Data Protection - Summer 2021
This summer many academic legal 📄 and security 🔒 related articles have been published. A clear trend is visible in assessing organisations and their concrete security measures, as seen in the Schrems II follow-up and the focus of SAs in their enforcement.
🇪🇺 European developments
The EDPB 🇪🇺 adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea 🇰🇷.
The EDPB focused on general GDPR aspects and access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of Korea for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA.
EC 🇪🇺 starts an infringement procedure against Belgium 🇧🇪
The European Commission will launch an infringement procedure against Belgium following complaints that the Belgian privacy regulator's ability to act independently is compromised because several of its members are also affiliated with the government.
Case law
EDPS 🇪🇺 published a case law digest: Transfers of personal data to third countries
Bundesgerichtshof 🇩🇪: Under art. 15 GDPR all personal data related to the data subject must be provided.
The unsurprising decision by Germany’s highest civil court, Bundesgerichtshof, specified the scope of data subject access requests. The court held that Article 15 GDPR also covers information already known about the data subject, previous correspondence and notes of internal processes or internal communications related to the data subject.
Belgian Council of State 🇧🇪 Considers Encryption in principle a Sufficient Measure for U.S. Data Transfers
The decision was made in the context of a tender granted by the Flemish Authorities to a company that used AWS cloud services. An unsuccessful tender participant had challenged the outcome of the tender process before the Council of State, deploying several arguments, including that a lack of appropriate safeguards for data transfers to AWS in the U.S. infringed the GDPR’s restrictions on data transfers in light of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.
Supervisory Authorities
Luxembourg's SA 🇱🇺 fined Amazon Europe Core EUR 746m
The Luxembourg National Commission for Data Protection, CNPD, imposed a fine on Amazon Europe Core of EUR 746 million. This decision is the result of a collective complaint sent to the CNIL by the association La Quadrature du Net (LQDN). In application of the cooperation procedures between authorities established by the GDPR, the CNPD was competent to deal with this case, as the company Amazon Europe Core was established on its territory. The CNIL cooperated closely with the CNPD throughout the procedure, in the context of controls and analysis of the evidence obtained, and then during the examination of the draft decision in the context of the one-stop-shop procedure.
DPC fines 🇮🇪 WhatsApp EUR 225 Million for transparency violations
The DPC announced a fine of €225 million against WhatsApp Ireland Ltd for failure to meet the transparency requirements of Articles 12-14 GDPR.
CNIL 🇫🇷 fines Monsanto 400k for processing without informing 200 individuals
The U.S.-based biotechnology firm Monsanto Company was fined by the CNIL for violating an individual's right to know under the GDPR. Monsanto allegedly held a file carrying personal information of 200 individuals without informing them what data was collected. Information gathered included individuals' occupations, company address and phone number, as well as personal mobile number and email address.
Garante 🇮🇹 fines Deliveroo EUR 2.5m & Foodinho EUR 2.6m over AI algorithm use
The investigation found that the platform’s use of algorithms to automatically penalise riders by excluding them from job opportunities if their ratings fell below a certain level was discriminatory, and the fact that there was no opportunity for human review nor the ability to challenge the decision contravened GDPR. [...] a controller should be able to show that its algorithm is not discriminatory.
AP 🇳🇱 imposed a fine of EUR 750k on TikTok for violating the privacy of young children and lack of transparency
The Dutch DPA previously investigated TikTok for alleged children’s privacy violations and submitted a report of its findings to the company in October 2020. As a result of its investigation, the Dutch DPA found that the notice provided to Dutch users when installing and using the TikTok app was in English and not easily and readily understandable to users, thereby violating the GDPR's transparency principle.
DPC 🇮🇪 launches two inquiries into TikTok concerning compliance with GDPR requirements relating to the processing of children's personal data and transfers of data to China
Datatilsynet 🇳🇴 fined Ferde AS, a Norwegian toll company, EUR 496k for data transfer to China
Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde has implemented routines and measures to ensure adequate information security for the information transferred to China.
Datatilsynet 🇳🇴 chooses not to use Facebook
What are the privacy risks associated with communicating through a Page on Facebook? And what kind of responsibility for the processing of personal data may we have as the owner of a Page? We have carried out a risk assessment and a DPIA of Facebook, based on the obligations that follow from data protection regulations.
