PPP Management

Thursday Thoughts - 3 February 2022


Thursday Thoughts is back! Did anyone else’s January pass in a blur? Mine has been a combination of rewriting my book and organising an awards event. Just checking through my notes of what has happened in the digital world since Christmas, it seems much has been going on there too.

So prepare for a bumper amount of news delivered in slightly shorter bites to try and cover as much as I can!

We have Data Protection Day and some tips for dealing with a subject access request, the ruling in Austria that the use of Google Analytics is unlawful under GDPR, and the Belgian ruling that the IAB’s consent framework is also unlawful (this could affect 80% of websites, so it is potentially HUGE).

There is also some guidance on keeping safe around your smart TV and the latest news on ICO and UK GDPR.

Blog/Podcast of the Week

Kellie Peters Data protection Challenges for 2022

Debbie Reynolds (The Data Diva) – The legality of the European IAB “Consent & Transparency” Framework.

Data Protection Day – yes it was a real day

Many are unaware that there is a day dedicated to data protection in January each year. Data Protection Day (Privacy Day, as non-Europeans call it) falls on the 28th of January. It came out of Article 8 of the European Convention on Human Rights - the right to private and family life - and “Convention 108” says:

  • Your identity belongs to you

  • Your identity can only be used in a way that doesn't interfere with your human rights

  • Your identity can only be used by those more powerful than you with good reason and (in most cases) with your knowledge.

Very often organisations forget that the data they are referring to as "their data" or data "they need" isn’t in fact theirs at all; it belongs to the individual to whom it relates.

Dealing with a SAR

When someone asks for everything in a SAR they often have something in mind. Therefore more often than not the organisation ends up sending an acknowledgment of receipt of the SAR, setting out what the organisation understands it has been asked for and asking for confirmation of any points. This can save hours of searching for information the subject wasn't aware they had asked for. The clock also stops on the request until the clarification is received.

The ICO revised its guidance on SARs in late 2020, which includes "Stopping the clock for clarification" as well as a clearer discussion of what "a manifestly excessive request" looks like and what can be included when charging a fee for excessive, unfounded or repeat requests.

Google Analytics

The Austrian Supervisory Authority has decreed that the use of Google Analytics is unlawful under GDPR. So organisations in Austria, as well as those who have Austrian customers, should now delete all their GA data because under the rules they cannot process it any more. Some may consider downloading the data from Google and porting it into another analytics solution, but because it was collected unlawfully it fails the lawfulness test, meaning there is no legal basis on which they can process the data. Profiles created about users based on the Google Analytics data should also be deleted. You can’t just leave the data on the Google server, as you no longer have a lawful reason to retain it. Let’s see how long this takes to make its way around other countries!

IAB’s TCF does not comply with GDPR – What this means for online advertising

The debate on cookies and other tracking technologies on websites has been raging for some time. This week the Belgian DPA confirmed that “Legitimate Interest” is NOT a valid legal basis for using these technologies. IAB Europe was fined €250k over its TCF (Transparency and Consent Framework) and given two months to create an action plan to make the framework. What this means is that websites with unnecessary tracking technologies will still need a consent banner; however, there will be no more legitimate interest banners.

How to stop your Smart TV from “harvesting” your data

TVs have now become a two-way mirror which allows us to be monitored by the device showing us content. This leads to our viewing data and habits being shared with manufacturers and sold on to advertisers. Keeping safe is an ongoing battle, but the things to avoid are using the browser on the TV (it has weaker antivirus and security than your PC or smartphone) and permitting the automated content recognition (ACR) to sit in the background checking what you are watching, what is on your camera and what your voice sounds like. To keep yourself safe, disable ACR and personalisation, opt out of all advertising features, and cover or disable cameras and microphones when you are not using them. You can read more in the Guardian article from 29 January 2022.

New ICO Commissioner listening exercise

The UK’s ICO has a new Commissioner, who has announced a major listening exercise to hear directly from businesses about their experiences of working with the ICO. So now is your chance to tell them what you think. Whether it is more tweaks to SARs, clearer (or less ambiguous) advice when you phone with a question, or more draft policies and guidance, you can have your say here:

The NCSC has started a programme for start-ups. They have a new programme looking to tackle malicious advertising and are looking for start-ups to help them develop and adapt solutions. They also have a number of members offering services for start-ups, including a triage system that ranks and assigns vulnerabilities based on your business rules, and are actively looking for start-ups who can defend SMEs from ransomware.

Will UK GDPR be revamped?

There are rumours that the UK GDPR may be revamped so that it is more business-friendly. It will be interesting to see what comes from the ICO “listening exercise”. I think there will be a need to balance UK “flexibility” with what the EU focus is so that there is no reduction in the UK’s adequacy status. After all we do not want “customs” type data protection problems for businesses trading with our European partners.


So far this year there have been 26 fines across Europe for a range of violations including:


The Austrian DPA has fined REWE International AG €8 million for a number of as yet undisclosed violations of GDPR.


The Hellenic DPA has fined Cosmote subsidiary OTE Group €3.2 million for failure to have appropriate security measures in place. This followed a data breach in which a hacker had accessed and leaked customer data including sensitive information such as age, gender and contract information. Nearly 10 million people were affected by the incident.

The Hellenic DPA also fined a company operating a video surveillance system to monitor the payment of tolls €1000 for failure to respond to a subject access request.


The Swedish DPA has fined the Uppsala hospital board €152,000 for sending sensitive personal health data to recipients inside and outside Sweden without using encryption. In addition, the hospital administration stored sensitive personal data in Outlook.


The DPA of Malta has fined C-Planet (IT Solutions) Limited €65,000 for failure to have adequate technical and organizational measures in place to prevent a data breach. The controller also failed to notify the DPA about the data breach within the required deadline and failed to inform the data subjects.


The Spanish DPA made the following fines:

  • GARLEX SOLUTIONS - 15,000 for obtaining a data subject’s data without consent and filling in an electricity supply contract with this personal data.

  • EDUCANDO JUNTOS SL - 9,000 for publishing photos of an employee on some of its channels on social networks and its website without the consent of the data subject. The company also failed to remove the photos when asked to do so by the data subject.

  • Cyrana España General S.L. - 5,000 for sending an invoice to a data subject although no contractual relationship existed.

  • INCOPROSOL, S.L. - ,000 for recording a telephone conversation with a customer without obtaining the customer's consent.

Blog of the Week

Kellie Peters Data protection Challenges for 2022

The webinar focusses on what Kellie and her team think the data protection challenges will be for the year ahead. There are some very interesting issues discussed, including moving data into the cloud, retention schemes, hybrid working and why we should all plan for “when” a data breach will occur, not “if” it will occur. With the UK's new Information Commissioner, John Edwards, looking to hear what businesses have to say, there are potential changes to UK data protection which may result in divergence from the EU.

Debbie Reynolds (The Data Diva) - Discusses the legality of the European International Advertising Bureau “Consent & Transparency” Framework

As this has the potential to impact over 80% of websites that use the IAB Europe “Consent & Transparency” Framework (TCF), I found Debbie’s explanation of the issues that marketers and betting organisations are going to face very interesting. You can listen to the podcast here.
