TechGDPR’s review of international data-related stories from press and analytical reports.
Legal Processes and Redress
The Council of Europe strengthens its legal arsenal on disclosure of electronic evidence between governments and with service providers. A Second Additional Protocol to the “Budapest Convention” will extend the rule of law further into cyberspace. As of today, obtaining electronic evidence that may be stored in foreign, multiple, shifting or unknown jurisdictions is increasingly complex, and the powers of law enforcement are limited by territorial boundaries. As a result, only a very small share of reported cybercrime leads to court decisions. The Protocol provides a legal basis for disclosure of domain name registration information and for direct co-operation with service providers for subscribers’ personal information and traffic data, (excluding anonymised data), as well as effective means to obtain subscriber information, mutual assistance tools and personal data protection safeguards. The latter stipulate that each party to a request shall provide notice to the individual whose personal data has been collected, with regard to:
- the legal basis for and the purpose(s) of processing, (eg, the important public interest for investigation of criminal offences);
- any retention or review periods of recipients or categories of recipients to whom such data is disclosed;
- and access, rectification and redress available.
However, once made public at trial, an individual’s data passes into the public domain. In these situations, it is not possible to ensure confidentiality or DP safeguards for the investigation or proceedings for which the material was sought. The text should be opened for signature in May 2022.
Similarly, the CJEU’s Advocate General Opinion reiterates that general and indiscriminate retention of traffic and location data relating to electronic communications is permitted, but only in the event of a serious threat to national security. It must not include the prosecution of offences, including serious ones. Namely, national legislation which requires electronic telecommunications undertakings to retain traffic data on a general and indiscriminate basis for investigating market manipulation and abuse is contrary to EU law. Moreover, the time limit imposed on that storage does not remedy the issue, since, apart from the situation justified by the defence of national security, the general storage of electronic communications entails serious interference with fundamental rights to private and family life and the protection of personal data, irrespective of the duration of the period for which access to this data is requested.
The Hanover Administrative Court issued an important decision on extensive data collection, DataGuidance reports. It dismissed an action by an online mail-order pharmacy against the Lower Saxony data protection authority. The regulator had instructed the plaintiff to refrain from collecting customers’ dates of birth unless the information was required in relation to the drug ordered, and to avoid using gender-specific titles based on information collected during the ordering process. The plaintiff had agreed to insert the option ‘no information’ into the order form in relation to titles, but argued that, as they were obliged to provide age-appropriate advice, a corresponding query on date of birth had to be made in the ordering process. The court found that the ordering process in question only related to products that could be purchased without a prescription, and as such, questions regarding a customer’s date of birth during the ordering process should be omitted.
The EDPB adopted Guidelines on the interplay between Art. 3 and Chapter V of the GDPR. By clarifying the interplay between the territorial scope of the GDPR and the provisions on international transfers, it aims to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. In particular, the guidelines specify three cumulative criteria that qualify processing as a transfer:
- the data exporter, (a controller or processor), is subject to the GDPR for the given processing;
- the data exporter transmits or makes available personal data to the data importer, (another controller, joint controller or processor);
- the data importer is in a third country or is an international organisation.
The processing will be considered a transfer, regardless of whether the importer established in a third country is already subject to the GDPR. However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer.
Finland’s data protection ombudsman reminds data controllers that event log data stored in connection with personal data breaches in the information system must be kept as part of the documentation obligation. The Data Protection Officer may request log information to process a breach notification. Log files refer to chronologically recorded records of events and their causes in data networks, applications, systems, and data content. For example, they can capture all login sessions to a network, along with account lockouts, failed password attempts, etc.
Meanwhile, the French regulator CNIL published, (in French), recommendations on the implementation of logging measures. The purpose of logging tools in the context of multi-user systems is to ensure traceability of access and actions by various people accessing the information systems and, more specifically, the processing of personal data implemented within the organization. The data thus collected and processed by these tools contain information on the persons administering or accessing the resources, such as the user identifier, the date and time of access, the identifier of the equipment used, etc. In general it is always recommended to save logging data for access, creation, modification and deletion actions when processing personal data.
The CNIL also publishes its guidance on why and how to appoint a data protection officer, and what resources should be given to this person to do their job. Today nearly 30,000 professionals in France perform this function, (natural and legal persons combined), for 80,000 organisations that have appointed a DPO. Of these, the public administration, education and health sectors are the most represented.
