
EU Data Protection Update Q1-2024

What were the most important data protection topics in the first quarter of 2024 in the EU?

The data protection landscape seems to choose one or two dominant topics for every quarter, maybe just to avoid sensory overload. In this fashion, the first quarter of 2024 saw increased regulatory activity in the field of employee data protection and monitoring in the workplace. In particular, administrative fines were handed out, but the respective privacy regulators also gave help and guidance.

But before we dive deeper into this focal topic, let's look into the more general developments in the field of privacy.

General Developments

The first five years of the GDPR – as CNIL sees them

The French data protection agency CNIL released an assessment of the first five years of the GDPR and what the new law has done to the privacy landscape. The GDPR has now been in force for six years, but it took some time to compile all the necessary data.

The data compilation mostly focuses on reports of data breaches to the French DPA. The good news: the reporting system works. The bad news: because it works, it is hard to compare data. There is an increase in reports over the years, but it is unclear whether this is a result of more incidents or just of companies getting more used to reporting as such. If broken down by sector, it is interesting how many incident reports come from public bodies and the administration.

Lots of work to do in the public sector to make it safer.

Governments take action to limit commercial spyware

Governments of eleven countries are taking action to combat commercial spyware. Such nasty software has become a real threat and is widely abused in the commercial but also the political realm to spy on opponents and dissidents. Such misuse endangers trade secrets and the freedom of expression alike.

For those reasons it is imperative that the proliferation of such tools is tightly controlled.

In practice, this seems difficult, and so the to-do list of the initiative manages to impress only mildly. It lists items such as export control and raising awareness among industry partners and civil society groups. Not exactly an edgy plan.

Poland looks into political use of spyware

On the topic of spyware and its abuse even in – democratic! – countries: the Polish parliament is investigating the alleged use of the infamous "Pegasus" spyware in Poland. More to the point: the former PiS government of the country is suspected of having used the snooping tool against political opponents.

Pegasus has wide ranging capabilities. On mobile phones, it can not only access data, but also activate sound and video recording. In short: a nightmare.

Extent and quality of data storage affected by the GDPR

The US National Bureau of Economic Research (NBER) has looked into the cost of data storage under the GDPR and how it has developed in the six years of its existence. No surprise here: the added complexity of compliance and the hefty cost of enforcement have raised those costs. By about 20%, which is rather substantial.

The good news is that this led to a rethinking of data strategies in many companies. Businesses may collect less data, but that data can often be of higher quality.

And that would be a beneficial side effect of the GDPR for business.

Cyber Resilience Act passed in legislative action

On 12.3.2024, the European Parliament finally passed the new Cyber Resilience Act which aims to make the digital infrastructure in the EU more secure and resilient (the hint is in the name) against all kinds of nefarious activity and attacks.

The idea is not only to make sure that new products are safe when introduced to the market, but also to keep them up to date during their lifecycle. To that end, they are sorted into buckets according to the risk they pose and then treated accordingly.

The Cyber Resilience Act governs not only hardware such as phones, switches, computers and such, but also software.

Enforcement

On the enforcement side of data protection, the first quarter of 2024 saw no big cases in the ongoing crackdown on big tech, no billions requested from social media behemoths. But the full picture of the "medium-big" cases was instructive nevertheless. It shows the sheer breadth of compliance issues that are still present in many data processing organizations.

Let's have a look.

Questions around cookies never seem to get old. Datatilsynet, the Danish Data Protection Agency, had to decide on a case where users could access parts of a website without consenting to cookies being set, but for premium content like videos and blog posts consent was required.

Datatilsynet found such consent not to be valid, as there is no free choice: if visitors want the content, they have to give consent. They are not offered an alternative option, such as a paid subscription.

Norwegian Labour Agency NAV fined by Norway's DPA

While in today's world of big data and social media we often think of personal information needing protection vis-à-vis private companies, privacy regulation originated in a healthy distrust of the state. The government holds a host of sensitive data, and they need to be protected.

To that end, the Norwegian DPA conducted an inspection of the Labour and Welfare Agency (NAV) and found data protection practices wanting. In particular, the safeguarding of confidentiality through access control was not up to standard: it was not clear who could access which data, when and how.

