What’s Happening in the World?
While the field of Data Protection is developing at an accelerating pace in our country, worldwide innovations continue to remain on the radar of the Personal Data Protection Authority (“Authority”).
As previous examples have repeatedly shown, the Authority keeps up with the world agenda, especially the European General Data Protection Regulation (“GDPR”), and tries to keep pace with the requirements of the fast-moving data privacy world.
As GRC Legal Law Firm, we closely follow the world agenda and present a selection of the current developments for your information with this content.
The news below belongs to the month of March 2023.
Online Tracking x Opt-Out
Websites often offer their visitors the opportunity to opt-out of data collection. This is not out of any great concern for your privacy, but because they are required to do so by law. According to privacy researchers, this method of opting out of data collection does not always work and visitor data is still collected despite opting out.
Legal texts such as the GDPR and the ePrivacy Directive require websites and related third parties to obtain consent before collecting and processing personal data. To help website operators comply with this requirement, companies such as Didomi, Quantcast, OneTrust and Usercentrics offer a solution known as the Consent Management Platform (“CMP”).
CMP: A technology that websites use to obtain users’ legal consent to process their personal data, usually through cookies and trackers running on the domain.
These firms provide software that websites use to ask visitors to accept or reject cookies in order to control how personal information is processed. They also claim to enable companies to comply with privacy laws in the US, EU, UK, Brazil, South Africa, Singapore and elsewhere.
However, computer scientists designed an audit mechanism to test the effectiveness of CMP-based opt-out controls and found that these platforms do not comply with GDPR and California Consumer Privacy Act (CCPA) requirements.
“Our results show that, unfortunately, users’ personal data continues to be collected, processed, and shared in many cases, even when users opt out,” the researchers said in their paper. “Our findings suggest that some leading advertisers could potentially be in violation of the GDPR and CCPA.”
In the Summary of the Decision of the Personal Data Protection Board dated 27/02/2020 and numbered 2020/173, it is stated that “in the explicit consent statements to be obtained from the data subjects by the data controllers, it is necessary to use an opt-in system, i.e. a system in which the individual consents to the processing of personal data with the conscious action of the individual, rather than an opt-out system, i.e. a system in which it is accepted that the individual automatically consents to the processing of personal data without prior consent and allows individuals to remove this consent.”
The opt-out under the law is not very different from the “Do Not Track” option, a web specification that allows browser users to declare their desire not to be tracked, with no consequences for ignoring this preference.
Do Not Track (“DNT”) is a formal HTTP header field designed to allow users to opt out of tracking by websites, where tracking means the collection of data on a user’s activity across multiple different contexts and the retention, use or sharing of data derived from that activity outside the context in which it occurred.
To check for opt-out compliance, the researchers set up a process that involved visiting the top 50 websites in 16 different interest categories to simulate user personas categorised according to their interests. They focused on the top websites that support both header bidding and opt-out using CMPs tuned for GDPR and CCPA compliance.
To check whether opt-out choices were respected, the researchers visited websites both with an interest-based persona and with a blank control browser profile. They collected ad bids and network requests from advertisers for both opt-in and opt-out settings and then analysed the results.
In theory, the opt-out option should have reduced ad bids to a level comparable to the blank control persona in terms of data usage, client-side data sharing and server-side data sharing, but this was not the case.
Leaked user interests were still used for targeted advertising even though the users had opted out.
The researchers also observe that opt-out results are not statistically different from opt-in, which they interpret as user consent not having a major impact on the processing and selling of data. Even after users opt out of tracking through CMPs, their data may continue to be used and shared for advertising purposes.
Unfortunately, until privacy authorities step up enforcement and do more to detect violations of the law at scale, users must continue to rely on privacy-enhancing tools such as ad/tracker blocking browser extensions and privacy-focused browsers to fully protect privacy.
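As an added illustration (not the researchers’ own tooling, and written here for this bulletin), the comparison described above can be reduced to a small audit: a constructed request log for an opt-in persona, an opt-out persona and a blank control profile is scored on which third-party hosts each persona contacted and which interest labels leaked in query strings. The publisher domain, CMP host and interest labels are all constructed.

```python
from urllib.parse import urlparse, parse_qs

FIRST_PARTY = "news.example"      # constructed publisher domain being audited
CMP_HOSTS = {"cmp.example"}       # constructed consent-platform host; its calls are expected
INTERESTS = {"travel", "cars"}    # interest categories the test persona was primed with

# Constructed request log as (persona, requested URL). "control" is the blank
# profile; "opt_in" and "opt_out" share the same interest persona and differ only
# in the choice made in the CMP banner.
REQUEST_LOG = [
    ("control", "https://news.example/index.html"),
    ("control", "https://cdn.news.example/app.js"),
    ("control", "https://bidder.example/bid?site=news"),
    ("opt_in", "https://news.example/index.html"),
    ("opt_in", "https://bidder.example/bid?site=news&seg=travel,cars"),
    ("opt_in", "https://sync.tracker.example/pixel?uid=abc123&cat=travel"),
    ("opt_out", "https://news.example/index.html"),
    ("opt_out", "https://cmp.example/consent?status=rejected"),
    ("opt_out", "https://bidder.example/bid?site=news&seg=travel"),
    ("opt_out", "https://sync.tracker.example/pixel?uid=abc123"),
]


def is_third_party(url, first_party=FIRST_PARTY):
    """True when the request leaves the publisher's own domain (subdomains included)."""
    host = urlparse(url).hostname or ""
    return not (host == first_party or host.endswith("." + first_party))


def leaked_interests(url, interests=INTERESTS):
    """Interest labels carried in query-string values, e.g. seg=travel,cars."""
    found = set()
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            found.update(part.strip().lower() for part in value.split(","))
    return found & interests


def audit(log=REQUEST_LOG, first_party=FIRST_PARTY, interests=INTERESTS, cmp_hosts=CMP_HOSTS):
    """Per persona: third-party hosts contacted (CMP calls excluded) and interests leaked."""
    summary = {}
    for persona, url in log:
        entry = summary.setdefault(persona, {"hosts": set(), "leaked": set()})
        host = urlparse(url).hostname or ""
        if host in cmp_hosts or not is_third_party(url, first_party):
            continue
        entry["hosts"].add(host)
        entry["leaked"] |= leaked_interests(url, interests)
    return summary


def opt_out_honored(summary):
    """Opt-out passes only if it looks like the blank control: no extra third-party
    hosts contacted and no interest labels shared client-side."""
    control, opt_out = summary["control"], summary["opt_out"]
    return not opt_out["leaked"] and opt_out["hosts"] <= control["hosts"]


def findings(summary):
    """Human-readable reasons the opt-out persona failed the comparison."""
    control, opt_out = summary["control"], summary["opt_out"]
    notes = []
    for host in sorted(opt_out["hosts"] - control["hosts"]):
        notes.append(f"opt-out contacted {host}, which the blank control never did")
    for label in sorted(opt_out["leaked"]):
        notes.append(f"opt-out still shared interest '{label}' with a third party")
    return notes


if __name__ == "__main__":
    result = audit()
    print("opt-out honored:", opt_out_honored(result))
    for note in findings(result):
        print(" -", note)
```

A real run would replace the constructed log with requests captured from a browser session (for example a HAR export) per persona, and would add server-side checks such as comparing bid values, which this client-side view cannot see.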
DATA PROTECTION AND DIGITAL INFORMATION BILL
The “Data Protection and Digital Information Bill” (DPDIB) submitted to Parliament by the UK Government was presented to the House of Commons on 8 March 2023 and had its first reading. The DPDIB, whose second reading date has not yet been announced, envisages the following:
To introduce provisions on the regulation of all kinds of information relating to an identified or identifiable natural person,
To make provisions on services consisting of the use of information to establish and verify facts about individuals,
To make provisions on access to customer data and commercial data,
To introduce provisions on confidentiality and electronic communication,
To introduce provisions on services for the provision of electronic signatures, electronic seals and other trust services,
To make provisions for the disclosure of information to improve the delivery of public services,
To introduce provisions for the implementation of agreements on information sharing concluded for the purpose of enforcing the law,
To make provisions for the keeping and preservation of birth and death records,
To make provisions on information standards for health and social care,
To establish the Information Commission,
To introduce provisions on the oversight of biometric data,
and to make provisions for purposes connected with these matters.
Information Corner
Within the scope of the legislative activities of the UK House of Commons, public bills are divided into two categories: Private Members’ Bills, proposed by individual MPs, and Government Bills, proposed by the government. The legislative process consists of five stages: first reading, second reading, committee stage, report stage and third reading.
While the DPDIB could give businesses more leeway in how they use personal data, privacy experts are concerned that the bill means personal data could fall into the wrong hands.
With data-driven trade accounting for 85% of the UK’s total services exports in 2021, Technology Minister Michelle Donelan said: “Better data access and use is at the heart of our mission to grow the economy and improve the lives of everyone in the UK. Data is fundamental to economic growth, scientific research, innovation and productivity.”
Abigail Burke, policy manager at the Open Rights Group, was quick to point out that DPDIB would pose a major threat to our privacy rights and is intended to weaken the government’s ability to exert control over our data and greatly increase the power of businesses and government departments to collect, process and re-use our data in new ways.
UK X WhatsApp
According to statistics, WhatsApp is the most popular messaging platform in the UK. Despite this, the company’s head, Will Cathcart, said that if WhatsApp is asked to weaken the privacy of end-to-end encrypted messages, it will refuse to comply. WhatsApp stated that it would rather be blocked in the UK than weaken its end-to-end encrypted messaging system under the Online Safety Bill (“OSB”).
What happened?
The European Union (“EU”) had introduced a new regulation aimed at combating the sexual abuse of children, which would enable a process called “client-side scanning” to be carried out in order to “detect, report and remove” images of child sexual abuse. However, this process was criticised for weakening encryption and making the internet less secure.
Although the government believes that both privacy and child safety are possible, Signal, another messaging application that uses end-to-end encryption like WhatsApp, has said that it may stop providing services in the UK if the OSB requires it to scan messages. (You can find the details of the news in the 7th issue of the What’s Happening in the World Bulletin, which you can access on our page.)
With grooming* and child abuse offences in the UK on the rise, according to research by the National Society for the Prevention of Cruelty to Children (NSPCC), leading child protection charities and the government are now arguing that encryption is hampering efforts to tackle the growing problem of online child abuse.
*Grooming: Attempting to gain the trust of a minor for the purpose of engaging in sexual intercourse.
“Tech companies must make every effort to ensure that their platforms do not become a ‘breeding ground’ for paedophiles,” the Home Office said.
The charity said that the OSB will make it a legal requirement for tech companies to detect and prevent child abuse taking place on their platforms, so that companies can begin preparations to develop technological solutions that protect the safety and privacy of all users, especially victims of child abuse, and underlined that it is possible to combat child abuse and grooming in end-to-end encrypted environments.
Although the government has stated that the OSB does not mean a ban on end-to-end encryption, critics have argued that the only way to check the content of encrypted messages for the presence of child sexual exploitation material is “client-side scanning”, which undermines the privacy provided by encryption.
Will Cathcart said that if scanning users’ private communications for ‘illegal content’ is legitimised and companies install software on users’ phones and computers to scan the content of their communications against this list of ‘illegal content’, there are questions about what the outcome will be for users in countries with different definitions of ‘illegal content’.
Dr Monica Horten of the Open Rights Group stated that end-to-end encrypted communications services in the UK are becoming a mass surveillance tool that could have damaging consequences for the privacy and freedom of expression of many users, while the Information Commissioner’s Office stated that any interference that could weaken encryption should be “necessary and proportionate” and that technological solutions that facilitate the detection of illegal content without weakening privacy protections should be encouraged.
Biden x Cloud Providers
The Biden administration is launching the country’s first comprehensive plan to regulate the security practices of cloud providers. The White House is concerned that cloud providers have become a major security vulnerability.
For two decades, governments and businesses have entrusted some of their most sensitive data to tech giants that promise virtually unlimited storage, powerful software and the know-how to keep it safe.
The country’s first comprehensive plan has been launched to regulate the security practices of cloud providers such as Amazon, Microsoft, Google and Oracle, whose servers provide data storage and computing power to customers ranging from small businesses to the Pentagon and the CIA.
Officials argue that the cloud has become too big to fail, stating that it has “become indispensable to our daily lives” and that “if disrupted, it could lead to huge potential disasters for the economy and government”.
“The collapse of a single cloud provider could bring down the internet like dominoes”
For all their security expertise, cloud giants are a cause for great fear because of the potential for hackers to victimise a large number of targets at once. The crash of a major cloud provider could cut off hospitals’ access to medical records, paralyse ports and railways, corrupt software that helps keep financial markets moving, and destroy databases across a wide range of domains, from small businesses to government agencies.
Cloud servers have not proven to be as secure as government officials had hoped. Hackers from different countries have used cloud servers from companies such as Amazon and Microsoft as a springboard to launch attacks on other targets. Cybercrime groups also regularly rent infrastructure from US cloud providers to steal data or extort money from companies.
Among other steps, the Biden administration recently said it would require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on United States (“US”) cloud servers. The administration warned of more cloud regulation to come in its national cybersecurity strategy, saying it plans to identify and close legal loopholes in the sector.
In interviews about this new, tougher approach, administration officials emphasised that they were not abandoning the cloud. Instead, they are trying to ensure that rapid growth does not lead to new security risks.
Pointing specifically to the 2020 SolarWinds espionage campaign, in which Russian spies partially evaded detection by renting servers from Amazon and GoDaddy, officials argued that cloud providers have so far done little to prevent criminals and nation-state hackers from misusing their services to launch attacks inside the United States. For months, the attackers used these servers to infiltrate at least nine federal agencies and 100 companies undetected.
Government cybersecurity officials said the risk is growing, with foreign hackers becoming more adept at “spinning up and quickly shutting down” new servers – in other words, moving quickly from one rented service to another – and clues for US law enforcement disappearing much faster than they can trace them.
US officials have expressed frustration that cloud providers often charge customers more to add security protections. They both capitalise on the need for such measures and leave a vulnerability when companies decide not to spend the extra money.
Federal investigations into the SolarWinds attack revealed that the organisations that were victims of the Russian hacking campaign did not pay extra for Microsoft’s advanced data logging features.
Neither the government nor the companies using cloud providers know exactly what security protections their cloud providers have in place. In a study of the US financial sector’s use of cloud services, the Treasury Department found that cloud companies provide “insufficient transparency to support due diligence and monitoring” and that US banks “do not fully understand the risks associated with cloud services”.
But government officials said they see signs that the attitude of cloud providers is changing, especially as companies increasingly see the public sector as a source of new revenue.
Large cloud providers now realise that if they want to achieve the growth they seek and participate in critical sectors, they must provide tools and mechanisms that make it easier to prove compliance, rather than merely staying out of the way.
The White House outlined a more aggressive regulatory regime in its new cyber strategy. It proposed holding software makers accountable for insecure code and imposing stronger security obligations on critical infrastructure companies such as cloud providers.
Ross Nodurft, executive director of the Alliance for Digital Innovation, a technology trade group whose members include Palo Alto Networks, VMware, Google Cloud and Amazon’s cloud computing arm AWS, said cloud computing companies are “eager” to work with the White House on a “harmonised approach to security requirements across industries”. He also said that companies already comply with “comprehensive security requirements” for certain sectors.
If the government cannot find a way to ensure the resilience of the cloud, he fears the consequences could be devastating.
According to a 2017 study by insurance giant Lloyd’s, an outage lasting between three and six days at one of the three largest cloud providers could lead to losses of $15 billion.
Such a collapse could be triggered by a cyberattack on a major cloud provider, a natural or man-made disaster that cuts or interrupts power to a major data centre, or simply a failure in the design and maintenance of a basic cloud service.
If the White House cannot achieve the desired results using existing regulations and persuading companies to voluntarily improve practices, it will have to turn to Congress.
AT&T x Personal Data Breach
Telecoms giant AT&T has exposed 9 million customer records in a third-party data breach. AT&T said the breach exposed Customer Proprietary Network Information (CPNI), such as the number of lines or subscribed wireless plans. This information is highly regulated by US federal law.
The telecommunications company notified federal law enforcement about the unauthorised access to comply with the Federal Communications Commission’s regulations. “The report we sent to law enforcement does not contain specific information about your account, it simply indicates that unauthorised access occurred,” AT&T said in a community forum.
AT&T said the third-party data breach exposed customers’ first names, wireless account numbers, wireless phone numbers and email addresses. Some wireless accounts also leaked the rate plan name, past due amount, monthly payment amount, monthly charges or minutes used. The data breach did not expose credit card information, social security numbers, account passwords or other sensitive personal information.
Describing the incident as a supply chain attack, AT&T said most of the leaked customer data related to device upgrade eligibility and was several years old. Although it withheld the identity of the compromised third-party supplier, AT&T said the incident occurred in January.
The operator also said its systems were not compromised during the incident and that the breached marketing vendor fixed the vulnerability to prevent further exploits. AT&T advised its subscribers to take extra password security measures to protect their accounts.
While the data breach did not leak credit cards or social security numbers, victims are still at risk of targeted phishing attacks that could expose sensitive personal and financial information. Telecommunications companies are always a lucrative target for financially motivated hackers and state-sponsored threat actors.
In June 2022, the Cybersecurity and Infrastructure Security Agency (CISA) warned that Chinese state-sponsored hackers were targeting telecommunications companies through widely known, publicly disclosed vulnerabilities.
The US government views telecommunications companies as important elements of the nation’s critical infrastructure, the disruption of which would severely impact the economy and national security.
Industry Sector x Big Data
The Data Act (“DA”), adopted by the European Commission on 14 March, will contribute to the development of new services, especially in the field of artificial intelligence, where large amounts of data are needed for algorithm training. It will also lead to better prices for after-sales services and repairs of connected devices.
The volume of data generated by humans and machines is growing exponentially, becoming a key driver for innovation within businesses and public organisations (e.g. shaping smart cities). Such data has been called the “new oil”.
To ensure fairness in data sharing agreements, the DA sets common rules governing the sharing of data generated by the use of connected products or related services (e.g. Internet of Things, industrial machines, etc.).
Since, according to the EC, 80% of industrial data collected is never used, members of the European Parliament (“EP”) have adopted measures to ensure that users have access to the data they generate. In addition, they want to ensure that contractual agreements are at the centre of business-to-business relationships.
Companies will be able to decide which data can be shared and the producer can choose not to make certain data available “by design”. When companies are drafting data sharing agreements, the DA will rebalance bargaining power in favour of Small and Medium-sized Enterprises (SMEs), protecting them from unfair contract terms imposed by companies with much stronger bargaining power.
The DA also defines how public authorities can access and use data held by the private sector that is necessary in exceptional or emergency situations, such as floods and forest fires.
EP members have toughened the provisions to protect trade secrets and prevent competitors from redesigning and reusing services or devices with increased access to data. In addition, they set stricter conditions on data requests from businesses to the government.
Finally, the DA will facilitate migration between cloud service providers and other providers of data processing services and introduce safeguards against illegal international data transfer by cloud service providers.
MEP Pilar del Castillo Vera expressed her views on the DA in the following words: “The Data Act will be an absolute game-changer, providing access to an almost infinite amount of high-quality industrial data. Competitiveness and innovation are part of the DNA of this law.”
The principle of data minimisation adopted under Article 5(1)(c) of the GDPR establishes that personal data may be processed only in a manner limited to what is adequate, appropriate and necessary in relation to the purpose for which they are processed.
Instead of reducing industrial data, 80% of which is never used, in line with the data minimisation principle, the DA changes the regime in order to “transform idle, unprocessable and unshareable data into economic value”. EP members are ready to start negotiations with the Council on the finalisation of the law.