The Danish Data Protection Agency published a new guiding text with reference to use cases, (in Danish), on data responsibility between private suppliers and public authorities. It emphasizes the importance of defining data processor and controller roles. While some cases are classical, (eg, an IT provider acts solely on instructions from a public authority), others can be more complex, namely, when private individuals are suppliers to public authorities. It is thus the content of the parties’ contractual agreement, including which service is to be provided, that is decisive for the role of the supplier. For example, receiving and storing information so as to fulfill an agreement, without this processing in itself having been agreed, would mean the supplier is independently responsible for the processing of the data.
Data Breaches, Investigations and Enforcement actions
Known across the EU, the Vinted platform, the online clothing sales marketplace, is under scrutiny by several data protection authorities. A significant number of complaints concerning vinted.com, operated by Lithuanian company Vinted UAB, have arrived on the desks of supervisory authorities from France, Lithuania and Poland, who are cooperating to investigate this website’s GDPR compliance. Today the website operator requires a scan of an identity card in order to unblock funds received from sales on a user’s account. The legal justification for this may be an issue, as are procedures and criteria to block an account and the corresponding retention periods.
Cyprus’s regulator has fined WS WiSpear Systems, (end-to-end WiFi surveillance solutions for the intelligence and public safety markets), 925,000 euros for violating the principle of lawful, fair, and transparent processing, (Art. 5 of the GDPR). The company had collected Media Access Control addresses and International Mobile Subscriber Identity data from various devices, in the context of testing and presentation of technologies, without the knowledge of users of these devices. The case highlights how data collected in combination with the geographical location of devices at different times can lead to the identification of device users, DataGuidance reports.
Spanish regulator the AEPD punished a couple of companies: an ambulatory health care service whose doctors were accessing their former patients’ medical records, a natural gas and electricity trader company for unexpected changes in customer contracts, (on behalf of a tenant), in a prima facie example of identity theft, and a Spanish multinational telecommunications company for violating national Information Society Services and Electronic Commerce law by sending direct marketing communications to a customer without their consent.
Polish data protection regulator the UODO has fined a bank for not reporting the violation and not fully informing people about a data breach, as well as an unsatisfactory level of cooperation. A courier company happened to lose bank correspondence with personal data, including names, surnames, registration addresses, bank account details, and identification numbers given to the bank’s customers. The bank considered that the risk of negative consequences for the persons affected was moderate, and therefore decided not to report the breach to the supervisory authority or comply with the GDPR obligation to notify the data subjects.
The EDPB has published its statement on the EU Digital Services Package and Data Strategy. The EU Commission has presented several legislative proposals, most notably the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Regulation on a European approach for Artificial Intelligence, and the proposal for a Data Act. The EDPB draws attention to a number of overarching concerns: lack of protection of individuals’ fundamental rights and freedoms; fragmented supervision; and risks of inconsistencies. The EDPB considers that, without further amendments, the proposals will negatively impact the fundamental rights and freedoms of individuals and lead to significant legal uncertainty that would undermine both the existing and future legal framework.
If a company is the victim of a data breach it is required to identify and notify an unknown number of individuals impacted by the breach. In order to determine which individuals to notify, the company must identify which documents contain protected information, extract data on impacted individuals from those documents and use that data to determine who to notify and by what means. This process requires a large and complex data review of documents from sources with varying degrees of uniformity and accessibility—ranging from scanned hard copy files to spreadsheets containing data for thousands of individuals. A Mayer Brown LLP article examines the pros and cons of using technology that could be used in the data review project, comparing traditional text recognition, and relatively new pattern recognition software driven by artificial intelligence.
Meta, which already uses end-to-end encryption on its WhatsApp product, is delaying rolling out the same feature on Facebook and Instagram messages until 2023. Messenger already has encrypted video and voice calls. Originally planned for next year, the delay is due to fears it could provide anonymity to abusers and terrorists. The opposition has been especially fierce in the UK, where leading children’s charity the NSPCC insists private messaging is “the frontline of child sexual abuse online”, and the Interior Minister says the social media behemoth’s encryption plans are “simply unacceptable”.
At the same time Meta denies that its Facebook and Instagram platforms are gathering browsing data from under-18s, the Guardian reports. The platforms’ parent company had announced in July that it would allow advertisers to target young users based on three categories only – age, gender and location – rather than a range of options including their personal interests. However, research by a trio of campaign groups states that Facebook and Instagram have retained the use of software, known as conversion APIs, that gathers details of teens’ web browsing activities. Their study set up fake accounts for a 13-year-old and two 16-year-olds. Campaigners were able to view the data harvested by the company’s software across the platforms as the “users” visited sites such as local newspapers and clothing retailers, clicked on buttons, searched for items or put products in baskets.