WELCOME TO ATGROUP

Latest news

POSSIBLE LEGAL PROBLEMS OF THE CLONING OF THE HUMAN VOICE

Recently, technology companies have announced that 30 seconds of someone's conversation is enough to clone their voice and transmit any message with the cloned voice.

What if someone says that we have sent a voice message accepting a contract for the provision of services via telephone? What if we ask for the audio and it turns out that it sounds like we are ourselves?

Without a doubt, all these situations are perfectly feasible with current technology. There are companies in the market that already advertise this capacity (e.g. Aflorithmics Labs or Vicomtech), technology currently allows us to clone our voice with only thirty seconds of conversation. The system is not simple, Artificial Intelligence is applied through automated mastering in the cloud, in a short moment of time we already have the application parameterized to clone the initial subject's voice.

In short, a cloned voice is a voice exactly the same as ours, with our tone, timbre, accent, rhythm, and whoever has control of said cloned voice will have the ability to emit messages and communications exactly like us, but without our participation. Recently, a television advertisement for a well-known beer brand reproduced not only the voice but also the image of a famous folk artist who died decades ago.

It is evident that the use of our cloned voice can have multiple applications, some legitimate, others of doubtful legality and on certain occasions manifestly illegitimate.

It should be noted that these technological advances on the cloning of the voice coincide in time, (and it is not by chance), with the evolution of the voice as a digital interface, the voice has taken on a nature in terms of security system and interface communication with electronic devices, applications such as Siri or Ok Google, now allow us to manage our home automation or any other digital activity simply with voice commands.

But this ease of management by voice can also entail significant risks in the case of illegitimate or illegal cloning, since anyone can send messages or impersonate us without limitations, given these risks, what would be the means of legal protection?
for In principle, and go ahead, that in terms of privacy, voice is an unquestionable personal data, (RGPD art. 4.1) since it identifies us in a unique and differentiating way.

The strongest form of protection against the most serious crimes is the field of criminal law. It is evident that the impersonation of personality through voice cloning can be an illegal act of those contemplated in article 401 of the Penal Code. Also the cloning of the voice can be. An ideal element to make enough deception in the crime of fraud. The famous CEO scam, can acquire very dangerous derivatives in the case of the voice is indeed that of our Boss and asks us to make a transfer to an unknown bank account (if it is already a type of common scam by mail, now adding the cloned voice, already takes on a frankly dangerous look). It could also be a crime to use the cloned voice of an announcer for commercial actions or advertising exploitation without authorization (art. 270 et seq. CP), for example making a commercial announcement with the exact voice of a famous announcer, but without your participation or authorization.

In the civil aspect, we could suppose the realization of activities of special media projection, let's imagine a public figure who makes incendiary statements against another person from the entertainment world ... we can imagine the impact they can have on social networks, and as a consequence on the public image of the person who made such statements. But ... that person has not been guilty of anything, on the contrary he has been the victim of an impersonation that has diminished his image and his honor. Apart from the criminal actions that may be filed, the civil actions contemplated in Law 1/82, on civil protection of the right to honor, image and privacy, would also fit. Said norm allows the filing of the corresponding legal claims including in the same the damages caused, including the consequential damage and the loss of profits that may occur due to the termination of advertising contracts and the like.

Finally, we would have administrative protection, specifically when dealing with the voice of a personal data, its capture, processing and subsequent use will be subject to the provisions of the European Data Protection Regulation and by the Organic Law on Data Protection and Guarantees of Digital Rights, together with its complementary and / or concordant legislation.

At this point, it should be noted, as we have already commented, that although criminal actions can have consequences of harsh prison sentences or in civil cases we can have situations of important economic compensation, all of this is overshadowed by the sanctioning capacity that it grants the RGPD to the competent control authorities, in Spain, to the AEPD...

Data protection penalties can in the most serious cases reach 20 million euros or 4% of the global turnover of the offender. In these circumstances we can find that a very serious infringement in terms of data protection such as the lack of consent in the cloning treatment, where an economic benefit has been obtained, may entail millionaire penalties.

In any case, it seems clear that the voice as an element of communication will lead to many doubts about authorship and not manipulation. If we are talking about cloning, we will be in front of an exact copy of our voice, therefore it will only be possible to distinguish the possible manipulations by highly qualified computer experts, here we recommend visiting the website of the Professional Association of Computer Experts (ASPEI), www.aspei.es

We will inform you of this and other news.

