Data protection & privacy digest 18 Feb – 3 Mar 2023: practical application of the EU-US Data Privacy Framework remains a concern

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US data privacy framework, China’s outbound data rules, international transfer risk assessment, Australian small business to adopt data protection

The EDPB sees improvements under the EU-US Data Privacy Framework, but many more concerns remain. The improvements include the introduction of requirements embodying the principles of necessity and proportionality for US intelligence data gathering and the new redress mechanism for EU data subjects. However further clarifications are needed for:

  • rights of data subjects,
  • rules on automated decision-making and profiling,
  • onward transfers, (eg, to sub-processors in the US), 
  • the scope of exemptions, 
  •  the practical functioning of the redress mechanism,
  • temporary bulk collection, retention, and dissemination of data by the government, (targeted surveillance of foreign persons located outside the US under Section 702 FISA and Executive Order 12333).

Finally, the EDPB recognises the role of special advocates and the supervision of the redress mechanism by the Privacy and Civil Liberties Oversight Board. In addition, it is troubled by the general application of the Data Protection Review Court’s standard reply informing the complainant that either no covered violations were found or a determination requiring appropriate remediation was made, especially given that this decision cannot be appealed.

The German Data Protection Conference also assesses the risks of third-country authorities’ access to personal data processed in the EU/EEA. The mere possibility that a foreign public authority or parent company of a European subsidiary can demand the transfer of data does not constitute a data transfer in itself. However, if a processor does proceed with a data transfer under third-country laws or corporate law instructions, it needs to provide sufficient guarantees, through transfer impact assessments or suitable technical and organisational measures, to ensure GDPR compliance.

Meanwhile, the Cyberspace Administration of China, (CAC), started the approval of outbound data transfers.  All international data transfers from now on must follow one of three procedures in order to be legal: mandatory security assessment measures for significant data transfers, and state-approved standard contractual clauses or certification for less significant data sets. Typically, companies need to prepare a 180-page document mapping out the data flow and then justify to the local and national authorities why certain data must leave China. For less-significant cross-border transfers, newly released standard contractual clauses do not require approval, however, the CAC has the right to intervene at any moment. 

In Australia, small businesses with a 3 million dollar or less annual revenue may soon be required to abide by the Privacy Act, even though they are not currently required to protect user personal information or disclose how it is used. The 20-year-old exemption was introduced prior to businesses’ take-up of online platforms. Now experts say they are no longer a low risk for cybercriminals. Small business associations claim data security obligations will result in severe damages for the whole sector. The Australian government has not yet announced which changes it will adopt. Basically, companies would need to have a privacy policy, assure adequate data security measures, and delete data or de-identify it when no longer required.

Official guidance: international transfers definition, privacy by design and default for developers, deceptive design patterns, ROPAs, video surveillance

The EDPB updated guidelines on the concept of international transfers. A clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples were added to clarify aspects of “direct collection” from individuals in the EU, as well as the meaning of “the data importer in a third country”, with further examples and illustrations. Processing of personal data outside the EU often involves increased risks, for example, because foreign authorities can gain access to the data. This needs to be identified and handled in order for the processing to be permitted according to the GDPR.

The Catalan data protection authority issued guidance on Privacy by design and by default for developers. The regulations governing data protection by design and default do not specify which particular technical and organisational measures must be put in place, says the document. The controller, as well as the developers of the technological solutions, must conduct a prior analysis before determining the necessary measures. Determining the nature, scope, context, and purposes of the processing is the controller’s responsibility. The risks associated with each available technology must be taken into account when choosing a specific technological solution. Collaboration with developers is crucial at this point. 

Overloading, Skipping, Stirring, Obstructing, Fickle, Left in the Dark – These are terms used to describe the main tactics employed in deceptive design patterns, and the EDPB has issued an update on how they apply to social media interfaces, and the best practices to recognise and avoid them. The guide offers assistance in design thinking processes for designers, but also alerts users of social media platforms, with numerous examples and illustrations.

The importance of records of data processing activities, (ROPAs), needs underlining says the Latvian data protection agency. A ROPA is not a document that can be developed, put on the shelf, and forgotten about, explains the regulator. The organisation can assign one or more responsible persons to maintain the register, (either in electronic, excel, or paper format). The responsible person can also be a data protection officer, whose duties include the creation and maintenance of the document. The organisation can include not only the mandatory amount of information for each data processing activity but also supplement the records with supportive documentation, for example, impact assessment reports.

Video surveillance is a strong invasion of privacy because it profoundly affects people’s thinking and actions, states the Estonian data protection agency. The smaller the area of surveillance, the better. The shorter you keep data, the better. Recordings may not be used for purposes other than the original objective, (with rare exceptions). Finally, visual warning signs should be always complemented with more detailed privacy notices on demand. 

