Binding Decision by the EDPB amends draft decision on WhatsApp

Binding Decision by the EDPB amends draft decision on controversial WhatsApp policy update, citing infringement of the transparency principle and recalculating the fine.

Following the controversial WhatsApp policy update, The Irish Supervisory Authority issued a draft decision. However, the decision invited various objections by other concerned supervisory authorities. According to this report by the European Data Protection Board, the EDPB, under Article 65 of the GDPR, adopted a binding dispute resolution decision wherein the organization recognized the need for amendments in several areas of the Irish Supervisory Authority’s decision regarding WhatsApp. This includes the part of the decision relating to infringements of transparency, the under-calculation of the fine, and the lenient time frame placed on the order to comply. Article 65 of the GDPR allows the EDPB to decide on matters when there may be objections or disagreements between a lead Supervisory Authority and other concerned supervisory authorities.

The EDPB explained that the violation involved an infringement of the transparency principle contained in the GDPR. 

The EDPB found that the information provided did not fully inform users about the legitimate interests being pursued, making this an infringement of Art. 13(1)(d) of the GDPR. Moreover, the EDPB explained that the violation involved an infringement of the transparency principle contained in Article 5(1)(a) of the GDPR. In fact, the procedure used to collect personal data of non-users does not ensure anonymity, as would be in accordance with Article 26 of GDPR.

The binding decision by the EDPB considered the turnover of WhatsApp’s parent company in deciding the amount of the fine. 

The EDPB believes that the turnover of a business is not just relevant for the determination of the maximum fine amount, it is also relevant for determining the recommended amount of the fine, in order to make the fine effective, proportionate and dissuasive. The EDPB also found that the consolidated turnover of the parent company (in this case, Facebook Inc.) is to be considered as well. In addition, the EDPB also interpreted, for the first time, Article 83(3) of the GDPR, where it is illustrated that where there are multiple infringements in one operation, each infringement should be considered for the imposition of a fine. 

The EDPB also suggested that a shorter time limit be imposed on WhatsApp, to bring its operations into compliance. 

The Irish Supervisory Authority had prescribed a timeframe of 6 months for WhatsApp Ireland to bring its operations into compliance. The EDPB however concluded that the compliance requirements with the transparency obligations are to be implemented within the shortest time possible. As a result, the prescribed time period of 6 months should be reduced to 3 months.

The Irish SA has adopted a new national decision based on EDPB landmark findings. WhatsApp Ireland has been notified of this national decision along with a copy of the EDPB decision.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Icelandic DPA fines InfoMentor

Icelandic DPA fines InfoMentor

Icelandic DPA fines InfoMentor for a data breach affecting hundreds of children from 2019.

 

The Icelandic Data Protection Authority has fined the company InfoMentor EUR 23,100 for not ensuring the proper security of personal data of several data subjects, mainly affecting children. According to this report from the EDPB, in an incident reported in February 2019, their system, Mentor, an information system for schools and other parties, which provides  services for working primarily with children,was subject to a data breach. A vulnerability on their part, led to the six-digit system number of each user being visible in the URL address of a particular page within the Mentor system. This resulted in unauthorised parties gaining access to the personal information of these students, including the national identification numbers and avatars of over 400 children. 

 

At its core, this data breach was caused primarily by human error, including a delay in fixing a vulnerability that the company had been aware of. 

 

InfoMentor acknowledged that the company had been aware of the vulnerability which led to this data breach, and that a solution had already been created. However, due to human error, the solution was not fully implemented into their Mentor system until after the data breach had already occurred. This data breach could have been avoided, had those vulnerabilities been addressed once the relevant persons had been made aware of them. In addition, InfoMentor sent national identification numbers of students affected by the data breach to the wrong schools and data protection officers in error.

The Icelandic DPA fined InfoMentor based on the number of data subjects affected, and the fact that those affected were children.

 

The rights and freedoms of children were directly affected by this data breach. The most significant factors considered by the Icelandic DPA  in determining the administrative fine were the number of data subjects directly and potentially affected, and the fact that the data subjects are children. The Icelandic DPA also considered that InfoMentor‘s main activity is the development and operation of an information system intended for schools and other entities working with children. On the plus side, there was no indication of harm suffered by the data subjects as a result of this breach. In addition, InfoMentor has taken numerous steps to improve their  security and address the vulnerabilities which caused this breach, affecting the personal data within their system.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports” are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates or passes, as they would preferably be called, are proposed to be a QR code with information on a person’s status with regard to the COVID-19 virus. The specifics of the information may be pertaining to the vaccine and have details on which vaccine was taken and when it was administered, or it may contain information on a negative COVID-19 test and the date on which the last test was taken. This scannable code may also contain information on antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from this virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless, for anyone traveling during this global pandemic. 

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published the proposal for a Regulation of the European Parliament and of the Council the issuance, verification and acceptance of certificates of vaccination, testing and recovery to third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic on March 17th. The EDPB & EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specific to the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent and does not, in any way conflict with the application of the GDPR. 

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy and data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only aid by helping citizens trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO) in its ‘ interim position paper: considerations regarding proof of COVID-19 vaccination for international travelers’ stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.” 

