"I have had the pleasure of working with many delegates for our IT & Security roundtable events here at Strategy Insights, but Wolfgang has stood out in particular. Wolfgang has led many roundtables during our events, where he has facilitated brilliant conversations surrounding topics such as IT Security, Cyber Security, Digital Transformation, People & Culture and many more. Many participants have often echoed our thoughts. Wolfgang's expertise in these areas and confidence in leading these discussions have often left participants with many takeaways and insights in particular challenge areas. These roundtables have been voted the best of the event. Wolfgang's ability to develop relationships through leading these discussions has proved to be a major success, which has led to many connections and network building for us here at Strategy Insights, for Wolfgang and for all those involved."
Wolfgang Lehna
Frankfurt, Hesse, Germany
2015 followers
500+ connections
Recommendations received
1 person has recommended Wolfgang Lehna
Discover more posts
Odia Kagan
To sub-processor infinity and beyond! European Data Protection Board opinion on sub-processors requires controllers to collect & review sub-processor lists; compliance documents & transfer impact assessments all the way down the sub-processor chain, even if it's hard/complex.
TL;DR: Roses are red, violets are blue, cross-border transfers are complicated, but that problem, controller, is for you.
To do:
Initial processor:
🔹Conduct due diligence for the processor you choose and be able to demonstrate to regulators that you did, e.g. through: a questionnaire, relevant documentation, publicly-available information and/or third party audits
🔹Conduct regular audits of the processor.
Sub-processors:
🔹Before engaging: You definitely need a list of intended sub-processors (including: locations, what they will be doing and proof of safeguards).
🔹Conduct diligence / assure the guarantees. The extent depends on the data.
🔹In cases where the information received seems incomplete/inaccurate or data is more sensitive: verify and complete/correct if necessary.
🔹Ask for the sub-processing contracts if necessary.
🔹Document all measures / steps.
🔹Include in the contract how/when the processor should provide you with all information on the processing.
🔹You may rely on the information provided by the processor, if the information submitted by the processor actually demonstrates compliance. This also applies to sub-processors.
🔹General authorization for engaging processors should be supplemented with criteria to guide the processor’s choice.
Onward transfers - before engaging the processors/sub-processors:
🔹Ask for and assess things like: transfer mapping (which personal data is transferred, including remote access, where, and for which purposes), ground for transfer used, “transfer impact assessment” and supplementary measures.
🔹You may rely on such mapping and if necessary build on it if it seems incomplete/inaccurate.
🔹For transfers based on an adequacy decision, assess: (1) whether the adequacy decision is in force and (2) whether the transfers carried out fall in scope and (3) get documentation re (sub-)processor ‘sufficient guarantees’, but no need to independently assess in all cases.
🔹For transfers without adequacy decision: (1) get TIA; (2) ensure it's OK and (3) build on it if necessary and (4) ensure (sub-)processor ‘sufficient guarantees’
In your Art 28 contract you:
🔹MUST include a commitment from the processor to only process personal data on documented instructions
🔹SHOULD add “unless required to do so by Union or Member State law to which the processor is subject” (either verbatim or in very similar terms).
🔹MAY add “unless required to do so by law or binding order of a governmental body” for a non-EU country
🔹MUST include processor’s obligation to inform controller before carrying out a processing that is not based on instructions
#dataprivacy #dataprotection #privacyFOMO pic by ChatGPT https://lnkd.in/ehy32wUV
27023 comments
Vikas Sharma
Worried about immaterial damages under the #GDPR? Whether #datasubjects can #claim #compensation for GDPR #infringements that caused only 'moral' damages has been the subject of a very heated debate. The national courts are ruling very differently on the subject. Germany's Federal Court of Justice (BGH), judgement of 18.11.2024, case no. VI ZR 10/24, has ruled against #Meta in a large data #leak case from 2021 that comprises personal data of half a billion people. This overrode the decision of a lower court that had ruled in favor of #Meta, and said instead that it was sufficient for users to just show they were victims of the #dataleak and they did not have to prove #suffering. Does the fact that a data subject does not know whether their own data, such as their name and telephone number, has been disclosed constitute damage? Plaintiffs are often unable to prove any further #damage - such as increased spam calls. They therefore only receive money if the "abstract" loss of control is recognised as damage. At the same time, it is undisputed that the "loss of control" can be #harmful. This has long been recognised by the European Court of Justice (#ECJ). According to the ECJ, however, it must be proven that such damage has actually occurred. German courts have therefore often argued that the mere possibility that third parties have gained access to the data does not constitute damage. More would have to be involved, such as a demonstrable increase in spam calls or credible psychological stress. Most plaintiffs are unable to do this. BGH: Loss of control over #Facebook data justifies compensation; the "mere and short-term loss of control over one's own personal data as a result of a breach of the #GDPR alone constitutes immaterial damage. It is not necessary to prove that the data has been #misused to the detriment of the data subject. Further noticeable negative consequences are also not required."
