Monthly Roundup of Data Protection News: March 2019

Political campaigns and the GDPR

In preparation of the upcoming European Parliament elections, European institutions have issued statements and papers on the subject of processing personal data in the context of political campaigns. The EDPB issued a very brief statement on this topic in March, while previous guidance of the EDPS and the EC was already available.

The start of the EP campaign is imminent and steps are already being made for promoting political messages. In Romania, the National Post Company has sparked outrage after publishing a ‘services offer’ whereby it provides political parties and independent candidates the possibility to place political advertising in the post of certain segments of the public, such as pensioners and people who receive social benefits. The Romanian Data Protection Authority has stated for the news outlet Hotnews that it is analysing this case. (As a side note, the DPA’s statement to Hotnews reflects that the institution is still promoting consent as the preferable legal ground, which is contrary to the GDPR – this is a major issue concerning Romanian application of data protection legislation dating from the pre-GDPR era.)

The EDPB Statement on political campaigns does not tackle the hot topics of processing personal data for promoting political messages – this is something which we pointed out in this PrivacyOne article. Much harm can be done by using personal data to infer political opinions and target people with custom messages which respond to their fears and hopes, as has been seen in the ICO’s investigation into the harvesting of social media users’ data for political purposes. Unfortunately, even a regulatory response to unlawful personal data processing for political purposes is inefficient if applied post factum, as the recent investigations by ICO have shown. For details, you can read ICO’s penalty notice against Facebook for serious breaches related to the use of data analytics for political purposes, the ICO report Democracy disrupted? (11 July 2018), as well the ICO report Investigation into the use of data analytics in political campaigns.

In this ecosystem, the citizens and watchdog organisations, supported by privacy professionals, will carry a considerable part of the onus of identifying and reporting misuse of personal data for political purposes. Hopefully, this will legitimise data protection as a stand-alone theme in debates about the fairness of political campaigns and will lead to legislation and jurisprudence able to prevent the hijacking of democratic processes.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

First GDPR fine in Poland

The Polish Data Protection Authority (UODO) applied a fine of approx. 220,000 EUR to the Polish subsidiary of Swedish data company Bisnode. The company processes personal data from publicly available sources (such as economic activity register and court register) and provides company-verification services, as indicated by the EDPB and further explained in this article.

The company was found responsible for failing to provide GDPR art. 14 information to a high number of persons. The data subjects in this case are the natural persons who are entrepreneurs and who are featured in such business-related public databases.

The company fulfilled its transparency obligation towards a small percentage of data subjects, because the company only had those person’s e-mail address. For the rest of the data subjects, the company had their telephone number and postal address – in those cases, it invoked the “disproportionate effort exemption” (art. 14.5.b) and considered that providing them with data processing information would be too expensive. For this category of data subjects, the company posted an information notice on its website.

The Polish authority considered that the disproportionate effort exemption should not have been relied on, since the company held the contact data (phone no., postal address) of those data subjects. Moreover, the information notice posted on the company’s website was not enough to comply with the transparency obligations. Bisnode’s rebuttal is available here in Polish.

Just as heads up from us, at least in Ireland the national DPIA list includes “indirectly sourcing personal data where GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort” as one of the situations when you need to perform a DPIA.

Copyright Directive versus GDPR

On March 26th the European Parliament adopted the Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market (the Copyright Directive). This is a controversial legislative text which, according to privacy watchdog organisations, will lead to content filtering which will not be able to correctly identify copyright infringements, further leading to limiting freedom of expression.

The Copyright directive also raises issues from a data protection perspective, as shown in this EDRI article referring to this piece by German judge Dr. Malte Engeler. The latter author contends that the application of content filters implies the processing of the personal data of the uploader, by the platform provider as data controller, for the purpose of assessing whether the uploaded work falls under an exemption from copyright infringement rules. Keep in mind that a platform, in order to correctly conclude whether a work is uploaded for, for example, for the purpose of criticism, caricature or parody, might require context information about the user.

The legal basis for processing personal data in the context of upload filtering is problematic. Dr. Malte Engeler considers that controllers will rely on a legal obligation (complying with the Copyright Directive) as a ground for processing, with further problems arising, as argued in his article.

We underline that a legal obligation must be clear and precise in order to be relied on for data processing (GDPR preamble no. 41). Article 17(4) of the Copyright Directive proposal institutes a “best efforts” duty upon online content-sharing service providers and does not indicate that such efforts imply processing personal data. It remains to be seen whether this will become a clear and precise obligation in national transposition laws, in order to be relied on for the purposes of GDPR art. 6(1).

