Monthly Roundup of Data Protection News: May 2019

Facebook as your Joint Controller

The Wirtschaftsakademie case opened a can of worms which is yet to be contained when it comes to the joint controllers situation between Facebook and page owners. Basically, the Court of Justice of the EU said that an administrator of a fan page hosted on Facebook is a controller jointly with Facebook, since the former takes part in the determination of the purposes and means of processing the personal data of visitors on the page.

As a result of this qualification by the CJEU, Facebook published a “Page Insights Controller Addendum” to its Terms of Service, intended as a means of satisfying GDPR Art. 26 (the need for an arrangement between joint controllers). This addendum has recently been criticized by the German Data Protection Authorities for, among others, annihilating the decision-making powers of fanpage admins, which in their opinion would be contrary to GDPR Art. 26. This approach is controversial – the Wirtschaftsakademie case does not impose equal involvement of controllers in deciding the purposes and means of processing and, moreover, according to this article by Dr. Carlo Piltz, GDPR Art. 26 requires only an arrangement between the joint controllers, an arrangement where parties would be free to regulate the distribution of the decision-making powers.

There is still a sense of uncertainty and risk surrounding the legal consequences of the decision to open a fan page, and the onus falls on organizations and individuals, especially in a time when engaging with clients on social media is a huge advantage for any business.

How will these issues shape the future of client interaction, civil society campaigns and the potential of small organisation to accelerate their growth? This is especially worrisome considering the trend to use Facebook pages in lieu of websites.

Moreover, national Data Protection Authorities will have different enforcement approaches on this topic, which will probably create discrepancies and discrimination between fan page users from different Member States. In any case, clear guidelines from the European Data Protection Board on this topic would be highly beneficial.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

GDPR’s 1-year anniversary: adding up the numbers

The GDPR just turned 1 this May! Stakeholders are adding up the numbers (complaints, sanctions, data breaches) and optimism is mixed with concern about respect for data subjects’ rights. Here are some anniversary reports published by authorities and organizations:

♛ ICO – GDPR – one year on.

♛ IAPP – GDPR at One Year: What We Heard from Leading European Regulators.

♛ Spanish DPA: Report on the first year of GDPR application.

♛ The Technolawgist: GDPR – a year in review.

♛ Global HR Lawyers: The GDPR – one year on.

♛ FRA – Widespread data protection abuses highlighted by GDPR.

♛ accessnow: A GDPR progress report: how is the law being implemented in the EU?

Netherlands: detailed guidance on personal data in medical files

The Dutch DPA issued detailed guidance on the processing personal data of patients in a medical file. Here are some key points:

  • In the Netherlands, as a general rule, the storage limitation for medical files is set by law to 15 years from the end of the treatment agreed (with some exceptions).
  • Patients cannot be charged for copies of their medical data, except when they ask for multiple copies.
  • Patients can be refused full access to their medical file if such access would affect another person’s privacy.
  • Only factual information concerning the patient can be corrected (e.g. mistakes regarding date of birth, address etc.). Medical diagnoses are not subject to rectification and can only be supplemented with additional opinions.
  • The right to data portability applies to some data in the medical file, namely the data which patients have actively and consciously provided, as well as data provided indirectly through the use of a service or a device (e.g. a pacemaker). Portability does not apply to the conclusions, diagnoses, suspicions or treatment plans that the health care provider establishes on the basis of the information which patients provide.

It is also worth mentioning that in the Netherlands the treatment of information in a medical file is regulated both by specific medical regulations, as well as the GDPR.

Who targeted who during EU Parliament elections

Surely one of the hottest topics of 2019 is the processing of personal data in political campaigns – a theme we covered in the March edition of this newsletter. May, however, was the month when the GDPR was actually tested at EU level during the elections for Parliament and issues with treatment of voters’ personal data resurfaced.

As explained in this article by Valentina Pavel, the various national (mis)implementations of rules for processing personal data by political parties create risks of voter manipulation, lack of transparency and security vulnerabilities.

Stronger stances by European data protection authorities are still expected to set the limits of personal data processing for political purposes. Until then, some online tools became available during the EU Parliament election campaigns.

For example, Who Targets Me is a browser extension which allows users to see who targets them with paid political advertising on Facebook. Also, Google has launched a Transparency Report on political advertising in Europe, to help people better understand who is targeting them with paid advertisements. This tool shows you the number of political ads, the money spent and who paid for them.

Such tools are surely welcome and will give citizens more information about the use of their personal data. However, in the absence of a clear legal framework to control how far politicians can go to profile their public and feed their innermost hopes and fears, any insight without a prevention mechanism is just a consolation prize.

