Sweden’s first GDPR fine

A school in Sweden has been fined 200 000 SEK (approximately 20 000 euros) by the Swedish DPA for using facial recognition technology to monitor the attendance of students in school.

22 students’ participation in class was captured by a camera using facial-recognition software. This trial was conducted to determine if it could be used as a standard procedure to cut down on class time.

The faces and full names of students were captured through biometric data. The data was stored on a local computer without an internet connection, placed in a locked cabinet. Consent was gathered from the guardians, and the school gave the participants the option to withdraw consent and stop the trial. However, neither a risk assessment nor prior consultation with the Swedish DPA was carried out.

GDPR was violated in three ways:

  • Article 5, by violating its fundamental principles: personal data was processed in a manner more intrusive on personal integrity than necessary for the purpose (attendance).
  • Article 9, by processing sensitive personal data (biometric data) without a legal basis.
  • Articles 35 and 36, by not fulfilling the requirements of a data protection impact assessment and prior consultation.

Even though the school maintains it had its students’ consent, the DPA found that consent was not a valid legal basis here, as there is a clear imbalance between the data subject and the controller.

When it comes to the workplace, the Spanish DPA (AEPD) rules that the controller can gather biometric data (e.g. fingerprints) for attendance control purposes as long as some principles and requirements are met, mainly purpose limitation and data minimisation, among others.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Fingerprinting and what it means for privacy?

This week we discuss device fingerprinting.

First, though, we want to know: do you feel safe against online identifiers? Do you frequently delete cookies?

It’s time to up your game and here’s why…

What is fingerprinting?

Beyond cookies or pixels, there are other techniques of identification and monitoring on the Internet. Although fingerprinting can serve a legitimate purpose, such as enabling multiple authentication mechanisms, it can also be used for tracking and profiling, with the ultimate goal of exploiting the data, even when the information is initially collected for a technical purpose.

Privacy is affected by fingerprinting and here is how:

-Given that people tend not to share their devices, singling out a device allows the identification of an individual, which is why Data Protection rules need to be applied.

-An additional concern comes from the possibility to reassign the linked information to the user even when cookies have been deleted.

An individual can be identified using fingerprinting. There are 3 main elements that allow a single device to be identified:

-Gathering data.

-The Global nature of the Internet.

-A Unique ID.

Fingerprinting risks are covered by GDPR under recital 30, which refers generically to online identifiers. This means data protection rules apply directly.

Tips for users:

-Set up your preferences in the browser settings.

-Opt in to the Do Not Track mechanism, which will allow you to disable web tracking on the device.

Tips for data controllers using fingerprinting:

-Check DNT preferences before processing any data.

-Gather users’ consent even where DNT is disabled.

-Include fingerprinting in the record of processing activities.
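
The first two controller tips above, written as a gate that runs before any fingerprinting attribute is read. This is an added example, not code from the original post; the function names, the consent-record fields and the reason strings are assumptions made for illustration.

```javascript
// Added example: consent gate for fingerprinting. All names are hypothetical.
const DNT_ON = new Set(["1", "yes"]); // "yes" was used by older Firefox builds

// True when any place a browser exposes Do Not Track says "do not track".
function dntEnabled(env) {
  const nav = env.navigator || {};
  const signals = [
    (env.headers || {})["dnt"],     // DNT request header (lower-cased key)
    nav.doNotTrack,                 // current browsers
    nav.msDoNotTrack,               // legacy Internet Explorer
    (env.window || {}).doNotTrack,  // legacy Safari / IE 11
  ];
  return signals.some((v) => v != null && DNT_ON.has(String(v).toLowerCase()));
}

// Decide before any attribute is read. A missing or "0" DNT signal is not
// consent: an explicit, unwithdrawn consent record for this purpose is required.
function mayFingerprint(env, consent, now = Date.now()) {
  if (dntEnabled(env)) return { allowed: false, reason: "dnt-enabled" };
  if (!consent || consent.purpose !== "device-fingerprinting" || consent.grantedAt == null)
    return { allowed: false, reason: "no-consent" };
  if (consent.withdrawnAt != null && consent.withdrawnAt <= now)
    return { allowed: false, reason: "consent-withdrawn" };
  return { allowed: true, reason: "consent-given" };
}

// Runs the collector only when the gate allows it, so a refusal reads nothing.
function collectIfAllowed(env, consent, collector, now = Date.now()) {
  const decision = mayFingerprint(env, consent, now);
  return { ...decision, data: decision.allowed ? collector(env) : null };
}

// Constructed sample inputs (not real user data).
const NOW = Date.parse("2019-09-01T00:00:00Z");
const consentOk = { purpose: "device-fingerprinting", grantedAt: NOW - 1000 };
const samples = [
  [{ headers: { dnt: "1" } }, consentOk],
  [{ navigator: { doNotTrack: "0" } }, null],
  [{ navigator: { doNotTrack: null } }, { ...consentOk, withdrawnAt: NOW - 1 }],
  [{ navigator: { doNotTrack: "unspecified" } }, consentOk],
];
for (const [env, consent] of samples) {
  console.log(collectIfAllowed(env, consent, () => "collected", NOW).reason);
}
```
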

We advise you to:

-Carry out a risk analysis and Data Protection Impact Assessment where relevant, considering the impact of the disclosure of profiling information contained in the database.

-Avoid the use of social, cultural or racial bias leading to automatic decisions.

-Create access controls for employees or third parties to specific users’ data.

-Avoid the excessive collection of data and retention for excessive periods.

-Consider the impact on the perception of the freedom of use of profiling information.

-Avoid the manipulation of users’ wishes, beliefs and emotional state.

-Lastly, in relation to the above, consider the risk of re-identification.

If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.


Apple to protect children’s privacy

Even though it could devastate app makers’ businesses, Apple has decided to change the rules it has for kids apps.

Under the new rules, kids apps on Apple’s App Store will be banned from using external analytics software — invisible lines of code that collect extremely detailed information about who is using an app and how. Apple is also severely curtailing their ability to sell ads, which underpins the business model that results in many apps being free. The changes were prompted in part by some children viewing inappropriate ads, Apple says.

These changes are part of a move to better protect users’ privacy by shielding children from data trackers, a move that has been lauded by some privacy advocates. But some are worried that instead of protecting kids, the new rules could expose them to more adult apps.

A few app makers are worried that the new rules could limit their ability to show ads in their apps, and that they would need to abandon the models they currently use to keep their apps free. Apple says it was simply responding to parents’ concerns. Phil Schiller, Apple’s senior vice president of worldwide marketing, said parents were complaining to Apple about inappropriate advertising shown to their kids while using iPhone apps. “Parents are really upset when that happens because they trust us,” Schiller said.

Under the new rules, developers of mobile apps don’t have to stop collecting data themselves. (Apple’s own analytics software is also not banned, according to the new rules.) And once they collect the data, Apple can’t see what they do with it, such as send it to a server, where it can be analyzed by outside parties. In some sense, Apple could be making the problem worse by pushing data collection into the shadows, according to developers and people who work at analytics companies.

Apple’s App Store is already under the antitrust microscope. The company is facing a European investigation into allegations made by Swedish music app Spotify that Apple unfairly tipped the scales on the App Store in favor of Apple Music, a similar service. And the Supreme Court in May allowed a lawsuit to proceed that accuses Apple of using monopoly power to inflate app prices.

Kids apps are estimated to make up only a small portion of the millions of apps available in the store, though Apple declined to say what percentage they are. It’s unclear exactly how many of those are collecting personally identifiable data on kids, and Apple declined to quantify how many are behaving badly.

Privacy advocates have been complaining for years about the problems Apple says it is trying to fight. The 1998 U.S. Children’s Online Privacy Protection Act and the newer European General Data Protection Regulation limit what data kids apps are able to track.

According to Cristina Contero Almagro, Aphaia Partner, “although this is definitely a step in the right direction, it remains to be seen how it applies in practice. These new rules show a theoretical concern of Apple, which is one of the Internet giants, about privacy, but data protection is more than written rules. With their own analytics software still allowed, children’s data will keep being collected, thus exposed to misuse. And, what is worse, if there is no control over how and to whom the app developers transfer this data to external systems, the individuals cannot exercise their data protection rights properly, which would be an unacceptable limitation of the GDPR”.


AI and GDPR fines

In this week’s vlog, we went through the fines under the GDPR and the role of Artificial Intelligence in this context.

One of the most talked-about fines under GDPR so far has been Facebook’s £500,000 fine from the Information Commissioner’s Office, which was for serious breaches of data protection law. The ICO’s investigation found that Facebook processed personal information of users unfairly by allowing application developers access to data subjects’ information without gaining clear and informed consent. Facebook also failed to keep the personal information secure because it did not carry out checks on apps and developers using its platform. This meant that Facebook data of up to 87 million people worldwide was harvested without their knowledge.

A subset of this data was then shared with other organisations, including the parent company of Cambridge Analytica, which was involved in political campaigning in the US. The ICO found that the personal information of at least 1 million UK users was amongst the harvested data and was consequently put at risk of further misuse.

The Federal Trade Commission also formally announced its $5 billion settlement with Facebook this summer, after a long investigation into the Cambridge Analytica scandal and other privacy breaches. The $5 billion fine is the second-largest fine ever levied by the FTC.

Now, crucially, GDPR fines are designed to make non-compliance a costly mistake for businesses regardless of their size. The most serious infringements may result in a penalty of up to £17m, or 4% of the business’s global turnover in the preceding financial year, whichever is greater.

These include any violations of the articles that govern:

  • The basic principles for processing.
  • The conditions for consent.
  • The data subjects’ rights.
  • The transfer of data to an international organization or a recipient in a third country.

A misuse of AI systems may trigger most of them, because there are only two valid bases for processing when it comes to automated decision making and profiling: contract and consent. Consent must be explicit.

Automated decision making and profiling is regulated in article 22 of GDPR, which is included within Chapter III: “Rights of the data subject”.

So applying all GDPR security measures becomes an essential step in avoiding data breaches and fines, by:

  • using pseudonymisation and encryption of personal data;
  • ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • lastly, adding a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

However, the use of AI requires some additional measures to safeguard the data subject’s rights, freedoms and legitimate interests, namely the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

The ICO intends to impose a fine of over £180 million on British Airways for the theft of customers’ personal and financial information, and £100 million on Marriott hotel for accidentally exposing 339 million guest records globally. The British Airways and Marriott data breaches have nothing to do with AI. Could you imagine what the fine amount would have been if AI was involved? Feel free to share your thoughts with us.
