TechGDPR’s review of international data-related stories from press and analytical reports.
Legal processes: Microsoft Office 365 cloud services, privacy complaints, lead supervisory authority, NIS2 Directive, Australia data breach penalties
The German Data Protection Conference negatively assessed the data processing agreements for Microsoft 365 cloud services, regarding the requirements of Art. 28 of the GDPR. The regulators came to the conclusion that “no data protection-compliant use of it is possible”. The assessment is based on the “Data Protection Addendum for Microsoft Products and Services”, including the current updated version. The central and recurring question of the series of talks with Microsoft was: in what cases it acts as the processor and in which as the controller.
- Microsoft does not fully disclose which processing takes place in detail, including subcontracting relationships.
- It does not fully explain which processing takes place on behalf of the customer and which for its own purposes.
During the discussions with Microsoft, the working group was not able to achieve any significant improvements in the drafting of the contracts (e.g. making them client-specific and detailed). The regulators also were not able to identify additional protective measures that could make the export of data to the US lawful. Many of the services included in MS 365 require the company to access the unencrypted, non-pseudonymised data. You can read the detailed assessment summary in German here.
The Stockholm Administrative Court held that the data protection authority must investigate complaints. This also applies if the authority opened a parallel ex officio investigation into a similar matter and at the same company. In 2019, a data subject filed a complaint in response to Spotify’s answer to an access request with the Austrian authority. The complaint was forwarded to Sweden as the lead supervisory authority for Spotify. After three years of inactivity, the data subject requested a formal decision.
The EDPB is finalising updated guidelines on identifying a controller’s or processor’s lead supervisory authority. The rule is to determine the location of the controller’s main establishment or single establishment in the EU (if any), where decisions about the purposes and means of the processing of personal data are taken. This place has the power to have such decisions implemented. However, there can be situations where more than one lead supervisory authority can be identified, in cases where a multinational company decides to have separate decision-making centres, in different countries, for different processing activities. The most complicated might be the so-called “borderline cases”, when, for example, decisions are taken exclusively outside of the EU/EEA.
The EU has approved the Directive on measures for a high common level of cybersecurity across the EU (the NIS2 Directive). Member states will have 21 months from its entry into force to incorporate the provisions into their national law. The act will repeal the current directive, amending the rules on the security of network and information systems of critical public and private sectors. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors would fall under the legislation.
In parallel, the UK government is introducing a new mandatory reporting obligation on managed service providers to disclose cyber incidents, alongside minimum security requirements which could see fines of up to 17 million pounds. The announcement was made as the government published its response to a public consultation on amending the NIS Regulation after Brexit.
After several major data leaks in Australia, the Parliament has approved a draconian privacy penalty bill. Companies which fail to take adequate care of customer data will face much higher fines – from the current 2.22 million dollars penalty to whichever is the greater of:
- 50 million dollars;
- three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of a company’s adjusted turnover in the relevant period.
The bill also provides the Australian Information Commissioner with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers. The higher penalties and new powers will come into effect the day after it receives Royal Assent ahead of an overhaul of the Privacy Act following a comprehensive review by the Attorney-General’s Department, currently being finalised.
Official guidance: EU-US data transfers, BCR-C, transfer risk assessment, trusted processors, Google Fonts, whistleblowing management
The Hamburg Data Protection Commissioner published its observations on the proposed EU-US Data Privacy Framework. The regulator advised that data transfer impact assessments must continue to follow the CJEU’s ruling on lawful EU-US transfers until the proposed framework is finalised. At present, nothing decisive has changed in the legal situation in the USA. Joe Biden’s recent Executive Order provides for a transitional period of up to one year. That is how long the eighteen US intelligence services have to integrate the guarantees provided for in the legal act into their practical work. This applies in particular to the new requirement to restrict data access to a reasonable level. The same applies to the institutional guarantees through the creation of a complaints body and a data protection court. These bodies are still being set up, and they will not be able to operate for several months.
The UK Information Commissioner’s Office has updated its guidance on international data transfers. This includes a new transfer risk assessment (TRA) section and a TRA tool. It gives an initial risk level for categories of data, and identifies transfers that significantly increase the risk of either privacy or other human rights breaches. Earlier this year the UK adopted an International Data Transfer Agreement and Addendum that replaced the Standard Contractual Clauses for organisations transferring personal data outside of the UK.
The EDPB has updated its recommendations on Controller Binding Corporate Rules (BCR-C). Holders are asked to make the changes according to the instructions provided in the document. The GDPR expressly provides for the use of such data transfer policies by a group of undertakings. The BCR approval only covers transfers to third countries or to international organisations; however, groups may design BCR to be used as their global data protection policy. The updated recommendations also bring the existing guidance into line with the requirements of the CJEU’s Schrems II ruling, which invalidated the EU-US Privacy Shield for data transfers.
The Baden-Wuerttemberg data protection commissioner has presented a Code of Conduct for data processors, to create more legal certainty. By committing themselves to the code, processors make it clear to the outside world that they follow the guidelines and submit to monitoring by a body accredited by the regulator. Those interested can find the Trusted Data Processor code of conduct here.
The Hessen data protection authority issued a warning about the use of Google Fonts. If the fonts are embedded from Google’s servers, the user’s browser loads them when the website is accessed and contacts the Google servers for this purpose. User data (at least the IP address) is transmitted to Google at this point. If personal data is transferred to a third country, such as the US, the requirements for third-country transfers must also be met. If these requirements cannot be met, the transfer is inadmissible. It is therefore advisable to self-host Google Fonts locally on your own web server. This applies equally to other font providers.
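As an added illustration of the check a site owner can run before relying on self-hosting (this is example code, not part of the article or of any regulator’s guidance): a small Python scanner that flags `<link>` and CSS `@import`/`url()` references to Google’s font hosts in a page. The sample HTML is constructed; the two host names are Google’s real font servers.

```python
# Added example (not from the article): scan HTML for font resources fetched
# from Google's font servers, i.e. the remote embedding the Hessen authority
# warns about. The host names are Google's real font hosts; HTML is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# matches @import 'x', @import url(x) and url(x) inside CSS, quoted or not
_CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""", re.I)

def is_google_font_url(url: str) -> bool:
    # accepts absolute, scheme-relative ("//host/...") and bare-host URLs
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    return host.lower() in GOOGLE_FONT_HOSTS

class _FontRefParser(HTMLParser):
    # collects (location, url) for <link href> and CSS url()/@import references
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href") and is_google_font_url(a["href"]):
            self.findings.append(("link", a["href"]))
        elif tag == "style":
            self._in_style = True  # HTMLParser delivers the CSS via handle_data

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in _CSS_URL_RE.findall(data):
                if is_google_font_url(url):
                    self.findings.append(("style", url))

def find_remote_google_fonts(html: str) -> list[tuple[str, str]]:
    """Return every Google-hosted font reference found in the page."""
    parser = _FontRefParser()
    parser.feed(html)
    parser.close()
    return parser.findings

# constructed sample: two remote Google Fonts references and one self-hosted font
SAMPLE_HTML = """<html><head><link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto" rel="stylesheet">
<style>@import url('https://fonts.googleapis.com/css?family=Lato');
@font-face { font-family: Inter; src: url(/fonts/inter.woff2); }</style></head></html>"""

if __name__ == "__main__":
    for where, url in find_remote_google_fonts(SAMPLE_HTML):
        print(f"remote font load via <{where}>: {url}")
```

A clean result is an empty list; anything reported is a request that will carry the visitor’s IP address to a third-country host and should be replaced by a locally hosted `@font-face` file.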
Who becomes a data controller when outsourcing an internal whistleblower scheme? In various scenarios an external supplier can handle reports from whistleblowers via a) direct contact, b) an IT platform it makes available, or c) a combination of both. In the case of direct contact, the subcontractor gains a degree of independence and decision-making, and both parties would act as data controllers (unless the employer gives the supplier very strict instructions). However, the supplier can become a processor in relation to the operation (hosting) of the IT platform, in which case a data processing agreement may be needed.
Enforcement actions: M&A customer data, retention periods, account ownership, consent forms, data brokers, consent layers, misleading and incomprehensible commercial prospecting
The Italian regulator Garante fined the Douglas perfume chain 1.4 million euros: the data of millions of customers had been kept for many years. The company was formed in 2019 by incorporating three companies in the sector, and decided to keep the data of almost 3.3 million customers of the previous companies without requesting their consent. The company will have to destroy data dating back more than 10 years and delete or pseudonymise the more recent files, properly secure them, and inform the customers. It will also have to change the settings of the Douglas app, clearly distinguishing the contents of the privacy information. Customers must be allowed to give free and specific consent for the various activities (the company’s own marketing, third-party marketing and profiling).
The French CNIL imposed a fine of 800,000 euros on Discord Inc., also with regard to retention periods and the security of personal data. This US “voice over IP” service offers instant messaging, in which users can create servers with text, voice and video rooms. The company did not have a written data retention policy: there were 2.47 million accounts of French users who had not used their account for more than three years. Discord’s password management policy was not robust (only six characters including letters and numbers), and when a user logged into a voice room closed the app window by clicking the “X” icon, the app merely went into the background and the user remained connected.
The CNIL also sanctioned EDF 600,000 euros for commercial prospecting practices. The standard prospect data collection forms were made available by a data broker. However, EDF was not able to communicate to the CNIL the list of partners receiving the data, whereas such a list must be made available to individuals at the time they give their consent. Finally, the measures put in place by EDF with its data brokers to ensure that consent was validly given were insufficient. At the time of the audits, EDF did not check the consent forms used and it did not conduct due diligence on data brokers.
The Spanish AEPD fined online banking service Bankinter 80,000 euros for violating security obligations. The complainant had access to the data of a third party alongside their own personal data whilst accessing their monthly statement on Bankinter’s website. The incident occurred due to an error in managing the ownership of the accounts. The AEPD also fined BBVA 80,000 euros for violating the integrity and confidentiality principle: the claimant had requested a certificate of ownership for their account from the bank, but received a copy of a third party’s contract instead. Moreover, BBVA took too long to remove the link to the file so that the claimant could no longer access, download or view the document.
The Danish data protection authority Datatilsynet criticised JP/Politiken’s consent procedure. It gave visitors three options (Necessary only, Customize Settings and Accept all). From the “first layer” it appeared that JP/Politiken processed personal data for statistical and marketing purposes. In the “second layer”, which the visitor could access by clicking on Customize Settings, the visitor could select their preferences for the processing purposes. However, the regulator assessed that visitors who clicked on Accept all did not receive information about all processing purposes.
The Italian competition authority AGCM fined Enel Energia and partner agencies over 5 million euros for unfair commercial practices. Various complainants received misleading messages disseminated by an answering machine and call centre operators, which were intended to induce consumers to sign a contract with Enel Energia. In most cases, the consumers involved had never given their consent, and some had been contacted despite their telephone numbers being in the Do Not Call register.
The Italian Garante also issued a fine similar to the one above against Vodafone. In this case, a woman over 80 was offered a contract read at a speed of 200 words per minute for 6 minutes, in a so-called “vocal order” (a contract concluded directly by telephone). The offer was judged to be incomprehensible, even after repeated listening. The fine of 500,000 euros imposed on Vodafone was calculated taking into account the aggravating circumstance of having committed other telemarketing violations in the previous three years.
Data security: public Wi-Fi, World Cup apps, M&A due diligence
Ahead of the festive season, America’s NIST reminds consumers about the secure use of public Wi-Fi networks. These are wireless local area networks that are available to the public and do not require a password. Unfortunately, many public Wi-Fi hotspots and access points do not provide encryption, and networks that lack data-in-transit protection are at risk of unauthorised eavesdropping on sensitive information. Employees can use public Wi-Fi to work remotely from numerous public places such as hotels, airports, and coffee shops. If information is compromised, it may lead to serious harm, financial loss, or reputational damage for an organisation. To mitigate this threat, individuals and enterprises should be mindful of using secure connections to websites and resources:
- A virtual private network (VPN) solution can ensure that all communication to and from their applications is encrypted before it leaves the device.
- Websites that use Hypertext Transfer Protocol Secure (HTTPS), which is HTTP transmitted over Transport Layer Security (TLS).
Visitors to the World Cup in Qatar are asked to pay close attention to their digital security. Two apps are required to attend the festivities. They are advised to use a telephone that they do not use for anything else. No other personal data, such as telephone numbers, image or sound files should be stored on this device. After using the apps, the operating system and all content on the phone used should be completely deleted.
The Starwood/Marriott data security breach in Canada provides an important signal for parties to M&A transactions and for all organisations that handle personal information. After the two hotel chains merged, Marriott delayed measures to improve the security of the Starwood networks because they were due to be decommissioned. Marriott then discovered a breach of the Starwood network involving unauthorised access to approximately 339 million customer records. The regulator concluded that Marriott failed to perform an ongoing assessment of its security safeguards, in breach of the PIPEDA requirement. Class action lawsuits were also commenced against Marriott in Canada and the US.
Big Tech: Meta Ireland “data scraping”, Amazon Prime subscriptions, Voodoo gaming apps, Google location tracking
The Irish Data Protection Commission concluded an inquiry into Meta Platforms Ireland, data controller of the “Facebook” social media network, imposing a 265 million fine and a range of corrective measures. The regulator commenced the inquiry after media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of data security measures of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU.
A recent class action filed in Washington alleges that Amazon used dark patterns to make cancelling customers’ Prime subscriptions more difficult. Amazon’s deceptive cancellation interface effectively prevents Prime subscribers from ending their memberships, leads to further subscription fees, and allows the company to continue collecting, retaining, and using the personal data of misdirected subscribers.
The UK ICO published the Age Appropriate Design Code audit report for Voodoo mobile gaming apps. Among the high priorities, Voodoo does not have an accurate understanding of the age demographics of its players (users are asked to confirm that they are 16 or over via a self-declared age gate). Younger users are not provided with age-appropriate prompts, information messages, or explanations. There has been no documented assessment of serving a high volume of advertising to minors, and no consent options were provided.
Finally, Google agreed to a 391.5 million settlement in most US states over misleading location tracking practices, the biggest of its kind. The confusion arose around the Location History setting and the extent to which users could limit Google’s location tracking by adjusting their account and device settings, CNN reports. Location data collected by Google could be used to target advertising and build profiles on internet users; or disclose highly sensitive information to law enforcement.