tech vendor Archives - TechGDPR
https://techgdpr.com/blog/tag/tech-vendor/

Data protection digest 18 Feb – 2 Mar 2024: web browsing data for sale, banking sector outsourcing, cybersecurity core 2.0
https://techgdpr.com/blog/data-protection-digest-05032024-web-browsing-data-for-sale-us-restricted-data-transfers-and-cybersecurity/
Tue, 05 Mar 2024 10:51:50 +0000

This issue highlights how web browsing data, non-anonymised according to America’s FTC, was sold worldwide in the Avast/Jumpshot case, the EDPB’s new enforcement action on the right of access, cloud outsourcing in the banking sector, the NIST’s new cybersecurity framework for all organisations, and federated learning analysis.

Web browsing data for sale

The UK software provider Avast will have to pay 16.5 million dollars to the US Federal Trade Commission, and the business will not be allowed to sell or license any web browsing data for advertising purposes. Avast Limited, a UK-based firm, obtained customer surfing data unjustly through its antivirus software and browser extensions, retained it indefinitely, and sold it without providing consumers with sufficient notice or asking for their consent. The company also did this through its Czech subsidiary. 

Following its acquisition of rival antivirus software supplier Jumpshot, Avast renamed the business as an analytics firm. Jumpshot sold surfing data that Avast had gathered from users between 2014 and 2020 to a range of customers, including marketing, advertising, and data analytics firms as well as data brokers. The business said that before sending the data to its clients, it eliminated identifying information using an algorithm. 

However, according to the FTC, the business did not adequately anonymise user web browsing data that it sold through a variety of products in non-aggregated form. The FTC also says the business did not prohibit some of its data purchasers from using Jumpshot’s data to re-identify Avast users. For instance, Jumpshot allegedly signed a deal with advertising giant Omnicom for a supply of an “All Clicks Feed” for 50% of its clients in the US, UK, Mexico, Australia, Canada, and Germany.

Americans’ sensitive data

The US seems to have increased regulations on restricted cross-border data transfers due to national security concerns. 

President Biden issued an Executive Order to protect Americans’ sensitive personal data. It will prevent the large-scale transfer of America’s sensitive and government-related data to countries of concern, (reportedly they are China, Cuba, Iran, North Korea, Russia and Venezuela), and prohibit commercial data brokers and other companies from selling biometrics, healthcare, geolocation, financial and other sensitive data to countries of concern, or entities controlled by those governments, intelligence services and militaries. 

The US Justice Department’s National Security Division has already published an Advance Notice of Proposed Rulemaking to provide transparency and clarity about the intended scope of the program. It would include six defined categories of bulk US sensitive data – US persons’ covered personal identifiers, personal financial data, health, precise geolocation data, biometric identifiers, human genomic data, and combinations of those data. The security requirements for certain data classes of transactions would include: 

  • basic organisational cybersecurity posture,
  • measures against unauthorised disclosure, 
  • data minimisation and masking,
  • use of privacy-preserving technologies,
  • compliance requirements and audits.

The Department of Justice is also considering identifying three classes of restricted data transactions: a) vendor agreements, (including for technology services and cloud services), b) employment agreements, and c) investment agreements. Nonetheless, the order program is without prejudice to the free flow of data necessary for substantial consumer, economic, scientific, and trade relationships that the US has with other countries. 

Other official guidance

The EDPB’s new enforcement action: 31 data protection authorities across the EEA, (DPAs), including 7 German state-level regulators, will participate in the 2024 enforcement action, (a mixture of surveys and formal investigations), on implementing the right of access. It is one of the most frequently exercised data protection rights, and one about which DPAs receive many complaints. In addition, it often enables the exercise of other data protection rights, such as the right to rectification and erasure. To understand how organisations must respond to access requests from individuals, see the EDPB’s latest guidelines on the right of access.

