Category: Data Protection

Data Breach made 136,000 COVID-19 test results publicly accessible

18. March 2021

Personal health data are considered a special category of personal data under Art. 9 of the GDPR and are therefore given special protections. A group of IT experts, including members of the German Chaos Computer Club (CCC), has now revealed security gaps in the software for test centres by which more than 136,000 COVID-19 test results of more than 80,000 data subjects have apparently been unprotected on the internet for weeks.

The IT-Security experts’ findings concern the software “SafePlay” of the Austrian company Medicus AI. Many test centres use this software to allocate appointments and to make test results digitally available to those tested. In fact, more than 100 test centres and mobile test teams in Germany and Austria are affected by the recent data breach. These include public facilities in Munich, Berlin, Mannheim as well as fixed and temporary testing stations in companies, schools and daycare centres.

In order to view the test results unlawfully, one only needed to create an account for a COVID-19 test. The URL for the test result contained the number of the test. If this number was simply counted up or down, the “test certificates” of other people became freely accessible. In addition to the test result, the test certificate also contained the name, date of birth, private address, nationality and ID number of the person concerned.

It remains unresolved whether the vulnerabilities have been exploited prior to the discovery by the CCC. The CCC notified both Medius AI and the Data Protection Authorities about the leak which led to a quick response by the company. However, IT experts and Privacy-focused NGOs commented that Medicus AI was irresponsible and grossly negligent with respect to their security measures leading to the potential disclosure of an enormous amount of sensitive personal health data.

The state of Virginia is second state in the USA to enact major Data Protection Legislation

17. March 2021

On March 2nd, 2021, Virginia’s Governor, Ralph Northam, signed the Consumer Data Protection Act into law without any further amendments.

This makes the state of Virginia the second US state to enact a major privacy law, next to California’s CCPA enacted in 2018. At the point of the law passing to the Senate, there was debate that the bills were flawed as they are not including a private right of action and leaving all enforcement to the Office of the Attorney General. This caused some senators to oppose the bills, however it was ultimately passed by a vote of 32 to 7. The Consumer Data Protection Act will take effect on January 1st, 2023.

The bill establishes a comprehensive framework for controlling and processing personal data of Virginia residents. In addition, it provides Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing operations, as well as the right to appeal a controller’s decision regarding a rights request. The bill further states requirements relating to the principles of data minimization, processing limitations, data security, non-discrimination, third-party contracting and data protection assessments, as well as imposes certain requirements directly on entities who act as processors of data on behalf of a controller.

However, the law also includes a number of exemptions at entity level, such as exemptions for financial institutions subject to the Gramm-Leach-Bliley Act and also includes some data or context specific exemptions, such as an exemption for HR-related data processing.

The Attorney General’s office, as the enforcing entity, has to provide 30 days’ notice of any violation and allow an opportunity for the controller to cure any violation. In case a controller does not oblige and leaves the violation uncured, the Attorney General is able to file an action seeking $7,500 per violation.

Firefox introduces new tool to prevent cookie-based tracking

12. March 2021

Mozilla has announced the introduction of a new privacy tool for its Firefox browser, “Total Cookie Protection”, aimed at blocking cookie-based tracking by ad-tech companies. The new feature prevents cross-site tracking by confining cookies to the website where they were created and placing them into a so-called “cookie jar”.

Mozilla refers to cookies as “a useful technology, but also a serious privacy vulnerability” because they are shared between websites which enables tracking user’s browsing behavior. This approach allows advertising companies, in particular, to gather information about users, their browsing habits and interests as well as create detailed personal profiles.

Total Cookie Protection works by maintaining a separate “cookie jar”, assigned to each website visited. This procedure prohibits the deposited cookie from being shared with any other website. A limited exception only applies to cross-site cookies needed for non-tracking purposes.