As the data in question were sensitive and the affected data subjects vulnerable, a high fine of 20 million NOK (1.73 million Euro) was handed out.

Fine for online retailer for mandatory consumer profiles

Unspecified data retention periods and the forced creation of customer profiles were the reason for an 850,000 Euro fine handed out by the Finnish DPA against an online retailer.

Customers could only make purchases if they created an account with the fined retailer – there was no choice to buy "on the fly". The privacy watchdog saw this as unlawful, and indeed most other retailers offer options to buy without creating a permanent record, so quite obviously it is possible.

At the same time, the retention period for data was undefined. The retailer argued that customers can always request the deletion of their data. But that is, of course, a hassle and only a minor fraction of data subjects will actually do it.

The decision is currently being challenged in court and it will be instructive to see the result.

Italian bank fails in security resulting in massive data leak

Italy's Garante imposed a fine of 800,000 Euro on a bank and on the company carrying out the security tests for said bank.

The background of the story is a massive data breach and theft of customer data on the mobile banking portal affecting almost 800,000 customers. Some access PINs were acquired as well.

When looking into the case, Garante found several privacy violations and insufficient technical and organizational measures. To make matters worse, the deadline for reporting the data breach to the authorities was not kept.

Klarna fined for lack of transparency about the processing of customer data

Data protection is also about information. People have a right to know what happens to their data.

In Sweden, Klarna, a payment group, gave insufficient information about how it stored customer data. It was unclear how, why, and for how long the data would be processed. Needless to say, financial data are of a sensitive nature.

Therefore, the Swedish DPA imposed an administrative fine of 733,000 Euro on Klarna. Klarna challenged the decision in court but lost.

Credit card processor fined for missing data protection impact assessment

Staying for a bit in the world of finance, the Dutch DPA Autoriteit Persoonsgegevens fined credit card processor International Card Services BV 150,000 Euro.

The company processed customer data without conducting a data protection impact assessment first. This, however, was required as the activities affected a large number of people and involved sensitive financial data and, furthermore, in some cases photos of faces and IDs.

We at Engity believe that the fine was rather mild. Such data open the door to identity theft if stolen.

Yahoo sets cookies on users' machines – whether users agree or not

France's data protection authority CNIL handed a 10 million Euro fine to Yahoo.

Yahoo placed up to 20 cookies on the computers of users visiting some of its sites without proper consent. Furthermore, when users wanted to withdraw their previously given consent, Yahoo informed them – or rather: threatened – that they could lose access to the desired content and services.

Any consent under what is essentially a threat is, of course, not freely given.

Spanish utility fails to report massive data breach – fine issued

In the last case in our enforcement section, the Spanish AEPD handed out a fine of 6.1 million Euros to the utility company Endesa Energía. AEPD found a whole number of GDPR violations and dealt with them separately, adding up to a relatively whopping total.

The main issue in the case, however, was the failure on the side of Endesa Energía to report a data breach affecting up to 6.5 million customers. That incident was made worse by the fact that the company did not properly protect the data on its systems by using encryption or anonymization, making the theft more dangerous to the data subjects. Identity theft and loss of control over one's own data may be the results.

Developments

There is no end to interesting and thrilling developments in the field of data protection. Some of those are even more exciting than the ones in previous quarters, as new laws are being applied for the first time.

EU starts enforcing the DSA by requesting information

The Digital Services Act (DSA) is still a relatively new device in the regulatory toolbox. The act specifically targets so-called Very Large Online Search Engines (VLOSE) and Very Large Online Platforms (VLOP).

To know what those entities are doing in particular, the EU commission has sent out information requests to players such as Google, Bing, Facebook, Instagram, Snapchat, TikTok, YouTube, and X.

This request is meant to find out whether and what further steps should be taken. It will be interesting to see the Commission's conclusion, as this is the first large-scale action under the DSA and no precedent exists.

AI and data scraping – a report by the OECD

Data scraping was always a hotly debated topic. But the issue was turbocharged by AI as advanced systems need gargantuan amounts of data to be properly trained. It seems, however, that national data protection laws can do little to regulate or even guide the fast paced development in the field of AI.

