ICO opens public consultation on its Regulatory Action Policy

6. January 2022

On December 20th, 2021, the UK Information Commissioner’s Office (ICO) launched a public consultation on its regulatory approach.

The public consultation is aimed at three separate documents which are the basis of the ICO’s regulatory process. The documents are the Regulatory Action Policy (RAP), the Statutory Guidance on the ICO’s Regulatory Action, and Statutory Guidance on the ICO’s PECR Powers.

The RAP in particular identifies the ICO’s risk-based approach to regulatory action and explains the factors that play a role in the ICO’s consideration before taking regulatory action. It also sets forth how the ICO cooperates with other regulators and enforces the legislation for which it is responsible.

In conjunction, the three documents illustrate how the ICO aims to enforce information rights for data subjects in the UK.

The ICO indicated that the purpose of updating these documents is to provide further explanation of its regulatory powers. The consultation aims to give the public a chance to express their views on the regulatory approach the Commissioner and his office should take.

The public consultation period will conclude on March 24, 2022.

Dutch Minister of Finance fined 2.75 million Euro for discriminatory and unlawful data processing

4. January 2022

On December 8th, 2021, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority (DPA)) announced that it had fined the Belastingdienst (the Dutch Tax Administration) €2.75 million. The fine was imposed because, as part of the so-called Toeslagenaffaire (Childcare Benefit Affair), the Belastingdienst processed data on the (dual) nationality of childcare benefit claimants in a discriminatory and therefore unlawful manner over many years, in serious breach of the principles of the General Data Protection Regulation (GDPR).

In the 2010s, the Belastingdienst wrongly reclaimed child benefits from tens of thousands of parents. Even minor formal errors in filling out the forms led to enormous claims, and a supposedly false nationality entry could lead to years of stigmatizing fraud investigations. As a result, many families who relied on government assistance were driven into bankruptcy. The Belastingdienst should have deleted the data on dual nationality of Dutch nationals in January 2014, as from that date the dual nationality of Dutch nationals no longer played a legal role in the assessment of applications for childcare benefits. Nevertheless, the Belastingdienst retained and used these data. In May 2018, there were still about 1.4 million people with dual nationality registered in the Belastingdienst’s systems. What initially appeared to be a simple administrative failure has evolved over the years into a major scandal. The final report of the investigative commission, presented in December, concludes that the tax offices systematically preyed on innocent citizens.

The Belastingdienst also used the nationality of applicants as an indicator in a system that automatically classified certain applications as risky. Again, the data were not necessary for this purpose. Under the GDPR, it is unlawful to process personal data on nationality in a discriminatory manner, as the data processing must not violate fundamental rights. These include the right to equality and non-discrimination. In addition, personal data may only be processed and stored for a specific, predetermined purpose. Processing without a purpose is inadmissible, and here there was no purpose, as nationality is legally irrelevant for the assessment of applications for childcare benefits.

In the statement DPA chair Aleid Wolfsen is quoted:

The government has exclusive responsibility for lots of things. Members of the public don’t have a choice; they are forced to allow the government to process their personal data.
That’s why it’s crucial that everyone can have absolute confidence that this processing is done properly. That the government doesn’t keep and process unnecessary data about individuals. And that there is never any element of discrimination involved in an individual’s contact with the government.
That went horribly wrong at the Benefits Office, with all the associated consequences. Obviously this fine cannot undo any of the harm done. But it is an important step within a broader recovery process.

In the wake of the DPA investigation, the Belastingdienst began to clean up its internal systems. In the summer of 2020, the dual nationalities of Dutch nationals were completely deleted from the systems. According to the DPA, since October 2018, the Belastingdienst no longer uses the nationality of applicants to assess risk. And since February 2019, it no longer uses the data to fight organized fraud. The fine was imposed on the Minister of Finance because he is responsible for the processing of personal data within the Belastingdienst.

Happy New Year 2022!

1. January 2022

Dear readers,

We, the team of the privacy-ticker.com, wish you a happy new year.

We would like to take this opportunity to thank you for your interest in our blog during the past year.

Month after month, we have brought you closer to the world of data protection and kept you up to date with judicial and supervisory decisions on European and worldwide data protection law, as well as further news from the fields of data protection and data security.

