In this issue: security-focused software testing to find unexpected functionalities in recently developed applications; email management and metadata in the work context; Wikipedia must abide by the GDPR; and London hospitals suffer ransom attacks.
Stay up to date! Sign up to receive our fortnightly digest via email.
Software testing
To help businesses and authorities address a range of security threats, the Danish data protection authority has added a new item to its list of security measures (in Danish): security-focused software testing, which can find flaws in recently created applications. The software’s intended functionality is what the “customer” asked for; a product may nonetheless carry unexpected or undesired capabilities as well.
Unwanted functionality is by definition unnecessary and therefore generally goes unused, which is precisely what makes it a hidden security issue. People with malicious intentions can also search for unnecessary or unwanted functionality to misuse. Increasingly complex IT systems and integrations between them raise the likelihood of errors and vulnerabilities, even where security is a focus during development.
Furthermore, a lot of software is built from pre-made components that are either created by other parties or form part of “developer tools”, and it is unknown how much attention these third parties pay to security. Therefore, the only way to guarantee that new software has been designed with a focus on security may be through testing, or through requirements on the supplier’s testing. Testing documentation can also play a critical role in proving whether sufficient precautions have been taken to prevent security breaches.
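As an added illustration of the kind of test the guidance has in mind (this is example code written for this digest, not the Danish authority's material), the block below compares the routes a hypothetical web application actually registers at start-up with the functionality the customer documented. Anything registered but undocumented, such as a leftover debug endpoint or an HTTP method nobody asked for, is reported as a finding that belongs in the testing documentation. The route inventory and the documented spec are constructed sample data.

```python
"""Added example (not from the Danish DPA's guidance): a security-focused test
that compares what a web application actually registers at start-up with the
functionality the customer documented, so leftovers show up as findings.
The route inventory and the spec below are constructed, hypothetical data."""
from dataclasses import dataclass

# Constructed inventory of (method, path) pairs the application registers.
# Real frameworks expose this as a URL map; a test would read it from there.
REGISTERED_ROUTES = {
    ("GET", "/api/users/<id>"),
    ("PUT", "/api/users/<id>"),
    ("DELETE", "/api/users/<id>"),   # nobody asked for deletion
    ("GET", "/api/orders"),
    ("POST", "/api/orders"),
    ("POST", "/api/export"),
    ("GET", "/debug/config"),        # leftover developer tool
}

# Constructed list of the functionality the customer actually requested.
DOCUMENTED_ROUTES = {
    ("GET", "/api/users/<id>"),
    ("PUT", "/api/users/<id>"),
    ("GET", "/api/orders"),
    ("POST", "/api/orders"),
    ("POST", "/api/export"),
}

# Path prefixes that usually indicate tooling rather than product features.
SUSPICIOUS_PREFIXES = ("/debug", "/test", "/internal", "/admin")


@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    reason: str


def find_unexpected_functionality(registered, documented):
    """Return every registered route that the documentation does not cover."""
    findings = []
    documented_paths = {path for _, path in documented}
    for method, path in sorted(registered - documented):
        if path in documented_paths:
            reason = "extra HTTP method on a documented resource"
        elif path.startswith(SUSPICIOUS_PREFIXES):
            reason = "undocumented tooling endpoint"
        else:
            reason = "undocumented endpoint"
        findings.append(Finding(method, path, reason))
    return findings


def undocumented_functionality_report(registered=REGISTERED_ROUTES,
                                      documented=DOCUMENTED_ROUTES):
    """Human-readable summary suitable for the testing documentation."""
    findings = find_unexpected_functionality(registered, documented)
    lines = [f"{f.method} {f.path}: {f.reason}" for f in findings]
    return "\n".join(lines) if lines else "no unexpected functionality"


if __name__ == "__main__":
    print(undocumented_functionality_report())
```

Run as part of the regular test suite, a check like this fails the build whenever a developer registers a route that the specification does not mention, which is exactly the "unwanted functionality" the guidance warns about.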
Whistleblowing and anonymity
The most recent EU whistleblower legislation is explained in Iuslaboris’ blog article using the example of the Netherlands. In particular, midsize employers (50+ employees) are now also subject to the new and stricter obligations of the Dutch Whistleblower Protection Act 2023 regarding internal reporting processes for whistleblowers:
- The employer is generally free to choose an anonymous reporting mechanism, such as specialised software.
- A report is made anonymously, but it needs to be made to a properly designated officer.
- That officer must then discuss with the reporting person how they wish to communicate during the process.
- If the reporting person’s identity is partially revealed, the officer is responsible for making sure that any parties not involved in the inquiry are not informed.
- It’s also advisable to explain the breach of anonymity to the individual who filed the report.
- The reports might be looked into at the group level of the organisation (even if the parent company is located in another country).
Email management and metadata
E-mail management programs and services marketed by suppliers as cloud offerings may, by default, collect metadata in a preventive and generalised way. This sometimes limits an employer who wishes to change the program’s basic settings so as to disable the systematic collection of such data in the work context, or to shorten its retention period. The fundamental right to secrecy of the content of e-mail correspondence, including the external data of the communications and the attached files, protects the essential core of the dignity of individuals and the full development of their personality in social formations.
Metadata may include the e-mail addresses of sender and recipient, the IP addresses of the servers or clients involved in routing the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, details about the management system of the e-mail service used, along with the subject of the message sent or received. This metadata should not be confused with the information embedded in the e-mail messages themselves (integrated into them although not immediately visible to users), in their “body part”, which remains under the exclusive control of the user.
Thus, all data controllers are reminded to verify that the collection and storage of logs take place in compliance with the principles of correctness and transparency, and that workers have been adequately informed about the processing of personal data relating to their electronic communications (specifying data retention times, any controls, etc.).
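To make the metadata list above concrete, here is an added example (written for this digest, not part of the regulator's text) that pulls exactly those fields out of a raw e-mail with Python's standard `email` package, reduces the record to what an assumed purpose (a security log) needs, and enforces a retention period. The sample message, the addresses and IPs (documentation ranges) and the choice of fields kept for the security-log purpose are all constructed assumptions.

```python
"""Added example, not from the Italian regulator's text: extract the metadata the
article lists from a raw e-mail, reduce it to what a stated purpose needs, and
enforce a retention period. The message and the purpose are constructed."""
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message; addresses and IPs use documentation ranges.
RAW_MESSAGE = """\
Received: from mail.example.org ([192.0.2.10]) by mx.example.net; Mon, 3 Jun 2024 09:15:02 +0000
Received: from client.example.org ([198.51.100.7]) by mail.example.org; Mon, 3 Jun 2024 09:14:58 +0000
From: alice@example.org
To: bob@example.net
Cc: carol@example.net
Subject: Quarterly figures
Date: Mon, 3 Jun 2024 09:14:55 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the figures attached.
--b1
Content-Type: application/pdf; name="q2.pdf"
Content-Disposition: attachment; filename="q2.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Relay IPs appear in square brackets inside Received headers.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class MailMetadata:
    sender: str
    recipients: list
    relay_ips: list
    sent_at: datetime
    size_bytes: int
    attachment_count: int
    subject: str


def extract_metadata(raw):
    """Collect the metadata fields the article enumerates from one message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = getaddresses([str(msg["From"])])[0][1]
    recipient_headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr for _, addr in getaddresses(recipient_headers)]
    relay_ips = []
    for received in msg.get_all("Received", []):
        relay_ips.extend(IP_IN_BRACKETS.findall(str(received)))
    return MailMetadata(
        sender=sender,
        recipients=recipients,
        relay_ips=relay_ips,
        sent_at=parsedate_to_datetime(str(msg["Date"])),
        size_bytes=len(raw.encode("utf-8")),
        attachment_count=sum(1 for _ in msg.iter_attachments()),
        subject=str(msg["Subject"]),
    )


# Assumed purpose: a security log. The subject is content-like, so it is dropped.
SECURITY_LOG_FIELDS = ("sender", "recipients", "relay_ips", "sent_at", "size_bytes")


def minimise(record, keep=SECURITY_LOG_FIELDS):
    """Keep only the fields the stated purpose needs (data minimisation)."""
    data = asdict(record)
    return {field: data[field] for field in keep}


def purge_expired(log_entries, now, retention_days):
    """Return the entries still inside the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [entry for entry in log_entries if entry["sent_at"] >= cutoff]


if __name__ == "__main__":
    entry = minimise(extract_metadata(RAW_MESSAGE))
    print(entry)
```

The point of separating `extract_metadata`, `minimise` and `purge_expired` is that the retention period and the field list become explicit, reviewable settings rather than whatever the cloud supplier's defaults happen to be, which is what the regulator asks controllers to verify.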
More official guidance
Data subject requests: The Latvian data protection regulator explains how a data controller should act if a request from a person as a data subject has been received:
- Verify the data subject’s identity (additional information can be requested).
- Find out what rights the person intends to exercise when sending the request.
- Develop a request form that formulates possible requests.
- Observe the response deadlines.
- Act accordingly if an unreasonable or disproportionate request is received.
- Take into account the restrictions on the exercise of the rights of data subjects.
- Document the progress of request processing; and
- Cooperate with the Data State Inspectorate if necessary.
Information sharing in health emergencies at work: The Guernsey data protection authority explains how to think in advance about sharing workers’ information in a health emergency. This covers any situation where you believe that someone is at risk of serious harm to themselves or others because of their mental or physical health, including potential loss of life. The same obligations apply to processing information about your workers’ mental or physical health.
In a health emergency, data protection does not act as a barrier to necessary and proportionate information sharing. Where there is a risk of serious harm to the worker, or to others, you should share necessary and proportionate information without delay with relevant and appropriate emergency services or health professionals. You must ensure that your workers are aware of any policy for sharing personal information in a health emergency and that it is available to them.
This policy also could become part of your Data Protection Impact Assessment on the everyday handling of your workers’ health information.
Meta AI training postponed in the EU/EEA
Meta was scheduled to begin training and improving its AI applications on users’ content from Facebook and Instagram next week. At the request of the Irish Data Protection Commission (the lead supervisory authority), this has been postponed until further notice. Earlier this month, Meta announced it would begin using publicly available content from European users of Facebook, Instagram and Threads to train an AI app. The legal basis claimed for the processing is legitimate interest, with users able to object to the use of their content if they wished. Numerous complaints about Meta’s new practice were lodged with European supervisory authorities, including in Norway, Austria, France and others.
Meanwhile, the Hamburg Data Protection Commissioner (HmbBfDI) published recommendations regarding AI training with personal data by Meta. Users worldwide should be aware that once a large language model has been trained with personal data, this cannot be reversed. Individuals can object in the settings on their profile page under the Privacy Policy. Persons who do not have an account with a Meta service may also be affected by Meta’s processing of personal data for AI training purposes, as Meta also uses data from so-called third-party providers.
In the future, Meta’s AI-supported tools could become available for both users and companies.
Wikipedia vs GDPR
The Italian privacy regulator Garante recently ruled that the processing of personal data carried out by Wikipedia falls under the GDPR, and that the rules on journalistic activity and the expression of thought apply to the published contents. The decision followed a complaint by an interested party whose request to the Wikipedia Foundation for deletion of a biographical article relating to a judicial matter was not satisfied. The regulator ordered the de-indexing of the article.
The US non-profit believes it does not offer a service to users in the EU and is therefore not bound to comply with the GDPR: it merely “hosts” the contents inserted by the community of volunteers. In reality, Garante explains, Wikipedia constantly addresses and verifies quality standards for the content and creates versions of the site dedicated to users from one or more EU countries.
More enforcement decisions
Cookies without consent: An Amsterdam court held that LinkedIn, Microsoft and Xandr must cease placing cookies without user consent, DataGuidance reports. The plaintiff visited 52 websites, of which 19 installed cookies on their device either without their knowledge or after consent had been expressly denied. The website provider bears certain duties even where third parties are responsible for installing cookies on users’ devices. The court found that the above companies’ partnerships with third-party operators resulted in the cookies in question, and that they did not prevent those third parties from placing cookies without authorisation.
Recruiting company deletion requests: Meanwhile, the Dutch data protection authority has imposed a fine of 6,000 euros on the recruitment company Ambitious People Group. The company did have a procedure for handling data-deletion requests, yet in practice things went wrong several times: data remained in the database after people had requested its removal, and the company kept approaching these people about vacancies. The data in question included names, home addresses, e-mail addresses, telephone numbers, dates of birth and CVs containing information about education and work experience.
Security gaps: As part of an unsolicited audit by the Lower Saxony data protection authority, 20 companies have closed security gaps in their Microsoft Exchange servers. There is sometimes only a very short interval between the release of a security update and the exploitation of the vulnerabilities it fixes, and sometimes the first waves of attacks on customers’ and employees’ data have already occurred beforehand. Therefore:
- Anyone who commissions an IT service provider to operate an Exchange server must ensure that the contract also includes regular patching of the server.
- Companies must ensure that they can patch their servers immediately if critical security vulnerabilities arise.
Data security
Affordable data security: An opinion article by the Estonian data protection regulator suggests that small and medium-sized companies perceive data protection mainly as a source of costs and worries. However, practice shows that mitigating the cyber-security risks of data protection may not be as scary and expensive as it seems at first glance. The most familiar and still valid recommendations for your web security include:
- updating the software on your devices and IT infrastructure (hosting providers offer automated application installation),
- adopting multi-factor authentication (user log-ins and the web hosting control panel),
- auditing accounts (access control), and
- disposing of unused and unnecessary applications and files on the web server.
Privacy vulnerabilities of AI systems: An Iuslaboris law blog looks at cyber-security obligations under the EU AI Act against model poisoning, model evasion, confidentiality attacks and model flaws. One example is privacy attacks. Once the AI system is operational, bad actors can use legitimate means to obtain personal data: it may be possible to send a large language model many queries that together let the actor reverse-engineer personal data about a particular individual from the aggregate data set. The same techniques can be used to access proprietary or confidential information about the AI system’s architecture, allowing attackers to extract enough information about a system to reconstruct the model.
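The "many queries against an aggregate" risk described above has a standard defensive answer: put a guard in front of the query interface that adds calibrated noise to every aggregate answer and charges each query against a per-client privacy budget, so no client can keep asking until individual records fall out. The block below is an added example written for this digest (not code from the Iuslaboris article or any product) showing that guard for count queries; the personnel records, the budget size, the minimum cohort size and the client names are constructed assumptions.

```python
"""Added example (not from the Iuslaboris article): a guard in front of an
aggregate-query interface that limits what any one client can learn about
individuals by (a) adding Laplace noise calibrated to the query's sensitivity
and (b) charging every query against a per-client privacy budget.
The dataset, budget and cohort threshold are constructed assumptions."""
import random
from collections import defaultdict

# Constructed personnel records standing in for the aggregate data set.
RECORDS = (
    [{"id": i, "dept": "eng", "remote": i % 2 == 0} for i in range(7)]
    + [{"id": i, "dept": "sales", "remote": False} for i in range(7, 10)]
    + [{"id": i, "dept": "legal", "remote": True} for i in range(10, 12)]
)


class PrivacyBudgetExceeded(Exception):
    """The client has spent its epsilon budget; further answers are refused."""


class CohortTooSmall(Exception):
    """The predicate matches fewer people than the minimum cohort size."""


class AggregateQueryGuard:
    def __init__(self, records, epsilon_budget=1.0, min_cohort=5, seed=None):
        self._records = list(records)
        self._budget = epsilon_budget
        self._min_cohort = min_cohort
        self._spent = defaultdict(float)   # epsilon spent per client
        self._rng = random.Random(seed)    # seed only for reproducible demos

    def remaining_budget(self, client):
        return self._budget - self._spent[client]

    def _laplace(self, scale):
        # Laplace(0, scale) is the difference of two Exp(1/scale) draws.
        return self._rng.expovariate(1.0 / scale) - self._rng.expovariate(1.0 / scale)

    def count(self, client, predicate, epsilon=0.25):
        """Answer 'how many records satisfy predicate' with epsilon-DP noise."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self._spent[client] + epsilon > self._budget + 1e-12:
            raise PrivacyBudgetExceeded(
                f"{client} has {self.remaining_budget(client):.2f} epsilon left")
        # Charge before answering: refusing a small cohort still reveals that
        # the cohort is small, so the refusal must cost budget as well.
        self._spent[client] += epsilon
        true_count = sum(1 for record in self._records if predicate(record))
        if true_count < self._min_cohort:
            raise CohortTooSmall("cohort below minimum size")
        # A count changes by at most 1 when one person is added or removed
        # (sensitivity 1), so Laplace(1/epsilon) noise gives epsilon-DP.
        return true_count + self._laplace(1.0 / epsilon)


if __name__ == "__main__":
    guard = AggregateQueryGuard(RECORDS, epsilon_budget=1.0, min_cohort=5, seed=7)
    print("engineers (noisy):", round(guard.count("analyst-1", lambda r: r["dept"] == "eng", 0.4), 1))
    print("budget left:", guard.remaining_budget("analyst-1"))
```

The budget is what stops the "ask many times and average" strategy: every answer, refused or not, consumes epsilon, and once a client's budget is gone the guard stops answering regardless of how the query is phrased. The same structure (sensitivity, noise, budget) carries over to sums and averages with the appropriate sensitivity.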
Hospital system under attack
BBC News reports that London hospitals are still grappling with the aftermath of a cyber attack that has led to many hours of extra work for their staff. A critical incident was declared on 4 June after a ransomware attack targeted the services provided by pathology firm Synnovis. Healthcare facilities are experiencing significant disruptions to their services, including blood transfusions, and blood sample processing is being done by hand in the labs. The results are added into the system “line by line” after being double-checked. It was also necessary to move some patients who needed emergency surgery to different institutions and cancel other operations.
Privacy research
The Norwegian data protection regulator revealed the results of a nationwide survey on the population’s relationship to privacy. The vast majority of people in the survey have refrained from downloading an app because they are unsure of how their data will be used. Young people are used to giving up large amounts of personal data, and they use a far greater range of services than older age groups do. Most people believe that AI will challenge privacy by collecting too much personal data and using it. There is broad support that the authorities should take an active role in the regulation of artificial intelligence, but fewer believe that this will be possible.