Legal processes and redress: gatekeeper obligations, US adequacy decision, Google litigation, UK data protection reform, Quebec privacy laws

Gatekeeper in the EU: The European Commission has designated, for the first time, six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft – under the Digital Markets Act. They will now have six months to ensure full compliance with the DMA obligations for each of their designated core platform services. This includes a list of do’s and don’ts: 

• allowing third parties to inter-operate with the gatekeeper’s own services,
• enabling end users to unsubscribe from the gatekeeper’s main platform services as simply as they subscribe to them, 
• giving companies that advertise on a gatekeeper’s platform access to the gatekeeper’s performance measurement tools and information, allowing advertisers and publishers to undertake their independent verification of advertising hosted by the gatekeeper, and
• a ban on tracking end users outside of the gatekeepers’ core platform service for targeted advertising without effective consent having been granted. 

EU-US DPF application: The German Data Protection Conference publishes application instructions for the EU-US Data Privacy Framework. The document contains, on the one hand, information for data exporters, those data controllers and processors who transfer data to the US. On the other hand, individuals can find out what legal protection and complaint options they have. This includes links to numerous materials, for example from the EDPB. At this point, the adequacy decision applies to EU law. However, given the previous adequacy decisions for the US that were declared invalid, many want to know whether the new adequacy decision will suffer the same fate as Safe Harbor and the Privacy Shield. 

In addition to the planned evaluations by the EU Commission, which can result in adjustments or a repeal, there are options for a judicial review of the new adequacy decision. For instance, on 6 September, a French member of parliament, who is also a member of the data protection authority CNIL, requested that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects by US companies, as well as a violation of the GDPR’s minimisation and proportionality principles due to the access and use of EU personal data for the US security purposes. 

Google taken to court: Alphabet’s Google is facing a class action in the Netherlands brought by non-profit organisations, demanding Google stop its constant surveillance and profiling of consumers and the sharing of data in online ad auctions, and also pay damages to consumers. Allegedly, through its services and products, the tech giant:

• Collects users’ online behaviour and location data on an immense scale, without having provided adequate information about it and without users’ consent.
• Through the use of ‘invisible’ third-party cookies, Google continues to collect data through others’ websites and apps, even when someone is not using its products or services. 
• Continually collects users’ physical locations, even when they are not actively using their devices and think they are ‘offline’. 
• Shares users’ data, including highly sensitive data concerning health, ethnicity and political affiliation, with hundreds of parties through its online advertising platform, (a recent study shows that in Europe, the real-time bidding industry exposes people’s data 376 times a day.) 

In total, Alphabet’s Google faces approximately 25 billion euros in damages claims and regulatory administrative fines over its ad tech practices in Europe, Reuters sums up.

UK data protection amendments:  By the end of the year, the UK government will amend the UK’s data protection legislation by updating the ‘fundamental rights and freedoms’ definition, so it will refer to rights recognised under UK law, rather than retained EU law rights. There is no direct equivalent to the right to the protection of personal data in UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention of Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by UK GDPR, and the Data Protection Act 2018 and will continue to be protected by the Data Protection and Digital Information Bill in the UK’s domestic legislation, states the explanatory memorandum. 

Quebec privacy amendments: On 22 September, the latest set of amendments (Bill 64) to Quebec’s Privacy Act will come into force. Some of the major updates include strengthened privacy rights for individuals and several controller requirements, such as a new consent and cookies management framework, privacy policies, risk assessments, rules on automated decisions, cross-border transfers, and monetary penalties. Previously companies were also obliged to designate privacy officers, conduct mandatory breach reporting, and register their biometric information systems while receiving some exceptions to the consent requirement, (under commercial transactions and research and statistical purposes). 

Official guidance: ‘sharenting’, online exams, smart data sandbox, right to object

‘Sharenting’ children’s data: The Italian data protection authority has prepared tips for parents to limit the online dissemination of content concerning their children. The neologism, coined in the US, derives from the English words “share” and “parenting”. It has been a phenomenon that has been under the attention of the Guarantor for some time, especially due to the risks it entails on the digital identity of the minor and therefore on the correct formation of their personality. When something appears on a screen, not only can it be captured and reused without our knowledge by anyone for improper purposes or illicit activities, but it contains more information than we think, such as geolocation data. If you decide to publish images of your children, it is important to at least try to follow some precautions, such as:

• make the minor’s face unrecognizable, (by simply covering the faces with the emoticon “smiley”);
• limit the visibility settings of images on social networks only to people who know each other or who are trustworthy and who do not share without consent in the case of sending via an instant messaging program;
• avoid creating a social account dedicated to the minor;
• read and understand the privacy policies of the social networks on which we upload photographs, videos, etc.

