Here we go, hoggo’s first newsletter for 2024. Exciting!
It’s been an interesting start to 2024, with several cases of vendors misusing personal data and discussions regarding the liability of controllers for their processors. This topic has never been discussed in great detail before, but we got an interesting use case and a court case on the matter only one week apart. So let’s dive in!
Carta
A multibillion-dollar company managing cap tables, Carta, is accused of trying to trade customers’ shares without their consent. Reports suggested that staff were soliciting investors in start-ups to sell their stakes, without the start-ups’ consent, using confidential and personal data. Linear’s CEO, Saarinen, alleges that Carta approached one of its investors “cold” about selling Linear shares on the secondary market. Carta could only have identified the investor from data provided during the implementation process, Saarinen suggested, namely confidential and personal data supplied by Linear to Carta’s primary business, a platform for start-ups to manage their cap tables. According to Carta, a rogue employee misused personal data to contact investors in Linear and two other unnamed start-ups, and an investigation has been promised. However, the reputational damage has already been done, and less than 72 hours later Carta announced that it would be shutting down its activities in the secondary market.
What can we learn from this?
- Make sure you properly assess your vendors, especially if you are sharing or providing them access to confidential or personal data of your investors, customers, employees, users, etc.
- Monitor your vendors – Make sure they are using the data only for the purposes you shared it for. Make sure you know what data they have access to and how to mitigate damages in cases of data misuse or data breach.
- If you are a vendor processing data on behalf of your customers – It is your responsibility as a vendor to use the confidential and personal data shared with you only for the purposes for which it was shared. As soon as you use it for any other purpose, especially for your own interests, you are switching from a processor role to a data controller role under the GDPR. This means all obligations of a data controller (including establishing a legal basis and collecting consent) fall on you. Although you may think you’re benefiting from the extra use of the data at first, think about what happened to Carta. The negative press and brand damage that their actions caused can be deadly and very difficult to recover from. And that’s without taking potential fines or lawsuits into consideration.
CJEU C-683/21
If we’re already talking about roles and responsibilities in controller–processor relations (or in simpler terms, vendor usage), then we can’t not bring up the recent case from the Court of Justice of the European Union. This case, C-683/21, analysed the relationship between a controller and an app developer it hired to build an app. At one point, the controller told the app developer that it did not have the budget to complete the app development. However, the app was already available and people were signing up to it, which, given that it was a COVID tracking app, also involved lots of personal data. Yet the controller never gave the processor instructions to process that data on its behalf.
The court decided that a controller may be fined for unlawful processing carried out by its processor. However, a controller would not be held liable in situations where the processor has acted for its own purposes, where the processor has processed data in a manner that is incompatible with the arrangements for the processing set by the controller, or where it cannot be reasonably considered that the controller consented to such processing. In these situations, the processor would become a controller, in accordance with Article 28(10) GDPR.
Key Takeaways:
- Assess your vendors. According to this ruling of the CJEU, your company could be liable for unlawful processing done by your third parties. Make sure to assess your vendors’ privacy practices and ensure they adhere to global standards before engaging with them, in order to avoid liability and fines. You can look them up on hoggo’s Trust Hub for free, view their privacy passport and trust grade and compare them to other vendors.
- Have an agreement with your vendors (DPA). According to this ruling of the CJEU (and Art. 28 GDPR), companies must have an agreement in place with their vendors and clearly specify guidelines or instructions for processing. These are usually provided by signing a Data Processing Addendum (DPA). Remember, the fact that you don’t have an agreement with your vendors does not mean that you didn’t ask the processor to process personal data on your behalf.
- Monitor your vendors. The CJEU clearly mentions that controllers must be careful when engaging with third parties and that they must be managed and monitored for maximum protection. You can use hoggo’s My Vendors and enjoy automated vendor monitoring and simple vendor management.
Concerns in the US about data access
No one could have foreseen this, but apparently the Biden administration is concerned about countries exploiting Americans’ data for blackmail or espionage. What a shocker! What’s also a shocker is that they are concerned about “countries accessing US data through legal means”. Hmm, what would that look like? Buying personal data from data brokers legally? Just like the FBI does on a regular basis?
Anyway, Bloomberg is reporting that there seems to be talk about an Executive Order that “seeks to prevent foreign adversaries from accessing troves of highly sensitive personal data about Americans and people connected to the US government”. We don’t want to be the ones to say it, but it’s going to take a lot more effort than that to solve the problem of data brokers.
Adequacy
The European Commission released its report on January 15, 2024, on the first review of the 11 adequacy decisions from before GDPR.
As a result of the Commission’s analysis, personal data transferred from the European Economic Area to Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.
The Commission examined the development of data protection frameworks in the relevant countries and territories, as well as the evolving interpretation of the adequacy standard under EU law, particularly in light of the EU Court of Justice’s Schrems II judgement.
According to the Court, the GDPR’s “essential equivalence” standard means third country laws have to set minimum safeguards preventing public authorities from accessing transferred data more than what’s necessary and proportionate to pursue their legitimate objectives, as well as establishing effective and enforceable redress rights for people.