July 30th, 2021

PLATAFORMA DE VEHÍCULO CONECTADO, DGT 3.0, APLICACIÓN DE LA DIRECCIÓN GENERAL DE TRÁFICO., ¿NUEVO RETO EN MATERIA DE PROTECCIÓN DE DATOS?

LA ENTRADA EN VIGOR DEL REAL DECRETO 159/2021, DE 16 DE MARZO, POR EL QUE SE REGULAN LOS SERVICIOS DE AUXILIO EN LAS VÍAS PÚBLICAS, EL PRÓXIMO 1 DE JULIO, CONSOLIDA LA TENDENCIA DE LA MOVILIDAD CONECTADA QUE FOMENTA LA DGT DESDE SU PROPUESTA DE PLATAFORMA DE MOVILIDAD INTELIGENTE , DGT 3.0

Recientemente ha vuelto a salir en prensa (La Vanguardia, 26/05/2021) que la Dirección General de Tráfico tiene muy avanzada una aplicación informática que interconectará a los conductores entre sí, con la vía y les notificará en tiempo real las diferentes incidencias y novedades que puedan tener en la ruta.

El objetivo no puede ser más interesante: accidentes cero, heridos cero y fallecidos cero para el famoso año 2050.

Para el desarrollo de esta aplicación se han destinado recursos económicos importantes, que ascienden a más de tres millones de euros y se han implicado prestigiosas empresas e instituciones en su desarrollo. También se han tenido presentes los diferentes operadores que tengan datos o conocimientos para aportar en la mejora de la movilidad, como son los fabricantes de vehículos, centros de coordinación de emergencias o de control de tráfico rodado.

A nadie se le escapa que la potencia y el alcance de esta aplicación va en paralelo a la evolución de las nuevas tecnologías como son el 4G y el 5G, y sobre todo el llamado Internet de las Cosas (IoT), donde millones de dispositivos se conectan en tiempo real, interactuando de forma automatizada. Las previsiones son que una vez este implantado el 5G la plataforma DGT 3.0 entre en pleno funcionamiento.

Sin duda el saber la situación de la vía, si hay un accidente, un tramo de obras o esta cortada por una inclemencia meteorológica es una valiosa información, que a buen seguro será apreciada por los conductores y aportará mejoras en la seguridad y la reducción de la contaminación, optimizando trayectos y reduciendo caravanas e incidentes.

Con la entrada en vigor del RD 159/2021, de 16 de mayo, por el cual se reforma el Reglamento General de Vehículos, se da un paso más en esa dirección, dicha norma, modifica el Reglamento General de Vehículos y regula la conexión a la nube de la DGT, no sólo de los vehículos con incidencia en la vía ( señales luminosas e interconexión bajo protocolo V.16), sino de los servicios de asistencia en ruta, creando un registro de homologación de los operadores de dichos servicios, de obligada inscripción en el Registro Estatal de Auxilio en Vías Públicas (REAV), así como a la señalización en tiempo real de las actividades de asistencia , geoposicionando los servicios en tiempo real de la ubicación de los trabajos con el protocolo de comunicaciones asignado (V.2, V.23 y V.24).

De todas estas novedades en materia de movilidad y seguridad vía echamos a faltar un elemento importante, el estudio de la evaluación del impacto en materia de privacidad.

En efecto, la realidad es que detrás de cada vehículo, u operador de movilidad hay personas físicas, identificadas o identificables (titulares, conductores, peatones afectados, personal técnico de asistencia en ruta, etc.), haciendo poco o nada creíble que esos datos masivos utilizados se traten exclusivamente de forma anónima sin posibilidad de reversión por ninguno de los operadores afectados.

La interconexión de todos los elementos de movilidad urbana en interurbana mediante el 5G e IoT, junto a la IA, hace que el cerco sobre la esfera de la intimidad sea cada vez más estrecho, y más si lo asociamos al uso masivo de nuestros inseparables smartphone.

El cruce de datos entre todos los dispositivos interconectados en tiempo real puede abrir la puerta no sólo a las conductas de asistencia en carretera o ayuda ante incidentes, sino a la supervisión de fiel y estricto cumplimiento de las normas de circulación, ya que será nuestro propio vehículo el que vaya indicando a la Autoridad de Control las situaciones que pudieran constituir infracción administrativa e incluso penal.

