TechGDPR’s review of international data-related stories from press and analytical reports.
Official Guidance: ‘cookie-walls’, US governmental inquiries, cross-border data transfers
The French regulator CNIL published its first evaluation criteria on ‘cookie walls’ or ‘pay walls’. All the principles of the GDPR remain applicable to the processing of data related to the use of cookie walls. Particular attention must be paid to informing individuals about any transfers of data outside the European Union that the use of certain solutions would entail. Most of the services offered on the Internet are presented as free. However, this free access is not without a counterpart: the personal data collected from Internet users is very often used by web players to finance the services they offer, in particular through targeted advertising.
So, when an Internet user refuses the use of trackers on a website (for example by clicking on a “refuse all” button), the CNIL recommends that publishers offer a real and fair alternative that allows access to the site and does not require consenting to the use of their data. It is not prohibited in principle for a publisher to condition access to its content either on the acceptance of trackers that contribute to monetising its service, or on the payment of a sum of money, since this constitutes an alternative to consenting to trackers. However, the monetary alternative must not be so expensive that it deprives Internet users of a real choice: one can thus speak of a reasonable price.
In the US, a government inquiry in the context of data security typically arises in one of two ways, says a K&L Gates article: either a data security incident involving a threat actor occurs, or a government agency is alerted to the possibility that a company is engaging in unlawful practices involving sensitive data. In both cases, it is not uncommon for a government agency to open an inquiry that could last months or even years. Thus, the most important factor is preparedness: organizations should have a written policy for responding to government inquiries involving the storage, use, and management of sensitive data.
A careful analysis of the inquiry is also crucial to formulating the best response. For example, if the company receives an inquiry letter or a subpoena, there may be ways to negotiate the scope, breadth, and timing of a response. On the other hand, if the inquiry takes the form of an investigation notice, such a notice may be followed by requests for information, documents, interviews, or inspections that warrant a careful, forward-looking plan of response, including planning for a potential dispute.
Meanwhile, the Berlin data protection authority published new cross-border data transfer guidance (in German). If personal data is to be transferred to third countries outside the EU or EEA, additional requirements apply, and a two-stage check is required: a) would the data processing be permitted if it took place in the EU/EEA? b) is the data export to the third country also permitted (eg, because an adequacy decision exists, a transfer tool such as SCCs is used, or the supervisory authority has approved it)? The exceptions in Art. 49 GDPR (DS-GVO) also allow data exports in certain special cases, in particular with the consent of the data subject, or where the transfer is necessary to fulfil a contract with, or in the interest of, the data subject (eg, a hotel booking).
In view of the market power of US IT companies, data exports to the US are particularly relevant in practice. The ECJ analyzed the legal situation in the USA and concluded that the level of protection for personal data from the EU that prevails there does not meet the requirements for a permissible data export in the light of the GDPR and the EU Charter of Fundamental Rights (the Schrems II decision). For the standard contractual clauses to remain usable after the Schrems II judgment, data exporters must take additional measures (eg, secure encryption or pseudonymisation, although these are not possible with many US cloud services) and carry out a detailed examination of the third country’s legal system and practice with regard to any access by its authorities to the transmitted personal data.
The Berlin regulator also clarifies some ambiguity on which companies fall under the US secret service legislation, the data categories recorded and the legal protection options that are open to the addressees in the event of official orders. In addition, the question arises as to whether the US authorities have access rights even if data is processed exclusively in Europe.
Legal processes: administrative fines calculation, AML/CFT data protection obligations
The EDPB has adopted guidelines to harmonise the methodology supervisory authorities use when calculating the amount of fines. At every stage, the fact that the calculation of a fine is no mere mathematical exercise must be taken into account. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can, in all cases, vary between any minimum amount and the legal maximum. The guidance applies to all types of controllers and processors except natural persons when they do not act as undertakings. This is notwithstanding the powers of national authorities to fine natural persons. Taking these parameters into account, the EDPB has devised the following methodology:
- Identifying the processing operations in the case and evaluating the application of Art. 83(3) of the GDPR.
- Finding the starting point for further calculation based on a) classification; b) the seriousness of the infringement; c) the turnover of the undertaking.
- Evaluating aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly.
- Identifying the relevant legal maximums for the different processing operations. Increases applied in previous or next steps cannot exceed this amount.
- Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Art. 83(1) of the GDPR, and increasing or decreasing the fine accordingly.
A Romanian court of appeal confirmed its decision to fine Banca Transilvania approx. €100,000 for violating Art. 32 in conjunction with Art. 5 of the GDPR, Data Guidance reports. The Romanian data regulator ANSPDCP found in its initial decision that Banca Transilvania did not take sufficient measures to ensure that natural persons acting under its authority processed personal data only at the bank’s request and received sufficient internal training. The court of appeal held that:
- the casual way bank employees acted, transmitting the personal data of the bank’s clients to one another and third parties, attests to the ignorance of work procedures, and their inability to identify and qualify the data they had access to;
- the bank did not prove employees were actually trained and that it applied the mechanisms, control, and evaluation measures designed to ensure that its employees complied with those internal regulations;
- the bank must prove an adequate level of security regarding the ability to ensure confidentiality and regular testing, evaluation, and assessment of the effectiveness of the same.
Moreover, the court stated that the regulator correctly qualified the seriousness of the amount of personal data disseminated by bank employees, their sensitivity, the manner of dissemination, and the number of people who gained unauthorised access to the bank’s customer data for an indefinite period of time.
The EDPB draws the attention of the European institutions to the important data protection issues raised by the implementation of the AML/CFT obligations in the AML legislative proposals. Obliged entities are required to process personal data that allows intimate inferences to be drawn about individuals and that can notably lead to the exclusion of legal and natural persons from a right and/or a service (for instance, a banking service). It is therefore crucial that the AML legislative proposals are in line with the GDPR. Among the safeguards the EDPB proposes:
- Consultation of the EDPB in the drafting and adoption of regulatory technical standards (RTS), guidelines and recommendations (eg, the RTS shall specify, notably, the information to be collected for the purpose of performing standard, simplified and enhanced customer due diligence, for the ongoing monitoring of a business relationship, and for the monitoring of the transactions carried out in the context of such a relationship).
- The need to better specify the conditions and limits of the processing of special categories of data and of personal data relating to criminal convictions (eg, in order to avoid decisions being made on the basis of discriminatory factors, it should also be specified that the assessment made by obliged entities shall not be based solely on the processing of special categories of personal data).
- The need to provide additional provisions in relation to the sources of information (eg, the obligation to use reliable, accurate and up-to-date sources should be extended to all information processed by obliged entities for the purpose of AML/CFT).
- The need to provide specific provisions for the processing of personal data by providers of so-called “watchlists”. The providers of these “watchlists” act as data controllers, as defined in Art. 4 of the GDPR. Moreover, the legal basis (Art. 6) for the processing of personal data by such providers is not clear, says the EDPB.
Meanwhile, the Italian privacy regulator ‘Garante’ fined restaurant operator Rebirth for privacy and data protection violations. The Garante noted that it had sent a request for information, and that it had launched an investigation in the absence of a response from the operating company Rebirth. In the end, the Garante found that 14 cameras were installed in the restaurant (‘Caffè Antica Roma’), in the absence of any notice providing information on their presence. Additionally, the regulator noted that the video surveillance system had been installed without prior authorisation from the Labour Inspectorate and from the relevant trade union, Data Guidance reports.
The Danish data protection agency expressed serious criticism of the Danish Financial Supervisory Authority for not having complied with the requirement for adequate security, as the Authority inadvertently handed over information about whistleblowers to a journalist in connection with a request for access to documents. The unintentional disclosure took place because the Authority had not removed personal data from the material it provided in a sufficiently secure manner: it had blacked out personal data in the PDF documents it handed over, but the underlying text could be revealed by holding the mouse cursor over the blacked-out passages. It appears that the Authority was not aware that the hidden information behind the displayed document (metadata, etc.) must be deleted in order to ensure that it is no longer available.
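The failure described above is easy to reproduce and easy to check for. The following Python sketch is an added example, not part of the TechGDPR digest or the Danish decision: it builds two tiny constructed PDFs, one “redacted” by painting a black rectangle over the text (the overlay approach) and one with the text actually removed before the file is produced, and then runs a release check that scans every literal string in the file, page content and the /Info metadata alike, for the name that must not leave the organisation. The file layout, the whistleblower name and the report line are all constructed for the demonstration; no real document is involved.

```python
import re

# Constructed sample values (not from the Danish case): a line of a report
# naming a whistleblower, which must not reach the journalist.
SECRET = "whistleblower J. Doe"
REPORT_LINE = "Access request file 42, source: " + SECRET


def pdf_literal(text: str) -> bytes:
    """Encode text as a PDF literal string, escaping the characters PDF reserves."""
    escaped = text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + escaped.encode("latin-1") + b")"


def text_stream(line: str) -> bytes:
    """Page content stream that draws one line of text near the top of the page."""
    return b"BT /F1 12 Tf 72 720 Td " + pdf_literal(line) + b" Tj ET"


def build_pdf(content_stream: bytes, title: str) -> bytes:
    """Assemble a minimal, uncompressed single-page PDF with an /Info title.

    Just enough PDF syntax for a viewer to open it. Real files usually
    compress their streams; this demonstration deliberately avoids that so
    the leak is visible with plain byte scanning.
    """
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content_stream)
        + content_stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Title " + pdf_literal(title) + b" >>",  # document metadata
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\n"
            b"startxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at))
    return bytes(out)


# "Redaction" by overlay: the text operator stays in the file and a filled
# black rectangle is painted on top of it (0 g = black fill, re f = fill a
# rectangle). The metadata is left untouched as well. The text is hidden on
# screen, not removed from the file.
OVERLAY_PDF = build_pdf(
    text_stream(REPORT_LINE) + b"\n0 g 230 716 200 16 re f",
    title="Draft response, " + SECRET,
)

# Real redaction: the sensitive text is removed from page content and
# metadata before the file is generated, so there is nothing left to uncover.
CLEAN_PDF = build_pdf(
    text_stream(REPORT_LINE.replace(SECRET, "[REDACTED]")),
    title="Draft response",
)

# A PDF literal string: "(" ... ")" with backslash escapes allowed inside.
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")


def all_strings(pdf: bytes) -> list:
    """Every literal string in an uncompressed PDF: page text, /Info fields, etc.

    A release check, not a full PDF parser; it sees what text search or
    copy/paste in a viewer would see in this constructed file.
    """
    return [re.sub(r"\\(.)", r"\1", m.group(1).decode("latin-1"))
            for m in LITERAL.finditer(pdf)]


def leaks(pdf: bytes, needle: str) -> bool:
    """True if text that should have been redacted is still present in the file."""
    return any(needle in s for s in all_strings(pdf))


if __name__ == "__main__":
    print("overlay file still contains the name:", leaks(OVERLAY_PDF, SECRET))
    print("clean file still contains the name:  ", leaks(CLEAN_PDF, SECRET))
```

Run the check on the exported file, not on the editor's view of it: if anything sensitive turns up, the redaction was cosmetic. Production documents compress their streams and can carry text in annotations, form fields, embedded files and XMP metadata, so a real release gate needs a full PDF library rather than this regex, but the rule it enforces is the same one the Danish agency applied: the data has to be gone from the file, not merely covered.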
Data Security: ransomware gangs using AI
The strongest alarm yet has been sounded about ransomware gangs using AI and machine learning to expand their criminal activity. In itself this is nothing new, but what has changed is the criminals’ rapidly growing pile of cash, or crypto, which may allow them to trump the tech giants’ salaries for specialists and lure them into illegal activity. Just one outfit, Conti, extorted over 180 million dollars in 2021, a bumper year for cybercriminals, who raked in over 600 million dollars as attacks doubled year-on-year, with many of the groups Russian-based. One expert predicted the gangs will start using the technology in 12 to 24 months’ time, as the currently tiny pool of experts grows with new graduates entering the jobs market.
Big Tech: Google’s Incognito mode, Tesla’s Bluetooth Low Energy, Snapchat’s Lenses app
Texas Attorney General Ken Paxton has amended an ongoing lawsuit against Google, adding a new complaint that the search giant’s Incognito mode is anything but. In the suit Paxton calls the privacy claims made for Incognito mode “false, deceptive, and misleading” when it “represents that Incognito Mode allows Texans to control what information Google sends and collects.” Google denies the accusation, but industry experts agree that Google’s efforts fall short of the safeguards in place at Firefox and Safari, for example. Along with four other Paxton suits, Google is facing a 2020 class action lawsuit over continuing to track users while in Incognito mode, in which damages of at least five billion dollars are being sought. Reportedly, CEO Sundar Pichai was warned in 2019 to stop calling Incognito “private”, but he continued to do so anyway.
A major security vulnerability has been exposed in Teslas, but essentially the same vulnerability applies to any of the millions of vehicles worldwide that have Bluetooth Low Energy installed, Reuters reports. Researchers were able to break into a Tesla and drive it away using a simple relay and a laptop to fool the car into thinking it was communicating with an authorised key. Only the Model 3 and Model Y appear to be at risk, but with BLE also embedded in smart locks in homes and businesses, and the technique usable by attackers from anywhere in the world rather than only in close proximity, the risks are greatly multiplied.
Snapchat’s Lenses app is facing a class action lawsuit from two Illinois residents who allege the app violates the state’s Biometric Information Privacy Act. The app adds effects to photos, but to do so it scans the user’s face. However, BIPA requires any company to obtain written consent before collecting certain biometric data, including facial scans, and no such feature is incorporated into Lenses.