What’s Happening in the World?

While the field of Data Protection is developing at an accelerating pace in our country, worldwide innovations continue to remain on the radar of the Personal Data Protection Authority (“Authority”).

From the examples we have repeatedly encountered before, we witness that the Authority keeps up with the world agenda, especially the European General Data Protection Regulation (“GDPR”) regulations, and tries to catch up with the requirements of the fast-moving data privacy world.

As GRC Legal Law Firm, we closely follow the world agenda and present a selection of the current developments for your information with this content.

TikTok x Italy

TikTok’s attempt to change the legal basis for advertising targeting users in Europe was jeopardised when the Italian data protection authority stepped in and issued a legal insufficiency warning just days before the planned privacy policy change.

Last month, TikTok came under the radar of privacy experts when it announced that it would update its terms of use to apply to users in the European Economic Area, the United Kingdom and Switzerland, effective 13 July. It was stated that the application, which relies on consent to deliver personalised advertising using user data, would subsequently be based on legitimate interest and would no longer ask users for consent.

In a press release announcing its “official warning” to TikTok, the Italian authority concluded that the planned change of legal basis was incompatible. In addition to issuing an official warning to TikTok, Italy said it reserved the right to take additional measures, including an urgency procedure, if the platform “does not back down”.

Italy’s data watchdog said it also has a particular concern that TikTok has moved to an insufficient legal basis, also with regard to the protection of child users registered on the platform. The step was also taken to issue a formal warning to TikTok that processing user data on the basis of ‘legitimate interest’ would be in contradiction with the existing regulatory framework, at least in relation to information stored on users’ devices.

TikTok announced that the evaluation of the Italian Data Protection Authority’s latest notification is ongoing and that it cannot comment further. The Italian Data Protection Authority said that its two open investigations into TikTok were “highly advanced”. It also suggested that the investigation into the processing of children’s data will reach the draft decision stage and will be sent to the other European Union Data Protection Agencies for review next month.

European Commission x US

The European Commission faced a lawsuit over allegations that it breached its own data protection rules when transferring citizens’ personal data from one of the Commission’s websites to the United States (“US”). The American jurisdiction was found to have inadequate data protection, as US intelligence services had access to the personal data of European Union (“EU”) residents disproportionately and without any judicial remedy.

The case was initiated by a German citizen who alleged not only that the EU was illegally transferring data, but also that it failed to disclose sufficient information about its data processing practices. The case concerns the website of the Conference on the Future of Europe, a conference aimed at involving EU citizens in deciding the future of the bloc and its member states. Since the website is hosted by Amazon Web Services, personal data such as IP addresses are transferred to the United States when registering for the event.

As the website also allows users to log in through their Facebook account, a US-based social network has also been accused of illegally transferring personal data to the US and is currently being investigated by the Irish Data Protection Authority.

In parallel with the filing of a complaint with the European Data Protection Supervisor (“EDPS”), proceedings have been initiated. However, the EDPS suspended the investigations on the grounds that a case was already pending. The EDPS and the European Commission did not immediately respond to a request for comment. The EU Court is expected to deliver its judgement within 12 to 18 months.

Neopets x Hacker

Some time ago, it was reported by the virtual pet site Neopets that the data of its users was stolen and an investigation was launched into the stolen data, but the scale of the alleged breach could not be confirmed in reports that the hacker had databased user details. The site said it has launched an investigation supported by a leading forensic investigation firm, contacted law enforcement and increased its security.

Technology news site Bleeping Computer claimed that around 69 million users were affected and reported that the hacker provided a screenshot showing the stolen data, including names, dates of birth, email addresses, postal codes, gender, countries and other game-related information. The hacker announced that he was offering the stolen data for sale for $90,000 in bitcoin.

The hacker reportedly told the press that he did not ransom the data to Jumpstart, the owners of Neopets, but that he had received interest from potential buyers. Neopets has since urged users to change their passwords and promised to provide updates as the investigation continues.

