In this issue, we look at Meta’s new ads-free subscription model as the corporation runs out of available legal grounds for tracking and profiling people in the EU for targeted advertising, while being banned from using contract law and legitimate interest as justification.
Meta subscription model vs GDPR
Meta platform’s latest announcement of ads-free paid services in Europe is now challenged by the EDPB’s urgent binding decision. At the request of the Norwegian privacy regulator, Meta will soon be banned from using the legal basis of the contract and legitimate interest for tracking and profiling users for ad targeting across the entire EEA. The EDPB takes note of Meta’s new proposal to rely on a consent-based subscription model as a legal basis instead. The lead Irish Data Protection Commission is currently evaluating this together with the concerned supervisory authorities, (who have already expresses serious doubts).
Meta has just announced that it will offer people in the EU, EEA and Switzerland the choice to pay a monthly subscription to use Facebook and Instagram without any ads. Meanwhile, advertisers will be able to continue running personalised advertising campaigns in Europe to reach those who choose to continue to receive a free, ad-supported online service. Meta believes the above subscription model – “pay or agree” is a valid form of consent for an ads-funded service, anticipating the requirements of the European privacy regulators and the recent CJEU ruling.
Legal processes
America’s AI Action: President Biden issued a comprehensive Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. The most sweeping actions compel the most powerful AI system developers to disclose their safety test findings and other key information to the US government. It promotes advancing the responsible use of AI in education as well as healthcare and the development of affordable and life-saving drugs. The document also promotes best practices to mitigate harms and maximize benefits of AI for workers and customers. Finally, it emphasizes the responsible government deployment of AI and modernization of the federal AI infrastructure.
Biden’s Administration will continue to collaborate with Congress to pursue bipartisan legislation for responsible innovation. The US Department of Commerce, along with the National Institute of Standards and Technology and other federal players will be responsible for carrying out the EO’s objectives.
Draft EU AI Act: Meanwhile, the EDPS issued its opinion on the Artificial Intelligence Act, as discussions between the EU’s co-legislators reach the final stages. It includes the banning of high-risk AI systems with decision-making patterns, such as for automatic recognition of human characteristics and other behavioural signals in public spaces, as well as profiling based on biometric traits. The EDPS is prepared to serve as the EU’s AI Supervisor and welcomes the formation of the European Artificial Intelligence Office. It believes that persons harmed by the usage of AI systems should have the right to file a complaint with competent national data protection authorities.
Legal redress
Clearview AI escapes punishment: Last year the UK Information Commissioner fined Clearview more than 7.5 million pounds for illegally keeping millions of face pictures. Now the First-tier Tribunal has quashed the enforcement as the company services were only utilised by law enforcement agencies outside the UK. Although Clearview did engage in data processing connected to monitoring people’s behaviour in the UK, the ICO “did not have jurisdiction” to initiate enforcement action or levy a fine. France, Italy and Australia had taken similar action against the firm. Clearview previously had commercial customers, but following a 2020 settlement with the US, the company now only takes clients that carry out criminal law enforcement or national security duties.
Official guidance
Shoplifting: According to the UK Information Commissioner, more retailers are turning to technology to protect their businesses. Data protection law enables retailers to share criminal offence data as long as it’s necessary and proportionate. Sharing information with a manager of another store in your shopping centre is likely to be appropriate, while wider public disclosures, such as posting it on an online retail-related social media platform, are less likely to be justifiable.
Consent criteria: Quebec has published guidelines on valid consent criteria, (in French). Consent must be obtained before carrying out any processing activity. It is also essential that the organisation document. Consent must be: evident, free, informed, specific, granular, understandable, temporary, and presented separately from any other information. Subject to exceptions, organisations must obtain consent to reuse data or to disclose it to a third party. Equally, consent can be withdrawn at any time by the data subject. If any above are not respected, the validity of such consent is to be null.
DP Toolkit: Jersey’s data protection authority created a dedicated resource zone. It features a variety of toolkits for small, medium and large organisations as well as financial services, non-executive directors, and non-profit organisations: a blend of infographics, step-by-step guidance, how-to-guides, templates, checklists and videos.
AI Q&A: The French privacy regulator published the first set of guidelines for the use of AI that respects the GDPR. The CNIL confirms the compatibility of AI research and development with the data protection principles. The principle of data minimisation does not prevent the training of algorithms on very large datasets. On the other hand, the data used must, in principle, have been selected to optimise the training while avoiding the use of unnecessary information. In any case, certain precautions to ensure data security are essential.
