The Malta Business Weekly

News Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of May

In May we saw some developments that should be kept in mind for the future. Namely, an ex-contractor of Apple drew the attention of regulators to Apple’s highly questionable practice of wiretapping individuals’ phones.


Meanwhile, airline EasyJet faced a significant class-action lawsuit in relation to the cyber-attack affecting nine million data subjects. Furthermore, the EDPB raised concerns over the disproportionate suspension measures of Hungary, as well as updated the existing consent guidelines.

Whistleblower voices concern about Apple’s use of Siri’s recorded voice snippets

The whistleblower and former Apple contractor Thomas le Bonniec has sent a letter to European data protection regulators about the manner in which Apple’s voice control application Siri is being improved in terms of voice recognition quality, and has asked the regulators to take action against the company.

Le Bonniec raised concerns about the poor regulation and enforcement of the big tech companies, who, as he put it, are basically wiretapping the entire population in spite of European citizens being made to believe that the EU has in place one of the strongest data protection laws in the world. He added that passing a law is not enough if there is no enforcement.

In 2019 Le Bonniec had already raised concerns and gone public about Apple’s way of improving the quality of its Siri services. While he was working for Apple he was exposed to snippets of Siri’s recordings which contained discussions of a wide range of topics, including sensitive information on medical issues, drug deals and people having intercourse. Furthermore, it was stated that these recordings were not always made with the knowledge of the users and were sometimes made without deliberate activation of the application. It must be noted that Apple itself has stated that it saves the voice recordings for six months and after this period a copy of the data is saved for up to two years with the purpose of improving the performance of the application.

The statements and the weight of the accusations are particularly important since GDPR, as a huge safety promise in terms of data protection, has been in use now for little over two years; however, the ongoing situation with the tech giants is raising questions in regards to the effective enforcement. This situation also raises a few critical questions about the efficacy and enforcement measures of Ireland’s Data Protection Commission that oversees the many tech giants that have established their presence in Ireland.

£18bn class-action lawsuit against EasyJet

The budget airline EasyJet has been involved in a class-action lawsuit filed by the law firm PGMBM for a major data breach under Data Protection Act 2018 of nine million customers of the airline. The law firm is requesting the airline company to pay out up to £2,400 to all customers who were negatively impacted by the airline. Furthermore, the law firm is inviting other customers of the airline who have suffered from this breach to join the lawsuit.

The British law firm PGMBM, which specialises in class-action lawsuits, has already had class-action lawsuit experience in relation to data breaches of an airline with its known case against British Airways.

The significant breach involved leaking of sensitive personal data of travellers, namely names, email addresses and specific information such as departure and arrival dates, reference numbers and booking values. It was regarded as a serious data breach because of the possibility to identify, from the personal data leaked, the movement patterns of individuals. The details of the data breach are not clearly stated as of yet; however, it is known that the data was accessed by unknown parties unlawfully and that this cyber-attack was carried out in a highly sophisticated manner.

The breach had allegedly occurred in January. The airline company did notify the ICO in a timely manner; however, the public and, in particular, customers were informed about the data breach only four months later.

European Data Protection Board has worries about Hungary’s suspension of EU data protection rights

The Hungarian government had introduced plans and later on 4 June issued a decree in regards to legal measures to suspend obligations arising from the General Data Protection Regulation. The measures would address the right to be forgotten, the obligation of public agencies to notify individuals on collection of their personal data and implement extensions of the time limits for authorities for responding to information requests, until the state of emergency is over.

This was done as one of the measures taken in tackling the COVID-19 crisis and is legally based on Article 23 of GDPR, which allows member states to derogate from certain obligations laid down in the regulation. The Article states that restrictions of a limited number of rights may be introduced when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard such elements as national security, defense, public security, detection or prosecution of criminal offences, as well as public health and social security and other elements. Therefore, the fight against the outbreak may have fallen under the scope of Article 23.

However, in the view of EDPB, the measures taken in this case are disproportionate, unjustified and potentially harmful in the fight against the virus and do not satisfy the relevant criteria. Andrea Jelinek, the Chair of EDPB, has stated that “the existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects. Rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a member state”. On 2 June, EDPB issued a statement on restrictions on data subject rights in connection to the state of emergency in the member state that addressed the issue.

The Hungarian Parliament voted on 17 June to end the nation’s state of emergency and to revoke the much debated law that gave extraordinary powers to Viktor Orbán’s government in the fight against the spread of Coronavirus without a fixed date of termination.

EDPB issues new Consent Guidelines

The European Data Protection Board on 4 May issued new Consent Guidelines. These guidelines do not revolutionise the meaning of consent and merely expand and update the previous Guidelines on consent that were published on 10 April 2018, adopted by the Article 29 Working Party and endorsed at its first plenary meeting by the newly established EDPB. The new guidelines encourage readers, when encountering any references to the previous Guidelines, to interpret these as a reference to the new guidelines.

The main point of these updated guidelines is the clarification of certain matters, in particular two questions in relation to the validity of consent provided by the data subject when interacting with so-called “cookie walls” and example 16 on scrolling and consent. Namely, in relation to browsing, the guidelines imply that scrolling through a website is not to be considered consent, as it is ambiguous and may be difficult to distinguish from other activity, and it is difficult to provide a way to withdraw consent in the same way it would have been given. Except for the updates mentioned above and some editorial changes, there were no further changes to the document.

Matiss Liepins is Compliance officer at Erremme Business Advisors and may be contacted on matl@erremme.com.mt