Firefox has blocked some cookies used by ad-tech companies for years in an effort to fight against cookie abuse and web tracking. In order to achieve this goal, “Enhanced Tracking Protection” (ETP) was introduced in 2019. It blocks many of the companies identified as trackers by Mozilla’s partners at Disconnect. Despite being an effective strategy to stop tracking, this form of cookie blocking has its limitations, Johann Hofmann and Tim Huang remark on the developer blog Mozilla Hacks:

ETP protects users from the 3000 most common and pervasive identified trackers, but its protection relies on the fact that the list is complete and always up-to-date. Ensuring completeness is difficult, and trackers can try to circumvent the list by registering new domain names. Additionally, identifying trackers is a time-consuming task and commonly adds a delay on a scale of months before a new tracking domain is added to the list.

With this in view, Total Cookie Protection has been built into ETP as a new privacy advance. The feature intends to address the limitations of ETP and provide more comprehensive protection. It is complemented by Supercookie Protections rolled out last month, which shall eliminate the usage of non-traditional storage mechanisms (“supercookies”) as a tracking vector.

In conclusion, Mozilla stated:

Together these features prevent websites from being able to “tag” your browser, thereby eliminating the most pervasive cross-site tracking technique.

French Government seeks to disregard CJEU data retention of surveillance data ruling

9. March 2021

On March 3rd, POLITICO reported that the French government seeks to bypass the Court of Justice of the European Union’s (CJEU) ruling on limiting member states’ surveillance activities of phone and internet data, stating governments can only retain mass amounts of data when facing a “serious threat to national security”.

According to POLITICO, the French government has requested the country’s highest administrative court, the Council of State, to not follow the CJEU’s ruling in the matter.

Last year in October, the CJEU ruled that several national data retention rules were not compliant with EU law. This ruling included retention times set forth by the French government in matters of national security.

The French case in question opposes the government against digital rights NGOs La Quadrature du Net and Privacy International. After the CJEU’s ruling, it is now in the hands of the Council of State in France, which will have to decide on the matter.

A hearing date has not yet been decided, however POLITICO sources state that the French government is trying to bypass the CJEU’s ruling by presenting the argument of the ruling going against the country’s “constitutional identity”. This argument, first used back in 2006, is seldomly used, however can be referred to in order to avoid applying EU law at national level.

In addition, the French government accuses the CJEU to have ruled out of its competence, as matters of national security remain solely part of national competence.

The French government did not want to comment on the ongoing process, however has had a history of refusing to adopt EU court rulings into national law.

AEPD issues highest fine for GDPR violations

5. March 2021

The Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), imposed a fine of EUR 6.000.000 on CaixaBank, Spain’s leading retail bank, for unlawfully processing customers’ personal data and not providing sufficient information regarding the processing of their personal data. It is the largest financial penalty ever issued by the AEPD under the GDPR, surpassing the EUR 5.000.000 fine imposed on BBVA in December 2020 for information and consent failures.

In the opinion of the AEPD, CaixaBank violated Art. 6 GDPR in many regards. The bank had not provided sufficient justification of the legal basis for the processing activities, in particular with regard to those based on the company’s legitimate interest. Furthermore, deficiencies had been identified in the processes for obtaining customers’ consent to the processing of their personal data. The bank had also failed to comply with the requirements established for obtaining valid consent as a specific, unequivocal and informed expression of intention. Moreover, the AEPD stated that the transfer of personal data to companies within the CaixaBank Group was considered an unauthorized disclosure. According to Art. 83 (5) lit. a GDPR, an administrative fine of EUR 4.000.000 EUR was issued.

Additionally, the AEPD found that CaixaBank violated Art. 13, 14 GDPR. The bank had not complied with the information obligations since the information regarding the categories of personal data concerned had not been sufficient and the information concerning the purposes of and the legal basis for the processing had been missing entirely. What’s more, the information provided in different documents and channels had not been consistent. The varying information concerned data subjects’ rights, the possibility of lodging a complaint with the AEPD, the existence of a data protection officer and his contact details as well as data retention periods. Besides, the AEPD disapproved of the use of inaccurate terminology to define the privacy policy. Following Art. 83 (5) lit. b GDPR, a fine of EUR 2.000.000 was imposed.

