Monthly Roundup of Data Protection News: April 2019

Voice recordings

The past month has seen two interesting cases about voice recording during calls, from Denmark and the UK. Voice recordings can be used for different purposes and it appears that there are differences in regulatory approach between Member States.

First of all, we must point out that the recording of an individual’s voice does not always represent processing of biometric data for the purpose of uniquely identifying a natural person (which would make such processing fall under GDPR Article 9). The key to deciding whether a voice recording should be legally viewed as processing of a special category of data is the purpose of its use: identification of the person (voice ID) or documentation (proof) of a certain conversation. In the latter case, the restrictions of GDPR Article 9 would not apply, unless the recording were also used for identification purposes.

In Denmark, the Data Protection Authority (Datatilsynet) sanctioned a telecoms company for recording conversations with customers and using them for internal training without the customers’ consent. It is important to point out that the Danish DPA had previously issued specific regulation which provides that for some purposes, such as educational use and quality assurance, a person’s voice can only be recorded based on consent; in other cases, such as when the recording is needed for reasons of documentation (e.g. securities trading), the recording can be performed without consent. Since this approach is country-specific, the DPA’s decision should therefore not be extrapolated to other countries where the conditions differ or where there are no regulated requirements.

In a different situation, the ICO sanctioned HM Revenue &amp; Customs in connection with the institution’s Voice ID system. HMRC used voice authentication for its helplines but did not inform data subjects about how their biometric data would be used and did not obtain explicit consent.

As with photographs and video footage, the legal treatment of the processing of a person’s voice depends on the purpose of its use. If it is processed as part of an authentication method, then the data will most likely be treated as special category data and will be subject to the strict processing conditions imposed by GDPR Article 9. One should also consider that individuals’ images and voices might be processed for journalistic, academic, artistic or literary purposes and, depending on how a Member State has implemented the exemption provided in GDPR Article 85, such data processing might escape the application of the GDPR altogether.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

Data Protection Impact Assessments

All but one of the EEA countries’ Data Protection Authorities have submitted their Data Protection Impact Assessment (DPIA) lists for the EDPB to analyse; Cyprus’s list is still expected.

The role of the EDPB review is to ensure a harmonised approach and consistency between the different national DPIA lists. Whether this has been achieved is unclear: there are many differences between the lists, as this IAPP centralizer shows (Romania’s list is not there, but you can find it in English here). Nevertheless, controllers (especially those belonging to international groups) must take into account that there are local particularities when it comes to DPIA requirements, and should apply the national criteria first, before relying on the general rules of GDPR Article 35.

When it comes to the actual performance of a DPIA, the GDPR offers some limited guidance, but the practicalities of the process remain the responsibility of the entity performing the analysis. For this purpose, having an internal DPIA procedure is always a good approach, and there are online resources available to help – such as the ICO’s guidance, the former WP29’s DPIA Guidelines, this Protecture article on common mistakes made with DPIAs, Nymity’s PIA&DPIA software solutions, CNIL’s PIA software and many others.

EU Legislation watch: news about legislative processes

⚖ EDPB launches public consultations on its Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. The deadline is May 24th.
⚖ The last step in the adoption process of the Copyright Directive was completed and the final form of the text is expected to be published in the Official Journal of the EU. Read about the problems this legislation poses for data protection in our previous newsletter.
⚖ The Proposal for a Directive on certain aspects concerning contracts for the supply of digital content has been approved and is expected to be signed and published.
⚖ EU Parliament voted in favour of the Proposal for a Directive on the protection of persons reporting on breaches of Union law. The new proposed legislation encourages and protects those who report breaches of EU law.
⚖ EU Parliament adopts its position at first reading of the New Deal for Consumers legislation (proposal for a Directive to modernise existing EU consumer rules).
⚖ Further developments regarding the ePrivacy Regulation proposal must wait for the EU Parliament election process to finish, when negotiations with the Council of the EU are expected to start.

Romania: helpline for cybersecurity threats launched

The Romanian National Centre for Cybersecurity Incident Response (CERT-RO) launched a dedicated helpline for reporting cybersecurity threats in Romania – 1911. Any individual, company or public authority may use this number to report cyber threats. This is not, however, the notification required under Article 33 GDPR or under other sectoral regulations. The helpline is constructed as an instrument to help the victims of cybersecurity incidents, and the reports will be used to shape the national cybersecurity strategy.

