Fingerprinting and what it means for privacy?

This week we discuss device fingerprinting.

Firstly though we want to know do you feel safe against online identifiers? Do you frequently delete cookies?

It’s time to up your game and here’s why…

what is fingerprinting?

Beyond cookies or pixels, there are other techniques of identification and monitoring on the Internet. While it can be done for a legitimate purpose such as enabling multiple-authentication mechanisms, it can also be used for tracking and profiling, with the ultimate goal of exploiting such data, although initially the information is collected with a technical purpose.

Privacy is affected by fingerprinting and here is how:

-Given that people usually tend not to share their devices, singling out  a device allows the identification of an individual, which points out the need for applying Data Protection rules.

-An additional concern comes from the possibility to reassign the linked information to the user even when cookies have been deleted.

An individual can be identified using fingerprinting and there are 3 main elements, which allow the identification of a singular device, which are:

-Gathering data.

-The Global nature of the Internet.

-A Unique ID.

Fingerprint risks are covered by GDPR under recital 30, which generically refers to online identifiers, which means data protection rules apply directly.

Tips for users:

 -Set up your preferences in the browser settings.

-Opt-in to the Do Not Track mechanism, which will allow you to disable web tracking on the device.

Tips for data controllers using fingerprinting:

-Check DNT preferences before processing any data.

-Gather users’ consent even where DNT is disabled

-Include fingerprinting in the record of processing activities.

We advise you to:

-Carry out a risk analysis and Data Protection Impact Assessment where relevant, considering the impact of the disclosure of profiling information contained in the database.

-Avoid the use of social, cultural or racial bias leading to automatic decisions.

-Create access controls for employees or third parties to specific users’ data.

-Avoid the excessive collection of data and retention for excessive periods.

-Consider the impact on the perception of the freedom of use of profiling information.

-Avoid the manipulation of user’s wishes, beliefs and emotional state.

-Lastly in relations to the above, consider the risk of re-identification.

If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.


Apple to protect children’s privacy

Even though it could devastate their businesses, Apple has decided to change the rules it has for kids apps.

Under the new rules, kids apps on Apple’s App Store will be banned from using external analytics software — invisible lines of code that collect extremely detailed information about who is using an app and how. Apple is also severely curtailing their ability to sell ads, which underpins the business model that results in many apps being free. The changes were prompted in part by some children viewing inappropriate ads, Apple says.

Making all these changes is part of the move to better protect users’ privacy by shielding children from data trackers, a move that has been lauded by some privacy advocates. But some are worried that instead of protecting kids, the new rules will be possibly expose them to more adult apps.

A few app makers are worried that the new rules could limit the ability of their apps ads and they would needs to leave the models that they are currently using that makes their apps free. Apple says it was simply responding to parents’ concerns. Phil Schiller, Apple’s senior vice president of worldwide marketing, said parents were complaining to Apple about inappropriate advertising shown to their kids while using iPhone apps. “Parents are really upset when that happens because they trust us,” Schiller said.

Under the new rules, developers of mobile apps don’t have to stop collecting data themselves. (Apple’s own analytics software is also not banned, according to the new rules.) And once they collect the data, Apple can’t see what they do with it, such as send it to a server, where it can be analyzed by outside parties. In some sense, Apple could be making the problem worse by pushing data collection into the shadows, according to developers and people who work at analytics companies.

Apple’s App Store is already under the antitrust microscope. The company is facing a European investigation into allegations made by Swedish music app Spotify that Apple unfairly tipped the scales on the App Store in favor of Apple Music, a similar service. And the Supreme Court in May allowed a lawsuit to proceed that accuses Apple of using monopoly power to inflate app prices.

Kids apps are estimated to make up only a small portion of the millions of apps available in the store, though Apple declined to say what percentage they are. It’s unclear exactly how many of those are collecting personally identifiable data on kids, and Apple declined to quantify how many are behaving badly.

Privacy advocates have been complaining for years about the problems Apple says it is trying to fight. The 1998 U.S. Children’s Online Privacy Protection Act and the newer European General Data Protection Regulation limit what data kids apps are able to track.

