Data protection & privacy digest 27 Sept – 11 Oct 2022: New EU-US data privacy framework is now under EU legislators’ microscope

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US adequacy procedures, non-material damage in the GDPR, Colorado draft privacy law, Andorra data protection regime

On 7 October, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Along with the Regulations issued by the Attorney General, it implements into US law the agreement in principle, (the EU-US data privacy framework), announced in March. The document introduces new binding safeguards to address all the points raised by the CJEU, limiting access to EU data by US intelligence services, and enabling EU individuals to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’ and to appeal to a ‘Data Protection Review Court’. In parallel, the UK and US are also looking ahead to concluding a data adequacy agreement following Biden’s order. The European Commission will now prepare a draft adequacy decision in several steps: obtaining an opinion from the EDPB, and approval from an EU Member State committee. In addition, the European Parliament has a right of scrutiny for adequacy decisions. European Commissioner for Justice Didier Reynders is sure there will be a fresh legal challenge, but he is confident that the pact meets the court’s demands. However, in the opinion of the NOYB privacy campaigners, there is no indication that US mass surveillance will change in practice.

The European Council gave final approval to the Digital Services Act, a law to protect users’ rights online. It defines clear responsibilities and accountability for providers of intermediary services, such as social media, online marketplaces, very large online platforms, and very large online search engines. The rules are designed asymmetrically, so larger intermediary services are subject to stricter rules. Among many measures, it imposes certain limits on the use of sensitive personal data for targeted ads, including age, gender, race, and religion; it bans misleading interfaces known as ‘dark patterns’, and offers users a system for recommending content that is not based on profiling. After being published in the Official Journal of the European Union, the law will apply in fifteen months.

A CJEU Advocate General issued a non-binding opinion on non-material damage resulting from unlawful processing of data, conditions for the right to compensation, and establishing damage above a certain threshold of seriousness. The Austrian supreme court referred the above questions for clarification to the EU’s top court as the GDPR grants any person who has suffered material or non-material damage due to an infringement of its provisions the right to receive compensation from the data controller or processor. According to the opinion:

  • A mere infringement of a provision is insufficient if that infringement is not accompanied by relevant material or non-material damage for a person.
  • The compensation for non-material damage provided for in the regulation does not cover the upset that the person concerned may feel due to the infringement.
  • It is for national courts to determine when, owing to their characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage.

Find more contextual and teleological considerations on data subjects’ powers over their data in the original text.

Meanwhile, in the US, the state of Colorado published Privacy Act Draft Rules. They concentrate, among many provisions, on consumer-facing compliance, (disclosures, handling requests, and opt-out mechanisms), handling sensitive data, data minimisation and purpose limitations, data protection impact assessments, and restrictions related to profiling. The rules are not finalised, nor do they contain very strict language. The act does not go into effect until July 1, 2023, with input due from several stakeholders and a public hearing.

Finally, Andorra approved two decrees regulating the protection of personal data and the supervisory authority. The first regulation integrates all the necessary regulatory provisions into the country’s daily life. The intention is to provide legal security to those responsible for data processing, (administrations, private entities, companies, associations, etc.). In addition, everyone has six months to adapt their processes to this new text. The second document configures the Andorran Data Protection Agency as a public body with its own legal identity, independent and with full capacity to act, along with its composition, functions, inspection capacity, penalty, and other main activities. 

Official guidance: public collections of support signatures, subject access requests, financial crimes, background checks, health data warehouses

The Slovenian data protection commissioner issued a reminder of the rules for protecting personal data in the public collection of support signatures. Organisers must ensure adequate security of personal data, (eg, against loss), and when collecting their data, also provide individuals with information on Art. 13 of the GDPR. The individual must therefore receive at least information about the controller, (who collects personal data), the purpose and legal basis for collecting personal data, their rights, and legal protection. Even if the collection of personal data is determined by law, (eg, in referendums), the signature collector must still provide information about the processing of personal data at the moment the data is obtained.

The UK data regulator the ICO has laid out the basics of data subject access requests. Everyone has the right to ask an organisation whether or not they are using or storing their personal information. You can also ask for copies of your personal information, verbally or in writing. The ICO deals with over 35,000 complaints from individuals every year, the vast majority of which are to do with the rules and obligations around accessing personal data: information rights requests taking too long, no one to contact, questions not being answered, incomplete or unsatisfactory responses, lack of trust in what people are being told, or lack of understanding leading to information being perceived as unclear or unhelpful. Thus the main rules for organisations to get access requests right are:

  • Find out what your customer wants exactly, and ask them to provide additional details – such as the context in which information may have been processed and likely dates when processing occurred – to help you locate the requested information.
  • If you cannot meet the deadline for individual rights requests, tell them.
  • If you’re dealing with a complex or particularly large request, explain that you’ll send out information in batches and provide a timeframe for this.
  • Explain exemptions, and redactions, if they apply.
  • Keep a record of your decision so that you can share it with the supervisory authority.
  • Explain legal provisions in a way that someone will understand.
  • Keep your privacy policy up to date and ensure it’s accessible and easy to understand.