We look forward to informing you again in 2022 about many interesting topics and contributions from these fields and await the new year with excitement and joyful anticipation.

We wish you only the best for the new year.

Stay safe and healthy!

Your team of privacy-ticker.com


European Commission adopts South Korea Adequacy Decision

30. December 2021

On December 17th, 2021, the European Commission (Commission) announced in a statement it had adopted an adequacy decision for the transfer of personal data from the European Union (EU) to the Republic of Korea (South Korea) under the General Data Protection Regulation (GDPR).

An adequacy decision is one of the instruments available under the GDPR to transfer personal data from the EU to third countries that ensure a comparable level of protection for personal data as the EU. It is a Commission decision under which personal data can flow freely and securely from the EU to the third country in question without any further conditions or authorizations being required. In other words, the transfer of data to the third country in question can be handled in the same way as the transfer of data within the EU.

This adequacy decision allows for the free flow of personal data between the EU and South Korea without the need for any further authorization or transfer instrument, and it also applies to the transfer of personal data between public sector bodies. It complements the Free Trade Agreement (FTA) between the EU and South Korea, which entered into force in July 2011. The trade agreement has led to a significant increase in bilateral trade in goods and services and, inevitably, in the exchange of personal data.

Unlike the adequacy decision regarding the United Kingdom, this adequacy decision is not time-limited.

The Commission’s statement reads:

The adequacy decision will complement the EU – Republic of Korea Free Trade Agreement with respect to personal data flows. As such, it shows that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade can go hand in hand.

In South Korea, the processing of personal data is governed by the Personal Information Protection Act (PIPA), which provides principles, safeguards, individual rights and obligations similar to those under EU law.

An important step in the adequacy talks was the reform of PIPA, which took effect in August 2020 and strengthened the investigative and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of South Korea. As part of the adequacy talks, both sides also agreed on several additional safeguards that will improve the protection of personal data processed in South Korea, such as transparency and onward transfers.

These safeguards provide stronger protections. For example, South Korean data importers will be required to inform Europeans about the processing of their data, and onward transfers to third countries must ensure that the data continue to enjoy the same level of protection. These rules are binding and can be enforced by the PIPC and South Korean courts.

The Commission has also published a Q&A on the adequacy decision.

Microsoft Teams now offers end-to-end encryption for one-to-one calls

16. December 2021

On December 14th, 2021, John Gruszczyk, a technical product manager at Microsoft (MS), announced that end-to-end encryption (E2EE) is now generally available for MS Teams calls between two users. MS launched a public preview of E2EE for calls back in October, after announcing the option earlier in 2021.

IT administrators now have the option to enable and manage the feature for their organization once the update is rolled out. However, even then E2EE will not be enabled by default for users. Once IT administrators have configured MS Teams to allow E2EE, users will still need to enable E2EE themselves in their Teams settings. E2EE encrypts audio, video and screen sharing.

Certain features will not be available when E2EE is turned on. These include recording of a call, live captions and transcription, transferring a call to another device, adding participants, parking calls, call transfer, and merging calls. If any of these features are required for a call, E2EE must be turned off for that call.

Currently, MS Teams encrypts data, including chat content, in transit and at rest by default, and allows authorized services to decrypt content. MS also uses SharePoint encryption to secure files at rest and OneNote encryption for notes stored in MS Teams. E2EE is particularly suitable for one-on-one calls in situations requiring increased confidentiality.

MS also published an in-depth explanation of how this option can be turned on.

With this step, MS is following the example of Zoom, which launched E2EE in October and is making it available for larger group sessions (up to 200 participants).

EU Advocate General: Member States may allow consumer protection associations to bring representative actions against infringements of the protection of personal data

On December 2nd, EU Advocate General Richard de la Tour published an opinion in which he stated that EU member states may allow consumer protection associations to bring representative actions against infringements of rights that data subjects derive directly from the General Data Protection Regulation (“GDPR”). In doing so, he agrees with the legal opinion of the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations, “vzbv”), which has filed an action for an injunction against Facebook in the German courts for non-transparent use of data.