EU Legislation watch: news about legislative processes

ePrivacy Regulation proposal: progress report published by the Council of the EU.

⚜ The Copyright Directive (Directive 2019/790 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC) was published in the Official Journal of the European Union on 17 May 2019 and must be transposed by Member States no later than 7 June 2021.

PrivacyOne data protection courses

This Autumn we are continuing our GDPR lecture series at Wolters Kluwer Romania.

On October 2nd we will launch our first practical GDPR class where students will build their abilities to draft privacy notices.

We will discuss the implications of the GDPR in the health care services industry on October 24th.

See courses

Guidelines & reports

✎  Spanish DPA publishes two technical studies regarding the Android Operating System: User control over the personalization of advertisements and App access to the device screen. The studies are aimed at developers and users alike.
✎ ICO launches campaign to help people be more aware on how they are targeted with online advertising.
✎ The  Irish DPA Guidance on the Use of CCTV – For Data Controllers was released.
✎ The International Working Group on Data Protection in Telecommunications (the Berlin Group) adopted a Working Paper on Privacy and Artificial Intelligence (direct download link) and a Working Paper on Wide Area Location Tracking (direct download link).
✎ CNIL published a kit for developers, including guidance on using libraries and SDKs provided by third parties.
✎ The Italian authority (Garante) published its annual activity report for 2018.
✎ ICO Blog on AI: Accuracy of AI system outputs and performance measures.
✎ Irish DPC published guidance on Data Sharing in the Public Sector.
✎ EDPS Blog: The Hitchhiker’s Guide to Regulation 2018/1725.
✎ German Baden-Württemberg DPA publishes sample joint controllers agreement.
✎ Spanish DPA published a guide which makes an analysis on the data processing operations conducted via drone.
✎ Scope Europe: Standard Data Protection Clauses, Draft and Explanations.

Cases & decisions

⚖ Preliminary questions raised by Max Schrems about the transfers of Europeans’ personal data by Facebook to the U.S. are sent to the CJEU (see Case C-311/18).
⚖ Hearings in CJEU Case T-738/16, where the Privacy Shield legality is also under scrutiny, have been postponed until after the Schrems Case C-311/18 hearings.
⚖ In Belgian case against Facebook concerning cookies, social plug-ins and pixels, the national court agrees to refer questions to the CJEU on the possibility of the Belgian DPA to take action against Facebook.
⚖ Privacy International wins UK court case on the activities of the Investigatory Powers Tribunal to engage in device hacking without judicial oversight.
⚖ PNR again under scrutiny – the Society for Liberty Rights brought actions in Germany regarding the automatic transfer of passenger data to the German Federal Criminal Police Office.
⚖ The Cologne Regional Court, in a recent decision, has answered questions on the extent of “personal data” covered by the right of access, as well as what it means to provide a copy of the personal data.
⚖ On the 31st of May, 2019 the Irish Supreme Court has released a judgement regarding the conflict between The Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
⚖ The Swiss Federal Administrative Court made a final decision in in the Helsana+ app case. The case referred to the lack of valid consent to disclosure of health personal data to third parties.

GDPR enforcement actions

⚡ Lithuanian DPA fines e-payment company.
⚡ Irish DPA opens formal investigation into Quantcast regarding the application of the GDPR in the company’s online advertising business, following complaint filed by Privacy International.
⚡ The Norwegian Data Protection Authority (Datatilsynet) intends to fine the Oslo municipality’s Education Agency for making available an unsafe app for school-related communications between teachers and parents. The security vulnerability endangered the personal data of 63,000 students.
⚡ The leaders of the Irish and UK DPAs hint at upcoming sanctions, according to this IAPP article. Helen Dixon further underlined that investigations take time and they should be concluded with sanctions which can stand up in court.
⚡ Nordic Data Protection Authorities reaffirm their cooperation and highlighted the importance of joint investigations.
⚡ The Danish DPA (Datatilsynet) issues decision in the case regarding the electronic ticket system for public transportation in Denmark – the controller could not comply with the right to rectification concerning location information.
⚡ The ICO served the HMRC with an Enforcement Notice regarding the treatment of voice authentication. Here’s the story in the ICO Blog: Using biometric data in a fair, transparent and accountable manner.
⚡ In Finland, two financial services companies have been ordered to correct their practices regarding the processing of personal data for assessing creditworthiness.
⚡ Complaints in four different countries lodged against IAB Europe and Google.
⚡ Irish DPA opens formal investigation into Google Ireland Limited, on the issue of personalised online advertising.
⚡ Spanish Data Protection Authority is fining Endesa and Vodafone  under the GDPR, for issues related to data confidentiality and security.
German DPA fines financial institution  with 50,000 euros for GDPR violations, which consisted in storing data of former costumers on a so called ‘black list’.
⚡ The Belgian DPA applied its first financial penalty based on the GDPR – approx. 2,000 Eur on on issues regarding the processing of personal data for political purposes.
Quantcast will face GDPR privacy probe which was opened by The Irish Data Protection Commission (DPC).
⚡ The Danish Data Protection Authority (‘Datatilsynet’) has issued a decision against Rejsekort A/S regarding the way they process location data.