AdTech industry under scrutiny

The AdTech industry has been the subject of a lot of discussion among privacy experts as well as regulators lately. One of the first signs that the current status quo is not exactly great was in September 2018, when the first “Regulatory complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under Europe’s GDPR” has been filed by Johnny Ryan, Jim Killock, and Michael Veale. The complaint has been updated in early 2019, indicating massive data leakage during the ad bidding process.

Among other things, the new evidence shows that ad companies can very easily target ads to users based on categories that imply (and sometimes directly include) very sensitive matters. For example, “incest/abuse support,” “hate content,” and “AIDS/HIV.” These categories accompany web users on all websites they visit, and as part of the real time bidding process are shared millions of times a day with a massive number of ad companies, even if they don’t get to show an ad.

Then, in March 2009, Cookiebot launched a report based on its own research, showing that an astonishing number of government websites contain third party advertising trackers. While the use of advertising is somewhat expected on a website that needs to fund it’s content, the same cannot be said about governmental websites, which makes the findings in this report very worrying. Even public health services websites have such advertising cookies, which increases the likelihood that data about a certain visitor of such website (which simply by browsing can become very sensitive, imagine if one is looking for information about a sensitive medical condition, like HIV) is then used by the ad service provider to target ads to that user on other websites.

Also in March the ICO organised a factfinding event to consult with adtech stakeholders on sensitive data protection issues and published the preliminary outcome. The key issue, especially if you read the research report itself, is how to ensure transparency to users. A clear conclusion of the research was that once receiving a short explanation of the data processing in AdTech, perceived levels of acceptability decreased significantly. Another aspect revealed was that the current way of informing users about the data processing (i.e. cookie banners) is ineffective – many respondents didn’t even remember them, and a large proportion said they never click on the options, due to them not being able to do anything about it and the amount of time it takes. Even of those who do click, a large proportion said they do not understand the explanation provided.

There is no conclusion on this point right now, perhaps just that the work is merely starting. Still, one thing that is said more and more often is that perhaps the current system of funding “free internet” through ads is not sustainable anymore, due to it in many cases not being able to meet GDPR’s requirements of transparency and consent. On this last point you can also read CNIL’s decision concerning AdTech company Vectaury, which although recent will most likely remain a landmark in the field.

CNIL: biometric data at work

The French Data Protection Authority (CNIL) adopted a binding regulation on the use of biometric data for the purpose of controlling workplace access to premises, devices and computers. The rules applicable to organisations wishing to use such biometric authentication systems include the following:

organisations must apply a “least intrusive means test” to demonstrate why other measures such as badges and passwords are not appropriate for reaching the same security purposes and document the decision to use biometrics-based systems;

a Data Protection Impact Assessment (DPIA) is mandatory; the DPIA must be updated at least every 3 years;

the decision to choose one type of biometric data category over another must also be documented (e.g. iris instead of fingerprint)

the personal data which can be processed through the biometric access device for the purpose of identifying the data subject is expressly limited by the regulation, as well as the data which can be logged by such a device; in other words not any types of data can be processed, but only those strictly related to the purpose of the access system;

biometric sampling (e.g. blood and saliva samples) is prohibited for the purpose o controlling access in the workplace;

only certain entitled persons may access the data processed through the biometric authentication system and annual reviews of access rules must take place;

the raw recording of the biometric characteristic which led to the creation of the template cannot be preserved for more than the time required to create the template;

templates must be encrypted and can only be stored for the duration for which the data subjects need authorisation;

log data generated by biometric access systems can only be kept for 6 months from their registration, except for situations where there are legal obligation or litigations for which specific data is needed;

the CNIL regulation lists specific technical and organisational requirements.

Guidelines & reports

EDPB issued an Opinion on the interplay between the ePrivacy Directive and the GDPR and a Statement on the ePrivacy Regulation. Here are all the documents adopted by the EDPB at its 8th plenary session.
The German Supervisory Authority has re-issued its guidance on data processing in the employment context (available only in German here; see article in English here).
The EDPB has adopted Information note on BCRs for companies which have ICO as BCR Lead Supervisory Authority.
The European Parliament approved the Proposal for a Cybersecurity Regulation – the proposal is still subject to approval from the Council before it will be published.
The Irish Data Protection Commissioner issues Guidance for Drivers on use of “Dash Cams” – recording with the use of a Dash Cam makes you likely to be a data controller.
EU: The EU Parliament and the Council agreed provisionally on a set of EU-wide rules to protect whistleblowers.
Netherlands: The Data Supervisory Authority issues a indication for the application of pecuniary sanctions under the GDPR (available in Dutch).
The Council of Europe Committee of Ministers has issued Recommendation CM/Rec(2019)2 to member States on the protection of health-related data.
EDPS issues Opinion on online manipulation and personal data.
The EDPB has organised a stakeholders’ meeting in connection to its reviewing of the WP 29 Opinion on the concept of controller and processor.
The ICO provides information for medical practitioners with regard to patients’ access to medical data.
ENISA publishes Guidance and gaps analysis for European standardisation on the topic of privacy and the study entitled Towards a framework for policy development in cybersecurity – Security and privacy considerations in autonomous agents.

