Icelandic DPA fines InfoMentor

Icelandic DPA fines InfoMentor for a data breach affecting hundreds of children from 2019.

The Icelandic Data Protection Authority has fined the company InfoMentor EUR 23,100 for not ensuring the proper security of personal data of several data subjects, mainly affecting children. According to this report from the EDPB, in an incident reported in February 2019, their system, Mentor, an information system for schools and other parties which provides services for working primarily with children, was subject to a data breach. A vulnerability on their part led to the six-digit system number of each user being visible in the URL of a particular page within the Mentor system. This resulted in unauthorised parties gaining access to the personal information of these students, including the national identification numbers and avatars of over 400 children.

At its core, this data breach was caused primarily by human error, including a delay in fixing a vulnerability that the company had been aware of.

InfoMentor acknowledged that the company had been aware of the vulnerability which led to this data breach, and that a solution had already been created. However, due to human error, the solution was not fully implemented in their Mentor system until after the data breach had already occurred. This data breach could have been avoided had those vulnerabilities been addressed once the relevant persons had been made aware of them. In addition, InfoMentor sent national identification numbers of students affected by the data breach to the wrong schools and data protection officers in error.

The Icelandic DPA fined InfoMentor based on the number of data subjects affected, and the fact that those affected were children.

The rights and freedoms of children were directly affected by this data breach. The most significant factors considered by the Icelandic DPA in determining the administrative fine were the number of data subjects directly and potentially affected, and the fact that the data subjects are children. The Icelandic DPA also considered that InfoMentor's main activity is the development and operation of an information system intended for schools and other entities working with children. On the plus side, there was no indication of harm suffered by the data subjects as a result of this breach. In addition, InfoMentor has taken numerous steps to improve their security and address the vulnerabilities which caused this breach, affecting the personal data within their system.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports” are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates or passes, as they would preferably be called, are proposed to be a QR code with information on a person’s status with regard to the COVID-19 virus. The specifics of the information may be pertaining to the vaccine and have details on which vaccine was taken and when it was administered, or it may contain information on a negative COVID-19 test and the date on which the last test was taken. This scannable code may also contain information on antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from this virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless, for anyone traveling during this global pandemic. 

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published, on March 17th, the proposal for a Regulation of the European Parliament and of the Council on the issuance, verification and acceptance of certificates of vaccination, testing and recovery for third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic. The EDPB & EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specific to the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent with, and does not in any way conflict with, the application of the GDPR.

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy and data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only aid by helping citizens trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO) in its ‘interim position paper: considerations regarding proof of COVID-19 vaccination for international travelers’ stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.”

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper-based formats, to ensure the inclusion of all citizens, regardless of their level of engagement with technology. The organisations also call for clarification of the proposal's stance on the manner in which these certificates will be issued, whether automatically or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”.

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross-border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the union during the COVID-19 pandemic”. The EDPB and EDPS recommend the inclusion of a reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data for the issuance and verification of interoperable certificates, as acknowledged in Recital 37.

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge, and may renew these certificates to bring the information up to date, or replace them as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as any modifications, shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons.

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPB and EDPS consider that the justification for the need for each personal data field needs to be clearly defined in the Proposal. In addition, the organisations ask that further explanation be provided as to whether all of the categories of personal data provided for are necessary for inclusion in the QR code for both digital and paper certificates. They note that data minimisation can be achieved using an approach of differently comprehensive data sets or QR codes. In addition, the organisations note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that, given the scope of the draft proposal and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should be limited only to COVID-19 and its variants.

The EDPB & EDPS reiterate the importance of adequate technical and organisational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organisations suggest that privacy and security measures should be specifically structured to ensure compliance by the controllers and processors of personal data required by this framework. The opinion states that controllers and processors should take adequate technical and organisational measures to ensure a level of security that is appropriate to the level of risk of the processing of this personal data, in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures which are adopted.

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple Member States by persons traveling throughout the EU. They also suggest that the Proposal should clarify the role of the Commission with regard to data protection law in the context of the framework, guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR with regard to the storage of personal data, as well as clarification of the storage period that Member States should not exceed beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarify whether, and when, any international transfers of personal data are expected, as well as the safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes for which this data is exchanged, according to the framework.

EDPB published VVA guidelines

EDPB published VVA guidelines in the context of the GDPR

The EDPB published VVA guidelines giving context to the use of Virtual Voice Assistants in compliance with the GDPR.

Recently, the EDPB published its guidelines for the use of virtual voice assistants. A virtual voice assistant (VVA) is a system that understands and executes voice commands and works with other IT systems if needed. It acts as an interface between users and their devices or online services like search engines. These services are very popular, particularly with the integration of smart devices and smart homes. Due to the popularity of these devices in the home, in vehicles and even being worn by users, they are often given access to quite a bit of information on individuals, often of an intimate nature, which could threaten users’ rights to privacy. As a result, VVAs have come under major scrutiny from several data protection authorities. The EDPB, by releasing these guidelines for the use of virtual voice assistants, seeks to give guidance on the application of these systems in the context of the GDPR as well as other applicable legal frameworks.

