SMEs Archives - TechGDPR https://techgdpr.com/blog/tag/smes/

Data protection & privacy digest 13 – 26 Sept 2022: Google Analytics clash, caller identification, commercial practices & GDPR
https://techgdpr.com/blog/data-protection-digest-27092022-google-analytics-clash-caller-identification-commercial-practices/
Tue, 27 Sep 2022 08:06:46 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: Google Analytics, risk assessment tool, work monitoring, privacy policy check-list, machine learning, APIs

The Danish data protection authority, following several other European counterparts’ decisions, concludes that the Google Analytics tool cannot be used legally without implementing several additional measures, (eg, effective pseudonymisation by using proxy servers), in addition to the settings provided by Google.

The Spanish privacy regulator AEPD launched an online tool that helps assess the level of risk of personal data processing. The tool allows an initial and non-exhaustive evaluation to be carried out, which, where appropriate, must be adjusted by each person in charge to determine an accurate risk level for the processing. 

The Latvian data protection authority DVI issued two guides, (in Latvian only), on online tools to organise remote work meetings and video surveillance of employees performing their work duties. The organisation must determine exactly why data processing during online meetings or in the workspace is necessary. The purpose of data processing must be determined precisely and realistically, and interact with one of the legal tenets of the GDPR. A privacy notice is to be made available before data processing is started. If the organisation has a data protection specialist, they must be consulted for advice on carrying out the planned processing more appropriately.

Jersey’s privacy regulator has tried to demystify Art.12 of the GDPR – obligation to inform. It concludes that the most direct way to communicate to your data subjects is through writing clear statements. For the best transparency when constructing a robust privacy policy, view the regulator’s privacy policy checklist.

The use of application programming interfaces, (APIs), to share personal data can promote better data protection. The French regulator CNIL launched a draft recommendation on the technical and organisational measures to be applied. It aims to identify the cases in which an API is recommended to securely share personal data or anonymised information, and to disseminate best practices regarding their implementation and use. Data sharing here means the ability of identified reusers or the public to retrieve data held by an organisation, or the ability of data holders to transmit data for reuse by others. 

The EDPS explains 10 misunderstandings about Machine Learning. ML systems adapt autonomously to the patterns found among the variables in the given dataset, creating correlations. Once trained, these systems will use the patterns learned to produce their output. Typically, the training of ML systems requires large amounts of data, depending on the complexity of the task to be solved. However, adding more training data to a machine learning model development process will not always improve the system’s performance. On the contrary, more data could bring more bias. 

Legal processes: general data retention ban, Europol database, sensitive data, digital health infrastructure, commercial practices

In Germany, the Federal commissioner for data protection approved the CJEU preliminary ruling that the country’s general indiscriminate data retention, (IP-addresses, traffic, and location data), violates EU law. The law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms, stated the top court. The retention law came into force after major attacks by Islamists in Europe and cost the country’s internet and telecom industries millions of euros. 

The EDPS is taking legal action as the new Europol Regulation puts the rule of law and EDPS independence under threat. The regulator requested that the CJEU annuls two provisions of the newly amended Europol Regulation, (which came into force on 28 June 2022). These new provisions, (articles 74a and 74b), have legalised Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity retroactively. The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, overriding the EDPS Order which requests that Europol deletes concerned datasets. 

The privacy commissioner of Canada, along with his provincial and territorial counterparts, endorsed a resolution that encourages governments to implement a digital health communication infrastructure that would phase out the use of unencrypted email and fax communication in favour of more secure alternatives available to all Canadians. The pandemic has spurred rapid digital advancements in the delivery of services. At the same time, data breaches in the health sector continue, potentially leading to harm including discrimination, stigmatisation, and financial and psychological distress, states the regulator.

