Weekly digest March 28 – April 3, 2022: EU crypto-asset transfers to be traced and identified, with some exceptions

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal Processes: crypto-asset transfers, Belgian DPA’s independence

EU lawmakers backed tougher rules for tracing transfers of bitcoin and other cryptocurrencies, Reuters reports. Now the EP as a whole should vote on it during the plenary session in April. Companies that transfer crypto-assets would need to collect details of senders and recipients to help authorities to prevent money laundering, terrorist financing, and other crimes. Under the new requirements agreed by MEPs:

  • Before making crypto-assets available to beneficiaries, providers would have to verify that the source of the asset is not subject to restrictive measures and that there are no risks of crime.
  • All transfers of crypto-assets will have to include information on the source of the asset and its beneficiary, information that is to be made available to the competent authorities. 
  • The rules would also cover transactions from so-called unhosted wallets, (a crypto-asset wallet address that is in the custody of a private user). 
  • No minimum thresholds and exemptions for low-value transfers.
  • Technological solutions should ensure that these asset transfers can be individually identified. 

However, the rules would not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or among providers acting on their own behalf. Currently, there are no rules in the EU allowing crypto-asset transfers to be traced or the provision of information on the originator/beneficiary.

The Belgian data protection authority, (BE DPA), is concerned about legal developments that could threaten its independence. These include a preliminary draft law to amend the current BE DPA law, and the lack of resources allocated to it. The opinion has been forwarded to the Court of Audit, the Council of State, the European Commission and the other European supervisors assembled in the EDPB. The draft law notably introduces:

  • parliamentary interference in the internal organisation of BE DPA and in the setting of its priorities,
  • the renewal of the mandate of its members conditional on a positive evaluation by the House of Representatives, without any objective criteria to this effect being laid down in the law. 

Finally, the GDPR requires that every supervisor has the necessary resources at their disposal to perform their tasks. However, the BE DPA’s requests for additional human and financial resources, substantiated by the Court of Audit and an external study, have so far been largely ignored. The BE DPA points out that the gap with its European counterparts is therefore widening. Read the full opinion of the BE DPA here.

Data Security: EU institutions, Russian technology risks

EU bodies must step up their cybersecurity preparedness, according to the European Court of Auditors’s special report. Significant cybersecurity incidents in EU institutions increased more than tenfold between 2018 and 2021. It can take weeks if not months to investigate and recover from them. One example was the cyberattack on the European Medicines Agency, where sensitive data was leaked and manipulated to undermine trust in vaccines. So far there is no legal framework for information security and cybersecurity in EU bodies. They are not subject to the broadest EU legislation on cybersecurity, the 2016 NIS directive, or to its proposed revision, the NIS2 directive. There is also no comprehensive information on the amount spent by EU bodies on cybersecurity. To this end, the auditors recommend that binding cybersecurity rules should be introduced, and the amount of resources available to the CERT-EU and the ENISA should be increased.

The UK National Cyber Security Center, the NCSC, has updated its guidance on the use of Russian technology products and services following the invasion of Ukraine. The experts state they have not seen and do not expect the massive global cyber attacks that some had predicted. However, the NCSC has previously seen Russia acting against UK interests, and also acting through proxy compromises to get to UK entities (eg, SolarWinds Orion software, and UK telecoms networks). Additionally, Russian law already contains legal obligations on companies to assist the Federal Security Service, and the pressure to do so may increase in a time of war, the NCSC believes. 

The NCSC advises certain organisations to specifically consider the risk of Russian-controlled parts of their supply chain, (public sector, high-profile organisations, services related to critical national infrastructure, etc), if you contract directly with a Russian entity, or it just so happens that the people who work for a non-Russian company are located in Russia: “You may choose to remove Russian products and services proactively, wait until your contract expires, (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk”. Finally, the ongoing global sanctions could mean that Russian technology services, (and support for products), may have to be stopped at a moment’s notice. Read the NCSC guides to improve security for enterprises, and for individuals

Official Guidance: DPO compliance provisions for organisations

The Polish data protection authority UODO refreshes its inspection report, (in Polish), on compliance provisions relating to designation, position and tasks of the DPO. In most cases, the verification of the reported cases did not provide grounds for the application of corrective powers for undertakings. Only in a few cases did the regulator find irregularities in the scope of a conflict of interest, or failure to consult the DPO on data processing operations. Several cases of violations related to the performance of a DPO’s function required the UODO to take corrective actions, including the issuing of an order to appoint a DPO as well as an administrative fine. The regulator has also published 27 DPO-related self-audit questions to be directed to controllers and processors, both in the public and private sectors.

