Weekly digest 11 – 17 July 2022: patient rights, land registers, user-generated health data, targeted ads & privacy

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: patient rights vs data access rights

The Belgian data protection authority has clarified the right of access and right to rectification regarding medical records under the GDPR and the patient rights legislation. The subject of the complaint was a medical report drawn up post-treatment. The plaintiff’s treating psychologist refused their request for a copy of the final report. After obtaining a copy through their general practitioner, the plaintiff claimed that an incomplete answer was provided by the processing manager because his right to full access to his data under the data protection law was limited. 

In its decision, the regulator stated that the right to information and access, (under the GDPR), and the right of access, (under the Patient’s Rights Law), are not absolute, cms-lawnow.com reports. The limitation in the patient’s rights legislation concerning the right to information and inspection is related to the fact that the information is not communicated, and access is not granted to the patient if this would cause “evidently serious harm to the patient’s health”. Similarly, rectification of data requested by the data subject could undermine the accuracy of the medical diagnosis and even results of the treatment, and would be possible only in the case of incorrect processing of personal data.

Official guidance: EU digital strategy, data transfers to Russia, children’s pictures

The French data protection authority CNIL clarified its position with regard to the EU’s digital strategy, and, namely, the upcoming Data Governance Act and Data Act, following the adopted position of the EDPB and EDPS. In short, this strategy aims to develop a single data market by supporting responsible access, sharing and re-use of data between actors in the data economy, in particular related to the use of connected objects and the development of the Internet of Things, while respecting the values of the EU and in particular data protection. With regard to the rights of access, use and sharing of data provided for by the Data Act, the CNIL and its counterparts ask the co-legislators to ensure:

• additional guarantees for the persons concerned,
• the legality, necessity and proportionality of the obligation to make data available to public sector bodies and EU institutions due to exceptional need, and 
• strict definition of the hypotheses of “public emergency” or “exceptional need”,
• a clear supervision process by data protection authorities.

The EDPB meanwhile has issued a statement on personal data transfers to the Russian Federation. It reiterates that the transfer of personal data to a third country, in the absence of an adequacy decision of the European Commission pursuant to Art. 45 GDPR, is only possible if the controller or processor has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies are available for data subjects, (Art. 46 GDPR). Russia does not benefit from an adequacy finding from the European Commission. Therefore, transfers of personal data to Russia must be carried out using one of the other transfer instruments provided for in Chapter V of the GDPR. 

With this in mind, the EDPB notes that, when personal data are transferred to Russia, data exporters under the GDPR should assess and identify the legal basis for the transfer and the instrument to be used among those provided by Chapter V GDPR, (eg, Standard Contractual Clauses or Binding Corporate Rules), or the derogations for specific situations, in order to ensure the application of appropriate safeguards. 

In the midst of summer holiday plans, Norway’s data protection authority Datatilsynet reminds parents and other responsible persons of the proper usage of children’s pictures. The guide is made for both parents and employees at schools, kindergardens or other places where there is a high possibility of taking pictures of children. The data protection check list includes these main provisions:

• Legality: never share photos of other people’s children without the consent of their guardians.
• Images: think about the content and use filters or poorer resolution, it makes the images less interesting to others.
• Quantity: share as few photos as possible.
• Channel usage: be aware of how you share your photos. Dont leave it open to the public. Create closed groups.
• Delete regularly: Take a spring cleaning and delete previous photos you have published on a regular basis.
• Always ask the children: Use questions such as “Do you think it’s okay for me to share this picture with the  family or friends?” Then you make it understandable to them. Respect the answer. 

European Health Data Space

The proposal will add yet another layer to the already complex collection of provisions, (to be found both at EU and Member State levels), on the processing of health data. The interplay between those different pieces of legislation needs to be crystal clear. With regards to the scope of the proposal, the EDPB and the EDPS recommend excluding from it wellness applications and other digital applications, as well as wellness and behavioural data relevant to health. Should these data be maintained, the processing for secondary use of personal data deriving from the above applications should be subject to prior consent within the meaning of the GDPR. Moreover, it may fall within the scope of the e-Privacy Directive. Finally, the EDPB and the EDPS urge the co-legislator to ensure legal clarity on the interplay between the data subject’s rights introduced by the proposal and the general provisions contained in the GDPR on data subject’s rights. 

Investigations and enforcement actions: Clearview’s fine, e-commerce program’s security, multi factor logins, land and mortgage register, delivery service data on sale

The Danish data protection agency Datatilsynet expressed serious criticism of Sports Connection, (a webshop), for not having implemented appropriate security measures in connection with a hacker attack, where unauthorized persons collected customers’ payment information. Last year the company reported a breach of personal data security to the authorities. Sports Connection became aware of the unauthorized access when the company discovered that a field had been added to the shopping basket on the webshop, which had not previously been there. Via a security hole in a e-commerce program, a malicious program code was injected, which made it possible to upload a file to the webshop, which meant that the webshop’s check-out page could be tampered with. 