Hamburg SA 🇩🇪 warns its government against using Zoom due to data transfer to the US
The HmbBfDI has formally warned the Senate Chancellery of the Free and Hanseatic City of Hamburg (FHH) against using the video conferencing solution from Zoom Inc. in the so-called on-demand variant. This use violates the GDPR, as such use involves the transfer of personal data to the US. There is no sufficient protection for such data in this third country, according to Schrems II.
Datatilsynet 🇩🇰 has serious criticism of Helsingør Kommune in Chromebook-case
As the municipality had not assessed this [risk], the municipality also did not have evidence that the configuration had been done in a way that was appropriate to the risks to data subjects.
Garante 🇮🇹 publishes updated Guidelines on Cookies and Other Tracking Technologies
The guidelines do not relate just to cookies, but also other types of identifiers (such as fingerprinting and radio-frequency identification tags). Providing consent through Scrolling and Cookie Walls is not permitted. Reposting banners to seek consent when a user already has expressed preferences for the relevant website is prohibited.
CNIL 🇫🇷 has updated its PIA software and templates
ICO 🇬🇧 has published a new resource to help public sector organisations understand when the direct marketing rules will apply to their messages
Literature
Article - Digital welfare fraud detection and the Dutch SyRI judgment
In 2020, a Dutch court passed judgment in a case about a digital welfare fraud detection system called Systeem Risico Indicatie (SyRI). The court ruled that the SyRI legislation is unlawful because it does not comply with the right to privacy under the European Convention of Human Rights. In this article we analyse the judgment and its implications. [...] The judgment reminds policymakers that fraud detection must happen in a way that respects data protection principles and the right to privacy. The judgment also confirms the importance of transparency if personal data are used.
Article: How machine-learning recommendations influence clinician treatment selections: the example of antidepressant selection
Decision support systems embodying machine learning models offer the promise of an improved standard of care for major depressive disorder, but little is known about how clinicians’ treatment decisions will be influenced by machine learning recommendations and explanations. [...] More generally, our findings challenge the common assumption that clinicians interacting with ML tools will perform better than either clinicians or ML algorithms individually.
Paper: Not Directly Stated, Not Explicitly Stored: Conversational Agents and the Privacy Threat of Implicit Information
Our first point is that meaning that is expressed implicitly is an integral part of natural language, implying that agents that have the ability to engage in a fully humanlike dialogue will also have the ability to manipulate implied meaning. As a result, such agents will be capable of acquiring sensitive information about users that is not directly stated. Users have little awareness of or control over information that is implicitly communicated. Our second point is that in today's search and recommender systems user profiles are not explicitly stored. As a result, it is not obvious that a user is being targeted on the basis of implicit person-specific information.
Article: An Institutional View Of Algorithmic Impact Assessments
This Article combines insights from governance, organizational theory, and computer science to analyze how future AIA regulations will be implemented on the ground. Institutional logics, such as liability avoidance and the profit motive, will render the first goal—early consideration of social impacts—difficult in the short term.
Article: Is That Your Final Decision? Multi-Stage Profiling, Selective Effects, and Article 22 of the GDPR
* Provisions in many data protection laws require a legal basis, or at the very least safeguards, for significant, solely automated decisions; Article 22 of the GDPR is the most notable.
* Little attention has been paid to Article 22 in light of decision-making processes with multiple stages, potentially both manual and automated, and which together might impact upon decision subjects in different ways.
Article: Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018
These results suggest that current regulatory guidance may not provide complete incentives for firms to invest in cybersecurity capabilities, particularly for small- to medium-sized breaches.
Handbook: Handbook on non-discriminating algorithms
Algorithms are used increasingly frequently for risk-based operations and automated decision-making. However, this approach carries a great risk, especially with machine-learning systems, namely, that it is no longer clear how the decision-making takes place.
Article: Smartphone platforms as privacy regulators
Tool: Assembling Accountability: Algorithmic Impact Assessment for the Public Interest
The Algorithmic Impact Assessment is a new concept for regulating algorithmic systems and protecting the public interest. Assembling Accountability: Algorithmic Impact Assessment for the Public Interest is a report that maps the challenges of constructing algorithmic impact assessments (AIAs) and provides a framework for evaluating the effectiveness of current and proposed AIA regimes.
DPIA follow-up: Google mitigates 8 high privacy risks for Workspace for Education
Google has agreed to act as data processor for the Diagnostic Data about the individual use of the services. In the role of data processor Google may only process the personal data for the three (fixed) purposes authorised by the schools and universities, instead of the current 17 dynamic purposes.