In conclusion, the AEPD ordered CaixaBank to bring its data processing operations into compliance with the legal requirements mentioned within six months.

European Commission publishes draft UK adequacy decisions

25. February 2021

On February 19th, 2021, the European Commission (EC) has published the draft of two adequacy decisions for the transfer of personal data to the United Kingdom (UK), one under the General Data Protection Regulation (GDPR) and the second for the Law Enforcement Directive. If approved, the decisions would confer adequacy status on the UK and ensure that personal data from the EU can continue to flow freely to the UK. In the EC’s announcement launching the process to adopt the newly drafted adequacy decisions Didier Reynders, Commissioner for Justice, is quoted:

We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.

In the GDPR, this adequacy decision is based on Art. 45 GDPR. Article 45(3) GDPR empowers the EU Commission to adopt an implementing act to determine that a non-EU country ensures an “adequate level of protection”. This means a level of protection for personal data that is substantially equivalent to the level of protection within the EU. Once it has been determined that a non-EU country provides an “adequate level of protection”, transfers of personal data from the EU to that non-EU country can take place without further requirements. In the UK, the processing of personal data is governed by the “UK GDPR” and the Data Protection Act 2018, which are based on the EU GDPR. The UK is and has committed to remain part of the European Convention on Human Rights and “Convention 108” of the Council of Europe. “Convention 108” is a binding treaty under international law to protect individuals from abuses in the electronic processing of personal data, and in particular provides for restrictions on cross-border data flows where data is to be transferred to states where no comparable protection exists.

The GDPR adequacy decision draft addresses several areas of concern. One of these is the power of intelligence services in the UK. In this respect, the draft focuses on legal bases, restrictions and safeguards for the collection of information for national security purposes. It also details the oversight structure over the intelligence services and the remedies available to those affected. Another aspect discussed is the limitation of data subjects’ rights in the context of UK immigration law. The EC concludes that interference with individuals’ fundamental rights is limited to what is strictly necessary to achieve a legitimate purpose and that there is effective legal protection against such interference. As the UK GDPR is based on the GDPR and therefore the UK privacy laws should provide an adequate level of protection for data subjects, the main risks for EU data subjects do not lie in the current status of these laws but in possible changes of these laws in the future. For this reason, the EU Commission has built a fixed period of validity into the draft adequacy decision. If adopted, this decision would be valid for a period of four years and the adequacy finding could be extended for a further four years if the level of protection in the UK remains adequate. However, this extension would not be automatic, but subject to a thorough review. This draft marks the first time that the EU has imposed a time limit on an adequacy decision. Other adequacy decisions are subject to monitoring and regular review but are not time-limited by default.

The UK government welcomed the EC’s draft in a statement, while also calling on the EU to “swiftly complete” the process for adopting and formalizing the adequacy decisions, as the “bridging mechanism” will only remain in force until June 30th. Under the EU-UK Trade and Cooperation Agreement, the EU and UK agreed on a transition period of up to six months from January 1st, 2021, during which the UK is treated as an adequate jurisdiction (please see our blog post). The draft adequacy decisions address the flow of data from the EU to the UK. The flow of data from the UK to the EU is governed by UK legislation that has applied since 1 January 2021. The UK has decided that the EU ensures an adequate level of protection and that data can therefore flow freely from the UK to the EU.

Next, the non-binding opinion of the European Data Protection Board is sought (Art. 70 GDPR). After hearing the opinion of the European Data Protection Board, the representatives of the member states must then confirm the draft in the so-called comitology procedure. This procedure is used when the EC is given the power to implement legal acts that lay down conditions for the uniform application of a law. A series of procedures ensure that EU countries have a say in the implementing act. After the comitology procedure, the EC is free to adopt the drafts.

