Transparency is not enough: EDPS on targeted advertising

The EDPS says “transparency is not enough” and calls for a prohibition on targeted advertising based on pervasive tracking. 

 

In a statement penned by the European Data Protection Supervisor, Wojciech Wiewiórowski, he described the current state of cyberspace as figurative “walled gardens”, lamenting that the internet has become “a space of advertising-driven business models and continuous surveillance”. Wiewiórowski believes in a form of advertising which does not depend on the tracking of user interaction with content. He takes the stance that “transparency is essential but it is not enough,” and suggests regulatory incentives and restrictions to curb user tracking and the collection of certain types of data for targeted advertising. 

 

The EDPS suggests regulatory incentives in favour of less intrusive forms of advertising. 

 

Wiewiórowski, in a recent statement, referred to the current business model as an “attention economy”, denouncing the political and ideological polarisation, disinformation and manipulation which seem to have come about as a result of its general nature. Data protection advocates have been concerned about targeted advertising for many years for this reason. Many of the associated risks have been recognised by authorities, as reflected in the Proposal for Digital Services Act. He asserts that less intrusive forms of advertising that do not depend on the user interaction with content, should be incentivised in order to encourage businesses to adopt alternative models, which already currently exist.

 

According to the EDPS, in addition to transparency, perhaps we need further restrictions on the categories of personal data which can be processed for targeted advertising. 

 

According to the EDPS, “We will need more than increased transparency.” In a recent statement by the EDPS, a suggestion of further restrictions on the categories of personal data which can be processed for the purposes of targeted advertising was one of the suggestions to tackle the risks associated with online advertising. He says that it is time to set clear limits to online targeted advertising, as the current state of the internet is the product of human and political choices, and not set in stone. In his statement, the EDPS says “Special categories of data or other data that can be used to exploit vulnerabilities should not be used to target ads.” He suggests preventing the use of data of vulnerable populations (for example children), claiming that this practice has the ability to affect entire generations in unprecedented ways. While it is a necessary part of the equation, the EDPS man obtains that just transparency is not enough, and that more should be done to tackle the ills of targeted advertising. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EDPS reprimands European Parliament for use of Google Analytics

Illegal EU-US data transfers by the European Parliament lead to sanction from EDPS 

 

Due to a complaint made approximately one year prior, the European Parliament has been sanctioned by the EDPS over illegal EU-US data transfers, among other violations. On a COVID-19 testing site, the use of Google Analytics and Stripe (both US companies) by the European Parliament was a violation of the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. In the complaint, filed in January 2021 by noyb, several issues were raised, including deceptive cookie banners, vague and unclear data protection notices, and of course.  the illegal transfer of data to the US. The European Parliament did not incur a fine, but was reprimanded and ordered to come into compliance and address its data protection notice and other transparency issues within a month. 

 

Personal data transferred from the EU to the US is subject to very strict conditions, and must ensure an adequate level of protection.

 

Since the Schrems II ruling, Data transfers to the US have, under much scrutiny. This is because personal data transferred from the EU to the US in most cases do not ensure adequate protection for the data. The COVID-19 testing website provided by the European Parliament was no different. According to the EDPS, “the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.” The data stored included health data, for example symptoms and results of a COVID-19 test. This is considered special category personal data, and therefore particularly sensitive. 

 

The EDPS found the European Parliament to be in violation of several articles of the GDPR and therefore issued a reprimand.

 

The placement of cookies by a US provider without having appropriate measures in place is a violation of EU privacy law. This leaves the site open to possible surveillance by US bodies. The complaint from noyb also highlighted the fact that the site’s cookie banners were unclear and deceptive. The banner did not list all the cookies, and there were also differences between the language versions. As a result users were unable to give valid consent. The European Parliament removed all cookies from the website during the investigation. 

 

There were also several issues of transparency noted in the complaint filed by noyb. It stated that the privacy policy was not clear and transparent and referred to a wrong legal basis. The privacy policy was also changed during the course of the investigation, however the changes made may have worsened the situation. The EDPS concluded that the European Parliament was violating the obligation of transparency under the GDPR. In addition it was found that the Parliament did not adequately reply to the access request of the complainants. The EDPS found the European Parliament To be in violation of several articles of the GDPR, and therefore issued a reprimand in accordance with article 58(2)(b) of the Regulation.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Call for a ban on facial recognition

Call for a ban on facial recognition: EDPB and EDPS release a joint statement

The EDPB and EDPS have made a collaborative call for a ban on facial recognition for automated recognition in public spaces. 

