Category: Data Protection
16. December 2021
France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has published a guidance on the use of alternatives to third-party cookies.
The guidance aims to highlight that there are other ways to track users online than through third-party cookies, and that it is important to apply data protection principles to new technologies with tracking ability.
In the guidance, the CNIL gives an overview on what cookies are and the difference between first-party and third-party cookies, as well as the meaning of the two for personalized advertisement targeting.
It also highlights consent management and collection as being the key role to ensure a data protection compliant online tracking culture for new tracking methods and technologies. Further, the guidance also emphasizes that consent is not the only important requirement. In addition, online tracking and targeting methods should ensure that users keep control of their data and that all data subject rights are allowed and facilitated.
In light of this, the CNIL has gone ahead and published a guide for developers to help outline how to implement data protection compliant third-party cookies and other tracers in order to sensibilize people that are part of the implementation process as to how to stay compliant.
However, the CNIL also issued about 60 cookie compliance notices and 30 new orders to organizations for not offering users a data protection compliant ability to refuse cookies.
The CNIL has stepped up efforts to tackle cookie management and consent in order to ensure the rights and freedom of the data subjects in relation to their personal data online are kept safe. It has made clear that cookies are its main focus for the upcoming year, and that it will continue to hold companies liable for their insufficient data protection implementation.
10. December 2021
To this date, there is no comprehensive law on the protection of personal data in India. The need for such a law was already expressed in 2017, when the Constitutional Bench of the Supreme Court of India confirmed that privacy is a fundamental right enshrined in Article 21 of the Constitution. This led to the creation of an extensive Personal Data Protection Bill 2019 (PDPB), which we have already reported on several times. It is currently pending consideration of the Indian Parliament.
The PDPB aims to ensure the protection of personal data of individuals and to establish a data protection authority for this purpose. To review and, if necessary, amend the PDPB, a Joint Parliamentary Committee (JPC) has been formed on the demand of opposition members. On November 22nd, 2021, the JPC issued its report on the proposed law, which is meant to be the basis for further discussions in the Parliament.
Initially, it was expected to present the report together with the PDPB at the start of the Winter Session of the Parliament, which began on November 29th, 2021. However, most recently it has become known that the JCA was granted a last (so far the sixth) extension of time to submit its report to resolve disagreements among committee members. As a result, the Parliament is likely to table the final report and subsequently consider the proposed law along with possible clarifications on December 21st, 2021, ahead of the end of its current legislative session on December 23rd, 2021. Once passed by both houses of the Parliament and approved by the President, the PDPB is then to be enacted as legislation.
The online clothing sales website vinted.com, operated by the Lithuanian company Vinted UAB, has recently had to face a large number of complaints regarding data protection aspects. The appeals were addressed to several national supervisory authorities, which, as a result, joined forces to investigate the website’s overall compliance with the GDPR. To this end, a task force was established, supported by the European Data Protection Board (EDPB), which held its first meeting on November 8th, 2021.
Vinted’s headquarters are located in Lithuania, which makes the State Data Protection Inspectorate (Lithuanian data protection authority) the leading supervisory authority. However, the platform is available in several other countries in Europe, whose supervisory authorities also received the aforementioned complaints. For this reason, the establishment of the task force was jointly decided by the national supervisory authorities from France, Lithuania and Poland. The aim of this task force is to ensure a coordinated approach to resolving the complaints received. It shall also enable a consistent and efficient examination of the compliance of Vinted’s data processing practices with the provisions of the GDPR.
The investigations focus in particular on the following issues:
- website operator’s requirement to upload a scan of the user’s identity card in order to unblock funds received from sales on the corresponding account and the relevant legal basis,
- procedure and criteria for blocking the user’s account and
- applicable data retention periods.
This is not the first time Vinted has been accused of controversial practices. Back on May 18th, 2021, the French consumers group UFC Que Choisir filed a class-action lawsuit with 16 million users against the company for “misleading business practices.” These are said to consist of charging an allegedly optional commission on every transaction, the amount of which only appears at the time of payment.
