The Privacy Explorer | Week 19


🤖 German DPAs issue joint guidance on data protection compliance in AI deployment

On 6 May 2024, the Conference of German Data Protection Authorities (DPAs) published joint guidance on AI and data protection, focusing in particular on the use of large language models (LLMs) by businesses.

Here are the key points:

  • Concept Phase and selection of AI applications: Emphasizes defining AI use cases and determining whether any of them can be served without personal data. Where personal data is involved, the entity must ensure a valid legal basis, minimize the personal data used, ensure transparency and offer a choice regarding AI training and input history, comply with data subject rights (see my post on the complaint against OpenAI over ChatGPT’s failure to comply with data subject rights), and involve DPOs and employee representatives in decision-making. It advises against fully automated decision-making without human oversight (art. 22 GDPR).
  • Implementation Phase: Includes defining responsibilities, concluding appropriate agreements, establishing AI policies, conducting DPIAs if the processing of personal data is likely to result in high risks to individuals, ensuring data security through robust technical and organizational measures, and providing training and guidelines to the employees.
  • Usage Phase: Advises caution both when entering personal data into an AI system and when using its output (in particular where special categories of data are involved), and calls for checking the accuracy of AI outputs and preventing discriminatory outcomes.

This comprehensive guidance is part of an ongoing effort by German DPAs to provide clear and actionable recommendations for AI use in line with current privacy laws, ensuring organizations can effectively integrate AI technologies while maintaining robust data protection standards.

The content is in line with French CNIL’s recent “AI how-to sheets”.

The guidance is available here in German, but you can grab an automated translation into English here (direct download link).

📡 Austrian DSB Launches Investigation into Telecommunications Sector for GDPR Compliance

On 6 May 2024, the Austrian Data Protection Authority (DSB) began a targeted investigation into the telecommunications sector, focusing on the adherence to the General Data Protection Regulation (GDPR). This enforcement action is part of a broader initiative to conduct sector-specific examinations to ensure that data processors and controllers comply with established privacy standards.

The investigative process will involve several stages:

  1. Initial Compliance Checks: Telecom companies are required to submit their records of processing activities, providing a comprehensive overview of how personal data is handled.
  2. Detailed Questionnaire: Companies must respond to a questionnaire that addresses general and sector-specific data protection issues. This step is designed to evaluate the thoroughness of each company’s data protection measures.
  3. Potential Further Actions: The DSB has indicated that the investigation could lead to oral negotiations and on-site inspections if preliminary findings warrant a deeper examination.

In 2023 the DSB ran a similar exercise in the financial sector.

Read more here.

📊 Canadian OPC Survey Highlights Privacy Priorities in Business Sector

On 6 May 2024, the Office of the Privacy Commissioner of Canada (OPC) released findings from its latest biennial survey assessing the privacy practices of Canadian businesses. Conducted between 21 November and 21 December 2023, this survey involved 800 businesses nationwide. Here’s the short version:

High Priority on Privacy: 80% of businesses consider the protection of customer personal information a high or extremely high priority.

Awareness and Compliance: 88% of businesses are at least moderately aware of their privacy obligations under national laws, and 76% have implemented measures to comply with these obligations.

Technology and AI Use: Current AI usage is low, with only 6% of businesses utilizing the technology; however, about 24% plan to adopt AI within the next five years, indicating a shift towards more tech-driven operations.

Privacy Management Practices:

  • Privacy Officers: Over half (56%) have designated a privacy officer.
  • Complaint and Access Procedures: Half of the businesses have procedures for handling complaints and access requests (50% each).
  • Privacy Training: 33% provide regular privacy training to their staff.

Resource Utilization:

  • OPC Tools Awareness: Awareness of OPC’s informational resources has increased to 41%, from 33% in 2022.
  • Resource Usage: Despite the availability of these tools, only 26% of businesses reported using them.

You can read the press release here and the findings here.

📶 Spain's AEPD Releases Guidelines on WiFi Tracking

On 7 May 2024, the Spanish Data Protection Authority (AEPD), along with the data protection bodies of Catalonia, Basque Country, and Andalusia, published a comprehensive Guidance on the lawful use of WiFi tracking technology under GDPR.

Context and Data Protection Concerns:

WiFi tracking technology identifies and follows mobile devices through the WiFi signals they emit, typically by capturing the MAC address a device broadcasts when it probes for networks. This can reveal presence, location and patterns of movement, especially in high-density settings such as shopping centers, museums and public transport. The AEPD has raised concerns about the privacy risks of such technology, in particular the lack of awareness among the individuals being tracked and the frequent absence of a robust legal basis for the tracking.

Guidelines for Responsible Use:

The authorities underscore the need for conducting Data Protection Impact Assessments (DPIAs) before deploying WiFi tracking, to evaluate and mitigate risks effectively. Transparency is crucial; data controllers are urged to inform the public through visible informational panels, public signage, voice alerts, and comprehensive information campaigns.

Technical and Legal Recommendations:

The guidelines provide a detailed examination of the technical and legal implications of WiFi tracking. They set forth measures to ensure the processing of personal data adheres to GDPR principles, including:

  • Anonymizing and aggregating data immediately after collection.
  • Limiting tracking to necessary scopes and not reusing identifiers for different visits.
  • Implementing security measures proportionate to privacy risks.
  • Establishing visible, simple, and accessible mechanisms for data subjects to exercise their rights.
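Two of the measures above, anonymizing immediately after collection and not reusing identifiers across visits, are where deployments most often go wrong: hashing a MAC address with a plain, unkeyed hash is not anonymization, because the address space is only 48 bits and the first 24 (the vendor OUI) are public, so the hash can be reversed by enumeration. The following is an added example, not code from the AEPD guidance or from any tracking vendor, that contrasts the reversible approach with a keyed per-day pseudonym and then reduces the captures to counts. The sample probe requests, the per-day keying scheme, the randomized-MAC bucket and all function names are assumptions made for the illustration.

```python
"""Added example (not from the AEPD guidance): pseudonymizing WiFi probe-request
MAC addresses so a device cannot be linked across visits, then reducing the data
to daily counts. The probe captures below are constructed sample data."""
import hashlib
import hmac
import itertools
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample of captured probe requests: (visit day, source MAC).
SAMPLE_PROBES = [
    ("2024-05-07", "A4:C3:F0:12:34:56"),
    ("2024-05-07", "a4:c3:f0:12:34:56"),  # same device, same day: one visitor
    ("2024-05-07", "00:1a:2b:aa:bb:cc"),
    ("2024-05-07", "da:1b:2c:3d:4e:5f"),  # locally administered (randomized) MAC
    ("2024-05-08", "a4:c3:f0:12:34:56"),  # same device, next day: must not link
]


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form, so case or separator changes
    do not split one device into two."""
    return mac.strip().lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet is the locally administered flag; phones set it
    when they randomize the MAC used in probe requests."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def naive_hash(mac: str) -> str:
    """Unkeyed SHA-256 of the MAC. Looks anonymized, but the input space is only
    48 bits and 24 of those are the public vendor OUI."""
    return hashlib.sha256(normalize_mac(mac).encode()).hexdigest()


def brute_force_naive_hash(digest: str, known_prefix: str) -> Optional[str]:
    """Recover a MAC from its unkeyed hash by enumerating the octets after
    known_prefix. Knowing only the 3-octet OUI means 2**24 guesses (seconds on a
    GPU); the demo passes four known octets so it finishes quickly in Python."""
    known = normalize_mac(known_prefix).split(":")
    for tail in itertools.product(range(256), repeat=6 - len(known)):
        candidate = ":".join(known + [f"{b:02x}" for b in tail])
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def pseudonymize(mac: str, day_key: bytes) -> str:
    """HMAC-SHA256 under a secret per-day key. Without the key, enumerating the
    48-bit space is useless; a fresh key each day gives the same device unrelated
    identifiers on different visits."""
    return hmac.new(day_key, normalize_mac(mac).encode(), hashlib.sha256).hexdigest()


def daily_unique_visitors(
    probes: Iterable[Tuple[str, str]],
    day_keys: Optional[Dict[str, bytes]] = None,
) -> Dict[str, Dict[str, int]]:
    """Reduce raw probes to per-day counts of unique stable and randomized MACs.
    Each day's key is generated at random, used only for in-memory de-duplication
    and discarded together with the pseudonyms once the count exists, so only the
    aggregate numbers are retained."""
    keys = dict(day_keys or {})
    seen: Dict[str, Dict[str, set]] = {}
    for day, mac in probes:
        key = keys.setdefault(day, os.urandom(32))
        bucket = "randomized" if is_locally_administered(mac) else "stable"
        seen.setdefault(day, {"stable": set(), "randomized": set()})[bucket].add(
            pseudonymize(mac, key)
        )
    return {day: {b: len(ids) for b, ids in buckets.items()} for day, buckets in seen.items()}


if __name__ == "__main__":
    mac = "a4:c3:f0:12:34:56"
    print("unkeyed hash recovered:", brute_force_naive_hash(naive_hash(mac), "a4:c3:f0:12"))
    k1, k2 = os.urandom(32), os.urandom(32)
    print("same device on two days linkable:", pseudonymize(mac, k1) == pseudonymize(mac, k2))
    print(daily_unique_visitors(SAMPLE_PROBES))
```

Two caveats belong in the DPIA. First, whoever holds the per-day key can reverse the pseudonyms for that day, so the key must live only in memory for the duration of the count and the raw captures must be deleted; if a master key or the keys are retained, the pseudonyms remain personal data. Second, modern phones randomize the MAC in probe requests, so the "stable" bucket undercounts visitors and the "randomized" bucket overcounts them; the example separates the two so the limitation is visible in the statistics rather than hidden in a single number.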

Security and Data Subject Rights:

The guidance emphasizes the importance of security measures tailored to the level of risk and regular independent audits or reviews. It also highlights the necessity of establishing accessible and straightforward electronic means for individuals to exercise their rights under the GDPR.

By adhering to these guidelines, entities using WiFi tracking can ensure they comply with privacy laws while respecting the rights and freedoms of individuals. The collaborative effort of multiple Spanish data protection authorities in drafting these guidelines underscores the importance of a unified approach to regulating emerging technologies that impact personal privacy.

You can read the press release here and the guidelines here (in Spanish). Grab an automated translation into English here (direct download link).

📝 Oregon Department of Justice Releases FAQs on Consumer Privacy Act

On 8 May 2024 the Oregon Department of Justice published a comprehensive FAQ explaining the Oregon Consumer Privacy Act (OCPA), which takes effect on 1 July 2024. The FAQs are designed to help both businesses and consumers understand their obligations and rights under the new law.

Scope

The OCPA affects businesses operating within Oregon or those serving Oregon residents, specifically targeting entities that either:

  • Control or process the personal data of at least 100,000 consumers; or
  • Control or process the personal data of at least 25,000 consumers and derive 25% or more of their annual gross revenue from selling personal data.

FAQs for Businesses

The FAQs targeted at businesses cover several critical areas:

  • Definition of Controllers and Processors: Clarifying roles, the FAQs define ‘controllers’ as entities making decisions about personal data processing, while ‘processors’ act under the instructions of controllers.
  • Data Handling Requirements: Businesses must limit data collection to necessary amounts, ensure transparency about data use, and provide robust security measures.
  • Compliance Timelines: For-profit entities must comply by 1 July 2024, whereas non-profits have until 1 July 2025.
  • Exclusions: Certain entities like state, local, and tribal governments, financial institutions, and certain insurers are exempt from the OCPA.

FAQs for Consumers

Separate FAQs for consumers detail their rights under the OCPA, including:

  • Rights to Access, Correction, and Deletion: Consumers can request access to, correction of, or deletion of their personal data.
  • Disclosure Requirements: Businesses must inform consumers about third parties receiving their data.
  • Consent for Sensitive Data: Explicit consent is required for processing sensitive data, which includes personal identifiers, financial information, and health data.
  • Consumer Rights Enforcement: Consumers do not have a private right of action; instead, the Oregon Attorney General enforces these rights, with potential civil penalties up to $7,500 per violation.

Read the FAQs here.

Heads up: the Oregon Consumer Privacy Act is only one of the three US state privacy laws that enter into force on 1 July – the other two are Texas and Florida. Montana follows on 1 October, then Iowa, Delaware, Nebraska, New Hampshire and New Jersey in January 2025 (that’s a lot!).

🔐 International Cybersecurity Agencies Release New Guidelines for Secure-by-Design Technologies

On 9 May 2024, the cybersecurity agencies of Australia, the USA, Canada, the UK and New Zealand jointly released the Secure-by-Design publication ‘Choosing Secure and Verifiable Technologies’. The guide is aimed at both manufacturers of digital products and the organizations that procure them, and stresses integrating security throughout the product lifecycle rather than bolting it on afterwards.

Key Recommendations:

  1. For Manufacturers:
    • Secure-by-Design: Encourages the integration of security features from the early stages of product development to proactively address potential vulnerabilities.
    • Transparency and Reporting: Urges manufacturers to be transparent about their security measures and proactive in reporting vulnerabilities.
    • Supporting Resources: Provides tools such as the IoT Secure-by-Design Guidance and Secure-by-Design Foundations to aid manufacturers in adopting these practices.
  2. For Procuring Organizations:
    • External Procurement Considerations (the interaction between purchasing organizations and external suppliers or manufacturers):
      • Pre-purchase: Focuses on evaluating security features and the cybersecurity posture of external manufacturers, along with their commitment to secure production practices and transparency in vulnerability reporting.
      • Post-purchase: Ensures continuous assessment of compliance with security standards and the manufacturers’ ongoing support, including updates and patches.
    • Internal Procurement Considerations (the processes and policies within the purchasing organization itself):
      • Pre-purchase: Involves assessing internal cybersecurity policies and infrastructure to ensure compatibility with new technologies, alongside conducting thorough risk assessments.
      • Post-purchase: Involves regular security reviews of deployed technologies and managing the implementation of necessary updates and patches.

You can find a short version of the guidance here, and the full 40 pages here. Read it together with the IoT Secure-by-Design Guidance for Manufacturers, updated in September 2023 by the Australian Cyber Security Centre (ACSC).

🔄 Turkey's KVKK Drafts New Regulation on International Personal Data Transfer

On 9 May 2024, the Personal Data Protection Authority of Türkiye (KVKK) issued a draft regulation detailing the procedures and principles for transferring personal data abroad, intended to take effect on 1 June 2024. The draft implements the amendments to the Personal Data Protection Law (Law No. 6698) published on 12 March 2024, which overhaul the framework for cross-border data transfers.

Regulatory Background

The regulation implements the revised Article 9 of Law No. 6698, establishing specific provisions for transferring personal data outside of Türkiye. This is part of broader efforts to resolve the inefficiencies in the earlier framework, where data controllers heavily relied on explicit consent due to the lack of determined “safe countries” and ineffective protection commitments between data exporters and importers.

Transfer Conditions

Under the new draft, personal data can be transferred internationally in several situations:

  1. Adequacy Decisions: Transfers are permissible to countries or international organizations that are deemed to have adequate data protection by the KVKK (none so far).
  2. Appropriate Safeguards: In the absence of an adequacy decision, data controllers and processors must ensure that the data is protected through binding corporate rules, standard contractual clauses approved by the KVKK, or similar guarantees.
  3. Exceptional Circumstances: If neither adequacy decisions nor appropriate safeguards are feasible, data transfers might still proceed under exceptional conditions outlined in the regulation. These include situations where the transfer is necessary for important reasons of public interest or for the establishment, exercise, or defense of legal claims.

The regulation mandates stringent technical and administrative safeguards to protect data during its transfer and processing. Data controllers are responsible for ensuring that their processors comply with these safeguards, maintaining the integrity and confidentiality of personal data.

Implementation and Public Consultation

The public consultation for this draft is running until 20 May 2024, and the final version should take effect on 1 June 2024 (quite tight).

Find the press release here and the draft regulation here.

📈 ICO Publishes 2024 Report on Increasing Cybersecurity Breaches

The Information Commissioner’s Office (ICO) released its 2024 report on cybersecurity breaches, which underscores the need for organizations to strengthen their cybersecurity to protect personal data. The finance, retail and education sectors, which reported the most breaches in 2023, are singled out as having the most pressing need for robust security measures.

  • Rising Threats: Over 3,000 cyber breaches were reported in 2023, highlighting the pressing need for improved security protocols.
  • Sector-Specific Breaches: The finance sector experienced 22% of the breaches, retail reported 18%, and education accounted for 11%, signaling specific vulnerabilities within these sectors.
  • Common Vulnerabilities: The report points out ransomware, phishing, brute force attacks, denial of service, poor security configurations and supply chain attacks as major threats, offering advice on how to reduce the risk of each of these occurring (less so for ransomware, given that guidance already exists).
  • For example, where supply chain attacks are concerned, the ICO recommends the following measures:
    • Supply Chain Risk Management, including continuous monitoring, managing, and reviewing of all systems, processes, and access points within the supply chain.
    • Document data flows, i.e. where and how data is processed, and review them regularly.
    • Due Diligence before engaging services.
    • Apply the principles of least privilege and segregation of duties.
    • Test systems developed by third parties to ensure they meet your organization’s security standards before they are integrated into your operations.
    • Secure assurances from all third-party providers regarding their security measures, and document these commitments in service level agreements.

Find the press release here, and full report here.

👇 That’s it for this edition. Thanks for reading, and subscribe to get these nuggets in your inbox! 👇