The judgement gives a boost to professional plaintiffs' representatives in particular, may influence many pending #PrivacyLitigation cases, and opens the door for potentially unforeseeable #risks and limitless #liability for organizations. The companies should take precautions: Data protection #violations can quickly become expensive because professional plaintiffs' representatives organise waves of lawsuits for their own financial gain. This can be prevented with good data protection #compliance. Ideally, this will prevent an #incident from occurring in the first place. If a data protection incident does occur, which can never be ruled out, good documentation of the #TOMs taken provides a good line of defence to halt such #risks at an early stage. #Personaldata #DataProtection #GDPR #ArtificialIntelligence #Webscraping #LossOfControlOverData #TOMs #Security #Lawfulbasis #ScrapingIncident #DataBreach #MisuseOfData #Accountability #Documentation #ClaimsForDamages
13
Martin Zwick
Upcoming Cases in Germany on Data Scraping Damages
Mark your calendar: On October 8, 2024, the Federal Court of Justice (BGH) in Germany will hear two pivotal cases (VI ZR 7/24 and VI ZR 22/24) concerning compensation claims for individuals whose data was illicitly scraped and disseminated online by unknown third parties. In both cases, the defendant is Facebook (Meta Platforms, Inc.). The incidents stem from a major data breach in April 2021, where information from approximately 533 million Facebook users across 106 countries was leaked online. This breach was facilitated by a feature that allowed Facebook profiles to be found via phone numbers, which third parties exploited using automated scraping tools. The plaintiffs, whose user IDs, names, countries, and genders were exposed, seek compensation for non-material damages, alleging insufficient security measures by Facebook. They report experiencing anxiety, stress, and loss of comfort and time. Additionally, they demand an injunction and information disclosure. Previous rulings saw the Heilbronn and Cologne Regional Courts dismiss the claims, but the Stuttgart and Cologne Higher Regional Courts provided mixed outcomes. The Stuttgart Higher Regional Court partially upheld one plaintiff’s appeal, recognizing Facebook's liability for future damages, while the Cologne Higher Regional Court upheld the dismissal. Both plaintiffs are now pursuing their claims through BGH-approved revisions. The outcomes could set significant precedents in data protection law. #DataProtection #Facebook
1733 comments
ICT & Digital @MLL Legal
⚖️ ECJ and the GDPR 1/3: A purely commercial interest can be a legitimate interest
On Friday, the ECJ published interesting new decisions on the interpretation of the GDPR. Please find below our summary with the key takeaways of the first decision, C 621/22:
💼 Commercial interests in processing personal data can also constitute a legitimate interest under the GDPR. Therefore, an association's interest to disclose its members' personal data to sponsors for marketing purposes could, in principle, be a legal basis if the interests of the data subjects do not outweigh the interests of the controller. However, it is for the national court to decide whose interest outweighs the other.
📄 Read the full decision here: 🔗 https://lnkd.in/gStNUNEB
15
Martin Zwick
New Guidance from German Authorities for Digital Service Providers
The German data protection authorities (DSK) have released updated guidance for digital service providers. It is only available in German but here are the key points:
Scope: Applies to all digital service providers
Consent Requirement: Storing information on or accessing information from end devices requires user consent.
Technology Neutrality: Applies to all technologies, not just cookies.
No Personal Data Required: Protection extends beyond the GDPR.
