Category: Data Protection

Data protection soon to become constitutional right in Brazil

24. September 2021

Brazil’s Chamber of Deputies last month approved the Federal Senate’s proposal to amend the Constitution making the protection of personal data, including in digital media, a fundamental right for all citizens. According to the proposal, the Federal Government would have exclusive competence to legislate and supervise matters in this area.

The country already has a General Law for the Protection of Personal Data (LGPD) and the National Data Protection Authority (ANPD) as a supervisory body. The deputy Orlando Silva pointed out that the proposal consolidates the regulations for the protection of personal data and justified the need to include data protection as a constitutional right as follows:

All of us here systematically use Internet applications, and the management of these applications is based on the provision of personal data, which is often manipulated without each of us knowing the risks to our privacy.

The deputy Isnaldo Bulhões added:

Without a doubt the proposal is a step forward, because we have seen major scandals, major violations, and fraud that have advanced a lot in recent times with technological development in Brazil and in the world.

A peculiarity of the amendment adopted by the Plenum is the deletion of the provision to make the ANPD an independent body, which would be part of the indirect federal public administration and subject to a special autonomous regulation. It was argued that the autonomy of the ANPD is not in question, but a constitutional regulation in this regard has never been adopted for any other agency.

For final approval the deputies’ adjustments require the proposal to return to the Federal Senate.

UK Ministry of Defence Data Breaches put more than 300 Afghans in Danger

23. September 2021

On Monday, 20 September 2021 the UK Ministry of Defence launched an investigation into a recent data breach. The breach has affected more than 250 Afghan interpreters who have cooperated with Western forces in Afghanistan and who have applied for relocation to the UK. The Ministry sent an e-mail to these Afghan individuals who are still in Afghanistan and are reportedly eligible for relocation. The e-mail included all e-mail addresses, names, and some associated profile pictures in copy (“cc”) instead of blind copy (“bcc”), thus exposing the personal information to all recipients. It was reported that some Afghans have sent reply e-mails to all recipients in the mailing list, even sharing details about their current personal situation.

The following Tuesday, Britain’s Defence Minister Ben Wallace apologised for the data breach publicly in Parliament. He explained that he is aware of the compromise of safety of the Afghan interpreters and has suspended an official as a result of the breach. Upon discovery, the Ministry sent out another e-mail advising the affected individuals to delete the previous e-mail and to change their e-mail addresses. Additionally, the Ministry of Defence will offer extra support to those affected by the incident. The Minister also stated that correspondence processes have already been changed.

In the meantime, a second data breach by the Ministry of Defence was uncovered on Wednesday. This time, an e-mail was sent to 55 people requesting them to update their details after the UK officials were unable to contact them. At least one of the recipients is a member of the Afghan National Army. Again, the e-mail was sent with all recipients in “cc” and not in “bcc”.

Military experts and politicians have criticised the Ministry for the data breaches which unnecessarily endanger the safety of Afghans, many of whom are hiding from the Taliban. The investigation into data handling by the “Afghan Relocation and Assistance Policy” team within the Ministry of Defence is still ongoing, a spokesperson of the Ministry has said.

UK intents to deliver own Adequacy Decisions for Data Transfers to Third Countries

30. August 2021

On August 26, 2021, the UK Department of Culture, Media and Sport (DCMS) published a document in which it indicated the intent to begin making adequacy decisions for UK data transfers to third countries.

As the UK has left the EU, it has the power under Chapter V of the UK General Data Protection Regulation (UK GDPR) to independently assess the standard of data protection in other jurisdictions, and recognize certain jurisdictions as adequate for the purpose of foreign UK data transfers. This was announced by the DCMS in a Mission Statement including reference to international data transfers, “International data transfers: building trust, delivering growth and firing up innovation“.

“In doing so we want to shape global thinking and promote the benefits of secure international exchange of data. This will be integral to global recovery and future growth and prosperity,” writes the UK Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden and Minister for Media and Data John Whittingdale.

The UK has developed and implemented policies and processes for reaching adequacy agreements with its partners. So far it has identified 10 countries as “priority destinations” for these deals. The countries include Australia, Brazil, Columbia, The Dubai International Financial Centre, India, Indonesia, Kenya, The Republic of Korea, Singapore and the USA.