Online proctoring: The use of digital distance learning by public and private higher education institutions is becoming more widespread. With the remote monitoring devices used in this context being intrusive by nature, the French data protection regulator CNIL reiterates the obligations under the GDPR: For instance, institutions organising examinations, as well as any subcontractors, (e.g. remote monitoring solution providers), should assure candidates that their data will not be used for any purpose other than taking and proctoring a remote examination. Also, examination modalities allowing remote validation of skills without the use of remote monitoring devices should be given priority where possible. 

In general, taking proctored exams remotely should be an opportunity for students, not an obligation. In this case, a face-to-face alternative should be offered to candidates, (except in specific cases, such as a health crisis or for institutions that have made distance learning the very essence of their organisation). Students should be informed as soon as possible of the conditions for implementing remote monitoring so that they can make their choice with full knowledge of the facts. Institutions and organisations should ensure that devices used for remote monitoring are compatible with the equipment available to students, that they do not pose security risks to students and that the necessary software can be easily installed and uninstalled. Read the full guidance, (in French), here. 

Smart Data: The UK Information Commissioner’s Office has published the Regulatory Sandbox Final Report for Smart Data Foundry. The sandbox specifically targets projects operating within challenging areas of data protection. Smart Data Foundry’s product is comprised of two parts. The first is the research facility, and the second is the innovation service which provides synthetic data for further research opportunities. There are broadly speaking two approaches to the creation of these synthetic datasets:  

• Using simulation – known as ‘agent-based modelling’ – where data is generated from approximations and predictions of behaviour using characteristics given to a computer-generated population to understand how they would interact. This processing does not use personal data beyond some aggregate information generated from real data to test and improve parameters. This is the synthetic data approach that Smart Data Foundry is already using. 
• Using ‘learning-based’ synthetic data generation to create synthetic doubles of existing datasets utilising differential privacy and modern learning-based approaches which aim to learn all the meaningful patterns in data, and use this learnt knowledge of patterns in the original data to generate new data that exhibit similar patterns, without recreating any input data. 

To understand key data protection considerations in such scenarios, read the full report. 

Right to object to data processing: The right to object gives a person the opportunity to request the termination of the processing of their data if it is processed for the following purposes: a) for legitimate interests of the data controller including marketing, as well as in the case of automated decision-making, b) in the public interest and c) for scientific or historical research and statistics. To exercise your right to object, you should:

• Identify the data controller, (It can be a natural person, company, organisation or state administrative body.)
• Contact the controller in writing, (recommended), and clearly state that you are exercising your right to object to the processing of your data. Please specify which processing operations you object to.
• State the reason. The reason and the characteristics of your special situation require the manager to evaluate the necessary changes in data processing and whether, by continuing data processing, you as a data subject will not have your rights infringed. 
• Wait for the answer. The administrator is obliged to respond to your request within a month. This must either stop the processing of your data to which you have objected or provide a valid reason for continuing the processing.

Enforcement decisions: fertility apps, Chinese academic database, Meta ban in Norway, waste collection and the GDPR

Fertility apps checks: The Information Commissioner’s Office is reviewing period and fertility apps available in the UK as new figures show more than half of women have concerns over data security. A poll commissioned by the regulator revealed women said transparency over how their data was used and how secure it was were bigger concerns than cost and ease of use when it came to choosing an app. The poll showed a third of women have used apps to track periods or fertility. The research also showed over half of people who use the apps believed they had noticed an increase in baby or fertility-related adverts since signing up. While some found the adverts positive, 17% described receiving these adverts as distressing. The ICO is now urging users to come forward to share their experiences through a survey in a call for evidence. 

Chinese academic database: The China Cyberspace Administration announced that the China National Knowledge Infrastructure, (CNKI),  has been fined approx. 6 million euros for illegally collecting and processing personal information. The operators collected users’ personal information without consent on the 14 CNKI-related apps that failed to publicly disclose or state collection and usage rules, did not provide an account cancellation function, and illegally kept their information after the users closed their accounts. CNKI is one of the biggest Chinese academic information gateway websites. It has over 1,600 institutional clients in 60 countries and regions, as well as 32,000 institutional customers from diverse sectors on the Chinese mainland. Top universities, research institutions, government think tanks, corporations, hospitals, and public libraries are among the primary consumers.

