Chapter 17 - Internet Technology & Communications Flashcards

1
Q

What is cloud computing?

A

-Refers to the provision of information technology services over the internet.

-These services may be provided by a company for its users in a private cloud or by third-party suppliers.

-The services can include software, infrastructure (i.e., servers), hosting, and platforms (i.e., operating systems).

-Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models: Infrastructure as a service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS)

2
Q

What are the applicable laws for cloud computing under the GDPR?

A

-Under Article 3, the GDPR applies where either the processing relates to the activities of an EU establishment of the controller or the processing relates to offering goods or services to individuals in the European Union or monitoring their behaviour, even when the controller or processor is not established in the European Union.

-The first test is retained from the Data Protection Directive 95/46/EC, and the second test represents a significant expansion in the applicability of European data protection law

3
Q

What are the controllership issues in cloud computing?

A

-A controller is a natural or legal person, public authority, agency, or any other body which determines the purposes and means of processing.

-A processor is a natural or legal person, public authority, agency, or any other body that processes data on behalf of a controller, acting on the instructions of the controller.

-In most supply of services situations, the customer is typically a controller, and the supplier is a processor.

-However, cloud service suppliers may exercise discretion regarding the technical and organisational means of processing without becoming a controller, provided they do not process customer data for their own purposes

4
Q

What are the requirements for cloud service contracts under the GDPR?

A

-GDPR sets out a detailed list of obligations on the processor that must be included in cloud service contracts, including:

  -the subject matter,
  -duration,
  -nature,
  -purpose of the processing,
  -documented instructions,
  -confidentiality,
  -prescriptive security measures,
  -notice of subprocessors,
  -appropriate measures to ensure the data controller can meet its obligations,
  -deletion or return of personal data once services are completed, and
  -availability of information for audits

5
Q

What are the applicable laws for cookies and similar technologies?

A

-ePrivacy Directive requires member states to ensure the storing of information or gaining access to information already stored in the terminal equipment of a subscriber or user is allowed only with the user’s consent, provided with clear and comprehensive information.

-Exemptions apply for cookies used for the sole purpose of carrying out the transmission of a communication or strictly necessary for the provider of an information society service explicitly requested by the subscriber or user

6
Q

What are the conditions for international data transfers under the GDPR?

A

-GDPR imposes conditions on the transfer of personal data outside the EEA. Controllers must show evidence of appropriate safeguards for the protection of personal data transferred.

-Methods include geographically limiting the cloud, using:

-standard contractual clauses (SCCs),
-tailored data transfer agreements,
-processor binding corporate rules (BCRs),
-codes of conduct and certification,
-and reliance upon a derogation under Article 49 of the GDPR

7
Q

What is the EU Cloud Code of Conduct?

A

-EU Cloud Code of Conduct, approved in May 2021, contains requirements applicable to cloud services for businesses (B2B cloud services) where the cloud provider is acting as a processor.

-Cloud providers that sign up to the Code must adhere to these requirements, and their compliance is verified by an independent monitoring body.

-The Code is designed to ensure cloud services can be used by business customers in compliance with the GDPR

8
Q

What are cookies and similar technologies?

A

-A cookie is a small text file placed onto a user’s device when they visit a website, either by the website operator or by a third party.

-Cookies store information about the user’s visit, such as content viewed, language preference, time and duration of each visit, or advertisements accessed.

-Cookies can be used to track and create profiles of users’ online movements to serve them with targeted online advertising.

-Other tracking technologies include device fingerprinting, tags, pixels, web beacons, embedded scripts, and social plugins

9
Q

What are the controllership issues for cookies?

A

-First-party cookies are placed and read by the operator of the website visited, making the website operator the controller of the personal data gathered by its own cookies.

-Third-party cookies are placed and read by an entity other than the website operator.

-Where the third party determines the means and purposes of processing the personal data gathered from third-party cookies, it is a controller and must comply with the GDPR

10
Q

What are the applicable laws for IP addresses?

A

-IP addresses can be used to construct user profiles and are likely to be personal data subject to the GDPR.

-Both static and dynamic IP addresses will be personal data in the hands of ISPs because the ISP can link the IP address back to a particular customer.

-The CJEU ruled dynamic IP addresses would be personal data in the hands of the German state because German law allowed the state to obtain additional identifying information from ISPs

11
Q

What are the legal bases for processing personal data obtained via cookies?

A

-Consent is required to place and read cookies under the ePrivacy Directive.

-The EDPB has expressed the view that consent will generally be the most adequate legal basis to cover subsequent processing.

-However, it is possible to obtain consent for these operations but rely on legitimate interest for subsequent processing carried out on personal data collected via cookies.

-The CJEU in the Fashion ID case accepted it is possible to rely on legitimate interest as the lawful basis for processing personal data initially collected via cookies

12
Q

What are the controllership issues for search engines?

A

-Search engines determine the purposes and means of processing data about their users and are controllers of that personal data.