According to the Romanian Communications Ministry, the reporting rate grew from 3 reported incidents per day to 17 in the first 5 days after the launch of the 1911 number. The most common threats are fraud, such as phishing and sextortion (30%), followed by unwanted commercial communications (14%), compromised systems, automated password cracking, information theft and ransomware.

CNIL: 2018 activity report & 2019 enforcement strategy published

On April 15, 2019, the French Data Protection Authority (CNIL) published its 2018 activity report and announced its 2019 enforcement agenda. In 2019 CNIL’s control powers will focus on three major themes:

  • Observance of the data subjects’ rights
  • Processing personal data of minors
  • Distribution of responsibilities between controllers and processors

As opposed to the previous 3 years, considered by the CNIL as being a transitional phase between the old and the new legislation, the French DPA will not be so lenient in 2019.

Nevertheless, CNIL also emphasized that it will use its institutional abilities to counsel professionals in the application of the GDPR, not only to investigate alleged violations.

Guidelines & reports

► ICO publishes a draft code of practice on age appropriate design. Consultations end on May 31st.
► Ireland’s Data Protection Commission comments on the topic of the right to rectification in the specific context of names with diacritics.
► The Conference of Independent Federal and State Data Protection Authorities in Germany (DSK) issued a position paper on data protection requirements regarding the operation of Facebook pages. See the paper in German here and an English commentary here.
► DSK also published Guidance and FAQ on cookies.
► The same German DSK issued guidance on the applicability of the German Telemedia Act, which includes the topic of cookies post-GDPR and a paper on consent for scientific research.
► German Federal Government: measures to address consent fatigue (original document in German available here and unofficial English translation here).
► European Commission: Study on Data Protection Certification Mechanisms.
► Ireland’s Data Protection Commission: Elections and canvassing: Data Protection and Electronic Marketing – the data protection rights of individuals.
► Italy’s Garante issues rules on processing personal data in the context of political campaigns.
► CNIL published draft standards on the processing of personal data for core HR activities.
► European Commission: updated Q&amp;A on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation.
► Read the Verizon Insider Threat Report.
► CNIL: Shaping Choices in the Digital World report shows the impact of user experience design on user empowerment.
► European Commission: Ethical guidelines for trustworthy AI and Recommendation on cybersecurity in the energy sector.

GDPR certification

The Luxembourg Data Protection Authority (the CNPD) published the first ever GDPR certification scheme, called CARPA. The certification scheme consists of two documents, which are available in English:

  • certification criteria: mandatory requirements to be assessed in order to be eligible for certification;
  • certification mechanism: accreditation criteria for certification bodies and description of the certification process.

Cases & decisions

◉ Preliminary questions raised by Orange Romania on the application of the Data Protection Directive 95/46/EC have been published (see CJEU Case no. C-61/19).
◉ Danish DPA decides that a public transportation travel card system must respect the right to rectification; a system which only permits adding information instead of correcting it does not comply with the GDPR.
◉ In France, a company successfully argued the reduction of a fine imposed by CNIL by showing that it had taken measures to reduce the impact of a data breach.
◉ The Swedish Data Protection Ombudsman ordered a financial credit company to change the way it performs creditworthiness assessments. An upper age limit, without considering other solvency indicators, is not acceptable under national credit information legislation. The company’s online credit decision process was also deemed by the Ombudsman to be a solely automated decision-making process under GDPR Article 22.
◉ In Greece, an oil company was fined a total of 30,000 EUR by the Data Protection Authority for failing to adopt appropriate security measures after the results of a study containing sensitive data, performed for it by a vendor, were made available online.
◉ UK High Court of Justice: data subjects are entitled to information about the sources from which an organisation received their personal data (Case of Rudd v Bridle [2019] EWHC 893 (QB)).
◉ The Bavarian Data Protection Authority decided that the use of Facebook Custom Audience tool, whereby customers’ e-mail addresses are uploaded and shared with Facebook must be based on the customers’ consent.
◉ A German high court decides that the scope of the right to a copy of one’s personal data includes copies of performance and behavioural data. See here a comment on this case in English.

GDPR and health care in Romania

The “Processing personal data in health care services” presentation by Andreea Lisievici is now available online (in Romanian only).