More EU data protection news

► (Romanian) Privacy advocate Bogdan Manolea writes on the issues of AI and processing personal data on this blog post.
► The Council of the European Union is now able to impose sanctions against “persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them.”
► Members of the UK Royal Family use GDPR in dispute against paparazzi.
► ePrivacy Regulation proposal: read this piece from EDRI about blanket personal data retention and the access of law enforcement authorities to it.
► GDPR and garbage bins – in a surprising case originating from Ireland, the DPA confirmend that any litter collected in the postal office public bins would not be subjected to GDPR laws. An Post, the Irish postal services provider, removed all public bins from a certain post office, measure caused by, as stated by them, potential privacy breaches under the GDPR.
► The “Society for Liberty Rights” (Gesellschaft fur Freiheitsrechte e.V GFF”) has formulated multiple actions in front of different German courts against airlines for automated transfer of passenger data (passenger name records) to the Federal Criminal Police (BKA).
The Finnish Council EU Presidency work programme  was made public and it concentrates on issues related to EU privacy and data protection.
► Google implemented a new process to verify advertisers for the EU Parliamentary election, the stated purpose being helping people to better understand the elections ads they encounter online and increase the integrity of elections.
► Cooperation between the Nordic Data Protection Authorities is strongly empowered through the Stockholm Declaration 2019.
► What is state of the art in IT security? See discussion in this article written by Gabriela Zanfir-Fortuna.

Personal Data Breaches and other cyber incidents

☔ Twitter discovered a bug which let to inadvertent collection and sharing iOS location data.
☔ WhatsApp vulnerability allowed hackers to remotely install surveillance software on phones and other devices.
☔ Remote access software TeamViewer accounts hacked.
☔ Turkish Data Protection Authority says it fines Facebook for a data breach which let third-party app developers to access users’ photos.
☔ IT provider for Airbus, Porsche, Toshiba and Volkswagen was attacked, resulting in their client’s customer personal data stolen.
☔ Google suspends transfer of certain transfer of hardware, software and technical services to Huawei.
☔ Read the IBM Security Intelligence article: Data Breach Report: Small Businesses and C-Level Executives Were Top Targets in 2018.

Recommended articles

Affinity Profiling and Discrimination by Association in Online Behavioural Advertising by Sandra Wachter.
Privacy, identity, and autonomy in the age of big data and AI by Sandra Wachter on O’Reilly.
Social Media: how to use it safely by the UK National Cyber Security Centre.
Smart contracts as a form of solely automated processing under the GDPR, by Michèle Finck.
Who to Sue When a Robot Loses Your Fortune.
The Internet of Emotions: A New Legal Challenge, by Carola Spada.
✎ A paper written at Hasselt University, “Personal Information Leakage by Abusing the GDPR “Right of Access”, draws attention to GDPR related issues while also discussing themes like ‘Impersonation Techniques’ and how these can be used.

Other data protection news from around the world

☕  The New York Times: These Ads Think They Know You (this article is about an NYT experiment in targeted ads, where people were targeted with messages containing information on their own profiles).
☕  Google plans to offer users the option of auto deleting their search and location history after 3 months, instead of manually deleting such data.
☕  Duck Duck Go blog: Many websites don’t respect the “Do Not Track” browser option when this option is turned on by users.
  In the U.S., Facebook faces penalties by the Federal Trade Commission, but the levels are still to be set.
☕  China: Human Rights Watch unveils algorithm used by Chinese app to categorise and score citizens.
☕  Amazon faces complaint about collecting children’s personal data without parental consent through the Echo Dot Kid product.
☕  Facebook sues Rankwave company for gathering and misusing users’ data for their own business purposes.
☕  In the U.S. San Francisco is the first city to ban the use of facial recognition software by public authorities.
☕  The U.S. intends to endorse the OECD’s principles on the development and use of artificial intelligence.
☕  Hack of the Red Cross website leaves personal data such and blood type and phone numbers exposed.
☕  Canada is planning on building a Digital Charter.