The risks associated with geolocation data: an assessment by LINC, CNIL

The “Laboratoire d’Innovation Numerique de la CNIL”, or LINC, in France has been assessing the risks associated with geolocation data.

France’s digital innovation laboratory, known as the “Laboratoire d’Innovation Numerique de la CNIL” or LINC, obtained a geolocation database from a data broker which was supposedly anonymised. The purpose was to test and evaluate the risk of re-identification using this data. LINC seeks to experiment with anonymisation methods in order to help limit privacy risks for users while maintaining the usefulness of the data. In particular, this report from LINC gives a brief assessment of the risks associated with the possibility of re-identification from a specific type of data: geolocation data.

Geolocation data is regarded as highly valuable due to its abundant and precise nature, which allows better tracking.

The usefulness of smartphone geolocation data is undeniable. We have seen the benefits in the context of fighting disease outbreaks, optimising road traffic and many other applications. However, this data is also used for behavioural surveillance and to track individuals for advertising purposes. LINC questioned whether geolocation data should also be regarded as special category data. In its 2017 report, it states that “geolocation and data flow are to personal data what stem cells are to cellular biology”. It goes on to say that geolocation data allows, “by its abundance of context to infer a considerable amount of data about behavior, habits, and lifestyle. Knowing where you live may allow someone to infer your income, where you go, to guess your lifestyle (hobbies, family circumstances…), your religious habits or sexual preference, even your health situation”. This accumulation of information is seen as highly valuable by data brokers, particularly those who specialise in the collection and resale of geolocation data. The value of this data stems precisely from its abundance and its precision.

While geolocation data is highly valuable, it is regarded as personal data and must therefore be afforded a corresponding level of protection.

The issue lies in the fact that this determination to collect, use and sell extremely precise data may create personal data protection issues for the people who contribute to these datasets. In many cases, these people are unaware of how much data they are passing on, or of its precision. There are cases in which companies have betrayed the trust of users by reselling geolocation data collected from children or from people visiting abortion centres, or data that gives context to a person’s sexual orientation. While geolocation data is most often anonymised, and sharing anonymised data releases the sharing party from some GDPR restrictions, there are cases where the nature of this data allows for re-identification. According to the GDPR, geolocation data associated with a person, whether directly or indirectly, is considered to be personal data. As such, data controllers and data processors must respect strict rules regarding the processing of this data as well as the rights of the people whose location is collected.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

CJEU ruling on special categories of personal data

A recent CJEU ruling on special categories of personal data may have far-reaching implications for online platforms.

On 1 August, the Court of Justice of the European Union issued a preliminary ruling on a number of questions of legal interpretation referred to it by a Regional Administrative Court in Lithuania. This ruling relates to the processing of special categories of personal data under Article 9(1) of the EU General Data Protection Regulation and Article 8(1) of Directive 95/46. It may have major implications for online platforms which use tracking and profiling to target users with specific ads based on their behaviour. The question before the CJEU was whether the publication of the name of a spouse or partner amounted to the processing of sensitive data because it could reveal sexual orientation.

The CJEU addressed the interpretation of certain articles of the GDPR and Directive 95/46, broadening the spectrum of what is recognised as special category personal data.

The main issue addressed by the court was whether Article 9(1) of the EU General Data Protection Regulation and Article 8(1) of Directive 95/46 should be interpreted as meaning that the online publication “of personal data that are liable to disclose indirectly the political opinions, trade union membership or sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.” The CJEU ruled that the interpretation should in fact be broad enough to recognise that “it is possible to deduce from the name-specific data relating to the spouse, cohabitee or partner of the declarant certain information concerning the sex life or sexual orientation of the declarant and his or her spouse, cohabitee or partner.”

The CJEU further clarified that the context of the data plays a vital role in its categorisation as “special categories of personal data.”

