TechGDPR’s review of international data-related stories from press and analytical reports.
Official guidance: Google Analytics, risk assessment tool, work monitoring, privacy policy check-list, machine learning, APIs
The Danish data protection authority, following several other European counterparts’ decisions, concludes that the Google Analytics tool cannot be used legally without implementing several additional measures, (eg, effective pseudonymisation by using proxy servers), in addition to the settings provided by Google.
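As an added illustration (not part of the TechGDPR digest or any DPA's guidance) of what a pseudonymising proxy of the kind referred to above can do before a hit is forwarded to the analytics provider: truncate the client IP, replace the client identifier with a keyed, date-bound hash, and strip the referrer down to its host. The secret, field names and sample hit are constructed for the example.

```python
import hmac
import hashlib
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed server-side secret; in practice a per-deployment key that is rotated.
PROXY_SECRET = b"constructed-demo-secret-rotate-me"


def pseudonymise_ip(ip: str) -> str:
    """Drop the host part (/24 for IPv4, /48 for IPv6) so the forwarded address
    no longer singles out one device."""
    prefix = "/48" if ":" in ip else "/24"
    return str(ipaddress.ip_network(ip + prefix, strict=False).network_address)


def pseudonymise_id(client_id: str, day: str) -> str:
    """Keyed hash of the client identifier: unrecoverable without the secret, and
    binding the date limits how long a single pseudonym stays linkable."""
    msg = f"{client_id}|{day}".encode()
    return hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def strip_referrer(url: str) -> str:
    """Keep only scheme and host of the referrer; path and query are dropped."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def proxy_hit(hit: dict, client_ip: str, day: str) -> dict:
    """Transform one analytics hit (constructed field names) before forwarding."""
    out = dict(hit)
    out["client_id"] = pseudonymise_id(hit["client_id"], day)
    out["ip"] = pseudonymise_ip(client_ip)
    if "referrer" in out:
        out["referrer"] = strip_referrer(out["referrer"])
    out.pop("user_agent", None)  # full UA string is a fingerprinting vector; drop it
    return out


if __name__ == "__main__":
    sample = {"client_id": "GA1.2.123456789.1660000000",
              "referrer": "https://shop.example/cart?item=42",
              "user_agent": "Mozilla/5.0 (constructed)", "page": "/checkout"}
    print(proxy_hit(sample, "203.0.113.77", "2022-10-03"))
```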
The Spanish privacy regulator AEPD launched an online tool that helps assess the level of risk of personal data processing. The tool allows an initial and non-exhaustive evaluation to be carried out, which, where appropriate, must be adjusted by each person in charge to determine an accurate risk level for the processing.
The Latvian data protection authority DVI issued two guides, (in Latvian only), on online tools for organising remote work meetings and on video surveillance of employees performing their work duties. The organisation must determine exactly why data processing during online meetings or in the workspace is necessary. The purpose of processing must be defined precisely and realistically, and rest on one of the legal bases of the GDPR. A privacy notice must be made available before processing starts. If the organisation has a data protection specialist, they must be consulted on how to carry out the planned processing more appropriately.
Jersey’s privacy regulator has tried to demystify Art. 12 of the GDPR, the obligation to inform. It concludes that the most direct way to communicate with your data subjects is through clearly written statements. For the best transparency when constructing a robust privacy policy, see the regulator’s privacy policy checklist.
The use of application programming interfaces, (APIs), to share personal data can promote better data protection. The French regulator CNIL launched a draft recommendation on the technical and organisational measures to be applied. It aims to identify the cases in which an API is recommended to securely share personal data or anonymised information, and to disseminate best practices regarding their implementation and use. Data sharing here means the ability of identified reusers or the public to retrieve data held by an organisation, or the ability of data holders to transmit data for reuse by others.
The EDPS explains 10 misunderstandings about Machine Learning. ML systems adapt autonomously to the patterns found among the variables in the given dataset, creating correlations. Once trained, these systems will use the patterns learned to produce their output. Typically, the training of ML systems requires large amounts of data, depending on the complexity of the task to be solved. However, adding more training data to a machine learning model development process will not always improve the system’s performance. On the contrary, more data could bring more bias.
Legal processes: general data retention ban, Europol database, sensitive data, digital health infrastructure, commercial practices
In Germany, the Federal commissioner for data protection welcomed the CJEU preliminary ruling that the country’s general, indiscriminate data retention, (IP addresses, traffic, and location data), violates EU law. The law may only be applied in circumstances where there is a serious threat to national security, defined under very strict terms, stated the top court. The retention law came into force after major Islamist attacks in Europe and cost the country’s internet and telecom industries millions of euros.
The EDPS is taking legal action as the new Europol Regulation puts the rule of law and EDPS independence under threat. The regulator requested that the CJEU annul two provisions of the newly amended Europol Regulation, (which came into force on 28 June 2022). These new provisions, (articles 74a and 74b), have retroactively legalised Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, overriding the EDPS Order which requests that Europol delete the datasets concerned.
The privacy commissioner of Canada, along with his provincial and territorial counterparts, endorsed a resolution that encourages governments to implement a digital health communication infrastructure that would phase out the use of unencrypted email and fax communication in favour of more secure alternatives available to all Canadians. The pandemic has spurred rapid digital advancements in the delivery of services. At the same time, data breaches in the health sector continue, potentially leading to harm including discrimination, stigmatisation, and financial and psychological distress, states the regulator.
Meanwhile, US President Joe Biden has initiated a review of foreign investment for national security risks to sharpen focus, among other things, on threats to sensitive data. The executive order instructs the dedicated Committee to consider whether a “covered transaction involves a US business with access to US persons’ sensitive data and whether the foreign investor, for instance in biotechnology or AI, has, or the parties to whom the foreign investor has ties, have sought or had the ability to exploit such information.”
A CJEU Advocate General suggests a competition authority may consider the compatibility of a commercial practice with the GDPR. The non-binding opinion, (ahead of the court’s ruling), refers to Meta’s antitrust probe in Germany. The competition watchdog prohibited the practice of requiring users first to accept general terms which led to cookie placement, further data sharing with group services, (WhatsApp, Instagram), and linking the data to user accounts for advertising purposes. Whether consent is freely given in such a dominant position in the social media market is also at issue.
Investigations and enforcement actions: managing director as a DPO, Klarna bank, caller identification, data processing contract, image publication, legal professional privilege
The Berlin commissioner for data protection BlnBDI has imposed a 525,000 euro fine on a Berlin e-commerce group’s subsidiary due to a conflict of interest on the part of the company’s data protection officer. This person was at the same time the managing director of two service companies that processed data for the group. The DPO thus had to monitor compliance of data processing that he himself managed.
The Swedish privacy protection authority IMY, in cooperation with Germany and Austria, is investigating complaints that Klarna Bank makes data rectification or objection to direct marketing difficult. For identification purposes, the complainants were asked to provide, via an unencrypted email service: their name, date of birth, e-mail address, postal address, invoice and purchase details, and sometimes their telephone number.
Vodafone Romania was fined 2000 euros after failing to check compliance with the caller identification procedure, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator’s customers. Third parties could also access data from contracts concluded by customers and from personal accounts, such as name, address, contact phone number, PUK code, the contact number of the account holder, the SIM ID of the original card, billing and debt details, and data traffic.
In Poland, a personal data breach was reported, (followed by an administrative fine), at a cultural centre. The investigation found that the administrator had entrusted processing to another entity, without concluding a written contract, for bookkeeping, records, (finance, taxes), and document storage. The controller did not verify the processor, did not check whether it provided appropriate technical and organisational measures, and had no documents confirming verification of the terms of cooperation. Additionally, communication with the controller was ineffective.
The Spanish data protection authority AEPD fined a company, (Digitecnia Solutions), for publishing on its website an image of a complainant to illustrate the work they were doing. The image did not show the complainant in full, but he could be seen in part. This, together with the fact that he appeared linked to Digitecnia, was information that made this person identifiable. All this constituted processing of the claimant’s personal data, of which he was not aware.
The Isle of Man information commissioner issued an enforcement notice to Sentient International regarding the company’s refusal to comply with a data subject access request. Sentient decided to restrict the data subject’s right of access, believing that the right does not apply to data consisting of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. The regulator clarified that the rule applies to some documents, but not to the personal data therein, such as communications that were not made for the dominant purpose of obtaining or providing legal advice. Also, legal professional privilege cannot be applied retrospectively.
Data security: data put online by hackers, SMEs, IoT, and ZTA in a mobile world
The French privacy regulator CNIL notes a clear increase in data breach notifications, nearly half resulting from ransomware attacks. In some cases, users’ personal data may be put online by hackers. If a breach affects you, the responsible body must inform you as soon as possible. The CNIL is not able to tell you whether a breach impacts your data. Some websites claim to hold the leaked data and offer to tell you whether or not you are affected; the CNIL advises against using them.
The German federal office for information security has published a guide on cybersecurity for small and medium-sized enterprises. It offers SMEs an easy-to-understand introduction to improving their cyber security level, because information security is the prerequisite for secure digitisation. It starts with the most important basics of IT security, briefly and concisely, based on 14 questions. Among other things, it explains who is responsible for information security in the company, why patches and updates should be installed regularly, why an anti-virus program is necessary, and why data backup is so important.
Zero trust architecture, (ZTA), is not a new concept, but there is renewed interest in implementing zero-trust principles for an organization’s mobile administrators, states the US NIST. Due to the pandemic, many employees have transitioned to remote/telework options. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere. In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen.
The NIST IoT Cybersecurity Program also released two new documents:
- The final version of Profile of the IoT Core Baseline for Consumer IoT Products. This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (eg, IoT products for home or personal use).
- Workshop report for Building on the NIST Foundations: Next Steps in IoT Cybersecurity. These considerations have broad applicability across IoT product sectors, including the consumer IoT products sector and the industrial IoT sector.
Big Tech: Uber, Optus, and TAP cyberattacks, World Cup data analysis app
Uber’s EXT contractor had their account compromised by an attacker. The attacker likely purchased the contractor’s Uber corporate password on the dark web after the contractor’s device had been infected with malware. The attacker then tried logging in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, the contractor accepted one, and the attacker successfully logged in. From there, the attacker accessed other employee accounts which gave the attacker permission to use several tools, including G-Suite and Slack.
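The pattern described above, a burst of declined or ignored push prompts followed by an approval, is something an identity team can alert on. The following is an added detection example (not Uber's code or logs): it parses constructed MFA push events and flags any approval preceded by several denials within a short window; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events: "<timestamp> <user> <result>" (not real logs).
SAMPLE_EVENTS = """\
2022-09-15T22:01:10Z alice.contractor denied
2022-09-15T22:01:42Z alice.contractor denied
2022-09-15T22:02:15Z alice.contractor denied
2022-09-15T22:03:05Z alice.contractor denied
2022-09-15T22:03:50Z alice.contractor approved
2022-09-15T22:05:00Z bob.engineer approved
2022-09-15T22:10:00Z carol.analyst denied
2022-09-15T22:20:00Z carol.analyst approved
"""


def parse_events(text):
    """Return a list of (timestamp, user, result) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Flag (user, approval_time, denial_count) where an approved push follows
    at least `min_denials` denied pushes within `window` for the same user."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = []
    for user, seq in by_user.items():
        for i, (ts, result) in enumerate(seq):
            if result != "approved":
                continue
            recent_denials = sum(1 for t, r in seq[:i]
                                 if r == "denied" and ts - t <= window)
            if recent_denials >= min_denials:
                alerts.append((user, ts, recent_denials))
    return alerts


if __name__ == "__main__":
    for user, ts, n in detect_push_fatigue(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT push-fatigue: {user} approved at {ts} after {n} denials")
```

An alert like this is a compensating control; number matching or phishing-resistant factors such as FIDO2 remove the approve-anything failure mode altogether.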
Sensitive information about TAP Air Portugal’s customers has also been shared on the dark web after a cyberattack. The attackers were booted from the system, but not before gaining access to sensitive data, including name, nationality, gender, date of birth, address, email, telephone contact, customer registration date, and frequent flyer number. It is unclear how long the hackers had access to the system. However, the airline has assured its passengers that the breach has not affected their flights.
Australia’s major telecommunications company Optus experienced a cyberattack that leaked the personal data of up to 10 million customers, in one of Australia’s biggest cybersecurity incidents. An offshore-based entity, possibly in Europe, had broken into the company’s customer information database, accessing home addresses, driver’s licences, and passports. Stolen customer data and credentials may be sold through several forums, including the dark web.
World Cup players to get FIFA data analysis app. Players at the finals will be able to browse their performance data on a purpose-built app developed by the governing body which allows footballers of all 32 teams access to analysis and information. The data will be synced with a video of the action to allow a quick assessment of key moments. While such data and metrics are widely available to players with the top clubs and national sides, who employ teams of analysts, the app will ensure teams with fewer resources compete on a level playing field, Reuters reports.