EU Data Protection Update Q4-2023
We often start our data protection digest by noting that there is no such thing as a "boring quarter" in this space. And this holds true for Q4/2023 as well.
The EU is working hard on extending the free flow of data outwards by lowering hurdles for cross-border flows to Japan (more agreements are in the pipeline, e.g., with South-Korea), and inwards, by extending the common market in the digital realm. At the same time, businesses and administration must get ready to implement the NIS2 cybersecurity directive and the upcoming Data Act.
Data protection watchdogs were still very busy finding out how and from which angle to tackle the challenges that AI poses for privacy and compliance. At the same time, enforcement action often happened in rather mundane situations, reminding us of the fact that data protection also applies to everyday cases.
And, of course, the quarter also saw private initiatives, court action, and data breaches.
Let's dive into the details.
Legislative Action
Steps towards an EU health data space
The EU is attempting to do something that many member countries (including my home country, Germany) did not manage on their turf to do so far: digitize health data and create a European Health Data Space (EHDS).
The idea is to extend the single market and make national healthcare systems more compatible with each other. To this end, interoperability between existing national electronic systems will have to be achieved. As health data are particularly sensitive data (Art. 9 GDPR), emphasis will be placed on cybersecurity and data protection.
Ambassadors of the EU member states have agreed on a mandate for the EU Council to shape a regulation to this end and negotiate with the EU parliament.
Data Act adopted by Council of the EU
In previous data protection digests we have already reported about the progress of the EU Data Act that has finally been adopted on 27. November 2023.
The Data Act seeks to harmonize access to data across the EU and to find a balance between use and protection of such data as well as a fair regulation of who can profit. As a side effect, the Data Act should make it easier for citizens to switch between providers by creating portability rights and requiring interoperability standards.
The Data Act strives to make the EU a leader in the data-driven society. Whether or not that will work in practice remains to be seen: So far, the track record of the EU – and its member states – when it comes to digital and data driven services, is patchy.
EU-Agreement on EU Digital Identity Wallet
One far reaching but not often discussed idea of the EU is the creation of a digital wallet that can be used to authenticate citizens and give access to both, public and private services, as well as to store, share and electronically sign documents. Basically, this is an EU-wide ID.
The idea of a centralized, electronic identity is, in equal measures, promising and terrifying – depending on how well it is done. It can be an empowering move, making life in the union easier, or a Kafkaesque nightmare.
On 8. November 2023, the EU Parliament and the Council reached a provisional agreement regarding the project.
In practical terms, the wallet will be open-source and transactions done involving it will have the same legal standing as written form.
Should the wallet come to be, digital signature services such as HelloSign or signNow will have to compete against it. That may, in fact, be a good thing, as the legal standing of e-signatures provided through private services is not always fully transparent.
EU and Japan finalize their data transfer agreement
After connecting the USA to the European Data Space through the EU-US Trans-Atlantic Data Privacy Framework, the EU is making another step in removing roadblocks in cross-border data flows: This time with Japan, by means of a new Economic Partnership Agreement.
An adequacy decision for Japan had already been in place since 2018. The Economic Partnership Agreement strives to streamline data flows even further by removing administrative requirements and data localization as well as storage duties. This basically means, that companies may store their data wherever they see fit.
Administrative data protection initiatives
European Cybersecurity Month
October 2023 was the 11th EU Cyber Security Month. The idea was to raise awareness regarding online safety, hacking threats, social engineering, phishing, ransomware, and malware. The official theme of this year's edition: "Be smarter than a hacker". Activities, events, tools, and tests were offered to that end.
The US joined in with a parallel initiative, the "Cybersecurity Awareness Month".
The EU, rightly, is in particular concerned about the state of cybersec in small and medium-sized enterprises (SMEs).
As we have often reported, awareness regarding cyber security indeed needs to be improved. Threats, turbocharged by AI, are on the rise, while at the same time we, the people, are still often use the same, unsecure password across many online services.
In each issue of our data protection digest, we have to report on hacking and data incidents in both, the private and public sector.
Spain's DPA provides an assessment tool for cryptography
Agencia Española de Protección de Datos, Spain's DPA, released a browser app that can help evaluate encryption systems. No data are being stored or recording, instead the tool monitors the suitability of cryptographing systems present.
