Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US privacy framework, DMA, CCPA/CPRA, right to be forgotten

The Baden-Württemberg data protection commissioner warns that Joe Biden’s executive order with regard to the EU-US privacy framework is an important step, but it creates legal ambiguity. It addresses the requirements of the CJEU’s “Schrems II” judgment by adapting, among other things, the extensive access to EU residents data in the context of US national security and the complaints and appeals procedure. Nonetheless, it represents an internal instruction to the government and subordinate authorities and is not a law that has been passed by parliament, and is not legally enforceable, especially for EU citizens. In addition, it is not clear how the executive order relates to other existing US regulations such as the Cloud Act. Other ambiguities are as follows:

  • The legal concept of proportionality differs in the EU, so that it remains unclear when, from the US’s point of view, access for national security remains permissible.
  • Significant requirements are placed on the filing of a complaint by EU data subjects, so that it is still possible to filter out “undesirable” complaints.
  • The newly created Data Protection Review Court, (an appeal body for complainants), will be set up by order of the Minister of Justice, which may contradict its judicial independence.
  • The CJEU not only demanded legal remedies against state spying, but also the end of surveillance without cause, (the system change demanded by the court does not exist at present).

The European Commission will now have to decide whether there is equivalent protection of personal data in the US. The draft decision is expected in spring 2023. More legal research on the topic is promised by the NOYB privacy foundation, whose founder Max Schrems started the legal battle in 2013. 

Where various controllers rely on the single consent of a data subject, it is sufficient that the data subject contacts any one of them, states the CJEU’s recent ruling. The controller of personal data must, by means of appropriate technical and organisational measures, inform the other controllers that have provided the data or have received such data of the withdrawal of the consent of the data subject. Equally, the controller is required to take reasonable steps to inform third parties such as internet search engine providers of a request for erasure. The case related to Telenet, a Belgium telephone service operator, which passes on the contact details of its subscribers, (with their consent), to providers of directories, including Proximus. One of Telenet’s subscribers asked not to be included in directories published by Proximus and third parties; nonetheless, their contact details appeared online.  

The EU Digital Markets Act, (DMA), entered into force on 1 November. The new regulation will put an end to unfair practices by companies that act as gatekeepers in the online platform economy. In many cases the rules intercept and reinforce fundamental privacy and data protection concepts, such as:

  • Provide business users with access to the data generated by their activities on the gatekeeper’s platform.
  • Ban on tracking end users outside of the gatekeepers’ core platform for the purpose of targeted advertising, without effective consent having been granted.
  • The interoperability obligation to ensure that the levels of service integrity, security and encryption offered by the gatekeeper will not be reduced, (eg, text messages/audio/video calls between individual or group users). End users will equally have the choice to use or refuse such an option, where their provider has decided to interoperate with a gatekeeper.

The DMA will also facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers. After the entry into application on 2 May 2023, potential gatekeepers will have to notify their core platform services to the Commission within 2 months if they meet the quantitative thresholds.

The California privacy regulator released modified proposed regulations for compliance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act. It also seeks public comments on the improved text until 21 November. The adaptations relate to:

  • the notice of collections, (on how to disclose third parties that the business allows to collect personal information from the consumer),
  • right to limit the use/disclosure of sensitive personal information, (without the purpose of inferring characteristics about a consumer),
  • limits to responding to consumer requests due to “disproportionate effort”,
  • requests to correct personal information,
  • data minimisation, (business’s collection, use, retention or sharing of personal information must be reasonably necessary and proportionate to achieve the relevant purposes).

Official guidance: anonymisation for SMEs, data breach reporting, direct marketing, employment practices, DP icons, dark commercial patterns

The Spanish data protection agency AEPD has published a basic anonymisation guide, (in Spanish), for data controllers, data processors and data protection specialists. It is especially aimed at serving SMEs and startups when they have to deal with the anonymisation of small data sets. The document explains the difference between the concepts of anonymisation, de-identification, and re-identification. The guide is complemented by a free tool, (downloadable via this link), for organisations to transform simple data sets by applying anonymisation techniques.