VVAs use machine learning methods which require the collection and interpretation of large amounts of voice data.

Virtual voice assistants rely very heavily on machine learning methods in order to perform their wide range of tasks. For starters, these devices usually have a wake-up command, for example either pushing a button or saying a command word, which wakes the device up and puts it into active listening mode. VVAs typically depend on large data sets being collected, selected and labeled. Both quality and quantity of data are equally important in these scenarios and, as a result, VVAs typically depend on snippets which give context to the use of the devices and service in real conditions. In some circumstances the VVA can capture, in error, audio of individuals who did not intend to use the VVA service: for example, where the wake-up expression is accidentally detected, or where the wake-up expression has changed and the user has accidentally woken up the device by using the new wake-up expression unbeknownst to them. For this reason, among several others, it is imperative that VVA services function in compliance with the GDPR, particularly regarding the storage of data.

The guidelines set out by the EDPB outline the legal framework for VVAs regarding not just the GDPR, but in some cases, the e-Privacy Directive.

Because VVAs will undoubtedly process significant amounts of personal data, the relevant legal framework for VVAs is the GDPR. In addition to the GDPR, for all actors who require storage of, or access to, information stored in the terminal equipment of a subscriber or user, the e-Privacy Directive sets a specific standard. The term “terminal equipment” refers to smartphones, smart TVs, or any similar IoT devices. VVAs should also be considered terminal equipment when information in the VVA is stored or accessed. In all of those cases, the provisions of the e-Privacy Directive are applicable. The VVA guidelines published by the EDPB provide guidance on the identification of data processors and stakeholders, transparency, processing of children’s data, processing of special categories of data, as well as many other elements of data protection relating to VVAs.

The EDPB published VVA guidelines, specifically outlining mechanisms for exercising Data Subject Rights.

The EDPB has suggested several mechanisms for exercising data subject rights. These include the right to access, right to rectification, right to erasure, and the right to data portability. Data controllers must allow all users, whether registered or not, access to all of those rights. The data controllers must provide information on the data subjects’ rights, at best when a data subject turns on a VVA, or at the very latest when the first user voice request is processed. Since the main interaction intended for VVAs is using voice commands, and a portion of VVA users are persons with disabilities who require voice assistance, VVA designers should ensure that users can exercise any of their data subject rights using easy-to-follow voice commands. The EDPB suggests implementing specific tools in the development of VVAs, providing efficient and effective ways to exercise data subjects’ rights.

Do you provide VVA services or smart devices that use VVA services? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

EDPB Guidelines on the targeting of social media users overview

On 2nd September, the EDPB adopted their Guidelines 8/2020 on the targeting of social media users, which aim to clarify the implications that these practices may have on privacy and data protection.

Most social media platforms allow their users to manage their privacy preferences by enabling the option to make their profiles public or private. Pictures, videos and text are not the only personal information processed in this context though: what about analytics used to target social media users? Analytics are also personal data and they should be managed and protected accordingly. The European Data Protection Board (EDPB) is aware of the risks this creates to the fundamental rights and freedoms of individuals and has published these guidelines to provide their recommendations with regard to the roles and responsibilities of targeters and social media providers.

Actors involved in social media targeting

The EDPB explains the concepts of social media providers, users and targeters as follows:

  • Social media providers should be understood as providers of online platforms that enable the development of networks and communities of users, among which information and content is shared.
  • Users are the individuals who are registered with the service and create accounts and profiles whose data is used for targeting purposes. This term also comprises those individuals who access the services without having registered.
  • Targeters are defined as natural or legal persons that communicate specific messages to the users of social media in order to advance commercial, political, or other interests, on the basis of specific parameters or criteria.
  • Other actors who may be also relevant are marketing service providers, ad networks, ad exchanges, demand-side and supply-side platforms, data brokers, data management providers (DMPs) and data analytics companies.

Identifying the roles and responsibilities of the various actors correctly is key in the process, as the interaction between social media providers and other actors may give rise to joint responsibilities under the GDPR.

Risks to the rights and freedoms of users

The EDPB highlights some of the main risks that may be derived from social media targeting:

  • Uses of personal data that go against or beyond individuals’ reasonable expectations.
  • Combination of personal data from different sources.
  • Existence of profiling activities connected to targeting.
  • Obstacles to the individual’s ability to exercise control over his or her personal data.
  • Lack of transparency regarding the role of the different actors and the processing operations.
  • Possibility of discrimination and exclusion.
  • Possible manipulation of users and undue influence over them.
  • Political and ideological polarisation.
  • Information overload.
  • Manipulation over children’s autonomy and their right to development.
  • Concentration in the markets of social media and targeting.