To understand the landscape, the OECD issued an article on how it thinks legislators should respond to the challenge. The piece analyses existing legislation but eventually concludes that a better and internationally harmonized approach with input from all stakeholders is needed.

It fails, though, to recommend a very concrete plan of action or a process for arriving at one.

Better cybersecurity cooperation between EU and US

The cyber landscape becomes more and more a battleground for low-intensity warfare, nefarious acts, and outright criminal activity. Therefore, cyber resilience becomes ever more important.

To this end, the EU and the US agreed on a Joint Cyber Safe Products Action Plan. The idea is to mutually discuss cybersecurity requirements and align regulatory actions and legislative activities.

TikTok under investigation in the EU

Few social media platforms raise as much concern as TikTok. Some see it as harmless fun, others as a tool to dumb down whole populations and a platform to wage information warfare.

The EU commission tends towards the latter camp and opened a probe into TikTok, in particular in the context of the targeting of minors. The investigation will be carried out under the Digital Services Act – a tool specifically designed to look into and limit the practices of big social media platforms. The DSA stipulates rules on content moderation, user privacy and transparency. Rules the EU commission suspects TikTok of not observing properly.

Employee Monitoring

Considering the amount and severity of cases and developments, the focal topic of Q1/2024 was employee monitoring. While such monitoring can be justified under certain conditions, it must be conducted in compliance with GDPR principles and requirements. Employers need to balance their legitimate interests with employees' privacy rights, ensuring that monitoring is necessary, proportionate, and transparent.

And in that, they often fail.

Amazon appeals a 32 million Euro fine handed out by CNIL, France's DPA

According to France's data privacy watchdog CNIL, Amazon uses excessive video surveillance in its warehouses, tracking the working speed and break times of its employees and retaining them in profiles. CNIL sees this as intrusive and not observant of the principle of data minimization. Furthermore, the system is inadequately secured, using shared accounts and weak passwords. In short: a dystopian nightmare.

Amazon appeals the fine mainly on the grounds that it thinks the facts are inaccurate and the system is necessary to manage the operations.

Italy's Garante fines waste disposal companies over facial recognition software

Garante, Italy's DPA, took action against companies using facial recognition software to track their employees, deeming such use of biometric data to be an overreach.

What is interesting about the case is that the companies worked at the same disposal site and shared the tracking system without using proper technical and organizational measures to make sure that access to the data collected is granted only to the respective employer. To top it off, no clear and comprehensive information on the data processing was given to the employees affected.

Garante found that there are much less intrusive ways to track employee attendance at the workplace.

Garante approves Code of Conduct of Italy's Employment Agencies

The Code of Conduct proposed by Assolavoro, Italy's Association of Employment Agencies, specifies good practices for data processing in the context of HR activities. Furthermore, it provides for a monitoring board that can verify members' observance of the code.

Some of the measures set forth in the code are:

These kinds of initiatives give members reasonable safety in their activities by providing a yardstick, and also level the playing field. For those reasons, Garante, Italy's DPA, approved of the Code of Conduct.

We should hope to see more of this.

Iceland's DPA issues fine for improper employee monitoring

Last but not least, Persónuvernd, Iceland's DPA, handed out a fine for electronic monitoring of employee attendance. The fine is small, but the reasoning behind it is instructive.

The operator of a fast-food restaurant in Iceland used CCTV cameras to monitor their employees. To that end, they took screenshots of the footage and recorded what the employees were doing at the given time. Persónuvernd's investigation found that the employees were not even told that they would be surveilled, nor did they have access to the results of the program.

But more importantly, the DPA found that there simply was no need to use such a system in the first place. Such a need could only be deemed given if, for example,

Administrative guides

DPAs and other organizations continue to provide helpful tools and guidance to the private as well as the public sector to ensure better data protection compliance.

Iceland's DPA gives advice on pictures of minors

Persónuvernd, Iceland's data protection authority, gave very hands-on advice on posts of minors online and in social media. The advice focuses mainly on the confirmation season, a big event in Iceland, where countless pictures of the event are taken and published.

As we know, "confirmation" is linked to religion and thus per se sensitive. But as we also know, at the end of a confirmation party, everybody will be drunk and not in their best shape.

Therefore, a bit of guidance is welcome.