Datatilsynet concluded in this case that Sports Connection, by not updating its e-commerce program to the latest version at the time of the attack, had not taken appropriate organisational and technical measures to ensure a level of security appropriate to the risks. When choosing a response, the agency emphasized that it is a known risk scenario that frequently-used e-commerce platforms are targets for attempts to compromise built-in weaknesses. In addition, the regulator has emphasized that this is the customers’ payment information, which was not secured, and that the company has no documentation on the continuous and adequate upgrade required of its e-commerce program.

The Greek data protection authority made headlines last week by sanctioning the controversial facial recognition firm Clearview AI 20 million euros and prohibiting it from collecting and processing the personal data of people in Greece. It has also ordered the deletion of any data on Greek residents already collected, TechCrunch reports. Their counterparts in France, Italy and UK have already issued similar decisions in the last year. In the US Clearview faced major restrictions too, while in Canada and Australia they also appear to be in breach of local privacy regulations. 

Clearview have scraped hundreds of millions of images of individuals from social media profiles without clear consent. Despite a legal backlash, the company is expanding sales of its facial recognition software to companies mainly serving the police: “Instead of online photo comparisons, the new private-sector offering matches people to ID photos and other data that clients collect with subjects’ permission”. The images are stored as long as customers wish and are not shared with others, nor used to train Clearview’s AI, the company states. 

The Polish privacy regulator UODO imposed an administrative fine on the chief national surveyor, for the failure to report the breach of personal data protection to the supervisory body and the failure to notify the persons whose personal data was disclosed online. Here are some findings of the case:

• for over 48 hours on the website maintained by the Chief Surveyor of the Country, land and mortgage register numbers were visible. With the number it was easily possible to determine data about real estate owners, including names, surnames, parents’ names, or address,
• the data protection office learned about the breach not from the controller, who should report it to the supervisory authority, but from the media,
• the defendant maintained that the land and mortgage register numbers are not personal data, and
• argued that the numbers are also visible on other websites and that the short-term appearance on their website did not carry any risk of violating the rights and freedoms of the data subjects.

In its decision, the regulator returned to the definition of personal data specified in Art. 4 GDPR, according to which personal data is any information about an identified or directly or indirectly identifiable natural person. UODO pointed out that the administrator cannot justify their unlawful activity by the existence of private entities operating websites that allow access to the content of land and mortgage registers. In addition, the assessment of the risk of violating the rights or freedoms of a natural person should be made from the point of view of the interests of the affected person, and not the interests of the controller. The person can then judge for themselves whether, in their opinion, the security incident may have negative consequences for them and take appropriate remedial action. On the other hand, the lack of such a data breach notification not only takes away that possibility, but may have negative consequences for the person.

The Romanian data protection body ANSPDCP completed an investigation at a delivery company (Delivery Solutions), following a complaint filed by a natural person who reported that the database of the service was for sale online. It was found that personal data belonging to over 26,500 individuals, (information that accompanies the shipment of any package, courier codes, sender name, name and surname of the recipient, telephone number, address, delivery status, type of service, package weight, amount receivable, delivery range), were available for sale on the RaidForums website  and could be accessed via an open link. Delivery Solutions was fined approx. 3,000 for failing to implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of data processing.

Data security: US location, health, and other sensitive data

It goes on to underline the “always on” aspect of connectivity and how intrusive that can be. Even unused, a device is in constant communication with local and national networks. Constant location data can reveal where people work, sleep, socialize, worship, and seek medical treatment. Each user actively generates their own sensitive data, via apps testing their blood sugar, recording sleep patterns, monitoring blood pressure, or tracking fitness. They share face and other biometric information to use apps or device features. Combining location and user-generated health data creates a “new frontier of potential harms to consumers” says the FTC, which concludes, “The marketplace for this information is opaque and once a company has collected it, consumers often have no idea who has it or what’s being done with it.” 

The FTC has additional guidance for businesses on consumer privacy and data security.

Big Tech: Ring’s audio, TikTok presses pause on privacy policy changes

Just a day before it was due to take effect TikTok postponed its new privacy policy, after the Italian data protection agency ‘Garante’ officially warned the Chinese social media giant it breached EU privacy rules. TikTok told users the changes would deliver targeted advertising without seeking their consent for using data on their devices. The Italians have told TikTok they reserve the right to impose penalties if the policy changes are not scrapped. TikTok insists the changes were made in the legitimate interests of the company and its partners, but after consultations with lead regulator Ireland, acting on the Italian ruling, the policy changes have been “paused”, pending analysis by Ireland’s Data Protection Commission.

Amazon’s doorbell camera system Ring is in the spotlight after product testing revealed it recorded audio well beyond the proximity of its location, and a US Senator called for better privacy in the device. Ring rejected the request by Democrat Ed Markey of Massachusetts, but his concerns are shared by security and privacy experts. Markey did not call for a restriction of the microphone range, but to require users to switch it on, and not have it active as a default setting. Ring claimed this might “confuse” customers, and did not rule out Ring’s future use of facial recognition technology when responding to the request that it never be employed. Markey called for support for the  Facial Recognition and Biometric Technology Moratorium Act currently in Congress.