Meanwhile, US President Joe Biden has initiated a review of foreign investment for national security risks to sharpen focus, among other things, on threats to sensitive data. The executive order instructs the dedicated Committee to consider whether a “covered transaction involves a US business with access to US persons’ sensitive data and whether the foreign investor, for instance in biotechnology or AI, has, or the parties to whom the foreign investor has ties, have sought or had the ability to exploit such information.”  

A CJEU Advocate General suggests a competition authority may consider the compatibility of commercial practice with the GDPR. The non-binding opinion, (ahead of the court’s ruling), refers to Meta’s antitrust probe in Germany. The competition watchdog prohibited the practice of users having first to accept general terms which led to cookie placement, further data sharing with group services, (WhatsApp, Instagram), and linking the data to user accounts for advertising purposes. The freedom of consent in such a dominant position in the Social Media market is also an issue.

Investigations and enforcement actions: managing director as a DPO, Klarna bank, caller identification, data processing contract, image publication, legal professional privilege

The Berlin commissioner for data protection BlnBDI has imposed a 525,000 euro fine on a Berlin e-commerce group’s subsidiary due to a conflict of interest on the part of the company’s data protection officer. This person was at the same time the managing director of two service companies that processed data for the group. The DPO thus had to monitor compliance with data processing managed by himself.  

The Swedish privacy protection authority IMY, in cooperation with Germany and Austria, is investigating complaints about Klarna Bank making data rectification or objection to direct marketing difficult. The complainants were asked for identification purposes via an unencrypted email service to provide: their name, date of birth, e-mail address, address, invoice and purchase details,  and sometimes their telephone number.

Vodafone Romania was fined 2000 euros after not checking compliance with the caller identification procedure, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator’s customers. Also, third parties could access data from contracts concluded by customers and data from personal accounts, such as name, address, contact phone number, PUK code, the contact number of the account holder, the SIM ID of the original card, billing and debt details, and data traffic.

In Poland, a personal data breach was reported, (followed by an administrative fine), in a cultural center. The investigation found that the administrator entrusted another entity for processing, without concluding a written contract, for keeping accounting books, records, (in finance, taxes), and documentation storage. The controller did not verify the processor, did not check whether it provided appropriate technical and organisational measures, and did not have any documents confirming the verification of the terms of cooperation. Additionally, any communication with the controller was ineffective.

The Spanish data protection authority AEPD fined a company, (Digitecnia Solutions), for publishing on its website an image of a complainant to illustrate the work they were doing. The image did not allow the complainant to be seen in full, but he can be seen in part. This, together with the fact he appeared linked to Digitecnia, was information that made this person identifiable. All this constituted the processing of the claimant’s personal data, which he was not aware of. 

The Isle of Man information commissioner issued an enforcement notice to Sentient International regarding the company’s refusal to comply with a data subject access request. Sentient decided to restrict the data subject’s right of access, believing that the right of access does not apply to data that consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. The regulator clarified that the rule applies to some documents, but not personal data therein, such as communications that were not made for the dominant purpose of obtaining or providing legal advice. Also,  professional legal privilege cannot be applied retrospectively.

Data security: data put online by hackers, SMEs, IoT, and ZTA in a mobile world

The French privacy regulator CNIL notes a clear increase in data breach notifications, nearly half resulting from ransomware attacks. In some cases, users’ personal data may be put online by hackers. If a violation concerns you, the responsible body must inform you as soon as possible. The CNIL is not able to tell you if a breach impacts your data. Some websites indicate that they hold the data and can tell you whether or not you are concerned. The CNIL advises against using them. 

The German federal office for information security has published a guide on cybersecurity for small and medium-sized enterprises. It offers SMEs an easy-to-understand introduction to improving their cyber security level because information security is the prerequisite for secure digitisation. It starts with the most important basics of IT security – briefly and concisely based on 14 questions. Among other things, it provides information on who is responsible for information security in the company, why patches and updates should be installed regularly, why an anti-virus program is necessary, and why data backup is so important.

