This issue highlights DPOs' duties in the context of ongoing compliance with the GDPR, and the continuing saga of the US adequacy decision. Also of note are monitoring and privacy issues in the workplace.
Official guidance
DPOs' duties: The Swedish data protection agency published the results of a coordinated investigation, initiated by the EDPB, on the role and position of data protection officers. It investigated 50 organisations in the public and private sectors. Here are some of the findings:
- Several data protection officers have other tasks/roles in addition to the role of data protection officer, which in certain situations can potentially mean a conflict of interest.
- There are differences in how many hours data protection officers spend on skills development around data protection issues.
- There is wide variation in the amount of resources and methodological support available to carry out the DPO's duties.
- The organisations to some extent have different ideas about what should be included in the data protection officer’s mission.
Interestingly, most, but not all, organisations believe that the DPO should participate in the handling of personal data incidents whereas only two-thirds of the organisations believe that the DPO should be consulted in the planning of new personal data processing.
Sandbox invite for innovative tech: Organisations have until the end of this year to submit expressions of interest in entering the UK Information Commissioner Office’s Regulatory Sandbox in 2024. If you’re part of an organisation that’s tackling complex data protection considerations as you create innovative new products and services, the ICO’s team wants to hear from you. Expressions of interest will be assessed based on whether the product or service being developed is innovative and could provide a demonstrable benefit to the public, whether you’re a start-up, SME or larger organisation, from the private, public or voluntary sectors.
Server colocation: The Danish data protection authority has considered whether an IT company that provides (server) colocation should be considered a data processor for the organization for which the service is provided. The assessment is negative, in particular, if the supplier of colocation does not have access to the personal data that is processed on the servers. The provision of colocation primarily concerns the provision of a service other than the processing of personal data, in particular physical facilities as well as internet and power supply. However, this is only a starting point. Several circumstances can lead to the colocation company being considered a data processor to a certain extent:
- the company provides additional services beyond physical facilities,
- the company can and may be tasked with moving, restarting or otherwise handling the servers where the information is processed,
- the company can and may have the task of replacing hard drives and memory, or of providing firewall, backup and similar services.
AI code of conduct: The Canadian government published a voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. Generative systems can be adapted by organisations for various uses – such as corporate knowledge management applications or customer service tools. Firms developing and managing the operations of these systems both have important and complementary roles.
Signatories of this code would develop and apply standards, and share information and best practices with other members of the AI ecosystem, prioritising human rights, accessibility and environmental sustainability. See the measures to be undertaken under the Code of Conduct in the original publication.
Encryption evaluation tool: The Spanish data protection agency launched the ValidaCripto tool to evaluate encryption systems. Encryption is a procedure by which information is transformed into a seemingly unintelligible set of data, helping to protect the information in the event of a personal data breach. The tool runs in the browser, without recording or transmitting any data to the Agency, and allows information to be stored locally and reports to be generated. It has a help section that explains its operation step by step: selecting the impact of the encryption system on the processing, categorising the most critical elements, reviewing the suggested controls and generating follow-up documentation.
Workplace monitoring: The UK Information Commissioner's Office has published guidance to ensure lawful monitoring in the workplace. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. If an organisation is looking to monitor workers, it must take steps including:
- Making workers aware of the nature, extent and reasons for monitoring.
- Having a clearly defined purpose and using the least intrusive means to achieve it.
- Having a lawful basis for processing workers’ data – such as consent or legal obligation.
- Only keeping the information which is relevant to its purpose.
- Carrying out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers.
- Making the personal information collected through monitoring available to workers if they make a subject access request.
Legal processes
EU-US DPF tried in court: The EU General Court rejected the request for interim suspension of the EU-US Data Privacy Framework but has yet to examine the substance of the case. The request was introduced by a French member of parliament, who is also a member of the French data protection authority CNIL, asking that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects against US companies, as well as a violation of the GDPR's minimisation and proportionality principles due to the access to and use of EU personal data for US security purposes. He also observed that the text of the DPF decision, which is currently only available in English, should be translated into the EU's official languages.
Delete Act: California's Governor signed the Delete Act into law. It revises the California Consumer Privacy Act by making it easier for residents to submit universal requests to registered data brokers for deletion of personal data. According to The Guardian's analysis, Californians already have the right to request that their data be destroyed under current state privacy regulations, but doing so requires filing a request with each corporation. The revised measure requires all data brokers to register with the privacy protection agency, and mandates the agency to create a simple and cheap means for Californians to request, through a single page, that all data brokers in the state remove their data, regardless of how that information was obtained.
Consumer profiling: The EDPB and EDPS published a joint contribution to the public consultation on the draft template for the description of consumer profiling techniques. Under the new Digital Markets Act, designated gatekeepers must now submit to the European Commission independently audited descriptions of any techniques for profiling consumers that they apply to or across their core platform services. The regulators ask whether the Commission should expect to receive detailed audited descriptions of profiling techniques for each of the gatekeeper's core platform services.