Y de todo ello, no parece que nadie vaya a informar adecuadamente según el RGPD y la LOPDGDD a los usuarios e incluso a los terceros afectados, como pudieran ser pasajeros o viandantes.

Por tanto, entendemos que dichas nuevas plataformas de gestión de la movilidad, ya sea urbana o interurbana, compartidas o no , necesitan un análisis profundo desde el punto de vista de la afectación o los riesgos que pueda tener en materia de privacidad desde el punto de vista del RGPD Y.

No basta con enunciar que serán datos anónimos, el principio de Responsabilidad Activa del artículo 5.2 del RGPD nos exige poder acreditar en todo momento los hechos, por tanto, se hace imprescindible que en todo proyecto donde pueda haber uso masivo de datos que pudieran ser vinculados a personas se haga la correspondiente evaluación del riesgo y los oportunos Planes de Evaluación de Impacto, y todo ello, por supuesto, antes de la puesta en explotación, como nos indica el principio de privacidad desde el diseño del artículo 25 del RGPD.

No perdemos la esperanza de que en breve se publicaran los informes correspondientes por parte del Delegado de Protección de Datos de la Dirección General de Tráfico respecto a la plataforma DGT 3.0.

May 28th, 2021

AEPD 2020 Report: Endorsement of the Tribunal Supremo to the Sanctions Imposed by the AEPD: 95%

Image from Hans Braxmeier on Pixabay
In the recently published 2020 report of the Spanish Data Protection Authority (AEPD), the trend of the TS of overwhelmingly confirm the sanctioning resolutions of the AEPD is confirmed.

In a legal system with guarantees, such as the Spanish one, sanctioning administrative resolutions can be reviewed by the judges as established by the appropriate procedural laws.

In the case of sanctioning resolutions filed by the Spanish Data Protection Agency, the competent judging body in the first instance is the National Court and in the second instance it is the Supreme Court.

Historically, as the AEPD is a legal operator with guarantees and extensive procedural experience, the sanctioning decisions that were appealed by those affected were, in the first instance, mostly totally or partially rejected and in some cases inadmissible, the few being considered in favor of the appellant normally by procedural rather than substantive issues (eg prescriptions, expiration, material errors, etc.) or favorable legislative changes.

It is evident that once the first procedural instance has passed, (the National Court), when the matter reaches the second instance, (the Supreme Court), it has already been tried by a collegiate and qualified judicial body, and it is unlikely that it will not be have taken into account arguments or situations with legal relevance that may modify the meaning of a ruling. In any case, as human error exists, the second instance verifies if the ruling appealed to the Law is adjusted, as an example of the above, it should be noted that in this year 2020, there has been a sentence estimated by the Supreme Court, although it should also be noted that another 17 have been rejected ...

In any case, it is an undeniable fact that the historical statistics of judicial decisions act as a deterrent when filing a judicial appeal against the AEPD, making it only advisable in cases where there is truly a clear and precise legal basis.

In any case, in the resolution of conflicts in matters of RGPD, if we would like to highlight from these lines the importance that the system of "Transfer" of actions that the AEPD is adopting is gaining, consisting of informing the accused of the existence of a complaint against his natural or legal person, indicating the possibility of making allegations and clarifying the facts before initiating the inspection actions.

We understand that this prior procedure, the "Transfer" is a great opportunity to solve possible misunderstandings and incidents and avoid further sanctioning procedures with uncertain results and very likely onerous. From ATGROUP we will inform you of the news about this and other issues that may be of interest in matters of RGPD.

April 30th, 2021

FLoC: THE END OF COOKIES... EXCEPT FOR GOOGLE

Google is preparing the FLoC, an update to its famous Google Chrome browser in which they will not accept any third party cookies
t has recently come out in the media that Google is preparing a major change to its famous CHROME browser that will consist of two key elements:

 First You will only accept Google’s own cookies and not those of third parties.
 Second Google cookies will use FLoC technology to filter users by cohorts or common interest groups.

Without a doubt, it may seem like an advance in privacy with respect to the current system where multiple companies develop their cookies (browser attachments with different functions) and generate their own user profiles in an absolutely decentralized system, Unlike Google, where the future model will be totally controlled by the Internet giant with no option to third-party participation in the segmentation of users.