Generative AI and data protection: In the UK, the House of Lords Communications and Digital Committee has published a report on large language models, (LLMs). These may have personal data in their training sets, drawn from proprietary sources or information online. Safeguards to prevent inappropriate regurgitation are being developed but are not robust. Data protection in healthcare attracts particular scrutiny as some firms are already using the technology on NHS data, which may yield major benefits. 

But equally, models cannot easily unlearn data, including protected personal data. There may be concerns about these businesses being acquired by large overseas corporations involved in, for example, insurance or credit scoring. Clear guidance is needed on how the data protection law applies to the complexity of LLM processes, including the extent to which individuals can seek redress if a model has already been trained on their data and released. Also, data protection provisions have to be embedded in licensing terms.

Consent principle

It is not always necessary for a company or an authority to obtain your consent before they can handle your data, explains the Danish data protection authority. This is because consent is only one of several legal bases when it comes to the handling of your data. Storage of your information shall cease when you withdraw your consent, but only the information that is handled or processed based on consent.

Information where the legal basis is something else, for example in the case of a commercial contract or employment relationship, can continue to be handled or stored. Consent is also not needed if you, the data subject, are unable to give it, for example, to a healthcare facility due to a serious illness. Public authorities can also process your data for specific tasks, such as handling your tax declarations. Private companies might have some legitimate reasons too, (such as for maintaining user services), but they should not violate your interests or rights.

Finally, a revocation of consent does not have a retroactive effect, and the revocation therefore does not affect the handling of information that took place before.

Rise in outsourcing contracts in the banking sector

The European Central Bank urges supervised institutions to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers. Most banks outsource certain services to take advantage of lower costs, more flexibility and greater efficiency. Considering the relatively stringent data protection regulations in the EU, it is noteworthy that personal data processing is included in 70% of outsourcing contracts, and over 70 major banks contract these vital services out to companies with headquarters located outside the EU, (eg, cloud services in the US, the UK, and Switzerland). 

The ECB discovered that over 10% of contracts concerning essential tasks do not adhere to the applicable requirements. Furthermore, 20% of these non-compliant contracts have not had a rigorous risk assessment during the past three years, and 60% have not undergone an audit.

Starting in 2025, the Digital Operational Resilience Act will go into effect and offer further tools for monitoring important IT service providers, particularly those that ensure the operational resilience of financial institutions.

Illicit marketing

The Italian privacy regulator imposed a fine of over 79 million euros on Enel Energia for serious shortcomings in the processing of personal data of numerous users in the electricity and gas sector, carried out for telemarketing purposes. The case originated from a previous investigation which involved a 1.8 million euro privacy fine on four companies and confiscated databases used for illicit activities. It emerged that Enel Energia had acquired 978 contracts from the above companies, even though these did not belong to the energy company’s sales network.

Furthermore, the information systems used for customer management and service activation by the company showed serious security shortcomings. Enel failed to put in place all the necessary measures to prevent the unlawful activities of unauthorised actors who for years fueled an illicit business carried out through nuisance calls, service promotions, and the signing of contracts with no real economic benefits for customers. Over time it involved the activation of at least 9,300 contracts.

Meanwhile, in California, a company will pay a 375,000 dollar civil penalty after it violated multiple consumer privacy laws. DoorDash is a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery. To reach new customers, DoorDash participated in marketing cooperatives and disclosed consumers’ personal information as part of its membership without providing notice or an opportunity to opt-out. The other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers. 

Data brokerage

Belgium’s data protection regulator recently fined Black Tiger Belgium, (formerly Bisnode Belgium), a company specialising in big data and data management, a total of 174,640 euros. At the time when the complaints were lodged, Bisnode Belgium operated a consumer database and a company database through which Bisnode Belgium offered “Data quality”, (to improve the quality of its customers’ data), and “Data Delivery”, (to provide data to its customers, especially for the implementation of marketing campaigns). These databases consisted of personal data and user profiles from various external sources. 