Consent Requirements: Must be voluntary, informed, unambiguous, and revocable.
Exceptions from consent: Only in cases of technical necessity or service provision.
The new guidance significantly impacts the design of digital services, especially regarding consent declarations. It's worth examining the sections on consent design closely. For instance: Informed consent in this context (referring to user tracking by third parties) requires clearly explaining the purposes of processing, particularly if individual profiles are created and enriched with data from other websites. Third-party service providers must be individually named. The requirements are not limited to the operation of websites and apps, although these are the most common use cases. Therefore, the guidance primarily includes examples from these areas to illustrate the points.
35
Dmitrii Filatov
📕 🔥 Consent Banner Report. Overview of EU and national guidelines on dark patterns by noyb.eu The purpose of this report is to offer a comprehensive account of the European Data Protection Board taskforce’s report findings for each violation, compared with the positions taken by national DPAs in guidance documents. The Report will address each practice in turn, outlining some relevant issues, the position of the #EDPB taskforce, and the guidelines published by the national DPAs. The final section of the report will outline some other relevant EDPB and WP29 guidelines for further research. #cookies #GDPR
79
Martin Zwick
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg/Germany has published an update of its discussion paper "Legal Foundations in Data Protection for the Use of Artificial Intelligence". I recommend reading chapter IV.1 on legitimate interest. Like: "In the development and use of AI systems, a legitimate interest of the controller will regularly be assumed. Such a legitimate interest may, for example, lie in the development of AI systems. Thus, controllers in a commercial context will regularly pursue the goal of offering increasingly better and more innovative products, which may include, for instance, the development of autonomous vehicles or the flawless recognition of human interactions." Thank you Dr. Henrik Hanssen for sharing the machine translation!
40
Dmitrii Filatov
📕 On the record. Exploring the ethical, technical and legal issues of voice assistants - White paper by CNIL - Commission Nationale de l'Informatique et des Libertés
The CNIL - Commission Nationale de l'Informatique et des Libertés presents leading practices for designers, application developers, integrators and organisations wishing to roll out #voiceassistants in shared locations. It emphasises the need for #transparency and #security of the devices designed, in order to comply with #GDPR and protect the privacy of individuals. The white paper also explains the good security practices that users can implement, for instance to ensure confidentiality of the data transmitted, or to protect children who may interact with those devices.
964 comments
Giulia Iozzia
📍 #Software Protection and Product #Liability
➡ Software programs are protected by #copyright laws and in case of infringement of the relevant #IP rights, #damages linked to loss of profits are automatically recognized. The minimum amount to be liquidated is a lump-sum compensation according to the "consent price" criterion (i.e. the price to be paid for a lawful #license of the software program concerned). This principle has recently been reinstated by the judgement of the Court of Milan issued last May 6.
➡ The New Product Liability #Directive approved by the EU Parliament on March 12 has set a wider definition of “product”, in order to adapt it to the digital age, that also covers software, whether #embedded or #standalone, including #AI systems. The software producer or developer, including the #provider of AI systems, is to be considered a #manufacturer for the purpose of the Directive. Some points to be considered, also in relation with the AI Act:
🔸 both free and #opensource software developed not in the context of a commercial activity and source codes are excluded from the definition;
🔸 a “product #defect” (e.g. failure to address #cybersecurity vulnerabilities) may emerge also after the product has been placed on the market or put into service, especially with reference to #machinelearning and other #technologies that learn independently during their use;
🔸 damages deriving from #data destruction or corruption, including costs to recover such data, must be compensated (save for applicability of #privacy laws in case of data breaches);
🔶 further provisions are established in order to simplify the burden of proof upon the damaged party.
20
Martin Zwick
📢 Data Privacy Updates on Asset Deals, Patient Records, and Scientific Research in Germany
On September 11, 2024, the German Conference of Data Protection Authorities of the Federal and State Governments (Datenschutzkonferenz = DSK) discussed critical topics. Here's a look at the major outcomes:
1. Revised Guidelines for Asset Deals: The DSK has updated its 2019 resolution on "Asset Deals" to offer clearer guidance on the application of the GDPR. This is crucial for companies involved in the transfer of business assets, including customer, supplier, and employee data. The new resolution provides a more detailed framework for ensuring data protection compliance in these transactions.