The AEPD has also launched a tool which aims to help data controllers decide whether to report a personal data breach to the supervisory authority, following Art. 33 of the GDPR, (available in English). This tool can also be used by data protection officers, data processors, or consultants to obtain adequate information with which to advise controllers. Once finished, the data provided during the process are deleted, and the AEPD does not have access.

The UK privacy regulator ICO updated its guidance on direct marketing using electronic mail. The Privacy and Electronic Communications Regulations 2003, (PECR), takes its definition of direct marketing from the UK Data Protection Act 2018 and covers the sending of electronic mail for direct marketing purposes to particular individuals. The guide does create a few exceptions for: a) some types of online advertising, (eg, advertisements placed on websites not using cookies or similar technologies), b) direct marketing using social media, (eg, advertising messages shown on news feeds), and c) mail sent for administrative or customer service purposes, (if they do not contain any promotional content). Read the full guidance here.

The ICO also released a draft guidance on employment practices: information about workers’ health, (sickness and injuries, disability, drug tests, health monitoring, etc). It is some of the most sensitive personal information you might process about your workers. Data protection law applies whenever you process information about your workers’ health. Notably, the term ‘worker’ relates to all employment relationships, whether this includes employees, contractors, volunteers, or gig and platform workers. 

The Baden-Württemberg data protection authority in Germany released free-of-charge data protection icons, aimed at making privacy notices by data controllers clearer and easier to understand. For example, data subjects can see at a glance on which legal grounds data processing is based. The icons can be downloaded here.

The OECD has published a paper on dark commercial patterns. These practices are commonly found in online user interfaces including cookie consent notices. Many consumer and data protection authorities have taken enforcement actions and consumer organisations have filed complaints about their use, states the OECD. However, enforcement cases to date predominantly relate to a limited set of dark patterns commonly recognised by regulators. This indicates possible gaps in the law, available evidence, or enforcement capacity.

Investigations and enforcement actions: learning records, bank cards’ contactless data, HTTP protocol, employee login information, adult domains

The ICO has issued a reprimand to the Department for Education (DfE), following the prolonged misuse of the personal data of up to 28 million children. An investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trustopia, an employment screening firm, to check whether people opening online gambling accounts were 18. At the time of the breach, 12,600 organisations had access to the learning records service database, including schools, colleges, higher education institutions, and other education providers. This allowed organisations to verify a number of functions including the academic qualifications of potential students or check eligiblity for funding. Trustopia had access to the database for two years and had carried out searches on 22,000 learners for age verification purposes. Trustopia has never provided any government-funded educational training.

The US FTC is taking action against the online alcohol marketplace Drizly, (an Uber subsidiary), and its CEO over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account.

The FTC is also taking action against education technology provider Chegg Inc. for its lax data security practices that exposed sensitive information about millions of its customers and employees. Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017.  Notably multiple Chegg employees fell for a phishing attack, and a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing the personal information of approximately 40 mln customers).The FTC’s proposed order requires the company to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

Spain’s AEPD fined Burwebs S.L and Techpump Solutions, (owners of various internet domains with adult content), 75,000 euros and 525,000 euros respectively for multiple violations of the GDPR, Data Guidance reports. In the case of Burwebs, the AEPD found:

  • All personal data of registered users is stored indefinitely.
  • No provision regarding the consent of holders of parental authority or guardianship on profiles of minors registered as users.
  • The process for opening an account on the domains does not employ additional data or procedures to confirm the applicant’s identification in addition to the supporting papers initially used.
  • Privacy policy does not inform users of the possibility of revoking consent at any time before the initial provision of consent, and fails to inform users of the period for which their personal data will be retained.
  • The total absence of “privacy by design”.
  • Records of processing activities does not list all the procedures, (eg, retention of unregistered user data).
  • In addition to cookie walls that block access to websites and require users to approve relevant cookies, its applicable webpages lack information on the usage of cookies. 

In the case of Techpump Solutions, the AEPD found identical data processing violations to the above case, plus:

  • Transfers of personal data to companies within the same group occurring, despite the privacy policies claiming that such a process will not occur. 
  • Indefinite storage of the personal data of those who used the relevant webpages, until website users request the withdrawal of consent. 
  • No clear or affirmative consent mechanism exists to acquire user personal data.  
  • The majority of the company resides outside of Spain, and the information in its privacy policy is in English, a foreign language for the target audience. 
  • Frequent collection of personal information, including IP addresses, without explaining the circumstances to users.