The regulator received a complaint based on the so-called ‘right of access’ with Bisnode, which allows anyone to request access to the data it keeps about them at any time. The investigation found that the company under its legitimate interest indirectly collected and processed personal data on a large scale, for a long period, (15 years), without the data subjects being informed individually, clearly and proactively about the processing carried out. The company also lacked records of its processing activities. 

Other enforcement decisions

Student privacy vs teachers’ authority: The Icelandic data protection authority ruled on personal data processing by the University of Iceland. According to the complaint, a teacher had monitored a student through the teaching site in the Canvas learning management system. However, the supervisory authority concluded that there was no electronic monitoring, as the teacher’s assessment of the complainant’s activity in the learning management system was not sustained or repeated regularly. It was also considered that the said processing of personal information had been necessary for the university in connection with statutory tasks entrusted to the university by law. 

However, the complainant was not sufficiently informed of the teacher’s ability to examine their use of the Canvas learning management system and make it the basis for grading. The peer assessment of the complainant’s fellow students in a group project was one of the factors that formed the basis of the grading for the assessment component. The University’s processing therefore failed to comply with the transparency requirements under privacy legislation.

Biometric scanning abuse: In the UK Serco Leisure, Serco Jersey and seven associated community leisure trusts have been issued enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. The investigation found that Serco and the trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities. Serco had to record employee attendance to pay workers as per its contractual duties but rejected less invasive options available, including timesheets or electronic cards. Although Serco had indicated that these choices may be abused, it had shown no proof of real, widespread misuse. 

Data security

Password retention guide: Too often identity theft is caused by the use of computer authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen data is used to illicitly enter entertainment sites, (35.6%), social media, (21.9%) and e-commerce portals, (21.2%). In other cases, they allow access to forums and websites of paid services, (18.8%), and financial services, (1.3%). As a result, the Italian data protection authority recently developed an FAQ and more detailed guidelines regarding password storage, providing cryptographic functions currently considered the most secure, (in Italian only). 

Cybersecurity core 2.0: America’s NIST has meanwhile released version 2.0 of its landmark Cybersecurity Framework. The agency has finalised the framework’s first major update since its creation in 2014. Now it explicitly aims to help all organisations — not just those in critical infrastructure, its original target audience — to manage and reduce risks. The framework’s core is now organised around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. The CSF is used widely internationally. Versions 1.1 and 1.0 have been translated into 13 languages, and the NIST expects that CSF 2.0 also will be translated by volunteers around the world. 

Federated Learning

The UK Responsible Technology Adoption Unit, in cooperation with the NIST, published a series of analyses about Privacy-Preserving Federated Learning. Organisations often struggle to articulate the benefits of the approach, associated with machine learning that involves training a model without the centralised collection of training data. This can lead to lower infrastructure and network overheads. However, bespoke privacy infrastructure can introduce additional costs. Plus, there are fewer people with the skills and experience required to design and deploy it. 

On the other hand, federated learning allows organisations to use and monetise data assets that would not have previously been accessible. In removing the need for access to the full data, it protects the value of the data for the data owner. Finally, legal consultation is a necessary cost, but in principle PETs can significantly reduce data protection risks, as when used appropriately, differentially private data can be considered anonymised. 

Weekly digest January 3 – 9, 2022: CNIL fines Google and Facebook for making rejecting cookies difficult
https://techgdpr.com/blog/weekly-digest-10012022-cnil-fines-google-facebook-for-making-rejecting-cookies-difficult/
Mon, 10 Jan 2022 09:54:54 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Enforcement actions: Google, Facebook, FreeMobile, Myheritage, credit assessment by mistake, access rights misconduct

France’s data protection regulator CNIL has fined Alphabet’s Google a record 150 mln euros for making it difficult for users to refuse online trackers known as cookies. Meta’s Facebook was also fined 60 mln euros for the same reason. The CNIL noted that the facebook.com, google.fr and youtube.com sites do not allow users to refuse cookies as simply as to accept them. They offer a button allowing cookies to be accepted immediately. However, to refuse them several clicks are necessary. Since, on the internet, the user expects to be able to consult a site quickly, the fact of not being able to refuse cookies as simply as possible, can influence them to give consent. The two companies have three months to comply with its orders or face an extra penalty payment of 100,000 euros per day of delay. These include the obligation for Google and Facebook to provide French internet users simpler tools for refusing cookies.