2. First Free Copy of Patient Records: Following a ruling from the European Court of Justice (ECJ) on October 26, 2023, the DSK is advocating for legislative changes to ensure patients receive their first copy of medical records for free. This aligns with Article 15(3) of the GDPR, which grants patients the right to one free copy of their records, challenging existing national regulations that require payment.
3. Unified Definition of Scientific Research: The DSK has established a consistent understanding of "scientific research purposes" under the GDPR. This aims to ensure that data processing for research is methodologically sound, independent, and serves the public interest, while also respecting the rights of data subjects.
Why This Matters: These resolutions are pivotal for harmonizing data protection practices. The focus on AI, patient rights, and scientific research underscores the DSK's commitment to adapting data protection to contemporary challenges.
The original press release was in German and has been translated into English using DeepL. Please read with care. #DataPrivacy
452 comments
Uwe Setz
Hot off the press The #BerlinGroup, chaired by the German Federal Commissioner for Data Protection and Freedom of Information (#BfDI) Ulrich Kelber, has adopted a working paper on #FacialRecognition Technology. In view of the increasing use or intended use of this technology, the latest example being the planned nationwide use by the Swedish police, it is important to have clear and universally recognized rules. In addition, we may be seeing the first instance of abstract legal norms of the #AIAct being filled with life! #LEP https://lnkd.in/eTP6Y2qu
81 comment
Santun Gunadi
HOW LARGE IS "LARGE-SCALE" DATA PROCESSING?
In almost all data protection laws worldwide, "large-scale" data processing is an important factor for certain requirements, like conducting a Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO). However, the definition of "large-scale" is often unclear, leaving organizations unsure about when these rules apply. Different countries take different approaches to define large-scale data processing. Some, like Estonia and Germany, use numbers to set thresholds. For example, Estonia considers processing data for 50,000 individuals as large-scale, while Germany defines it as involving over 5 million people or 40% of a relevant population. These specific numbers can help but are not consistent across all regions. Other countries focus on context instead of numbers. The United Kingdom looks at things like the number of people involved, the scope of the processing, and how sensitive the data is. France also considers factors like how much data is being processed, how long the processing lasts, and how wide its impact is. This approach requires businesses to make their own judgment based on the situation. Without a clear definition, organizations should focus on the risks involved. Ask questions like: How many people will this processing affect? Is the data sensitive? What could happen if there’s a problem with the processing? If the impact seems significant, it’s safer to treat the activity as large-scale and take steps like conducting a DPIA or appointing a DPO. To help businesses, regulators could provide clearer guidance or examples of what counts as large-scale. Until then, taking a cautious and proactive approach is the best way forward. Not only does this help meet legal obligations, but it also builds trust with customers and stakeholders. Here is the data I have gathered from various sources on the internet regarding large-scale data processing criteria across different jurisdictions. Please feel free to correct any inaccuracies or provide feedback if something appears incorrect or misaligned.
65
Silvia Axinescu
Guidelines and introductory notes around #AI & #DataProtection from the Bavarian DPA tackling aspects like actors within the #AIRegulation, processing #personaldata within #AISystems, #DPIA, #transparency obligations and many more ... #AI #DataProtection https://lnkd.in/eTQ-PfGm
8
The GW Competition & Innovation Lab
NEW PAPER: Christian Bergqvist writes about the European Commission's investigation against Microsoft's bundling of Teams with Office 365. EU has opened an antitrust investigation into Microsoft's policy of including the communication software Teams in its Office 365 packages. Very little is known about the case and the alleged grievances, as only a short press statement is available. This identifies Office 365 as dominant, and the integration of Teams is directed at monopolizing the market for communication software and shielding Office 365 from competition. DG COMP has shown its commitment to progressing the issue by filing a SO, which has also provided Microsoft with opportunities to provide justifications for its actions. This necessitates challenging the market definition and the risk of foreclosure, while also considering how bundling enhances efficiencies through seamless integration and counters rival communication software providers as a potential long-term threat to Microsoft. The ring-fencing strategy, which (potentially) acts as the governing incentive, relies on the latter. However, Microsoft may justifiably dismiss it as disconnected from reality. Regardless of everything, our ability is currently limited to making informed conjectures, which is somewhat more sophisticated than interpreting coffee grounds. See: https://lnkd.in/etT7N9W8
14
Giulio Coraggio
BREAKING NEWS: NIS2 Directive Implementing Regulation Approved! The European Commission has just green-lit the regulation on #cybersecurity measures and significant #cyber incidents.
