pseudonymisation techniques in the health sector. From a cybersecurity point of view, the confidentiality, integrity and availability of medical data and the relevant infrastructure are essential to providing timely, appropriate and uninterrupted medical care. This is also reflected in the NIS Directive, which lists the health sector among operators of essential services and calls for minimum security requirements ensuring a level of security appropriate to the risks presented. Furthermore, the GDPR distinguishes data concerning health as a special category of data in Art. 9 and sets out additional requirements and stricter obligations for processing and protecting such data. Lastly, the Medical Devices Regulation imposes requirements regarding the safety, quality and security of medical devices in order to achieve a high common level of safety. Case studies in the report include:

  • exchanging patients' health data,
  • clinical trials,
  • patient-sourced monitoring of health data.
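To make the technique concrete, the following is an added example, not code from the ENISA report or this page. It shows two generic pseudonymisation methods applied to constructed patient records: a keyed hash (HMAC) that keeps one patient's records linkable within a dataset while giving each recipient an unrelated pseudonym, and a counter-based pseudonym whose re-identification table stays with the controller. The record fields, identifiers and keys are invented for the example; whether and how the report itself recommends these methods is not quoted here.

```python
"""Pseudonymising patient identifiers: keyed hash vs counter with a lookup table.

Added illustrative example, not ENISA's code. RECORDS, the key and the domain
strings are constructed; the birth-year generalisation is an assumption about
what a controller would do alongside pseudonymisation, not a quotation.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample records (fictional identifiers, not real patients).
RECORDS = [
    {"patient_id": "PID-4816-2200", "dob": "1961-03-09", "hba1c": 7.9},
    {"patient_id": "PID-1029-7755", "dob": "1988-11-30", "hba1c": 5.4},
    {"patient_id": "PID-4816-2200", "dob": "1961-03-09", "hba1c": 7.2},  # later visit
]


def hmac_pseudonym(identifier: str, key: bytes, domain: str) -> str:
    """Keyed-hash pseudonym (HMAC-SHA256 truncated to 128 bits).

    Same identifier, key and domain -> same pseudonym, so a patient's records stay
    linkable inside one dataset. A different domain (e.g. one per recipient) gives an
    unrelated pseudonym, so two recipients cannot join their datasets on it. Without
    the key the value cannot be reversed by hashing guessed identifiers, which is the
    weakness of an unkeyed SHA-256 over a small, structured ID space.
    """
    mac = hmac.new(key, f"{domain}:{identifier}".encode("utf-8"), hashlib.sha256).digest()
    return mac[:16].hex()


def pseudonymise_records(records: List[Dict], key: bytes, domain: str) -> List[Dict]:
    """Replace the direct identifier and coarsen the quasi-identifier (DOB -> year).

    Pseudonymising the ID alone leaves a full date of birth that can still single out
    a patient in a small cohort; generalising it is a separate, deliberate step.
    """
    return [
        {
            "pseudonym": hmac_pseudonym(rec["patient_id"], key, domain),
            "birth_year": rec["dob"][:4],
            "hba1c": rec["hba1c"],
        }
        for rec in records
    ]


class CounterPseudonymiser:
    """Counter-based pseudonyms with a re-identification table.

    The pseudonym carries no information about the identifier; the table itself is
    the secret and stays with the controller (access-controlled and logged), never
    with the recipient of the pseudonymised data.
    """

    def __init__(self, prefix: str = "P") -> None:
        self._prefix = prefix
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        if identifier not in self._forward:
            pseudonym = f"{self._prefix}{len(self._forward) + 1:06d}"
            self._forward[identifier] = pseudonym
            self._reverse[pseudonym] = identifier
        return self._forward[identifier]

    def reidentify(self, pseudonym: str) -> str:
        """Controller-side lookup, e.g. to recontact a patient about a trial finding."""
        return self._reverse[pseudonym]


def leaks_identifier(output: List[Dict], original: List[Dict]) -> bool:
    """True if any original patient_id survives anywhere in the output records."""
    ids = {r["patient_id"] for r in original}
    return any(pid in str(rec) for rec in output for pid in ids)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # one secret key per pseudonymisation purpose
    for rec in pseudonymise_records(RECORDS, key, "research-site-A"):
        print(rec)
    ctr = CounterPseudonymiser()
    print(ctr.pseudonymise("PID-4816-2200"), ctr.reidentify("P000001"))
```

The two methods trade off differently: the HMAC needs only a key to be kept secret and scales to any number of sources, but anyone holding the key can recompute pseudonyms from known identifiers; the counter reveals nothing even to someone who learns the scheme, but the whole mapping table must be stored, backed up and protected as sensitive data in its own right.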

Big Tech: data brokers, smartphone health monitoring, China’s crackdown on Bing algorithms

The legal implications of personal data usage by the data brokerage industry have been analysed by the Guardian. A new lawsuit reportedly involves two companies in this vast network: X-Mode, a data broker, and NybSys, one of X-Mode's customers. The lawsuit claims that people's exact location data, rather than a summary or analysis of that information, was sold on through a chain of industry players without X-Mode's knowledge or permission. Data brokers collect personal data from a variety of sources, including social media, public records and other commercial sources or companies. These firms then sell that raw data, or inferences and analysis based on it, such as a user's purchase and demographic information, to other companies, like researchers or advertisers.

Google wants to use smartphones to monitor health, saying it would test whether capturing heart sounds and eyeball images could help people identify issues from home, Reuters reports. The company is investigating whether a smartphone's built-in microphone can detect heartbeats and murmurs when placed over the chest, allowing early detection of heart valve disorders and similar conditions. Google also plans to test whether its artificial intelligence software can analyse ultrasound screenings taken by less-skilled technicians, as long as they follow a set pattern.

Microsoft's Bing, the only major foreign search engine available in China, said a government agency has required it to suspend its auto-suggest function in the country for a week, Reuters reports. It is the second such case for Bing since December, and comes amid Beijing's ongoing crackdown on technology platforms and algorithms. Since August, China's top cybersecurity authorities have published draft rules dictating how internet platforms can and cannot make use of algorithms. These came into effect this month.

The post Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts appeared first on TechGDPR.

]]>