Complaints: noyb files 422 formal GDPR complaints on Cookie Banners
NOYB has filed 422 complaints with ten EU data protection authorities. The move came after it sent written warnings and draft complaints to more than 500 companies on May 31, 2021.
About 42% of all violations were remedied within 30 days. However, 82% of all companies have not fully stopped violating the GDPR (meaning, some fixed some of the violations and some didn’t fix them at all.)
Report: Beyond Debiasing: Regulating AI and its Inequalities
EDRi's latest report, authored by Agathe Balayn and Dr. Seda Gürses, argues that policymakers must tackle the root causes of the power imbalances caused by the pervasive use of AI systems. In promoting technical ‘debiasing’ as the main solution to AI-driven structural inequality, we risk vastly underestimating the scale of the social, economic and political problems AI systems can inflict.
Blog: Embedding the new standard contractual clauses in IT contracts
The new SCCs will not only affect new agreements but also existing agreements after a short transition period. The SCCs require a due assessment of the data transfer and provide for the possibility of suspending the transfer, which might impact the continued performance of the related agreement.
List: Currently pending CJEU 🇪🇺 data protection cases by Legalbeetle and their details by FPF
What are the questions that the Court is asked to clarify next? This overview includes a preview of the most interesting cases where the CJEU is expected to weigh in.
Compliance: AWS provides some features for adjusting data protection settings in Web Services and new SCCs form part of Data Protection Addendum
Compliance: Microsoft updates its Products and Services Data Protection Addendum
Mapping: GDPR Guide to National Implementation by White & Case
The GDPR does not create total uniformity. Despite the fact that it is a Regulation, the GDPR does not create completely identical privacy and data protection rules across all Member States. Instead, it permits or requires Member States to implement specifications or restrictions on certain rules set out in the GDPR.
Mapping: Global Comprehensive Privacy Law Mapping by CNIL and IAPP
Tool: SCCs Generator
Technology
Whatsapp, backdoors and traceability
The ostensible goal of the new legislation is to make it possible for police to track down those who originate or disseminate this content. Put simply, what the authorities say they want is a means to identify a piece of content (for example, a video or a meme) that has gone to a large group of people, and then trace the content back to the WhatsApp account that originally sent it.
Article: Wireless Charging Power Side-Channel Attacks
This paper shows that today’s wireless charging interface is vulnerable to power side-channel attacks; a smartphone charging wirelessly leaks private information about its activity to the wireless charger (charging transmitter).
Article: Light Ears: Information Leakage via Smart Lights
In this paper, we design and evaluate novel attacks that take advantage of light emitted by modern smart bulbs in order to infer users’ private data and preferences. The first two attacks are designed to infer users’ audio and video playback by a systematic observation and analysis of the multimedia-visualization functionality of smart light bulbs.
Cyber attacks by state actors - seven moments to stop an attack.
This publication by the AIVD and MIVD provides insight into the threat of cyber attacks and practical tips for recognizing and preventing an attack.
Media
Afghans are racing to erase their online lives
Fingerprinting ad blockers, or: How Your Ad Blocker Can Track You Across the Web
🇳🇱 Dutch developments
Licence plate cameras also scanned faces and used them for investigations without a legal basis
Case law
Rechtbank Rotterdam: EUR 2.5k non-material damages for a single long-lasting unlawful processing
[N]ow that the respondent, by retaining and processing the reports containing the applicant's personal data, has acted in breach of the GDPR and has thereby violated the applicant's right to respect for her private life. As regards the amount of the compensation to be determined, it is relevant that the privacy-sensitive personal data were retained by the respondent for a period of approximately ten years, despite several requests by the applicant to destroy the data. The court considers it sufficiently plausible that during those ten years the applicant's personal data were processed and that several persons and/or bodies were able to take note of their contents without being entitled to do so, and that the applicant suffered non-material damage as a result.
By retaining and processing reports containing the applicant's sensitive personal data, the Municipal Executive (college van B&W) acted in breach of the GDPR. The Executive violated her right to respect for her private life. This qualifies as an injury to the person (Article 6:106b BW).
The court takes into account that the sensitive personal data were retained for ten years despite repeated requests for deletion. There is therefore a high probability that several persons and organisations viewed the data, unlawfully, during those ten years. The court therefore awards damages of EUR 2,500 instead of the EUR 25k claimed.