The idea is to enable data processors as well as controllers and sub-processors to assess compliance of their data processing activities. Advisors and auditors may find the tool helpful as well.
Guidance on data protection using AI chatbots
The aptly named Datenschutzstelle, Liechtenstein's DPA, gives helpful guidance on the use of AI powered chatbots. Such systems have become very popular as they allow for text- and speech-based communication in natural language between people and machines.
They pose, of course, many compliance and data protection issues. Even more so, as they are typically cloud based and have to extensively store, process, and evaluate user input.
Businesses using such chatbots have to make sure they choose the right legal basis for processing, observer transparency obligations, and are aware of existing legal uncertainties. All of those topics are discussed in the guidance.
BaWü DPA offers guidance on AI related data processing
On a similar vein, the Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg published a paper discussing views and giving advice on data protection in connection with AI systems.
The idea is to enable data processors to already use Artificial Intelligence in a compliant manner in their data processing activities, even though EU regulations are still in the making. Therefore, the paper is meant to be a "living document" that will be amended on a regular basis to keep track with the latest developments.
Data Controllers therefore may want to bookmark the page.
Enforcement
20m NOK fine to Norwegian Labor and Welfare Administration
Data protection violations do not just happen in the private, but also the pubic space. Datatilsynet, the Norwegian DPA, handed out a NOK 20m fine against the Norwegian Labor and Welfare Agency (NAV).
In detail, the data protection watchdog found 12 violations of data protection regulations, mainly in the domain of lacking or not sufficient technical and organizational measures (TOMs).
Datatilsynet takes this case seriously, as the amount and sensitivity of the data concerned is high. The DPA describes the data processing as being "grossly mishandled over a long period of time".
Devastating.
French DPA issues many sanctions over employee monitoring
CNIL, the French DPA, issued a string of sanctions over (too far reaching) employee monitoring practices such as geolocation and continuous video surveillance.
Employee monitoring is not illegal per se. But there needs to be a very good reason in place and the measures used must be balanced and proportionate vis-à-vis the rights of the affected employees. Therefore, as CNIL found, it is an overshoot to monitor people during their break times or subject them to continuous video surveillance without a proper justification.
Italian DPA fines 10m Euro for unlawful data processing
Garante, the Italian DPA, fined a utility company 10m Euro. Many customers complained to the supervising authority, that the utility company processed outdated or simply wrong data of customers and potential customers. The company often simply treated citizens as if they were customers, supplying them with electricity and gas and issuing invoices – without the "customers" asking for such services: the utility obviously simply did not know better.
The case highlights that data protection also "spills over" into the law of competition and consumer protection.
EU Commission investigates X
X, formerly known as Twitter, may, according to the EU Commission, be in breach of the EU Digital Services Act (DSA). Therefore, the Commission instigated a formal investigation to clarify the matter, focusing on risk management, content moderation and dark patterns, advertising transparency and data access for researchers.
As so often, the initial complained was filed by Noyb, Max Schrems's data protection campaign. Schrems is the person who has two decisions of the European Court of Justice (ECJ) named after him, while X is a so called "Very Large Online Platform" (VLOP), and thus subject to specific rules under the DSA.
Depending on the findings in the case, the Commission may take further enforcement steps, such as interim measures, and non-compliance decisions.
Italy's DPA to look into practices around AI training data
Garante, Italy's DPA, has a history of looking into AI related matters – we have reported extensively. Little wonder that Garante started an investigation – mainly a fact-finding mission – into data collection practices for algorithm training.
The idea is to make sure that websites adopt security measures preventing the scarping of personal data to train AI algorithms. Garante invites trade associations, consumer associations, experts and academics to contribute and comment. Enforcement measures may follow.
Court Decisions
Alphabets data processing seen under the angle of competition law
Data Protection is, of course, the topic of very specific compliance rules and regulations, such as the GDPR. It does, however, also play a role in other areas of law such as in competition law. The idea here is that if a company ignores data protection regulations it might, at the time, get an unfair advantage of the competition. Hence, not only the data protection authorities might look into privacy practices but also, for example, the antitrust office. This is especially relevant for in the case of large digital companies wielding overwhelming market power.
We already have reported about a probe of the Bundeskartellamt – Germany's antitrust authority – into Google's data processing. The Kartellamt and Google now have agreed on guidelines on how to give users more control over the use of their data across Google's services. For many processing activities, Google committed to ask users for their free, specific, informed, and unambiguous consent.