Investigations and Enforcement actions: forged “emergency data requests,” face recognition, agile development environment, Klarna bank

The Danish data protection agency has made a decision in a case concerning the use of a facial recognition system to control access to the company’s facilities. Based on the information provided by FysioDanmark Hillerød, (physiotherapeutic treatment), the regulator assessed that the system – which was based on the data subject’s consent – could be used. However, the regulator warned the company that it would probably be in breach of the GDPR if it used the system without the consent of customers. Furthermore, the agency warned that it would probably be in breach if the company did not ensure that the system was not used with persons who had not given their consent.

The Danish data protection agency also criticized a data controller who did not check whether personal data had been stored by mistake in IT environments. In the related case, an employee of the Danish Health and Medicines Authority, (HMA), in violation of internal guidelines and procedures, had stored a data set – containing pseudonymised personal information – in a development environment, (Microsoft Azure DevOps), where they were not allowed to be stored. The data set contained pseudonymised confidential data about citizens which could be “decoded” by trusted employees, regardless of whether they had a work-related need for it. The HMA did not discover it until a year later. 

The regulator found that the HMA had not complied with the rules on processing security. The agency emphasized that data controllers must generally establish controls – either manual or automatic, and it is not sufficient to have guidelines and procedures without regularly checking whether they are followed in practice. The regulator also emphasized that this was a so-called “agile development environment”, where there is a known risk that personal data will be stored by mistake.

Sweden’s data protection authority fined Klarna bank approx 724,000 euros for several breaches of the GDPR, namely:

  • it has continuously changed the information provided on how the company handles personal data;
  • did not provide information on the purpose for which and on the basis of which legal basis personal data was processed in one of the company’s services;
  • provided incomplete and misleading information about who were the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies;
  • did not provide information as to which countries outside the EU/EEA personal data were transferred to, or on where and how the individual could obtain information on the protection measures that applied to the transfer to third countries;
  • provided insufficient information about the data subjects’ rights, including the right to delete data, the right to data portability and the right to object to how one’s personal data is processed.

Hackers increasingly are using compromised US government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies, KrebsOnSecurity, (in-depth security news and investigation blog), warns. At issue are forged “emergency data requests,” (EDRs). Tech companies usually require a search warrant or subpoena before providing customer or user data, but any police jurisdiction can use an EDR to request immediate access to data without a warrant, provided the law enforcement entity attests that the request is related to an urgent matter of life and death. 

In the recent example, fraudulent EDRs were a tool used by members of LAPSUS$, the data extortion group that recently hacked Microsoft, NVIDIA, Okta and Samsung. Also tracked were the activities of a teenage hacker from the UK who was reportedly arrested multiple times for sending fake EDRs. The US lawmakers reacted to the report and are now asking tech companies and federal agencies for more information.  

Big Tech: TikTok/Musically class action, Chrome’s Privacy Sandbox, interoperability vs end-to-end encryption

A case filed in 2019 against TikTok has finally been settled, the Chinese giant and its Musical.ly offshoot agreeing a 1,1 million dollar deal with the US District Court for the Northern District of Illinois. The case, a class action, claimed the plaintiffs’ rights under the Children’s Online Privacy Protection Act had been violated by TikTok and Musical.ly tracking, collecting, and disclosing personally identifiable data of users under 13 without parental consent.

Alphabet’s Chrome is rolling out the next stage of testing for its Privacy Sandbox, appealing to developers to get on board and send feedback, and offering support. APIs are key, and global testing of Topics, FLEDGE and Attribution Reporting APIs is immediately available on Chrome Canary. Industry associations are also being encouraged to contribute. Chrome will also be testing updated Privacy Sandbox settings and controls, allowing people more visibility and management of the use of their personal preferences.

Trouble ahead for Europe’s new Digital Markets Act predicts an analyst in The Guardian. In privacy terms there’ll be limits on large companies, (45 million users or 10,000 business users), combining personal data from various sources for targeted advertising, and most critically, an insistence that the largest messaging systems become “interoperable’. Resolving the major technical problems preventing this could see end-to-end encryption abandoned, which in security terms raises many issues and may actually facilitate abuse. 

Instead of a challenge some are seeing interoperability as an opportunity, like Twitter-financed Bluesky. It is developing a new operating standard for social media, based on an open protocol. New board member and Twitter co-founder Jack Dorsey says the idea could take years to become a reality, but would offer social media users greater control and choice. The company has made its first key hires and is developing a prototype.

Book a free consultation to discuss your DPO needs and the most suitable package

Request your free consultation