The vzbv’s lawsuit specifically concerns third-party games that Facebook offers in its “App Center”. In order to play games like Scrabble within Facebook, users must consent to the use of their data. However, Facebook had not provided information about the use of the data in a precise, transparent and comprehensible manner, as required by Article 13 GDPR. The Federal Court of Justice in Germany (“Bundesgerichtshof”) already came to this conclusion in May 2020, but considered it unclear whether associations such as the vzbv have the legal standing to bring data protection violations to court. The Bundesgerichtshof argues, inter alia, that because the GDPR grants supervisory authorities extended supervisory and investigatory powers, as well as the power to adopt remedial measures, it is primarily the task of those authorities to monitor the application of the provisions of the Regulation. The Bundesgerichtshof therefore asked the Court of Justice of the European Union (“CJEU”) to interpret the GDPR. The Advocate General now affirms the admissibility of such an action by an association, at least if the EU member state in question permits it. The action for an injunction brought by the vzbv against Facebook’s headquarters in Ireland is therefore deemed admissible by the EU Advocate General.

The Advocate General states that

the defence of the collective interests of consumers by associations is particularly suited to the objective of the General Data Protection Regulation of establishing a high level of personal data protection.

The Advocate General’s Opinion is not legally binding on the CJEU. The role of the Advocate General is to propose a legal solution for the case to the CJEU in complete independence. The judges of the Court will now begin their deliberations in this case.

CNIL posts guidance on use of third-party cookie alternatives

France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has published guidance on the use of alternatives to third-party cookies.

The guidance aims to highlight that there are other ways to track users online than through third-party cookies, and that it is important to apply data protection principles to new technologies with tracking ability.

In the guidance, the CNIL gives an overview on what cookies are and the difference between first-party and third-party cookies, as well as the meaning of the two for personalized advertisement targeting.

It also highlights consent management and consent collection as playing the key role in ensuring data protection compliant online tracking with new tracking methods and technologies. Further, the guidance emphasizes that consent is not the only important requirement. In addition, online tracking and targeting methods should ensure that users keep control of their data and that all data subject rights are allowed and facilitated.

In light of this, the CNIL has also published a guide for developers outlining how to implement data protection compliant third-party cookies and other tracers, in order to raise awareness among those involved in the implementation process of how to stay compliant.

At the same time, the CNIL issued about 60 cookie compliance notices and 30 new orders to organizations for not offering users a data protection compliant way to refuse cookies.

The CNIL has stepped up its efforts to tackle cookie management and consent in order to ensure that the rights and freedoms of data subjects in relation to their personal data online are protected. It has made clear that cookies are its main focus for the upcoming year, and that it will continue to hold companies liable for insufficient data protection implementation.

Final steps towards the first data protection law in India

10. December 2021

To date, there is no comprehensive law on the protection of personal data in India. The need for such a law was already expressed in 2017, when the Constitutional Bench of the Supreme Court of India confirmed that privacy is a fundamental right enshrined in Article 21 of the Constitution. This led to the creation of an extensive Personal Data Protection Bill 2019 (PDPB), which we have already reported on several times. It is currently pending before the Indian Parliament.

The PDPB aims to ensure the protection of personal data of individuals and to establish a data protection authority for this purpose. To review and, if necessary, amend the PDPB, a Joint Parliamentary Committee (JPC) has been formed on the demand of opposition members. On November 22nd, 2021, the JPC issued its report on the proposed law, which is meant to be the basis for further discussions in the Parliament.

Initially, the JPC was expected to present the report together with the PDPB at the start of the Winter Session of the Parliament, which began on November 29th, 2021. However, it has most recently become known that the JPC was granted a last (so far the sixth) extension of time to submit its report, in order to resolve disagreements among committee members. As a result, the Parliament is likely to table the final report and subsequently consider the proposed law, along with possible clarifications, on December 21st, 2021, ahead of the end of its current legislative session on December 23rd, 2021. Once passed by both houses of the Parliament and approved by the President, the PDPB is to be enacted as legislation.

Vinted under scrutiny by European data protection authorities

The online clothing sales website vinted.com, operated by the Lithuanian company Vinted UAB, has recently had to face a large number of complaints regarding data protection aspects. The complaints were addressed to several national supervisory authorities, which, as a result, joined forces to investigate the website’s overall compliance with the GDPR. To this end, a task force was established, supported by the European Data Protection Board (EDPB), which held its first meeting on November 8th, 2021.

