Swiss-US data transfers

Data protection digest 18 Aug – 2 Sep 2024: Swiss-US data transfers, BCR guide, Clearview AI fine

In this digest issue, we explore the latest Clearview AI fine, the secure Swiss-US data transfers, the data controller’s violation of the GDPR as subject to collective actions, the privacy risks of e-shop apps, and a new privacy policy generator and BCR monitoring tool.


Swiss-US data transfers

The new Data Privacy Framework now allows for the secure exchange of personal data between Switzerland and certified US companies without any additional guarantees. The Swiss Federal Council on 14 August added the US to the list of countries with an adequate level of data protection. The relevant changes will apply from 15 September. The companies under Swiss-US data transfers framework will only be permitted to process the data for the purposes for which they were collected. Disclosure to third parties such as non-certified companies is not permitted. In the event of access by US public authorities to personal data transferred from Switzerland, various safeguards are provided, including access to a redress mechanism.

Collective actions under the GDPR

DLA Piper’s legal analysis looks at the CJEU’s recent decision (C-757/22), which holds that a violation of a controller’s information obligations under Art. 12 and 13 of the GDPR can be the subject of a representative action under Art. 80 of the GDPR. The case concerns Meta’s processing activities: the claim was that the information provided to users about games in the App Center was unfair, in particular because valid consent was not obtained from users. Instead, users were merely informed that, by using certain games, the third-party provider would collect their data and have permission to publish it, and that they accepted the general conditions and the relevant data protection policies.

More legal updates

California AI legislation: The progress of the California bill that would create the first-ever national safety regulations for the biggest AI systems is examined in an article published in The Guardian. According to the proposal, businesses would have to test their models and make their safety procedures available to the public. The law focuses on systems whose training costs exceed 100 million dollars in data. As of right now, no AI model has reached that point. The governor of California has until the end of September to determine whether to sign it into law.

BCR compliance guide: To support groups holding BCRs in verifying their implementation, the French CNIL provides them with a tool and describes the steps for its deployment (available in English). BCRs are an intra-group data protection policy: they allow related entities to transfer personal data outside the EU, as provided for by the GDPR. Separate monitoring tools were developed for local entities and for group DPOs, and they should be adapted to the particularities of the organisation.

Privacy notice tool

The UK Information Commissioner has replaced its privacy notice template with a generator tool to help you create a bespoke privacy notice in just a few simple steps. This brand-new tool has been designed for sole traders and start-ups, small and medium-sized businesses and charities. Also, by generating an additional privacy notice for your staff and volunteers, you could include this on your staff intranet, in your recruitment welcome packs or in your policies library.

E-shop applications

The Czech authorities have issued a warning about e-shop applications that require non-standard permissions on the user’s device and may collect excessive amounts of user data. Some of these permissions are completely legitimate, but some are inappropriate given the purpose of the application (eg, access to location, contacts, videos or other files). App users should therefore always carefully review the privacy policy and terms of use.

Additionally, extremely low prices in some e-shops can be attractive, but they carry the risk that the provider makes its profit in another way (eg, by excessive collection of personal data that is passed on to third parties for a fee). If you still want to use such an e-shop application despite the risks mentioned above, for example for a one-time purchase, uninstall it from your device afterwards.

Guest access


The Data Protection Commissioner in Rhineland-Palatinate also launched an information campaign on online shops. It has become common practice to create a customer account for orders that last well beyond the individual purchase. Creating such a customer account can bring benefits to the customer. For example, further orders can be made without having to re-enter all the data, previous orders can be viewed, order and delivery status can be easily checked and favourite items can be saved.

However, customers do not always want such a long-term business relationship, so they should be able to freely decide whether or not they want to store their data in the online shop.

Contract as a legal basis

The Latvian data protection authority reminds us that one of the legal bases for the processing of personal data is the performance of a contract. However, to be able to correctly apply this basis, it is important to understand in which cases data processing is really necessary for this purpose. The application of this basis must be evaluated not only from the controller’s perspective but it must also be taken into account whether a person as a data subject, when entering into a contract, could have foreseen that their data would be processed within the framework of the contract:

  • the data must be processed to fulfil the obligations specified in the contract (eg, an online store needs a customer’s address to be able to deliver the product with the help of a courier);
  • the data must be processed to fulfil obligations to the organisation (eg, a person orders a new TV in an electrical goods store, and the store processes the customer’s payment data to receive payment);
  • the contract has not been concluded, but the person has asked for an action to be performed as a result of which the contract could be concluded (eg, a person wants to buy travel insurance, but before buying it, they want to find out how much the policy will cost with a particular insurer, so they first submit their data to the insurer).

Finally, compliance with warranty provisions may also be a part of the performance of the contract, therefore it may require the storage of certain data even after the sale of the goods, and such processing will be justified by the performance of the contract.


AI analysis of phone conversations


The Danish regulator investigated an insurance company’s (IDA Forsikring) use of artificial intelligence for the analysis of recorded telephone conversations. It stated that incoming telephone calls were recorded, after which the audio files from the recordings were sent for analysis to a data processor, which converted the files into text using self-developed speech recognition, partly to make the sound files searchable. The purpose of the analysis is to improve IDA Forsikring’s member service, ensure quality and give employees insight into their conversations in order to strengthen the service to members.

The regulator found this a valid legal basis under the GDPR, however, the current process for obtaining consent from the person calling in does not meet the data protection rules.

More enforcement decisions

Mass claim dismissed: A Dutch court has rejected a collective damages claim in a data security case. According to a cms-lawnow.com blog, the claims were made against several government agencies for inadequate protection of personal information. There were significant security vulnerabilities in the IT systems that local health services used during the COVID-19 pandemic. For months, some 35,000 employees had access to millions of people’s sensitive personal data, and it was discovered that 1,250 people’s data had been taken. Based on European case law, the court held that non-material damages may only be granted to those who have actually suffered harm as a consequence of the GDPR violation. Mere concern about a potential future breach, arising from the possibility that personal data was illegally obtained by third parties, is insufficient.

Delayed data access request: The Belgian regulator sanctioned a telecom operator 100,000 euros for a 14-month-late reply to a right-of-access request. The complainant and the defendant went through a mediation process after a contractual issue. The accused party acknowledged its error, but the complainant was not satisfied and then exercised their access rights. Among other things, they wanted to learn the names of the employees who had processed their data and why they had done so. They submitted their request, making it clear that they wanted it forwarded to the DPO. Nevertheless, even though two staff members worked on the request, it was neither approved nor forwarded to the DPO.

Data security


Biometrics and 2FA: Biometric procedures such as fingerprint and facial recognition are popular with consumers because they allow quick and easy access to online services as part of 2FA. But how secure is this authentication option in practice? The Federal Office for Information Security in Germany offers a white paper for developers and operators on biometric procedures in two-factor authentication (in German), covering the case where the knowledge factor (PIN or password) is replaced by biometrics.

Data protection-compliant redaction of documents: PDF and Office files can remain fully readable despite being blacked out with shapes or coloured bars, the Saxon data protection authority reiterates. Often, users only have to select the supposedly blacked-out content in the file and copy it into a text editor, and everything is readable again. Moreover, with the help of artificial intelligence, blurred content can often be reconstructed. It is therefore important that data is not only visually but also technically removed or edited (before any redaction, it is recommended to make a backup copy of the original file).

Also, because Office metadata may contain a history of changes and other information about the author, their location, etc, the redacted Office document should not be shared in its original file format (docx). Instead, save or export the file as a PDF document, or, if an editable version is necessary, copy all the already anonymised text into a new document and share that new document. Similarly, an edited image must be saved in a file format in which the original layer cannot be restored; the JPG format, for example, is suitable for this.
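As an added example (not part of the digest or the Saxon authority’s material), the following Python check shows what a visually redacted .docx still exposes: it opens the package as a zip with the standard library, lists core metadata such as creator and last modifier, counts tracked-change elements, and searches the document text for terms that were supposed to have been removed. The sample document, its names and numbers are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by Word documents and package metadata.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"

# Constructed sample: a name "blacked out" with a drawn shape is still a <w:t> run,
# a deleted phone number survives as tracked-change <w:delText>, and core.xml still
# names the author and reviewer. All values are made up.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t>Complainant: </w:t></w:r><w:r><w:t>Jane Example</w:t></w:r></w:p>
<w:p><w:del w:id="1" w:author="Reviewer"><w:r><w:delText>old phone 0700-000000</w:delText></w:r></w:del></w:p>
</w:body></w:document>"""

SAMPLE_CORE_XML = f"""<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
<dc:creator>j.example</dc:creator><cp:lastModifiedBy>reviewer01</cp:lastModifiedBy>
<cp:revision>7</cp:revision></cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Assemble the constructed parts into a minimal .docx package (a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def audit_docx(data: bytes, redacted_terms) -> dict:
    """Report metadata, tracked changes and supposedly redacted terms still in the text."""
    findings = {"metadata": {}, "tracked_changes": 0, "leaked_terms": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" in z.namelist():
            for el in ET.fromstring(z.read("docProps/core.xml")):
                if el.text and el.text.strip():
                    findings["metadata"][el.tag.split("}")[-1]] = el.text.strip()
        doc = ET.fromstring(z.read("word/document.xml"))
        findings["tracked_changes"] = len(doc.findall(f".//{{{W}}}ins")) + len(doc.findall(f".//{{{W}}}del"))
        # Every <w:t> and <w:delText> node is copyable text, whatever shape is drawn over it.
        text_tags = {f"{{{W}}}t", f"{{{W}}}delText"}
        text = " ".join(el.text or "" for el in doc.iter() if el.tag in text_tags)
        findings["leaked_terms"] = [t for t in redacted_terms if t.lower() in text.lower()]
    return findings


if __name__ == "__main__":
    print(audit_docx(build_sample_docx(), ["Jane Example", "0700-000000"]))
```

A document that passes this check (no leaked terms, no tracked changes, empty metadata) has had its content technically rather than only visually removed; a failing one should be rebuilt from anonymised text as the authority advises.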

Big Data


Uber case explained: Uber was fined 290 million euros by the Dutch regulator for failing to implement adequate measures when transferring drivers’ data, including certain sensitive categories, to the US. The company discontinued using the “Privacy Shield” in 2021 when it was shown to be invalid. Uber later said that it complies with the new EU-US Data Privacy Framework implemented only in 2023; nevertheless, there remain at least two years where driver data may not have been protected.

During this period of legal uncertainty, Uber was sending data to its San Francisco headquarters without the drivers’ express consent or the usage of the EU Model Standard Contractual Clauses (SCCs). 

Clearview AI fine: The Dutch data protection authority has imposed a fine of 30.5 million euros and orders subject to a penalty for non-compliance of up to more than 5 million euros on Clearview AI. Clearview is an American company that offers facial recognition services. Among other things, Clearview has built an illegal database with billions of photos of faces, including of Dutch people. The Dutch regulator warns that using the services of Clearview is also prohibited.

Meta Pixel: The Swedish Data Protection Authority IMY decided on hefty fines against Apoteket and Apohem AB. This was after the companies used the Meta pixel on their websites and transferred privacy-sensitive personal data to Meta, (the tool is dedicated to improving the company’s marketing on Facebook and Instagram). Moreover, the companies did not have the routines required to discover the deficiencies themselves. The transfer of personal data had been going on for a long time and was only stopped after the companies were made aware of the incident by third parties. 