For all the DPOs out there (or those responsible to appoint one)
The EDPB identified areas of improvement to promote the role and recognition of DPOs. The report is the result of an EU-wide coordinated investigation and lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role.
Despite some concerns and challenges faced by some DPOs (such as the lack of designation of a DPO, even if mandatory; insufficient resources or expert knowledge for the DPO; DPOs not being fully entrusted with the tasks required under data protection law; lack of independence or of reporting to the highest management), the results are encouraging. The majority of the DPOs surveyed declare that they have the necessary skills and knowledge to do their work and receive regular training; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. In addition, they indicate that they are consulted in most cases and provided with sufficient information to fulfil their tasks, and that their opinions are followed quite well. Moreover, most consider that they have the means to do their job. However, there are still too many DPOs who are not in such a position.
Read the full report here.
Privacy Wins Data Brokers?
Last week, the US Federal Trade Commission (FTC) reached a settlement with an American data broker, formerly known as X-Mode and now rebranded as Outlogic, that sold location data collected from hundreds of phone apps to the US government.
Outlogic’s failure to disclose how its location data was used exemplifies the inadequacy of the FTC’s regulatory tools, such as Section Five, which addresses false statements in privacy claims. A privacy notice is not enough if it’s not accurate and backed by actual protection activities and a clear overview of where the data is going and being processed.
It seems the FTC is not actually armed to protect Americans from being relentlessly surveilled. At best, it is permitted to hold surveillants to a standard of “notice and choice,” but that standard remains vague. Corporations (and the US government by proxy) can right now track Americans at all times, without real legal concern.
Privacy & AI
Draft consolidated text of EU AI Act leaked online
The process to adopt the EU AI act is making sure to keep us all on our toes. Earlier this week, two unofficial versions of consolidated text on the proposed EU AI Act leaked online. These are not the final versions so we’d suggest refraining from cancelling your weekend plans so that you can read it thoroughly. As far as we’re aware, there is no official deadline for when the final version is to be published but at least we know that progress is being made. Read more here.
EU Commission Launches AI innovation package
In case you’re bored waiting for the final version of the AI Act, the EU Commission was nice enough to launch a package of measures to support European startups and SMEs in the development of trustworthy Artificial Intelligence (AI) that respects EU values and rules.
This includes launching the Large AI Grand Challenge that provides financial support and supercomputing access to AI startups, amending the EuroHPC Regulation to establish AI Factories, creating an AI Office, providing financial support for AI through Horizon Europe and the Digital Europe program, advancing initiatives to strengthen the generative AI talent pool, and developing Common European Data Spaces. The Commission is also establishing two European Digital Infrastructure Consortiums and has adopted a Communication outlining its strategic approach to AI use, preparing for the implementation of the EU AI Act.
According to the Italian DPA, ChatGPT violates Europe’s privacy laws
- OpenAI has been told it’s suspected of violating European Union privacy following a multi-month investigation of its AI chatbot, ChatGPT.
- OpenAI could be forced to change how it operates or pull its services out of EU Member States if it breaches the pan-EU regime.
- Concerns were raised about the lack of a suitable legal basis for collecting and processing personal data for training ChatGPT’s algorithms. In addition, the DPA raised concerns about the tool’s tendency to produce inaccurate information and the risks it poses to child safety.
- OpenAI has been notified of the allegations and given 30 days to respond. Read more here.
New Privacy Laws
- New Jersey is the first to enact a comprehensive privacy law in 2024
The “Garden State” is getting a new law! The New Jersey Assembly and Senate passed Senate Bill 332 (S. 332) on January 8, 2024, and Governor Phil Murphy signed it into law on January 16. This makes New Jersey the first state to enact a comprehensive privacy law in 2024.
As with other enacted state laws, SB 332 covers organizations that control or process data on at least 100,000 individuals, or those that hold data on at least 25,000 individuals while generating revenue.
It is evident from the scope of the bill that it diverges from common state privacy frameworks, since processing data “solely for the purpose of completing a transaction” is explicitly excluded. Additionally, most states attach a minimum percentage of revenue from data sales to the lower coverage threshold, but New Jersey’s bill does not specify such a requirement.
- Comprehensive overview of US privacy laws entering into force in 2024
The regulatory landscape in the US is getting crowded, and keeping up with the requirements is getting even more challenging. This year, a lot of new privacy laws are due to take effect, such as in Florida, Montana, Oregon and more. But don’t worry, we have prepared a clear overview of all the new US privacy laws of 2024 right here.
See you next month!
Get notified every month when the next edition is released by subscribing to this newsletter if you haven’t already.
We have a friendly Discord server where you can find daily privacy news bots.
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.
Samuel Solberg
Samuel is an experienced privacy consultant who holds CIPM, CIPP/E, and FIP certifications from the IAPP, as well as an L.L.M. He is the co-founder and CEO of hoggo, a privacy tech startup that aims to eliminate privacy concerns for businesses.