Transparency is not enough: EDPS on targeted advertising

The EDPS says “transparency is not enough” and calls for a prohibition on targeted advertising based on pervasive tracking. 

In a statement, the European Data Protection Supervisor, Wojciech Wiewiórowski, described the current state of cyberspace as a set of figurative “walled gardens”, lamenting that the internet has become “a space of advertising-driven business models and continuous surveillance”. Wiewiórowski favours a form of advertising which does not depend on tracking users’ interaction with content. He takes the stance that “transparency is essential but it is not enough,” and suggests regulatory incentives and restrictions to curb user tracking and the collection of certain types of data for targeted advertising.

The EDPS suggests regulatory incentives in favour of less intrusive forms of advertising. 

Wiewiórowski, in a recent statement, referred to the current business model as an “attention economy”, denouncing the political and ideological polarisation, disinformation and manipulation which appear to result from its very nature. Data protection advocates have been concerned about targeted advertising for many years for this reason. Many of the associated risks have been recognised by authorities, as reflected in the Proposal for a Digital Services Act. He asserts that less intrusive forms of advertising, which do not depend on the user’s interaction with content, should be incentivised in order to encourage businesses to adopt alternative models that already exist.

According to the EDPS, in addition to transparency, perhaps we need further restrictions on the categories of personal data which can be processed for targeted advertising. 

According to the EDPS, “We will need more than increased transparency.” In his recent statement, the EDPS put forward further restrictions on the categories of personal data which can be processed for the purposes of targeted advertising as one way to tackle the risks associated with online advertising. He says that it is time to set clear limits to online targeted advertising, as the current state of the internet is the product of human and political choices and is not set in stone. In his statement, the EDPS says “Special categories of data or other data that can be used to exploit vulnerabilities should not be used to target ads.” He suggests preventing the use of data of vulnerable populations (for example children), claiming that this practice has the ability to affect entire generations in unprecedented ways. While transparency is a necessary part of the equation, the EDPS maintains that transparency alone is not enough, and that more should be done to tackle the ills of targeted advertising.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Clearview AI fined and ordered to remove data

Clearview AI fined by the Italian SA after various GDPR violations, and ordered to remove data and appoint an EU representative.

The company Clearview AI has been fined by yet another EU watchdog, according to this report from the EDPB. The Italian SA has also ordered the company to delete the data of Italians from its database. The company has built its database of approximately 10 billion faces from pictures scraped across the internet. The Italian SA, the Garante, launched an investigation after a report on several issues regarding facial recognition products offered by Clearview AI Inc. The investigation revealed several issues. As a result, the Italian SA imposed a fine amounting to EUR 20 million, ordered a ban on any further collection and processing, ordered the erasure of the data, including biometric data, processed by Clearview’s facial recognition system with regard to persons in the Italian territory, and also ordered the company to designate a representative in the EU.

The investigation by the Italian SA uncovered several infringements by Clearview AI Inc.

The Italian SA’s inquiries were spurred by complaints and alerts, and found that Clearview AI allows the tracking of Italian nationals and persons located in Italy. The inquiries and assessment by the Italian SA found several infringements by Clearview AI Inc. The personal data held by the company were processed unlawfully, without an appropriate legal basis. This includes biometric and geolocation information. In addition, the company violated several principles of the GDPR, including transparency, purpose limitation, and storage limitation. Clearview AI neglected to provide the information required by Articles 13-14 of the GDPR when personal data are collected from data subjects. Additionally, the company failed to designate a representative in the EU.

Clearview AI was fined €20 million and ordered to remove all Italian user data. 

The Italian DPA imposed a fine of €20 million on the company. In addition, the Garante imposed a ban on any further collection, by web scraping techniques, of images and the relevant metadata of persons in the Italian territory. A ban was also imposed on further processing of the standard and biometric data handled by the company via its facial recognition system concerning persons in the Italian territory. The Authority also ordered the erasure of all data, including biometric data, processed by its facial recognition system with regard to persons in the Italian territory. The company is also required to designate a representative in the territory of the European Union, as ordered by the Garante.

Violation of data minimisation leads to administrative fine

The Finnish DPA has fined the Finnish Motor Insurers’ Centre, after this controller was found to be in violation of data minimisation. 

The Finnish DPA has fined the Finnish Motor Insurers’ Centre for failing to adhere to the principle of data minimisation. The company was fined late last year for collecting an unnecessary amount of data from patients for health insurance claims, according to this report by the EDPB. The Finnish Motor Insurers’ Centre’s practices in requesting patient records from health care providers for claims handling purposes were investigated by the Office of the Data Protection Ombudsman. The Finnish DPA found that this controller systematically requested more information than necessary. The controller was fined €52,000 as a result.

The Finnish Motor Insurers’ Centre requested unredacted patient records, which contained more information than is considered necessary for insurance claims.

The Finnish Motor Insurers’ Centre requested unredacted patient records from health care providers in order to settle claims, as it believed it had the right to collect extensive patient information. This information included details of patients’ health care appointments, used to determine whether the health care provider had charged for visits unrelated to the examination or treatment of injuries sustained in the relevant traffic incident. The controller also requested additional information in the event that the health care provider had omitted any pertinent information.

The Data Protection Ombudsman determined that the practice of requesting this extensive information was a violation of the GDPR. 

The Data Protection Ombudsman determined that the controller’s systematic requests for the full patient records of claimants, instead of limiting its requests to the information necessary for claims, were a violation of the GDPR. According to the EDPS, the principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose. The information collected must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The data controller in this case was therefore found to be in violation of the GDPR. The Data Protection Ombudsman stated that the Traffic Insurance Act does not give direct access to all patient records. As a matter of fact, the information requested must be only that which is necessary for the settlement of the claim. In addition, any information on an individual’s state of health should be disclosed to insurance companies in the form of a statement, according to the Finnish Medical Association.

While this decision is not final, as the Finnish Motor Insurers’ Centre has appealed it in the administrative court, a fine of €52,000 has been imposed. The controller was also ordered to bring its practices into compliance.

Data subject right of access: Guidelines by the EDPB

The EDPB recently released guidelines on data subject right of access in the context of the GDPR.

The right of access aims to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data. This is expected to make it easier for data subjects to exercise their rights to erasure and rectification, although it is not a condition of exercising those rights. The data subject right of access is enshrined in both the GDPR (Article 15) and the Charter of Fundamental Rights of the EU. Under the GDPR, this right consists of three components: confirmation of whether or not an individual’s personal data is being processed, access to that data, and information about the processing of this personal data. Essentially, this summarises a data subject’s ability to question, access, and verify any personal data being held by a controller. The EDPB has released its official guidelines on data subject right of access.

Data subject right of access includes the right of confirmation as to whether or not data is being processed, access to the personal data being processed as well as information on the processing of the data.

The right of access can only be exercised regarding personal data which falls within the material and territorial scope of the GDPR. Therefore, an integral part of the assessment carried out by the controller is the differentiation between personal data and other data, identifying the scope of the data which the data subject is entitled to access. Under the GDPR, personal data is “any information relating to an identified or identifiable natural person”. The CJEU ruled that the right of access covers personal data contained in minutes, such as the “name, date of birth, nationality, gender, ethnicity, religion and language of the applicant” and, “where relevant, the data in the legal analysis contained in the minute”. This right of access can be exercised exclusively by the data subject (and in select cases by an authorised person or proxy). It is also important to note that personal data may at times include data relating to another individual; however, this does not automatically mean that the personal data of another individual can and should be shared by a controller. The controller must ensure compliance with Article 15(4) of the GDPR, which states “The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.”

Access requests must be handled within the required time frame, but may be extended by two months if necessary depending on the complexity and number of requests.

Under Article 12 of the GDPR, a controller is required to take action, and to provide the data subject with information on the action taken regarding the access request, without undue delay and within one month of receipt of the request. This deadline can be extended by a controller by a maximum of two months, depending on the number of requests received and their complexity. However, if the initial one-month deadline needs to be extended, the data subject must be informed of the extension, and of the reason why it is necessary, without delay and within the one-month period after the request was received. The EDPB maintains, however, that access requests should be handled without undue delay, meaning the information should be given as soon as possible. The time limit starts when the controller receives the access request. However, where the controller needs to communicate with the data subject in order to confirm the identity of the person making the request, the time limit may be suspended, starting only once the controller has obtained all the information needed from the data subject, provided that the controller requested that information without undue delay.
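
The deadline rules above, as an added example that is not part of the original post or of any EDPB material: a small Python tracker (the names AccessRequest and add_months are assumed) that computes the initial and extended deadlines, pauses the clock until a justified identity check is complete, and treats an extension as ineffective when the data subject was not notified within the initial month. It assumes a calendar month ends on the same date of the following month, clamped to that month's last day.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Add calendar months; a date with no counterpart (31 Jan + 1) clamps to the month's last day."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class AccessRequest:
    """One Article 15 request as tracked by a controller (hypothetical record layout)."""
    received: date
    identity_confirmed: Optional[date] = None   # when all identity details arrived, if any were needed
    extension_months: int = 0                   # 0, 1 or 2 further months claimed by the controller
    extension_notified: Optional[date] = None   # when the data subject was told about the extension

    def clock_start(self) -> date:
        # The month runs from receipt, or from the end of a justified identity check
        return self.identity_confirmed or self.received

    def initial_deadline(self) -> date:
        return add_months(self.clock_start(), 1)

    def final_deadline(self) -> date:
        if not 0 <= self.extension_months <= 2:
            raise ValueError("Article 12(3): at most two further months")
        return add_months(self.initial_deadline(), self.extension_months)

    def extension_valid(self) -> bool:
        # An extension only counts if the data subject was told within the initial month.
        # Assumption: the notice window follows the same (possibly suspended) clock.
        if self.extension_months == 0:
            return True
        return (self.extension_notified is not None
                and self.extension_notified <= self.initial_deadline())

    def effective_deadline(self) -> date:
        # A late or missing notice leaves the original one-month deadline in force
        return self.final_deadline() if self.extension_valid() else self.initial_deadline()

    def overdue(self, today: date) -> bool:
        return today > self.effective_deadline()
```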

The EDPB has outlined how access should be provided, depending on the amount of data and the complexity of the processing.

According to the EDPB, unless explicitly stated otherwise, requests should be understood as referring to all personal data concerning the data subject. A controller may ask the data subject to specify the request if the controller processes a very large amount of data. Otherwise, the controller will have to search for personal data throughout all IT systems, as well as all non-IT filing systems, using search criteria that mirror the structure of the stored information. For example, the controller would search for information relating to a specific data subject name or customer number. Communication relating to the processing must be provided in a concise, intelligible, transparent and easily accessible form, using clear and plain language. This data, particularly if it contains “raw data”, has to be explained in a manner which would make sense to the data subject. Generally speaking, this data must be sent in a permanent form such as written text, and can be sent via email. The EDPB suggests taking a layered approach to presenting the information in cases where the amount of data is vast, in order to facilitate the data subject’s understanding of the data presented. In this case, all layers should be provided at the same time if the data subject requests it.

The EDPB, in this recent release of its official guidelines on data subject right of access, has provided several specific example scenarios and how each should be handled, to enable data controllers to understand their role and responsibilities in fulfilling access requests and maintaining compliance. For more information, including visual flow charts demonstrating when and how access requests should be handled, controllers may refer to the guidelines.