Zero trust architecture, (ZTA), is not a new concept, but there is renewed interest in implementing zero-trust principles for an organization’s mobile administrators, states the US NIST. Due to the pandemic, many employees have transitioned to remote/telework options. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere. In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen.

The NIST IoT Cybersecurity Program also released two new documents:

Big Tech: Uber, Optus, and TAP cyberattacks, World Cup data analysis app

Uber’s EXT contractor had their account compromised by an attacker. The attacker likely purchased the contractor’s Uber corporate password on the dark web after their device had been infected with malware. The attacker then tried logging in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, the contractor accepted one, and the attacker successfully logged in. From there, the attacker accessed other employee accounts which gave the attacker permission to use several tools, including G-Suite, and Slack. 

Sensitive information about TAP Air Portugal’s customers also has been shared on the dark web after a cyberattack. The attackers were booted from the system but not before gaining access to sensitive data, including name, nationality, gender, date of birth, address, email, telephone contact, customer registration date, and frequent flyer number. It is unclear how long the hackers had access to the system. However, the airline has assured its passengers that the breach has not affected their flights. 

Australia’s major telecommunications company Optus experienced a cyberattack that leaked personal data of up to 10 million customers, in one of Australia’s biggest cybersecurity incidents. An offshore-based entity, possibly in Europe, had broken into the company’s customer information database, accessing home addresses, driver’s licenses, and passports. Stolen customer data and credentials may be sold through several forums including the dark web.

World Cup players to get FIFA data analysis app. Players at the finals will be able to browse their performance data on a purpose-built app developed by the governing body which allows footballers of all 32 teams access to analysis and information. The data will be synced with a video of the action to allow a quick assessment of key moments. While such data and metrics are widely available to players with the top clubs and national sides, who employ teams of analysts, the app will ensure teams with fewer resources compete on a level playing field, Reuters reports.

Weekly digest December 13 – 19, 2021: Grindr’s privacy fine, guide for SMEs and developers, 5G smart factories
https://techgdpr.com/blog/weekly-digest-20122021-grindr-privacy-fine-guide-for-sme-and-developers-biometrics-5g-smart-factories/
Mon, 20 Dec 2021 11:06:05 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Grindr’s privacy fine in focus

Norway’s data protection authority has handed Grindr, the world’s largest social networking app for LGBTQ people, an over 6 mln euro privacy fine for disclosure of user data to third parties for behavioural ads without a legal basis. The offenses were committed before April 2020, when its terms of use and consent management platform were updated. In 2020, the Norwegian Consumer Council filed a complaint against US-based Grindr, saying the app had illegally shared users’ GPS locations, IP addresses, ages, gender, and use of the app. Last week the regulator stated that Grindr shared such data through software development kits included in the Grindr app, often used to facilitate communication between the apps and the advertising vendors. At the same time, Grindr failed to comply with most of the requirements for freely given, specific, informed and unambiguous consent and its withdrawal for such data sharing:

  • users were forced to accept the privacy policy through the previous CMP in its entirety to use the app;
  • the consents for sharing data with its advertising partners that Grindr collected were bundled with acceptance of the privacy policy as a whole (users were not asked specifically if they wanted to allow their data to be shared with third parties ads);
  • the information about the sharing was not properly communicated to users;
  • refusing consent was dependent on the user’s patience and technological understanding, and it did not demonstrate a fair, intuitive and genuine free choice.

Grindr argued that users who pressed “Cancel” when asked to accept the privacy policy could upgrade to the paid version. However, the regulator pointed out that, at the time of registration, the users were not given the choice to opt for the paid version of the app. The user would first have to go through the above-described consent mechanism. It was only after this process that the user could decide to upgrade to the paid version.

Grindr also argued that its advertising partners – in the event they would ever theoretically receive sensitive personal data – must “blind” themselves pursuant to Art. 25 of the GDPR, (Data protection by Design and by Default). Participants in the ad tech ecosystem would likely only receive a “blinded” app-ID and not the corresponding app name. However, in a different statement, Grindr also recognised that “all apps and all websites that serve advertising necessarily share the identity of the app and/or the website with their advertising partners. Simply put, it is highly unlikely any advertiser would purchase advertising on an unknown app or an unknown website.” 