Waste disposal and the GDPR: A fine of 45,000 euros was imposed by the Italian privacy agency on a Sicilian municipality for having installed cameras to control the collection of waste. The municipality had appointed two companies, also sanctioned by the guarantor, to purchase, install and maintain fixed cameras, and to collect and analyse the videos relating to violations. The authority’s intervention follows reports from a citizen who complained about receiving some fines for having disposed of unsorted waste incorrectly. 

The monitoring was carried out without the citizens having been adequately informed of the presence of the cameras and the processing of the data. The municipality had placed a sign directly on the dumpster, which was not easily visible and lacked the necessary information. Furthermore, the municipality had not identified the data retention periods and had not appointed, before the start of the processing, the two aforementioned companies as data processors.  

Meta ban confirmed: The Norwegian data protection authority won against Meta in court. In July, the regulator made an emergency decision on a temporary ban on behaviour-based marketing on Facebook and Instagram, which involves very intrusive monitoring of users. The regulator therefore decided on a compulsory fine of approx. 90,000 euros per day if the ban was breached. The penalty was set to start on 14 August. However, Meta has petitioned the Oslo District Court for a temporary injunction. In the ruling, the court stated that the Norwegian data protection authority’s decision was valid and that there was no reason to stop it. In addition to this case, Meta has submitted several administrative complaints against the Norwegian Data Protection Authority’s decision. Those processes are ongoing. 

DNA data and transparency obligations: The US Federal Trade Commission finalised an order with 1Health.io, that settles charges that the genetic testing firm left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying consumers and obtaining their consent. The company failed to keep its promises to only share consumers’ sensitive data in limited circumstances, to destroy customers’ DNA samples shortly after they had been analyzed, to not store DNA results with a consumer’s name or other identifying information, and to remove such data from its servers upon consumers’ request. 

Data security: automotive industry

Automotive cybersecurity: The Federal Office for Information Security in Germany published a report on the status of cybersecurity in the automotive industry. The greatest damage in the automotive industry comes from cybercriminal “double extortion” – ransomware and data leaks. The report contains:

• Assessments of the cybersecurity of production systems and processes.
• Advice on exploiting security vulnerabilities for car theft and unauthorized opening of vehicles.
• Description of attacks on vulnerabilities in the communication protocol or other security mechanisms used to control charging processes between electric vehicles and their charging stations.
• Assessments of new legal regulations and standardization activities.
• Outlook on technological and regulatory developments that will be important in the coming years, (the industry is affected by the EU NIS 2 Directive as a critical sector).

According to the Associated Press’s recent publication, automakers are failing the privacy test, and owners have little or no control over the data collected. The nonprofit Mozilla Foundation’s newest “Privacy Not Included” study states that security requirements are a major worry considering manufacturers’ record of vulnerability to hacking. The minimal privacy criteria were not fulfilled by any of the 25 automobile companies whose privacy notices were assessed in Europe and North America. This outcome is significant for over a dozen other product categories, including fitness trackers, reproductive health applications, smart speakers, and other connected household products. 

Big Tech: ads-free Facebook and Instagram, the Privacy Sandbox

Paid Facebook and Instagram: Meta may allow Facebook and Instagram users in the EU to pay to avoid ads as a response to scrutiny from privacy regulators. Those who pay for the subscriptions would not see ads while Meta would also continue to offer free versions of the apps with ads in the EU. Previously users had effectively agreed to allow their data to be used in targeted advertising when they signed up to the services’ terms and conditions until the lead Irish regulator ruled it could not process personal information in that way. Therefore Meta also proposed offering EU users a new opt-in consent mechanism for receiving targeted ads. Reportedly, it would be updated to offer users a “yes or no” option for opt-ins across its platforms. 

Privacy Sandbox ‘availability’: Finally, the Privacy Sandbox for the Web reaches general availability on Chrome for relevance and measurement APIs. General availability means advertising providers and developers can now scale usage of these new technologies within their products and services, as these are now available for the majority of Chrome users. Google also rolled out new Ad privacy controls in Chrome that allow people to manage how the Privacy Sandbox technologies may be used to deliver the ads they see. These controls allow users to tailor their experience by customising what ad topics they’re interested in, what relevance and measurement APIs they want enabled, and more. Starting in Q4 of 2023, Google will enable the industry to bolster their testing efforts with the ability to simulate the deprecation of third-party cookies for a percentage of its users. Then, in Q1 of 2024, it will turn off third-party cookies for 1 per cent of all Chrome users for effectiveness testing.

The post Data protection digest 1 – 14 September 2023:  gatekeeper obligations, synthetic datasets, automotive cybersecurity appeared first on TechGDPR.

Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals

The UK Financial Conduct Authority, (FCA), issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case for synthetic data, in part due to its ability to augment rare patterns of behavior in a dataset. Whilst the data protection legislation places conditions on such data processing, the FCA emphasizes that data sharing between different entities, (eg, access to the real datasets, as well as synthetic transactional datasets with embedded fraud typologies), is possible under the current regulatory framework if at least one lawful basis is met, accompanied by built-in privacy by design, data protection impact assessments, data sharing agreements, and other legal requirements.

The European Parliament adopted the draft Data Act – new rules for fair access and use of industrial data. It would contribute to the development of new services, in particular in the sector of AI where huge amounts of data are needed for algorithm training. It can also lead to better prices for after-sales services and repairs of connected devices. When companies draft their data-sharing contracts, the law will rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies that are in a significantly stronger bargaining position. Finally, the proposed act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers.

The CJEU rendered two decisions regarding the procedures for dismissing data protection officers and their potential conflicts of interest, (under the German Federal Data Protection Law), insideprivacy.com reports. In the relevant cases, the DPO also handled other organisational duties in a professional capacity. The data controllers argued that since those positions were incompatible, (chair of the work council in one of the cases), the DPO’s dismissal was appropriate. The former DPO started a legal action which ended up in the EU top court. 

However, the CJEU determined that as long as the national laws do not undermine the goals set for DPOs under the GDPR, EU member states may require that DPOs be dismissed for “just cause”. It is also for the national courts to decide whether a conflict of interest existed taking into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in light of all the applicable rules, including any policies of the controller or its processor.”

Official guidance: MS Excel, research projects, free data protection tool, game developers

Bavaria’s data protection authority explains how to avoid data breaches when using Microsoft Excel. It is not uncommon for users to encounter the program intuitively; Contrary to the primary purpose, Excel is often used when the number of columns in Word is not sufficient. However, if there is personal data in an Excel workbook, improper handling of the application can easily trigger a data breach. Excel workbooks can contain multiple worksheets, (the number is only limited by the available memory), even if you don’t work regularly with such “multi-sheet” workbooks yourself. Be especially careful with Excel files created by others, as Excel workbooks can contain invisible worksheets, as well as columns, rows, or even individual cells, comments, and metadata. It is worth remembering:

• before sharing an Excel workbook with personal information, especially before attaching it to an email, make sure that you really want to share everything;
• consider whether the file should be processed further by a recipient, otherwise;
• send a PDF version that can be checked for hidden data before sending;
• if possible, consistently delete the worksheets that are no longer required;
• before creating a new workbook with multiple worksheets, consider whether you can complete the task with multiple single-sheet workbooks;
• consider whether you need Excel for the task to be completed or whether a “simple” resource, (eg, a word processing program), will suffice.

If not careful, an Excel data breach can trigger the reporting obligation under Art. 33 of the GDPR, and the notification obligation under Art. 34 of the GDPR.

Meanwhile, the Danish data protection authority has amended rules for deleting personal data at the end of research projects. Data controllers may have a legitimate need to process information for a period after the end of the investigation, (eg, for the purposes of peer review or countering accusations of scientific misconduct), so data should not always be deleted, anonymised, destroyed or returned at the end of a research project. Personal data can be transferred for storage in an archive in accordance with the rules in archive legislation. In addition, in some research areas, work is done with ongoing coverage of research fields, and building of relationships or data material, where it is not meaningful to talk about a project being “finished”. 

The Finnish data protection authority is promoting its data protection tool available as open source code to increase the data protection expertise of SMEs. You can familiarise yourself with the tool (in English) here. With the initial level test, the respondent can first check how well they control the basic issues of the data protection regulation. The role-mapping test helps the respondent to define what role the company plays in regard to the processing of personal data. Each role also has its own tests. The source code and content of the data protection tool are for free use, to further develop a company or industry-specific privacy tool or to produce new language versions, or even in commercial applications.

Finally, the UK Information Commissioner’s Office offers new guidance to game developers on protecting minors. The recommendations are based on the experiences and findings during a series of voluntary audits, (eg, on Yubo, Facepunch), of game developers, studios and publishers within the gaming industry: 

• The age range of the players and the different needs of children at different ages and stages of development should be at the heart of how you design your games. 
• Designing games to promote meaningful parent/guardian – child interactions, while setting a high level of privacy by default and appropriate parental controls is key.
• It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing. 
• It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.
• Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents, and game providers.