Google Chrome x Netherlands

The Netherlands is taking additional steps to protect students across the country by adding new restrictions on the use of Chrome OS and the Chrome web browser in schools. Students and school staff are being suspended from using Google Search and directed to the alternative, DuckDuckGo. Initial reports indicated that the Dutch education ministry had banned two Google products. However, a Google Netherlands spokesperson told BleepingComputer that ChromeOS and the Chrome browser have not been completely banned and that schools can continue to use the products as long as they take additional steps to protect students’ data.

In a joint letter to the country’s parliament last year, the Dutch Minister of Education, Culture and Science, together with the Minister of Primary and Secondary Education, raised concerns about Google’s processing of metadata, including search histories and duration of user activity through Workspace for Education.

Google will have until at least August 2023 to adopt updated versions of the two services, which are expected to be more compliant with the European General Data Protection Regulation (GDPR). Dutch schools wishing to continue using Google services can refer to the technical guidance in Google Workspace for Education published through SURF.

Ireland x Commission

Ireland’s Data Protection Commission is expanding with two extra commissioners. The Irish Government will appoint two additional commissioners to support the needs of the Data Protection Commission. The appointment process is expected to take six months. The Minister for Justice said the decision “sends a strong message” of the Government’s intention to continue to build the capacity of its national authority.

In addition to being the national data watchdog, the Irish Data Protection Commission also acts as the European Union’s lead data controller under the GDPR, with the influence of several major technology companies headquartered in Ireland. These companies are Apple, Facebook, Google, LinkedIn, TikTok and Twitter, increasing Ireland’s position.

He also recognised that “higher standards of responsiveness” are still needed in many sectors and added: “The Irish Data Protection Commission will continue to target enforcement actions aimed at achieving the necessary improvements.”

Ring Doorbell x Neighbours

Ring Doorbell is the most popular video home monitoring device in the United States, capturing approximately 40% of the video doorbell market. It is sometimes described by privacy advocates as “the largest corporate-owned surveillance network in the United States” due to its increasing prevalence in neighbourhoods. Amazon acquired the company for $1 billion in 2018, during which time it has already sparked controversy for various aspects of its operation, from the “Neighbours” app it uses to share surveillance footage to incidents of camera hacking.

Ring boasts of its partnerships with many law enforcement agencies across the country, but the access to users’ surveillance footage by these agencies has raised concerns. Law enforcement agencies can circumvent this restriction by submitting emergency requests involving “imminent danger,” and Amazon says it has fulfilled 11 of them so far this year.

Amazon was forced to disclose this information in late 2019 as part of an investigation into Ring privacy issues and concerns about law enforcement access. In its response, Amazon said it does not regularly share surveillance footage with law enforcement, but that it may do so in an “urgent or very urgent situation” where a request is made based on a belief that “there is imminent danger”. The number of law enforcement agencies partnering with Ring nationwide has grown from just 400 in 2019 to 2,161 now.

Ring also declined to commit to end-to-end encryption of stored images and to disable default audio. At the same time, Ring gave its users enhanced privacy settings, which greatly increased law enforcement’s overall access to these surveillance recording systems.

Despite the apparent attention to user privacy, Ring continues to aggressively forge new relationships with law enforcement agencies; a 2021 report revealed that Ring provided free and discounted products to Los Angeles police officers in exchange for offering its services to their colleagues, and since 2019, it has been known to approach police departments in areas with increased crime with free samples and targeted sales campaigns.

Didi x China

China’s ride-hailing giant Didi was fined $ 1.2 billion. China’s ride-hailing giant Didi has been fined more than 8 billion Yuan ($1.2M) and ended a year-long investigation into alleged data security breaches, it announced in a statement. The Cyberspace Administration of China (CAC) said in a statement that the investigation found “conclusive evidence” that Didi had committed violations of an “egregious nature”.

Didi was accused of illegally storing the credentials of more than 57 million drivers in plain text rather than in a more secure format. It was also said to have analysed passenger details without their knowledge, including photos and facial recognition data on mobile phones. Didi’s violations took place over seven years from June 2015.

