French DPA provides GDPR recommendations

French DPA provides GDPR recommendations regarding chatbots

CNIL of France has provided GDPR recommendations regarding chatbots and insights on the implications of their use. 

 

Chatbots are a fairly common feature on websites today, providing users with an experience of having frequently asked questions answered quickly and easily, and providing other useful information in an interactive way. Personal data is typically processed during this process and as such, it is important that data controllers and processors remain mindful of any issues relating to the rights and freedoms of individuals during this process. If available, a Data Protection Officer would be helpful in this regard, as there are cases where Data Protection Impact Assessments are recommended or necessary. 

 

Chatbots require cookie placing and must remain within regulation. 

 

Chatbots save the conversation history between the different website pages where it is present, and in order for that to be successfully executed, cookies are frequently placed on user devices. This must be done in accordance with data protection laws. The CNIL has published recommendations regarding chatbots, and navigating the use of cookies in accordance with the Data Protection Act, particularly article 82, which provides guidance on the use of cookies. 

 

Two ways to place cookies. 

 

Because the presence or use of a chatbot requires the deposit of cookies onto a user’s computer, permissions may be required in order to do so. There are two available options for the chatbot operator. The first option would be to obtain prior consent from the user in order to deposit the cookie. This consent must be free, specific, informed and unambiguous. The second option would be to place the cookie only when the user activates the chatbot. This would involve the user clicking a button specifically triggering the opening of the chatbot. In this case it does not require specifically obtaining consent of the user, as the cookies would be specifically for the purpose of the provision of the chatbot service. However, if the tracker used for the chatbot is attached to any other purpose apart from that chatbot, user consent would be required. The data collected by this tracker must only be stored for as long as is necessary to achieve the purpose of the processing. 

 

French DPA recommendations on the collection of special categories of data by a chatbot. 

 

The CNIL advises that special attention should be paid when collecting data of a special category. This may include information relating to health, religious affiliation, political opinions etc. In some cases the collection of this information is predictable and therefore the processing is relevant. For example a chatbot for a health related assistance service may collect and process relevant health data. In those cases it is necessary to ensure that the data processing is in accordance with Article 9.2 of the GDPR. The processing of special categories of data is one of nine criteria which can make a Data Protection Impact Assessment necessary. In the case where more than one of these criteria is met, a Data Protection Impact Assessment may become mandatory. “This might be the case where minor’s data is involved or where the data gathered by the chatbot is combined, compared or matched with data from other sources”, comments Cristina Contero Almagro, Partner in Aphaia .

 

In some cases the collection of such sensitive data is not predictable as chatbots often offer the option to freely write or type, and the data controller or subcontractor may not have anticipated sensitive data being provided by a user. In those cases prior consent is not required. However, mechanisms must be put in place to minimize the risks to the rights and freedoms of individuals. This can be done by communicating before or when the chatbot is launched, urging people to refrain from communicating special categories of data. In addition a purge system can be set up since the conservation of the sensitive data is not necessary.

 

Conversations with a chatbot may not be used for decision making affecting an individual.

 

Regardless of the nature of the conversation with a chatbot human intervention is required to lead to important decisions affecting an individual. A conversation with a chatbot, without any human intervention alone cannot lead to important decisions for the person concerned. This includes the refusal of an online credit application, the application of higher rates or the inability to submit an application for a position. Conversations with chatbots, however, may form part of a larger process that would include meaningful human interaction.

 

Article 22 of the GDPR prohibits automated decision-making where there are legal ramifications significantly affecting an individual. Exceptions include  cases where the person has given expressed consent, as well as when decision making is necessary for a contract between the user and the controller. A data subject must in either case be provided with the means to obtain a human intervention, which a chatbot alone cannot provide.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

New EU ePrivacy rules

New EU ePrivacy rules update

The ePrivacy rules governing electronic communication data will be updated as agreed upon by EU Member States. 

 

Earlier this month, EU member states agreed upon a negotiating mandate for revised ‘ePrivacy’ rules. The rules on the protection of privacy and confidentiality in the use of electronic communications define cases in which service providers are allowed to process data from electronic communications or access that which has been stored on an end user’s device. The last update to the ePrivacy directive was in 2009, and as such, the member states agree that this legislation needs to be brought up to date with new technological and market developments. The new ePrivacy Regulation will repeal the current ePrivacy Directive and is intended to complement and characterize the GDPR. This regulation will become effective 20 days after its publication in the EU Official Journal, and two years later, will start to apply. Details can be found in this press release by the European Council

 

The revised draft regulation will cover content from electronic communication over public services and networks, as well as related metadata. 