EU Member States agree on EU Council’s Draft for the ePrivacy Regulation

22. February 2021

On February 10, 2021, representatives of the EU Member States have reached an agreement on a negotiating mandate for the draft ePrivacy Regulation.

The Council of the European Union’s (the Council) text approved by the EU Member States was prepared under Portugal’s Presidency. It will form the basis of the Council’s negotiations with the European Parliament as part of the trilogue process on the final terms of the ePrivacy Regulation, which will replace the current ePrivacy Directive.

The main key elements of the new draft are highlighted by the Council, and encompass the following points:

  • Coverage of both electronic communications content and communications metadata – the text sticks with the general principle that electronic communications data is confidential, which means that any interference by anyone other than the parties involved in the communication is prohibited, except when given permission by the ePrivacy Regulation
  • Machine-to-machine data transmitted via a public network, as this is deemed necessary to protect privacy rights in the context of Internet of Things applications
  • The scope of application includes users located in the EU, regardless of whether the processing of their data takes place outside the EU or the service provider is located in a non-EU jurisdiction
  • Regarding the use of cookies and other technologies involving the storage of information on or collection of information from a user’s device, the Council’s text provides that the use of these technologies will only be legitimate if the user has consented or for specific purposes laid down in the ePrivacy Regulation; however, users should be able to have genuine choice

In addition to broadening the scope of the current directive, the proposed regulation would most likely affect an advertising technology market that is already in the process of undergoing significant changes. As such, the European Commission is also working on the proposed Digital Service Act, Digital Governance Act and Digital Market Act.

However, the draft is presumed to initiate some arguments going forth into the next stage. Based on previous drafts, there are some differences which will need to be reconciled. Especially with regard to the permissions for accessing content and metadata of electronic communications, the two sides are somewhat divided. Where the European Parliament is pushing primarily for consent, the Council seems to have added some more permissions and exceptions to the consent rule. The content regarding data retention will be another point where intense arguments are predicted.

Criticism also comes from some countries, for example from the German Federal Commissioner for Data Protection, Ulrich Kelber. In a press release he attacked the new draft as “a severe blow to data protection”, mentioning that he is concerned by the “interference with the fundamental rights of European citizens”.

Although the new draft brings the erPrivacy Regulation back to life, it is still a long road before unison on its text is fully reached. It is certain that intense discussion in the upcoming trilogue process will continue, and the outcome will be closely watched by many.

Dutch data scandal: illegal trade of COVID-19 patient data

19. February 2021

In recent months, a RTL Nieuws reporter Daniël Verlaan has discovered widespread trade in the personal data of Dutch COVID-19 test subjects. He found ads consisting of photos of computer screens listing data of Dutch citizens. Apparently, the data had been offered for sale on various instant messaging apps such as Telegram, Snapchat and Wickr. The prices ranged from €30 to €50 per person. The data included home addresses, email addresses, telephone numbers, dates of birth and BSN identifiers (Dutch social security number).

The personal data were registered in the two main IT systems of the Dutch Municipal Health Service (GGD) – CoronIT, containing details about citizens who took a COVID-19 test, and HPzone Light, a contact-tracing system, which contains the personal data of people infected with the coronavirus.

After becoming aware of the illegal trade, the GGD reported it to the Dutch Data Protection Authority and the police. The cybercrime team of the Midden-Nederland police immediately started an investigation. It showed that at least two GGD employees had maliciously stolen the data, as they had access to the official Dutch government COVID-19 systems and databases. Within 24 hours of the complaint, two men were arrested. Several days later, a third suspect was tracked down as well. The investigation continues, since the extent of the data theft is unclear and whether the suspects in fact managed to sell the data. Therefore, more arrests are certainly not excluded.

Chair of the Dutch Institute for Vulnerability Disclosure, Victor Gevers, told ZDNet in an interview:

Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home.