📌 Wondering about the technical and methodological requirements for cybersecurity risk management under the NIS2 Directive?
📌 Curious when a cyber incident is deemed 'significant' according to the NIS2 Directive?
These pivotal questions are addressed in the Implementing Regulation of the NIS2 Directive, approved today by the #EuropeanCommission, in light of Articles 21(5) and 23(11).
⚠️ IMPORTANT NOTICE: These rules apply ONLY to:
Providers of #DNS services
Top-level domain name registries
#CloudComputing service providers
#DataCenter service providers
Content Distribution Networks (CDNs)
Managed Service Providers (#MSPs)
Managed Security Service Providers (#MSSPs)
Online #Marketplaces
Online Search Engines
Social Networking Platforms
Trust Service Providers
🔔 WHAT'S NEXT? We await the publication in the Official Journal of the European Union to consider the final text. However, it's essential for affected entities to begin studying and contemplating these rules now.
🚨 Your Input Matters! What are your thoughts on the proposed #cybersecurity measures and the thresholds for classifying an #incident as 'significant'?
📌 Let's dive into a discussion in the comments below and watch the recording of our DLA Piper webinar on the topic from a few days ago.
#NIS2Directive #CyberSecurity #CyberIncidents #RiskManagement #EuropeanCommission #CloudComputing #DataCenter #ManagedServices #SocialNetworking #OfficialJournal #CyberRisk #DLAPiper
661 comment
Martin Zwick
Dutch DPA Fines Clearview AI €30.5 Million for Illegal Data Collection
The Dutch Data Protection Authority (Dutch DPA) has imposed a significant fine of €30.5 million on Clearview AI, an American company providing facial recognition services. The fine comes with an additional penalty of up to €5.1 million for future non-compliance. This decision highlights the serious breaches of privacy laws committed by Clearview AI, which has illegally amassed a database of 30 billion facial images, including those of Dutch citizens, without their consent. The Dutch DPA’s investigation revealed that Clearview AI has seriously violated the GDPR on multiple fronts. The company’s actions include:
- Illegal Database Creation: Collecting and using biometric data, such as facial images, without legal grounds.
- Insufficient Transparency: Failing to inform individuals about the use of their data and not cooperating with data access requests.
Despite previous fines from other data protection authorities, Clearview AI has not altered its conduct, prompting the Dutch DPA to explore additional measures, including holding the company’s directors personally liable. #GDPR #AI
2048 comments
PrivacyRules
Privacy protection association #Noyb announced on April 29 that it had filed a complaint against OpenAI with the Austrian #DataProtection Authority (DSB). The complaint relates to the start-up's inaction in correcting certain personal information provided by its ChatGPT service. Noyb asked #ChatGPT about the date of birth of the association's founder, Max Schrems. The conversational agent then repeatedly gave him incorrect information rather than indicating that it didn't have the necessary #data. “OpenAI denied his request to rectify or delete the data, explaining that it was not possible to correct the data (...),” adds Noyb. “#OpenAI did not provide any information about the data processed, its sources or recipients.” For Noyb, leaving inaccurate personal data online violates three articles of the #GDPR. Article 5 states that “personal data must be accurate and, where necessary, kept up to date”. Article 16 states that individuals have a right to rectification and deletion of false information in the event of inaccurate personal data. Finally, article 15 stipulates that companies must be able to show what data is held by individuals, and the sources used. “Inventing false information is problematic enough in itself,” says Maartje de Graaf, a lawyer specializing in #dataprotection, in the press release. “But when it comes to false information about individuals, the consequences can be serious. Companies are currently unable to ensure that chatbots like ChatGPT comply with EU law when processing data about individuals.” The association is asking the #DSB to investigate both OpenAI's data processing and the measures taken to ensure the accuracy of personal data.