30. November 2021
On November 25th, Apple announced in a press release that it has filed a lawsuit against NSO Group Technologies Ltd. (NSO Group) to hold them accountable for their spy software “Pegasus”.
NSO Group is a technology company that supplies surveillance software for governments and government agencies. Applications like Pegasus exploit vulnerabilities in software to infect the target’s devices with Trojans. Pegasus is a spyware that can be secretly installed on cell phones (and other devices) running most iOS and Android versions. Pegasus is not a single exploit, but a series of exploits that exploit many vulnerabilities in the system. Some of the exploits used by Pegasus are zero-click, which means that they can be executed without any interaction from the victim. It is reorted to be able to read text messages, track calls, collect passwords, track location, access the microphone and camera of the targeted device, extract contacts, photos, web browsing history, settings and collect information from apps.
NSO Group is accused of selling its software to authoritarian governments, which use it to monitor journalists and the opposition. Accusations that the company regularly denies. According to an investigation done by a global consortium of journalists of 17 media oganizations, Pegasus has been used to monitor female journalists, human rights activists, lawyers and high-ranking politicians. There are even reports suggesting it is even used by Mexican drug cartels to target and intimidate Mexican journalists. Among the more famous confirmed Pegasus victims are Amazon founder Jeff Bezos and murdered Saudi Arabian journalist Jamal Kashoggi.
Apple wants to prevent “further abuse and harm” to Apple users. The lawsuit also demands unspecified compensation for spying on users.
In the press release Apple states:
NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.
Ivan Krstić, head of Apple Security Engineering and Architecture is quoted:
In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place
Apple has announced the lawsuit contains new information about the so-called ForcedEntry exploit for a now-closed vulnerability that NSO Group used to “break into a victim’s Apple device and install the latest version of NSO Group’s Pegasus spyware program,” according to Apple’s press release. The vulnerability was originally discovered by Citizen Lab, a research group at the University of Toronto. Apple says it will support organizations like Citizen Lab and Amnesty Tech in their work, and will donate $10 million and any compensation from the lawsuit to organizations involved in researching and protecting against cyber surveillance. The company will also support Citizen Lab with free technology and technical assistance.
Apple is the second major company to sue NSO Group after WhatsApp Inc. and its parent company Meta Platforms, Inc.(then Facebook, Inc.) filed a complaint against NSO Group in 2019. The allogation of that lawsuit is that NSO Group unlawfully exploited WhatsApp’s systems to monitor users.
In early November 2021, the US Department of Commerce placed NSO Group on its “Entity List”. The justification for this step states that Pegasus was used to monitor government officials, journalists, business people, activists, academics and embassy staff. On the “Entity List,” the U.S. government lists companies, individuals or governments whose activities are contrary to the national security or foreign policy interests of the United States. Trade with these companies is subject to strict restrictions and in some cases is only possible with an exemption from the Department.
25. November 2021
The EU Commission is working on a legislative package to combat child abuse, which will also regulate the exchange of child pornography on the internet. The scope of these regulations is expected to include automated searches for private encrypted communications via messaging apps.
When questioned, Olivier Onidi, Deputy Director General of the Directorate-General Migration and Home Affairs at the European Commission, said the proposal aims to “cover all forms of communication, including private communication”.
The EU Commissioner of Home Affairs, Ylva Johansson, declared the fight against child sexual abuse to be her top priority. The current Slovenian EU Council Presidency has also declared the fight against child abuse to be one of its main priorities and intends to focus on the “digital dimension”.
In May 2021, the EU Commission, the Council and the European Parliament reached a provisional agreement on an exemption to the ePrivacy Directive that would allow web-based email and messaging services to detect, remove, and report child sexual abuse material. Previously, the European Electronic Communications Code (EECC) had extended the legal protection of the ePrivacy Directive to private communications related to electronic messaging services. Unlike the General Data Protection Regulation, the ePrivacy Directive does not contain a legal basis for the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse. For this reason, such an exception was necessary.