According to Cristina Contero Almagro, Aphaia Partner, “although this is definitely a step in the right direction, it remains to be seen how it applies in practice. These new rules show a theoretical concern of Apple, which is one of the Internet giants, about privacy, but data protection is more than written rules. With their own analytics software still allowed, children data will keep being collected, thus exposed to misuse. And, what is worse, if there is no control over how and to who the app developers transfer this data to external systems, the individiuals cannot exercise their data protection rights properly, what would be an unacceptable limitation of the GDPR”.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

AI and GDPR fines

In this week’s vlog, we went through the fines under the GDPR and the role of Artificial Intelligence in this context.

One of the most talked about fines under GDPR so far, has been Facebook’s £500,000 fine from the Information Commissioner’s Office & this was for serious breaches of data protection law. The ICO’s investigation found that Facebook processed personal information of users unfairly by allowing application developers’ access to data subjects’ information without gaining clear & informed consent. Facebook also failed to keep the personal information secure because it did not do checks on apps and developers using its platform. This meant that Facebook data of up to 87 million people worldwide was harvested without their knowledge.

A subset of this data was then shared with other organisations, including the parent company of Cambridge Analytica who were involved in political campaigning in the US. The ICO found that the personal information of at least 1 million UK users was amongst the harvested data & consequently, put at risk of further misuse.

The Federal Trade Commission also formally announced its $5 billion settlement with Facebook this summer, after a long investigation into Cambridge Analytica scandal and other privacy breaches. The $5 billion fine is the 2ndlargest fine ever levied by the FTC.

Now crucially, GDPR fines are designed to make non-compliance a costly mistake for businesses regardless of its size. The most serious infringements may result in a penalty of up to £17m, or 4% of the business’ global turnover from preceding of the financial year & this is based on whichever fine is greater.

These include any violations of the articles that govern:

  • The basic principles for processing.
  • The conditions for consent.
  • The data subjects’ rights.
  • The transfer of data to an international organization or a recipient in a third country.

A misuse of AI systems may trigger most of them, because there are only two valid bases for processing when it comes to automated decision making and profiling: contract and consent. Consent must be explicit.

Automated decision making and profiling is regulated in article 22 of GDPR, which is included within Chapter III: “Rights of the data subject”.

So, Applying all GDPR security measures become an essential step in order to avoid data breaches and fines by:

  • using pseudonymisation and encryption of personal data;
  • ensuring the ongoing confidentiality, integrity, availability, resilience of processing systems and services;
  • restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • Lastly  adding a process for regularly testing, assessing as well as evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

However, The use of AI requires some additional measures to safeguard the data subject’s rights and freedoms as well as legitimate interests, which are the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

The ICO, intends to impose a fine of over £180 million on British Airways for the theft of customers’ personal and financial information and £100 million to Marriott hotel for accidentally exposing 339 million guest records globally. British Airways and Marriott data breaches have nothing to do with AI. Could you imagine what the fine amount would have been if AI was involved? Feel free to share your thoughts with us.

If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.


The Court of Justice of the European Union, the EU’s highest court, has ruled that an operator of a website that features a Facebook ‘like’ button can be a data controller jointly with Facebook.

What happened?

The EU Court of Justice weighed in on a dispute after an online fashion retailer was accused of violating EU law by embedding a Like plugin. Fashion ID, a German online clothing retailer, embedded on its website the Facebook ‘Like’ button. The consequence of embedding that button appears to be that when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland. It seems that that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the ‘Like’ button.

A German public-service consumer association criticised Fashion ID for transmitting to Facebook the personal data of visitors without their consent, and in breach of their information obligation to visitors regarding the use and disclosure of their data under the Directive.


The Court finds, first, that the former Data Protection Directive does not preclude consumer-protection associations from being granted the right to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Court notes that the new General Data Protection Regulation now expressly provides for this possibility.

The Court found that Fashion ID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that Fashion ID determines the purposes and means of those operations. By contrast, Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations. Overall, Facebook like button ECJ ruling concludes thats websites and Facebook share joint responsibility.

The Court has now made its ruling and concluded that:

  1. With regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely)in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
  2. With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court finds that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.

According to Dr Bostjan Makarovic, Aphaia Managing Partner, “the Facebook like button ECJ decisions strikes a balance between data subject rights and the commercial realities of web giants’ operations. It is important that the responsibility of the website owner does not extend to further processing of the data by the social network. That said, the assessment of the legitimate interest of the social network in the initial operation might still pose a challenge. Such assessment would best be provided by the social network itself, as part of the standard joint controller arrangement.”

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.