The Norwegian regulator, however, stated that even if the app-ID in some instances was “blinded”, the recipient could still receive keywords relating to the Grindr app. As an example, OpenX, which Grindr considers to be its processor, appended keywords “gay”, “bi” and “bi-curious” in ad calls. This would have a similar effect to disclosing that the data subject is a Grindr user, and also constitute processing of personal data “concerning” an individual’s “sexual orientation” (Art. 9 of the GDPR). Read a 70-page fine notice of the Grindr case (available in English) with more facts and relevant GDPR provisions explained.

Data breaches, investigations and enforcement actions: ransomware attack, Clearview AI, children’s data

In Finland, a psychotherapy center was issued a privacy fine over a failure to properly secure the processing of personal data and to report a security breach. The company notified the data protection commissioner in September 2020. The company had found a blackmail message: the patient database had been uploaded to the attacker’s servers and a ransom was demanded to recover the lost data. A sample of the patient database was attached to the threat letter. Later it became clear that the hacking had probably already taken place in 2018, and another hack took place in 2019 due to the poor protection of the patient information system. The data protection impact assessment carried out by the respondent also did not meet the requirements of Art. 35 (7) of the GDPR. Finally, the company did not have a documented notification procedure in place at the time of the security breaches.

French regulator CNIL has ordered US-based Clearview AI, a facial recognition company that has collected billions of publicly-available images worldwide, to stop illegal use of biometric data from people in France and delete it within two months. The UK Information Commissioner’s Office, which worked with the Australians on the Clearview investigation, also said last month it intended to fine Clearview 17 mln pounds for alleged breaches of data protection law.

California-based online advertising platform OpenX Technologies will be required to pay 2 mln dollars to settle Federal Trade Commission allegations that the company collected personal information from children under 13 without parental consent, a direct violation of a federal children’s privacy protection law. The FTC also alleged that despite offering an opt-out option, OpenX collected geolocation information from users who specifically asked not to be tracked. The FTC’s investigation reviewed hundreds of child-directed apps with terms that identified the intended audience as “for toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings for the apps indicating they were directed to children under 13. However, these apps and their data were not flagged as child-directed and participated in the OpenX ad exchange, according to the FTC. 

Legal processes and redress: LED, DMA, DSA, US/AU Cloud Act 

The EDPB published its contribution to the EU Commission’s evaluation of the Data protection Law Enforcement Directive (LED). It is a piece of EU legislation, parallel to the GDPR, which also came into effect in 2018. LED aims at supporting the possibility of police authority co-operation through the exchange of personal data. Previously, EU legal instruments in this area have been limited to data protection rules for EU agencies, large scale IT systems established under EU law or cross-border exchanges of personal data in the context of police and judicial cooperation in criminal matters. However, new legislative and technological developments in the processing of data for law enforcement purposes have increased the workload of EDPB members. Also, data protection authorities may often have to balance their resources between supervision of the GDPR and the LED, noting: “more crucial than the number of available staff are the skills of the experts, who should cover a very broad range of issues – from criminal investigations and police cooperation to big data analytics and AI”.

The EU Parliament is ready to start negotiations with the Council on the Digital Markets Act (DMA). The text, now approved by MEPs, blacklists certain practices used by large platforms acting as “gatekeepers” and enables the Commission to carry out market investigations and sanction non-compliant behaviours. Core services will include not only social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services, but also web browsers, virtual assistants and connected TV. The approved text also includes additional requirements on:

  • the use of data for targeted or micro-targeted advertising and the interoperability of services, (eg, number-independent interpersonal communication services, social network services);
  • the option for users to uninstall pre-installed software applications, such as apps, on a core platform service at any stage.

