sensitive data Archives - TechGDPR
https://techgdpr.com/blog/tag/sensitive-data/

Password security: how strong passwords work and the tools to simplify
https://techgdpr.com/blog/password-security-strong-passwords-tools/
Tue, 31 Dec 2024 11:02:10 +0000

The post Password security: how strong passwords work and the tools to simplify appeared first on TechGDPR.

Despite there being means of visualizing one’s password security and its strength, it is not immediately clear how password strength works or where the fine line lies between a random, unpredictable password and an easy-to-guess one. What if there were a way for the average person to understand where that line resides? Password strength is the basis for protecting sensitive data, ensuring regulatory compliance and maintaining trust. With growing reliance on online systems and fast-rising threats, reliable password practices are necessary. Weak and compromised passwords create loopholes for cybercriminals, and the ensuing loss of confidentiality leads to data breaches.

Exploring key aspects of password security involves evaluating password strength to resist brute force attacks and using password managers for secure and unique passwords. It also includes leveraging multi-factor authentication (MFA) to enhance protection and recognizing the risks of using browser-suggested passwords and potential vulnerabilities if the browser or device gets compromised.

How secure is my password?

One of the ways to assess the strength of a password is through entropy. Entropy measures password complexity by assessing its randomness, indicating how unpredictable and difficult it is for attackers to guess. Higher entropy, or more randomness, in layman’s terms means a more secure password. Factors that contribute to higher password entropy include:

  • Length: Longer passwords are generally harder to crack.
  • Complexity: Including a mix of uppercase and lowercase letters, numbers, and symbols.
  • Unpredictability: Avoiding predictable patterns like common words and phrases.

For anyone curious about how secure their password is, this Password Entropy Calculator helps an individual understand password strength and evaluate their own passwords. A secure password should have high entropy, which makes it resistant to brute-force attacks, where attackers systematically try every possible combination of passwords or keys until they find the correct one.
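As an added illustration of the entropy idea described above (this is example code, not the article’s own calculator), the following Python estimates naive entropy from length and character pool, then adjusts it for the unpredictability factor using a small constructed common-password list; the strength thresholds and the 10^10 guesses-per-second rate are assumptions.

```python
import math
import string

# Constructed stand-in for a breached-password wordlist (a real check would
# use a list of millions of leaked passwords); this small set is an assumption.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou", "monkey",
}


def charset_size(password: str) -> int:
    """Size of the character pool implied by the classes the password uses.

    This is the usual entropy-calculator convention: the attacker is assumed to
    brute-force every string drawn from the character classes actually present.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    # Characters outside these classes (e.g. non-Latin scripts) still count:
    # never let the pool be smaller than the number of distinct characters seen.
    return max(pool, len(set(password)))


def password_entropy_bits(password: str) -> float:
    """Naive entropy: length * log2(pool). Rewards both length and complexity."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def effective_entropy_bits(password: str, common=COMMON_PASSWORDS) -> float:
    """Entropy adjusted for unpredictability.

    A password on a common-password list falls to a dictionary attack after at
    most len(common) guesses, so its effective entropy is log2(len(common))
    no matter how well the naive formula scores it.
    """
    if password.lower() in common:
        return math.log2(len(common))
    return password_entropy_bits(password)


def strength_label(bits: float) -> str:
    """Coarse buckets; the thresholds are an assumption, not a standard."""
    if bits < 28:
        return "very weak"
    if bits < 36:
        return "weak"
    if bits < 60:
        return "reasonable"
    if bits < 128:
        return "strong"
    return "very strong"


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        naive = password_entropy_bits(pw)
        eff = effective_entropy_bits(pw)
        print(f"{pw!r}: naive {naive:.1f} bits, effective {eff:.1f} bits "
              f"({strength_label(eff)}, ~{years_to_exhaust(eff):.2e} years to exhaust)")
```

Note how "password" scores about 38 bits on length and pool alone but only 3 bits once its presence on a common-password list is taken into account, which is why the unpredictability factor matters as much as length and complexity.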

How do password managers enhance security?

According to the German Federal Office for Information Security (BSI), using a password manager is one of the most effective ways to securely store and manage passwords. Following such guidance ensures that the strategies outlined here are both robust and reliable, offering a trusted framework for enhancing password security. Password managers are powerful tools for improving both password security and convenience. They securely store and manage passwords, making it easy to use complex, unique credentials for each account. This enhances security by reducing the risk of weak or reused passwords, and it simplifies the online experience by eliminating the need to remember multiple passwords. Password managers enhance security by:

  • Generating strong passwords: Password managers create random, complex passwords that are nearly impossible to crack.
  • Secure storage: Passwords are encrypted and stored securely, reducing the risk of exposure.
  • Unique passwords for every account: Using a unique password for each account limits the damage if one account is compromised (for instance, if logging into a service over public WiFi lets a third party intercept an individual’s credentials).
  • Automatic filling: Password managers can auto-fill login credentials, reducing the risk of phishing because the manager only fills credentials on the legitimate site they were saved for.

There are many popular password managers that offer both free and premium versions to suit individual or organizational needs. Organizational password management needs often focus on collaboration, centralized control, and compliance with security policies, requiring features like shared vaults, role-based access, and audit trails. In contrast, individual users prioritize personal security, ease of use, and cross-device synchronization to protect their accounts.

How Multi-factor Authentication (MFA) adds an extra layer of security

While strong passwords are essential, they are not sufficient on their own. The European Union has emphasised how MFA protects consumers’ sensitive data, enhances operational resilience, and mitigates cybersecurity risks. Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to access an account. These factors typically combine at least two of the following:

  • Something you know: A password or PIN.
  • Something you have (physically): A smartphone, hardware token, or security key.
  • Something you are: Biometric data, such as fingerprints or facial biometrics.
  • Somewhere you are: The login location matches the expected location (for example, a VPN).

MFA significantly reduces the risk of unauthorized access, even if a password is compromised. According to Microsoft, MFA can prevent 99.9% of account compromise attacks, making it a crucial component of any security strategy. 

Password security and compliance

Many industries are subject to regulations that require strong password security to protect sensitive data, including:

  • The General Data Protection Regulation (GDPR): Mandates the protection of personal data for EU residents.
  • The Payment Card Industry Data Security Standard (PCI DSS): Requires strong password policies for organizations handling credit card data.
  • Health Insurance Portability and Accountability Act (HIPAA): Enforces password security to safeguard patient information.

Failure to comply with these regulations can result in huge fines and legal consequences. Implementing best practices for password security is not just a matter of good protection; it is a compliance necessity.

Are browser-suggested passwords safe?

They are generally safe and convenient: modern web browsers like Chrome, Firefox, and Safari include built-in password managers that suggest and store passwords using encrypted storage and well-tested algorithms. Still, there are some risks to consider.

  • Limited security features: Browser-based password managers may not offer the same level of encryption and security as dedicated password manager apps.
  • Device dependency: If a device is compromised or lost, the stored passwords may be at risk, especially if the device lacks proper security controls.
  • Synchronization risks: Passwords synced across devices via a cloud service are exposed if an attacker compromises the cloud account.
  • Phishing vulnerability: Phishing websites that clone legitimate sites can try to exploit auto-fill features.

When choosing to use browser-suggested passwords, ensure an up-to-date browser, use strong device security, and consider enabling MFA for cloud accounts.

Conclusion

Password security is a staple of digital safety and regulatory compliance. Creating strong, unique passwords, using password managers, and enabling multi-factor authentication help individuals and organizations reduce unauthorized access and breaches.

While browser-suggested passwords offer convenience, understanding their limitations and risks is essential. Ultimately, a proactive approach to password security can protect an individual’s data, ensure compliance, and build trust with customers.

Feel free to reach out to TechGDPR for any clarification of technical compliance needs.

Data protection digest 3 – 16 Aug 2024: data labelling for LLMs, third-party cookies as a cause of leaks
https://techgdpr.com/blog/data-protection-digest-19082024-data-labelling-for-llms-third-party-cookies-as-a-cause-of-leaks/
Mon, 19 Aug 2024 09:53:01 +0000

The post Data protection digest 3 – 16 Aug 2024: data labelling for LLMs, third-party cookies as a cause of leaks appeared first on TechGDPR.

In this issue: X’s AI Grok training suspended in the EU, third-party cookies may lead to data breaches, Uniqlo ‘payroll’ mistake, car rental refusal based on client’s income, and AI non-transparency – data scraping, maximisation, risks of regurgitation, and what is behind data labelling for the LLM industry.

LLMs, data labelling and data protection

A fundamental principle of data protection law is data minimisation. Privacy International (PI), however, insists that LLMs are being trained through indiscriminate data scraping and generally take a maximising approach to data collection. Under data protection laws, individuals have the right to assert control over data related to them. However, LLMs are unable to adequately uphold these rights, as the information is held within the parameters of a model in addition to a more traditional form, such as a database. ‘Regurgitation’ can also lead to personal data being spat out by LLMs: because training data is enmeshed in LLM algorithms, it can be extracted (or regurgitated) by feeding in the right prompts.

PI also investigated digital labour platforms that have arisen to supply data labelling for LLM training. This involves training an AI model against a labelled dataset, supplemented by reinforcement learning from human feedback. For example, data labellers mark raw data points (images, text, sensor data, etc.) with ‘labels’ that help the AI model make crucial decisions, such as enabling an autonomous vehicle to distinguish a pedestrian from a cyclist. It appeared that many such labellers can be completely disconnected from the AI developers, and are often not informed about who or what they are labelling raw datasets for. They are also subject to algorithmic surveillance and unreliable job stability.

Third-party cookies as a cause of data breaches

JDSupra legal insights look at the disclosure of data through website cookies, which may facilitate a data breach in California. In the related court case, the plaintiff claimed that an online counselling service, where website users can find and seek therapy, violated the California Consumer Privacy Act by allowing tracking software to retarget website users with ads. The court refused to dismiss the data breach claim. Specifically, the simple fact that a user visited the website may qualify as sensitive information, because such a visit could mean they were seeking therapy.

Concerning whether using retargeting cookies is inherently illegal, the court refrained from rendering a decision.

US Child privacy bill

On 30 July, the Kids Online Safety and Privacy Act was passed by the Senate. KOSPA is a variation of two previously proposed bills: the Kids Online Safety Act (KOSA) and the amended Child Online Privacy Protection Act (COPPA 2.0). The act applies to digital platforms, particularly those with more than 10 million monthly active users. The duty of care includes options for minors to protect their data, a prohibition on the use of dark patterns, transparency regarding the use of opaque algorithms, etc. KOSPA now heads to the House, where it will be debated over potential censorship and the possibility of minors lacking access to vital information.

Oncological oblivion

The Italian data protection authority Garante looks at “the right to be forgotten” in oncology, and whether banks, insurance companies, credit bodies, and employers can ask for information on the oncological pathology of an individual in a remission stage. Also, can a clinically recovered person adopt a child? These and other questions are answered in the FAQs published by the regulator, (in Italian). The aim is to prevent discrimination and protect the rights of people who have recovered from oncological diseases.

Chatbots and customer data

Employees sharing patient or consumer personal information with an AI chatbot have led to reports of data leaks to the Dutch Data Protection Authority (AP). Most chatbot developers store all data entered. Organisations must make clear agreements with their employees about the use of AI chatbots. They could also arrange with the chatbot provider that it does not store the entered data.

More official guidance

Avoiding outages and system failures: The US Federal Trade Commission insists that many common types of software flaws can be preemptively addressed through systematic and well-known processes that minimise the likelihood of outages. This includes rigorous testing of both code and configuration, and incremental rollout procedures. For instance, when deploying changes to automatically updating software, vendors could initially deploy to a small subset of machines, and then roll out to more users once the smaller subset is confirmed to have continued functioning without interruption.


Surveys at schools: The Latvian data protection authority examines whether a teacher can ask students to complete surveys. The educational process has long extended beyond learning the subject to the psychological state of the child too. Answers given in student surveys can be divided into standard, personalised or anonymous forms. However, children are often not able to assess how much private information to give to others. Thus, security requirements, such as data non-disclosure and storage limitations, must be applied in most cases.

Additional parental consent should be required if the surveys are only indirectly related to the organisation of the learning process.

AI systems transparency: The German Federal Office for Information Security (BSI) published a white paper on the “Transparency of AI systems”. It says that the increasing complexity of AI “black box” systems, as well as missing or inadequate information about them, makes it difficult to make an assessment or to judge the trustworthiness of their outputs. The paper defines the term transparency for various stakeholders, from users to developers, and discusses the opportunities and risks of transparent AI systems, both positive (promoting safety, data protection, avoiding copyright infringements) and negative (the possible disclosure of attack vectors).

Uniqlo ‘payroll’ mistake


The Spanish regulator imposed a fine of 450,000 euros, (reduced to 270,000 euros), on the UNIQLO branch in Spain, DataGuidance reports. The complainant, who provided services to UNIQLO, requested their payroll data and received an email containing a PDF document with payroll information on the entire 446-strong workforce. The document contained names, surnames, social security, bank account numbers, and more.

The breach was caused by a human error within the human resources department, but the employee in question had not informed their superior. The regulator confirmed that the negligent action of the employee does not exempt the data controller from liability.

Healthcare IT provider fine

The UK Information Commissioner’s Office has provisionally decided to fine Advanced Computer Software Group 6.09 million pounds. It provides IT and software services to the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor. The decision relates to a ransomware incident in 2022, when hackers accessed several of Advanced’s health and care systems (holding the personal information of 82,946 people) via a customer account that did not have multi-factor authentication.

More enforcement decisions

Car rental and client’s income: The Italian Garante imposed a one million euro fine on Credit Agricole Auto Bank for the illicit processing of personal and income data of customers who requested financing for the long-term rental of a car. The bank accessed the centralised fraud prevention system, also on behalf of its subsidiary, a car leasing company, despite it not having the necessary authorisation from the Ministry of Finance. 

The complainant contacted the bank to know the reasons behind the denial of the long-term rental and the inclusion of their name on a credit risk list. The bank stated these were due to the client’s negative income situation. Furthermore, the bank did not first acquire the client’s tax return form, an essential document for making a comparison with the information contained in the database. 

Dark patterns in the gambling industry: The Guernsey privacy regulator reviewed 19 online gaming sites for indicators of deceptive designs. In 42% of cases, the analysis was unable to find the website or app’s privacy settings, (in most cases those found were unnecessarily lengthy and complex). Also, it was more difficult to delete an account than it was to create one. In one of the instances, a user made their account deletion request through an on-site chatbot, as they were unable to find the ‘delete account’ option on the site. In another case, the organisation asked that a form be completed and returned to them, along with identity verification documents. Neither the documents nor the form were required to create an account. 

Data security

Lack of encryption: The Danish regulator has reprimanded the Vejen Municipality for insufficient security measures. Three stolen computers with information about children were not encrypted – and the same turned out to be the case with up to 300 other computers in the municipality. The computers were only intended for use by teachers as part of the teaching process. In practice, however, they were also used by teachers to make status descriptions of students, class handovers, etc. The regulator also issued a reminder that encryption of portable devices is a very basic security measure which is relatively easy and not very costly to implement.

GPS tracking: A court in Slovenia confirmed the decision of the Information Commissioner to restrict the use of GPS tracking of company vehicles, on a systematic, automated and continuous basis. The company did not demonstrate that such GPS tracking is a suitable and necessary measure for the protection of company vehicles and the equipment and documentation contained in them, nor to ensure employee safety or for the enforcement of potential legal claims and defence against them. 

Among other things, the court confirmed that the data obtained by the operator through the GPS tracking of company vehicles constitutes employees’ data, even though it is not recorded and stored in the tracking system itself, as the employees as drivers can be identified with the help of other documents, (eg, travel orders).

AI Grok

X agreed with the Irish Data Protection Commission to suspend the processing of the personal data contained in the public posts of X’s EU/EEA users, (processed between 7 May and 1 August), to train its AI ‘Grok’. The suspension will last while the DPC examines, together with other regulators, the extent to which the processing complies with the GDPR. The agreement was reached after the regulator submitted the case to the country’s Supreme Court.

In June, Meta also agreed with the DPC that it would delay processing EU/EEA user data for its AI tools. However, unlike Meta, X didn’t even notify its users beforehand. To make sure that X’s AI training is properly handled, the privacy advocacy group NOYB has now filed complaints with the data protection authorities in nine countries, (questioning what happened to EU data that had already been ingested into the systems, and how X can effectively distinguish between EU and non-EU data).

Data protection & privacy digest 27 Sept – 11 Oct 2022: New EU-US data privacy framework is now under EU legislators’ microscope
https://techgdpr.com/blog/data-protection-digest-12102022-new-eu-us-data-privacy-framework-is-now-under-eu-legislators-microscope/
Wed, 12 Oct 2022 07:48:57 +0000

The post Data protection & privacy digest 27 Sept – 11 Oct 2022: New EU-US data privacy framework is now under EU legislators’ microscope appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US adequacy procedures, non-material damage in the GDPR, Colorado draft privacy law, Andorra data protection regime

On 7 October, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Along with the Regulations issued by the Attorney General, it implements into US law the agreement in principle (the EU-US data privacy framework) announced in March. The document introduces new binding safeguards to address all the points raised by the CJEU, limiting access to EU data by US intelligence services, enabling EU individuals to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’, and to appeal under a ‘Data Protection Review Court’. In parallel, the UK and US are also looking ahead to concluding a data adequacy agreement following Biden’s order. The European Commission will now prepare a draft adequacy decision in several steps: obtaining an opinion from the EDPB, and approval from an EU Member State committee. In addition, the European Parliament has a right of scrutiny for adequacy decisions. European Commissioner for Justice Didier Reynders is sure there will be a fresh legal challenge, but he is confident that the pact meets the court’s demands. However, in the opinion of the NOYB privacy campaigners, there is no indication that US mass surveillance will change in practice.

The European Council gave final approval to protect users’ rights online – the Digital Services Act. It defines clear responsibilities and accountability for providers of intermediary services, such as social media, online marketplaces, very large online platforms, and very large online search engines. The rules are designed asymmetrically, so larger intermediary services are subject to stricter rules. Among many measures, it imposes certain limits on the use of sensitive personal data for targeted ads, including age, gender, race, and religion; it bans misleading interfaces known as ‘dark patterns’, and offers users a system for recommending content that is not based on profiling. After being published in the Official Journal of the European Union, the law will apply in fifteen months.

A CJEU Advocate General issued a non-binding opinion on non-material damage resulting from unlawful processing of data, conditions for the right to compensation, and establishing damage above a certain threshold of seriousness. The Austrian supreme court referred the above questions for clarification to the EU’s top court as the GDPR grants any person who has suffered material or non-material damage due to an infringement of its provisions the right to receive compensation from the data controller or processor. According to the opinion:

  • A mere infringement of a provision is insufficient if that infringement is not accompanied by relevant material or non-material damage for a person.
  • The compensation for non-material damage provided for in the regulation does not cover the upset that the person concerned may feel due to the infringement.
  • It is for national courts to determine when, owing to their characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage. Find more contextual and teleological considerations of data subjects’ powers over their data in the original text.

Meanwhile, in the US, the state of Colorado published Privacy Act Draft Rules. They concentrate, among many provisions, on consumer-facing compliance (disclosures, handling requests, and opt-out mechanisms), handling sensitive data, data minimisation and purpose limitation, data protection impact assessments, and restrictions related to profiling. The rules are not yet finalised and do not contain very strict language. The act does not go into effect until July 1, 2023, with input due from several stakeholders and a public hearing.

Finally, Andorra approved two decrees regulating the protection of personal data and the supervisory authority. The first regulation integrates all the necessary regulatory provisions into the country’s daily life. The intention is to provide legal security to those responsible for data processing, (administrations, private entities, companies, associations, etc.). In addition, everyone has six months to adapt their processes to this new text. The second document configures the Andorran Data Protection Agency as a public body with its own legal identity, independent and with full capacity to act, along with its composition, functions, inspection capacity, penalty, and other main activities. 

Official guidance: public collections of support signatures, subject access requests, financial crimes, background checks, health data warehouses

The Slovenian data protection commissioner issued a reminder of the rules for protecting personal data in the public collection of support signatures. Organisers must ensure adequate security of personal data, (eg, against loss), and when collecting their data, also provide individuals with information on Art. 13 of the GDPR. The individual must therefore receive at least information about the controller, (who collects personal data), the purpose and legal basis for collecting personal data, their rights, and legal protection. Even if the collection of personal data is determined by law, (eg, in referendums), the signature collector must still provide information about the processing of personal data at the moment the data is obtained.

The UK data regulator the ICO has laid out the basics of data subject access requests. Everyone has the right to ask an organisation whether or not they are using or storing their personal information. You can also ask for copies of your personal information, verbally or in writing. The ICO deals with over 35,000 complaints from individuals every year, the vast majority of which are to do with the rules and obligations around accessing personal data: information rights requests taking too long, no one to contact, questions not being answered, incomplete or unsatisfactory responses, lack of trust in what people are being told, or lack of understanding leading to information being perceived as unclear or unhelpful. Thus the main rules for organisations to get access requests right are:

  • Find out what your customer wants exactly, and ask them to provide additional details – such as the context in which information may have been processed and likely dates when processing occurred – to help you locate the requested information.
  • If you cannot meet the deadline for individual rights requests, tell them.
  • If you’re dealing with a complex or particularly large request, explain that you’ll send out information in batches and provide a timeframe for this.
  • Explain exemptions, and redactions, if they apply.
  • Keep a record of your decision so that you can share it with the supervisory authority.
  • Explain legal provisions that someone will understand.
  • Keep your privacy policy up to date and ensure it’s accessible and easy to understand.

The EDPS reminded organisations of the meaning of the US CLOUD Act, which may conflict with the GDPR. The federal law, which came into force in 2018, allows the US government, with a court order, to access electronically stored communication data held by a private entity subject to US law (e.g. through a direct or indirect corporate link) but located overseas, provided that the data is relevant to an ongoing criminal investigation. As a result, the EDPS reconfirms the importance of seeking alternative services, such as cloud and web services based in the EU, to ensure that personal data is processed according to EU law.

Sweden’s privacy regulator IMY has allowed a bank to handle personal data relating to violations of the law in cases of money laundering and the financing of terrorism when there is no legal support for the processing. Such control may be necessary for a bank to prevent a customer whose customer relationship has been terminated in one branch from being able to turn to another one within the group. Private companies must apply for permission from IMY for such processing to be allowed. Similarly, the IMY gives companies that offer background checks permission to handle personal data related to legal violations in some instances, (eg, fraud and economic crime, tax crimes and embezzlement crimes, criminal violations of individual job seekers and consultants, and persons with senior positions or controlling influence in the business).

The French regulator CNIL published a “checklist” of compliance, (in French), for health data warehouses. It can be used by anyone wishing to set up a data warehouse in the health field. It goes through the various requirements in the form of statements that data controllers judge to be true, false, or not applicable. Any processing that does not comply with all the requirements defined by the repository must be the subject of specific authorisation from the CNIL before being implemented, (by using “declare a file” on the CNIL website). An action plan to bridge any gaps between the envisaged treatment and the requirements of the reference framework can thus be drawn up on this basis. 

Investigations and enforcement actions: one-stop-shop complaints, unlawfully communicated e-mail addresses and health data, predatory direct marketing, unreported data breach, and ethical hacking

The Irish data protection commission, (DPC), issued a report providing a detailed fact-based overview and statistical analysis of its handling of One-Stop-Shop complaints in the period May 2018 to end of 2021. The DPC has received almost 20,000 complaints since the GDPR came into force, and over 17,000 have been concluded. The report illustrates that:

  • 1,278 valid cross-border complaints were received by the DPC: 85% as lead supervisory authority, (LSA), and 15% as a concerned supervisory authority, (CSA).
  • The DPC handles 62% of cross-border complaints as the LSA, originally lodged with another supervisory authority and transferred to the DPC.
  • 73% of all cross-border complaints handled by the DPC as the LSA have been concluded.
  • Most cross-border complaints handled by the DPC as the LSA were resolved through amicable resolution in the complainant’s favour.
  • 87% of all cross-border complaints handled by the DPC as the LSA relate to just 10 data controllers.
  • 48% of complaints transferred by the DPC to other EU/EEA LSAs, (excluding the UK), have been concluded.

The Hungarian data protection authority NAIH issued a fine to the National Health Insurance Fund management after receiving an individual complaint. The fund’s website vaksinareg.neak.gov.hu had “published” the information that the complainant had registered for their Covid-19 vaccination: anyone knowing the person’s social security number and date of birth could confirm that their registration was valid. The complainant questioned why the fund did not, for example, send the query result only to the registered e-mail address. The fund management also failed to respond to the subject access request, (when and from which IP address the query was made), and failed in its cooperation obligations during the regulator’s inspection.

Meanwhile the Italian privacy regulator ‘Garante’ fined a US company, (Senseonics), 45,000 euros for violations of personal data in the use of its glucose monitoring system and for having unlawfully communicated e-mail addresses and health data of about 2000 Italian diabetic patients. The company notified the SA of a data breach due to an employee’s sending – as part of an information campaign – email messages with the recipients’ addresses in the ‘Cc’ field rather than in the ‘Bcc’ one. This enabled every recipient to view the other recipients’ email addresses. The messages contained ‘data disclosing health’; accordingly, they could only be disclosed to third parties based on the data subjects’ written authorisation or on other appropriate legal grounds. The inquiries by ‘Garante’ shed light on additional infringements caused by the glucose monitoring system being offered. After downloading the app, users were expected to accept, with a single click, the terms of use of the service jointly with the contents of the privacy policy. This prevented them from giving their consent separately to the individual processing operations including the processing of health-related data.
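The Cc/Bcc mistake in the Senseonics case is easy to catch before a message leaves the system. The following is an added example (not code from Garante, Senseonics, or this digest) that builds a bulk notification in both the faulty and the safe form and checks which recipient addresses would be readable by the other recipients. The addresses and campaign text are constructed sample values.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list; none of these addresses are real.
PATIENT_ADDRESSES = [
    "patient1@example.invalid",
    "patient2@example.invalid",
    "patient3@example.invalid",
]
SENDER = "campaign@example.invalid"  # hypothetical sender mailbox


def build_campaign_message(recipients, mode):
    """Build one bulk message and return (message, envelope_recipients).

    mode="cc"  reproduces the defect from the Garante case: every recipient is
               placed in the Cc header, so each of them sees all the others.
    mode="bcc" keeps the recipients out of the headers entirely; only the
               sender appears in To and the recipient list is handed to the
               mail transport as the SMTP envelope.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Information campaign"
    msg.set_content("Constructed campaign body; no health data here.")
    msg["To"] = SENDER
    if mode == "cc":
        msg["Cc"] = ", ".join(recipients)
    elif mode != "bcc":
        raise ValueError(f"unknown mode: {mode}")
    return msg, list(recipients)


def visible_recipients(msg):
    """Every address a recipient can read from the delivered headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def leaked_addresses(msg, recipients):
    """Recipient addresses exposed to the other recipients; empty means safe."""
    return visible_recipients(msg) & {r.lower() for r in recipients}


if __name__ == "__main__":
    for mode in ("cc", "bcc"):
        msg, envelope = build_campaign_message(PATIENT_ADDRESSES, mode)
        print(mode, "leaks:", sorted(leaked_addresses(msg, envelope)))
```

A pre-send check of this kind belongs in whatever tooling sends the campaign, not in the employee's mail client. Note that even a Bcc header must be stripped before transmission; `smtplib.SMTP.send_message` does this automatically, but code that serialises the message itself and hands it to a relay has to remove the header explicitly.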

The UK’s ICO has fined Easylife Ltd 1,350,000 pounds for using the personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent. The company was also fined 130,000 pounds for making 1,345,732 predatory direct marketing calls. The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products without their consent. If a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that the person had arthritis and then call them to market glucosamine joint patches.

The Spanish data protection authority AEPD decided to sanction BAYARD REVISTAS, after receiving a complaint, for insufficient risk analysis and technical and organisational measures, and for failing to notify a data breach. The complaining party informed the agency that they had received an email from the person in charge of the web portal, (for which BAYARD is the controller), informing them of unauthorised access to its database by a third party. According to the email, the location and contact data of the people who had provided their information through the website’s registration form were involved. The attack reportedly had not been carried out for malicious purposes, but with the intention of ethical hacking. The number of affected people matched the total number of users of the web portal, around 464,762. After the incident, the person in charge claimed to have fixed all the vulnerabilities that made the attack possible, implemented the protocols to follow in the event of a data protection incident, and adopted a series of measures, including the encryption of the stored information.

Data security: online accounts protection, “think before you click”

The UK National Cyber Security Centre, (NCSC), published tailored advice to support online retailers, hospitality providers, and utility services in protecting themselves and their customers from cybercriminals. The guidance encourages organisations to add an extra layer of security on top of passwords to authenticate customers. Organisations are also advised what steps to take if their brand has been spoofed online. Buyer authentication methods and malicious website takedown guidance are the latest additions to the advice package. The NCSC encourages the public and small businesses to adopt six behaviours to protect their online accounts and devices:

  • Use a strong and separate password for your email
  • Create strong passwords using 3 random words
  • Save your passwords in your browser
  • Turn on two-step verification
  • Update your devices and apps
  • Back up your data

“Think before you click” (#ThinkB4UClick). This is the message during the EU’s information security month, which falls in October every year. The Swedish data protection authority IMY repeats some tips for businesses on how they can protect their most important information. Reasonable security imposes costs, in time, money, and resources. It requires long-term and persistent work and ongoing prioritisation. Good security – whether it’s data and privacy protection, information security, or cyber security – is a central issue for top management. It usually requires collaboration between many roles and competencies:

  • Establish systematic security work – security testing.
  • Backup – a working backup can be your only salvation if the worst happens!
  • Use anti-malware software.
  • Keep systems and software in all equipment up to date, to reduce the risk of vulnerabilities being exploited.
  • Train the staff – on an ongoing basis – to maintain a high awareness of the risks.

Big Tech: Meta Ireland inquiry, Facebook and Google settlements, Equifax and Experian data practices, Uber’s former chief security officer’s criminal obstruction, Optus breach outcomes

The Irish data protection commission has submitted a draft decision in a large-scale inquiry into Meta Platforms Ireland Limited to other concerned EU supervisory authorities. An inquiry was opened in 2021 after media reports highlighted that a collated dataset of Facebook user personal data, approx. 533 million Facebook users worldwide, had been made available on the internet. The inquiry concerned the question of Meta’s compliance with its obligations under Art. 25 of the GDPR, (“data protection by design and by default”). Other concerned supervisory authorities have one month to review the draft decision.

Following a significant data breach at Optus, the nation’s second-largest mobile operator, Australia recommended a change of consumer privacy legislation to aid targeted data sharing between telecommunications companies and banks. With the new rules, telcos will be able to provide banks with government-issued identity cards so that banks may adopt improved monitoring for clients affected by data breaches. Through already-in-place industry reporting systems, such as fraud information exchanges, the proposed reforms will also enable enhanced fraud detection in the more significant financial services sector. Banks are supposed to erase the information they get when they no longer need it. They are only permitted to use it to prevent or address cybersecurity problems, fraud, scams, or identity theft. 

In a letter to the FTC that Reuters reviewed, the European Commission was encouraged to look into how data brokers like Equifax and Experian had accumulated payroll details about most Americans. To assist lenders, landlords, and hiring managers with background checks on potential candidates, businesses like Equifax have been acquiring employee employment histories and salary data from employers for decades. However, privacy campaigners claim that these sizable databases are prone to fraud and inaccuracy and that sometimes employees are shocked to learn that their information is included. According to Equifax, it abides by all legal requirements and encourages new voices in the sector.

Uber’s former chief security officer, Joe Sullivan, was found guilty of criminal obstruction for failing to report a 2016 cybersecurity incident to authorities. According to the Guardian, the case was being watched as an important precedent regarding the culpability of individual security staffers and executives when handling cybersecurity incidents. In 2018, Uber paid 148 million dollars to settle claims by all 50 US states and Washington DC that it was too slow to disclose the hacking. The case affected the data of 57 million passengers and drivers.

Finally, Meta and Google recently settled a couple of significant privacy actions in the US:

  • Illinois residents involved in a class-action lawsuit against Google will receive 154 dollars each as part of a 100 million dollar settlement. The class of roughly 420,000 people who brought the lawsuit argued Google Photos’ face grouping tool violated the state Biometric Information Privacy Act.
  • Facebook parent Meta has settled a lawsuit against two companies that had engaged in data scraping operations, which had seen them gathering data from Facebook and Instagram users for marketing intelligence purposes. 
  • Arizona’s Attorney General announced an 85 million dollar settlement with Google related to alleged user tracking via location data from smartphones despite users disabling the tracking settings.

Data protection & privacy digest 13 – 26 Sept 2022: Google Analytics clash, caller identification, commercial practices & GDPR https://techgdpr.com/blog/data-protection-digest-27092022-google-analytics-clash-caller-identification-commercial-practices/ Tue, 27 Sep 2022 08:06:46 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: Google Analytics, risk assessment tool, work monitoring, privacy policy check-list, machine learning, APIs

The Danish data protection authority, following several other European counterparts’ decisions, concludes that the Google Analytics tool cannot be used legally without implementing several additional measures, (eg, effective pseudonymisation by using proxy servers), in addition to the settings provided by Google.

The Spanish privacy regulator AEPD launched an online tool that helps assess the level of risk of personal data processing. The tool allows an initial and non-exhaustive evaluation to be carried out, which, where appropriate, must be adjusted by each person in charge to determine an accurate risk level for the processing. 

The Latvian data protection authority DVI issued two guides, (in Latvian only), on online tools to organise remote work meetings and on video surveillance of employees performing their work duties. The organisation must determine exactly why data processing during online meetings or in the workspace is necessary. The purpose of data processing must be determined precisely and realistically, and must correspond to one of the legal bases of the GDPR. A privacy notice is to be made available before data processing is started. If the organisation has a data protection specialist, they must be consulted for advice on carrying out the planned processing more appropriately.

Jersey’s privacy regulator has tried to demystify Art. 12 of the GDPR – the obligation to inform. It concludes that the most direct way to communicate with your data subjects is through writing clear statements. For the best transparency when constructing a robust privacy policy, view the regulator’s privacy policy checklist.

The use of application programming interfaces, (APIs), to share personal data can promote better data protection. The French regulator CNIL launched a draft recommendation on the technical and organisational measures to be applied. It aims to identify the cases in which an API is recommended to securely share personal data or anonymised information, and to disseminate best practices regarding their implementation and use. Data sharing here means the ability of identified reusers or the public to retrieve data held by an organisation, or the ability of data holders to transmit data for reuse by others. 

The EDPS explains 10 misunderstandings about Machine Learning. ML systems adapt autonomously to the patterns found among the variables in the given dataset, creating correlations. Once trained, these systems will use the patterns learned to produce their output. Typically, the training of ML systems requires large amounts of data, depending on the complexity of the task to be solved. However, adding more training data to a machine learning model development process will not always improve the system’s performance. On the contrary, more data could bring more bias. 

Legal processes: general data retention ban, Europol database, sensitive data, digital health infrastructure, commercial practices

In Germany, the Federal commissioner for data protection approved the CJEU preliminary ruling that the country’s general indiscriminate data retention, (IP-addresses, traffic, and location data), violates EU law. The law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms, stated the top court. The retention law came into force after major attacks by Islamists in Europe and cost the country’s internet and telecom industries millions of euros. 


The EDPS is taking legal action as the new Europol Regulation puts the rule of law and EDPS independence under threat. The regulator requested that the CJEU annul two provisions of the newly amended Europol Regulation, (which came into force on 28 June 2022). These new provisions, (articles 74a and 74b), have retroactively legalised Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, overriding the EDPS Order which requests that Europol delete the datasets concerned.

The privacy commissioner of Canada, along with his provincial and territorial counterparts, endorsed a resolution that encourages governments to implement a digital health communication infrastructure that would phase out the use of unencrypted email and fax communication in favour of more secure alternatives available to all Canadians. The pandemic has spurred rapid digital advancements in the delivery of services. At the same time, data breaches in the health sector continue, potentially leading to harm including discrimination, stigmatisation, and financial and psychological distress, states the regulator.

Meanwhile, US President Joe Biden has initiated a review of foreign investment for national security risks to sharpen focus, among other things, on threats to sensitive data. The executive order instructs the dedicated Committee to consider whether a “covered transaction involves a US business with access to US persons’ sensitive data and whether the foreign investor, for instance in biotechnology or AI, has, or the parties to whom the foreign investor has ties, have sought or had the ability to exploit such information.”  

A CJEU Advocate General suggests a competition authority may consider the compatibility of commercial practice with the GDPR. The non-binding opinion, (ahead of the court’s ruling), refers to Meta’s antitrust probe in Germany. The competition watchdog prohibited the practice of users having first to accept general terms which led to cookie placement, further data sharing with group services, (WhatsApp, Instagram), and linking the data to user accounts for advertising purposes. The freedom of consent in such a dominant position in the Social Media market is also an issue.

Investigations and enforcement actions: managing director as a dpo, Klarna bank, caller identification, data processing contract, image publication, legal professional privilege

The Berlin commissioner for data protection BlnBDI has imposed a 525,000 euro fine on a Berlin e-commerce group’s subsidiary due to a conflict of interest on the part of the company’s data protection officer. This person was at the same time the managing director of two service companies that processed data for the group. The DPO thus had to monitor compliance with data processing managed by himself.  

The Swedish privacy protection authority IMY, in cooperation with Germany and Austria, is investigating complaints about Klarna Bank making data rectification or objection to direct marketing difficult. The complainants were asked, for identification purposes and via an unencrypted email service, to provide their name, date of birth, e-mail address, address, invoice and purchase details, and sometimes their telephone number.

Vodafone Romania was fined 2000 euros after not checking compliance with the caller identification procedure, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator’s customers. Also, third parties could access data from contracts concluded by customers and data from personal accounts, such as name, address, contact phone number, PUK code, the contact number of the account holder, the SIM ID of the original card, billing and debt details, and data traffic.

In Poland, a personal data breach was reported, (followed by an administrative fine), in a cultural center. The investigation found that the administrator entrusted another entity with processing, without concluding a written contract, for keeping accounting books and records, (in finance, taxes), and for documentation storage. The controller did not verify the processor, did not check whether it provided appropriate technical and organisational measures, and did not have any documents confirming the verification of the terms of cooperation. Additionally, any communication with the controller was ineffective.

The Spanish data protection authority AEPD fined a company, (Digitecnia Solutions), for publishing on its website an image of a complainant to illustrate the work they were doing. The image did not allow the complainant to be seen in full, but he can be seen in part. This, together with the fact he appeared linked to Digitecnia, was information that made this person identifiable. All this constituted the processing of the claimant’s personal data, which he was not aware of. 

The Isle of Man information commissioner issued an enforcement notice to Sentient International regarding the company’s refusal to comply with a data subject access request. Sentient decided to restrict the data subject’s right of access, believing that the right of access does not apply to data that consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. The regulator clarified that the rule applies to some documents, but not to the personal data therein, such as communications that were not made for the dominant purpose of obtaining or providing legal advice. Also, professional legal privilege cannot be applied retrospectively.

Data security: data put online by hackers, SMEs, IoT, and ZTA in a mobile world

The French privacy regulator CNIL notes a clear increase in data breach notifications, nearly half resulting from ransomware attacks. In some cases, users’ personal data may be put online by hackers. If a violation concerns you, the responsible body must inform you as soon as possible. The CNIL is not able to tell you if a breach impacts your data. Some websites indicate that they hold the data and can tell you whether or not you are concerned. The CNIL advises against using them. 

The German federal office for information security has published a guide on cybersecurity for small and medium-sized enterprises. It offers SMEs an easy-to-understand introduction to improving their cyber security level because information security is the prerequisite for secure digitisation. It starts with the most important basics of IT security – briefly and concisely based on 14 questions. Among other things, it provides information on who is responsible for information security in the company, why patches and updates should be installed regularly, why an anti-virus program is necessary, and why data backup is so important.

Zero trust architecture, (ZTA), is not a new concept, but there is renewed interest in implementing zero-trust principles for an organization’s mobile administrators, states the US NIST. Due to the pandemic, many employees have transitioned to remote/telework options. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere. In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen.

The NIST IoT Cybersecurity Program also released two new documents:

Big Tech: Uber, Optus, and TAP cyberattacks, World Cup data analysis app

Uber’s EXT contractor had their account compromised by an attacker. The attacker likely purchased the contractor’s Uber corporate password on the dark web after their device had been infected with malware. The attacker then tried logging in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, the contractor accepted one, and the attacker successfully logged in. From there, the attacker accessed other employee accounts which gave the attacker permission to use several tools, including G-Suite, and Slack. 
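The pattern described above, a run of rejected or ignored push prompts followed by an approval, is visible in authentication logs and is worth alerting on. The following is an added example, not code from Uber or from this digest, that runs a simple push-fatigue detector over a few constructed log lines in a hypothetical `key=value` format; the usernames, IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log lines in a hypothetical format (not from any real system).
SAMPLE_LOG = """\
2022-09-15T22:01:05Z user=contractor01 event=mfa_push result=denied ip=203.0.113.7
2022-09-15T22:01:40Z user=contractor01 event=mfa_push result=denied ip=203.0.113.7
2022-09-15T22:02:12Z user=contractor01 event=mfa_push result=timeout ip=203.0.113.7
2022-09-15T22:02:50Z user=contractor01 event=mfa_push result=denied ip=203.0.113.7
2022-09-15T22:03:30Z user=contractor01 event=mfa_push result=approved ip=203.0.113.7
2022-09-15T22:04:00Z user=alice event=mfa_push result=denied ip=198.51.100.9
2022-09-15T22:30:00Z user=alice event=mfa_push result=approved ip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "result": m["result"], "ip": m["ip"]}


def detect_push_fatigue(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag an approval that follows >= threshold denied/timed-out pushes within window.

    Keeps, per user, a sliding window of recent rejected prompts. An approval is
    suspicious when the user had already rejected or ignored that many prompts
    shortly before; a lone denial followed much later by an approval is not.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent denied/timeout pushes
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # expire prompts outside the window
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
        elif ev["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "approved_at": ev["ts"].isoformat(),
                    "prior_rejections": len(q),
                    "ip": ev["ip"],
                })
            q.clear()  # a successful login resets the user's window
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)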

Sensitive information about TAP Air Portugal’s customers also has been shared on the dark web after a cyberattack. The attackers were booted from the system but not before gaining access to sensitive data, including name, nationality, gender, date of birth, address, email, telephone contact, customer registration date, and frequent flyer number. It is unclear how long the hackers had access to the system. However, the airline has assured its passengers that the breach has not affected their flights. 

Australia’s major telecommunications company Optus experienced a cyberattack that leaked personal data of up to 10 million customers, in one of Australia’s biggest cybersecurity incidents. An offshore-based entity, possibly in Europe, had broken into the company’s customer information database, accessing home addresses, driver’s licenses, and passports. Stolen customer data and credentials may be sold through several forums including the dark web.

World Cup players to get FIFA data analysis app. Players at the finals will be able to browse their performance data on a purpose-built app developed by the governing body which allows footballers of all 32 teams access to analysis and information. The data will be synced with a video of the action to allow a quick assessment of key moments. While such data and metrics are widely available to players with the top clubs and national sides, who employ teams of analysts, the app will ensure teams with fewer resources compete on a level playing field, Reuters reports.

The post Data protection & privacy digest 13 – 26 Sept 2022: Google Analytics clash, caller identification, commercial practices & GDPR appeared first on TechGDPR.

]]>
Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset https://techgdpr.com/blog/data-protection-digest-30082022-data-subject-complaints-inappropriate-reliance-on-consent-smart-tv-reset/ Tue, 30 Aug 2022 09:21:56 +0000 https://s8.tgin.eu/?p=6048 TechGDPR’s review of international data-related stories from press and analytical reports. Official guidance: data subject complaints, new business, identity cards, traffic licenses, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, dpos The UK Information Commissioner’s Office offers a brief guide on how to deal with data subject complaints, (your staff, contractors, customers), when you […]

The post Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset appeared first on TechGDPR.

]]>
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: data subject complaints, new business, identity cards, traffic licenses, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, dpos

The UK Information Commissioner’s Office offers a brief guide on how to deal with data subject complaints, (your staff, contractors, customers), when you are a small business. The main steps are as follows: 

  • Respond as soon as possible, in plain language, to let the customer know you’ve received their data protection complaint and are looking into it. 
  • Let them know when they can expect further information from you and give them a point of contact. Include information about what you’ll do at each stage.
  • Send them a link to a complaints procedure, (if there is one). 
  • Check the complaint has come from an appropriate person. 
  • Check all the details of their complaint against the information you hold.
  • Ask for additional information if necessary. 
  • Update them so they know you’re working to resolve the issue. 
  • Record all your actions, due dates, and 
  • Keep copies of relevant documents and conversations.

Starting a new business? The Jersey data protection regulator offers a quick guide on customer information, employee details, contact or payment details for suppliers and contractors, and other data points you’ll need to take responsibility for when getting a new business venture off the ground. The measures may include training your staff, limiting administrative rights, minimising data collection and storage, locking sensitive data, drafting a privacy policy, regular software updates and more. But even simple actions like turning off the ‘auto-complete’ function for email addresses or avoiding email forwarding may save you from personal data breaches. 

Financial institutions, for a range of services such as setting up and maintaining a bank account, electronic banking services, granting a loan or even a transfer order, make copies of our identity documents. The Polish data protection authority UODO assumes that such copying is not allowed in any situation. For instance, the country’s banking law allows processing information contained in identity documents, but this does not give the right to make copies. In many cases, it is enough to show an identity document for inspection. On the other hand, anti-money laundering and financing of terrorism legislation entitles financial institutions to make copies of identity documents. Before applying financial security measures, institutions must assess whether it is necessary to process the personal data of a natural person contained in the copy of the identity card for these purposes. According to the principles of purpose limitation and data minimisation, personal data must be collected for specific, explicit and legitimate purposes, using relevant criteria and limited to what is necessary for the purposes for which they are processed.

The Hungarian data protection authority NAIH issued a notice on data management related to the reading of the bar code on traffic licenses at filling stations. According to the submissions received by the regulator, in order to sell fuel at the official price, a fuel provider reads bar codes on vehicle registrations, (or records the registration number of the vehicle), and stores it in its system. The data is then forwarded for tax control purposes. In relation to data management, information was not available for customers at the filling stations, and the employees were not able to provide any meaningful information. The NAIH started an ex-officio investigation into the lawfulness of the processing, and to see if the tax authority and fuel providers had complied with Art. 13 of the GDPR. 

The Latvian data protection authority DVI recently issued a series of recommendations, (in Latvian), including:

  • To evaluate the use of TCF and OpenRTB systems. Following the Belgian regulator’s decision, the transparency and consent system created by IAB Europe and the real-time bidding system were recognised as non-compliant. The decision stipulates that personal data obtained through TCF must be deleted immediately. This means that organisations using the tools, (website/app operators, advertisers and online ad technology companies), must stop using the tool, (unless it uses non-personal data).
  • What to do if another person’s data has been received by mistake, (Do not open, do not publish, use minimal research to identify the sender, who should be notified, let the sender solve this situation himself, etc.).
  • Safe use of online platforms used during the educational process.
  • The processing of personal data by insolvency administrators in the register of creditors’ claims, and
  • Functions and tasks of a data protection specialist.

Legal processes: EU Data Act, Quebec Bill 64, California privacy laws, China cross-border transfers

The Czech Presidency of the EU Council brought more clarity on the proposed Data Act, namely the part that refers to public sector bodies’ access to privately held data, Euractiv.com reports. Public authorities might request data, including the relevant metadata, if its timely access is necessary to fulfil a specific task in the public interest, (eg, local transportation, city planning and infrastructural services). At the same time, safeguards for requests involving personal data have been added, as the public body will have to explain why the personal data is needed and what measures are taken to protect it. The top priority should be anonymisation, or at least aggregation and pseudonymisation, of collected data.

In Quebec, the first amendments from Bill 64, (modernises data protection legislative provisions), to the Quebec Privacy Act and the Quebec IT Act will come into force on 22 September. They create obligation for a person carrying on an enterprise to protect personal information and automatically designates the person exercising the highest authority within the enterprise as the main responsible. Other provisions create mandatory reporting of confidential incidents, biometric information database registration no later than 60 days before it is put in service, notification of any processes used to verify/confirm an individual’s identity based on biometric data, and allow disclosure of personal data necessary for commercial transactions, (eg, mergers, leasing).

In California a new privacy rights act, the CPRA, will take effect on 1 January 2023, while the new California privacy protection agency is consulting on draft regulations, with special attention on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws. Other key regulatory issues include data processing agreements, programs for exercising data subjects’ rights, data minimisation and valid consent requirements, and the prohibition of “dark patterns”.

China will enforce cross-border data transfer rules starting from 1 September. Consequently, many critical industries such as communications, finance and transportation will face additional checks under the country’s latest cybersecurity, data security and personal information protection legislation. Companies seeking to transfer personal data on 100,000 or more people, (10,000 or more for sensitive data), companies handling the personal data of 1 million or more people, as well as operators that transfer the personal information of at least 100,000 cumulative individuals a year, will undergo security reviews. Businesses will have to explain to government investigators the purpose of the transfer, the security measures in place, and the laws and regulations of the destination country. More details on the new regulatory framework can be found in this guidance (by KPMG China).

Enforcement actions: commercial prospecting, employee’s consent, smart TV reset, Chromebook ban, PHI disposal, medical results without encryption

A famous French hotel group was slapped with a 600,000 euro fine from the privacy regulator CNIL for carrying out commercial prospecting without the consent of customers, when making a reservation directly with the staff of a hotel or on the website. The consent box to receive the newsletter was prechecked by default. Also a technical glitch prevented a number of people from opposing the receipt of such messages for several weeks. As the processing in question was implemented in many EU countries, the EDPB was asked to rule on the dispute concerning the amount of the fine. The CNIL was then asked to increase the sum so that the penalty would be more dissuasive.


Guernsey’s data protection authority has issued a reprimand, (a formal recognition of wrongdoing), to HSBC Bank’s local branch for inappropriate reliance on consent. An employee felt obliged to consent to providing sensitive information about themselves in connection with what they believed was a possible internal disciplinary matter. They then made a formal complaint. The authority’s opinion is that reliance on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Whilst in this case the controller ceased processing as soon as concerns were raised, it nonetheless continued to cite consent as the justification for the processing. How to manage data protection in employment? See Guernsey’s latest guide.

The Danish data protection authority expressed serious criticism of retailer Elgiganten A/S after a returned television, which had not been factory-reset and still held the complainant’s personal data, was stolen during a break-in at the retailer’s warehouse. This meant that a third party gained access to the TV and thus to information from the streaming services the complainant was still logged into, as well as the browsing history. Before the break-in, the company had carried out a risk assessment for theft of its products and assessed the risk as high, so the warehouse was secured by locks, a high wall, surveillance cameras and motion sensors. The burglar gained access by simply punching a hole in the wall.

The Danish data protection authority is maintaining its ban on Chromebook use by a Helsingør municipality, on the grounds of high risks for individuals. The regulator stated that the decision does not prohibit the use of Google Workspace in schools – but the specific use of certain tools in the municipality is not justifiable regarding children’s information. The Municipality assessed that Google only acts as a data processor, but in the opinion of the regulator, it acts in several areas as an independent data controller, processing personal data for its own purposes in the US. 

The Danish regulator ruled that the municipality cannot reduce the risk to an acceptable level without changes to the contract basis and the technology the municipality has chosen to use. Although the decision specifically relates to the processing of personal data in Helsingør Municipality, the regulator encourages other municipalities to look at the same areas in relation to unauthorised disclosure and transfers to unsafe third countries.

The recent HIPAA settlement, (over 300,000 dollars), offers lessons on data disposal and the meaning of Protected Health Information, (PHI), workplaceprivacyreport.com reports. A dermatology practice reported a breach last year when empty specimen containers with PHI labels were placed in a garbage bin in the practice’s car park. The labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The workforce should have been trained to follow disposal policies and procedures. These requirements can include: shredding, burning, pulping, or pulverizing records so that PHI is rendered essentially unreadable; storing labelled prescription bottles in opaque bags in a secure area; and using a disposal vendor, engaged as a business associate, to pick up and shred or otherwise destroy the PHI.

The Belgian data protection authority also fined a laboratory 20,000 euros for insufficient security measures, a missing DPIA, and a missing privacy policy (Art. 5, 12-14, 32 and 35 of the GDPR), Data Guidance reports. Namely:

  • the laboratory webpage allowed doctors to remotely consult the medical results of patients without employing any encryption;
  • the laboratory failed to conduct a DPIA for the large-scale processing of health data;
  • while denying that the health data had been processed on a large scale, it failed to clarify what criteria it was using to determine this;
  • the laboratory failed to include a privacy policy on the webpage used to maintain the abovementioned medical results.

Data security: cyber security breaches landscape, personal data bought by FBI, social engineering on healthcare

The UK government published an in-depth qualitative study with a range of businesses and organisations which have been affected by cyber security breaches. The findings help businesses and organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the government in shaping future policy in this area. The guide also contains 10 practical case studies on: understanding the level of existing cyber security before a breach, determining the type of cyber attack, understanding how businesses and organisations act in the immediate, medium, and long-term aftermath of a breach, etc.

Top US Democrats in Congress demand that the FBI and Department of Homeland Security detail their alleged purchases of Americans’ personal data, Gizmodo.com reports. They suspect federal law enforcement agencies of using commercial dealings with data brokers and location aggregators to sidestep warrant requirements in obtaining Americans’ private data. Reportedly the data points may include, among others, records of internet browsing activity and precise locations. The demand includes the release of documents and communications between the agencies and the data brokers with whom they may have dealings or contracts.

The US Health Sector Cybersecurity Coordination Center published guidance on the impact of social engineering on healthcare. Social engineering is the manipulation of human psychology for one’s own gain. “A social engineer can manipulate staff members into giving access to their computers, routers, or Wi-Fi; the social engineer can then steal Protected Health Information, (PHI), Personal Identifiable Information, (PII), or install malware posing a significant threat to the Health sector”, says the study. It also answers questions on the phases and types of social engineering attacks, (eg, tailgating, vishing, deepfake software, smishing, baiting and more), the personality traits of a social engineer, data breaches, and steps to protect your organisation.

Big Tech: US mobile carriers, Google location data, Cambridge Analytica settlement, TikTok iOS app, Oracle class action

The US Federal Communications Commission will investigate mobile carriers’ compliance with the requirement to disclose to consumers how they use and share location data, Reuters reports. Top mobile carriers such as Verizon, AT&T, T-Mobile, Comcast, Alphabet’s Google Fi and others were requested to detail their data retention and privacy policies and practices. Recent enforcement of anti-abortion legislation in many states also raised concern that the police could obtain warrants for customers’ search histories, location and other information that would reveal pregnancy plans. Last month Google responded to this by promising to delete location data showing when users visit an abortion clinic.

The Federal Court of Australia ordered Google to pay 60 million dollars for misleading consumers about the collection and use of personal location data. Google was found guilty of misleading and deceptive conduct, breaching Australian Consumer Law. The conduct arose from representations made about two settings on Android devices – “Location History” and “Web & App Activity”. Some users spotted that the Location History default setting changed from “off” to “on”. Another misleading practice was telling some users that having the Web & App Activity setting turned “on” would not allow Google to obtain, retain or use personal data about the user’s location.

Facebook agreed to settle a lawsuit seeking damages for allowing Cambridge Analytica access to the private data of tens of millions of users, The Guardian reports. Facebook users sued the tech giant in 2018 after it emerged that the British data analytics firm, connected to former US president Donald Trump’s successful 2016 campaign for the White House, gained access to the data of as many as 87 million of the social media network’s subscribers. Reportedly, if owner Meta had lost the case it could have been made to pay hundreds of millions of dollars.

Reportedly, when you open any link in the TikTok iOS app, it is opened inside the app’s own in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs, (including passwords, credit card information, etc.), and to every tap on the screen, such as which buttons and links you click. The discovery was made by software engineer Felix Krause. You can read more technical analysis of the most popular iOS apps that have their own in-app browser in the original publication.

Finally, the Irish Council for Civil Liberties, (ICCL), started a class action against Oracle in the US for its worldwide surveillance machine. Oracle is an important part of the tracking and data industry. It claims to have amassed detailed dossiers on billions of people, and generates over 42 billion dollars in annual revenue. Oracle’s dossiers may include names, addresses, emails, purchases online and in the real world, physical movements, income, interests and political views, and a detailed account of online activity. For example, one database included a record of a man who used a prepaid debit card to place a 10 euro bet online. Oracle also coordinates a global trade of people’s dossiers through the Oracle Data Marketplace, claims the ICCL. You can view the full complaint here.

The post Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset appeared first on TechGDPR.

Data protection & privacy digest 2 – 15 Aug 2022: commercial surveillance, sensitive data “by comparison”, worker electronic monitoring
https://techgdpr.com/blog/data-protection-digest-16082022-commercial-surveillance-sensitive-data-by-comparison-worker-electronic-monitoring/ (Tue, 16 Aug 2022 07:48:44 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: commercial surveillance, sensitive data “by comparison”, workers electronic monitoring, farming data

The CJEU’s recent decision may have a major impact on digital services that use background tracking and profiling to target users with behavioural ads, TechCrunch reports. The EU top court’s decision related to the anti-corruption law in Lithuania. It found that the country’s law requiring online disclosure of data contained in the declarations of private interest of directors of institutions receiving public funds, (data concerning the declarant’s spouse, cohabitee, partner, etc.), is contrary to the fundamental rights to privacy and data protection in the EU. The court held that disclosing online the names of relatives and associates and their significant financial transactions is not strictly necessary for the objective pursued and may constitute highly sensitive data “by comparison”.

It is likely to reveal information on sensitive aspects of the private life of the persons concerned and to make it possible to draw up a particularly detailed portrait of them, including their sex life and sexual orientation, (Art. 9 of the GDPR). Finally, such processing results in this data being freely accessible on the internet to a potentially unlimited number of people. Thus, some privacy law experts suggest the judgement’s broad definition of what constitutes sensitive data, (involving the act of comparison or deduction), potentially covers a wide range of online processing, including online ads, dating and health apps, location tracking and more, concludes TechCrunch.

In the US, the Federal Trade Commission, (FTC), seeks public comment ahead of rulemaking on the prevalence of commercial surveillance and data security practices that harm consumers. The Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies a) collect, aggregate, protect, use, analyze, and retain consumer data, as well as b) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. The permissions that consumers give may not always be meaningful or informed. Studies have shown that most people do not generally understand the market for consumer data that operates beyond their monitors and displays, the FTC states. Many privacy notices that acknowledge such risks are reportedly not readable by the average consumer or a minor. In the end, these practices, which nowadays rely heavily on automated systems, may have significant consequences for consumers’ wallets, safety, and mental health.

The EDPS published its opinion on the proposal for a regulation converting the Farm Accountancy Data Network into a Farm Sustainability Data Network (FSDN). The proposal aims to regulate the processing of personal data in the context of the collection of individual farms’ economic, environmental and social data, as well as the further management and use of such data. The EDPS positively notes that where individual data is shared by the Commission or the liaison agencies, the data of the farmers and all other individual details obtained would be anonymised or pseudonymised. However, the EDPS considers that the proposal does not provide a specific reason of public interest justifying the publication of personal data in identifiable form, even if the data were to be pseudonymised prior to publication.

The EDPS therefore recommended specifying that only duly anonymised FSDN data may be made publicly available. That being said, the regulator considered it important to preserve a clear distinction between these concepts, as pseudonymous data can still be related to an identifiable individual and therefore qualifies as personal data. Moreover, the EDPS considered that it is not clear whether the proposal refers only to the exchange of data between the national liaison agencies and the Commission or also extends to the sharing of data with the general public or otherwise making it available for reuse. Finally, the interoperability provisions include the need to identify all the IT tools and linked databases, data protection roles and responsibilities and relevant applicable safeguards. Read the full opinion here.

Meanwhile Ontario provided updated guidance on new legislation which requires an electronic monitoring policy for workers. “Electronic monitoring” may include GPS systems to track employee movement, using sensors to track how quickly an employee performs a task, or tracking the websites an employee visits during working hours. The policy must include:

  • A statement as to whether or not the employer electronically monitors employees.
  • How the employer may electronically monitor employees.
  • The circumstances in which the employer may electronically monitor employees.
  • The purposes for which information obtained through electronic monitoring may be used by the employer.
  • The date the Policy was prepared, and the date any revisions were made.

Any employer that employs 25 or more people in total across all of its locations in Ontario will be required to have a written policy. When determining whether the 25-employee threshold has been met, an employer must count all employees across all of its locations in Ontario, regardless of the number of hours worked or whether they are full- or part-time, including probationary employees, employees on layoff, leave of absence or strike, and employees who are trainees.

Official guidance: use of cloud, sports associations, DPO, government data, customer research

The Danish data protection authority has published a questionnaire, (in Danish only), following recent inspections of the use of the cloud by public authorities and private companies. The questionnaire covers most of the points that data controllers must be aware of if they use cloud solutions. It is divided into four parts:

  • know your services,
  • know your suppliers,
  • supervision of suppliers,
  • transfer to third countries.

Furthermore, each part is subdivided into two parts: a) the first part concerns the organisation’s general rules, policies, procedures, etc. to enable the organisation to comply with the relevant data protection rules; b) the second part looks at whether the organisation has followed these policies, etc. with regard to the specific cloud service and provider, and if not, how the organisation ensures compliance with the relevant data protection rules. The questionnaire can be downloaded via this link.

The French regulator CNIL offers amateur sports associations a self-assessment tool to test their compliance with the GDPR. The data subjects in this case include member athletes, athletes of an opposing team, paid or volunteer sports educators, referees, etc. The information collected serves very different uses: keeping the membership file, organising competitions and tournaments, managing the club’s website, etc. The life cycle of the personal information contained in the files created by sports structures is likely to include 4 stages:

  • collection,
  • sharing and exchange, 
  • reuse, 
  • retention and destruction. (You can access the original questionnaire here).

The Dutch data protection authority recommends adjusting the proposal for an amendment of the Reuse of Government Information Act. The proposal, in which the government encourages government institutions to make government data, including personal data, available for reuse, does not set sufficient limits, raising the risk that personal data is shared without the permission or knowledge of the people involved. According to the proposal, that data must also be searchable with software and can be combined with other data. Personal data in the country’s Trade Register and the Land Registry is already public, and that is already causing problems. By running an algorithm on it and combining the personal data with other sources, companies can, for example, create profiles of people in order to sell them.

The Latvian privacy regulator published guidance on the mandatory appointment of a data protection officer. In particular, where the economic activity of the company is directly related to the processing of personal data on a large scale, any company is obliged to involve a data protection specialist in the organisation of specific processes. The guidance lists, among others:

  • for a company whose main activity is related to the profiling of natural persons, with the intention of carrying out an assessment of their creditworthiness;
  • for a security company that uses video surveillance of publicly accessible areas as part of its core service;
  • for a company that performs customer behavior analysis, (products a customer has viewed, purchased, etc.), in order to send targeted marketing communications;
  • to a person who conducts customer research for the purpose of preventing money laundering;
  • for the maintainer of mobile apps that process users’ geolocation data;
  • for companies that collect customer data as part of loyalty programs;
  • for persons who monitor clients’ well-being, physical fitness and health data through wearable devices;
  • for companies that process information obtained from devices connected to the IoT, (smart meters, connected cars, home automation devices, etc.).

Another guidance document by the Latvian privacy regulator refers to the prevention of money laundering and the financing of terrorism and arms proliferation. According to the country’s legislation, anyone must conduct customer research before starting a business relationship, as well as during the maintenance of a business relationship. Taking into account that customer research applies not only to legal entities but also to natural persons, the regulator explains new procedures that govern the licensing of shared customer research tools for service providers, as well as the monitoring of their activities. Considering that personal data will be processed in the customer research tool, the privacy regulator has the following rights:

  • re-registering, suspending or cancelling the service provider’s licence;
  • inspecting the customer research tool service;
  • receiving, free of charge, the information and documents from the service provider that are necessary to verify its operation or to consider a customer complaint received about its operation;
  • requiring that information erroneously or illegally included in the shared customer research tool be corrected or deleted;
  • requiring the service provider of the customer research tool to review its information systems, facilities and procedures and to appoint an independent expert.

Investigations and enforcement actions: profiling, video surveillance and geolocation, access codes, privacy notice, reused mail box


The Lower Saxony data protection commissioner has imposed a fine of 900,000 euros on a bank for profiling for advertising purposes. The company had evaluated data from active and former customers without their consent. To do this, it analysed digital usage behaviour and the total volume of purchases in app stores, the frequency of use of account statement printers and the total amount of transfers in online banking compared to the use of branch counters. For this it used a service provider. In addition, the results of the analysis were compared with a credit agency and enriched from there. The aim was to identify customers with an increased inclination for digital media and to prioritise electronic communication channels to contact them. Information was sent to most customers in advance along with other documents. However, these do not replace the necessary consents. The fine is not yet final.

The Luxembourg data protection authority recently issued a 3000 euro fine to an unnamed company for intrusive use of CCTV cameras and for failing in its obligation to inform its workers and third-party visitors. The company neither justified nor demonstrated how the video surveillance, (installed and operated by subcontractor firms), of the interior of the premises using door cameras was appropriate and necessary to protect the property, (fencing in this case could be a replacement measure), and in particular to prevent burglary. The authority also considered the psychological pressure that the cameras exerted on employees and third-party visitors, who felt observed at their workstations or meeting tables because of the cameras, which did not indicate whether they were working or not.

In another recent case the Luxembourg regulator fined an unnamed company 1500 euros for performing geolocation on its employees while they used a vehicle to travel to customers. The following purposes of geolocation were stated by the data controller: “geographical tracking, asset protection, optimal fleet management, optimisation of work processes as well as the provision of responses to customer complaints.” Further investigation uncovered other undisclosed purposes such as: combatting theft, reduction of the number of kilometres driven, justification in the event of a dispute, monitoring and invoicing of services, and finally, monitoring of working time and setting remuneration.

In the regulator’s opinion, the lack of a clear policy, an unidentified legal basis for all the above-mentioned processing, as well as a one-year data retention period, were in violation of the requirements of Art. 5, (lawfulness, fairness and transparency), and Art. 13, (information obligation), of the GDPR. Finally, the employees were unaware that their data could have been transferred to the parent company, situated in a third country.

In Denmark, citizens’ information was exposed to an unnecessary risk, as Lolland Municipality’s employees were able to disable access codes on phones and tablets. The Danish data protection authority issued a fine of approx. 6000 euros. In 2020 an employee in the municipality had a work phone stolen. Via the phone there was access to the employee’s work email account, which contained information about several citizens’ names, social security numbers, health information and sensitive events. The phone was not protected by an access code, as the code had been switched off, so access to its information was unlimited. The municipality stated that over a number of years it had been possible for employees to remove the otherwise mandatory access codes, so that telephones could be used without a code. It had immediately initiated restorative measures in the form of new precautions and changes in the technical set-up of the telephones handed out.

The Romanian data protection authority has fined the CDI Transport Intern si Internazionale, (among the largest passenger transport companies in Romania), 7000 euros after a complaint that the company’s website contained no information regarding the method of collecting personal data. It also failed to inform users of the rights provided for in Art. 15-22 of the GDPR that data subjects benefit from, such as those relating to the purpose of processing and the legal basis, the identity and contact details of the operator, the period for which the data will be stored or the criteria used to establish this period, nor the fact that the operator has the obligation to inform the data subjects in the event of a breach of personal data security.

Finally, the Spanish data protection authority AEPD punished an online teaching institution to the tune of 3000 euros after a claimant, a newly hired tutor, was given a corporate mailbox that belonged to the person they were replacing. The organisation stated that the claimant started working as an employee to replace another worker, on sick leave, in the same field and with the same tasks, so that their work was a continuation of those specific teaching and tutoring activities with students, for which it was necessary to have knowledge of all the background and communications between teacher and pupil. It argued that the data to which the claimant could have access was needed for the exercise of their duties. The data in the mailbox included pupils’ personal information, but also tax documentation, banking details, invoices, etc. The new tutor was told that they could access and delete folders in the inbox if needed. The regulator decided that basic security measures were not respected in this case.

Data security: email aliases, IoT devices

According to the US cybersecurity guru Brian Krebs, one way to protect your email inbox is to get into the habit of using unique email aliases when signing up for new accounts online. You can create an endless number of different email addresses linked to the same account by adding a “+” character after the username section of your email address, followed by a notation relevant to the website you’re signing up at. It is said that many threat actors will remove any aliases from their distribution lists because they believe that these consumers are more concerned with security and privacy than other users and are therefore more likely to report spam sent to their aliased addresses. Finally, email aliases are so uncommon that finding just a few email addresses using the same alias in a database breach can make it easy to determine which organisation was probably hacked and which database was released.
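The plus-addressing habit described above, together with the breach-attribution trick at the end of the paragraph, as an added example in JavaScript (this is not code from the post or from Brian Krebs). It assumes the mailbox provider accepts “+” sub-addressing, which Gmail and several other providers do but not all of them; the leaked address list is constructed for the example and contains no real data.

```javascript
// Added example: plus-addressing helpers for creating per-service email aliases,
// and a small attribution routine that, given addresses found in a breach dump,
// reports which alias tag they share (and therefore which service most likely leaked).
// Assumption: the provider treats user+tag@domain as a delivery to user@domain.

// local part, optional "+tag", "@", domain; no whitespace anywhere
const ADDRESS_RE = /^([^@+\s]+)(?:\+([^@\s]+))?@([^@\s]+)$/;

// Build an alias such as alice+shopsite@example.com from a base address and a tag.
// The tag is restricted to characters that are safe in the local part of an address.
function makeAlias(baseAddress, tag) {
  const m = ADDRESS_RE.exec(baseAddress.trim());
  if (!m) throw new Error(`not a valid address: ${baseAddress}`);
  if (m[2]) throw new Error(`address already carries a tag: ${baseAddress}`);
  if (!/^[A-Za-z0-9._-]+$/.test(tag)) throw new Error(`unsafe tag: ${tag}`);
  return `${m[1]}+${tag}@${m[3]}`;
}

// Split an address into base mailbox, optional tag and domain.
// Domains are case-insensitive, so the domain is lower-cased; the local part is
// left as the provider delivered it.
function parseAlias(address) {
  const m = ADDRESS_RE.exec(address.trim());
  if (!m) return null;
  return { user: m[1], tag: m[2] || null, domain: m[3].toLowerCase() };
}

// Count how often each alias tag appears in a list of leaked addresses.
// Tags are compared case-insensitively. A tag that dominates the list points at
// the service whose user database was exposed.
function attributeLeak(leakedAddresses) {
  const counts = new Map();
  let tagged = 0;
  for (const addr of leakedAddresses) {
    const parsed = parseAlias(addr);
    if (!parsed || !parsed.tag) continue; // untagged addresses carry no signal
    tagged += 1;
    const key = parsed.tag.toLowerCase();
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let top = null;
  for (const [tag, n] of counts) {
    if (!top || n > top.count) top = { tag, count: n };
  }
  return {
    tagged,                              // addresses that carried a tag at all
    counts: Object.fromEntries(counts),  // tag -> occurrences
    likelySource: top ? top.tag : null,  // most frequent tag, or null if none
  };
}

// Constructed sample dump (not real data) for demonstration.
const SAMPLE_DUMP = [
  "alice+shopsite@example.com",
  "bob.smith+ShopSite@Example.org",
  "carol@example.net",
  "dave+newsletter@example.com",
  "erin+shopsite@mail.example",
];

console.log(makeAlias("alice@example.com", "shopsite"));
console.log(attributeLeak(SAMPLE_DUMP));
```

Signing up everywhere with a distinct tag costs nothing, and the attribution step is what turns a breach notification into an answer to “which site lost my address?”: three of the four tagged addresses in the constructed dump share the `shopsite` tag, so that service is the likely source. Note that some sites reject addresses containing “+”, and a sender who strips everything between “+” and “@” defeats the scheme, which is exactly the behaviour the paragraph attributes to some spammers.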

The US Health Sector Cybersecurity Coordination Center published an advisory note for the healthcare sector on the risks posed by Internet of Things devices. Since these devices can collect data that includes personally identifiable information, it is important to secure these systems. Ultimately, the goal is to protect the entire system, but there are steps that can be taken to help accomplish this: a) securely store, process, and transfer data, b) keep devices safeguarded, c) update devices to reduce vulnerabilities. To minimise risks from IoT devices you need to:

  • Change default router settings: Most people do not rename their router and keep the manufacturer’s default settings. Those settings typically benefit manufacturers more than the user.
  • Pick a strong password: Make sure to use a secure, unique password for each device.
  • Avoid using Universal Plug and Play: It makes it easier to network devices without additional configuration, at the cost of exposing them.
  • Keep your software and firmware updated: Up-to-date firmware carries the latest security patches and reduces the chances of a successful cyber-attack.
  • Implement a Zero Trust Model: A zero trust model assumes that nothing can be trusted inside or outside of the network. Only a limited number of people require access to certain resources to accomplish their jobs. For this strategy to be effective, administrators must determine who the users are and what role they play.

Big Tech: drivers data, cyberattack on NHS software, Meta’s tracking code

Only 28% of drivers have any idea what sort of data they generate, and what is collected, when they drive, and they may never have heard of the at least 37 companies that lead a growing vehicle data market, says a report in The Markup. It’s a market with vast amounts of personal data all for sale: by whom, for whom, and with what aim? With the growth of third-party vehicle data hubs concentrating data, and the range of data presenting a risk to anonymisation, the report notes a lack of regulation that High Mobility’s CEO and founder Risto Vahtra warns could be a “privacy hell”. The report also criticises car manufacturers for failing to develop clear on-screen interfaces, like those on mobile phones, for drivers to choose privacy settings, which in some cases are entirely lacking. Legislation tackling this is currently at the committee stage in the US Congress.

UK government agencies along with the National Cyber Security Centre are investigating whether patient data was stolen in a severe cyberattack on NHS software supplier Advanced. It was hit by ransomware on August 4th, taking several urgent treatment centres, the 111 phone line used for, among other things, booking a doctor’s appointment, and some mental health facilities offline. The hack could take nearly two weeks to resolve, and updates on the status of the data are awaited, although Advanced says it has “contained” the breach.

When you click on anything you see on Facebook or Instagram, owner Meta has been inserting code into the websites you visit, allowing your navigation to be tracked. That’s according to former Google engineer and privacy activist Felix Krause, who has published new research. It is unknown how long Meta has been using the tracking code in its in-app browser. Krause built a tool to see how many extra instructions were added to a website by a browser. In most cases none were added, but navigation via Facebook or Instagram added as many as 18 lines of code. This so-called “JavaScript injection” is often classified as a “malicious attack”, but there is no suggestion Meta has used it beyond monitoring all user interactions, such as every button and link tapped, text selections, or screenshots.
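A site-owner’s version of the comparison Krause’s tool performs, written as an added example (it is not Krause’s tool, Meta’s code, or anything from the post): take the HTML the server actually sent, take the same page as serialised from inside a browser, and list the scripts that appear only in the second. The same check applies to the TikTok in-app browser item in the earlier digest. Both HTML snapshots below are constructed, and the `window.__hostHook` line merely stands in for whatever a host app might add.

```javascript
// Added example: detect scripts that a rendering environment (for instance an
// in-app browser) added to a page, by diffing the <script> inventory of the
// served HTML against the inventory of the rendered HTML.
// Assumption: both inputs are complete HTML documents as strings; the
// extractor is a deliberately simple regex, adequate for this comparison but
// not a full HTML parser.

const SCRIPT_TAG_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*["']([^"']*)["']/i;

// Reduce each <script> element to a stable descriptor: its src URL, or its
// inline body with whitespace collapsed so that formatting differences do not
// count as a change.
function extractScripts(html) {
  const found = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const src = SRC_ATTR_RE.exec(m[1]);
    if (src) found.push(`src:${src[1].trim()}`);
    else found.push(`inline:${m[2].replace(/\s+/g, " ").trim()}`);
  }
  return found;
}

// Scripts present in the rendered page but absent from what the server sent.
// Occurrences are counted, so an extra copy of a legitimate script is reported too.
function findInjectedScripts(servedHtml, renderedHtml) {
  const budget = new Map();
  for (const s of extractScripts(servedHtml)) budget.set(s, (budget.get(s) || 0) + 1);
  const injected = [];
  for (const s of extractScripts(renderedHtml)) {
    const left = budget.get(s) || 0;
    if (left > 0) budget.set(s, left - 1);
    else injected.push(s);
  }
  return injected;
}

// Constructed: the document as the server sent it.
const SERVED_HTML = `<!doctype html><html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = { locale: "en" };</script>
</head><body><a href="/next">Next</a></body></html>`;

// Constructed: the same document serialised from inside a hypothetical in-app
// browser. The legitimate inline script has been re-indented (which must not be
// flagged) and one extra inline script has appeared (which must be flagged).
const RENDERED_HTML = `<!doctype html><html><head>
<script src="/static/app.js"></script>
<script>
  window.siteConfig = { locale: "en" };
</script>
<script>/* placeholder for code added by the host app */ window.__hostHook = true;</script>
</head><body><a href="/next">Next</a></body></html>`;

console.log(findInjectedScripts(SERVED_HTML, RENDERED_HTML));
```

In practice the served side is the response body fetched from outside the suspect app and the rendered side is `document.documentElement.outerHTML` (or the entries of `document.scripts`) captured from inside it. Treat the result as an analysis finding rather than a control: code a host app injects through the WebView’s own API is not governed by the page’s Content Security Policy, so a site can observe the injection and decide how to respond, but cannot refuse it from within the page.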