Meta facing 550 million Euro lawsuit – under competition law
AMI, a Spanish association of media and newspaper outlets, is suing tech giant Meta (owner of Facebook and Instagram) for a good 550 million Euro in damages for alleged systematic data protection violations.
In its core, the litigant claims that Meta did not seek the required consent from its users regarding the processing of their data for advertising profiling. AMI argues that this created an unfair advantage as it allowed Meta to better sell its ads than the competition could.
Prospects for the lawsuit are looking good asi Meta was indeed fined by the Irish Data Protection Commission (DPC) in January 2023 on those very grounds. Meta was profiling customers and targeting ads on the legal grounds of contractual necessity. The DPC found that insufficient and requiring consent – the very argument that AMI is making in the lawsuit at hand.
General Court of the EU does not halt the TADPF
The General Court of the European Union rejected an application to suspend the application of the Transatlantic Date Privacy Framework (TADPF).
The TADPF creates a transfer mechanism under which personal data can be exported from the EU to the US. The required adequacy decision has already been implemented by the EU Commission. We have reported extensively on why we at Engity do not believe that the TADPF will survive in-depth legal scrutiny. Mainly because the TADPF is very similar in content to previous transfer mechanisms Safe Harbor and Privacy Shield, and those were found lacking by the European Court of Justice (ECJ).
Philippe Latombe, Member of the European Parliament, was of the same opinion and therefore asked the General Court in an interim proceeding to suspend the TADPF. The court denied this request without, however, discussing the legality of the transfer mechanism as such. The court did, however, base its decision on a mere technicality: The applicant, Mr. Latombe, could not show the required urgency for an interim decision.
The decision therefore gives no indication on whether or not the courts will eventually nullify the TADPF.
Mr Latombe has already appealed the decision.
ECJ rules on automated decision-making by Schufa
The European Court of Justice (ECJ) found several data processing practices of German credit scoring company Schufa lacking.
In particular, the ECJ took issue with aspects of credit scoring that constitute "automated decision making", which is forbidden under the GDPR. The scoring as such, however, is permitted. Furthermore, the court found several data retention periods of Schufa extending beyond the maximum time limit permitted by law.
"Scoring" is a statistical prediction on the likelihood of future behavior. Schufa provides such scoring specifically on the likelihood of customers paying back debt or a credit in time. The "Schufa-Score" therefore is a very important information on which banks and similar institutions base their decision on granting loans or rolling over credit lines. A bad Schufa-Score can severely hamper access to capital. This is the reason why Schufa finds itself constantly in the crosshairs of consumer advocates and industry associations alike.
ECJ rules on the nature of damages for data incidents and fear of misuse
In a verdict concerning a data breach in the Bulgarian Revenue Agency NAP, the ECJ clarified on 14.12.2023 the non-material nature of damages under the GDPR.
The court made clear that the mere potential for misuse of breached personal data is in itself a reason to demand damages. Even further: the fear the data subject experienced is a non-material damage. In practice, that means that the bar for damages is very low.
The court made also clear, however, that the simple fact that a data incident happened does not mean that the data controller did not employ appropriate technical and organizational measures to protect personal data. It is, however, on the controller to prove that they did.
Private Initiative
Google vs. Device Fingerprinting
Google is making available tools to limit device fingerprinting by hiding IP-addresses from domains that are known to track users.
Fingerprinting is a very controversial technique that allows tracking users across the internet by taking a "fingerprint" of their device. This means condensing the device's characteristics (screen size, memory, browser used etc.) into a single data point, such that the user can be recognized. As this form of tracking does not require any consent (such as setting of a cookie), it is often seen as a particularly harsh violation of user privacy.
Meta encrypts messages by default
Meta, owner of services such as Facebook and Instagram, started to roll-out end-to-end encryption for all messages sent on Messenger. As an option, such encryption has been available since 2016 already.
End-to-end encryption should make it impossible for anybody other than sender and receiver to read message content. Indeed, according to current technical standards, such messaged cannot be deciphered – governments and other actors may, however, install spying software on end devices, where the message content is story in an unencrypted form.
Meta's move did give rise to concerns about bad actors such as child predators being too well protected in their illegal activities.
