Privacy In Focus | July

July 19, 2024

by Olena Nechyporuk

We bring you a round up of articles and updates in the data sphere

Friday, 19h July 2024

EDPB to Change DPAs into MSAs

On 16th July 2024, the EDPB released a statement, establishing that since Data Protection Authorities (DPAs) already have experience dealing with the impact of AI on human rights, in particular the right to protection of personal data, they should therefore be designated as Market Surveillance Authorities (MSAs). According to the AI Act, Members States shall appoint MSAs at national level before 2 August 2025, for the purpose of supervising the application and implementation of the AI Act.

This would ensure better coordination among different regulatory authorities, enhance legal certainty for all stakeholders and strengthen the supervision and enforcement of both the AI Act and EU data protection law.

Read more

---

ICO Reprimands London Borough of Hackney

The London Borough of Hackney was issued a reprimand from the ICO following a cyber-attack in 2020 which affected at least 280,000 residents. The hackers attacked the local government's systems - accessing, encrypting, and in some instances exfiltrating records containing personal data. The records revealed racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and other data. The hackers encrypted the data and then deleted 10% of the council’s backup before the council managed to intervene.

In the investigation of the data breach, the ICO found lack of proper security, which included the failure to change an insecure password on a dormant account still connected to Hackney council servers which was exploited by the attackers.

Read more

---

CJEU Re-establishes TikTok as a Gatekeeper

On 5 September 2023, the Commission designated Bytedance Ltd (of which TikTok is a subsidiary) as a gatekeeper under the Digital Markets Act (DMA). In November 2023, Bytedance applied for an annulment of that decision. The Court, at Bytedance's request, decided to look into that decision. As of today, 17th July 2024, the judgment is that Bytedance is indeed a gatekeeper under the DMA, based on the fact that Bytedance met the quantitative thresholds laid down in the DMA regarding its global market value, the number of TikTok users within the European Union.

Read more

---

Netherlands Fines Drugstore Over Cookies

The Dutch Data Protection Authority (AP) has imposed a fine of 600,000 euros on the company behind the drugstore Kruidvat. The company collected data from website visitors and was able to use this to create personal profiles of these people. This is very sensitive information due to the specific nature of drugstore products. Items such as pregnancy tests, contraceptives or medication for all kinds of ailments, when linked to location data (which can be traced via the IP address) of the unique visitor, can create a very specific and invasive profile of the person.

In the cookie banner on Kruidvat.nl, the boxes 'agree' to the placement of tracking software were checked by default, which is not permissible. Visitors who still wanted to refuse the cookies had to go through many steps to achieve this. The AP has found that personal data of website visitors to Kruidvat.nl had been processed unlawfully.

Read more

---

ICO Calls on Water Companies to Release Information

On the 15th of July, the ICO has written to 12 water companies, calling on them to proactively disclose information relating to sewage discharges on a monthly basis. In May 2024, they issued six water companies - Anglian Water, Severn Trent Water, South West Water, Northumbrian Water, United Utilities and Yorkshire Water - with decision notices requiring them to disclose the start and stop time of sewage discharges. The ICO noted that information about ‘emissions’, which includes sewage discharges, as a special category of information, has no grounds to be omitted from public knowledge in most cases.

Read more

---

Friday, 12th July 2024

NOYB Releases Cookie Banner Report

NOYB is partially responsible for the fact that we have the option to 'reject' cookies, and that most of the non-necessary cookies are unticked by default. The European Data Protection Board established a "cookie banner taskforce" in September 2021 largely due to cookie banner complaints from NOYB. On July 11, 2024 NOYB released a report providing a comparison of EDPB recommendations with national DPA positions.

