Data controller obligation
Upon termination of a processing agreement, the controller is obliged to monitor the deletion of personal data held by the processor. This was the ruling of the Higher Regional Court of Dresden, Germany, examined closely in a DLA Piper analysis. The plaintiff was a user of the online music streaming service run by the controller. The case was set off by a data breach in 2022 at a former external (non-EU) processor of the controller, involving the personal data of clients (hackers offered this data for sale on the dark web). The controller-processor relationship had come to an end in 2019, several years before the data breach. Under the terms of the data processing agreement, the controller had the option to have the data either deleted or returned once processing was complete. However, the controller never exercised this right.
Data subject rights under the DSA
On 21 April, the European Commission established internal regulations limiting certain data subjects’ rights (information, access, rectification, erasure, and notification of breaches) under the Digital Services Act. The restrictions cover the personal data of suspects, victims, whistleblowers, informants, witnesses, and staff of undertakings, processed in the course of the Commission’s supervisory, investigative, enforcement, and monitoring activities. The Commission must publish a data protection notice and inform affected individuals where appropriate.
TikTok fine
The Irish privacy regulator DPC has fined TikTok 530 million euros after an inquiry into transfers of EEA users’ data to China (enabling storage of and access to it). The inquiry also examined whether the information TikTok provided to users about such transfers met the transparency requirements of the GDPR. TikTok first informed the DPC that it did not store EEA user data on servers located in China. Later, however, TikTok informed the DPC that it had provided inaccurate information to the inquiry. Whilst TikTok has informed the DPC that the data has now been deleted, the regulator is considering whether further regulatory action, in consultation with peer EU Data Protection Authorities, may be warranted.
COPPA Rule
On 22 April, the US Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule to enhance content moderation and data protection for children under 13. The amendments will take effect on 23 June, with full compliance required by 22 April 2026. They introduce a new definition for “mixed audience website or online service.” They also require operators to implement age screening methods that are neutral and to avoid collecting any personal information before determining the user’s age, with few exceptions.
In the meantime, the first US state, Arkansas, approved the Children and Teens’ Online Privacy Protection Act, which was modelled after the pending federal law known as COPPA 2.0. Consent requirements, data minimisation, targeted advertising restriction, data subject rights, and data security are all applicable to any for-profit operator of a website, online service, or app that targets children or teenagers or knows that it is gathering their data.
More from supervisory authorities
The Data Act: The European Data Act will take effect on September 12. Manufacturers of internet-enabled devices will then be required to share the data sent by connected devices with third parties, explains the Hamburg data protection authority. Machines, household appliances, and vehicles connected to the internet generate large amounts of data every day. Those wishing to take advantage of the act should familiarise themselves with access rights. Those subject to the obligations of the act must prepare for access requests and develop strategies for protecting personal data and trade secrets.
To that end, the regulator offers the manual “The Data Act as a Challenge for Data Protection” (in German).
Multi-device consent: The French CNIL launches a public consultation on its draft recommendation (in French). The guidance concerns actors who plan to collect cross-device consent only when users are authenticated to an account. When a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices would be automatically applied to all devices connected to their account. This includes, but is not limited to, their smartphone, tablet, computer or connected TV, as well as the browser or app used.
Children’s code: In the UK, Ofcom issued a draft Protection of Children Code of Practice for search services under the Online Safety Act 2023. Implementing the list of recommended measures set out in this Code will inevitably involve the processing of personal data. The Information Commissioner’s Office has already set out that it expects service providers to take a ‘data protection by design and by default’ approach when implementing online safety systems and processes. Over time, Ofcom might update the Codes to take account of technological developments.
Customer data
What should merchants consider when recording telephone conversations with customers? The Latvian data protection regulator explains. A voice recording becomes personal data when it can be linked to a specific person. Therefore, such data processing must be carried out under the requirements of the GDPR:
- An appropriate purpose, defined as specifically as possible, must be set for such data processing (e.g. to improve the quality of the advice or service provided and thus to communicate with customers, as well as possibly to promote sales).
- The recordings may only be used to achieve the specified purpose and not for other, unrelated purposes.
- A balancing test must be carried out to determine whether such processing would unduly prejudice the customers’ rights to data protection.
- Conversation recordings may only be kept for as long as necessary to achieve the goal.
- Access to records should be limited to authorised persons whose tasks are directly related to the purpose of processing the records.
- When recording telephone conversations with customers, the merchant must inform them at the beginning of the conversation about the recording.
In parallel, the Estonian data protection agency issued new practical guidance to help online stores protect their customers’ data (in Estonian). It provides advice on ensuring data security, preventing cyber threats, and managing risks for both new and experienced online retailers, highlighting, among other things, the importance of strong authentication, encryption and log management, as well as the need to carefully evaluate cooperation with third-party service providers, data breach response and employee training.
Synthetic data generation
The Spanish AEPD has published the Spanish translation of the Guide to synthetic data generation, prepared by the Singapore data protection authority. Synthetic data is artificially generated to simulate real data and must retain its essential statistical characteristics to be useful without compromising personal data. Its generation must be carefully planned, falling along a spectrum ranging from completely random data to real data. The guide includes practical case studies on the best practices for generating synthetic data and reducing residual re-identification risks.