Vinted’s headquarters are located in Lithuania, which makes the State Data Protection Inspectorate (Lithuanian data protection authority) the leading supervisory authority. However, the platform is available in several other countries in Europe, whose supervisory authorities also received the aforementioned complaints. For this reason, the establishment of the task force was jointly decided by the national supervisory authorities from France, Lithuania and Poland. The aim of this task force is to ensure a coordinated approach to resolving the complaints received. It shall also enable a consistent and efficient examination of the compliance of Vinted’s data processing practices with the provisions of the GDPR.

The investigations focus in particular on the following issues:

  • the website operator’s requirement that users upload a scan of their identity card in order to unblock funds received from sales on the corresponding account, and the relevant legal basis,
  • the procedure and criteria for blocking a user’s account, and
  • the applicable data retention periods.

This is not the first time Vinted has been accused of controversial practices. Back on May 18th, 2021, the French consumers group UFC Que Choisir filed a class-action lawsuit with 16 million users against the company for “misleading business practices.” These are said to consist of charging an allegedly optional commission on every transaction, the amount of which only appears at the time of payment.

Apple sues NSO Group over “Pegasus” spyware

30. November 2021

On November 25th, Apple announced in a press release that it has filed a lawsuit against NSO Group Technologies Ltd. (NSO Group) to hold them accountable for their spy software “Pegasus”.

NSO Group is a technology company that supplies surveillance software to governments and government agencies. Applications like Pegasus exploit vulnerabilities in software to infect the target’s devices with Trojans. Pegasus is spyware that can be secretly installed on cell phones (and other devices) running most iOS and Android versions. Pegasus is not a single exploit, but a chain of exploits that abuse many vulnerabilities in the system. Some of the exploits used by Pegasus are zero-click, which means that they can be executed without any interaction from the victim. It is reported to be able to read text messages, track calls, collect passwords, track location, access the microphone and camera of the targeted device, extract contacts, photos, web browsing history and settings, and collect information from apps.

NSO Group is accused of selling its software to authoritarian governments, which use it to monitor journalists and the opposition, accusations that the company regularly denies. According to an investigation by a global consortium of journalists from 17 media organizations, Pegasus has been used to monitor female journalists, human rights activists, lawyers and high-ranking politicians. There are even reports suggesting it is used by Mexican drug cartels to target and intimidate Mexican journalists. Among the more famous confirmed Pegasus victims are Amazon founder Jeff Bezos and the murdered Saudi Arabian journalist Jamal Khashoggi.

Apple wants to prevent “further abuse and harm” to Apple users. The lawsuit also demands unspecified compensation for spying on users.

In the press release Apple states:

NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.

Ivan Krstić, head of Apple Security Engineering and Architecture is quoted:

In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place

Apple has announced the lawsuit contains new information about the so-called ForcedEntry exploit for a now-closed vulnerability that NSO Group used to “break into a victim’s Apple device and install the latest version of NSO Group’s Pegasus spyware program,” according to Apple’s press release. The vulnerability was originally discovered by Citizen Lab, a research group at the University of Toronto. Apple says it will support organizations like Citizen Lab and Amnesty Tech in their work, and will donate $10 million and any compensation from the lawsuit to organizations involved in researching and protecting against cyber surveillance. The company will also support Citizen Lab with free technology and technical assistance.

Apple is the second major company to sue NSO Group, after WhatsApp Inc. and its parent company Meta Platforms, Inc. (then Facebook, Inc.) filed a complaint against NSO Group in 2019. The allegation in that lawsuit is that NSO Group unlawfully exploited WhatsApp’s systems to monitor users.

In early November 2021, the US Department of Commerce placed NSO Group on its “Entity List”. The justification for this step states that Pegasus was used to monitor government officials, journalists, business people, activists, academics and embassy staff. On the “Entity List,” the U.S. government lists companies, individuals or governments whose activities are contrary to the national security or foreign policy interests of the United States. Trade with these companies is subject to strict restrictions and in some cases is only possible with an exemption from the Department.