Meta to offer ad-free version of Facebook, Instagram
Meta announced that it will offer a paid (subscription based) but ad free version of its services Facebook and Instagram in the EU, EEA, and Switzerland. This is done in an effort to comply with the GDPR.
Background of this are decisions by Ireland's DPC, the European Data Protection Board (EDPB), and Norway's DPA that all found Meta's profiling and targeted advertising practices to be inconsistent with current data protection standards.
Both platforms will also be offered in the current – free but ads-based – versions in parallel.
Norway's DPA has already made clear that they will look in Meta's ad-free version as well to find out if other provisions of the GDPR are violated.
AWS to deliver EU based cloud services
In order to comply with EU law, Amazon has started to provide its "AWS European Sovereign Cloud" that will allow customers to not only store data but also metadate solely in the EU. Target customers are mainly regulated industries and the public sector.
We at Engity have doubt that such a cloud can ever be sufficiently protect EU data. According to the US Cloud Act, data can be accessed by US security and intelligence agencies solely based on the fact that company headquarters are based in the US.
Still: a step in the right direction.
Cybersecurity as Data Protection
Does the use of passwords finally come to an end?
Many swan songs have been sung on the end of the password. Many would welcome that, because they are not necessarily user friendly and also not always safe, as often passwords are re-used for multiple services and people struggle to come up with complex passwords in the first place. Thus, the end of classic login-credentials might be beneficial. Yet that end never came. Could this time be different?
Large tech companies, among them the really big ones (Amazon, Microsoft, Google, and the like) are increasingly looking for ways to replace passwords with more modern technologies. Amazon, in particular, is rolling out passkeys in its shopping apps, Google is walking a similar path with its range of apps.
We at Engity have our own thoughts on the end of passwords, and even Amazon, in their respective press release, concedes, that classic credentials will be "around for the foreseeable future".
Dangerous Data Breach in NI police was result of lacking cybersecurity
In our last quarterly digest, we have reported on a severe data breach affecting the Police Service of Northern Ireland. The incident endangered thousands of officers and their families by exposing their personal data, such as names and addresses. Finely sorted in an Excel sheet. Sent out in an email by the Police Service itself.
Investigations show that what happened within the Police Service was simply institutional failure on many levels. Information were not classified by sensitivity, Data Protection Impact Assessments not carried out, the Data Protection Officer (DPO) was not properly involved in decision making.
The fallout is not just a loss or security of officers and reputation of the force, but also a lawsuit that may cost tens of millions of pounds to settle.
Needless to say: Heads rolled as well.
Report on implementation of the NIS2 directive
According to a report issued by Euractiv, European countries are implementing the NIS2 directive, a cybersecurity framework, with varying degrees of speed and success.
Some countries, like Hungary, Czech Republic and, surprisingly, Germany, are over-archivers. That is mostly due to an already very solid implementation of the previous NIS1 directive. Other countries such as Poland and, again surprisingly, Norway, lag behind.
NIS2 has to be fully implemented by October 2024. As the new regulation imposes extensive new duties for public and private sector players, and in particular the critical infrastructure, time is running short.
EU Companies are lagging behind needed level of cybersecurity
At this point in time, studies and surveys find that 80% of EU companies are not yet in compliance with NIS2. In particular, the organization do not yet properly secure their supply chains, as the law demands.
Other deficiencies that need to be addressed are cybersecurity training, assessment of existing security measures, and HR security.
Political Agreement on Cyber Resilience Act
To a certain extent complimentary to NIS2 is the proposed EU Cyber Resilience Act, on which a political agreement was found between the EU parliament and Council.
The Cyber Resilience Act will oblige manufacturers of digital products to implement cybersecurity requirements. Think of things like a smart lightbulb or fridge not being usable for DDoS-Attacks.
Data Breaches
Genetic Data of almost 7 million people leaked
The price for the most embarrassing data leak of the quarter easily goes to Genetic testing company 23andMe that managed to leak very sensitive data of almost 7 million users.
According to information by the company, hackers were able to gain access to login credentials of users who chose a weak password and did not use two-factor authentication.
Even if that is true – and there are doubts considering the size of the data breach – it seems rather negligent for a company dealing with highly sensitive data to not turn on such very basic security mechanisms by default.
This article is a data protection digest and not an advertisement pamphlet, but we cannot resist to point out that simple fact: Had the company used the Engity IAM-system, such data leak would not have happened.