Investigations and enforcement actions: security patches and ransomware, non-existent debts and data deletion, conditions for cookie walls, Tesla security camera improvements

The Irish data protection authority fined Centric Health 460,000 euros for a data breach caused by a ransom attack in 2019. The attack, which restricted access to patient data, hit 11 Primacare GP practices integrated into Centric Health’s IT system.  The attack affected the data of 70,000 patients. Of those, 2,500 had their data deleted with no backup available during attempts to mitigate the attack, the Irish Times reports. The investigation into Centric Health discovered ‘Calum’ ransomware on the system, which encrypts data and asks for payment to decrypt it. Back-ups of the system were also affected by the ransomware. 

A forensic expert, hired by Centric, did not find any evidence of data exfiltration: “No evidence of archive files consistent with the attacker compressing large amounts of data for exfiltration was found on any of the systems, but this does not definitively rule it out”. However the regulator’s investigation identified that a large number of patches were released by Microsoft in 2018 that should have been applied to the Windows Operating System by Centric. It demonstrated a serious lapse on the part of Centric and an inability to identify all software operating on its system at the time of the breach.

The Danish data protection authority examined the use of cookie walls in two different cases. Where the user can access the content of a website or service in exchange for the processing of their data, or by paying,  the requirements of data protection rules for valid consent are met concluded the regulator. The exception is when the service offered by consent is different from that offered by payment, and when users are not really presented with a free choice. 

The Dutch privacy authority decided against a fine after Tesla made security camera settings more privacy-friendly. Tesla used ‘Sentry Mode’ to help owners protect themselves against theft or vandalism by filming everyone nearby. Now the cameras respond only if the vehicle is touched; it does not automatically begin filming but the owner receives an alert on their phone; the headlights flash to indicate to the passersby that filming has begun; records are saved in the car and not shared with Tesla, and limited to no more than 10 minutes of footage. 

Finally, the Croatian data protection agency fined a telecommunication company for failure to maintain up-to-date and accurate data. The complainant stated that their personal data was processed by the company, despite not being their client for more than ten years. The respondent found out about this during a security incident notification she received from the telecommunication company and then confirmed by customer service. After the respondent’s inquiry, the company found that it was still processing their personal data, all due to the fact that the data controller linked the existence of a non-existent debt to the respondent for unknown reasons, which is why the computer system did not allow the deletion of data until the non-existent debt was not canceled manually. 

Data security: danger of low-tech hacks, UK’s new certification scheme, genomic data

The UK Information Commissioner’s Office has approved the new set of UK GDPR certification scheme criteria. The scheme is aimed at training and qualification for service providers and will enable their candidates to make informed choices when applying for training programs, having confidence that their personal data will be processed in accordance with the UK’s GDPR. This scheme follows three others: one offering secure re-use and disposal of IT assets and the other two looking at areas including age assurance and children’s online privacy.

The US cyber security expert Brian Krebs demonstrates how low-tech hacks cause high-impact breaches. Last month web hosting giant GoDaddy revealed a multi-year hack had given hackers access to company source code, login information for clients and employees, and customer websites. The incidents could have stemmed from a small number of GoDaddy employees falling for a sophisticated social engineering scam. Attacks using voice phishing or vishing frequently target workers who are based off-site. The phishers typically pose as members of the employer’s IT department when calling. The objective is to persuade the target to enter their login information at a website that the attackers have set up that looks like the company’s corporate email or VPN portal.

The US National Cybersecurity Center of Excellence has published a draft internal report on the cybersecurity of genomic data. Genomic data is immutable, associative, and conveys important health, phenotype, and personal information about individuals and their past and future. In some cases, small fragments of genomic data stripped of identifiers can be used to re-identify persons, though the vast majority of the genome is shared among individuals. The report proposes a set of solutions that address real-life use cases occurring at various stages of the genomic data lifecycle along with candidate mitigation strategies and the expected benefits of the solutions. Additionally, areas needing regulatory/policy enactment or further research are highlighted. The public comment period is now open through 3 April.

Big Tech: TikTok scrutiny, YouTube child data complaint

TikTok announced that it is creating a tool that will enable parents to prevent their teenagers from viewing certain content, as well as limit the amount of time spent on the app. TikTok, owned by China’s ByteDance, is currently facing an international backlash for illicit content, and data security concerns. The app has been banned from government-owned and work-related devices in the United States, and Canada. The European Commission also banned the app on its corporate devices and personal devices that might be connected to the official mobile network provided by the institutions within their premises. 

Finally, in the UK, a member of child advocacy group 5Rights, filed a complaint with the Information Commissioner’s Office, asking Google/YouTube to stop collecting children’s data and potentially make it liable for the maximum penalty- of as much as four percent of annual turnover. It is the first such complaint alleging a major tech firm has broken the new Age-Appropriate Design Code, The Guardian reports. Although YouTube officially forbids users under the age of 13 from accessing its main website, the complaint claims the company failed to ensure that younger users were abiding by the rules and only accessing the main platform with parental permission.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.

Request your free consultation


Show more +