{"id":8040,"date":"2024-02-19T11:51:24","date_gmt":"2024-02-19T10:51:24","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=8040"},"modified":"2025-06-11T14:04:47","modified_gmt":"2025-06-11T12:04:47","slug":"data-protection-digest-19022024-sneakily-changing-terms-of-service-and-privacy-policy-wont-help-your-business","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19022024-sneakily-changing-terms-of-service-and-privacy-policy-wont-help-your-business\/","title":{"rendered":"Data protection digest 3-16 Feb 2024: Sneakily changing terms of service and privacy policy won’t help your business"},"content":{"rendered":"\n

In this issue, you will find that America\u2019s FTC is warning against retroactively changing terms of service or privacy policy. Palantir running the NHS\u2019s new data platform in the UK, and envisaged changes to the EU GDPR enforcement framework and new dispute resolution mechanisms are also in focus.<\/em><\/p>\n\n\n\n

Sign up to receive our fortnightly digest via email.<\/a><\/em><\/p>\n\n\n\n

Terms of Service and User Privacy<\/h4>\n\n\n\n

America\u2019s FTC warns AI developers and other companies that quietly changing terms of service could be unfair or deceptive<\/a>. While businesses creating AI products have strong financial incentives to utilize user data as fuel for their systems, they also have established policies in place to safeguard users’ privacy. A business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users\u2019 data. Some companies may attempt to make these changes and inform users covertly by making retroactive amendments to their terms of service or privacy policy, (eg, to use that data for AI training). <\/p>\n\n\n\n

Last summer, the FTC alleged that a genetic testing company violated the law when the company changed its privacy policy to retroactively expand the kinds of third parties with which it could share consumers\u2019 sensitive data<\/a>, adding supermarket chains and nutrition and supplement manufacturers, without notifying consumers who had previously shared personal data, or obtaining their consent. Additionally, it did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it, according to the complaints. The company stored it in publicly accessible \u201cbuckets\u201d on a cloud storage service with thousands of health reports about consumers and raw genetic data, sometimes accompanied by a first name, despite promising users its security practices would exceed industry-standard security practices. <\/p>\n\n\n\n

Other official guidance<\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

Employment data: <\/strong>The Italian privacy regulator launched the Code of Conduct for employment<\/a> agencies. The agencies that adhere to the code undertake to process only data strictly necessary for the establishment of the employment relationship and must therefore not carry out investigations into jobseeker\u2019s political, religious or trade union opinions or carry out pre-selections based on information regarding marital status, pregnancy, disability, even if candidates have given their consent. <\/p>\n<\/div><\/div>\n\n\n\n

Agencies must not obtain information by consulting social profiles intended for interpersonal communication. Online information can be collected only if made available on professional social channels. Furthermore, employment agencies will not be able to acquire the candidate’s professional references from previous employers and communicate them to their clients, without “prior explicit authorization from the candidate”.<\/p>\n\n\n\n

Camera systems: <\/strong>The Czech data protection authority has published a new methodology for the design and operation of camera systems<\/a>, (in Czech). The methodology applies to camera systems, (including security cameras), that record as well as camera systems in online mode, minimum technical and organisational measures for them, and use cases. The methodology is not a legally binding document and it remains the duty of personal data administrators to always proceed following the GDPR and EDPB Guidelines No. 3\/2019<\/a>.<\/p>\n\n\n\n

New procedures for GDPR enforcement<\/h4>\n\n\n\n

MEPs have adopted a draft position laying down additional procedural rules for enforcing the GDPR. It deals with cooperation and dispute resolution mechanisms<\/a> of the GDPR and introduces deadlines for cross-border procedures and disputes. Concerning amicable settlements<\/a>, such settlements should require the parties’ explicit consent, and should not prevent a supervisory authority from starting an own-initiative investigation into the matter. The MEP’s position also ensures that all parties to complaint procedures have the right to effective judicial remedies, for example when the regulator does not take necessary actions or comply with deadlines. <\/p>\n\n\n\n

Digital Services Act is now fully applicable <\/h4>\n\n\n\n

The DSA has applied to online platforms and search engines with more than 45 million users in the EU since 25 August 2023. From 17 February, it applies to smaller platforms and online intermediaries<\/a>, (goods, content or services), on the European market. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. For instance, if you complain about what you suspect is illegal content, the service provider must handle the matter and inform you<\/a> of its solution. <\/p>\n\n\n\n

Compliance will be supervised by the specialised agencies<\/a> in the Member States, and certain obligations by consumer protection and data protection authorities. To avoid disproportionate constraints, small companies, (with less than 50 employees and an annual turnover of less than EUR 10 million), and micro-enterprises are exempted from the application of various measures, (transparency reports, internal complaints handling system, etc.). More details on the enforcement framework under the DSA are here<\/a>. <\/p>\n\n\n\n

More legal updates<\/h4>\n\n\n\n

Main establishment in the EU:<\/strong> The EDPB clarified the notion of the main establishment under the GDPR rules. A controller\u2019s \u201cplace of central administration\u201d in the EU<\/a> can be considered as a main establishment under Art. 4(16)(a) GDPR only if: <\/p>\n\n\n\n