Critics see this form of preventive mass surveillance as a threat to privacy, IT security, freedom of expression and democracy. A critic to the agreement states:
This unprecedented deal means all of our private e-mails and messages will be subjected to privatized real-time mass surveillance using error-prone incrimination machines inflicting devastating collateral damage on users, children and victims alike.
However, the new legislative initiative goes even further. Instead of allowing providers of such services to search for such content on a voluntary basis, all providers would be required to search the services they offer for such content.
How exactly such a law would be implemented from a technical perspective will probably not be clear from the text of the law and is likely to be left up to the providers.
One possibility would be that software checks the hash of an attachment before it is sent and compares it with a database of hashes that have already been identified as illegal once. Such software is offered by Microsoft, for example, and such a database is operated by the National Center of Missing and Exploited Children in the United States. A hash is a kind of digital fingerprint of a file.
Another possibility would be the monitoring technology “client-side scanning”. This involves scanning messages before they are encrypted on the user’s device. However, this technology has been heavily criticized by numerous IT security researchers and encryption software manufacturers in a joint study. They describe CSS as a threat to privacy, IT security, freedom of expression and democracy, among other things because the technology creates security loopholes and thus opens up gateways for state actors and hackers.
The consequence of this law would be a significant intrusion into the privacy of all EU citizens, as every message would be checked automatically and without suspicion. The introduction of such a law would also have massive consequences for the providers of encrypted messaging services, as they would have to change their software fundamentally and introduce corresponding control mechanisms, but without jeopardizing the security of users, e.g., from criminal hackers.
There is another danger that must be considered: The introduction of such legally mandated automated control of systems for one area of application can always lead to a lowering of the inhibition threshold to use such systems for other purposes as well. This is because the same powers that are introduced in the name of combating child abuse could, of course, also be introduced for investigations in other areas.
It remains to be seen when the relevant legislation will be introduced and when and how it will be implemented. Originally, the bill was scheduled to be presented on December 1st, 2021, but this item has since been removed from the Commission’s calendar.
On November 19th, 2021, the European Data Protection Board (EDPB) published a new set of draft Guidelines 05/2021 on the interplay between the EU General Data Protection Regulation’s (GDPR) territorial scope, and the GDPR’s provisions on international data transfers.
The EDPB stated in their press release that “by clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.”
The Guidelines set forth three cumulative criteria to consider in determining whether a processing activity qualifies as an international data transfer under the GDPR, namely:
- the exporting controller or processor is subject to the GDPR for the given processing activity,
- the exporting controller or processor transmits or makes available the personal data to the data importer (e.g., another controller, joint controller, or a processor and
- the data importer is in a third country (or is an international organization), irrespective of whether the data importer or its processing activities are subject to the GDPR.
If all three requirements are met, the processing activity is to be considered an international data transfer under the GDPR, which results in the requirements of Chapter V of the GDPR to be applicable.
The Guidelines further clarify that the safeguards implemented to accommodate the international data transfer must be tailored to the specific transfer at issue. In an example, the EDPB indicates that the transfer of personal data to a controller in a third country that is subject to the GDPR will generally require fewer safeguards. In such a case, the transfer tool should focus on the elements and principles that are specific to the importing jurisdiction. This includes particularly conflicting national laws, government access requests in the receiving third country and the difficulty for data subjects to obtain redress against an entity in the receiving third country.
The EDPB offers its support in developing a transfer tool that would cover the above-mentioned situation.
The Guidelines are open for public consultation until January, 31st, 2022.
16. November 2021
In its October Infringements Package, the European Commission has stated it is pursuing legal actions against Belgium over concerns its Data Protection Authority (DPA) is not operating independently, as it should under the General Data Protection Regulation (GDPR).