“We will take this as a warning and further strengthen the network security and data security structure,” the company said on social media. It was the largest fine imposed by the Chinese authorities since the e-commerce giant Alibaba was ordered to pay about $ 2.75 billion for anti-competitive practices in April 2021. China now requires internet companies with more than one million users to undergo a data security review before being listed overseas.

Metaverse x Data Privacy

The wealth of information provided through augmented reality (AR) and virtual reality (VR) has been known for years. (VR uses headsets and smart glasses to create a virtual environment that stimulates the senses and creates a sense of reality through three-dimensional modelling. Experts, however, argue that the issue of data privacy in the promised Metaverse of these virtual reality worlds requires further consideration.

In an article titled “Exploring the Metaverse’s Unique Privacy Risks”, researchers tested an “escape room” virtual reality (VR) game to understand how much data a potential attacker could access from a person’s movements and sensory organs.

The researchers created a framework for assessing and analysing potential privacy threats through a 30-person virtual reality use study and identified more than 25 specific data attributes that attackers could use, including participants’ gender, wealth, ethnicity, age and disabilities, some of which are very difficult or impossible to obtain from traditional mobile or web applications. This research has once again raised the problem of ensuring data privacy in the Metaverse.

Developers say that some plugins are being developed for anonymity and that they will be like ‘Incognito mode for virtual reality’. This privacy setting will work like incognito mode in browsers, adding noise in a way that does not significantly affect the user experience, and users will be able to switch the mode on and off and edit settings as they wish, depending on the environment and their level of trust.

GDPR & DeFine

On 12 May, the European Data Protection Board published guidelines containing a methodology for calculating fines for GDPR violations. As these guidelines are likely to have an impact on the future decisions of data protection authorities in the European Union, DeFine, a GDPR sensitive calculator tool based on this methodology, was developed.

While we hope that companies will never need it, it is a positive development in terms of ensuring uniformity and transparency in violation sanctions.

Twitter x Bug

Last month, Twitter’s security breach involving the sale of a database compiled from 5.4 million accounts was raised in a cybercrime forum, and today Twitter has officially acknowledged the security flaw that caused the data breach, but the number of people affected by the data breach has still not been identified or is not capable of being identified.

According to Twitter’s statements, if an e-mail address or phone number is sent to their system as a result of the vulnerability, their system tells the person which Twitter account the e-mail address or phone number, if any, is associated with. This vulnerability allowed a hacker to compile a database of Twitter account data from more than 5.4 million Twitter users, which includes the Twitter user’s account identifier, phone and/or email.

To mitigate the risks, Twitter recommends that users enable two-factor authentication. Unfortunately, Twitter also advises people not to use a publicly known email address or phone number on their Twitter accounts, which would be a reasonable action if it were limited to this recommendation, opening new horizons for all stakeholders in the data protection world.

Refugees x Biometric Data

The British government has awarded Buddi Limited a contract to prepare “un-worn devices” to monitor “specific groups” as part of the Home Office Satellite Monitoring Service. It says the scheme, which will be introduced across the UK at an initial cost of £6 million, will involve “daily monitoring of people subject to immigration control”, with the requirement to wear an ankle tag or a smartwatch attached to them at all times. Those who have to wear the devices will have to complete periodic monitoring checks throughout the day by taking a photograph of themselves on a smartwatch with their name, date of birth, nationality and photograph stored for up to six years.

The data will be shared with the Home Office, Ministry of Justice and police, with Home Office officials adding: “Sharing this data with police colleagues is not new.”

The Home Office said the smartwatch scheme would be for foreign national offenders convicted of an offence. The government said it “sees electronic monitoring as a low-cost alternative to surveillance that contributes to the objectives of protecting the public and reducing reoffending”. Opponents say 24-hour surveillance of asylum seekers violates human rights and could have a detrimental impact on the health and well-being of migrants.