 

This draft ePrivacy regulation will repeal the existing directive and will cover content transmitted via public services and networks and related metadata, when end users are in the EU. Metadata refers to the information on the time, location and recipient of the communication for example. Metadata is considered to be potentially as sensitive as the actual content of electronic communication. The rules will also cover the handling of data transmitted from machine to machine via a public network. 

 

Any electronic communication data will be considered confidential, except when permitted by the ePrivacy regulation. 

 

As a general rule, all electronic communication is to be considered confidential, and should not be processed without the consent of the user. There are, however, a few exceptions specifically outlined in the ePrivacy regulation. These exceptions include any processing for the purposes of checking for malware and viruses as well as for ensuring the integrity of the communication service. Provisions are also made for cases where the service provider is required to do so by EU or member states’ law with regard to the prosecution of criminal offenses or the prevention of public security threats. 

 

Metadata may be processed for very specific purposes, and with strong additional safeguards applied to it. 

 

Metadata may be processed for example for billing purposes or for detecting and preventing fraud. If users give their consent, service providers may use metadata to display movements of traffic to help public authorities develop new infrastructure when needed. This processing is also allowed in instances where users’ vital interests need to be protected, for example the monitoring of epidemics or in emergencies like natural and man-made disasters. In specific cases network providers may process metadata for purposes other than that for which it was collected. In those cases, the intended purpose must be compatible with the initial purpose for the metadata and strong specific safeguards must be applied to the processing. 

 

It will be possible for users to whitelist service providers, giving consent to certain types of cookies, from certain websites via users’ browser settings. 

 

Users will be able to permit certain types of cookies from one or many service providers, and change those settings easily in their browser settings. This should make permissions for cookies easier and more seamless for users, alleviating cookie consent fatigue. In addition, end users will be able to genuinely choose whether to accept cookies or any similar identifier. It may be possible for service providers to make access to a webpage or website dependent on consent to the use of cookies for additional purposes, instead of using a paywall, however this will only be allowed if the user is able to access an equivalent offer by the same provider, that does not involve consenting to the use of cookies. 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR, and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

 

The next update to iOS

The next update to iOS could significantly impact targeted advertising on free apps.

The next update to iOS has created friction between Apple and advertising giants like Facebook which rely on targeted ads for revenue. 

 

The next update to iOS, initially announced last summer, will force app developers to explicitly seek permission to access the phone’s unique identifier known as the IDFA. This update is expected early in spring and is expected to significantly impact the effectiveness of targeted mobile ads. In order to tailor mobile ads to smartphone users, app developers and other industry players typically access this unique identifier on devices. However once this new rollout takes effect, a prompt will begin showing up for users, seeking their permission to give access to their IDFA. It is expected that roughly half of users may respond negatively or refuse access via this prompt. 

 

The effectiveness of targeted advertising relies heavily on access to personal identifiers like Apple users’ IDFA. 

 

Targeted advertising relies heavily on access to significant amounts of personal data, determining who is most likely to be affected by a particular message, and also how and when to deliver the message for maximum impact. For this reason, in order for targeted ads to be truly effective, access to data through Apple users’ IDFA is key and this update from Apple will no doubt, significantly impact targeted advertising.

 

Facebook argues that these changes will be of dire consequence to small businesses which depend on targeted advertising on free apps like theirs. 

 

One industry leader which generates much of its revenue through advertising has spoken up about the anticipated update. In a recent blog post, Facebook has expressed that they disagree with Apple’s approach, complaining that Apple provides no context on the benefits of having targeted ads, and suggesting that Apple’s new prompt implies that there is a trade off between personalized advertising and privacy. Facebook argues that the two are not mutually exclusive, and that they can and do provide both.

 

 Facebook urges that these changes will significantly impact the income of small business owners who rely on targeted ads via free apps to reach the customers most likely to convert into revenue for their businesses. Facebook intends to show Apple’s prompt asking for consent, but to also include their own prompt providing context on the benefits available to users through targeted advertising. 

 

Some industry leaders are opting to give up access to certain data, eliminating the need to seek consent. 

