Facebook View sunglasses questioned by Irish and Italian authorities

Facebook View sunglasses have been questioned by the Irish and Italian data protection authorities over whether they effectively notify data subjects that they are being recorded.

A new product by Facebook, developed in collaboration with Ray-Ban, is now coming under question by European data protection authorities. The product, called “Facebook View”, was introduced to the general public with a short promotional video of Mark Zuckerberg speaking about these innovative glasses, which can take photos and record video. In the video, Mr. Zuckerberg attempted to appease possible qualms from the public about the privacy implications of this technology, noting that an LED light on the frame of the sunglasses turns on to notify those nearby when the glasses are recording. However, this feature is now being called into question by the Irish and Italian regulators, the Irish DPC and the Garante respectively. Their main question: is a light on the frame enough to adequately notify people that they are being recorded?

Facebook View sunglasses are seen as much less conspicuous than a camera or cell phone when it comes to communicating that recording is in progress.

It is important that when people are being recorded they have a sense that this is happening. When someone pulls out a camera or a cell phone, for example, the general assumption is that recording is in progress or a photo is being taken. People do not automatically assume that they are being recorded when they see someone wearing a pair of Ray-Bans, and most people are not looking for a light on a pair of glasses under regular circumstances. The Irish and Italian authorities, according to the joint statement they recently issued, do not believe that a pair of sunglasses can adequately give notice that recording is in progress.

The relevant authorities call on Facebook to demonstrate the effectiveness of the LED light to inform people that recording is in progress, as well as run an information campaign.

The Irish DPC and the Garante claim that it has not been demonstrated to them that Facebook carried out comprehensive testing to ensure that an LED light would effectively communicate to people that they are being recorded. Facebook is now being called on to demonstrate the effectiveness of the LED light in informing people that they are being recorded. In addition, the authorities are asking Facebook to run an information campaign to adequately alert the public to how this new product may result in much less obvious recording of their images.

“Facebook should also explain whether there are any plans to combine the information recorded using the Facebook View sunglasses with Facebook’s existing databases. This scenario seems likely considering that Facebook’s core product consists of users sharing photos and videos on the social network, where they can tag their friends and contacts,” points out Cristina Contero Almagro, Partner at Aphaia.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Guidance on cookie consent requirements from Malta DPA

The guidance on cookie consent requirements from the Malta DPA gives insight on the applicable legal framework for their use.

The Data Protection Authority of Malta has just published guidance on cookie consent requirements to aid businesses and organizations in setting cookies up correctly on their web pages and apps. Cookies are alphanumeric files which are stored on a user’s device for later use. These later uses may include memorising preferences, storing session information or identifying a data subject through a unique identifier. Some cookies, known as tracking cookies, are used for the purpose of behavioural advertising.

The guidance on cookie consent requirements from the Malta DPA heavily emphasizes the notion of consent.

The use of cookies on a website or app is allowed under the applicable laws once certain requirements are met. The guidance from the Malta DPA focuses on tracking cookies, understood as those used for commercial purposes to deliver behavioural advertising. According to the guidance, for tracking cookies to be lawfully installed on a user’s device, a valid consent mechanism must be implemented which allows users to take affirmative action giving prior, informed consent to the cookies. Originally under the ePrivacy Directive, and now also under the GDPR, the notion of consent is central to lawfully obtaining and storing information on data subjects.

The notion of consent in the ePrivacy Directive is linked to that of the GDPR. As a result, for stakeholders to obtain valid consent within the scope of the ePrivacy Directive provisions, the elements of valid consent set out in Article 4(11) GDPR apply cumulatively. This means that consent must be freely given, specific and informed, and must result from an “unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action” signifying agreement to the processing of personal data relating to them. This consent must also be withdrawable.

According to Regulation 5(1) of the “Processing of Personal Data (Electronic Communications Sector) Regulations” (Subsidiary Legislation 586.01), which transposes article 5(3) of the ePrivacy Directive, the “storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his consent”.

Transparency is necessary in all matters to ensure that the rights and freedoms of data subjects remain protected.

The GDPR maintains that data subjects must be informed and have, at the very least, a basic understanding of the state of play, allowing them to decide whether or not to give consent and how to exercise the right to withdraw it. Pursuant to Article 7(3) of the GDPR, data subjects should be able to withdraw their consent at any time, and it should be as easy to withdraw consent as it is to give it. With regard to cookies, transparency refers to the provision of adequate information about the processing operation, including how data subjects can exercise their rights. Accordingly, the GDPR stipulates that individuals must also be informed of how to withdraw their consent before it is given. Failing to provide data subjects with a permanent withdrawal option, including the relevant information on withdrawal, infringes several articles of the GDPR.

According to the guidance on cookie consent, cookie walls, pre-ticked boxes and scrolling infringe the regulations governing cookie consent.

In order to obtain informed consent from users fairly and transparently, there are some features which must be avoided as they compromise the rights and freedoms of users. The Malta DPA, in its non-exhaustive list of practices deemed non-compliant, mentions cookie walls, pre-ticked boxes and required scrolling.

Cookie Walls

Cookie walls are banners linked to a website or mobile app which only allow users to access the site or app after the user grants consent to the use of all cookies and to the purposes for which they are processed. In these cases, access to the website or mobile app is not possible by other means. Indiscriminately collecting personal data through this approach essentially denies users a genuine choice, falls foul of the consent requirements set out in the applicable laws and is considered an unlawful practice. In these cases, consent is in fact not “freely given”. For consent to be freely given, access to services and functionalities should not be made conditional upon the user’s consent to storing information, or gaining access to information already stored, on the device.

Pre-ticked Boxes

In some cases, users’ consent for installing exempt cookies on their devices is sought by using pre-ticked opt-in boxes. According to recital 32 of the GDPR, “silence, pre-ticked boxes or inactivity should not […] constitute consent”. As a result, pre-ticked boxes are not a valid tool to obtain consent under the GDPR, specifically with regard to cookies. The approach of using pre-ticked boxes is considered unlawful.

Scrolling

The practice of obtaining consent through a user’s action such as scrolling or swiping through a web page or pages does not count as “clear and affirmative” in terms of the requirements of Article 7 of the GDPR, as well as recital 32. As a result, this approach does not satisfy one of the core requirements of valid consent. In addition, this practice makes it extremely difficult to inform the user, and to provide the user with the right to withdraw consent as easily as it was initially obtained.
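
As an added illustration of the three practices above (not code from the Malta DPA guidance or from Aphaia), the following JavaScript models a consent gate for a tracking cookie: nothing is pre-ticked, scrolling never changes the state, content is never walled off, and withdrawal is a single action that also clears the cookie. The cookie name, event types and configuration fields are assumptions made for the example.

```javascript
// Added example: a consent gate for one tracking cookie, modelled in memory so it runs
// outside a browser. Cookie name, event types and config fields are assumptions.
const TRACKING_COOKIE = "ad_tracker"; // constructed name, not a real vendor cookie

function createConsentGate(cookieJar = new Map()) {
  // No pre-ticked default: the gate starts undecided and nothing is written.
  let consent = "undecided";

  return {
    // Feed every banner interaction here; only an explicit click changes state.
    handleEvent(event) {
      if (event.type === "accept_click") {
        consent = "given"; // clear affirmative action on an unchecked control
      } else if (event.type === "withdraw_click") {
        // Withdrawal is one click, as easy as giving consent, and it also removes
        // the cookie that was installed under the earlier consent.
        consent = "withdrawn";
        cookieJar.delete(TRACKING_COOKIE);
      }
      // scroll, swipe, banner dismissal and inactivity leave the state untouched
      return consent;
    },
    // The site refuses to install the tracking cookie until consent is given.
    setTrackingCookie(value) {
      if (consent !== "given") return false;
      cookieJar.set(TRACKING_COOKIE, value);
      return true;
    },
    // Content stays reachable whatever the consent state (no cookie wall).
    canAccessContent() { return true; },
    state() { return consent; },
    hasTrackingCookie() { return cookieJar.has(TRACKING_COOKIE); },
  };
}

// Checks a banner configuration (assumed shape) for the practices the guidance
// lists as non-compliant, plus the permanent withdrawal option the GDPR requires.
function auditBannerConfig(cfg) {
  const findings = [];
  if (cfg.defaultChecked) findings.push("pre-ticked box");
  if (cfg.consentOnScroll) findings.push("scrolling treated as consent");
  if (cfg.blockContentUntilConsent) findings.push("cookie wall");
  if (!cfg.withdrawalAlwaysAvailable) findings.push("no permanent withdrawal option");
  return findings;
}
```

In a real banner the same gate would sit in front of every `document.cookie` write and every third-party tag load, so that the tracking script itself never runs before `state()` returns "given".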

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

LinkedIn users’ data for sale

LinkedIn users’ data for sale on hacking forum – 700 million affected

The details of 700 million LinkedIn users were recently posted for sale on a notorious hacking forum.

The details of 700 million LinkedIn users were recently posted for sale on a popular hacking forum. Last month, a user put the information up for sale on RaidForums, where it was spotted by Privacy Sharks, a news site. The seller provided a sample of 1 million records, which Privacy Sharks viewed and investigated, confirming the validity of the records, which included names, gender, phone numbers, email addresses and work information. This is the second instance this year of LinkedIn user information being scraped and posted for sale online. In April, a total of 500 million LinkedIn users were affected in a similar event.

LinkedIn’s investigation revealed that the data was scraped from LinkedIn as well as other sources.

LinkedIn maintains that this compilation of information on 700 million users was not the result of a data breach, and that the information is all publicly available. The company reported that no private LinkedIn member data was exposed. The ongoing investigation has so far uncovered, in an initial analysis, that the data includes information scraped from LinkedIn as well as other sources. LinkedIn has released a statement saying that it determined the information posted for sale was “an aggregation of data from a number of websites and companies.” The company also states that scraping and other misuse of members’ data violates its terms of service, and that it will work to stop any entities misusing LinkedIn members’ data and hold them accountable.

LinkedIn has sought legal action in the past over violation of its terms of service through data scraping.

While no one has been named as responsible in this case, LinkedIn is currently in an almost two-year legal battle to protect its user data and terms of service through litigation over data scraping. In September 2019, LinkedIn sought legal action against the data analytics organization hiQ Labs in the United States Court of Appeals for the Ninth Circuit. At the time, hiQ Labs was found to have been using automated bots to scrape information from public LinkedIn profiles, at which point LinkedIn served them with a cease and desist, claiming that this violated its terms of service. In this case the court ruled that the data scraping was legal: the information was all publicly available and was being collected by this data analytics organization. However, LinkedIn once again brought this case before the courts last month, in this instance going to the Supreme Court. The Supreme Court threw out the lower court’s original ruling, giving LinkedIn another opportunity to plead its case in the Ninth Circuit. No statement has been made as to whether legal action will also be taken in this instance.

emergency measures for children’s protection

EU approves emergency measures for children’s protection

Temporary emergency measures for children’s protection have just been adopted by the European Parliament.

Temporary emergency measures for children’s protection were adopted by the European Parliament on July 6th. This regulation will allow electronic communication service providers to scan private online messages for any display of child sex abuse. The European Commission reported that almost 4 million visual media files containing child abuse were reported last year. There were also 1,500 reports of grooming of minors by sexual predators. Over the past 15 years, reports of this kind have increased by 15,000%.

This new regulation, which is intended to be implemented using AI, has raised some questions regarding privacy.

Electronic communication service providers are being given the green light to voluntarily scan private conversations and flag content which may contain any display of child sex abuse. This scanning procedure will detect content for flagging using AI, under human supervision. Providers will also be able to use anti-grooming technologies once consultations with data protection authorities are complete. These mechanisms have received some pushback due to privacy concerns. Last year, the EDPB published a non-binding opinion which questioned whether these measures would threaten the fundamental right to privacy.

Critics argue that this law will not prevent child abuse but will rather make it more difficult to detect and potentially expose legitimate communication between adults.

This controversial legislation, drafted in September 2020 at the peak of the global pandemic, which saw a spike in reports of minors being targeted by predators online, enables companies to voluntarily monitor material related to child sexual abuse. However, it does not require companies to take action. Still, several privacy concerns were raised regarding its implementation, particularly around exposing legitimate conversations between adults which may contain nude material, violating their privacy and potentially opening them up to some form of abuse. During the negotiations, changes were made to include the need to inform users of the possibility that their communications may be scanned, as well as setting data retention periods and limitations on the use of this technology. Despite this, the initiative was criticized on the grounds that automated tools flag non-relevant material in the majority of cases. Concerns were raised about the possible effect this may have on channels for confidential counseling. Ultimately, critics believe that this will not prevent child abuse, but will rather make it harder to discover, as it would encourage more hidden tactics.

This new EU law for children’s protection is a temporary solution for dealing with the ongoing problem of child sexual abuse.

From the start of 2021, the definition of electronic communications under EU law has been changed to include messaging services. As a result, private messaging, which was previously regulated by the GDPR, is now regulated by the ePrivacy Directive. Unlike the GDPR, the ePrivacy Directive did not include measures to detect child sexual abuse. As a result, voluntary reporting by online providers fell dramatically with the aforementioned change. Negotiations on revising the ePrivacy Directive to include protection against child sexual abuse have stalled for several years. This new EU law for children’s protection is only a temporary measure, intended to last until December 2025, or until the revised ePrivacy Directive enters into force.
