New cookie guidance, joint controllership status due to social media plugins, and tech companies spying on you through their digital assistants - they might be listening when you ask Google or Siri for the route back home from France. The weeks from the 20th of July to the 10th of August were hectic. Instead of going through piles of news around data privacy from the summer months, get quickly caught up with this summary of the most important happenings. This short blog post is the second of a three-piece series and focuses on the last two summer months.
India possibly seeking adequacy status within GDPR framework
India will approach the EU seeking the status once the country finalises and passes its own Privacy legislation, two people intimately familiar with the matter said. The Indian IT industry derives almost 30% of its revenues from Europe.
Facebook’s cryptocurrency Libra under fire
Facebook's planned cryptocurrency has received a chilly response from several regulators, non-profits and politicians, all expressing concerns about the project. Representatives of the global community of data protection and privacy enforcement authorities have joined forces to put out a joint statement on the privacy risks posed by the Libra digital currency and its infrastructure.
Facebook reaches record breaking $5 billion settlement with US FTC
The US Federal Trade Commission settled with Facebook on a $5 billion penalty over the tech giant’s handling of user data following the Cambridge Analytica breach. Cambridge Analytica had accessed the data of 87 million Facebook users through an app posing as a psychological test. The company then used this data to try to influence the US presidential election by assisting the campaign of the current president of the USA, Donald Trump.
French DPA (CNIL) fines insurance company Active Assurance €180.000: customers’ data freely available
CNIL received a complaint from a customer stating that he had been able to access other users’ data. The accounts were accessible via hypertext links found on a search engine and by slightly changing the URL. Among the accessible files were drivers’ licences and bank statements, as well as documents on licence withdrawals and hit-and-runs.
Greek DPA warns PWC with 150,000 euro fine for GDPR infringements
The Greek DPA conducted an investigation into the processing of personal data by PriceWaterhouseCoopers Business Solutions SA (PWC BS) in response to a complaint. Employees were found to be required to give consent to the processing of their personal data. Consent under the GDPR means offering individuals real choice and control. Given that an employer is in a position of power over an employee, the employee is unlikely to be seen as giving consent freely. This meant that a legal ground for the processing was missing. Additionally, PWC BS was found to have violated the principle of accountability set out in Article 5(2) of the GDPR by shifting the burden of proof of compliance onto the data subjects.
German regulator bans Google from listening to Google Home recordings for three months across Europe
Hamburg’s DPA has banned Google from listening to conversations recorded on Google Home devices for three months across Europe from the first of August onwards. The authority opened an investigation after it became clear that Google had been listening to conversations, even when users had not activated the device by saying the phrase “Ok Google”. In a statement on its website, the regulator said using digital assistants from Google, Apple, and Amazon is “a high risk to the privacy” of consumers. The regulator added that both Amazon and Apple would likely be subject to an investigation.
In related news: Amazon has digital assistant Alexa’s voice recordings listened to not only by its own employees, but also by temporary workers in Poland working from home. Also related: Apple’s assistant Siri sends audio fragments for analysis that can easily be linked to users.
OPINIONS, GUIDANCE, JURISPRUDENCE
Boris Johnson chosen as Prime Minister of the UK - ICO guidance on Brexit
With Johnson's election, a no-deal Brexit has become more likely. The new Prime Minister has made it clear that there will be ‘no ifs or buts’ on Brexit day - 31 October 2019. What this would mean for privacy and data protection remains to be seen. In the meantime, the UK’s DPA ICO put forward this guidance.
EDPB adopts guidelines on data processing through video devices
The guidelines provide examples of data processing for video surveillance. It should be noted, however, that these examples are not exhaustive in nature. If you or your company uses video surveillance, please examine the guidance.
CNIL and ICO publish revised cookie guidelines
The guidelines contain similarities:
Both CNIL and ICO consider rules that apply to cookies also applicable to any device that stores or accesses information.
They stress that users must give specific, free and unambiguous consent before cookies are placed.
Scrolling cannot be considered as consent.
Obtaining consent from T&Cs is not lawful.
Browser settings alone are not a sufficient basis for valid consent.
These practices violate Art. 7(2) of the General Data Protection Regulation (GDPR), according to which the request for consent shall be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
All parties who place cookies must be named so that informed consent can be obtained.
They also differ in some regards, however:
CNIL states that the new guidance only applies to the processing of cookies within the activities of an establishment of a controller or processor in France, regardless of whether the processing takes place in France. The ICO’s guidelines do not contain such a clause.
CNIL has spoken out clearly against cookie walls. They are considered non-compliant with GDPR due to the negative consequences for the user in case of refusal. ICO has not yet taken up a clear position - it is of the opinion that a consent forced on the basis of a cookie wall is probably not valid, but the GDPR has to be weighed against other rights.
Concerning analytical cookies, CNIL explains that consent is not always necessary: namely, not if the cookies meet certain cumulative requirements formulated by the CNIL. ICO does not exempt analytical cookies from the consent requirement.
Finally, CNIL notes that companies have six months to comply after their guidelines have been published in an official statement (which is still pending). ICO does not provide companies with such an adjustment period.
Fashion ID: embedding social media plugins may trigger joint controllership
The ECJ delivered judgement in the Fashion ID case, which will have a significant impact on all websites that have embedded plugins such as the Facebook “Like” button. Simply embedding such a plugin can make the website operator a controller jointly with the plugin owner with respect to the collection of personal data, giving the operator serious data protection responsibilities.
A German consumer protection association initiated legal proceedings, claiming that embedding the Facebook “Like” button made Fashion ID, an online clothing vendor, liable for data breaches. The personal data of visitors to the website is transmitted to Facebook as soon as the page loads, regardless of whether the visitor is a member of the network or has clicked the button. The transmission occurs without the consent or knowledge of visitors.
Although the case considered the processing under the predecessor of the GDPR, the DP Directive (Directive 95/46/EC), the principles considered remain applicable under GDPR and may provide guidance.
The ECJ held that with regards to data processing carried out by Facebook Ireland after that data has been transmitted, Fashion ID is not a controller because Fashion ID could not possibly determine the purposes and means of those operations.
On the other hand, the ECJ concluded that Fashion ID is a controller jointly with Facebook Ireland in respect of the operations involving the collection and transmission of data to Facebook Ireland. The Court reasoned that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations.
For joint controllers, this has the following consequences:
• Liability of each controller only extends to processing for which that controller actually determines the purposes and means of processing.
• Joint controllers require a legal basis for the transfer of personal data to other joint controllers.
• If that basis is legitimate interest, each must separately satisfy the legitimate interests test.
Prior to collection and transfer of personal data, operators of websites that embed social media plugins must:
• Provide fair processing information to visitors with regard to those operations for which they are joint controller, meaning those for which they determine the purposes and means of processing. For the Facebook “Like” button, this concerns only the collection and transmission of personal data.
• Obtain prior consent with respect to those operations for which they are joint controller.
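A consent gate for embedded plugins, written here as an added example (it is not code from the post, CNIL, ICO or the Fashion ID case): it names every vendor that would place cookies, accepts only an explicit click as consent, records proof of that consent, and fetches the plugin script only afterwards, so nothing is transmitted on page load the way an embedded "Like" button otherwise does. Vendor ids, purposes and URLs are constructed placeholders, and `domInjector` is a hypothetical browser-side helper.

```javascript
// Added example: defer loading of third-party plugin scripts until explicit consent.
// Vendor ids, purposes and URLs are constructed placeholders, not real endpoints.
const PLUGINS = {
  "facebook-like": {
    url: "https://example.invalid/fb-sdk.js", // hypothetical plugin script
    purpose: "Like button: collection and transmission of visitor data to the plugin owner",
  },
  analytics: { url: "https://example.invalid/analytics.js", purpose: "Audience measurement" },
};

// Only an explicit user action counts as consent. Scrolling, browser defaults and
// acceptance of general terms are rejected, mirroring the CNIL/ICO guidance above.
const VALID_METHODS = new Set(["explicit-click"]);

// `inject(url)` is the side effect that actually loads a script; passing it in lets the
// gate run in a browser (see domInjector) as well as in a test harness.
function createConsentGate(inject, now = () => Date.now()) {
  const records = new Map(); // vendor id -> proof of consent (accountability record)
  const loaded = new Set();
  return {
    // Every party that would place cookies, so the consent request can name them all.
    vendors: () => Object.entries(PLUGINS).map(([id, p]) => ({ id, purpose: p.purpose })),
    grant(id, method) {
      if (!PLUGINS[id]) throw new Error(`unknown vendor: ${id}`);
      if (!VALID_METHODS.has(method)) throw new Error(`not valid consent: ${method}`);
      records.set(id, { method, grantedAt: now() });
      // The script is fetched only here, never on page load, so no visitor data
      // reaches the vendor before consent; a repeated grant does not load it twice.
      if (!loaded.has(id)) { inject(PLUGINS[id].url); loaded.add(id); }
      return records.get(id);
    },
    revoke: (id) => records.delete(id), // an already-loaded script needs a reload to stop
    hasConsent: (id) => records.has(id),
    isLoaded: (id) => loaded.has(id),
  };
}

// Hypothetical browser-side injector: appends the vendor script to <head>.
function domInjector(url) {
  const s = document.createElement("script");
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// In a browser: const gate = createConsentGate(domInjector); then wire
// gate.grant(id, "explicit-click") to the per-vendor buttons of the consent dialog.
```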
BREACHES, HACKS, AND INCIDENTS
Privacy problems for Twitter and Instagram
Both Twitter and Instagram admitted that they’ve had privacy issues regarding the personal data of users in connection with external advertising companies.
Twitter posted a statement explaining that the choices users made in their settings regarding ads on Twitter, especially those on data sharing, were not always respected. The statement adds that the problems were fixed on August 5, 2019 and that no personal data such as passwords or email accounts was affected.
Instagram had to admit that its trusted partner Hyp3r tracked millions of users’ location data and also secretly saved users’ stories. Hyp3r specialises in location-based advertising. Instagram ended the cooperation with Hyp3r and stated that it changed the platform to protect users. The data protection problems of the Facebook-owned app are not over, however: according to Bloomberg, millions of young users switch to business accounts in order to get access to detailed analytics, surrendering privacy rights in the process.
Russian FaceApp goes viral, privacy concerns spring up all over Europe: false alarm?
Picture editing app FaceApp, which became popular on social media, was confronted with various concerns about its privacy practices. FaceApp was accused of not explaining that images are uploaded to the cloud for editing, as well as of uploading not only the selected image but the entire camera roll.
Netherlands warns agencies of potential software data privacy issues
A new report filed on behalf of the Netherlands Ministry of Justice and Security warns state agencies that using Microsoft Office Online, Office mobile apps, and Windows 10 Enterprise carries privacy risks. The Dutch government will continue to negotiate with Microsoft to bring the software within the scope of the new privacy terms. For the time being, however, SLM Rijk advises refraining from using the software or opting for the lowest possible level of data collection. The news follows the German state of Hesse barring its schools from using Microsoft Office 365 over privacy fears, and Microsoft’s subsequent acquisition of BlueTalon, a data privacy and governance service platform.
Dutch student finance agency DUO suspends use of tracking software
The Dutch agency acknowledged it violated privacy laws when it was discovered it used tracking software in its communications with students. The software indicated whether an individual opened an email. After the Dutch DPA, Autoriteit Persoonsgegevens, informed DUO it “very likely” violated privacy regulations, the finance agency then announced it would suspend its use of the software. Similar software is widely used in business communications, the difference being that receivers of these are informed of the tracking.
30% of European businesses not GDPR compliant
Almost a third of European businesses are still not compliant with the GDPR. This number was gathered from a survey conducted by accounting firm RSM and the European Business Awards amongst 300+ companies.
Study shows ‘anonymised’ data lacks privacy
In the research, a whopping 99.98% of Americans were correctly re-identified using just 15 characteristics, including age, gender, and marital status: "While there might be a lot of people who are in their thirties, male, and living in New York City, far fewer of them were also born on the 5th of January, are driving a red sports car, and live with two kids (both girls) and one dog." The Russian intelligence service FSB seems to have known this before the researchers: hackers who breached an FSB contractor revealed its deanonymisation plans.
Oxford PhD student reveals faults in DSAR responses
Oxford PhD student James Pavur contacted UK and US firms to research how they would handle a Data Subject Access Request (DSAR) made in someone else's name. He exposed 60 distinct pieces of personal information about his girlfriend. These included past purchases, 10 digits of her credit card number, its expiry date, issuer, her past and present addresses, as well as breached usernames and passwords. What is to be learned from this? Well, statistics on the actions performed by the 83 firms known to have held data about his partner might help:
39% asked for a copy of an ID
24% supplied personal information without verifying the requestor's identity
16% requested an easily forged type of ID that he did not provide
13% ignored the request
5% falsely stated they had no data to share
3% misinterpreted the request and said they had deleted all her data