More official guidance
NIST cybersecurity guide: America’s NIST has updated its Privacy Framework, tying it to recent Cybersecurity Guidelines. It is intended to help organisations manage the privacy risks that arise from personal data flowing through complex IT systems. Furthermore, failure to manage these risks effectively can directly affect individuals and society, potentially damaging organisations’ brands, bottom lines and prospects for growth. Following the comment period (until 13 June), NIST will consider additional changes and release a final version later this year.
Domestic cameras are not excluded from GDPR: The Liechtenstein data protection agency has supplemented its guide on video surveillance with information on surveillance within one’s own home. This means that data protection does not stop in your living room, at least not if the purpose of data collection is not exclusively for personal or family activities. This is particularly the case if the purpose is to ensure security or perform quality control, for example, the observation of staff or external third parties (cleaners, gardeners, babysitters, etc.). This applies equally to video surveillance and pure audio recordings.
Large databases: Art. 5 and 32 of the GDPR require controllers and processors to process personal data in such a way as to ensure an appropriate level of security, in particular regarding the risks of massive data exfiltration, as the French CNIL reminds us. For large volumes of data, this can be implemented through the following measures:
- Secure external access to the information system via multi-factor authentication
- Log, analyse and set limits on the data flows that pass through the information system
- Consider humans as security actors: organise regular awareness-raising sessions adapted to user profiles (employees, developers, managers, subcontractors, etc.)
- Emphasise the data controller’s obligation to supervise data security with subcontractors.
More content from the CNIL on cybersecurity can be found on this page.
In other news
Apple and Meta fines: The European Commission imposed the first fines under its Digital Markets Act, punishing tech behemoths Apple and Meta for violating the EU’s new digital regulations. Apple was fined 500 million euros for violating the rules governing app stores (the “anti-steering” obligation). In comparison, Meta was fined 200 million euros for its “pay or consent” advertising approach, which charges EU users to use Facebook and Instagram without advertisements.
Workado AI detector: America’s FTC requires Workado to stop advertising the accuracy of its AI detection products unless it shows that those products are as accurate as the claimed 98%, as independent testing showed the accuracy rate on general-purpose content was just 53%. The company says that its AI Content Detector was developed using a wide range of material, including blog posts and Wikipedia entries, to make it more accurate for the average user. The FTC alleges, however, that the AI model powering the AI Content Detector was only trained or fine-tuned to effectively classify academic content.
Facial recognition at football matches
The Danish data protection agency has granted FC Copenhagen and the Danish Football Association permission to use automatic facial recognition during international football matches. The purpose is to support the enforcement of the rules on club quarantines and general quarantines in connection with football matches. The technology can therefore be used for access control to Parken Stadium. The impact assessment must be carried out before the processing begins.
Personal data processed as part of the facial recognition system must be transported to and stored encrypted on the server using up-to-date and widely recognised encryption algorithms. This also applies to the use of mobile devices at away matches.
More enforcement decisions
Proof of consent for marketing calls: The UK’s ICO fined AFK Letters 90,000 pounds for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service. Between January and September 2023, AFK used data collected through its website and a third-party telephone survey company to make mass marketing calls without being able to demonstrate valid and specific consent from the people contacted. Despite AFK claiming it could not provide evidence of consent because it deleted all customer data after three months, when challenged it was also unable to provide consent records for several calls made within a three-month timeframe.
User tracking: The Hamburg data protection authority launched a large-scale automated review campaign in mid-April. Most of the 1,000 websites randomly selected comply with data protection regulations; however, deficiencies were identified on 185 local websites. Various third-party web services (Google Analytics, Google Maps, Google Ads, YouTube, Facebook, Vimeo, MS advertising, Pinterest) were activated immediately upon accessing the site, resulting in users being tracked without the legally required consent.
Email security analysis tool errors: In Romania, the data protection agency fined BITDEFENDER (a software company) the equivalent of 10,000 euros. The investigation was initiated after the company submitted a personal data breach notification. Due to a programming or implementation error in the update operation of the email security analysis service, a significant amount of customers’ personal data was disclosed to third parties. The operator did not implement appropriate technical and organisational measures and did not carry out periodic testing, evaluation and assessment, including of the continued confidentiality, integrity, availability and resilience of systems and services.
In case you missed it
Revolut staff tracking: According to The Guardian, the fintech company Revolut has been monitoring employee behaviour and awarding or deducting points on an internal “Karma” system. Revolut’s annual report described the practice as ‘successful’ while also revealing that last year’s profits had more than quadrupled. The system, launched in 2020, tracks how effectively employees adhere to risk and compliance regulations, awarding and deducting points that eventually impact compensation. After those points are added up at the team level, the ultimate bonus for each employee is either deducted or multiplied.
CJEU knowledge base on data protection: The EU’s top court has published a Fact Sheet document on the Protection of personal data, to present a selection of seminal rulings on the subject and rulings that have made a significant contribution to the development of this case-law. The document relates to sector-specific rules, particularly in the electronic communications sector and criminal law, but also aims to present a selection of judgments dealing with rules which are applicable across multiple areas.