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level, under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper based formats, to ensure the inclusion of all citizens, regardless of their level of engagement with technology. The organisations also call for clarification on the proposal’s stance on the manner in which these certificates will be issued, whether automatically, or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the union during the COVID-19 pandemic”. The EDPB and EDPS recommend the inclusion of reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data, for the issuance and verification of interoperable certificates, as acknowledged in Recital 37. 

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge,and may renew these certificates to bring the information up to date, or replace as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as modifications shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons. 

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPD and EDPS consider that the justification for the need for personal data fields needs to be clearly defined in the Proposal. In addition, the organizations ask that further explanation be provided as to whether all of the categories of personal data provided for are necessary for inclusion in the QR code for both digital and paper certificates. They note that data minimisation can be achieved using an approach of differently comprehensive data sets or QR codes. In addition, the organizations note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that given the scope of the draft of the proposal, and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should only be limited to COVID-19 and its variants. 

The EDPB & EDPS iterate the importance of adequate technical and organizational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organizations suggest that privacy and security measures should be specially structured to ensure compliance by the controllers and processors of personal data required by this framework.  The opinion states that controllers and processors should take adequate technical and organizational measures to ensure a level of security that is appropriate to the level of risk of the processing of this personal data in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures which are adopted. 

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple member states by persons traveling throughout the EU. They also suggest that the Proposal should provide clarification on the role of the Commission with regard to data protection law in the context of the framework, guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR, with regard to the storage of personal data, as well as clarification on the storage period that Member States should not exceed, beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarifies whether, and when any international transfers of personal data are expected, as well as safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes that this data is exchanged, according to the framework.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

EDPB published VVA guidelines

EDPB published VVA guidelines in the context of the GDPR

The EDPB published VVA guidelines giving context to the use of Virtual Voice Assistants in compliance with the GDPR. 

 

Recently, the EDPB published its guidelines for the use of virtual voice assistants. A virtual voice assistant (VVA) is a system that understands and executes voice commands and works with other IT systems if needed. It acts as an interface between users and their devices or online services like search engines. These services are very popular particularly with the integration of smart devices and smart homes. Due to the popularity of these devices in the home, in vehicles and even being worn by users, they are often given access to quite a bit of information on individuals, often of an intimate nature, which could threaten users’ rights to privacy. As a result VVAs have come under major scrutiny from several data protection authorities. The EDPB, by releasing these guidelines for the use of virtual voice assistants seeks to give guidance on the application of these systems in the context of the GDPR as well as other applicable legal frameworks. 

 

VVAs use machine learning methods which require the collections and interpretation of large amounts of voice data. 

 

Virtual voice assistants rely very heavily on machine learning methods in order to perform their wide range of tasks. For starters, these devices usually have a wake up command, for example either pushing a button or having a command word which wakes the device up, and puts it into active listening mode. VVAs typically depend on large data sets to be collected, selected, and labeled. Both quality and quantity of data in these scenarios are equally important and as a result, the VVA’s typically depend on snippets, which could give context to the use of the devices and service in real conditions. In some circumstances the VVA can capture audio of individuals who did not intend to use the VVA service in error. For example, in an instance where the wake up expression is accidentally detected, or the wake up expression has changed and the user has accidentally woken up the device by using the new wake up expression unbeknownst to them. For this reason, among several others, it is imperative that VVA services function in compliance with the GDPR particularly regarding the storage of data. 

 

The guidelines set out by the EDPB outline the legal framework for VVAs regarding not just the GDPR, but in some cases, the e-Privacy Directive. 

 

Because VVAs will undoubtedly process significant amounts of personal data, the relevant legal framework for VVAs is the GDPR. In addition to the GDPR, for all actors who require storage or access to information stored in the terminal equipment of a subscriber or user, the e-Privacy Directive sets a specific standard. The term “terminal equipment” refers to any smart phones, smart TVs, or any similar IoT devices. VVAs should also be considered as terminal devices when information in the VVA is stored or accessed. In all of those cases, the provisions for the e-Privacy Directive are applicable. The VVA guidelines published by the EDPB provide guidance on the identification of data processors and stakeholders, transparency, processing of children’s data, processing of special categories of data, as well as many other elements of data protection relating to VVAs. 

 

The EDPB published VVA guidelines, specifically outlining mechanisms for exercising Data Subject Rights. 

 

The EDPB has suggested several mechanisms for exercising data subject rights. These include the right to access, right to rectification, right to erasure, and the right to data portability. Data controllers must allow all users, whether registered or not, access to all of those rights. The data controllers must provide information on the data subjects’ rights, at best when a data subject turns on a VVA, or at the very latest when the first user voice request is processed. Since the main interaction intended for VVAs is using voice commands, and a portion of the VVA users are actually persons with disabilities requiring them to use voice assistance, VVA designers should ensure that users can exercise any of their data subject rights using easy to follow voice commands. The EDPB suggests implementing specific tools in the development of VVAs, providing efficient and effective ways to exercise data subjects rights. 

 

Do you provide VVA services or smart devices that use VVA services? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.