Weekly digest January 3 – 9, 2022: CNIL fines Google and Facebook for making rejecting cookies difficult

TechGDPR’s review of international data-related stories from press and analytical reports.

Enforcement actions: Google, Facebook, FreeMobile, Myheritage, credit assessment by mistake, access rights misconduct

France’s data protection regulator CNIL has fined Alphabet’s Google a record 150 mln euros for making it difficult for users to refuse online trackers known as cookies. Meta’s Facebook was also fined 60 mln euros for the same reason. The CNIL noted that the facebook.com, google.fr and youtube.com sites do not allow users to refuse cookies as simply as to accept them. They offer a button allowing cookies to be accepted immediately. However, to refuse them several clicks are necessary. Since, on the internet, the user expects to be able to consult a site quickly, the fact of not being able to refuse cookies as simply as possible, can influence them to give consent. The two companies have three months to comply with its orders or face an extra penalty payment of 100,000 euros per day of delay. These include the obligation for Google and Facebook to provide French internet users simpler tools for refusing cookies.

The CNIL also imposed a fine of 300,000 euros on Free Mobile, (a wireless service provider), for failing to respect individuals rights and to ensure the security of users’ data. The CNIL has received many complaints concerning the difficulties encountered by individuals in a) getting responses to their requests for access, b) objecting to receiving commercial prospecting messages, or c) being billed after subscriptions had been cancelled. Also, the mobile operator transmitted by email, in clear text, the passwords of users when they subscribed to an offer, without these passwords being temporary or the company requiring them to be changed. All the above infringes Art. 12, 15, 21, 25 and 32 of the GDPR. 

The Norwegian data protection authority has fined Elektro & Automasjon Systemer, (EAS), 20,000 euros for carrying out an individual’s credit assessment without a legal basis (Art.6 of the GDPR). The data subject in this case had no customer relationship or other connection to EAS’s business. The EAS admitted that the credit check took place by accident, due to the general manager’s lack of understanding of a credit assessment tool, the DataGuidance reports. Although EAS did not store the credit information, the damage occurs the moment sensitive data was collected and processed. A credit rating is the result of compiling personal information from many different sources: individuals’ personal finances, payment remarks, voluntary mortgages and debt ratio. The aggravating factors were a lack of technical and organisational measures, and internal controls and guidelines for when and how a credit assessment can be carried out.

The Spanish data protection regulator the AEPD published a couple of similar decisions, (in Spanish), against deficiencies regarding cookie and privacy policies, including:

• the owner of a website, who did not provide users with a cookie banner on the main page that allowed an immediate “Reject all” option. It also lacked clear information on user tracking through registration forms, questionnaires and in the comments section, as well as through embedded content from other sites. Also, the privacy policy wrongly identified the data controller. 
• against Myheritage LTD for similar deficiencies regarding the website’s cookie policy on its Spanish website: the use of non-necessary cookies, no possibility of rejecting them, and a lack of information on cookies used. Additionally, the AEPD found that MyHeritage omitted two pieces of information in its privacy policy – the possibility of exercising the right to data portability and the right to file a claim with the supervisory authority, DataGuidance reports. 

The AEPD also issued a warning to a company for non compliance with individual rights to access the data and to receive a legally established reply. Under the threat of a fine, the company was forced to complete the process, notify the claimant whether the procedure was approved or denied, or indicate the reasons for which the request was not applicable.

Official guidance: employees access rights, data breach notification, real-world data in clinical study

• verifying the identity of the applicant, (the demand for supporting documents or information must not be abusive, irrelevant and disproportionate to the request);
• responding to the request free of charge;
• the right of access relates to personal data and not to documents. However in the case of email combining both is possible – metadata, (time stamp, recipients, etc.), & the content of the email;
• the right of access must not infringe the rights of third parties, (business and intellectual property secrecy, right to privacy, secrecy of correspondence are regularly invoked by employers to refuse to respond favorably to employees);
• the anonymisation or pseudonymisation of data relating to third parties constitutes good practice;
• different rules exist to protect third party interests depending on the role of the person making the request, (when they are a sender or receiver of the information, or they are mentioned in the content of the document).

Emails identified as personal or whose content turns out to be private despite the absence of any mention of personal character, are subject to special protection, the employer not being authorized to access them. Also, an employer may refuse to act on a request for the communication of emails relating to a disciplinary investigation and the content of which, even redacted, could allow the requester to identify persons of whom they should not be aware.

The EDPB published practice-oriented guidelines on examples regarding Personal Data Breach Notification. Its aim is to help data controllers in deciding how to handle data breaches, what factors to consider during risk assessment, and suggest organisational and technical measures for preventing and mitigating the impacts of hacker attacks. The document complements the  Article 29 Working Party Guidelines and reflects the common experiences of the supervisory authorities across the EEA since the GDPR became applicable.The paper includes 18 case studies from such sectors as hospitals, banking, HR:

• ransomware, (with or without proper backup/exfiltration, data exfiltration attacks on job application data, hashed passwords, credential stuffing);
• internal human risks, (by employees, trusted third parties);
• lost or stolen devices, (encrypted or unencrypted), and paper documents;
• mailing mistakes, and social engineering, (identity theft, mail exfiltration).