The adequacy of a third country will be determined on the basis of whether the level of protection under the UK GDPR is undermined when UK data is transferred to the respective third country, which requires an assessment of the importing jurisdiction’s data protection laws as well as their implementation, enforcement and supervision. Particularly important for the consideration will be the third country’s respect for rule of law and the fundamental human rights and freedoms.

The Mission Statement specifies four phases in assessing the adequacy of a jurisdiction. In the first phase, the UK Adequacy Assessment team will evaluate if an adequacy assessment will take place. The second phase involves an analysis of the third country’s level of data protection laws, the result of which will influence the third phase, in which the UK Adequacy Assessment team will make a recommendation to the UK Secretary of State. In the fourth and last phase, the relevant regulations will be presented to Parliament to give legal effect to the Secretary of State’s determination.

Adequacy decisions are planned to be reviewed at least once every four years, and may be subject to judicial review.

New Mexico Attorney General files suit against “angry birds” developer

The developer of the popular app “Angry Birds” is currently under investigation by the New Mexican Attorney General.

On August 25, 2021, New Mexico Attorney General Hector Balderas filed charges against Rovio Entertainment. The company is alleged to have violated the federal Children’s Online Privacy Protection Act (COPPA) and to have intentionally collected the data of players under the age of 13. One of the accusations is that the data was processed for commercial purposes.

COPPA requires app developers to inform parents of children of the appropriate age about their data collection practices. Further, it is required to obtain parental consent for the collection of personal data from children under 13 and to properly record that consent.

The Attorney General’s complaint alleges that children’s data was disclosed to third parties for the purpose of targeted advertising. The data is analyzed, vermacred to third parties, and from then on is also available to an even wider circle of interests. The Angry Bird developer is also said to have failed to obtain parental consent and to have proclaimed it. The privacy policy was also said to be misleading. The company however stated that the Angry Birds app was not for children. Nevertheless, according to the authorities the developers are aware that the application is downloaded and played by a young audience in particular. Even in the event that the privacy policy is not specifically marketed to minors, however, the company must take measures under COPPA to minimize the risk to children.

The procedure may entail civil penalties, restitution, and other relief.

Children’s data also receive special protection within the EU. According to Art. 8 of the GDPR, this protection even applies up to the age of 16. However, the state legislators are free to set this limit at the age of 13.

Discussions on Mongolian data protection bill

27. August 2021

The Mongolian legislation on the protection of personal data is currently limited to two laws: the Law on Personal Secrets and the Law on Organisational Secrets, both enacted in 1995. The provisions are considered vague, ambiguous and insufficient, which makes them rarely used in practice. This leads to the lack of interpretation and application. Therefore, the not well developed data protection legislation requires systematic and consistent reforms in order to meet the various societal challenges and to comply with international standards.

Within the framework of the “Action Plan of the Government of Mongolia for 2020-2021” a draft law on the protection of personal data is in the process of being approved. In this regard, the parliament of Mongolia, the State Great Khural, has recently announced discussions on several draft laws. They include the Law on Public Information, the Law on Protection of Personal Data, the Law on Cyber ​​Security, and the Law on Electronic Signatures.

The discussions were jointly held by the Standing Committee on Innovation and e-Policy and the Standing Committee on Legal Affairs on August 10th, 2021. Now, the Mongolian government is responsible for preparing the revised drafts.

The draft Law on Protection of Personal Data aims to regulate relations with regard to the collection, processing, and use of personal data as well as to ensure their security. It outlines rights and obligations of data processors and controllers, contains data subject rights and includes provisions for international data transfers.

The bill is an important step towards alignment with international data protection standards. If passed, the law will come into force on November 1st, 2021.

noyb filed complaints against the cookie paywalls of seven major news websites in Austria and Germany

25. August 2021

Privacy Activist Max Schrems’ data protection organization noyb (an acronym for “none of your business”) announced on August 13th, 2021, they filed complaints against the cookie paywalls of seven major German and Austrian news websites. In the statement, they question whether consent can be “voluntarily” given if you have to pay to keep your data.

An increasing amount of websites asks their users to either agree to data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or take out a subscription (for up to € 80 per year). Can consent be considered “freely given” if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?