Relevant case law

The EDPB analyses the respective roles and responsibilities of social media providers and targeters through the relevant case law of the CJEU, namely the judgments in Wirtschaftsakademie (C-210/16) and Fashion ID (C-40/17):

– In Wirtschaftsakademie, the CJEU decided that the administrator of a so-called “fan page” on Facebook must be regarded as taking part in the determination of the purposes and means of the processing of personal data. The reasoning behind this decision is that the creation of a fan page involves the definition of parameters by the administrator, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page, using the filters provided by Facebook.

– In Fashion ID, the CJEU decided that a website operator can be considered a controller when it embeds a Facebook social plugin on its website that causes the browser of a visitor to transmit personal data of the visitor to Facebook. However, the liability of the website operator will be “limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means”; therefore the website operator will not be a controller for subsequent operations carried out by Facebook after the data has been transmitted.

Roles and responsibilities of targeters and social media providers

Social media users may be targeted on the basis of provided, observed or inferred data, as well as a combination thereof.

In most cases both the targeter and the social media provider will participate in determining the purpose (e.g. to display a specific advertisement to a set of social media users who make up the target audience) and means (e.g. by choosing to use the services offered by the social media provider and requesting it to target an audience based on certain criteria, on the one hand, and by deciding which categories of data shall be processed, which targeting criteria shall be offered and who shall have access, on the other hand) of the processing of personal data; therefore they will be deemed to be joint controllers pursuant to Article 26 GDPR.

As pointed out by the CJEU in Fashion ID, the joint controllership status will only extend to those processing operations for which the targeter and the social media provider effectively co-determine the purposes and means, such as the processing of personal data resulting from the selection of the relevant targeting criteria, the display of the advertisement to the target audience and the processing of personal data undertaken by the social media provider to report to the targeter about the results of the targeting campaign. However, the joint control does not extend to operations involving the processing of personal data at other stages occurring before the selection of the relevant targeting criteria or after the targeting and reporting has been completed.

The EDPB also recalls that actual access to personal data is not a prerequisite for joint responsibility, thus the above analysis would remain the same even if the targeter only specified the parameters of its intended audience and did not have access to the personal data of the affected users.

Legal bases of the processing

It is important to note that, as joint controllers, both the social media provider and the targeter must be able to demonstrate the existence of a legal basis pursuant to Article 6 GDPR to justify the processing of personal data for which each of the joint controllers is responsible.

In general terms, the two legal bases that are most likely to apply are legitimate interest and the data subject’s consent.

In order to rely on legitimate interest as the lawful basis, there are three cumulative conditions that should be met:

– (i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed;
– (ii) the need to process personal data for the purposes of the legitimate interests pursued, and
– (iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

In addition, opt-out should be enabled in such a manner that data subjects are not only provided with the possibility to object to the display of targeted advertising when accessing the platform, but are also provided with controls that ensure the underlying processing of their personal data for the targeting purpose no longer takes place after they have objected.

Legitimate interest will not be suitable in some circumstances, though, and consent will therefore be required in those cases. Intrusive profiling and tracking practices for marketing or advertising purposes that involve tracking individuals across multiple websites, locations, devices or services, or data brokering, are some examples.

The EDPB further notes that the consent collected for the implementation of tracking technologies needs to fulfil the conditions laid out in Article 7 GDPR in order to be valid. They highlight that pre-ticked check-boxes by the service provider which the user must then deselect to refuse his or her consent do not constitute valid consent. Moreover, based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity would not under any circumstances satisfy the requirement of a clear and affirmative action, because such actions may be difficult to distinguish from other activity or interaction by a user, which means that determining that an unambiguous consent has been obtained would also not be possible. Furthermore, in such a case, it would be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.

The controller that should be in charge of collecting the consent from the data subjects will be the one that is involved first with them. This is because consent, in order to be valid, should be obtained prior to the processing. The EDPB also recalls that the controller gathering consent should name any other controllers to whom the data will be transferred and who wish to rely on the original consent.

Finally, where the profiling undertaken is likely to have a “similarly significant [effect]” on a data subject (for example, the display of online betting advertisements), Article 22 GDPR shall be applicable. An assessment in this regard will need to be conducted by the controller or joint controllers in each instance with reference to the specific facts of the targeting.

The EDPB welcomes comments to the Guidelines until 19th October.

You can learn more about joint controllership in our recent blog Joint controllership: key considerations by the EDPB.

Are you targeting social media users? You may need to adapt your processes to comply with the GDPR and the EDPB Guidelines. We can help you. Aphaia provides GDPR, Data Protection Act 2018 and ePrivacy adaptation consultancy services, including data protection impact assessments, CCPA compliance and Data Protection Officer outsourcing.