-The CJEU ruled search engines process the personal data contained in third-party webpages they crawl as controllers because they play a decisive role in the overall dissemination of the personal data and significantly affect the fundamental right to privacy of individuals

13
Q

What are the applicable laws for search engines?

A

-If a search engine is established in the EEA, the processing activities carried out by that establishment will be subject to the GDPR.

-Search engines outside the EEA offering services to individuals inside the EEA will be subject to the GDPR by virtue of Article 3(2)(a).

-User log files are likely to be subject to the GDPR by virtue of Article 3(2)(b).

-The CJEU ruled in Google v. Spain that search engines process the personal data contained in the third-party webpages they crawl as controllers

14
Q

What are the controllership issues for SMPs?

A

-SMP providers determine the purposes and means of processing and are controllers.

-Providers of third-party services offered through SMPs may also be controllers.

-The CJEU ruled in Wirtschaftsakademie that an entity administering a fan page on an SMP was a joint controller with the SMP in respect of the personal data collected by the SMP about visitors to the fan page.

-Advertisers and other parties targeting SMP users are likely to be joint controllers with the SMP

15
Q

What are the applicable laws for social media platforms (SMPs)?

A

-SMP providers process personal data provided directly by users, generated by observing users’ actions, obtained from other sources, and inferred or predicted based on existing information.

-The processing of personal data is subject to the GDPR.

-SMP providers also make use of cookies and similar technologies, engaging the notice and consent requirements in the ePrivacy Directive

16
Q

What are the transparency requirements for SMPs?

A

-SMP providers must provide all the information required under the GDPR.

-Users should be informed about the types of processing carried out, whether a profile based on their online behaviour will be built and used for targeted advertising, and what types of personal data will be used to build profiles.

-The essence of the arrangement between joint controllers must be made available to the data subject

17
Q

What are the legal bases for processing personal data on SMPs?

A

-All processing of personal data under the GDPR must have a legal basis under Article 6.

-SMP providers must not process special categories of personal data unless one of the conditions set out in Article 9(2) applies.

-Special category data may be processed if it has been manifestly made public by the data subject or with explicit consent

18
Q

What are the data subject rights for SMPs?

A

-Controllers must fulfil all valid requests by data subjects to exercise their rights under the GDPR.

-Recital 63 notes controllers should provide data subjects with direct access to their personal data by means of remote access to a secure system.

-Data subjects can exercise their rights against either controller in joint controllership situations

19
Q

What are the applicable laws for targeted online advertising?

A

-Targeted online advertising involves displaying advertisements to individuals based on known or predicted information about them, involving processing their personal data subject to the GDPR.

-Much of the personal data used to target individuals is derived from cookies or similar technology, engaging the notice and consent requirements in the ePrivacy Directive

20
Q

What are the transparency requirements for targeted online advertising?

A

-Controllers must provide information to data subjects about how their personal data are processed.

-Adtech companies may face difficulties in discharging their notification obligations due to the lack of direct relationships with data subjects and the impracticality of identifying each recipient and source of personal data.

-The GDPR allows for the notification of categories of recipients and general information about the source of personal data

21
Q

What are the controllership issues for targeted online advertising?

A

-Adtech companies generally determine the purposes and means by which personal data are collected, analysed, and processed to target online advertising, making them controllers.

-The CJEU ruled in Wirtschaftsakademie that advertisers using SMPs to target users are joint controllers with the SMP.

-The EDPB guidelines suggest these principles apply to advertisers using other adtech services

22
Q

What are the legal bases for processing personal data for targeted online advertising?

A

-The two likely potential bases for processing carried out by adtech companies are consent and legitimate interest.

-Consent must be demonstrable and as easy to withdraw as to give.

-Legitimate interest involves a balancing test weighing the interest of the controller or third party against any detriment to the data subject.

-Legitimate interest may be the basis most likely to support the profiling activities of adtech companies

23
Q

What are the transparency requirements for applications on mobile devices?

A

-The requirement to adequately inform users about how their information is used deserves particular attention due to the limited screen space available on mobile devices.

-Icons, visual signifiers, and layered notices can be useful tools.

-Notice may need to be provided before an app is downloaded, through a privacy notice displayed in the app store

24
Q

What are the controllership issues for applications on mobile devices?

A

-Where an app collects personal data and sends it back to the app developer’s servers, the app developer is likely to be a data controller.

-Where an app processes personal data only on a user’s mobile device and does not send it back to the app developer’s servers, the situation is less clear.

-The question is whether the app developer or another entity is determining the purposes and means of processing personal data by the application

25
Q

What are the applicable laws for applications on mobile devices?

A

-Information collected through apps linked to a specific device is likely to be personal data subject to the GDPR.

-Downloading an app onto users’ devices entails storing information on their devices, and an app reading data held on the device entails gaining access to information already stored there; both operations are subject to the notice and consent requirements in the ePrivacy Directive

26
Q

What are the legal bases for processing personal data collected via applications on mobile devices?