The Commission stated that it “considers that Belgium violates Article 52 of the GDPR, which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation.”
According to the European Commission, however, some members of the Belgian DPA cannot be regarded as free from external influence, as they either report to a management committee depending on the Belgian government, they have taken part in governmental projects on COVID-19 contact tracing, or they are members of the Information Security Committee.
On June 9th, 2021, the Commission sent a letter of formal notice to Belgium, giving the member state two months to take corrective measures. Belgium’s response to the Commission’s letter did not address the issues raised and the members concerned have so far remained in their posts. The European Commission is now giving Belgium two months to take relevant action. If this fails, the Commission may decide to refer the case to the Court of Justice of the European Union.
15. November 2021
On November 10th, 2021, the UK Supreme Court issued a long-awaited judgment in the Lloyd v Google case and denied the class-action lawsuit against Google over alleged illegal tracking of millions of iPhone users back in 2011 and 2012 to proceed further. The 3 billion GBP lawsuit, which was filed on behalf of 4.4 million residents in England and Wales, had implications for other class-action lawsuits filed in the U.K.
The case was originally filed by Richard Lloyd on behalf of the group “Google You Owe Us.” The group accused Google of bypassing Apple iPhone security by collecting personal information of users on the phone’s Safari web browser between August 2011 and February 2012. A U.K. court dismissed the case in October 2018, but it was later overturned by the UK Court of Appeal.
In a final decision in the case dating from last week, the Supreme Court ruled in favor of Google, deciding that the representative claim against Google under the Data Protection Act 1998 (DPA) should not be allowed to proceed. In reaching its decision, the Supreme Court considered the following points:
- the statutory scheme of the DPA does not permit recovery of compensation for the mere “loss of control” of personal data and
- the representative claim by Lloyd on behalf of the 4.4 million affected individuals should not be allowed to proceed, as Lloyd was unable to demonstrate that each of those individuals who he represented in the claim had suffered a violation of their rights under the DPA and material damage because of that violation.
“The claimants seeks damages,” Judge George Leggatt stated the decision, “for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach.” Judge Leggatt also said, “Without proof of these matters, a claim for damages cannot succeed.”
The decision will be welcomed by controllers, as it limits the prospects of representative claims of the nature of that advanced by Lloyd and further provides reassurance that mere technical breaches of the UK GDPR that do not result in material damage to data subjects do not represent sufficient ground for compensation.
8. November 2021
On October 29th, 2021, the Cyberspace Administration of China (CAC) announced a public consultation on its “Draft Measures on Security Assessment of Cross-border Data Transfer”. This is the CAC’s third legislative attempt to build a cross-border data transfer mechanism in China, and it came only days before the effective date of the Personal Information Protection Law (PIPL) on November 1st, 2021.
The CAC said its proposed data transfer assessment aims to comply with China’s PIPL and Data Security Law, while specifically focusing on efforts to “regulate data export activities, protect the rights and interests of personal information, safeguard national security and social public interests, and promote the safe and free flow of data across borders”. If they were to be made final, the Draft Measures would apply to cross-border transfers of personal information and “important data” collected and generated in China under certain circumstances.
Data controllers, or data handlers according to the PIPL, would be subject to mandatory security assessments by the CAC in the following circumstances:
- transfer of personal information and important data collected and generated by critical information infrastructure operators as defined under China’s Cybersecurity Law;
- transfer of important data;
- transfer of personal information by data handlers who process over 1 million individuals’ personal information;
- cumulatively transferring personal information of more than 100,000 individuals or “sensitive” personal information of more than 10,000 individuals; or
- other conditions to be specified by the CAC.
According to the Draft Measures, data handlers that require a mandatory security assessment would need to submit certain materials in connection with it, which include an application form, the data handler’s self-security assessment, and the relevant data transfer agreement.