6
Uwe Setz
Illegal Secondary Use by BinDoc? The former data protection officer of Schleswig-Holstein, Thilo Weichert, accuses #BinDoc of illegal #secondaryuse of #patient #data. BinDoc initially processes this data in a legally compliant manner on behalf of hospitals to document the course of patients' illnesses. Subsequently, the data is apparently #anonymized by BinDoc and used for its own purposes, such as cost-effectiveness and market analyses. Thilo Weichert and co-author Karin Schuler are of the opinion that the data is only #pseudonymized because BinDoc only uses three measures for "anonymization". Some data fields are removed from the dataset, others are replaced by a #hash value or transferred to working groups (#cohorts) by #categorization. Even by trying out with known #patientIDs, it is therefore possible to clearly assign them to natural persons. Last week I was able to listen to a lecture by Andreas Sachs from the Bavarian State Office for Data Protection Supervision (#BayLDA) on the topic of anonymization. The requirements of the BayLDA for the anonymization of patient data are certainly not met with these three measures. I also wonder whether BinDoc has a legal basis for anonymization. In my opinion, this can only lie in the #consent of the patients. I will continue to monitor the case. https://lnkd.in/eAx2tWxP
51 comment
Martin Zwick
EU's Investigation of Temu Highlights DSA's Potential as a Political Instrument
On October 31st, the European Commission initiated formal proceedings against Temu to investigate potential violations of the Digital Services Act (DSA). This significant move comes amid broader trade tensions between China and the EU, particularly in the electric vehicle (EV) sector.
Why the DSA is Applicable to Temu: Temu was designated as a Very Large Online Platform (VLOP) on May 31, 2024, following its declaration of having more than 45 million monthly active users in the EU. As a VLOP, Temu is subject to the most stringent obligations under the DSA, designed to mitigate systemic risks and protect consumers.
Key Focus Areas of the Investigation:
1. Sale of Illegal Products: Scrutinizing Temu's mechanisms to prevent the sale of non-compliant goods within the EU.
2. Addictive Design: Assessing the risks associated with potentially addictive features of the platform that could impact users' well-being.
3. Recommendation Systems: Ensuring transparency in how Temu recommends products and content to users, including providing non-profiling based options.
4. Data Access for Researchers: Reviewing Temu's compliance with providing access to publicly accessible data for research purposes.
The investigation into Temu is particularly relevant against the backdrop of ongoing trade tensions between the EU and China. Recent disputes over EV tariffs and retaliatory measures have highlighted the complexities of international trade relations. The EU's firm stance on the DSA reflects its dedication to maintaining high standards for digital services and consumer protection, even amidst geopolitical challenges. Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, emphasized, "We want to ensure that Temu is complying with the Digital Services Act. Our enforcement will guarantee a level playing field and that every platform, including Temu, fully respects the laws that keep our European market safe and fair for all."
22
Eli Atanasov, CIPP/E, PhD
📢 New Guidelines: The EDPB has just published a new version of its "Guidelines 2/2023 on Technical Scope of Art. 5(3) of the ePrivacy Directive!"
🚨 The EDPB’s new guidelines take a broad view on what constitutes "information on terminal equipment" and "access to information already stored." Their goal? To prevent technical workarounds that enable tracking without cookies.
💡 However, the final version still raises questions about when consent is required and what exemptions may apply. This ambiguity leaves businesses navigating compliance challenges as they implement tracking technologies like URL and pixel tracking, IP-based tracking, and IoT data reporting.
🤔 How do you think businesses should adapt to this broad interpretation?
📊 Key Insights from the Guideline:
- The EDPB’s interpretation aims to close loopholes that allow tracking without explicit consent.
- It expands the definition of "storing or accessing information" to include technologies beyond cookies, like:
1. URL and pixel tracking
2. Local processing and IP-based tracking
3. IoT device reporting
4. Use of unique identifiers
- The guidelines emphasize that while these actions may fall under Article 5(3), the requirements for consent or exemptions remain unclear.
👇 Explore more valuable resources on new technology, and other key topics - check the comments for free access!
51 comment