Weekly digest 20 – 26 June 2022: future US data privacy law, new ban on GA, ‘watched from home’ employees

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: future US data privacy law, Canada’s Bill C-27

Last week the “American Data Privacy and Protection Act” was officially introduced to the US House of Representatives. The document, be it enforced by Congress, promises to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. The future US data privacy law consists of two key provisions: federal preemption over many state privacy laws and a private right of action. According to dataprotectionreport.com, it is the only bill currently under Congressional consideration that contains both of these components. The bill’s four titles draw upon many of the EU GDPR key principles.

• Duty of loyalty (data minimization, privacy by design, loyalty to individuals with respect to pricing).
• Consumer data rights (consumer awareness, transparency, individual data ownership and control, right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, data security and protection of covered data, small business protections, and unified opt-out mechanisms).
• Corporate accountability (executive responsibility, service providers and third parties, technical compliance programs, approved compliance guidelines, digital content forgeries).
• Enforcement, applicability, and miscellaneous (Enforcement by the Federal Trade Commission, by State Attorneys General, by individuals, relationship to Federal and State laws, COPPA, etc.).

Meanwhile in Canada, a new draft Digital Charter Implementation Act (Bill C-27) was introduced by the ministers of Industry and Justice. It would strengthen Canada’s existing legal framework for personal information protection in the private sector and introduce new rules related to artificial intelligence: 

• the Consumer Privacy Protection Act, (CPPA), would repeal and replace the Personal Information Protection and Electronic Documents Act with a more robust framework in line with the General Data Protection Regulation;
• the Personal Information and Data Protection Tribunal Act would establish an administrative tribunal for organizations and individuals to seek a review of Privacy Commissioner decisions, as well as impose administrative monetary penalties for certain violations of the CPPA; and
• the Artificial Intelligence and Data Act would regulate the development and deployment of high-impact AI systems, establish an AI and Data Commissioner and outline criminal prohibitions and penalties for certain uses of AI.

Official guidance: proxy servers for US data transfers, advertising and address trading, health sector professionals

The French regulator CNIL has recently published a guide, (in French), on how to bring your audience measurement tool into compliance with the GDPR with reference to the case of Google Analytics. In February 2022 the CNIL, after a process of cooperation with its European counterparts, issued formal notice to several organizations using Google Analytics because of their illegal data transfers to the US. Only modifying the configuration of the conditions of treatment of an IP address is not enough, in particular because the latter continues to be transferred to the US, says the CNIL. Another defence often put forward is that of using “encryption” of the identifier generated by Google Analytics, or replacing it with an identifier generated by the site operator. However, in practice, this provides little or no additional safeguard against possible re-identification of data subjects, mainly due to the continued processing of the IP address by Google. 

However, the use of a correctly configured proxy can constitute an operational solution to limit the risks for people’s privacy, as it breaks the contact between the user’s terminal equipment and the server. Beyond the case of Google Analytics, this type of solution can also make it possible to reconcile the use of other measurement tools with the rules of the GDPR on the transfer of data. The proxy server must also be hosted under conditions guaranteeing that the data it will have to process will not be transferred outside the EU/EEA to a country that does have an adequacy decision. It will be up to the data controllers to carry out an analysis on how to put in place the necessary measures in the event that they wish to use this type of solution, as well as to verify that these measures are maintained over time, as products evolve.

The Berlin data protection authority published guidance on advertising and address trading, (in German). Advertising is relevant to data protection law whenever your personal data is used for advertising purposes. Examples are personally addressed advertising mail or e-mail advertising that is directed to e-mail addresses with personal references or addresses those affected by name. On the other hand, for example, direct mail in the mailbox that is not addressed personally or advertising inserts are not covered by data protection law. 

The address traders may collect personal data from business directories, commercial registers, telephone directories and other publications. As a precautionary measure, the regulator therefore generally recommends that consumers use their own data sparingly. When ordering online, also consider whether they  are interested in advertising from the company and, if not, object to advertising when placing the order. It also offers some sample letters for excercising data subject rights for: information about the data stored about the person, deletion of stored personal data, objection to the use of personal data stored for advertising purposes, objection to the use of personal data stored by Deutsche Post. 

And for those who can read Spanish, the AEPD has published a guide aimed at professionals in the health sector. The document addresses frequent issues such as the legitimacy to process health data, (beyond informed consent of the patient – ed.), who can access the clinical history and in what cases, the responsibility and obligations derived from these treatments, as well as the management of the rights of patients or situations that may involve communication of data to third parties. To that end, the guide attempts to respond to the various situations that arise when health professionals develop their services in hospitals or clinics, indicating the criteria that allow to identify, in each case, who is responsible for the treatment of patients’ data and of the corresponding clinical histories.

Investigations and enforcement actions: sound recording, cookies, ban on GA in Italy, unauthorised disclosure and data storage

The Polish data protection regulator UODO fined the Warsaw Center for Intoxicated Persons some 2000 euros, related to the monitoring system it used. The center was accused of recording sound in the facility without legal basis. The administrator has confirmed that the system records both video and sound, and the purpose of the processing is, inter alia, exercising constant supervision over persons brought in to sober up to ensure their safety. The monitoring record covering all rooms, including audio and video signals, is kept for 30 to 60 days, except when the recording is secured as evidence in any pending proceedings. As the legal basis, the center indicated that the data processing is necessary to fulfill the legal obligation incumbent on the controller. In addition, the administrator referred to the regulations contained in the Act on Upbringing in Sobriety and Counteracting Alcoholism. 

