News Data Protection: An overview of the General Data Protection Regulation occurrences during the month of April
In April, European bodies took significant steps in the fight to contain the spread of COVID-19 by releasing guidance documents that aim to ensure the safe and effective development of apps for curbing the spread of the virus. Meanwhile, hackers have taken advantage of the boom in social distancing activities by compromising the credentials of video call app users.
European Commission releases recommendation on a Common Union Toolbox for the use of technology and data to combat and exit from the COVID-19 crisis
A number of countries worldwide, including European states, national authorities and software developers, have announced that they will introduce software apps providing various functions in an effort to curb the outbreak. The reason for such a move is the hope that software supporting contact tracing in particular may become the most promising tool from a public health perspective. Such apps are important not only during the active outbreak but also, and in particular, when social distancing and other measures are lifted and the risk of further spread increases as people re-engage in social life.
For this reason the European Commission has taken steps to develop a strategy for containing the spread of COVID-19. One of these steps, taken in April, was the issue of the Recommendation on a Common Union Toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.
The recommendation is a response to the urgent need for Europe-wide action to battle the spread of COVID-19 and serves as a guiding framework for the development of mobile software applications and the use of anonymised data. Its purpose is to ensure a coordinated approach to the use of contact tracing and other relevant apps, one that does not undermine the privacy and data protection of the persons using these apps through the use of their data for surveillance, law enforcement or commercial purposes.
The recommendation sets forth the idea of a Toolbox: a set of technological and data-related strategies to be developed by the Commission jointly with the member states.
The recommendation urges that the use of personal data collected by software tools be strictly limited to what is required to fight the outbreak and be terminated (with the data deleted) once the outbreak is contained and the personal data are no longer necessary. It is envisaged that the collected data may be further used in anonymised form if further research on the data, to ensure preparedness during times when the safety measures are lifted, is concluded to be necessary.
Starting this month, the Commission will assess the reports submitted by member states and the progress made in relation to the effect of this recommendation.
eHealth Network publishes the Common EU Toolbox for member states
Following the publication of the European Commission’s Recommendation on 8 April, the eHealth Network published the Common EU Toolbox that was envisaged in the recommendation. This Toolbox has been developed in collaboration between the eHealth Network and the European Commission as a practical guide for member states in the development and use of software solutions that would allow individuals at risk to be contacted. The Toolbox proposes a set of measures and safeguards that should be applied in the process of developing the much-needed software.
The main points included in this Toolbox that member states should comply with are the voluntary nature of these apps, approval by the national health authorities, a privacy-preserving design (with a focus on encryption), and data minimisation.
The Toolbox stresses the importance of a common approach, which requires a cross-border interoperability mechanism complementing current solutions such as the Early Warning and Response System. The common approach envisaged in the Toolbox is grounded in the information and best practice collected and shared by the member states in the eHealth Network.
It is stated that such apps must be fit for purpose, compliant with the law and fully respectful of EU values and fundamental rights and freedoms. Furthermore, the apps need to be approved as fit by the national public health authorities, taking into account the specific scenarios of the spread of the disease, so that best practices and public health guidance are applied through these apps. Apps that are not in line with these principles may be detrimental to the cause and, therefore, should not be used.
European Commission releases Guidance on Apps supporting the fight against COVID-19 pandemic in relation to data protection
This Guidance, which followed, complements the Toolbox and the two should be read together. Whereas the Toolbox names the measures and safeguards to be implemented, the Guidance lays down the principles and standards, as well as the features and requirements, that should be implemented in the apps in order to comply with the ePrivacy Directive and the GDPR. The Guidance is not legally binding and does not address any further conditions, such as limitations that member states have implemented in national laws on the processing of health data.
The Guidance addresses only voluntary apps used in the fight against the pandemic that provide accurate information about the pandemic, questionnaires for self-assessment and guidance (symptom checker), alerts to persons who have been in proximity to an infected person, and a communication channel between patients and doctors (increased use of telemedicine).
More than 500K Zoom users’ data stolen and sold on the dark web
During COVID-19, video calls have become one of people’s pastimes, as well as a means of conducting business and other activities. However, the online environment, like public spaces, is not an entirely safe place to spend time with others. Zoom, as one of the most widely used video call platforms and one that experienced a surge in users (from 10 million users in December to more than 300 million in April), saw a significant setback when individuals and businesses using Zoom’s video call software were compromised. Namely, their passwords and emails were stolen through the software and sold for less than a penny on hacker forums on the dark web. It is estimated that around 530,000 stolen credentials of Zoom users were subject to this attack.
After the news about the flawed security measures spread, Zoom’s reputation suffered. However, it was speculated that the credentials were stolen as a result of third-party data breaches rather than a hack of the Zoom platform, and that a credential stuffing technique, which involves entering previously stolen credentials into the login pages of other platforms, was used. This incident might serve as a lesson to those who neglect their cybersecurity by reusing the same password across multiple internet services.
Notwithstanding this, later in April Zoom announced that it had taken steps to increase its security measures by implementing data centre routing capabilities for account administrators, which allow administrators to decide which data centre region their account’s hosted meetings and webinars use for real-time traffic at the account, group or user level. This was a response to poor feedback from cybersecurity experts regarding the platform’s privacy and security problems and to fears that data transferred to Chinese servers could be accessed by the Chinese intelligence services.
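As an added illustration (not code from this page, from Zoom, or from any of the bodies cited), the following Python script shows how a defender can spot the credential stuffing pattern described above in login logs: one source address trying many distinct accounts with a low success rate, as opposed to a single user retrying their own account. The log line format, IP addresses and account names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data); the line format is an
# assumption: "<timestamp> ip=<addr> user=<email> result=<ok|fail>"
SAMPLE_LOG = """\
2020-04-13T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2020-04-13T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2020-04-13T10:00:02Z ip=203.0.113.7 user=carol@example.com result=ok
2020-04-13T10:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2020-04-13T10:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2020-04-13T10:00:04Z ip=203.0.113.7 user=frank@example.com result=ok
2020-04-13T10:00:05Z ip=203.0.113.7 user=grace@example.com result=fail
2020-04-13T10:05:00Z ip=198.51.100.2 user=alice@example.com result=fail
2020-04-13T10:05:20Z ip=198.51.100.2 user=alice@example.com result=fail
2020-04-13T10:05:40Z ip=198.51.100.2 user=alice@example.com result=ok
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(ok|fail)")

def parse_auth_log(text):
    """Yield (ip, user, success) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "ok"

def find_stuffing_sources(text, min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that look like credential stuffing.

    A stuffing source tries many distinct accounts with a low success rate
    (most leaked pairs no longer work); a user who forgot their password
    repeats the same account, so distinct_users stays 1 and is not flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, success in parse_auth_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if success:
            s["hits"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "success_rate": rate, "hits": sorted(s["hits"])}
    return flagged
```

The `hits` list names the accounts whose reused passwords worked from a flagged source, which are the ones to force a password reset on.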