The text approved will be Parliament’s mandate for negotiations with EU governments, planned to start in the first semester of 2022. The Digital Services Act (DSA) – a parallel proposal to regulate online platforms dealing with, among other issues, profiling algorithms, deceiving or nudging techniques to influence users’ behaviour through “dark patterns” – is due to be put to the vote in plenary in January. Read also the latest analysis of the DSA’s possible effect for EU residents’ fundamental rights and freedoms by Baker McKenzie.

Meanwhile, Australia and the US signed a Cloud Act deal to help law enforcement agencies demand data from tech giants, the Guardian reports. It will allow Australian and US law enforcement agencies to use existing warrants to demand information from overseas-based companies and communications service providers, reducing the time taken to obtain information. “It means companies including email providers, telcos, social media platforms, and cloud storage services could soon find themselves answering warrants from law enforcement agencies based in the US or Australia rather than their home jurisdiction”, the Guardian reports.

Official guidance: SMEs, developers, biometrics, cookies

The French regulator CNIL published a new version of its GDPR guide for developers (in French). The new content relates in particular to the use of cookies and other online tracers and on audience measurement solutions. It also draws up a non-exhaustive list of vulnerabilities that have led to data breaches notified to the CNIL, and presents examples of measures that would have made it possible to avoid them. In total, the guide now includes 18 thematic sheets that cover most of the developers’ needs to support them at each stage of their project from identifying and minimizing the personal data collected to preparing for the exercise of data subjects rights, managing the retention periods, and technical implementation of legal bases.

The CNIL is also continuing its action plan to ensure compliance by companies that use cookies. Since May 2021 the CNIL has sent out around 60 formal notices. Online checks have revealed that a number of organizations still do not allow online users to refuse cookies as easily as to accept them. The CNIL decided to send 30 new formal notices. The recent checks observe that:

  • cookies, subject to consent, were automatically placed on the user’s terminal equipment before acceptance;
  • information banners are still not compliant because they do not allow the user to refuse cookies as easily as accepting them;
  • information banners can offer the user a means of refusing cookies with the same degree of simplicity as that provided for accepting them, but the proposed mechanism is not effective because cookies, subject to consent, are still placed after the refusal expressed by the user.

The following are particularly affected by these new formal notices: public establishments, higher education establishments, the clothing industry, transport sector, mass distribution sector, and distance selling sector.

In Germany, the Saxony-Anhalt data protection commissioner published its guide for small and medium-sized companies (in German only). Craftsmen, merchants and freelancers in various industries collect, store and use personal data from customers, employees or suppliers, often in a variety of ways – and must comply with data protection. The State Commissioner has received numerous inquiries from these companies for a long time. 

  • What customer or employee data is a company allowed to collect? 
  • How long may the data be stored? 
  • What should be done when customers exercise their data protection rights or employee data has been encrypted by a cyber attack?

Answers to these and many other typical questions are provided by the State Commissioner in the newly published guide. Read the full text here.

The Belgian data protection authority published its final recommendation on the use of biometrics (in French and Dutch). Biometric data is qualified as a special category of personal data (Art. 9 GDPR). The recommendation includes a general prohibition to process such data, unless a specific ‘derogation’ is granted, either the explicit consent of the data subject, or the necessity for reasons of substantial public interest. Since there is currently no legal norm in Belgian law that authorizes the processing of biometric data for the authentication of individuals, and insofar as explicit consent cannot be invoked, such processing is currently performed without a legal basis. Other key takeaways are:  

  • it is important to consider whether the performance of a contract or the provision of a service is conditioned on the consent being provided. 
  • a presumption of consent not being “freely given”, exists in particular in employer-employee relationships and where a product or service has a (quasi-) monopoly in the market.
  • Purpose limitation, data minimization and proportionality principles are particularly important for the processing of biometric data.
  • Data protection impact assessments will generally be required. 
  • No transition period for companies is provided. 

Opinion: What if your boss was an algorithm?