The EDPS reminded organisations of the meaning of the US CLOUD Act, which may conflict with the GDPR. The federal law, which came into force in 2018, allows the US government, with a court order, to access electronically stored communication data held by a private entity subject to US law, (eg, corporate link, direct or indirect), but located overseas, provided that the data is relevant to an ongoing criminal investigation. As a result, the EDPS reconfirms the importance of seeking alternative services, such as cloud and web services based in the EU, to ensure that personal data is processed according to EU law.

Sweden’s privacy regulator IMY has allowed a bank to handle personal data relating to violations of the law in cases of money laundering and the financing of terrorism when there is no legal support for the processing. Such control may be necessary for a bank to prevent a customer whose customer relationship has been terminated in one branch from being able to turn to another one within the group. Private companies must apply for permission from IMY for such processing to be allowed. Similarly, the IMY gives companies that offer background checks permission to handle personal data related to legal violations in some instances, (eg, fraud and economic crime, tax crimes and embezzlement crimes, criminal violations of individual job seekers and consultants, and persons with senior positions or controlling influence in the business).

The French regulator CNIL published a compliance “checklist”, (in French), for health data warehouses. It can be used by anyone wishing to set up a data warehouse in the health field. It goes through the various requirements in the form of statements that data controllers judge to be true, false, or not applicable. Any processing that does not comply with all the requirements defined by the reference framework must be the subject of specific authorisation from the CNIL before being implemented, (by using “declare a file” on the CNIL website). An action plan to bridge any gaps between the envisaged processing and the requirements of the reference framework can thus be drawn up on this basis.

Investigations and enforcement actions: one-stop-shop complaints, unlawfully communicated e-mail addresses and health data, predatory direct marketing, unreported data breach, and ethical hacking

The Irish data protection commission, (DPC), issued a report providing a detailed fact-based overview and statistical analysis of its handling of One-Stop-Shop complaints in the period May 2018 to end of 2021. The DPC has received almost 20,000 complaints since the GDPR came into force, and over 17,000 have been concluded. The report illustrates that:

  • 1,278 valid cross-border complaints were received by the DPC: 85% as lead supervisory authority, (LSA), and 15% as a concerned supervisory authority, (CSA).
  • 62% of the cross-border complaints handled by the DPC as the LSA were originally lodged with another supervisory authority and transferred to the DPC.
  • 73% of all cross-border complaints handled by the DPC as the LSA have been concluded.
  • Most cross-border complaints handled by the DPC as the LSA were resolved through amicable resolution in the complainant’s favour.
  • 87% of all cross-border complaints handled by the DPC as the LSA relate to just 10 data controllers.
  • 48% of complaints transferred by the DPC to other EU/EEA LSAs, (excluding the UK), have been concluded.

The Hungarian data protection authority NAIH issued a fine to the National Health Insurance Fund management after receiving an individual complaint. The fund’s website had “published” the information that the complainant had registered for their Covid-19 vaccination. Anyone knowing their social security number and date of birth could confirm the validity of the registration of the person concerned. In this context, the complainant questioned why the respondent did not, for example, send the query result only to the e-mail address. The fund management also failed to respond to the subject access request, (when and from which IP address the query was made), and to meet its cooperation obligations during the regulator’s inspection.

Meanwhile the Italian privacy regulator ‘Garante’ fined a US company, (Senseonics), 45,000 euros for violations of personal data in the use of its glucose monitoring system and for having unlawfully communicated e-mail addresses and health data of about 2000 Italian diabetic patients. The company notified the SA of a data breach due to an employee’s sending – as part of an information campaign – email messages with the recipients’ addresses in the ‘Cc’ field rather than in the ‘Bcc’ one. This enabled every recipient to view the other recipients’ email addresses. The messages contained ‘data disclosing health’; accordingly, they could only be disclosed to third parties based on the data subjects’ written authorisation or on other appropriate legal grounds. The inquiries by ‘Garante’ shed light on additional infringements caused by the glucose monitoring system being offered. After downloading the app, users were expected to accept, with a single click, the terms of use of the service jointly with the contents of the privacy policy. This prevented them from giving their consent separately to the individual processing operations including the processing of health-related data.

The UK’s ICO has fined Easylife Ltd 1,350,000 pounds for using the personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent. The company was also fined 130,000 pounds for making 1,345,732 predatory direct marketing calls. The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalog, the company would make assumptions about their medical condition and then market health-related products without their consent. If a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.