The UK Medicine and Healthcare product regulator, the MHRA, has published its guidance on the use of real-world data (RWD) in clinical studies . RWD is the vast amount of data collected on patients in electronic health records, disease and patient registries, from wearable devices, specialised/secure websites as opposed to being specifically collected in a clinical study. Among many quality provisions the guide demands that the sponsor, (data controller), include a protocol in the study describing the tools and methods for selection, extraction, transfer, and handling of data and how it has been or will be validated. It is essential that processes are established to ensure the integrity of the data from acquisition through to archiving and sufficient detail captured to allow for the verification of these activities, and across different centers and countries. Thus, it is important to establish which privacy and security policies apply to the use of the database, interoperability issues, restrictions on the transfer, storage, use, publication and retention of the data, etc. Identical processes would need to be in place for any additional data collected outside of the main source database.

Legal processes and redress: pilot consent e-service, genetic information privacy, medical records snooping incident

The Estonian Information System Authority, the RIA, announced its new consent service that allows companies to ask the state for an individual’s data. An e-service, developed and managed by the RIA, allows a person to give permission to the Estonian State to share their personal data with a certain service provider. First it is being used in the installment application process. If a person gives their consent in the consent service environment, the bank will check the solvency of the person from the database of the Tax and customs board, on the basis of which a data-based decision to allow the person to pay in installments can be made. It will be possible to see all given consents and revoke them at any time. The consent service is currently available to Estonian citizens and requires a valid strong authentication tool (ID-card, Mobile-ID, or Smart-ID).

The Norwegian Supreme Court recently gave a hospital the right to dismiss an employee who had “snooped” on the medical record of her partner’s ex-wife, and a patient in the same hospital, Lexology website reports. The employee read several documents in the ex-wife’s medical record to avoid meeting her and to find out in which ward she was staying. Before the employer became aware of the snooping incident, the employee held that the ex-wife knew that she had looked at her medical record as she had sent a text message to her, which resulted in a heated exchange. The court concluded that the snooping was a serious and gross breach of duty and trust, and that there were means other than accessing medical records to obtain such information. 

The court assesses, among other things, whether the employer had based its decision on information that the company was aware of at the time of dismissal. In the case at hand, the employer had not referred in its reasoning to the text messages or that the employee had failed to notify the employer of the unauthorized access to medical files. The court held that both – were natural in the extension of the violation of the snooping ban. The hospital was therefore still allowed to use this information, even though it did not include it in its reasoning immediately after the employee’s dismissal.

Data security: healthtech vendors

In the US a tech vendor Ciox Health recently reported an email breach that affects dozens of health entities. In its notice, the healthcare information management vendor said an unauthorized person accessed one employee’s email account, potentially downloading emails and attachments, containing all sorts of patient data. However, the employee did not have direct access to any healthcare provider’s or facility’s electronic medical record system. In total, the HIPAA Breach Reporting Tool showed about 700 major health data breaches affecting 45 mln individuals in 2021. Vendor incidents were responsible for nearly 47% of the individuals affected. Among the most critical measures that tech healthcare providers could implement are comprehensive business associate agreements, say US legal experts. The attestation questions in them may include, but are not limited to:

• Does your organization require annual training for workforce members?
• Do you undergo an annual risk analysis to evaluate the requisite technical, administrative, and physical safeguards?
• Do you have business associate agreements in place with all required persons?
• Is your data encrypted both at rest and in transit?

Also, covered entities should continually monitor industry trends, reassess their business associate/vendor relationships, and keep their board informed about any potential risks.

Big Tech: No-cookie data transfer, cryptominer Norton360, China’s credit scoring and oversees listings, Fisher-Price toy failed privacy

Google’s new patent describes how its Technology enables transfer data without cookies. MediaPost website reports. The US Patent and Trademark Office granted Google a patent describing a web browser-based application programming interface that can control the authorization of data transmissions within a network and attribute a click without using cookies. The system can reduce the number of transmissions that do not result in content for the client device – saving bandwidth and computational resources for the client device. The website can transmit small packets of data to the client device when it visits a website. They can include preferences or session information or can be used to authenticate and maintain a session between the client device and the device hosting the website, according to the patent. The full patent document is available here.

According to the KrebsonSecurity blog, Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers: “Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove”.  Reportedly, there is no way to fully opt out of the program, and the user actually has to dig into NCrypt.exe in their computer’s directory to delete it. Meanwhile, some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

China’s central bank said it will adjust the legal framework around financial credit-scoring if needed, state media reported, an indication authorities may tweak guidelines for fintech firms on the amount and type of user data they can collect. The People’s Bank of China has just implemented new rules around what kinds of data can be collected for credit scoring and clarified what kind of businesses the rules would apply to. It also urged companies to apply for credit scoring licenses and to refrain from excessive collection of user data. AI, blockchain, cloud computing and big data have been developed rapidly over recent years in China, prompting governmental concerns about how private individuals could be affected  by the technology, Reuters reports.

China will also order cybersecurity reviews for platform firms seeking overseas listings. The Cyberspace Administration of China said the new rules come into effect on Feb. 15 and apply to platform companies with data on more than 1 million users. However, based on the rules, it remains unclear which types of companies would be affected. The regulator would also implement new rules on March 1 on the use of algorithm recommendation technology to increase oversight of news providers that use the technology to disseminate information. The rules will give users the right to switch off the service if they choose. 

Finally, researchers identified a vulnerability in children’s Bluetooth-connected phones, IAPP News reports. Security researchers at Pen Test Partners found that US Fisher Price Chatter uses Bluetooth Classic with no secure pairing process. When powered on, it just connects to any Bluetooth device in range. Thus, someone nearby could also use the Chatter telephone to speak to and listen to a child in your home, or to bug the neighbors. The attacker can make the Chatter phone ring, so an unsupervised child is likely to answer. While developer Mattel said the Bluetooth pairing times out once a connection occurs or if none is made, TechCrunch claims its attempts found the pairing process did not time out after more than one hour.