The CNIL also imposed a fine of 300,000 euros on Free Mobile, (a wireless service provider), for failing to respect individuals’ rights and to ensure the security of users’ data. The CNIL has received many complaints concerning the difficulties encountered by individuals in a) getting responses to their requests for access, b) objecting to receiving commercial prospecting messages, or c) being billed after subscriptions had been cancelled. Also, the mobile operator transmitted by email, in clear text, the passwords of users when they subscribed to an offer, without these passwords being temporary or the company requiring them to be changed. All the above infringes Art. 12, 15, 21, 25 and 32 of the GDPR.

The Norwegian data protection authority has fined Elektro & Automasjon Systemer, (EAS), 20,000 euros for carrying out an individual’s credit assessment without a legal basis (Art. 6 of the GDPR). The data subject in this case had no customer relationship or other connection to EAS’s business. EAS admitted that the credit check took place by accident, due to the general manager’s lack of understanding of a credit assessment tool, DataGuidance reports. Although EAS did not store the credit information, the damage occurred the moment sensitive data was collected and processed. A credit rating is the result of compiling personal information from many different sources: individuals’ personal finances, payment remarks, voluntary mortgages and debt ratio. The aggravating factors were a lack of technical and organisational measures, and of internal controls and guidelines for when and how a credit assessment can be carried out.

The Spanish data protection regulator the AEPD published a couple of similar decisions, (in Spanish), against deficiencies regarding cookie and privacy policies, including:

  • the owner of a website, who did not provide users with a cookie banner on the main page that allowed an immediate “Reject all” option. It also lacked clear information on user tracking through registration forms, questionnaires and in the comments section, as well as through embedded content from other sites. Also, the privacy policy wrongly identified the data controller. 
  • against Myheritage LTD for similar deficiencies regarding the website’s cookie policy on its Spanish website: the use of non-necessary cookies, no possibility of rejecting them, and a lack of information on cookies used. Additionally, the AEPD found that MyHeritage omitted two pieces of information in its privacy policy – the possibility of exercising the right to data portability and the right to file a claim with the supervisory authority, DataGuidance reports. 

The AEPD also issued a warning to a company for non-compliance with individual rights to access the data and to receive a legally established reply. Under the threat of a fine, the company was forced to complete the process, notify the claimant whether the procedure was approved or denied, or indicate the reasons for which the request was not applicable.

Official guidance: employees access rights, data breach notification, real-world data in clinical study

The French CNIL published its guide, (in French), on the right of employees to access their data. It allows a person to know if data concerning them is being processed and then to obtain the information in an understandable format. This may include the objectives pursued by the use of the data, the categories of data processed, and the other bodies obtaining the data. This process also makes it possible to check the accuracy of the data and, if necessary, to have it corrected or erased. The rules for the procedure always include:

  • verifying the identity of the applicant, (the demand for supporting documents or information must not be abusive, irrelevant and disproportionate to the request);
  • responding to the request free of charge;
  • the right of access relates to personal data and not to documents. However in the case of email combining both is possible – metadata, (time stamp, recipients, etc.), & the content of the email;
  • the right of access must not infringe the rights of third parties, (business and intellectual property secrecy, right to privacy, secrecy of correspondence are regularly invoked by employers to refuse to respond favorably to employees);
  • the anonymisation or pseudonymisation of data relating to third parties constitutes good practice;
  • different rules exist to protect third party interests depending on the role of the person making the request, (when they are a sender or receiver of the information, or they are mentioned in the content of the document).