The Spanish data protection authority AEPD decided to sanction BAYARD REVISTAS for insufficient risk analysis, insufficient technical and organisational measures, and an unreported data breach, after receiving a complaint. The complaining party informed the agency that they had received an email from the person in charge of the web portal, informing them of access to the database, (BAYARD being responsible), by an unauthorised third party. According to the email, the location and contact data of the people who had provided their information on the website through the registration form were involved. The attack reportedly had not been carried out for malicious purposes, but with the intention of ethical hacking. The number of affected people matched the total number of users of the web portal, around 464,762. After the incident, the person in charge claimed to have solved all the vulnerabilities that made the attack possible, implemented the protocols to follow in the event of an incident related to data protection, and adopted a series of measures, including the encryption of the stored information.

Data security: online accounts protection, “think before you click”

The UK National Cyber Security Centre, (NCSC), published tailored advice to help online retailers, hospitality providers, and utility services protect themselves and their customers from cybercriminals. The guidance encourages organisations to add an extra layer of security on top of passwords to authenticate customers. Organisations are also advised on what steps to take if their brand has been spoofed online. Guidance on buyer authentication methods and on taking down malicious websites is the latest addition to the advice package. The NCSC encourages the public and small businesses to adopt six behaviours to protect their online accounts and devices:

  • Use a strong and separate password for your email
  • Create strong passwords using 3 random words
  • Save your passwords in your browser
  • Turn on two-step verification
  • Update your devices and apps
  • Back up your data

“Think before you click” (#ThinkB4UClick). This is the message during the EU’s information security month, which falls in October every year. The Swedish data protection authority IMY repeats some tips for businesses on how they can protect their most important information. Reasonable security imposes costs, in time, money, and resources. It requires long-term and persistent work and ongoing prioritisation. Good security – whether it’s data and privacy protection, information security, or cyber security – is a central issue for top management. It usually requires collaboration between many roles and competencies:

  • Establish systematic security work – security testing.
  • Backup – a working backup can be your only salvation if the worst happens!
  • Use anti-malware software.
  • Keep systems and software in all equipment up to date, to reduce the risk of vulnerabilities being exploited.
  • Train the staff – on an ongoing basis – to maintain a high awareness of the risks.

Big Tech: Meta Ireland inquiry, Facebook and Google settlements, Equifax and Experian data practices, Uber’s former chief security officer’s criminal obstruction, Optus breach outcomes

The Irish data protection commission has submitted a draft decision in a large-scale inquiry into Meta Platforms Ireland Limited to other concerned EU supervisory authorities. An inquiry was opened in 2021 after media reports highlighted that a collated dataset of Facebook user personal data, approx. 533 million Facebook users worldwide, had been made available on the internet. The inquiry concerned the question of Meta’s compliance with its obligations under Art. 25 of the GDPR, (“data protection by design and by default”). Other concerned supervisory authorities have one month to review the draft decision.

Following a significant data breach at Optus, the nation’s second-largest mobile operator, Australia recommended a change of consumer privacy legislation to aid targeted data sharing between telecommunications companies and banks. With the new rules, telcos will be able to provide banks with government-issued identity cards so that banks may adopt improved monitoring for clients affected by data breaches. Through already-in-place industry reporting systems, such as fraud information exchanges, the proposed reforms will also enable enhanced fraud detection in the more significant financial services sector. Banks are supposed to erase the information they get when they no longer need it. They are only permitted to use it to prevent or address cybersecurity problems, fraud, scams, or identity theft. 

In a letter to the FTC that Reuters reviewed, the European Commission was encouraged to look into how data brokers like Equifax and Experian had accumulated payroll details about most Americans. To assist lenders, landlords, and hiring managers with background checks on potential candidates, businesses like Equifax have been acquiring employee employment histories and salary data from employers for decades. However, privacy campaigners claim that these sizable databases are prone to fraud and inaccuracy and that sometimes employees are shocked to learn that their information is included. According to Equifax, it abides by all legal requirements and encourages new voices in the sector.

Uber’s former chief security officer, Joe Sullivan, was found guilty of criminal obstruction for failing to report a 2016 cybersecurity incident to authorities. According to the Guardian, the case was being watched as an important precedent regarding the culpability of individual security staffers and executives when handling cybersecurity incidents. In 2018, Uber paid 148 million dollars to settle claims by all 50 US states and Washington DC that it was too slow to disclose the hacking. The case affected the data of 57 million passengers and drivers.

Finally, Meta and Google recently settled a couple of significant privacy actions in the US:

  • Illinois residents involved in a class-action lawsuit against Google will receive 154 dollars each as part of a 100 million dollar settlement. The class of roughly 420,000 people who brought the lawsuit argued Google Photos’ face grouping tool violated the state Biometric Information Privacy Act.
  • Facebook parent Meta has settled a lawsuit against two companies that had engaged in data scraping operations, which had seen them gathering data from Facebook and Instagram users for marketing intelligence purposes. 
  • Arizona’s Attorney General announced an 85 million dollar settlement with Google related to alleged user tracking via location data from smartphones despite users disabling the tracking settings.