Cases & decisions

The AG has provided his Opinion in the CJEU Planet49 case, concerning the collection of valid consent for placing cookies. Read more on this topic in the PrivacyOne analysis.
Spanish DPA says it was lawful for Vodafone to contact a client via Whatsapp without his consent, for the purpose of installing a device (performing of a contract).
The Vienna Higher regional court: admissibility of lawsuit against Facebook in civil courts confirmed, in case brought by Max Schrems.
Drivers in the UK sue Uber for allegations of refusing Data Subject Access Requests for GPS and other app usage data.
German regional labour court decides that an employer unlawfully refused an employee’s Data Subject Access Request concerning information about the charges that led to his dismissal.
German court rules on the issue of using vehicle telematics services in the employment context. Read a related LinkedIn article here.
The Swedish National Procurement Services issues a study finding that “because of US regulations including the Cloud Act, Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, cloud office solutions from the current market leaders cannot provide an adequate level of protection under the GDPR.”, according to this article.

English translations of Romanian data protection legislation

Romanian GDPR Application Law no. 190/2018

The Romanian DPIA List

GDPR enforcement actions

► UK: The ICO has fined the Vote Leave Limited organisation 40,000 £ for sending out thousands on unsolicited text messages during the UK Brexit referendum campaign.
► UK: ICO warns that employees could face criminal prosecution if they access or share personal data unlawfully. Thus, individual employees of an organisation could be sanctioned for data protection law breaches.
Denmark: first GDPR fine is proposed by the Danish Data Protection Agency for a taxi company which failed to enforce personal data retention policies with regards to clients’ telephone number.
Finland: Nokia is being investigated for possible GDPR violations concerning unencrypted data transfers from Nokia phones to servers in China.
The Global Privacy Enforcement Network issued its 2018 report on the implementation of privacy accountability around the world.

More EU data protection news

Estonia is working on introducing artificial intelligence in its justice system.
PrivacyOne article: What’s (not) new about EDPB’s Statement on political campaigns.
Read the EDPS March Newsletter here.
Irish church and school discontinue practice of encouraging children to write their sins next to their picture on a public display.
Article: The Impact of User Location on Cookie Notices (Inside and Outside of the European Union) (available on SSRN)
See here a centralisation of the national DPIA lists, complied by the IAPP (although not yet complete, because the Romanian DPA also published a blacklist which we have translated and is available here).
GDPR lessons and challenges – an article by Clifford Chance.

Other data protection news from around the world

► In New Zealand, a law firm charged a client with $19,000 (New Zealand Dollars) to send him information following a personal data access request. The New Zealand Privacy Commissioner said a reasonable sum would be one that would cover the cost of purchasing the means through which the information would be transmitted to the client (e.g. a USB stick).
► Thailand will have a data protection law – read here an article in English on this topic.
► Read this article about the development of facial recognition algorithms with the use of social media photos.
► In the US, Facebook’s partnership deals which allowed access to user information are under criminal investigation, according got this article.
► Facebook is being sued in the USA for allowing the exclusion of minority groups through its advertising algorithm used for promoting housing ads, in violation of housing legislation.
► Article: A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI (available at SSRN)
► Facebook: Over 25,000 complaints against Facebook have been lodged with the US Federal Trade Commission, according to EPIC.
► Bird&Bird article: Big Data & Issues & Opportunities: Data Ownership.
► Facebook is being accused in the US for knowing that Cambridge Analytica used the personal data of the platform users, and did not tell them before the news went public.
► Article: Security Analysis of Subject Access Request Procedures. How to authenticate data subjects safely when they request for their data (available here).
► Article: Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis (available here).
► In New Zealand, Facebook is criticised for failing to stop the livestreaming of the Christchurch shooting.
This IT Governance article summarises the data breaches and cyber attacks which happened in March.
► Aluminium plant works were disrupted by ransomeware.

Leave a comment