Emails identified as personal or whose content turns out to be private despite the absence of any mention of personal character, are subject to special protection, the employer not being authorized to access them. Also, an employer may refuse to act on a request for the communication of emails relating to a disciplinary investigation and the content of which, even redacted, could allow the requester to identify persons of whom they should not be aware.

The EDPB published practice-oriented guidelines on examples regarding Personal Data Breach Notification. Their aim is to help data controllers decide how to handle data breaches and what factors to consider during risk assessment, and to suggest organisational and technical measures for preventing and mitigating the impacts of hacker attacks. The document complements the Article 29 Working Party Guidelines and reflects the common experiences of the supervisory authorities across the EEA since the GDPR became applicable. The paper includes 18 case studies from such sectors as hospitals, banking, HR:

  • ransomware, (with or without proper backup/exfiltration, data exfiltration attacks on job application data, hashed passwords, credential stuffing);
  • internal human risks, (by employees, trusted third parties);
  • lost or stolen devices, (encrypted or unencrypted), and paper documents;
  • mailing mistakes, and social engineering, (identity theft, mail exfiltration).

The UK Medicine and Healthcare product regulator, the MHRA, has published its guidance on the use of real-world data (RWD) in clinical studies. RWD is the vast amount of data collected on patients in electronic health records, disease and patient registries, from wearable devices, specialised/secure websites as opposed to being specifically collected in a clinical study. Among many quality provisions the guide demands that the sponsor, (data controller), include a protocol in the study describing the tools and methods for selection, extraction, transfer, and handling of data and how it has been or will be validated. It is essential that processes are established to ensure the integrity of the data from acquisition through to archiving, across different centers and countries, and that sufficient detail is captured to allow for the verification of these activities. Thus, it is important to establish which privacy and security policies apply to the use of the database, interoperability issues, restrictions on the transfer, storage, use, publication and retention of the data, etc. Identical processes would need to be in place for any additional data collected outside of the main source database.

Legal processes and redress: pilot consent e-service, genetic information privacy, medical records snooping incident

The Estonian Information System Authority, the RIA, announced its new consent service that allows companies to ask the state for an individual’s data. An e-service, developed and managed by the RIA, allows a person to give permission to the Estonian State to share their personal data with a certain service provider. First it is being used in the installment application process. If a person gives their consent in the consent service environment, the bank will check the solvency of the person from the database of the Tax and customs board, on the basis of which a data-based decision to allow the person to pay in installments can be made. It will be possible to see all given consents and revoke them at any time. The consent service is currently available to Estonian citizens and requires a valid strong authentication tool (ID-card, Mobile-ID, or Smart-ID).

In California, the Bill for Genetic Information Privacy Act takes effect in January, DataGuidance reports. The Act applies to direct-to-consumer genetic testing companies, and requires such companies to, among many things, comply with a consumer’s revocation of consent, take reasonable measures to ensure that the information cannot be associated with a consumer or household, and publicly commit to maintain and use the information only in de-identified form and not to attempt to re-identify the information, except for required by law compliance checks on the procedure. It must contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household, etc.

The Norwegian Supreme Court recently gave a hospital the right to dismiss an employee who had “snooped” on the medical record of her partner’s ex-wife, and a patient in the same hospital, Lexology website reports. The employee read several documents in the ex-wife’s medical record to avoid meeting her and to find out in which ward she was staying. Before the employer became aware of the snooping incident, the employee held that the ex-wife knew that she had looked at her medical record as she had sent a text message to her, which resulted in a heated exchange. The court concluded that the snooping was a serious and gross breach of duty and trust, and that there were means other than accessing medical records to obtain such information. 