GDPR enforcement actions

► EDPS: Investigation into contractual agreements concerning software used by EU institutions.
► Facebook is under intense scrutiny from regulators around the world. Read more in this New York Times article. In a recently announced investigation into the alleged unauthorised collection of users’ email databases, New York Attorney General Letitia James said: “Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data.” A summary of investigations and allegations against Facebook can be read in this Data Rainbow piece.
► Helen Dixon, the Irish Data Protection Commissioner, says that her institution has opened 12 significant investigations into alleged data protection infringements by large US tech companies.
► Investigation launched by the EDPS into the contracts between Microsoft and EU institutions.
► Read here the complaint filed by Johnny Ryan with the Irish Data Protection Commission regarding the cookie wall and cookie notice on the website of IAB Europe.
► Facebook ordered in France to pay 30,000 EUR for unfair clauses in its terms of use. See here an explanatory article.
► ICO fines a pregnancy and parenting club 400,000 GBP for unlawfully sharing with third parties the personal data it collected from its members.
► ICO fines a TV production company for unlawfully filming patients in a maternity clinic.

More EU data protection news

⚑ “We need to talk about terms and conditions” – an article by Giovanni Buttarelli on the EDPS blog.
⚑ IAB Europe and IAB Tech Lab launched public consultations on the new proposed version of the Transparency & Consent Framework for the digital advertising ecosystem.
⚑ Romanian audio-visual authority invokes GDPR to take down the public list of radio and TV stations owners.
⚑ Read the EDPS April Newsletter.
⚑ The Hambach Declaration on Artificial Intelligence was adopted on April 3rd by the German Conference of Independent Federal and State Data Protection Authorities. An unofficial translation into English has been made available by the Belgian Data Protection Authority here.
⚑ Airbnb should be considered an information society service and not a real estate agent, says the CJEU Advocate General in his Opinion in Case C-390/18. Read the press release here.
⚑ More news is surfacing about hotels leaking guests’ personal data to third parties such as advertising and analytics companies, without informing guests.
⚑ Jaguar Land Rover will offer drivers cryptocurrencies in exchange for personal data, according to this Mashable article.
⚑ Article: Automated Decision Making: the role of meaningful human reviews.
⚑ Read this Bird&Bird article about how the use of Big Data can lead to discrimination.
⚑ Data breach affects UK Government as 300 journalists’ e-mail addresses are exposed during a press release.
⚑ Statewatch: analysis on the possible combining of EU Justice and Home Affairs databases.
⚑ Facebook updates terms and conditions following discussions with EU institutions.

Other data protection news from around the world

► Tech startup Transcend lets people see how companies use and track their personal data.
► Amazon’s Alexa voice recordings are listened to by thousands of Amazon staff.
► Facebook under scrutiny in Canada for privacy law violations.
► Microsoft warns users about Outlook data breach.
► Canadian Company Igloo Software’s 2019 State of the Digital Workplace report: 61% of employees share sensitive information via e-mail (read more in this ZDNet article).
► IAPP Westin Research Center publishes table comparing key provisions from privacy bills from across the US.
► Cloud storage from the US has been leaking personal data of 80 million US households.
► Read how police in the US are using location data to track perpetrators, in this New York Times article. On the other hand, Google announces that it will offer users the option to automatically delete search and location history after 3 months.
► Hertz car rental company sues consultancy firm over defective services for revamping Hertz’s online presence. Part of the claims refer to code which poses security risks.
► Bill set to strengthen consumer data breach notification obligations in Washington State.
► Hong Kong: Privacy Commissioner for Personal Data briefed the banking industry on the use of personal data in the digital era.
► US Department of Justice releases White Paper and FAQ on the Clarifying Lawful Overseas Use of Data (CLOUD) Act.
► China: new privacy regulation developments take place.
► Read this BCLP article about liability of processors towards controllers for the acts of subprocessors.
► Read this article about concerns relating to the use of facial recognition technologies for the purpose of identifying passengers and replacing boarding cards.
► The United Arab Emirates has a new Federal Law which regulates the processing of health data.
► Toyota Motor Corporation in Japan suffered a data breach consisting of unauthorized access to the personal information of 3.1 Million customers.
► US: GDPR cannot be invoked to block discovery in US litigation.
► Facebook will start to reveal how its algorithms decide on what content to display in News Feeds, launching a “Why am I seeing this post” button.