Upon receiving the data handler’s application, the CAC would confirm whether it will accept the application within seven business days. The CAC would have 45 business days to complete the assessment after issuing the notice of acceptance. This period could be extended in complex cases or where the CAC requires supplementary documents, however according to the Draft Measures the timeline should not exceed 60 business days.
In evaluating a data handler’s mandatory security assessment, the CAC would aim to focus on:
- the legality, propriety and necessity of the cross-border transfer;
- the data protection laws and regulations of the data recipient’s jurisdiction, the security of the data being transferred, and whether the protections provided by the data recipient satisfy Chinese laws and regulations and mandatory national standards;
- the volume, scope, type and sensitivity of the data being transferred and the risk of a leak, damage, corruption, loss and misuse;
- whether the data transfer agreement adequately allocates responsibilities for data protection;
- compliance with Chinese laws, administrative regulations and departmental regulations; and
- other matters that are deemed necessary by the CAC.
The CAC’s mandatory security assessment result would be effective for two years, after which a new assessment is necessary. Under circumstances, a re-evaluation would have to take place, e.g. in cases of changes to the purpose, means, scope and type of the cross-border transfer or processing of personal information and/or important data by the data recipient, an extension of the retention period for the personal information and/or important data and other circumstances that might affect the security of transferred data.
The public consultation period extends until November 28th, 2021, after which the CAC will review the public comments and recommendations.
29. October 2021
Last month, TechRepublic reported a new and devious SMS malware called TangleBot that attempts to take control of mobile devices by sending notifications about COVID-19. Currently, it targets Android users in the USA and Canada and can lead to a variety of harmful activities, according to security firm Cloudmark.
TangleBot tries to deceive users into downloading the malware through fake messages about COVID-19, such as “New regulations about COVID-19 in your region. Read here…” or “You have received the appointment for the 3rd dose. For more information, visit…”.
The link contains a notice that the Adobe Flash Player on the affected device needs to be updated but leads to the installation of the malicious software instead. As a result, TangleBot gets permission to access and control a wide range of functions and content. It is assumed that for this reason, the malware was named TangleBot.
TangleBot has the ability to make and block phone calls as well as send, obtain and process text messages. It is used to message other devices in order to spread faster among others. The malware is also designed to spy on users through accessing the camera, screen or microphone and setting up additional methods to observe activity on the device. Of particular concern is the possibility to place overlay screens on the device covering legitimate apps, such as banking or financial apps, in an attempt to steal account credentials. Furthermore, the personal data stolen by the attacker usually moves to the dark web for sale, which poses a risk even if the victim manages to remove the malware.
Hank Schless, senior manager for security solutions at security firm Lookout, pointed out the dangers of cybercriminals exploiting the pandemic:
Social engineering that uses the pandemic as a lure continues to be a major issue globally. It’s advantageous for attackers to leverage socially uncertain situations in order to make their phishing campaigns more effective. People are more likely to let their guard down and interact with something online that promises information they need.
According to Schless, the risks exist not only for private individuals, but also for companies:
Mobile devices offer countless channels for attackers to deliver socially engineered phishing campaigns with the goal of swiping corporate login credentials or installing advanced malware that can exfiltrate sensitive data from the device. For organizations that allow employees to use personal devices for work in a BYOD model, the risk is even higher considering the number of personal apps people use. Attackers can deliver campaigns through SMS, social media, third-party messaging apps, gaming and even dating apps.
Additionally, Cloudmark advised that users should be vigilant in this regard and provided several tips to protect against SMS malware:
- Look out for suspicious text messages,
- Guard your mobile number,
- Access any linked website directly,
- Report SMS phishing and spam messages,
- Be cautious when installing apps to your device,
- Avoid responding to unsolicited texts,
- Install apps only from legitimate app stores.
To keep ahead of the latest cybersecurity threats, companies should also take some precautions. These include especially the implementation of security across mobile devices, protection of cloud services and raising awareness among own employees.