The court assesses, among other things, whether the employer had based its decision on information that the company was aware of at the time of dismissal. In the case at hand, the employer had not referred in its reasoning to the text messages or to the fact that the employee had failed to notify the employer of the unauthorized access to medical files. The court held that both were a natural extension of the violation of the snooping ban. The hospital was therefore still allowed to use this information, even though it did not include it in its reasoning immediately after the employee’s dismissal.

Data security: healthtech vendors

In the US a tech vendor Ciox Health recently reported an email breach that affects dozens of health entities. In its notice, the healthcare information management vendor said an unauthorized person accessed one employee’s email account, potentially downloading emails and attachments, containing all sorts of patient data. However, the employee did not have direct access to any healthcare provider’s or facility’s electronic medical record system. In total, the HIPAA Breach Reporting Tool showed about 700 major health data breaches affecting 45 mln individuals in 2021. Vendor incidents were responsible for nearly 47% of the individuals affected. Among the most critical measures that tech healthcare providers could implement are comprehensive business associate agreements, say US legal experts. The attestation questions in them may include, but are not limited to:

  • Does your organization require annual training for workforce members?
  • Do you undergo an annual risk analysis to evaluate the requisite technical, administrative, and physical safeguards?
  • Do you have business associate agreements in place with all required persons?
  • Is your data encrypted both at rest and in transit?

Also, covered entities should continually monitor industry trends, reassess their business associate/vendor relationships, and keep their board informed about any potential risks.

Big Tech: No-cookie data transfer, cryptominer Norton360, China’s credit scoring and overseas listings, Fisher-Price toy failed privacy

Google’s new patent describes how its technology enables data transfer without cookies, the MediaPost website reports. The US Patent and Trademark Office granted Google a patent describing a web browser-based application programming interface that can control the authorization of data transmissions within a network and attribute a click without using cookies. The system can reduce the number of transmissions that do not result in content for the client device – saving bandwidth and computational resources for the client device. The website can transmit small packets of data to the client device when it visits a website. They can include preferences or session information or can be used to authenticate and maintain a session between the client device and the device hosting the website, according to the patent. The full patent document is available here.

According to the KrebsOnSecurity blog, Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers: “Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove”. Reportedly, there is no way to fully opt out of the program, and the user actually has to dig into NCrypt.exe in their computer’s directory to delete it. Meanwhile, some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

China’s central bank said it will adjust the legal framework around financial credit-scoring if needed, state media reported, an indication authorities may tweak guidelines for fintech firms on the amount and type of user data they can collect. The People’s Bank of China has just implemented new rules around what kinds of data can be collected for credit scoring and clarified what kind of businesses the rules would apply to. It also urged companies to apply for credit scoring licenses and to refrain from excessive collection of user data. AI, blockchain, cloud computing and big data have been developed rapidly over recent years in China, prompting governmental concerns about how private individuals could be affected by the technology, Reuters reports.

China will also order cybersecurity reviews for platform firms seeking overseas listings. The Cyberspace Administration of China said the new rules come into effect on Feb. 15 and apply to platform companies with data on more than 1 million users. However, based on the rules, it remains unclear which types of companies would be affected. The regulator would also implement new rules on March 1 on the use of algorithm recommendation technology to increase oversight of news providers that use the technology to disseminate information. The rules will give users the right to switch off the service if they choose. 

Finally, researchers identified a vulnerability in children’s Bluetooth-connected phones, IAPP News reports. Security researchers at Pen Test Partners found that US Fisher Price Chatter uses Bluetooth Classic with no secure pairing process. When powered on, it just connects to any Bluetooth device in range. Thus, someone nearby could also use the Chatter telephone to speak to and listen to a child in your home, or to bug the neighbors. The attacker can make the Chatter phone ring, so an unsupervised child is likely to answer. While developer Mattel said the Bluetooth pairing times out once a connection occurs or if none is made, TechCrunch claims its attempts found the pairing process did not time out after more than one hour.
