New SCCs

Data protection digest 2 – 16 Sep 2024: New SCCs initiative, data asset deals, probabilistic method and GDPR

In this digest we look at how the term privacy is perceived in the digital era, data protection measures when concluding “asset deals”, the new SCCs initiative for international transfers from the EU, the probabilistic method and data accuracy, and much more.


New SCCs initiative

The European Commission has started work on new SCCs for data transfers to third-country data importers (controllers and processors) whose own processing is subject to the GDPR. They will complement the existing clauses, adopted in 2021, which cover transfers to third-country importers not subject to the GDPR. The 2021 set does not work for importers whose processing operations fall under the GDPR by virtue of Art. 3, because the clauses would duplicate, and in part deviate from, obligations that already follow directly from the Regulation. Although the Commission flagged the need for such clauses three years ago, SCCs for these cases were never introduced, leaving organisations in legal uncertainty (see Uber’s latest fine).

The adoption of the new SCCs is planned for the second quarter of 2025. 

Australia privacy reinforcement


The Australian parliament introduced, and held the first reading of, amendments to its privacy legislation. The bill contains a range of measures: expanding the Information Commissioner’s powers, facilitating information sharing in emergencies or following eligible data breaches, requiring the development of a Children’s Online Privacy Code, providing protections for overseas data transfers, introducing new civil penalties and criminal offences (including for the practice known as ‘doxxing’), and increasing transparency about automated decisions.

Data disclosure on a party to the contract

Meanwhile, the CJEU has explained when personal data may be processed on the basis that it is necessary for the performance of a contract to which the data subject is a party. The case arose from a partner seeking the contact details of other partners (also parties to the contract) who held indirect shareholdings in an investment fund through a trust company.

The CJEU ruled that disclosure is justified on that basis only if the main subject matter of the contract could not be achieved without it. Where the processing is instead based on the legitimate interests of the controller or a third party, it must be strictly necessary to achieve that purpose. Where it rests on a legal obligation of the controller, that obligation must be foreseeable for the persons whose data is disclosed, and the disclosure must be proportionate and meet an objective of public interest.

Dark patterns advisory


The California Privacy Protection Agency issued an enforcement advisory on user interfaces that subvert or impair a consumer’s autonomy and steer them towards privacy-invasive choices. Businesses should use clear and understandable language and offer consumers symmetrical choices, rather than designs that impair or interfere with consumers’ ability to decide for themselves.

More official guidance

Asset deals and data protection: A company can generally be sold in two ways, by transferring its shares or by transferring its assets and/or economic goods, explains the German Data Protection Conference. In a “share deal” the data processing is unproblematic, apart from audit procedures, since only the shares in the company are transferred and the company itself continues unchanged as the data controller. The transmission of personal data in an “asset deal”, by contrast, requires a differentiated approach under data protection law. Read the methodology for the latter case in the original paper (in German).

How do you identify a person by phone? The common way is to ask the caller for several personal details, such as their first name, email address, username, etc. The more data requested, the more likely the person is to be identified accurately, but also the greater the intrusion into their privacy. The organisation must therefore observe proportionality in this activity.

A better practice is to use a key: a password agreed in advance between the parties and chosen by the customer, or a more sophisticated tool such as a secure electronic signature generator, explains the Latvian regulator.
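The pre-agreed password approach only beats knowledge-based questions if the passphrase stays secret on the organisation’s side too: the call-centre agent and the customer database should not hold it in clear, and a caller should not get unlimited guesses. The following is an added example, not code from the page or from the Latvian regulator, of how such a callback passphrase can be enrolled and checked. It stores a salted PBKDF2 hash, compares in constant time, normalises spoken input (case and spacing vary when a passphrase is read out loud) and locks the record after a small number of failed attempts. The function names, the iteration count and the three-attempt limit are assumptions.

```python
"""Enrol and verify a customer-chosen callback passphrase for phone identification.

Added example (not from the page or the regulator). The customer chooses a
passphrase in advance; on a call the agent types what the caller says and the
system answers only yes/no. Neither the agent nor a leaked database sees the
passphrase itself. Iteration count and attempt limit are assumed values.
"""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 210_000        # assumption: PBKDF2-HMAC-SHA256 work factor
MAX_FAILED_ATTEMPTS = 3        # assumption: lock the record after three misses


def normalise(passphrase: str) -> str:
    """Collapse case and whitespace so a passphrase read aloud matches the
    enrolled one ("Blue  Heron" == "blue heron"); NFKC handles look-alike
    Unicode forms that a typed transcription may introduce."""
    return " ".join(unicodedata.normalize("NFKC", passphrase).casefold().split())


def enrol(passphrase: str) -> dict:
    """Create the record the customer database keeps: salt + hash, never the
    passphrase. Returned as a dict for the example; a real system would
    persist it alongside the customer id."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(passphrase).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "hash": digest, "failed": 0, "locked": False}


def verify(record: dict, spoken: str) -> bool:
    """Check what the caller said against the stored hash.

    Returns True only when the record is not locked and the hashes match.
    A locked record never verifies, even with the correct passphrase, so a
    guessing caller cannot keep trying until the lock is cleared out of band.
    """
    if record["locked"]:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalise(spoken).encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    # Constant-time comparison: the agent's screen, and any timing observable
    # by the caller, should not leak how many bytes matched.
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok:
        record["failed"] = 0
    else:
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["locked"] = True
    return ok


if __name__ == "__main__":
    rec = enrol("Blue Heron")                 # constructed sample passphrase
    print(verify(rec, "blue  heron"))         # True: normalised match
    print(verify(rec, "red heron"))           # False
    print(verify(rec, "green heron"))         # False
    print(verify(rec, "purple heron"))        # False, record now locked
    print(verify(rec, "Blue Heron"))          # False: locked despite correct value
```

The lockout is deliberately per customer record rather than per caller, because an attacker impersonating the customer is precisely the caller you cannot distinguish; the unlock path (for example re-verification through a channel the customer controls) is left out of the example.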

Data subject notification upon a breach: People affected by a data breach often receive insufficient information from the data controller about what exactly happened, when, which data was leaked, and what they can do themselves to reduce the risks, states the Dutch regulator. Warning emails, even when sent within the legal time frame, sometimes lack an alarming title or introduction, with the risk that the recipient simply does not read the message. You can examine the recommendations and sample notification texts (in Dutch) here.


Bank data

The Polish UODO imposed a fine of approx. 1 million euros on mBank for failing to notify the persons affected by a data leak. An employee of a company processing personal data on behalf of mBank mistakenly sent customer documents to another financial institution. The documents were returned to the bank, but they had already been opened. They contained a wide range of personal information, including identification documents and information on credit and real estate.

The bank did not notify its customers, even though, after it reported the breach, the regulator told it that such notification was required. mBank argued that the documents had been sent by mistake to an institution that is itself bound by banking secrecy, an entity the bank cooperates with and which, in the bank’s view, has the status of a trusted entity, and that the employees of that institution had confirmed they kept no copies of the documents received in error.

Microsoft Teams

The Norwegian Data Protection Authority has fined the University of Agder (UiA). The university had not implemented suitable measures to safeguard personal data in its use of Microsoft Teams. In February 2024, a UiA employee discovered that documents containing personal data had been stored in open Teams folders, accessible to employees who had no business need for them.

The exposure had existed since the university adopted Microsoft Teams in August 2018. Around 16,000 registered users were affected. The information included, among other things, names, social security numbers, information about exams, the number of exam attempts and special arrangements, as well as an overview of refugees associated with the university.

More enforcement actions

Health data: Meanwhile, the French CNIL fined CEGEDIM SANTÉ 800,000 euros for processing health data without authorisation. The company publishes and sells management software to community doctors and health centres; around 25,000 medical practices and 500 health centres use it to manage their agendas, patient records and prescriptions. As part of its activity, the company runs a panel of doctors using one of these programs to conduct studies. The data used was not anonymous but only pseudonymous, so re-identification of the persons concerned remained technically possible.

Live cameras in psychiatric hospitals: The US FTC reports that surveillance camera company Verkada Inc. failed to provide reasonable security for the personal information it collected, including 150,000 live camera feeds in sensitive locations such as psychiatric hospitals, women’s health clinics, elementary schools and prison cells. These failures allowed a threat actor, in March 2021, to remotely access Verkada’s customer camera feeds and watch them live, without anyone’s knowledge or consent.

Despite the scale of the breach, Verkada remained unaware of the intrusion until the threat actor reported the hack to the media.

Invalid cookie banners: Finally, the Belgian regulator took action against Mediahuis for several infringements in the cookie banners on four news sites (De Standaard, Het Belang van Limburg, Het Nieuwsblad, Gazet van Antwerpen). The banners do not provide a “refuse all” button on the first information level and use misleading button colours. The complaints were filed by the Austrian non-profit privacy rights organisation noyb, which acted as the complainants’ mandated representative in the case.

Probabilistic method and GDPR

The ability of machine learning and artificial intelligence to handle uncertainty and make statistical predictions has led to their widespread adoption. However, the limits of probabilistic methods (false negatives, false positives, prediction errors, etc.) can affect the accuracy and suitability of the data processing, states the latest blog post of the Spanish AEPD.

In one example, an age-verification estimator with an error rate of 0.01%, measured on a sample of 1,000 adults, might be acceptable for some purposes. Applied to all types of users in the EU (450 million inhabitants), however, an error rate of 0.01% means misclassifying 45,000 people. A significant share of them would be under 18, and in some of those cases the error will classify a minor as an adult.

Finally, results obtained with different samples show that accuracy and effectiveness are strongly influenced by the algorithm, gender, image quality, region of birth, age and the interactions between all these factors.
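The AEPD’s arithmetic is worth carrying one step further, because a 0.01% rate measured on 1,000 adults is not actually something that sample can establish: 1,000 people at 0.01% is 0.1 expected errors, so the test most likely saw zero errors and the rate is a claim, not a measurement. The added example below (not from the page or the AEPD) reproduces the 45,000 figure, then computes the 95% upper bound on the true error rate that zero errors in 1,000 trials supports (the “rule of three”, 3/n), the sample size needed to observe a rate that low at all, and how the errors split between minors passed as adults and adults wrongly rejected once the population’s age mix is taken into account. The 450 million and 0.01% figures are from the text; the share of minors and the function names are assumptions.

```python
"""Scaling a classifier's measured error rate from a test sample to a population.

Added example, not from the page or the AEPD post. Shows why a rate quoted
from a small sample says less than it seems, and what it implies at EU scale.
Values marked 'assumption' are not from the text.
"""
import math

EU_POPULATION = 450_000_000    # from the text
CLAIMED_ERROR_RATE = 0.0001    # 0.01 %, from the text
TEST_SAMPLE = 1000             # from the text
MINOR_SHARE = 0.18             # assumption: roughly 18 % of EU residents are under 18


def expected_errors(rate: float, population: int) -> int:
    """Expected number of misclassified people at a given error rate."""
    return round(rate * population)


def rule_of_three_upper_bound(n: int) -> float:
    """Approximate 95 % upper confidence bound on the true error rate when a
    test of n trials observed zero errors: 3/n. This is the best a clean
    run on n samples can promise, whatever rate the vendor quotes."""
    return 3.0 / n


def samples_needed(rate: float, errors_to_observe: int = 10) -> int:
    """Smallest test set on which a rate this low can be measured rather than
    assumed, i.e. one expected to produce `errors_to_observe` failures."""
    return math.ceil(round(errors_to_observe / rate, 6))


def errors_by_class(population: int, minor_share: float, fnr: float, fpr: float) -> dict:
    """Split expected errors into the two directions with different harm:
    minors passed as adults (fnr applies to the minor population) and
    adults wrongly rejected (fpr applies to the adult population)."""
    minors = population * minor_share
    adults = population - minors
    return {
        "minors_passed_as_adults": round(minors * fnr),
        "adults_rejected": round(adults * fpr),
    }


if __name__ == "__main__":
    # The text's own figure: 0.01 % of 450 million.
    print(expected_errors(CLAIMED_ERROR_RATE, EU_POPULATION))
    # What zero errors in 1,000 adults actually supports, and at EU scale.
    bound = rule_of_three_upper_bound(TEST_SAMPLE)
    print(bound, expected_errors(bound, EU_POPULATION))
    # Sample size needed before 0.01 % is a measurement rather than a claim.
    print(samples_needed(CLAIMED_ERROR_RATE))
    # Direction of the errors, assuming the same rate in both classes.
    print(errors_by_class(EU_POPULATION, MINOR_SHARE,
                          CLAIMED_ERROR_RATE, CLAIMED_ERROR_RATE))
```

Two things the numbers make concrete: a zero-error run on 1,000 samples is consistent with a true rate of 0.3%, which at EU scale is 1.35 million misclassifications rather than 45,000; and a sample of adults only can never measure the false-negative direction (minors passed as adults) that the AEPD is concerned about, because it contains no minors at all. The per-class split is where the text’s last paragraph, on accuracy varying with gender, image quality and region, would enter: each of those subgroups needs its own rate and its own adequately sized sample.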

Big Data

Privacy ‘paradox’: The Guernsey data protection authority discusses in a blog post that while people say they care about privacy, their actions suggest otherwise: they are quick to surrender personal information online. The authority argues there is no paradox in this behaviour. Privacy is not synonymous with “secrecy”; it can also mean control and autonomy over one’s personal information. A person can value privacy and still click “yes” to share their location with a food delivery app.

Positively, more companies now accept that respecting their customers’ privacy is the best way to earn trust. This is why individuals now see more prompts for permission to access their cameras or address books, with a genuine choice to say “yes” or “no”.

AI training: Meta’s and Google’s AI training programmes are being investigated by European data protection authorities. The Irish DPC, as lead regulator, has commenced a cross-border inquiry into Google’s foundational AI model, Pathways Language Model 2, the question being whether Google complied with the requirement to carry out a Data Protection Impact Assessment before processing the personal data of EU/EEA data subjects. Meanwhile, Meta’s and X’s AI training programmes remain on hold in the EU. In parallel, the UK Information Commissioner is monitoring Meta, which is about to resume, in a couple of weeks, the use of UK Facebook and Instagram user data to train generative AI; the company took the regulator’s reprimand into account and has made it simpler for users to object to the processing.