European Data Protection Board creates website auditing tool

The EDPB, the European Data Protection Board, launched a tool that allows for the analysis of website compliance with the GDPR. While the tool is primarily intended to be used by auditors, the EDPB released the source code for anybody to use freely. Hence, the tool may also be used by Data Protection Officers (DPOs), consultants or simply in the context of internal compliance auditing.

Private Sector

Not just the public but also the private sector saw a lot of developments and initiatives in the first quarter of 2024.

Glassdoor now has a real-name policy

Glassdoor is a popular online platform that provides company reviews, salary information, and job listings to help job seekers make informed career decisions. The platform also includes interview reviews and insights into company cultures, aiding job seekers in their preparations. Stories posted on Glassdoor can affect the ability to attract talent considerably.

Up until now, employees could anonymously share their workplace experiences and compensation details. That was convenient but also led to rampant abuse, such as fake reviews by people who never actually worked at a given employer.

To remedy this, Glassdoor has now updated its privacy policy and asks users to verify names and email addresses.

Microsoft's EU cloud customers may store their data regionally

Processing EU data on cloud servers in, say, the USA, is a data transfer. Technically, such transfer is less of a legal problem than it used to be as the USA and the EU agreed on a transfer mechanism, the EU-US Data Privacy Framework. Based on that, the EU commission has released an adequacy decision, basically declaring the US a safe country.

In practice, of course, US intelligence authorities have wide reaching means and permissions to monitor all kinds of data – and they do. Therefore, many EU customers are uneasy with important personal data or trade secrets being transferred out of the EU.

Microsoft listened and allowed EU cloud customers to store their data regionally in the EU. This will later include local support, so that even temporary data transfers out of the EU can be avoided.

We at Engity welcome that initiative. At the same time, it does not really solve the underlying issue. As long as the US Patriot Act and US Cloud Act are in force, US companies will have to hand over data to US authorities even if such data are stored in the EU. Microsoft knows this all too well, as it sued the US government over that practice – and lost.

Apple changes its OS and services towards DMA compliance

One of the EU's major tech legislations of the past years has been the Digital Markets Act (DMA). The main objective of the DMA is to ensure fair and competitive digital markets within the European Union. The DMA aims to prevent large online platforms, known as "gatekeepers," from abusing their dominant market positions.

It goes without saying that Apple, with its dominant position especially in the mobile market, is one such gatekeeper.

To comply with the DMA, Apple is making changes to iOS, Safari, and the App Store. One such major change is that developers will be able to create and users to access alternative marketplace apps in the US, and Apple will provide them with the necessary frameworks and APIs to do so.

Other changes pertain to more choice in browsers, different default app controls in the EU, and alternative payment systems. A bit more anarchy, but also a bit more freedom.

Court Decisions

German court issues verdict on mandatory requests for birthday data

The Oberverwaltungsgericht Niedersachsen, a German administrative court of appeals, ordered that an online pharmacy cannot ask customers (mandatorily) for their birthday.

The retailer argued that they needed the birthday to verify the identity of the customer and make sure they are of age – important for a pharmacy which also sells products with restricted access and only available by doctor's prescription.

The court, however, did not see why specifically the date of birth would be needed here. The retailer possesses the name and address of the customer and can simply ask whether or not they are of age.

This may not be a breakthrough case, but it shows that data minimization is to be taken seriously.

ECJ rules on data controller liability

The European Court of Justice (ECJ) looked into the question of when and under which circumstances a data controller is responsible for processing carried out on its behalf. Just to refresh our memories on the GDPR: the data controller is responsible for the legitimacy of data processing and has to make sure that the processor is reliable. At the same time, a controller cannot be held responsible if the processor goes "rogue" and starts processing data for its own purposes.

In the case at hand, the Lithuanian Ministry of Health had commissioned a Covid-19 app from an IT provider. The app later found its way onto the Play Store, and both the ministry and the provider were listed as data controllers. However, the ministry did not know about this, nor did the two parties enter into a joint controllership agreement.

The ECJ found the ministry to be liable for the actions of its processor – them "taking over" controllership. The argument is that the ministry could have prevented the IT provider from going rogue by stricter controls and better oversight but failed to do so.