Rechtbank Den Haag: Claims for non-material damages do not fit within data subject requests (Articles 15-22 in conjunction with Article 35 GDPR)
Rechtbank Amsterdam: British citizen sues Microsoft Ireland in the Netherlands
The Dutch court declares that it has no jurisdiction to hear the request.
Rechtbank Rotterdam: Right of access extends to audio recordings
5.8 [name of respondent] claims that Magnum Fx be ordered to provide, within two weeks after service of the judgment, a digital copy of all audio recordings it made of telephone conversations between Magnum Fx and third parties engaged by it
6.4 orders Magnum Fx to provide, within two weeks after service of this judgment, a digital copy of all audio recordings it made of telephone conversations between Magnum Fx and third parties engaged by it
Rechtbank Midden-Nederland: Police officer committed computer trespass by looking up her dates in police systems
The defendant made unauthorised use of police systems through non-work-related queries. The court qualifies this as intentionally and unlawfully intruding into a computerised work within the meaning of Article 138ab of the Dutch Criminal Code. The court qualifies the use of login credentials for purposes outside the limits of her authorisation as the use of a false key within the meaning of Article 138ab(1)(c) of the Dutch Criminal Code.
Government
10 concrete information security and privacy protection requirements for connecting to CoronaCheck
Requirement 1. Application by a legally authorised representative
Requirement 2. Compliance with NEN-7510/7512/7513
Requirement 3. Compliance with NTA-7516
Requirement 4. Secure data transport
Requirement 5. Modern encryption ciphers
Requirement 6. PKIoverheid certificates
Requirement 7. DPIA
Requirement 8. Websites compliant with W3C standards
Requirement 9. Pentest of the systems in the CoronaCheck chain
Requirement 10. Internet.nl qualification for websites and email addresses
Compliance with European privacy rules by government bodies
State Secretary Knops (BZK) answers questions about compliance with the European privacy rules of the GDPR at (implementing) agencies. The answers briefly describe what each government body has set up for GDPR compliance and give little insight into where the pain points are.
Police state in their 2020 annual report that they do not comply with the GDPR
The maturity of privacy management is not yet sufficient. The Privacy sub-portfolio gives direction to the required development. In certain cases it is not yet possible to meet all conditions. This is partly a matter of time (mitigate) and is partly caused by an overly complex Wpg (Police Data Act) (accept). The latter is currently being rewritten by the department. In addition to the residual risks, this risk is also accepted.
Police hack with commercial software that carries privacy risks, according to the Inspectorate of Justice and Security (Inspectie JenV)
In addition, in 2020 commercial software was used in almost all cases, where the supplier has access that the police cannot restrict or control. The Inspectorate concludes that as a result, risks cannot be ruled out regarding the reliability of evidence obtained through the hacking power and the privacy of the data subjects.
Privacy scan of Burgernet by BMC
Not in all cases are the formal roles and responsibilities in the cooperation between the participating parties sufficiently described. [...] To prevent possible ambiguities in the future, a number of recommendations are made. These mainly concern formalising the role of the Police as controller, the role of the LPB and the role of the participating municipalities. In addition, some recommendations are made to increase transparency towards data subjects and to further specify the security requirements for the processors.
Police use controversial Chinese drones for investigations
The police state that they ‘cannot rule out that their data ends up on Chinese servers.’
Ethnic profiling: we do not have to accept it
The Sociale Verzekeringsbank (SVB) will shortly publish a register of frequently used algorithms
That register lists which algorithms the SVB uses and how they work. A list of contact persons for requesting technical information will also be published.
Compliance & supervision
SURF Taskforce Beyond Privacy Shield with use cases
The Court of Justice of the European Union has invalidated the EU-US Privacy Shield. This has major consequences for the use of services by SURF and its members. Only by working together can we make progress on this complex topic.
Media
FD: Mega fine for WhatsApp. Transparency sounds good, but barely improves privacy
The European watchdogs demand of WhatsApp, and thus of every organisation, that they write down in the smallest detail which data are used for which purposes and under which conditions; moreover, this often even has to be done in the difficult terminology of the GDPR. The supervisors also take the view that this paper tiger can no longer be presented to the web user in summarised and ‘layered’ form (that is, in a short click-through pop-up) if that would lead to ‘somewhat incoherent’ provision of information.