TechGDPR’s review of international data-related stories from press and analytical reports.
Legal Processes: UK data protection reform, privacy in the digital age
The UK Government published its response to the “Data: a new direction” consultation ahead of data protection reform. During the consultation period it engaged with a range of stakeholders, including through over 40 roundtables with academia, tech and industry bodies, and consumer rights groups, which provided a wide range of views. The proposals in the response are arranged across five chapters:
- Reducing barriers to responsible innovation, (increasing confidence in personal data processing through the use of the legitimate interest and enabling greater personal data access and personal data sharing for research and other purposes).
- Reducing burdens on businesses and delivering better outcomes for people, (reforms to reduce disproportionate impacts of subject access requests on organisations, and ways to limit unnecessary cookie banners by altering rules in the Privacy and Electronic Communications Regulations).
- Boosting trade and reducing barriers to data flows, (creating an autonomous UK international transfers regime, which supports international trade and eliminates unnecessary obstacles to cross-border personal data flows).
- Delivering better public services, (increasing the transparency of government processing activities by ensuring that clear information is provided on the use of algorithms; and, simplifying the legal framework in relation to the police’s collection, use and retention of biometric data).
- Reform of the Information Commissioner’s Office, (implementing a new, modern governance framework, with an independent board, and requiring the ICO to account for the impacts of its activities on growth, innovation, and competition).
The summaries of responses can be read here.
Meanwhile, Privacy International (PI) has published its submission to the UN report on the right to privacy in the digital age. “National laws are often inadequate and do not regulate, limit or prohibit surveillance powers of government agencies as well as data exploitative practices of companies”, states PI. Even where laws are in place, they are seldom enforced. PI notes that it is often only after legal challenges in national or regional courts that governments are forced to act. This is not a sustainable position: journalists and human rights defenders often lack the capacity (or legal standing) to challenge the actions of governments or companies, may face threats if they do so (including the same unlawful surveillance they are challenging), and in many jurisdictions have no independent avenue of effective redress. PI’s key advocacy points include:
- mass surveillance,
- government hacking,
- mobile phone data extraction,
- data retention,
- public-private partnerships and their implications for the right to privacy,
- SOCMINT by government authorities,
- contact tracing and Covid-19 applications,
- digital ID systems and the use of biometrics for identification and authentication,
- use of encryption and anonymity technologies,
- tracking online users, and more.
Official Guidance: data exporters, geolocation data
Danish privacy regulator Datatilsynet issued a statement on the concept of a data exporter (in Danish). Since the ECJ’s “Schrems II” judgment, Datatilsynet has received an increasing number of questions regarding the transfer of personal data to third countries. The term “data exporter” is not defined in the GDPR; it is, however, defined in the EU Commission’s Standard Contractual Clauses, one of the most widely used transfer tools under Chapter V of the GDPR. The short guidance text is aimed at controllers that use European processors where one or more of those processors’ sub-processors are located outside the EU/EEA.
The regulator indicated that it will hold both controllers and processors responsible for the obligations under Art. 44 GDPR. In practice, the controller must ensure, and be able to demonstrate to Datatilsynet, that the processor has put a valid transfer basis in place with its overseas sub-processors, and that this transfer basis is effective in light of all the circumstances of the transfer, including supplementary measures where necessary.
The EDPB adopted guidelines on certification as a tool for transfers. Art. 46(2)(f) GDPR introduces approved certification mechanisms as a new tool for transferring personal data to third countries in the absence of an adequacy decision. The guidelines cover the purpose, scope and the different actors involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria for demonstrating the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented. They complement Guidelines 1/2018 on certification, which give more general guidance, and are open for public consultation until the end of September.
The French regulator CNIL has launched a study on geolocation data collected by mobile applications. As part of its technology watch, it examined how easy it is to obtain people’s geolocation data. It identified a platform linking sellers and buyers of data that makes it possible to obtain free samples from data brokers, and requested, under the same conditions as any potential customer, a sample of data relating to France.
The dataset obtained is a file of timestamped geolocation points associated with nearly 5,000,000 smartphone advertising identifiers (Android and iOS) over roughly one week in 2021. The seller presents the data as anonymised. After a quick analysis, the CNIL considers that at least part of it is authentic. It will check whether, on the basis of this dataset, it can re-identify the persons concerned and, if so, will inform them individually. In addition to the data in the seller’s file, it will process publicly accessible data such as the published agendas of public figures, records of attendance at parliamentary sessions, population density maps of France, and data on venues of public sporting events.
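The CNIL does not describe its method, but the reason an “anonymised” advertising-ID trace is re-identifiable is worth seeing concretely. The following is an added example, not the CNIL’s code or data: it infers a likely home and workplace cell for each advertising ID from night-time and daytime points, checks how many IDs share that (home, work) pair, and intersects the IDs present at a set of public-agenda events (the kind of open data the CNIL says it will use) to single out one device. The sample points, the agenda entries, the grid-cell size, the night-time window and the matching window are all constructed assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of the record type the CNIL describes:
# (advertising id, ISO timestamp, latitude, longitude). Ids and coordinates are made up.
SAMPLE_POINTS = [
    # ad-A: sleeps near (48.860, 2.340), works near (48.870, 2.350), attends both events
    ("ad-A", "2021-03-01T02:00:00", 48.86004, 2.34002),
    ("ad-A", "2021-03-01T10:00:00", 48.87001, 2.35003),
    ("ad-A", "2021-03-01T15:05:00", 48.85000, 2.33000),  # event 1
    ("ad-A", "2021-03-02T01:30:00", 48.86002, 2.34001),
    ("ad-A", "2021-03-02T11:00:00", 48.87004, 2.35001),
    ("ad-A", "2021-03-02T19:10:00", 48.88000, 2.36000),  # event 2
    # ad-B: different home, attends event 1 only
    ("ad-B", "2021-03-01T03:00:00", 48.90001, 2.40002),
    ("ad-B", "2021-03-01T14:50:00", 48.85001, 2.33002),  # event 1
    ("ad-B", "2021-03-02T02:00:00", 48.90003, 2.40001),
    ("ad-B", "2021-03-02T12:00:00", 48.91000, 2.41000),
    # ad-C: never near either event
    ("ad-C", "2021-03-01T01:00:00", 48.80000, 2.30000),
    ("ad-C", "2021-03-01T12:00:00", 48.81000, 2.31000),
]

# Constructed "public agenda" entries (label, ISO timestamp, lat, lon), standing in for a
# public figure's published diary or a parliamentary attendance record.
PUBLIC_AGENDA = [
    ("parliamentary session", "2021-03-01T15:00:00", 48.8500, 2.3300),
    ("stadium match", "2021-03-02T19:00:00", 48.8800, 2.3600),
]


def cell(lat, lon, precision=3):
    """Snap a coordinate to a grid cell (roughly 100 m at 3 decimals) so nearby points compare equal."""
    return (round(lat, precision), round(lon, precision))


def parse(points):
    """Turn the ISO timestamp strings into datetime objects."""
    return [(ad_id, datetime.fromisoformat(ts), lat, lon) for ad_id, ts, lat, lon in points]


def infer_anchors(points, night_start=22, night_end=6):
    """Per advertising id: most frequent night cell (likely home) and day cell (likely workplace)."""
    night = defaultdict(Counter)
    day = defaultdict(Counter)
    for ad_id, ts, lat, lon in parse(points):
        bucket = night if (ts.hour >= night_start or ts.hour < night_end) else day
        bucket[ad_id][cell(lat, lon)] += 1
    anchors = {}
    for ad_id in set(night) | set(day):
        home = night[ad_id].most_common(1)[0][0] if night[ad_id] else None
        work = day[ad_id].most_common(1)[0][0] if day[ad_id] else None
        anchors[ad_id] = (home, work)
    return anchors


def anchor_uniqueness(anchors):
    """How many ids share each (home, work) pair; 1 means the pair alone singles out a device."""
    counts = Counter(anchors.values())
    return {ad_id: counts[pair] for ad_id, pair in anchors.items()}


def ids_at(points, when, lat, lon, window=timedelta(minutes=30)):
    """Advertising ids with at least one point in the target cell within +/- window of `when`."""
    target = cell(lat, lon)
    return {
        ad_id
        for ad_id, ts, plat, plon in parse(points)
        if cell(plat, plon) == target and abs(ts - when) <= window
    }


def link_to_agenda(points, agenda):
    """Intersect the ids present at every agenda entry; a singleton is a re-identification candidate."""
    candidates = None
    for _, ts, lat, lon in agenda:
        present = ids_at(points, datetime.fromisoformat(ts), lat, lon)
        candidates = present if candidates is None else candidates & present
    return candidates or set()


if __name__ == "__main__":
    anchors = infer_anchors(SAMPLE_POINTS)
    uniq = anchor_uniqueness(anchors)
    for ad_id, (home, work) in sorted(anchors.items()):
        print(f"{ad_id}: home={home} work={work} devices sharing this pair={uniq[ad_id]}")
    print("ids matching every agenda entry:", link_to_agenda(SAMPLE_POINTS, PUBLIC_AGENDA))
```

With the constructed input every device has a unique (home, work) pair, and only ad-A was at both agenda locations at the right times, so the advertising identifier is tied to a single person without any name ever appearing in the broker’s file. Replacing the identifier with a random token would not change this; the anchors and the event co-presence are what identify.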
Investigations and Enforcement actions: SAs’ dispute resolution, right to access, vehicle repair and maintenance history, traffic and location data
The EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. The binding decision addresses the lack of consensus on certain aspects of a draft decision issued by the French SA, as lead supervisory authority (LSA), regarding Accor SA, a hospitality company headquartered in France, and the objections subsequently raised by one of the concerned supervisory authorities (CSAs).
The LSA issued the draft decision following a complaint-based inquiry into Accor SA, concerning a failure to take into account the right to object to the receipt of marketing messages by mail and/or difficulties encountered in exercising the right of access. The LSA shared its draft decision with the CSAs in accordance with Art. 60(3) of the GDPR. One CSA issued objections pursuant to Art. 60(4) GDPR concerning, among other things, the size of the fine.
The SAs were unable to reach a consensus on one of the objections, which was then referred by the LSA to the EDPB for determination pursuant to Art. 65(1)(a) GDPR, thereby initiating the dispute resolution procedure. The EDPB has now adopted its binding decision. The decision addresses the merits of the part of the objection found to be “relevant and reasoned”.
The Swedish privacy protection authority IMY published a report on the complaints it received last year. The most common type of complaint, roughly one in three, concerns the rights of individuals, such as the right of access to their personal data.
The report gives a number of recommendations to businesses: they must know what rights individuals have when their personal data is handled, and must have routines in place to meet those rights, in particular for handling access requests. Businesses must also be reachable, so that individuals can easily get in touch to exercise their rights, and must clearly inform everyone whose personal data they process which personal data is used and why.
The complaints also show that many businesses using direct marketing need better routines for stopping mailings when a person contacts them to say they do not want further direct marketing or advertising.
Finland’s Office of the Data Protection Ombudsman decided whether vehicle repair and maintenance history data is personal data under Art. 4(1) GDPR. The buyer of a used car told the Ombudsman’s office that he had requested from Oy BMW Suomi Ab the maintenance and repair history for the entire life cycle of the vehicle, on the basis that the car had been serviced by an authorised BMW dealer. Oy BMW Suomi Ab did not provide any information.
The regulator considered that vehicle maintenance history data is in principle personal data within the meaning of the GDPR concerning the owner of the vehicle during the period of ownership. Service history information may directly or indirectly describe the owner of the vehicle or its activities. Nevertheless, some of the service history information may be non-personal. The regulator does not have jurisdiction over situations involving requests for non-personal data. Finally, according to the GDPR, a person has the right to access personal data concerning him or her. As the maintenance history and repair data are not the personal data of the new owner of the purchased vehicle, the new owner does not have the right to access it.
The regulator also considered that data protection rules do not, in principle, prevent the transfer of vehicle maintenance and repair history to the purchaser of a used vehicle; this could be possible, for example, on the basis of legitimate interest. Although the service provider has no obligation under the GDPR to provide the vehicle’s service history, the GDPR is not in principle an obstacle to its disclosure.
The Portuguese data protection authority CNPD ordered electronic communications providers to delete the traffic and location data of all communications retained for the investigation, detection and prosecution of serious crimes, after the retention obligation was found unconstitutional, DataGuidance reports. The CNPD noted that retaining the location and traffic data of all subscribers, without exception, is disproportionate to the objective pursued, and that it is therefore now unlawful for telecom operators to maintain this separate processing and to retain such a wide range of personal data.
Notably, the CNPD ordered electronic communications providers to delete, within 72 hours of notification of its decision, the personal data kept under Law No. 32/2008 (Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks), and to send a certificate of destruction of that data to the CNPD within 72 hours of the deletion.
Data Security: ransom victim shaming and extortion, TikTok on Oracle
Cybercriminals are upping their game and diversifying the ways they extort individuals and corporations, warns US security journalist Brian Krebs. Ransomware groups like ALPHV/BlackCat used to dump stolen data on the Dark Web, but are switching to publishing per-victim websites on the public Internet, with the leaked data made available in an easily searchable form.
The group recently boasted that it had hacked a luxury spa and resort in the western US, stealing the personal information of 1,500 resort employees and more than 2,500 residents. It published a web page with two “Check Yourself” buttons at the top, one for employees and another for guests.
With companies in general still slow to notify victims of security breaches, if they do so at all, this sort of site may be the only way some people discover that their personal information has been compromised.
TikTok says Oracle will store all the data from US users, in a bid to allay fears about its safety in the hands of a platform owned by the Chinese company ByteDance, The Guardian reports. Citing recordings of 80 internal TikTok meetings it obtained, BuzzFeed News claims that US employees of TikTok repeatedly consulted colleagues in China to understand how US user data flowed, because they did not have the “permission or knowledge of how to access the data on their own”, as TechCrunch reports. US officials have for years expressed concern that TikTok might let China’s government access the data the firm collects from Americans and users in other nations. The matter escalated in 2020 when the Trump administration said it would bar the Chinese-owned mobile apps WeChat and TikTok from US app stores.