 

 The EDPB and EDPS call for a ban on the use of AI for biometric identification in publicly accessible spaces. This includes facial recognition, fingerprints, DNA, voice recognition and other biometric or behavioral signals. This call comes after the European Commission outlined harmonized rules for artificial intelligence earlier this year. While the EDPB and EDPS embrace the introduction of rules addressing the use of AI systems in the EU, by institutions, bodies or agencies, the organizations have expressed concern over the exclusion, from the proposal, of cooperation from international law enforcement. The EDPB and EDPS also stress that it is necessary to clarify that the existing data protection regulation within the EU applies to any and all personal data processing under the scope of the draft AI regulation. 

 

The EDPB and EDPS call for a general ban on the use of AI in public spaces, particularly in ways which might lead to discrimination. 

 

In a recently released joint statement, the EDPB & EDPS recognize that extremely high risks are posed by remote biometric identification of individuals in public spaces, particularly the use of AI systems using biometrics to categorize individuals based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited. According to Article 21 of the Charter of Fundamental Rights, “Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited.” In addition the organizations are calling for a prohibition on the use of AI to deduce the emotional state of natural persons except in specific cases. One example of this in the field of health includes cases where patient emotion recognition is relevant and important. However the EDPB and EDPS maintain that any use of this sort of AI for any type of social classification or scoring should be strictly prohibited. “One should keep in mind that ubiquitous facial recognition in public spaces makes it difficult to inform the data subject about what is happening, which also makes it all but impossible to object to processing, including profiling” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner

 

The EDPB and EDPS call for greater clarity on the role of the EDPS as competent and market surveillance authority. 

 

The organizations in their joint opinion, embrace the fact that the European Commission proposal designates the EDPS as the market surveillance authority and competent authority for the supervision of institutions, agencies and bodies within the European Union. However the organisations are also calling for further clarification on the specific tasks of the EDPS within that role. The EDPB and EDPS acknowledge that data protection authorities are already enforcing the GDPR and LED in the context of AI involving personal data. However the organizations are suggesting a more harmonized regulatory approach, involving the DPAs as designated national supervisory authorities, as well as  consistent interpretation of data processing provisions across the EU. In addition, the statement calls for greater autonomy to be given to the European Artificial Intelligence Board, in order to avoid conflict and create an atmosphere for an  AI European body free from political influence. 

 

Do you want to learn more about facial recognition in public spaces? Check our vlog.

Do you use AI in your organisation and need help ensuring compliance with AI regulations? We can help you. Aphaia provides EU AI Ethics Assessments, Data Protection Officer outsourcing and ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments. We can help your company get on track towards full compliance.

Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports” are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates or passes, as they would preferably be called, are proposed to be a QR code with information on a person’s status with regard to the COVID-19 virus. The specifics of the information may be pertaining to the vaccine and have details on which vaccine was taken and when it was administered, or it may contain information on a negative COVID-19 test and the date on which the last test was taken. This scannable code may also contain information on antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from this virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless, for anyone traveling during this global pandemic. 

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published the proposal for a Regulation of the European Parliament and of the Council the issuance, verification and acceptance of certificates of vaccination, testing and recovery to third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic on March 17th. The EDPB & EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specific to the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent and does not, in any way conflict with the application of the GDPR. 

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy and data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only aid by helping citizens trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO) in its ‘ interim position paper: considerations regarding proof of COVID-19 vaccination for international travelers’ stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.” 

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level, under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper based formats, to ensure the inclusion of all citizens, regardless of their level of engagement with technology. The organisations also call for clarification on the proposal’s stance on the manner in which these certificates will be issued, whether automatically, or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the union during the COVID-19 pandemic”. The EDPB and EDPS recommend the inclusion of reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data, for the issuance and verification of interoperable certificates, as acknowledged in Recital 37. 

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge,and may renew these certificates to bring the information up to date, or replace as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as modifications shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons. 

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPD and EDPS consider that the justification for the need for personal data fields needs to be clearly defined in the Proposal. In addition, the organizations ask that further explanation be provided as to whether all of the categories of personal data provided for are necessary for inclusion in the QR code for both digital and paper certificates. They note that data minimisation can be achieved using an approach of differently comprehensive data sets or QR codes. In addition, the organizations note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that given the scope of the draft of the proposal, and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should only be limited to COVID-19 and its variants. 

The EDPB & EDPS iterate the importance of adequate technical and organizational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organizations suggest that privacy and security measures should be specially structured to ensure compliance by the controllers and processors of personal data required by this framework.  The opinion states that controllers and processors should take adequate technical and organizational measures to ensure a level of security that is appropriate to the level of risk of the processing of this personal data in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures which are adopted. 

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple member states by persons traveling throughout the EU. They also suggest that the Proposal should provide clarification on the role of the Commission with regard to data protection law in the context of the framework, guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR, with regard to the storage of personal data, as well as clarification on the storage period that Member States should not exceed, beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarifies whether, and when any international transfers of personal data are expected, as well as safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes that this data is exchanged, according to the framework.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.