Many people expressed their disapproval of the insufficient security measures concerning the COVID-19 systems. Since the databases include very sensitive data, the government has a duty to protect these properly in order to prevent criminal misuse. People must be able to rely on their personal data being treated confidentially.

In a press release, the Dutch police also raised awareness of the cybercrime risks, like scam or identity fraud. Moreover, they informed about the possibilities of protection against such crimes and the need to report them. This prevents victims and allows the police to immediately track down suspects and stop their criminal practices.

GDPR fines and data breach reports increased in 2020

12. February 2021

In 2020 a total of €158.5 million in fines were imposed, research by DLA Piper shows. This represents a 39% increase compared to the 20 months the GDPR was previously in force since May 25th, 2018.

Since that date, a total of € 272.5 million in fines have been imposed across Europe under the General Data Protection Regulation (“GDPR”). Italian authorities imposed a total of € 69.3 million, German authorities € 69.1 million, and French authorities 54.4 million. This calculation does not include two fines against Google LLC and Google Ireland Limited totalling € 100 million  (€ 60million + € 40million) and a fine of € 35 million against Amazon Europe Core issued by the French data protection authority “Commission nationale de l’informatique et des libertés” (“CNIL”) on December 10th, 2020, (please see our respective blog post), as proceedings on these fines are pending before the Conseil d’Etat.

A total of 281,000 data breaches were reported during this period, although the countries that imposed the highest fines were not necessarily those where the most data breaches were reported. While Germany and the UK can be found in the top of both lists, with 77,747 data breaches reported in Germany, 30,536 in the UK and 66,527 in the Netherlands, only 5,389 data breaches were reported in France and only 3,460 in Italy.

Although the biggest imposed fine to date still is a fine of € 50 million issued by CNIL against Google LLC in January 2019 (please see our respective blog post) a number of high-profile fines were imposed in 2020, with 6 of the top 10 all time fines being issued in 2020 and one in 2021.

1. H&M Hennes & Mauritz Online Shop A.B. & Co. KG was fined € 35 million for monitoring several hundred employees (please see our respective blog post).

2. TIM (Italian telecommunications operator) was fined € 27 million for making unwanted promotion calls.

3. British Airways was fined € 22 million for failing to protect personal and financial data of more than 400,000 customers (please see our blog post)

4. Marriott International was fined € 20 million for a data breach affecting up to 383 million customers (please see our respective blog post)

5. Wind Tre S.p.A. was fined € 17 million for unsolicited marketing communications.

A comparison of the highest fines shows that most of them were imposed due to an insufficient legal basis for the processing of personal data (Art. 5 & 6 GDPR) or due to insufficient technical and organizational measures to ensure an appropriate level of security (Art. 32 GDPR).

While the European authorities have shown their willingness to enforce the GDPR rules, they have also shown leniency due to the impact that the COVID 19 pandemic has had on businesses. At least in part due to the impact of the pandemic, the penalties planned by the UK ICO have been softened. A planned fine of €205 million for British Airways was reduced to €22 million and a planned fine of €110 million for Marriott International was reduced to €20 million. GDPR investigations are also often lengthy and contentious, so the increased fines may in part be due to more investigations having had sufficient time to be completed. For example, the dispute over the above fines for British Airways and Marriott International has already started in 2019.

Not only the fines but also the number of data breach notifications increased in 2020. In 2020 121,165 data breaches were reported, an average of 331 notifications per day, compared to 278 per day in 2019. In terms of reported data breaches per 100,000 inhabitants, there is a stark contrast between Northern and Southern European countries. In 2020, Denmark recorded 155.6 data breaches per 100,000 inhabitants, the Netherlands 150, Ireland 127.8, while Greece, Italy and Croatia reported the lowest number of data breaches per inhabitant.

