Privacy Enhancing Technologies (PETs)
The Israeli data protection authority published a technical guide to Privacy Enhancing Technologies, available in English. PETs are a diverse family of methods, processes, and digital tools that are appropriate for different stages in the information life cycle:
- Data collection and preparation for use: Obfuscating personal data and reducing its level of detail by removing identifiers, altering data values, or masking exact figures.
- Data use and processing: Reducing exposure of personal data during processing, and in some cases, enabling data use without the need for viewing it during processing.
- Control over data use: Defining rules and permissions for access to personal data and displaying data relating to the identity of the person accessing the data, the type of data, and the time of access.
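An added illustration, not taken from the Israeli guide or from this digest, of the first and third stages listed above: direct identifiers are dropped, a birth year and a postcode are coarsened, an exact salary is masked to a band, and a small permission layer records who accessed which data type and when. The record, roles and bands are constructed assumptions.

```python
"""Added example: data reduction (stage 1) and logged access control (stage 3)."""
from datetime import datetime, timezone

# Constructed sample record of the kind an HR export might contain.
RECORD = {"name": "Dana Levi", "national_id": "012345678", "email": "dana@example.com",
          "birth_year": 1987, "postcode": "6473901", "salary": 18350}

DIRECT_IDENTIFIERS = ("name", "national_id", "email")


def reduce_detail(record, now_year=2026):
    """Stage 1: remove identifiers, coarsen values and mask exact figures.
    now_year is an assumed reference year for the age-band calculation."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = now_year - out.pop("birth_year")
    decade = age // 10 * 10
    out["age_band"] = f"{decade}-{decade + 9}"            # e.g. 30-39
    out["postcode_prefix"] = out.pop("postcode")[:3]       # area only, not the street
    out["salary_band"] = f"{out.pop('salary') // 5000 * 5000}+"  # e.g. 15000+
    return out


# Stage 3: per-role permissions (assumed roles) and a log of every access attempt.
PERMISSIONS = {"analyst": {"age_band", "postcode_prefix", "salary_band"},
               "helpdesk": {"age_band"}}
ACCESS_LOG = []


def access(role, field, data, clock=None):
    """Return the field if the role may read it; always log who, what and when."""
    allowed = field in PERMISSIONS.get(role, set())
    when = clock or datetime.now(timezone.utc)
    ACCESS_LOG.append({"who": role, "what": field, "allowed": allowed,
                       "when": when.isoformat()})
    if not allowed:
        raise PermissionError(f"{role} may not read {field}")
    return data[field]
```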
Main developments
Brazil adequacy decision: On 28 January, the European Commission recognised that Brazil ensures an adequate level of protection for personal data under the EU GDPR. The decision, now in force, confirms that Brazil provides a comparable level of data protection, allowing personal data to flow freely between the two jurisdictions without additional authorisations or safeguards. The Commission also recognises the independence of the Brazilian Data Protection Authority (ANPD) and the safeguards governing public authorities’ access to personal data for law enforcement and national security purposes.

Data Privacy Framework: The EDPB has published a new version of the EU-US Data Privacy Framework FAQ for European individuals. “European individuals” means any natural person, regardless of their nationality, whose personal data has been transferred to a US company under this framework. It applies to any type of personal data processed for commercial or health purposes, and human resources data collected in the context of employment, as long as the recipient company in the US is self-certified under the DPF.
If you believe that a company in the US has violated its obligations or your rights under the EU-U.S. Data Privacy Framework, several redress avenues are available.
Digital omnibus: The EDPB and EDPS also adopted a joint opinion on simplification of the implementation of harmonised rules on AI. Among other things, the EDPB and the EDPS recommend maintaining the standard of strict necessity currently applying for the processing of special categories of personal data for bias detection and correction in relation to high-risk AI systems. They also support the creation of EU-level AI regulatory sandboxes to promote innovation and help SMEs, as well as AI literacy obligations for systems providers and deployers. The full opinion can be read here.
HIPAA Notice
In the US, if your company provides health benefits or qualifies as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), it is important to update your Notice of Privacy Practices (NPP) by 16 February to remain compliant. The notice must reflect new and more restrictive requirements relating to protected health information (PHI), in particular on the disclosure of patients’ substance use disorder records. Follow-up steps may include reviewing related policies, training, materials, and business associate agreements (BAAs) for consistency.
You can also read the latest epic.org report on the health data privacy crisis in the US here.
More from supervisory authorities

M&A: Before a planned company sale, large amounts of data are often processed as part of a due diligence review. This can include personal data, particularly of employees, customers, and suppliers. The Liechtenstein Data Protection Authority has compiled information (in German) regarding which data protection regulations must be observed. This information does not replace an individual assessment and is not exhaustive.
Camera surveillance in public transport: The Dutch data protection authority states that permanent camera surveillance at employees’ designated workstations is not permitted. Cameras may only be used when strictly necessary, for example for safety during incidents, and not for systematic monitoring or evaluation of employees. For the data controller, this means making technical adjustments to the cameras, adapting internal protocols, and providing clear instructions to employees.
AI tools safe usage: The Spanish AEPD has published the main principles of safe, responsible, and conscious use of AI. Among the recommendations, the privacy regulator advises against sharing personal data with AI tools (full name, address, telephone number, ID/NIE, images of people) or sensitive or delicate information (medical, financial or contractual details, geolocation). In the workplace, the agency emphasises the importance of following each organisation’s information and security policies and, in particular, of not entering information that reveals confidential data of the entity, its staff or its clients.
Digital identities ecosystem

Verifiable Digital Credentials (VDCs) can represent a wide range of data, from a driver’s license to a diploma to proof of age, explains America’s NIST. However, their interoperability requires a common set of standards and protocols for issuing, using, and verifying VDCs. As VDCs gain traction for both in-person and online identity verification, two key standards are helping to define this space:
- ISO/IEC 18013-5, which underpins mobile driver’s licenses and related mobile documents, and
- the World Wide Web Consortium’s Verifiable Credentials formats.
See their comparison in the original publication.
In parallel, the German Federal Office for Information Security (BSI) has issued an updated Technical Guideline for Biometric Authentication Systems (in German), which now covers significantly more use cases of facial and fingerprint recognition via smartphones or access control systems.
Cookie policy
The Latvian data protection authority reminds us of the essentials of a cookie policy, which gives the user clear information about how their data is processed when cookies are used. The document published on the website must explain in a user-friendly way: a) what cookies the website uses; b) for what purpose they are used; c) who their recipients are.
A multi-layered approach ensures that the most important information about the use of cookies on the website is provided in concentrated form (in the cookie pop-up notification or banner), together with an indication of where more detailed information can be found (the cookie policy). Cookie policies are often confused with privacy policies (with a brief cookie section folded into the privacy policy). However, to ensure transparency, the information should be provided to users separately – in two documents or at least in clearly separated “blocks” of information.
Shopping cart reminder e-mail
According to the Saxony data protection commissioner, retailers often send a reminder email pointing out an incomplete purchase process. Despite the regular complaints received about such communication, there are no data protection concerns regarding a one-time shopping cart status update sent by email. These automatically generated messages must be distinguished from unsolicited advertising and are considered technical support.
Given the customer’s expectations and the recipient’s perspective, a technically triggered status update during the contract negotiation phase is at least reasonably to be expected, in accordance with Art. 6 of the GDPR. At the same time, the processing behind such reminder emails is subject to the information requirements of Art. 13 of the GDPR and must be appropriately indicated in the privacy notice.
In other news

Excel file disclosure: The Romanian regulator ANSPDCP imposed fines totalling 15,000 euros against Continental Automotive Products SRL for breaches of the GDPR principles of data minimisation, accountability, and the security of processing. The investigation followed the controller submitting a personal data breach notification concerning the repeated internal distribution of an Excel file containing a consolidated list of employees, including medical data from medical certificates relating to numerous employees and former employees over a period of time.
GM driver data ban: America’s Federal Trade Commission finalised an order against General Motors and its OnStar subsidiary after the automaker secretly collected and sold detailed driving data from millions of vehicles without consumer consent. The final order approved by the Commission imposes a five-year ban on GM disclosing consumers’ geolocation and driver behaviour data to consumer reporting agencies. And for the entire 20-year life of the order, GM will be required to:
- obtain affirmative express consent from consumers before collecting, using, or sharing connected vehicle data, with some exceptions, such as for providing location data to emergency first responders;
- create a way for all US consumers to request a copy of their data and seek its deletion;
- give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology; and
- provide a way for consumers to opt out of the collection of geolocation and driver behaviour data, with some limited exceptions.
Chromebook case
The Danish data protection authority decided the Chromebook case regarding 51 municipalities’ use of Google’s products for teaching in primary schools. The regulator issued serious criticism and warned the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU. In addition, it states that, as data controllers, municipalities cannot lawfully use products that contain unclear processing constructs. Finally, they must have access to the resources necessary to ensure lawful processing of personal data, including in situations where the contractual basis for the product changes.
Microsoft 365 Education

The Austrian data protection authority upheld a complaint filed by a pupil, represented by the European Centre for Digital Rights (NOYB), against Microsoft regarding the use of tracking cookies in Microsoft 365 Education. The decision relates to the installation and use of non-essential cookies on the device of a minor using Microsoft 365 Education at an Austrian school. The authority also found that no valid consent had been obtained, digitalpolicyalert.org reports.
More enforcement decisions
Employees’ geolocation: The Italian regulator Garante fined a company in the agricultural seed selection and production sector 120,000 euros for unlawfully processing the personal data of five employees. As part of a multinational group, at the direction of its Swiss parent company, it installed a device on its company vehicles that unlawfully collected data on employees’ business and private travel (time, mileage, fuel consumption, and driving style) for the purpose of assigning a monthly score. The collected data was retained for 13 months and used to evaluate employee driving behaviour and to implement any corrective measures.
Access to a fired worker’s email: Garante also ruled that the content of emails, contact information, and any attachments fall within the definition of correspondence and are therefore protected by the right to confidentiality. In the case at hand, the regulator fined a company 40,000 euros for violating the confidentiality of a CEO’s email account after his employment ended. After receiving a disciplinary letter that resulted in dismissal, he asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply. However, this request went unanswered.
France Travail: The French CNIL, meanwhile, fined France Travail 5 million euros for failing to ensure the security of job seekers’ data. In 2024, attackers managed to break into the agency’s information system. They used social engineering techniques to take over the accounts of CAP EMPLOI advisors, who are responsible for people with disabilities. The attackers accessed the data of all people registered, or who had been registered, over the past 20 years. However, they did not gain access to the complete files of job seekers, which may include health data.
And finally

Change your password: According to the German BSI, a blanket password change is no longer an effective security measure. Frequent password changes often lead consumers to use weak, easily predictable passwords. Password managers help to keep track of passwords. However, even a complex password does not offer 100% protection. Instead, BSI recommends activating two-factor authentication (2FA).
Australia child accounts ban: According to the Guardian, Snapchat banned or disabled the accounts of around 415,000 Australian users who were detected as being under the age of 16. This was done to comply with the new under-16s social media prohibition. In December, Snapchat was one of ten platforms required to restrict people under the age of 16 (4.7 million accounts in total) from using their services. However, other allegations have surfaced since the prohibition took effect, with some claiming that Snapchat’s facial age verification was easily overcome by teens.