It is clear that the current system of cookies may involve situations not wanted by the user and to avoid such situations the AEPD ,(we understand that with very good judgment) has required all website owners to allow the user to choose which cookies they accept or not before browsing a website. In this way, it is the user who chooses which level of privacy you want in the navigation within a web.

With the new model proposed by Google will not make sense such cookie settings, since only those that the dominant operator has developed for itself will be accepted, and surely the user when entering a website will only have to answer a binary question, that is whether or not I agree to enter the FLoC system.

The Federated Learning of Cohorts (FLoC) of Google, consists in identifying the user according to their tastes and browsing activity within a certain group or cohort, assigning a differentiated ID according to interests and profiles. In this way you don’t have an individual but a group with common interests with advertising segmentation that can be of interest at any time for advertisers and agencies.

At this point, we see some light and also some shadow, as a positive and interesting element in the improvement of privacy would highlight the lack of identification of the end user, that is, the FLoC system does not allow to identify users one by one as it happens now, would only be allowed to know which cohort ID belongs, without going into absolute anonymity, but blurred within a similar interest group. Undoubtedly, this layer of concealment, if well done can be an improvement with respect to privacy.

As shadows, the truth is that we are concerned that only Google can make Chrome cookies, a dominant operator with more than 90% of the Western market, is certainly a monopoly that goes beyond borders and states, while it is true that the fragmentation of the market made it more difficult to monitor and supervise it, It is no less true that the coercive capacity of the European Supervisory Authorities is much greater in these third party operators than they can in the face of Internet monsters such as Google.

The second shadow, is the alternative that Google gives us with its FLoC system to the personal identification of the user, the operator proposes us to classify by groups (cohorts in Google language) consumers, so that each user according to their behavior would be segmented and classified according to the pattern designed by Google.

It is clear that these patterns of conduct are of maximum interest to Google, and not precisely because of their altruistic spirit, but to market with them advertisers and advertisers with maximum efficiency and without competition, since only Google will have access to such profiles.

In short, it is not unreasonable to think that with the excuse of improving the privacy of your browser, Single-motion Google eliminates the possibility for third parties to extract commercial information from browsing by not accepting third-party cookies and also imposes the exclusive monopolistic system of segmentation of potential customers through its own and only cookies of the FLoC system... the truth is that it seems to us a monopolistic practice that can harm both users and other small developers in the advertising world who will see how they have to change all their patterns and economic investment, as always in favor of monopoly.

It is clear that all the European supervisory authorities are well aware of the ways in which the issue can be taken up, there is concern about the monitoring over time of users, consumption trends, the true anonymisation of the FLoC cohorts, the processing of specially protected data.

In any case, users feel the fight of David against Goliath, try to control through administrative procedures the giants of the Internet, It is not an easy task for any European supervisory authority, nor can it have an optimal outcome if there are no other complementary measures to promote competition and stimulate compliance.

In conclusion, we would like to restate a wish, now with more sense than ever, that the European Union must take a step forward in its Digital policy, it is clear that there is a common border, financial, goods and even external relations policy, but we miss the promotion of policies of digital independence similar to those undertaken by China in its day with BAIDO, ALIBABA, TACENT and XAOMI, and even Russia with YANDEX, certainly necessary alternatives and examples to follow if we are to have some European digital independence.

We will see in a few months where the FLoC evolves, we will be waiting and we will keep you informed.

A greeting.

April 8th, 2021

THE BEST WAY TO AVOID AN AEPD SANCTION: ANSWER THE TRANSFER OF THE COMPLAINT CORRECTLY

THE PRIOR MECHANISM FOR ADMISSION TO PROCESSING CLAIMS BEFORE THE AEPD, WHICH CONSISTS OF TRANSFERING THE ACCUSED.

The truth is that the prior mechanism established in article 65.4 of the LOPDGDD is a tool little known to all.

This is a process by which the competent Control Authority in matters of data protection, when it receives a complaint from a person affected by a possible violation of the LOPDGDD, proceeds to transfer it to the denounced party to express what it deems appropriate in his defense based on the facts presented in the complaint.

With the respondent's response, the supervisory authority will decide with better criteria whether to open another administrative procedure or, on the contrary, to file the complaint.

It is important to note that historically the number of disciplinary proceedings opened based on a complaint is much higher than those opened ex officio, and that in the event of an infringement of the RGPD, the Control Authority cannot evade its responsibility and will have to act, regardless of what the interest of the complainant is honest or not when presenting the complaint.