With these paywalls, the user must decide whether to agree to the use of his or her own data for advertising purposes or to enter into a paid subscription with the respective publisher. However, personal data may only be processed if there is a legal basis for doing so. Such a legal basis may arise, for example, from Article 6 (1) (a) of the GDPR, if the data subject has given his or her consent to this processing. Such consent must be “freely given”. According to Rectical 42, sentence 5, “consent is not regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” noyb is of the opinion that the paywall solution lacks the necessary voluntariness for consent and thus also lacks a legal basis according to Art. 6 (1) a) DSGVO.

Art. 7 (4) GDPR demands, “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

In contrast, in a decision on November 30th, 2018, the Austrian data protection authority did not see a violation of the GDPR in a paywall system, as the data subject receives a recognizable benefit, and expressed that the decision was thus voluntary after all.

Accordingly, users’ personal data could be considered a “means of payment” with which they pay for a paid subscription instead of a monetary benefit. Consent to data processing would thus be necessary for fulfillment, as it represents the quid pro quo the data subject, in other words, the purchase price. How the responsible data protection authorities will ultimately decide remains to be seen.

These complaints by noyb represent the organization’s second major campaign this month. On August 10, they have already filed 422 formal complaints with 10 European regulators based on inadequate cookie banners.

Google Play Store apps soon obliged to provide privacy notices

20. August 2021

On the Android Developers Blog, Google has announced further details for the upcoming new safety section in its Play Store. It aims at presenting the security of the offered apps in a simple way to give users a deeper insight into privacy and security practices of the developers. This should allow users to see what data the app may be collecting and why, even before the installation. In order to achieve this, apps in the Google Play Store will be required to publish the corresponding information in the safety section.

The new summary will be displayed to users on an app’s store listing page. It is intended to highlight details such as:

  • What type of data is collected and shared, e.g. location, contacts, name, email address, financial information,
  • How the data will be used, e.g. for app functionality or personalization,
  • Whether the data collection is optional or mandatory for the use of an app,
  • Security practices, e.g. data encryption,
  • Compliance with the family policy,
  • Validation from an independent source against a global security standard.

To support the safety section, policy changes are being made which should lead to more transparency to users. Thus, all developers will be required to provide a privacy notice. Previously, only apps that collected personal and sensitive user data had to do so. The innovation applies to all apps published on Google Play, including Google’s own apps.

Developers will be able to submit information to the Google Play Console for review in October. However, by April 2022 at the latest, the safety section must be approved for their apps. The reason for this is that the new section is scheduled to be rolled out and visible to users in Q1 2022.

Aside from sharing additional information for developers on how to get prepared, Google has also assured that more guidance will be released over the next few months.

Luxembourg’s National Commission for Data Protection fines Amazon a record-breaking 746 million Euros for misuse of customer data

11. August 2021

On August 6, 2021, Amazon disclosed the ruling of the Luxembourg data protection authority Commission nationale pour la protection des donées (CNPD) in an SEC filing, which imposed a record-breaking €746 million fine on Amazon Europe Core S.à.r.l. for alleged violations of the EU General Data Protection Regulation (GDPR) on July 16, 2021.

Based on press reports and Amazon’s public statements, the fine appears to relate to Amazon’s use of customer data for targeted advertising purposes.

The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that aims to represent the interests of thousands of Europeans to ensure their data is used according to data protection law in an attempt to avoid Big Tech companies manipulating their behavior for political or commercial purposes. The complaint also targets Apple, Facebook, Google and LinkedIn and was filed on behalf of more than 10,000 customers and alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.

Amazon stated that they „strongly disagree with the CNPD’s ruling“ and intend to appeal. „The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The amount of the fine is substantially higher than the proposed fine in a draft decision that was previously reported in the press. The French data protection authority (CNIL) said Luxembourg’s decision, which is “of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals.“

The CNIL confirmed the CNPD fined Amazon, and other European member states agreed to the Luxembourg decision. Amazon will have six months to correct the issue.

CNIL fines Monsanto 400,000 € for GDPR violations

29. July 2021

France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of 400,000 € on the U.S.-based biotechnology corporation Monsanto Company for contravention of Article 14 GDPR regarding the information of data subjects about the collection of their personal data and Article 28 GDPR concerning contractual guarantees which lay down relations with a data processor.