A

-Consent is required under the ePrivacy Directive unless an exemption applies.

-Consent may also be required as the lawful ground for processing personal data.

-The intimate nature of location data collected through a user’s mobile device means the legitimate interest ground will not generally be available, and consent will usually be required.

-Consent must be specific, offering users the ability to consent to particular types of data processing

27
Q

What is the Internet of Things (IoT)?

A

-Refers to physical objects equipped with technology enabling them to connect to and transmit information over a network, thereby communicating with other connected objects and servers.

-Connected objects are equipped with sensors and outputs that allow them to collect and transmit information and interact with their environment.

-Commercial applications include wearable technology, smart energy meters, and connected vehicles

28
Q

What are the applicable laws for the Internet of Things (IoT)?

A

-The sensors in connected objects frequently collect information relating to identifiable individuals, constituting personal data subject to the GDPR.

-Connected objects generally constitute terminal equipment, engaging the notice and consent requirements in the ePrivacy Directive.

-The strictly necessary exemption applies to storage and access operations carried out for the purpose of providing a service explicitly requested by the user

29
Q

What are the controllership issues for the Internet of Things (IoT)?

A

-The considerations relevant to determining the controllers and processors of data produced by connected objects are similar to those for internet-enabled mobile devices.

-Where connected objects provide services enabled by virtual voice assistant (VVA) technology, the roles of the VVA provider, VVA application developer, integrator, owner, and user must be considered.

-These entities may act as controllers, joint controllers, or processors depending on the context

30
Q

What are the transparency requirements for the Internet of Things (IoT)?

A

-Providing appropriate transparency can pose challenges in the context of automatic data collection by objects involving no human action.

-Solutions include ensuring it is apparent whether a connected object is collecting personal data, providing information in the online store prior to download, offering voice-based interfaces, and separating information relating to the processing of personal data collected via VVA services from other sections of a privacy notice

31
Q

What are the legal bases for processing personal data collected via connected objects?

A

-The processing of personal data collected via connected objects requires a legal basis under Article 6 of the GDPR.

-Where special category data are processed, one of the conditions set out at Article 9(2) must additionally be met.

-Contractual necessity and legitimate interest may be possible legal bases, but consent or explicit consent may be required in some cases.

-Obtaining consent in the context of connected objects can be challenging

32
Q

What are the security requirements for the Internet of Things (IoT)?

A

-The requirement to take appropriate security measures in respect of personal data processed by connected objects and related services can be challenging due to the large number of objects connected to the same network and the likelihood of outdated software.

-Particular attention must be paid to ensuring IoT networks, connected objects, and related services are designed securely, consistent with the GDPR’s data protection by design requirement

33
Q

What is artificial intelligence (AI)?

A

-Artificial intelligence (AI) is defined by the European Commission as software developed using certain techniques and approaches which can generate outputs, such as content, predictions, recommendations, or decisions influencing the environments it interacts with.

-These techniques and approaches are often based on statistical probabilities, such as machine learning

34
Q

What are the applicable laws for artificial intelligence (AI)?

A

-AI systems typically need to be designed, trained using training data, and tested, frequently involving the use of personal data subject to the GDPR.

-Once deployed, AI systems often use personal data as input to produce outputs, subject to the GDPR.

-The notice and consent requirements of the ePrivacy Directive are engaged when AI systems process input data obtained from terminal equipment or via cookies or similar technologies

35
Q

What are the transparency requirements for artificial intelligence (AI)?

A

-AI systems processing personal data must be sufficiently transparent.

-Where AI systems make significant decisions about individuals with no human involvement, Articles 13 and 14 of the GDPR require that data subjects be provided with meaningful information about the logic involved, the significance, and the intended consequences.

-The ICO has produced detailed practical guidance on explaining decisions made with AI

36
Q

What are the legal bases for processing personal data by artificial intelligence (AI) systems?

A

-All processing of personal data by AI systems subject to the GDPR must have a lawful basis under Article 6.

-The EDPB has stated personal data cannot be used to improve a service on the basis of contractual necessity.

-Personalisation of content may constitute an intrinsic and expected element of certain services.

-Consent must be specific, and individuals must be able to withdraw consent

37
Q

What are the requirements for automated decision-making by artificial intelligence (AI) systems?

A

-AI systems used to make solely automated decisions with legal or similarly significant effects on individuals are subject to Article 22 of the GDPR.

-Data subjects must be provided with meaningful information about the logic involved, the significance, and intended consequences of the decisions

38
Q

What is the EU Artificial Intelligence Act?

A

-The EU Artificial Intelligence Act, proposed by the European Commission, would apply to providers and users of AI systems.

-It prohibits certain AI systems outright, designates others as high risk subject to strict requirements, and imposes transparency requirements on certain AI systems.

-Compliance would be supervised by member state authorities, and noncompliance could result in fines of up to six percent of total worldwide annual turnover