Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of May
In May we saw some developments that should be kept in mind for the future. A former Apple contractor drew regulators’ attention to Apple’s highly questionable practice of wiretapping individuals’ phones. Meanwhile, the airline EasyJet faced a significant class-action lawsuit in relation to a cyber-attack affecting 9 million data subjects. Furthermore, the EDPB raised concerns over Hungary’s disproportionate suspension measures and updated its existing consent guidelines.
Whistleblower voices concern about Apple’s use of Siri’s recorded voice snippets
The whistleblower and former Apple contractor Thomas le Bonniec has sent a letter to European data protection regulators about the manner in which the voice recognition quality of Apple’s voice control application Siri is being improved, and has asked the regulators to take action against the company.
Thomas le Bonniec raised concerns about the poor regulation of, and enforcement against, the big tech companies, which, as he put it, are basically wiretapping the entire population in spite of European citizens being led to believe that the EU has in place one of the strongest data protection laws in the world. He added that passing a law is not enough if there is no enforcement.
Thomas le Bonniec had already raised concerns in 2019, when he went public about the way Apple improves the quality of its Siri services. While working for Apple he was exposed to snippets of Siri’s recordings that contained discussion of a wide range of topics, including sensitive information on medical issues, drug deals, and people having intercourse. Furthermore, it was stated that these recordings were not always made with the knowledge of the users and were sometimes made without deliberate activation of the application. It must be noted that Apple itself has stated that it saves the voice recordings for six months, and that after this period a copy of the data is saved for up to 2 years for the purpose of improving the performance of the application.
The statements and the weight of the accusation are particularly important because the GDPR, a huge safety promise in terms of data protection, has now been in use for a little over two years; however, the ongoing situation with the tech giants is raising questions regarding its effective enforcement. This situation also raises a few critical questions about the efficacy and enforcement measures of Ireland’s Data Protection Commission, which oversees the many tech giants that have established their presence in Ireland.
£18 billion class-action lawsuit against EasyJet
The budget airline EasyJet is facing a class-action lawsuit, filed by the law firm PGMBM under the Data Protection Act 2018, over a major data breach affecting 9 million of the airline’s customers. The law firm is requiring the airline to pay out up to £2,400 to all customers who were negatively impacted. Furthermore, the law firm is inviting other customers of the airline who have suffered from this breach to join the lawsuit.
The British law firm PGMBM, which specializes in class-action lawsuits, already has experience with class actions over airline data breaches through its well-known case against British Airways.
The significant breach involved the leaking of sensitive personal data of travelers, namely names, email addresses and specific information such as departure and arrival dates, reference numbers and booking values. It was regarded as a serious data breach because the movement patterns of individuals could be made out from the leaked personal data. The details of the data breach have not yet been clearly stated; however, it is known that the data were accessed unlawfully by unknown parties, and that the cyber-attack was carried out in a highly sophisticated manner.
The breach allegedly occurred in January. The airline did notify the ICO in a timely manner; however, the public and, in particular, customers were informed about the data breach only four months later.
European Data Protection Board has worries about Hungary’s suspension of EU data protection rights
The Hungarian government introduced plans for, and later on 4 June issued a decree on, legal measures to suspend obligations arising from the General Data Protection Regulation (GDPR). Until the state of emergency is over, the measures would affect the right to be forgotten and the obligation of public agencies to notify individuals of the collection of their personal data, and would extend the time limits for authorities to respond to information requests.
This was done as one of the measures taken to tackle the COVID-19 crisis, and is legally based on Article 23 of the GDPR, which allows member states to derogate from certain obligations laid down in the regulation. The Article states that restrictions of a limited number of rights may be introduced when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard such elements as national security, defense, public security, the detection or prosecution of criminal offences, as well as public health, social security and other elements. Therefore, the fight against the outbreak may have fallen under the scope of Article 23.
However, in the view of the EDPB, the measures taken in this case are disproportionate, unjustified, and potentially harmful in the fight against the virus, and do not satisfy the relevant criteria. Andrea Jelinek, the Chair of the EDPB, has stated that “the existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects. Rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State.” On 2 June 2020 the EDPB issued a Statement on restrictions on data subject rights in connection to the state of emergency in Member States that addressed the issue.
The Hungarian Parliament voted on June 17 to end the nation’s state of emergency and to revoke the much-debated law that gave extraordinary powers, without a fixed date of termination, to Viktor Orbán’s government in the fight against the spread of coronavirus.
EDPB issues new Consent Guidelines
The European Data Protection Board (EDPB) issued new Consent Guidelines on 4 May 2020. These guidelines do not revolutionize the meaning of consent; they merely expand and update the previous Guidelines on consent, which were published on 10 April 2018, adopted by the Article 29 Working Party and endorsed by the newly established EDPB at its first plenary meeting. The new guidelines encourage readers who encounter any reference to the previous Guidelines to interpret it as a reference to the new guidelines. The main point of the update is to clarify certain matters, in particular two questions: the validity of consent provided by the data subject when interacting with so-called “cookie walls”, and example 16 on scrolling and consent. Namely, in relation to browsing, the guidelines imply that scrolling through a website is not to be considered consent, as it is ambiguous and may be difficult to distinguish from other activity, and as it is difficult to provide a way to withdraw consent in the same way it would have been given. Apart from the updates mentioned above and some editorial changes, the document was not changed further.