Enforcement decisions
BBVA: Following a complaint by an individual, the Spanish data protection regulator issued a fine of one million euros on Banco Bilbao Vizcaya Argentaria, (BBVA).The complainant, a BBVA client, had lost their purse containing their bank card. Following that, they claimed to have demanded that BBVA block all of their banking products. Third parties reportedly used identity theft to access the complainant’s financial products, take out loans, and transfer money from the complainant’s bank accounts after BBVA allegedly refused to act on the complainant’s request.
Canal+: The French data protection authority CNIL fined CANAL+ group 600,000 euros for poor data practices. In particular its standard forms for the collection of prospect data did not contain any information on the identity of the recipients to whom the data was transmitted. It also failed to inform individuals when creating a MyCanal account and during cold calling calls. The company also did not respond to some access requests. Apart from that, the CNIL found that a subcontracting contract did not include all the information required, and the storage of the company’s employees’ passwords was not sufficiently secure.
Data breaches
Gap Personnel: A UK recruitment company did not have appropriate security measures in place, which resulted in an unauthorised threat actor accessing and exfiltrating individuals’ data, (13,720 UK data subjects), twice within 12 months. Gap was unable to determine the specific cause of the incident but believes it is likely that the threat actor leveraged an insecure script, (PHP file), and performed an SQL injection attack. At the time of the incident, there were four specific vulnerabilities: a) an unsupported version of MySQL, b) an unsupported PHP version, c) poorly written PHP code and d) insufficient logging.
Optionis: In another similar reprimand, a data controller, (Optionis Group), suffered a ransomware attack, which resulted in the exfiltration of personal data. A reprimand was issued in respect of specific infringements of the UK GDPR, which include lack of multi-factor authentication, an inadequate account lockout policy, and no clear Bring Your Own Device policy. Aggravating factors were that Optionis took 11 months to notify all individuals of the breach. The company explained that the analysis of the impacted personal data took a considerable amount of time to complete, in particular, due to the size of the dataset. You can read the full decision here.
Data security
Telehealth: The US Office for Civil Rights released a HIPAA dedicated resource to help health care providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications. The HIPAA Rules do not require covered health care providers to educate patients about these risks; however, OCR is sharing this resource to assist providers who would like to explain to patients the privacy and security risks to their protected health information. Some examples of risks include viruses and other malware, unauthorized access, and accidental disclosures.
Code of Practice for app developers: The UK government published the latest version of its code, which should be used from now on by app store operators and app developers. The UK government has investigated the app ecosystem and found a range of threats relating to malicious and poorly developed apps. In particular, app store operators and developers shall comply with the broader requirements of data protection law, therefore new sections have been added to highlight requirements of particular relevance to the Code of Practice.
Non-banking financial services: The US Federal Trade Commission has approved an amendment that would require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lending institutions, to report data security breaches. The amendment will require the FTC to be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without authorization. The notice to the FTC must also include the number of consumers affected or potentially affected.
Big Tech
SolarWinds breach aftershock: The US Securities and Exchange Commission charges SolarWinds and its Chief Information Security Officer with fraud and internal control failures. In 2020, hackers targeted SolarWinds by deploying malicious code into its Orion IT monitoring and management software used by thousands of enterprises and government agencies worldwide. The complaint alleges the software company misled investors about its cybersecurity practices and known risks, in particular, that SolarWinds’ remote access set-up was not very secure and that someone exploiting the vulnerability “could basically do whatever without detecting it”.
In-vehicle monitoring: California enacted legislation that requires vehicle manufacturers to disclose the presence of in-vehicle cameras and prohibits any images or video recordings collected from being used for any advertising purpose, sold, or shared with any third party. The act requires consent to retain at any location other than the vehicle itself or download, retrieve a recording from the operation of an in-vehicle camera by a person or entity other than the user unless for diagnostics, service, repair, or improvement of equipment and systems. The act also provides consumers the right to revoke consent.
London Ulez fines: The Guardian reports that thousands of fines for breaches of London’s ultra-low emissions zone, (Ulez), rules may have been sent unlawfully to EU drivers, according to the Belgian authorities. Since Brexit, UK authorities do not have access to personal data of EU citizens for non-criminal enforcement. However, drivers in several EU countries have received fines, many totalling thousands of pounds, for failing to pay their Ulez charge before driving into London. Some have been penalised mistakenly, and one driver was fined nearly 11,000 pounds after a three-day visit in a hire car. Read the full story here.