Read the report here

---

Guidance on AI and GDPR Within the UK From the ICO

The EU AI Act is published in the EU Official Journal today, enabling lots of businesses to re-examine how they approach AI and personal data. What about the UK? While the UK has no legislation that would regulate AI completely as of yet, there are certain standards to uphold. The ICO has published a guide on how to use AI and personal data appropriately and lawfully. It covers such basics as:

- AI-made decisions

- Collecting data for developing AI systems

- Addressing AI bias

- How to carry out DPIAs with AI

- Data minimisation

Read more

---

EU AI Act Becomes Officially Published

Today, the 12th of July 2024, the long-awaited EU AI Act, that was passed as law in March 2024, is published in the EU Official Journal. This means that it becomes binding law 20 days later. This is a happy day for many privacy advocates and AI experts, as the EU is leading the first ever comprehensive law to regulate AI and ensure it is as safe as possible in use. As it becomes enforced, we are certain many countries will look upon the EU to gauge how to create and apply AI regulation in their own territories.

Read more

---

Ticketmaster Warns Customers 2 Months After Hack

Ticketmaster was hacked in May 2024, and has only now issued emails to their Canadian customers to "be vigilant and take steps to protect against identity theft and fraud." The personal details of 560 million Ticketmaster customers were stolen in the hack, which included encrypted credit card details.

During the investigation, it was revealed that the hackers had taken data from Ticketmaster by stealing login details from Snowflake, the company it uses for its cloud storage account. Over 160 other Snowflake clients have been targeted in the same way. Banking group Santander was one of those affected - 30 million of its customers in Chile, Spain and Uruguay were hacked.

Ticketmaster is urging customers to monitor their online accounts, including bank account statements, for any suspicious activity, and is encouraging customers to sign up for identity monitoring services. “Identity monitoring will look out for your personal data on the dark web and provide you with alerts for 1 year from the date of enrolment if your personally identifiable information is found online,” the company said.

Read more

Read our initial story about the Ticketmaster hack here

---

Do You Read Your Apps' Privacy Notices? You Should!

The amount of data that phone apps collect about your screen time, usage habits, location, tracking and a whole host of personal information can be astounding. We encourage people to read the Privacy notifications that appear when you download new apps to be aware of what information you will be sharing. The area where such personal information is most sensitive is in period and fertility apps. When downloading those, make sure:

- Is the privacy notice clearly written and easy to understand?

- Will they delete your data when you don’t want to use the app anymore?

- What measures do they have in place to prevent hackers from accessing your personal information?

- Who are they sharing your information with?

- Are you happy with where your personal information could end up?

The ICO has released a set of how-to videos to help people navigate the app privacy notices

---

Protect Your Neurodata: Have Your Say

The recent boom of neurotechnology's ability to record and intervene on neural brain activity promises scientific and clinical advantages, and raises important ethical, legal and societal risks. Information about a person's nervous system activity may allow for inferences about their motor activities, perceptions, and cognitive and affective processes - all of which constitute highly sensitive data.

A recent NeuroRights Foundation study examined privacy practices in the consumer neurotechnology market. Companies demonstrated significant gaps in compliance across the areas of data collection and storage, data sharing, user rights, and data safety and security. In light of this, UNESCO has launched a Global Consultation on the first draft of the Recommendation on the Ethics of Neurotechnology. Anyone can share their concerns and views.

The deadline for submitting your opinion is the 12th of July 2024. Privacy and data protection matters - share your view!

Read More

---

Thursday, 4th July 2024

Brazil Blocks Meta User's Data from AI Training

On the 2nd of July, Brazil's national data protection agency (ANPD) said it would immediately suspend Meta's latest privacy policy, which allows it to train generative AI models such as chatbots based on posts from its users. If Meta fails to comply it will face a daily fine of R$50,000 (£6,935).

"This is a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil," a Meta spokesperson said. Brazil has 102 million Facebook users and more than 113 million Instagram users, so that is a significant drop in trainable data for the company.

Read more

---

Spain to Introduce Porn-Passports

The Spanish government is launching an initiative to prevent under-18s from watching porn. In the beginning of July 2024, Madrid unveiled an app that would verify the age of someone who would like to access porn websites. Once verified, they'll receive 30 generated “porn credits” with a one-month validity granting them access to adult content.