The regulators are also concerned that the template alone would not provide sufficient safeguards against low-quality or otherwise unreliable audits on behalf of gatekeepers. The EDPB and the EDPS underline that any approval or statement from the European Commission on how a gatekeeper processes personal data for consumer profiling or how it informs consumers about profiling techniques does not automatically mean that the gatekeeper is complying with the GDPR, which is for supervisory authorities to verify.
Health research in France: The CNIL has adopted two new reference methodologies to allow public and private bodies (in addition to healthcare institutions and their federations, as well as healthcare manufacturers), except insurers, to process data from the main database of the National Health Data System. The data controller should indicate in their protocol:
- the components of the main database concerned by the access request;
- the target population;
- the targeting period;
- the data or categories of data required;
- the historical depth of the data;
- the requested access period.
As there are many ways to access these data, any controlled environment that meets the conditions set in the new methodologies may host the data as part of the research projects concerned.
Enforcement decisions
Case studies book: The Irish data protection authority published detailed case studies, based on 126 real cases from the past five years, illustrating how data protection law is applied, how non-compliance is identified and how corrective measures have been imposed. It concentrates on topics such as access request complaints, the accuracy of personal data, cross-border cases, data breach notifications, unauthorised disclosure, direct marketing, objection to processing, the right to be forgotten, and much more.
“My AI” fine: The UK Information Commissioner has issued a preliminary enforcement notice against Snap and its generative AI chatbot “My AI”. The investigation provisionally found that Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK, including children aged 13 to 17. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. Snap launched the ‘My AI’ feature for UK Snapchat+ subscribers in February, with a rollout to its wider Snapchat user base in the UK in April. The chatbot feature, powered by OpenAI’s GPT technology, was the first example of generative AI embedded into a major messaging platform in the UK. As of May, Snapchat had 21 million monthly active users in the UK.
Employee geolocation data: The Italian data protection authority fined Shardana Working 20,000 euros following a complaint by three individuals employed by the company. The company is responsible for reading gas, electricity and water meters. The three workers, to verify the correctness of their pay slips, had asked the company to provide the information used to process mileage reimbursements and the monthly hourly salary, as well as the procedure for establishing the compensation due.
In particular, they had asked to know the data collected through the company smartphone on which a geolocation system had been installed which allowed workers to identify the route to take to reach the meters. The regulator found that Shardana Working had not adequately informed the employees of the data processed through the GPS installed on their smartphones. Even if the company deemed that it could not fully respond to the employees’ requests, it should have at least indicated the specific reasons why it could not comply with the access requests.
Dismissal based on geotracking: A similar instance occurred recently in France, according to the Ius Laboris legal blog. The highest civil court in France has intervened in an employee's dismissal based on geolocation data from his work car. An employee of an equipment rental firm was fired for making unnecessary trips. The geolocation processing had been declared to the French data protection agency CNIL for the purpose of locating employee vehicles and ensuring the safety of goods and people on site, and the employee had been informed of this. The Supreme Court, however, held that the trial judge should have evaluated whether the company's geolocation system was also intended, beyond what was stated to the regulator, to monitor the employee's professional activities and working hours, and whether the employee had been told about such a purpose.
Electronic ticketing: The Greek data protection authority carried out an extraordinary on-site inspection at the Athens Urban Transport Organization (OASA), examining the protection of personal data processed in the framework of the automatic fare collection system, also referred to as the “electronic ticket”. It imposed a total fine of 50,000 euros together with a compliance order concerning the determination of data retention times for the various processing purposes (20 years), the anonymity of travel card holders and their movements (e.g. of employment categories), and a review of the data protection impact assessment and other documentation (not available at the time of the audit).
Big Data
Biometric surveillance: According to The Guardian, dozens of cross-party MPs and privacy campaigners in the UK have joined a campaign calling for an “immediate stop” to the use of live face recognition monitoring by police and commercial companies. Live face recognition has lately been used by British police at large-scale public events such as King Charles’ coronation. The announcement follows the policing minister’s announcement of government intentions to make UK passport images searchable by police: to link data from the police national database, the Passport Office, and other national databases to allow officers to identify a match with the “click of a button.”
Google user data: Google will give users in the EU better choice as to how Google processes their data, according to commitments undertaken by the company. This is the result of proceedings conducted by the Bundeskartellamt (German Federal Cartel Office) based on the new instrument under competition law, which allows intervention when competition is threatened by large digital companies. The commitments concern situations where the company would like to combine personal data from one Google service with personal data from other Google or non-Google sources, or cross-use these data in Google services that are provided separately.
Such an obligation already results from the new Digital Markets Act. The relevant core platform services listed in the Commission's designation decision (Google Shopping, Google Play, Google Maps, Google Search, YouTube, Google Android, Google Chrome and Google's online advertising services) are therefore not covered by the commitments. However, Google's commitments to the Cartel Office do concern data processing across more than 25 other services (including Gmail, Google News, Assistant, Contacts and Google TV).