In many cases the receipt of said communication of transfer of the complaint by the AEPD is the first news that the complainant has that there is a problem in terms of data protection and that it has been reported by someone to the competent Control Authority .

In any case, from ATGROUP our recommendation is to take advantage of that first opportunity to explain, document and why not say it to help the Control Authority in its task of clarifying the facts, providing the evidence and evidence necessary to eliminate or minimize the alleged violation reported.

Let us remember that the principle of proactive responsibility (art. 5. RGPD) obliges the data controller to faithfully comply with the RGPD and the LOPDGDD and also to be able to demonstrate such compliance at all times.

Finally, we will not tire of recommending the intervention of the organization's Data Protection Delegate in all the management of responding to the transfer of the AEPD, the DPD being the natural interlocutor with the control authority and the qualified professional to advise and coordinate the entire response process to complaints filed (art. 37 RGPD).

We will continue to inform you.

All the best.

March 31st, 2021

SPANISH DATA PROTECTION AGENCY FINES VODAFONE 8 MILLION EUROS

The Spanish Data Protection Agency (AEPD) has imposed on Vodafone Spain several penalties totaling more than eight million euros for breaching several articles of Spanish law, making it the highest fine ever imposed by this body.

The company Vodafone Spain, according to the AEPD, has breached not only the Law on the Protection of Personal Data and Guarantees of Digital Rights, but also the General Telecommunications Law and the Law on Information Society Services and e-commerce.

In the resolution, to which EFE has had access, it is noted that since the second quarter of 2018 the AEPD has received almost two hundred complaints against the company.

Most of the complaints against Vodafone Spain denounce the performance of marketing and commercial prospecting actions through telephone calls and by sending electronic commercial communications, both mailings and SMS messages, actions that according to the Agency violate the law.

These communications have not been requested or expressly authorized by the persons who have received them, who have not been able to exercise their right to object; or they have been addressed to persons who had requested their inclusion in the "Robinson list" (a directory to which those who do not want to receive advertising subscribe); and they did not comply with the procedures and guarantees established to carry out these marketing actions.

The Spanish Data Protection Agency imposed a penalty of 4 million euros on the company for failing to comply with Article 28 of the General Data Protection Regulation; and 2 million euros for failing to comply with Article 44 of the same regulation. It also imposed a fine of 150,000 euros for failing to comply with Article 21 of the Law on Information Society Services and Electronic Commerce; and another two million euros for failing to comply with the General Telecommunications Law.

And it grants the company Vodafone Spain a period of six months to accredit before the Spanish Data Protection Agency that it has adjusted to the law all the operations that have been the reason for the investigation and the sanction.

The company assures that it does not agree with the breaches imputed to them by the Agency, considers that the amount of the proposed sanction is disproportionate and stresses that the company treats "with the maximum guarantees of confidentiality and privacy of its customers' data" and has communicated its intention to appeal the sanction before the Agency itself and has left open the possibility of taking the case to the National Court.

March 25th, 2021

SPANISH DATA PROTECTION AGENCY OPENS AN INVESTIGATION TO EMT ON SECURITY GAP IN FRAUD OF 4 MILLION EUROS

The AEPD has opened an investigation for possible security breach in the Municipal Transport Company of Valencia

The Spanish Data Protection Agency has estimated the appeal filed on June 1 by PP Councillor Carlos Mundina. This appeal will also investigate non-compliance with the EMT's data protection regulations.

From the political party they claim to appreciate very positively the opening of this investigation of the security breach in the EMT to avoid scams like the one that occurred a month ago and that it involved the theft of 4 million euros. The 'popular' warn in their claim a very low level of cybersecurity in the EMT as well as the lack of protocols in management. Consultancy Ernst and Young mentions that "EMT is not yet adapted to the legal obligations of the General Data Protection Regulation".

A statement is also collected by the EMT Data Protection Delegate about a possible security breach in Caixabank's e-banking in relation to possible phishing when accessing EMT's bank accounts in that entity.

Members of other political parties mentioned the major cybersecurity problems when the fraud of the 4 million euros occurred and which was certified by several important states. In addition, they claimed that the fact that there were cybersecurity problems in the EMT was cleared very prematurely, as there were notifications from the AEPD when the commission was closed.

March 11th, 2021