In May 2019, several media outlets revealed that Monsanto was in possession of a file containing personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers). The investigations carried out by the CNIL disclosed that the information had been collected for lobbying purposes. The individuals named on this “watch list” were Monsanto’s opponents and critics from several European countries, meant to be “educated” or “monitored”. This strategy should have influenced the debate and public opinion on the renewal of the authorization of glyphosate in Europe, a controversial active substance contained in Monsanto’s best-known product for weed control. The reason for the still current scientific controversy is the causation of diseases by glyphosate, most notably cancer.

The file included, for each of the individuals, personal data such as organization, position, business address, business phone number, cell phone number, business email address, and in some cases Twitter accounts. In addition, each person was given a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues such as pesticides or genetically modified organisms.

It should be noted that the creation of contact files by stakeholders for lobbying purposes is not illegal per se. While it is not necessary to obtain the consent of the data subjects, the data have to be lawfully collected and the individuals have to be informed of the processing.

In imposing the penalty, the CNIL considered that Monsanto had failed to comply with the provisions of the GDPR by not informing the data subjects about the storage of their data, as required by Article 14 GDPR. In addition, none of the exceptions provided in Article 14 para. 5 GDPR were applicable in this case. The data protection authority stressed that the aforementioned obligation is a key measure under the GDPR insofar as it allows the data subjects to exercise their other rights, in particular the right to object.

Furthermore, Monsanto violated its obligations under Article 28 GDPR. As a controller, the company was required to establish a legal framework for the processing carried out on its behalf by its processor, in particular to provide data security guarantees. However, in the CNIL’s opinion, none of the contracts concluded between the two companies complied with the requirements of Article 28 para. 4 GDPR.

EDPS and the EDPB call for a tightening of the EU draft legislation on the regulation of Artificial Intelligence (AI)

26. July 2021

In a joint statement, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) call for a general ban on the use of artificial intelligence for the automated recognition of human characteristics in publicly accessible spaces. This refers to surveillance technologies that recognise faces, human gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals. In addition to the AI-supported recognition of human characteristics in public spaces, the EDPS and EPDB also call for a ban of AI systems using biometrics to categorize individuals into clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights. With the exception of individual applications in the medical field, EDPS and the EDPB are also calling for a ban on AI for sentiment recognition.

In April, the EU Commission presented a first draft law on the regulation of AI applications. The draft explicitly excluded the area of international law enforcement cooperation. The EDPS and EDPB expressed “concern” about the exclusion of international law enforcement cooperation from the scope of the draft. The draft is based on a categorisation of different AI applications into different types of risk, which are to be regulated to different degrees depending on the level of risk to the fundamental rights. In principle, the EDPS and EDPB support this approach and the fact that the EU is addressing the issue in general. However, they call for this concept of fundamental rights risk to be adapted to the EU data protection framework.

Andrea Jelinek, EDPB Chair, and Wojciech Wiewiórowski, of the EDPS, are quoted:

Deploying remote biometric identification in publicly accessible spaces means the end of anonymity in those places. Applications such as live facial recognition interfere with fundamental rights and freedoms to such an extent that they may call into question the essence of these rights and freedoms.

The EDPS and EDPB explicitly support, that the draft provides for national data protection authorities to become competent supervisory authorities for the application of the new regulation and explicitly welcome, that the EDPS is intended to be the competent authority and the market surveillance authority for the supervision of the Union institutions, agencies and bodies. The idea that the Commission also gives itself a predominant role in the “European Artificial Intelligence Board” is questioned by the EU data protection authorities. “This contradicts the need for a European AI Board that is independent of political influence”. They call for the board to be given more autonomy, to ensure its independence.

Worldwide there is great resistance against the use of biometric surveillance systems in public spaces. A large global alliance of 175 civil society organisations, academics and activists is calling for a ban on biometric surveillance in public spaces. The concern is that the potential for abuse of these technologies is too great and the consequences too severe. For example, the BBC reports that China is testing a camera system on Uighurs in Xinjiang that uses AI and facial recognition to detect emotional states. This system is supposed to serve as a kind of modern lie detector and be used in criminal proceedings, for example.

Pages: 1 2 3 4 5 6 Next
1 2 3 6