 

Google has also spoken up about the change and how they plan to navigate affairs taking this change into account. The company plans to cease from using any data that falls under Apple’s AppTrackingTransparency framework for iOS apps, which will exempt them from needing to show this prompt. Google is essentially forgoing access to a significant amount of personal data, to avoid needing to seek consent. 

 

How do data protection laws and this era of consent affect targeted advertising?

 

The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR clearly states and requires that consent must be unambiguous and made by a statement of clear affirmative action.

 

Data protection laws like the GDPR and CCPA are designed to empower consumers, giving them more control over their personal information. The GDPR in particular operates by an “opt-in” model of consent, as clarified in its definition of the term, meaning that it cannot be assumed that a user has given their consent, simply by them not opting out. Users must clearly and unambiguously opt in and companies cannot assume that a user has given consent unless they have been asked, and in the right way, resulting in a clear affirmative response. From Apple’s perspective, this update does fall in line with the GDPR, seeking clear unambiguous consent from users to share a unique identifier such as their IDFA. “The philosophy behind it is similar to that of cookie consents for websites, only in the world of IoS apps,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner. However, there is no doubt that this update will affect the current model of advertising, and not just companies like Facebook which generate much of their income through their ability to provide targeted ads to users on their free platforms, but also much smaller businesses seeking their targeted advertising audience through the social network giant.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

 

The EDPB and the EDPS

The EDPB and the EDPS have released a joint opinion on SCCs for international data transfers and SCCs between controllers and processors

The EDPB and the EDPS have released joint opinions on standard contractual clauses for the transfer of data within the EEA and internationally. 

 

Last month, the EDPB and the EDPS released joint statements on standard contractual clauses between controllers and processors and on standard contractual clauses for the transfer of personal data to third-countries. Both are referred to as ‘SCCs’ but it should be noted that they are two separate documents. This update is intended to bring the SCCs in line with the new GDPR requirements and provide a better reflection of the use of more complex processing operations, as well as provide specific safeguards addressing the laws of third countries and their effect on the data importer’s compliance. The Draft SCCs include, on the one hand, controller processor relationships within the EEA and, on the other, international data transfers. The EDPB and EDPS are pleased to note the specific provisions included many recommendations made by the EDPB, as well as several which address some of the main issues presented by the Schrems II ruling.

The EDPB and EDPS expressed overall satisfaction with both the Draft Decision and Draft SCCs for international data transfers. 

 

The EDPB and EDPS are both generally satisfied with the reinforced level of protection that the updated Draft Decision and Draft SCCs provide for data subjects. This update sought to bring the SCCs in line with the new GDPR while making special provisions for addressing third country destination laws on compliance with the Draft SCCs. The organisations noted that the Draft SCCs covered several of the supplementary measures recommended by the EDPB, while for some others, the organizations would like to see more consistency. There were specific recommendations made regarding the transfer of data on an international level. Many organizations will need to rely on these standard contractual clauses for international data transfers, particularly with the invalidation of the EU-US Privacy Shield. 

 

In analysing the Draft Decision and Draft SCCs between controllers and processors, the EDPB and EDPS made a few key suggestions.

While the EDPB and EDPS were generally pleased with the Draft SCCs presented, they expressed a request for the European Commission to clarify some specific clauses, with the aim of further clarifying the text and ensuring it is practical and  useful in day-to-day operations of the controllers and processors.. 

 

The EDPB and EDPS also suggested that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity as any ambiguity in this regard could make it more difficult for the controllers or processors to fully meet their obligations under the accountability principle. The annexes are intended to provide a very technical explanation of how the SCCs will apply in specific situations. 

 

Andrea Jelinek, Chair of the EDPB, was quoted as saying: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”

 

The opinions presented by the EDPB and EDPS  will be considered by the Commission, together with the numerous other responses to its consultation on the SCCs. The European Commission will then formally adopt a decision incorporating the finalized SCCs and provide details for their adoption by organizations. Once finalized, the SCCs for international data transfers to third-countries will replace the existing sets of SCCs for transfers of personal data from within the EEA to other non-EEA countries that have not been recognized as providing an adequate level of data protection. As for the SCCs between controllers and processors, they will provide a standard for the parties, but its implementation will not be mandatory as controllers and processors will still be able to use their own clauses.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.