The app is called the Digital Wallet Beta (Cartera Digital Beta) and will be available by the end of summer. There are plans that eventually, Madrid's porn passport is likely to be replaced by the EU’s very own digital identity system (eIDAS2) — a so-called wallet app allowing people to access a whole range of public and private services.

Read more

---

The Future of Advertising: CNIL Weighs In

According to a recent Arcom study, "digital advertising will represent 65% of the advertising market by 2030." Chrome announced recently it will limit third-party cookies, and the rise of 'consent-or-pay' systems also put potential consumers behind a protective paywall.

What should digital advertising look like in the future, and how should it be done correctly to not put data protection at risk? CNIL talk with two experts to hear their opinion.

Read more

---

Vinted Fined 2 Million Euros

The Lithuanian DPA issued an administrative fine to Vinted of 2,385,276 Euros for violation of the GDPR. This follows from an 2021-22 investigation whereby Vinted users complained about being denied Subject Access Requests by the company, and for having no clear data storage retention periods.

When considering the amount of the fine, the cross-border data flows and high number of complaints were taken into consideration.

Read more

---

Boarding Passes: The Privacy Threat

Oftentimes after travel, the printed boarding passes and luggage tags get carelessly disposed of in airport bins, hotel rooms and sometimes simply left in the front seat pocket in the airplane. Ms Forte describes her discovery on how easy it is to scan the barcode or QR code in a boarding pass and get access to a whole host of intimate personal details. Such free software is freely available on the App Store.

This makes it incredibly easy to steal data via phishing emails by posing as an airline worker, for example. Use these principles when flying, especially when flying to a country you are new to:

- Don’t post pictures of your boarding pass or luggage tags online.

- Try to avoid identifying which airline you are flying with in any social media posts. If someone does not know which airline you were using it would take a lot longer and a lot more effort to go through trying each airline’s website flying that route to find the one you were using.

- Destroy your boarding pass and luggage tags securely. Use a cross cut shredder ideally. Keep them in your possession until you return home and you can dispose of them securely.

- Only give the airline the information it marks as essential when booking your flight. If it is not marked as a compulsory field then leave it blank. Reduce the amount of personal information they hold on you in the first place.

Read more

---

Understanding the Harm From Ransomware Attacks: A Victim Perspective

A paper published by The Royal United Services Institute (RUSI) - the world’s oldest and the UK’s leading defence and security think tank - aims to understand the wide range of harm caused by ransomware attacks to individuals, organisations and society at large.

The paper analyses the average victim experience, analysing the timing of the incidents, the level of preparation of security measures, human factors such as pre-existing work-place dynamics, engagement with third-party service providers and what manner of communication campaigns were used after the ransomware attacks.

"Understanding how ransomware attacks are personally felt by victims and what factors aggravate or alleviate the harm they experience is key for policymakers seeking to implement measures to minimise harm as much as possible."

Read more

---

CNIL Publishes Second Set of How-To Sheets on AI

On June 2nd, 2024 CNIL published a second set a how-to sheets to show how the General Data Protection Regulation (GDPR) enables the promotion of innovative and responsible AI. This follows on from a first set of recommendations recently published after a public consultation.

The topics covered include:

- Legitimate interest is the most common legal basis for the development of AI systems

- Web scraping practices can be implemented but must be particularly supervised

- Open source dissemination is a positive practice in many respects and for data protection in particular

- The information and exercise of people’s rights must be at the heart of stakeholders’ thinking

Read more

---

Meta Guilty of Breaching the DMA

The European Commission announced on the 1st of July that it has informed Meta of its preliminary findings that its “pay or consent” advertising model fails to comply with the Digital Markets Act (DMA). The issue of the 'pay-or-okay' model is the main question in dispute.

As per Article 5(2) of the DMA, Meta:

- Does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the “personalised ads” based service.

- Does not allow users to exercise their right to freely consent to the combination of their personal data.

Meta now has to reply in writing to the Commissions preliminary findings.

Read more