In the opinion of the supervisory body, the legal provisions did not authorize the controller to process sound data as well as video. In this case, sound recording is a redundant activity, which is not justified by the provisions of both the GDPR and the Act on Upbringing in Sobriety and Counteracting Alcoholism. Finally, the fact that audio was recorded for such a long time means that the infringement may potentially affect a very large number of people. In the opinion of the UODO, recording the voices of people who are often intoxicated, making it impossible for them to consciously formulate their statements or control the sounds produced, is an excessive, pointless activity.

The Belgian data protection authority GBA imposed a fine of 50,000 euros on the Rossel press group for its management of cookies on the websites lesoir.be, sudinfo.be and sudpressedigital.be. The fine mainly relates to violations related to the required consent for the placement of non-essential cookies. This is the second decision taken by the GBA as part of its thematic research into the management of cookies on the most popular Belgian press sites. During its investigation in this area, the GBA identified several violations on the above sites:

• several cookies were placed on the visitor’s device by these websites before the visitor’s consent,
• analytical and social network cookies placement was based on legtitmate interest, and not user’s consent,
• the cookie policy was incomplete and difficult to access,
• further browsing was considered as a sign of the user’s consent, while consent can only be considered valid if it is the result of a clear and sufficiently specific, active action to confirm the acceptance of cookies,
• the consent boxes for the placement of cookies by third parties were already pre-ticked. 

Moreover, when a user withdrew their consent, the procedure was ineffective.   

In the related case, the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the US. Based on the above findings, the regulator adopted a decision, to be followed by additional ones, reprimanding Caffeina Media – a website operator – and ordering it to bring the processing into compliance with the GDPR within 90 days. If this is found not to be the case, suspension of the GA-related data flows to the US will be ordered. The Italian authority calls upon all controllers to verify the use of cookies and other tracking tools on their websites. 

The Garante also recently imposed a fine of 2,500 euros to Isabella Gonzaga High School, for violations of Articles 5, 6, and 9 of the GDPR  for unathorised disclosure of a special category of data, Data Guidance reports. According to the complaint, the high school had published, in a special section dedicated to teachers in the electronic register, a document relating to the final timetable for the school year 2020-2021, containing a reference, next to the plaintiff’s name, to the benefits received by the same due to their disability. The regulator found that: 

• the document in question contained detailed information about personal and family events or information linked to the specific employment relationship of other teachers, (eg, maternity leave due to serious pregnancy complications), 
• the restricted document had been published due to a human error to a very wide range of unauthorised persons, namely all of the plaintiff’s colleagues among the teaching staff.

The Danish data protection agency hit Gyldendal A/S with a fine of approx. 135,000 euros for storing information about 685,000 book club members for longer than necessary. Gyldendal kept the information in a so-called “passive database”. Information on some 395,000 of the former members had been intentionally retained for more than 10 years after they had resigned from the book clubs. Gyldendal had no procedures or guidelines for deleting information in the passive database. After the inspection visit, Gyldendal deleted all the information in the passive database and informed the regulator that, according to the company’s assessment, it would be necessary to store information about announced members for up to six years. Also, according to Gyldendal, only two employees had access to the passive database.

Big Tech: pregnancy-related data, coffee-shop location data, new ways to verify age, ‘watched from home’ employee monitoring

The US Tech sector is bracing for the possibility of having to hand over pregnancy-related data to law enforcement, after the Supreme Court overturned women’s constitutional right to an abortion, Reuters reports. As state laws could limit abortion after the ruling, technology trade representatives reportedly fear police will obtain warrants for customers’ search history, geolocation and other information indicating plans to terminate a pregnancy. Prosecutors could access the same via a subpoena, too. In one example, Mississippi prosecutors charged a mother with second-degree murder of her new-born baby after her smartphone showed she had searched for abortion medication in her third trimester. 

Canada’s provincial and federal regulators recently investigated privacy and data management practices of a well-known ‎coffee shop and restaurant chain, DLA Piper reports.  The received complaint alleged that the mobile app unlawfully collected a ‎significant amount of personal information and location data at a ‎very high frequency, even when it was not being used. This data was then processed by a third-party ‎supplier based in the US. The data collected by the app, (either on its own or combined with other data), could be used to deduce a wealth of information about the individual, including some highly sensitive information such as home address, workplace, and travel habits. The business did not:

• conduct a privacy impact assessment before launching its application,
• adequately inform users of how the data would be collected before obtaining their consent,
• obtain clear and detailed consent for such uses of data, 
• clarify contractual obligations with the third party on the use of the data collected for its own purposes.

Privacy International investigated Office 365 and found features that can enable employers to access all communications and activities on Microsoft services. One of these features, the “Microsoft Office 365 Admin Center” can inform administrators about productivity and efficiency of employees within their company. Another source of far more granular employee information is the “Microsoft Teams Admin Center”, followed by “Audit” and “Content Search” features.  From there an administrator can select specific users and read individual metrics from each, including how long they spent on calls, how many messages they exchanged, how many group and 1-1 meetings they attended and more. These features can be operated without the employees’ knowledge and there seems to be a lack of transparency for users in terms of what data is collected and for what purpose, PI says: “This includes not only a list of pretty much most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through e-mail”. 

Finally, Instagram is to introduce new ways to verify age. In addition to providing an ID, people will now be able to ask others to vouch for their age or use technology that can confirm their age based on a video selfie. For that Meta is partnering with Yoti, a company that specializes in privacy-preserving ways to verify age. “If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we’ll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age (social vouching)”, says a company statement. Finally, in addition to testing the new menu of options to verify people’s ages, Meta also claims to be using AI to understand if someone is a teen or an adult. Read more in the original statement by the company.