The trend shows that the GDPR is being taken more and more seriously by companies and authorities, and this trend is likely to continue as authorities become more confident in enforcing the GDPR. Fines are only likely to increase, especially as none of the fines imposed so far even come close to the maximum possible amount of 4% of a company’s global annual turnover. The figures also show that while the laws are in principle the same and are supposed to be applied the same in all EEA countries, nations have different approaches to interpreting and implementing them. In the near future, we can expect to see the first penalties resulting from the GDPR restrictions on data transfers to third countries, especially in the aftermath of the Schrems II ruling on data transfers to the USA.

Data Protection and Clinical Trials – Part 1

10. February 2021

In the two and a half years since the General Data Protection Regulation (GDPR) has come into effect, a lot of organizations have gotten used to the new laws and standards it has established. However, there are still a lot of unanswered questions in certain industries, one of those industries being life sciences, and more specifically clinical trials.

The GDPR and the guidance of the European Data Protection Board (EDPB) allow for a lot of speculation, due to the fact that they are unable to fully specify the reach and definitive approach to data protection in a lot of industries.

This short series aims to give an overview on the handling of clinical trials from a data protection point of view, as well as answers to important questions that come up in day to day business in the industry.

In general, clinical trials are a processing activity according to Art. 4 (2) GDPR, therefore the basic data protection obligations are to be applied to clinical trials, such as:

  • Following the basic GDPR principles laid out in Art. 5 GDPR, namely lawfulness, fairness and transparency, purpose limitation, data minimisation, data accuracy, storage limitation, integrity, confidentiality and accountability
  • Information obligations of the controller according to Art. 13, 14 GDPR
  • Data Subjects Rights according to Art. 15 to Art. 21 GDPR
  • Obligation to have a record of processing activities according to Art. 30 para. 1, 2 GDPR
  • Security Measures need to be in place, in compliance with Art. 32 GDPR
  • Data Breach Notifications to the supervisory authority as well as the data subjects according to Art. 33, 34 GDPR
  • A Data Protection Impact Assessment has to be done prior to the start of the clinical trials, according to Art. 35 GDPR

However, the first and foremost important question regarding the processing of personal data for clinical trials is:

Which legal basis is applicable to the processing?

The EDPB addressed this issue in their Opinion on the Interplay between Clinical Trials and the GDPR, and has, in a first instance, differentiated between the processing of personal data for clinical trial protocols as primary purpose of the processing, and, on the other hand, clinical trials as a secondary purpose next to, for example, patient care.

According to the EDPB’s opinion, the applicable legal basis is to be determined by the controller on a case by case basis. However, the EDPB does give their own general assessment on the legal basis applicable for the different scenarios that have crystalized in the eyes of the EDPB:

  • Primary use of the processed personal data for clinical trials
    a. Processing activities related to reliability and safety
    -> Legal obligations of the controller, Art. 6 para. 1 (c) GDPR in conjunction with Art. 9 para. 1 (i) GDPR
    b. Processing activities purely related to research activities
    -> Task carried out in the public interest, Art. 6 para. 1 (e) GDPR in conjunction with Art. 9 para. 2 (i) or (j) GDPR
    -> Legitimate interest of the controller, Art. 6 para. 1 (f) GDPR in conjunction with Art. 9 para. 2 (j) GDPR
    -> In specific circumstances, explicit consent of the data subject, Art. 6 para. 1 (a) GDPR and Art. 9 para. 2 (a) GDPR
  • Secondary use of the clinical trial data outside the clinical trial protocol for scientific purposes
    -> Explicit consent of the data subject, Art. 6 para. 1 (a) GDPR and Art. 9 para. 2 (a) GDPR

While the guidance in assessing the legal basis for the processing is helpful, the EDPB does not address any further open issues regarding clinical trials in their opinion. Nonetheless, there are further subjects that cause confusion.

However, some of these subjects will be treated in our next part of this series, where we will have a closer look at clinical trial sponsorship from outside the EEA as well as the questions revolving around controllership roles in clinical trials.

Pages: Prev 1 2 3 4 5 6 Next
1 3 4 5 6