Privacy International with its partners have teamed up to challenge the unprecedented surveillance that gig economy workers are facing from their employers. They decided to file over 500 data subject access requests, (DSARs), to seven companies – Amazon Flex, Bolt, Deliveroo, Free Now, Just Eat, Ola, and Uber. They also interviewed gig-workers. According to their report, several gig economy employers seem reluctant to fully comply with their data protection obligations. The investigation was unable to obtain information about how algorithms calculate a score which is then used to prioritise dispatch of journeys to drivers. Some companies also failed to provide the guidance documents or location data that is gathered. Finally, the report demonstrates that surveillance is not just vast data collection, but also the use of more invasive technologies. The report provides specific examples where facial recognition technology ended up locking drivers out of their account due to potential identity verification failures.

Data security: Log4j follow up

The EU Commission, the EU Agency for Cybersecurity, CERT-EU and the network of the EU’s national computer security incident response teams have been closely following the development of the Log4Shell vulnerability since 10 December. It is a flaw in the well-known open source Java logging package Log4j, which is maintained by the Apache Software Foundation. Log4j is used in a wide array of applications and web services across the globe. Due to the nature of the vulnerability, its ubiquity and the complexity of patching in some of the impacted environments, it is important that all organisations, especially entities who fall under the Network and Information Security Directive, assess their potential exposure as soon as possible. The latest recommendations so far could be found in:

Big Tech: E2EE, “buy-now, pay-later”, 5G smart factories, smartphones duopoly

Microsoft is rolling out end-to-end encryption, (E2EE), support for Microsoft Teams, the Verge reports. After announcing the feature earlier this year and testing a public preview since October, Teams is getting the E2EE security support for all one-to-one calls. Microsoft currently encrypts data in transit and at rest, allowing authorized services to decrypt content. Microsoft also uses SharePoint encryption to secure at-rest files and OneNote encryption for notes stored in Microsoft Teams. All chat content in Teams is also encrypted in transit and at rest.

US telecom giant Verizon signed a deal with Alphabet’s Google Cloud to use its 5G network and the tech firm’s computing power to offer services such as autonomous robots and smart factories, says Reuters. Telecom companies have been partnering with technology firms to automate businesses and factories to lower costs and speed up data traffic through private 5G networks that do not jostle for speed with others on a public network. Verizon has also been making private 5G deals in several countries and has partnered with other cloud operators such as Microsoft’s Azure and Amazon’s AWS. Reportedly “a camera attached to an autonomous mobile robot will scan packages to maintain inventory and using computer vision, the robot will send details over 5G to an inventory management system, providing real-time analytics”, the companies said.

The US Consumer Financial Protection Bureau, (CFPB), asked five “buy-now, pay-later” companies – Affirm, Afterpay, Klarna, PayPal and Zip Co – for information on their business practices, amid concerns that the financial products are putting consumers and their data at risk. The CFPB is concerned about “accumulating debt, regulatory arbitrage, and data harvesting” and is seeking data on the risks and benefits of the products. As an example, a recent survey by personal finance company Credit Karma found that one-third of US consumers who used “buy-now, pay-later” services have fallen behind on one or more payments, and 72% of those said their credit scores declined.

Apple and Google have a “vice-like grip” over people’s mobile phones and their duopoly over the market should be investigated by the proposed new regulator, says the UK’s competition authority, the CMA. The two companies effectively control users’ mobile phone experience in the UK, with their operating systems installed on 99.45% of all phones in the country: “Once a consumer buys a phone they are essentially wedded to the ecosystem of one of the two companies – Apple’s App Store or Google’s Play Store and their respective web browsers Safari or Chrome”. The new Digital Markets Unit, (DMU), which will be part of the CMA, has been set up in shadow form until the government officially grants it regulatory powers. The DMU will enforce a code of conduct that the tech giants must follow when dealing with rivals and third parties. The code will affect only those companies deemed to have strategic market status, although no tech firms have been officially awarded that status yet, the Guardian reports.