The CJEU considered not only the wording of the legislation but also its context and objectives in arriving at the determination that “data that are capable of revealing the sexual orientation of a natural person by means of an intellectual operation involving comparison or deduction fall within the special categories of personal data.” This reasoning applies equally to inferences connected to the other types of special category data.

Fine imposed on Volkswagen by German Data Protection Commissioner for multiple GDPR violations

A recent fine imposed on Volkswagen by a German Data Protection Commissioner for multiple GDPR violations amounted to €1.1 million.

The State Commissioner for Data Protection in the German state of Lower Saxony (LfD Lower Saxony) has imposed a fine of €1.1 million on Volkswagen Aktiengesellschaft in accordance with Article 83 GDPR. The fine is the result of multiple data protection violations in connection with the use of a service provider for research trips to test a driver assistance system which helps to avoid traffic accidents. Because the processing of personal data was cross-border, the other affected data protection supervisory authorities across Europe were involved in the decision-making process before the fine was issued, in accordance with Article 60 DS-GVO (the German designation of the GDPR). Volkswagen cooperated extensively with the LfD Lower Saxony and accepted the fine. The company also immediately remedied the defects, which concerned only the earlier test procedure and not series-production vehicles.

During a traffic stop, law enforcement observed cameras on a vehicle which lacked signage informing affected persons of the recording.

In 2019, a test vehicle belonging to the company was stopped by Austrian law enforcement near Salzburg. The officers noticed unusual attachments, which turned out to be cameras; the vehicle was, at the time, being used to test and train the functionality of a driver assistance system designed to avoid traffic accidents. These cameras recorded the traffic conditions around the vehicle, among other things for the purposes of error analysis. However, following an earlier accident, the vehicle was missing the magnetic signs bearing a camera symbol and the other mandatory information intended to inform other road users of the recording. Under Article 13 DS-GVO, data subjects must be informed, among other things, about who is carrying out the processing, for what purpose, and for how long the data will be stored. This was not being done in this case, resulting in a violation of data protection law.

Volkswagen failed to conclude an order processing contract with a subcontractor and to perform a data protection impact assessment.

Upon further investigation, it was also revealed that Volkswagen had failed to conclude an order processing contract with the company carrying out these journeys, as required under Article 28 GDPR. Among other requirements, Article 28 GDPR stipulates that a “processor shall not engage another processor without prior specific or general written authorisation of the controller.” In addition, the company neglected to perform a data protection impact assessment as required under Article 35 GDPR. Article 35 states that “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Facebook cookie injunction has been dropped

CNIL has recently lifted an injunction placed on Facebook last December regarding the company’s use of cookies.

Last December, CNIL ordered Facebook Ireland Limited to make it possible for users of facebook.com in France to refuse the placing of cookies on their device as easily as they can accept them. This is a requirement of Article 82 of the French Data Protection Act, intended to allow users to give genuine consent to those cookies. According to this report from CNIL, Facebook was required to comply with the injunction within three months and to pay a fine of €60 million. Any delay in complying would have incurred a penalty of €100,000 per day, as set out in the Facebook cookie injunction imposed on December 31st 2021.

The Facebook cookie injunction was lifted after the company made the necessary changes to its cookie banner.

CNIL noted that the changes made by Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) were completed within the required timeframe. The change consists of adding an “Only allow essential cookies” button above the button for accepting all cookies, the “Allow essential and optional cookies” button. CNIL considered this change satisfactory for compliance with the injunction, lifted the injunction, and closed the case on July 11, 2022.

This change relates specifically to the scope of the injunction issued in the deliberation by CNIL on December 31, 2021.

The decision to lift the injunction does not prejudge CNIL’s analysis of whether the new cookie consent windows deployed on the “facebook.com” site comply with all the provisions of Article 82 of the French Data Protection Act. In particular, the decision does not concern the company’s obligation to provide “clear and complete” information to users or to obtain user consent for each purpose. As a result, CNIL reserves the right to continue monitoring the compliance of the “facebook.com” site with these other requirements and, if necessary, to mobilise law enforcement.