Both companies were given one month to apply all the corrective measures.

The Greek data protection authority has fined four banks, (Eurobank, National bank,  Alfa Bank, and Piraeus), 20,000 euros each for the retention on the chip of customers’ Mastercards information on their last 10 transactions. The data can be read “contactless”. The banks, without informing clients, issued replacement cards with the feature. 

A 15,000 euro fine by the Italian privacy regulator Garante was issued against a company for not having adequately protected customer data. The access to the company’s website dedicated to “online services” took place via the “http” network protocol, not encrypted and not secure. Various data was passed through this channel, including authentication credentials, names, social security numbers, e-mail addresses, telephone numbers, and billing data. The company violated important principles of “privacy by design”, and “integrity and confidentiality” of the data processing. 

Data security: crucial TOMs, digital footprint, cybersecurity and privacy annual report by NIST

America’s NIST has published its latest Cybersecurity and Privacy Annual Report. It is organised into eight key areas: cryptographic standards and validation, cybersecurity measurement, education and workforce, identity and access management, privacy engineering, risk management, trustworthy networks, and trustworthy platforms. The NIST conducted research and demonstrated practical applications in several key priority areas, including post quantum cryptography, cybersecurity in supply chains, zero trust, and control systems cybersecurity. The NIST also initiated research in some new areas, including exploring the cybersecurity of genomics data.

The UK ICO warned that organisations are leaving themselves open to cyber attacks by ignoring crucial technical and organisational measures like updating software and training staff, (Art. 32 of the GDPR). The warning comes with a 4.4 million pound fine to Interserve Group. An employee forwarded a phishing email, which was not quarantined by the system, to another employee who opened it and downloaded its content –  data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The Latvian DVI explains a digital footprint and how to protect it. A user can leave it either actively or passively, but once shared, the digital footprint is relatively permanent. It can determine a person’s digital reputation, which is now as important as a person’s offline reputation. Cybercriminals can also use your digital footprint for purposes such as phishing or creating a fake identity. In one of the examples, the active digital footprint is formed when a credit card of a specific service provider is used, while the passive digital footprint is formed by analysing the flow of money in the account and the purposes for which one spends one’s financial resources. Thus:

  • Remember to carefully familiarise yourself with the privacy policies of the websites where you intend to consume the offered goods or services. Additionally, 
  • Every time you sign in to a third-party website using, for example, your Facebook credentials, you give that company permission to obtain your user data — potentially putting your personal information at risk. 
  • Perform regular searches for your name and related personal information in search engines.
  • Enforce the privacy settings of your online accounts, and minimise the amount of personal data shared, (eg, location). 
  • Regularly update software. 

Big Tech: TikTok employees’ access to data, Medibank’s refusal to pay ransom, Amazon’s Alexa recording

TikTok informed its EU users that their data can be accessed by employees outside the continent, including in China – to ensure their experience of the platform is “consistent, enjoyable and safe”. The other countries where European user data could be accessed by TikTok staff include Brazil, Canada and Israel as well as the US and Singapore, where European user data is stored currently, The Guardian reports.

Medibank, Australia’s biggest health insurer, said no ransom payment will be made to the criminal responsible for a recent data theft, (around 9.7 million current and former customers). The company believes there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. Plus, paying a ransom could encourage the hacker to extort customers directly, hurting more people.  Australian companies have been hit by a string of cyber attacks in recent weeks prompting the government to think about significant increases in penalties for repeated or serious privacy breaches, with amendments to privacy laws. 

Finally, Amazon must produce millions of documents in response to discovery requests in a potential class action over the marketing of its Alexa-enabled devices, Bloomberg Law reports. Plaintiffs allege that Amazon sold its Alexa-enabled devices to consumers using unfair and deceptive advertising, and illegally record conversations. The plaintiffs need discovery concerning Amazon’s intent in marketing Alexa devices, complaints received by the company, and how Alexa-enabled devices function. Amazon estimated it would have to produce 4.4 million documents in response to the plaintiffs’ requests.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.

Request your free consultation


Show more +