Investigations and enforcement actions: employee emails monitoring, failed data subject requests at a sports center, HBNR and BIPA violations in the US, student data management

In Austria, the data protection authority finds employer’s monitoring of employee emails unlawful. Several complainants argued that the company, without their consent and knowledge, checked the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was the suspicion of a breach of trade secrets. The data protection authority came to the conclusion that the control measure, which only took place six months after the incident that gave rise to it, was not proportionate due to the lack of a temporal connection and the topicality. Plus, there was no valid consent from the works council. 

The Norwegian data protection authority confirmed its fine of over 900,000 euros to Sats for breach of several provisions in the GDPR. The complaints were related to the company’s failure to comply with clients’ demands for access and deletion. Furthermore, the fitness centre chain lacked the authorisation to process data about the customers’ training history. Sats is the Nordic region’s largest fitness center chain and has its head office in Norway.  Therefore the Norwegian regulators dealt with the case in collaboration with other supervisory authorities under the so called one-stop-shop mechanism.

In the US, the Illinois Supreme Court ruled that fast food chain White Castle System must face claims that it repeatedly scanned the fingerprints of nearly 9,500 employees without their consent, (to access a company computer system), which the company says could cost it more than 17 billion dollars. The Illinois Biometric Information Privacy Act, (BIPA), imposes penalties of 1000 dollars per violation and 5000 dollars for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans, and other biometric information from workers and consumers. 

Also in the US, the Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification, (HBN), Rule against the telehealth and prescription drug discount provider GoodRx Holdings, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. 

From 2021 US health apps and smart products that collect or use consumers’ health information must comply with the HBN Rule. It ensures that entities not covered by the Health Insurance Portability and Accountability Act, (HIPAA), face accountability when consumers’ sensitive health information is breached. In the above case, GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the HIPAA.

The French privacy regulator CNIL gave formal notice to two higher education institutions to comply with the GDPR concerning files used for administrative and pedagogical management. Areas of non-compliance include data retention period, student information, use of subcontractors, and data security:

• they had not provided a precise retention period for all processing of students’ personal data, nor have they provided for a purge and archiving system;
• they do not properly inform students about the collection of their data via the various forms they fill out during their schooling;
• they were not able to send the CNIL the duly signed data processing agreements with subcontractors;
• they had no password policy to guarantee a minimum level of security in this area.

Data security: messaging apps

Privacy International issued a guide on communicating with others via messaging apps. Reportedly, there are two main aspects to consider: a) whether it offers end-to-end encryption that protects the content of your communication; and b) whether it collects any information beyond the content of the message, such as location, who you communicate with, and other details referred to as ‘metadata’. For sensitive conversations, it may be sensible to use disappearing messages if offered by your app, (however, it is unclear whether self-destructing messages are also recoverable by mobile phone extraction technology).

The use of E2EE for messaging should always be preferred over text messages, which are completely unencrypted meaning they can be easily read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement. For example, Signal uses E2EE not only to encrypt the contents of messages but also to obscure all metadata even from itself. In contrast, both WhatsApp and Telegram store, and can access IP addresses, profile photos, “social graphs”, and more.

Big Tech: Palantir technology ban in Germany, more Tik Tok data centers in Europe

A top German court ruled against the use of software developed by the Palantir Technologies, saying that police use of automated data analysis to prevent crime in some German states was unconstitutional as it infringes on the right to informational self-determination. The US-based technology has so far been employed, among other things, to look into the criminal organisation accused of plotting to overthrow the German government in December, Reuters reports. Palantir says it only offers software for processing data. However, the German Society for Civil Rights, which brought the lawsuit, claimed the software used data from innocent people to form suspicions and could produce errors.

TikTok plans to open two more data centers in Europe, (Ireland), hoping to lessen regulatory pressure on the business. Data migration for TikTok users in Europe will start this year and last until 2024. TikTok hasn’t been subject to the same hefty fines as Google and Meta in the EU. Now TikTok is attempting to reassure governments and privacy regulators that users’ personal information cannot be accessed and that its content cannot be altered by the Chinese government or anyone else working for Beijing. 

The company also reported an average of 125 million monthly active users in the EU, under the brand-new online content rules known as the Digital Services Act. For comparison, Twitter says it has 100.9 million. Alphabet – 278.6 million at Google Maps, 274.6 million at Google Play, 332 million at Google Search, 74.9 million at Shopping, and 401.7 million at YouTube. The Meta Platform claims 255 million on Facebook and about 250 million on Instagram.

The post Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban appeared first on TechGDPR.