23. August 2016
In order to join the EU-U.S. Privacy Shield, a company has to self-certify, which means it must meet the following requirements:
1. The company has to confirm its eligibility to participate in the EU-U.S. Privacy Shield.
3. Independent recourse mechanisms need to be identified.
- Enforcement and Liability Principle: the company has to provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual.
4. Verification mechanisms need to be in place.
- The company is required to have procedures in place for verifying compliance through self-assessments or third party assessments.
5. A contact person needs to be designated.
- The company is required to provide a contact for questions, complaints, access requests, and any other issues arising under the EU-U.S. Privacy Shield.
Furthermore, the company has to pay a fee that depends on its annual revenue:

| Company's Annual Revenue |
| --- |
| $0 to $5 million |
| Over $5 million to $25 million |
| Over $25 million to $500 million |
| Over $500 million to $5 billion |
| Over $5 billion |
22. August 2016
Thomas de Maizière, Germany's Interior Minister, aims to introduce facial recognition software at train stations and airports to support the identification of terror suspects. The suggestion was prompted by two Islamist attacks in Germany last month.
Since internet software is already able to determine whether the individuals shown in photographs are celebrities or politicians, Thomas de Maizière commented: "I would like to use this kind of facial recognition technology in video cameras at airports and train stations. Then, if a suspect appears and is recognized, it will show up in the system". He added that such a system is already being tested for the identification of unattended luggage: the camera reports the respective luggage to an authority after a certain number of minutes.
However, although other countries are also testing similar technology, Germany has been sceptical and has shown caution about the introduction of surveillance because of historical events such as the abuses by the Stasi secret police in East Germany and the Gestapo under the Nazis.
19. August 2016
The ICO fined Hampshire County Council 100,000 GBP for a data breach.
The fine was the result of a lack of measures protecting personal information against unauthorized access: documents containing the personal information of more than 100 data subjects were stored in an abandoned building. Furthermore, 45 bags of confidential waste were also found there.
Hampshire County Council released a statement saying that “We are very sorry that this incident occurred. Hampshire County Council takes the management and protection of its data very seriously. Accordingly, appropriate procedures were in place at the time, but unfortunately, on this occasion, the process was not fully adhered to. However, at no time was any information disclosed outside of the site”.
Furthermore, the statement points out that "Immediate steps were taken to investigate the matter fully, and remedial action was taken. This has included strengthened and improved processes in the removal of, and destruction of, confidential waste from vacated buildings."
The statement highlights that Hampshire County Council reported the incident to the ICO as soon as they became aware of it and that they have cooperated fully at all stages of the ICO’s investigation.
18. August 2016
The Guardian has just reported that the European Commission is about to release an updated draft of the E-Privacy Directive in September.
This draft will probably require that apps like Skype and WhatsApp be treated the same way under the privacy regulations as SMS text messages and both mobile and landline calls. According to Jan Philipp Albrecht, Green MEP, "It was obvious that there needs to be an adjustment to the reality of today"; he went on: "We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way." Furthermore, he mentioned that a focus of the new law lies in upholding strong encryption.
However, critics have raised concerns that the law might reduce economic innovation and that it is "well-nigh impossible" to fit older legislation to newer technology.
17. August 2016
Concerning U.S.-American Companies:
- Annual self-certification that they meet the requirements
- Replying in a reasonable period of time to any complaints
- Where human resources data is processed: cooperation with, and compliance with, the European Data Protection Authorities
Concerning European Individuals:
- More transparency about the transfer of personal data to the U.S. and a higher level of protection for this data.
- Cheaper and easier redress possibilities in case of complaints: either directly towards the company or with the support of the respective Data Protection Authority.
16. August 2016
A list was released last week containing about 40 companies that have been approved under the EU-U.S. Privacy Shield.
A spokesman of the Department of Commerce commented that this list would be updated continuously. He went on by saying that “There are nearly 200 applications currently involved in our rigorous review process.”
Nevertheless, the Wall Street Journal has just released an article stating that, because of the legal uncertainty surrounding the EU-U.S. Privacy Shield, companies are showing restraint in joining the agreement.
However, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids” concluded Jay Cline working with PwC.
15. August 2016
One of the biggest U.S. insurance companies, the American International Group (AIG), has just declared that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption and product liability caused by cyber attacks.
Because "Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s]", AIG released the new product CyberEdge Plus.
AIG commented on the new product as follows:
</br>
“CyberEdge can provide companies with protection against the following:
- Third-party claims arising from a failure of the insured’s network security or a failure to protect data. Insurance also responds to regulatory actions in connection with a security failure, privacy breach, or the failure to disclose a security failure or privacy breach.
- Direct first-party costs of responding to a security failure or privacy breach by paying costs of notifications, public relations, and other services to assist in managing and mitigating a cyber incident. Forensic investigations, legal consultations, and identity monitoring costs for victims of a breach are all covered.
- Business interruption caused by a network security failure by reimbursing for resulting lost income and operating expenses.
- Threats made against a company’s computer network and confidential information by an outsider attempting to extort money, securities, or other valuables. Coverage includes monies paid to end the threat and the cost of an investigation to determine the cause of the threat.
- Liability faced by companies for content distributed on their website. Coverage is provided for numerous media perils including copyright infringement, trademark infringement, defamation, and invasion of privacy.”
Furthermore, the coverage has a limit of up to $100 million.
12. August 2016
Because the smartphone app Pokemon Go inserts animated creatures into real-life surroundings using real-time GPS data and the phone camera, concerns have been raised about the safety and privacy implications of location-based games and apps:
- In the US last month, armed criminals used Pokemon Go to lure teenage victims to an isolated place, where they were robbed.
- Iran became the first country to ban the game because of unspecified “security concerns” last week.
- Also, the contract customers must agree to before using the game has been questioned by consumer watchdogs across Europe, because Pokemon Go's terms of service waive a player's right to courtroom representation as a plaintiff or class action member unless the player opts out within a month of the download.
A spokesman for Ireland's Data Protection Commissioner commented that, in regard to Pokemon Go, "It was not aware of any specific data protection issues arising at this stage". He continued by saying: "However, like any smartphone app that seeks permissions in respect of users' personal data, such as location data or for advertising or personalising services, there are privacy implications and users should make themselves aware of the terms to which they are agreeing in downloading and installing the app".
The spokesman concluded that “In respect of location data, this office will be publishing detailed guidance early next week to assist individuals in understanding how organisations collect and process information relating to their location and their rights to the protection of their personal data.”
The ICO has fined Regal Chambers Surgery 40,000 GBP because personal medical information was handed out.
Regal Chambers Surgery disclosed a 62-page medical file about a man's son to the man; the file contained not only the son's personal data but also information on the man's ex-partner, her parents, and an older child he was not related to. Although the man had requested the records under Section 7 of the Data Protection Act, Regal Chambers had no process in place to determine whether the data should be handed out.
The ICO’s Head of Enforcement, Steve Eckersley commented that “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded”.
11. August 2016
The Ponemon Institute has recently published a study about security gaps and the protection of corporate data. The study was carried out among U.S. and European organizations in France, Germany and the United Kingdom, and aims at identifying gaps in organizations that may lead to data breaches.
The study identifies data theft by "insiders" as the main cause of data breaches within organizations. A vast majority of the participants stated that their organization had suffered such insider theft over the past two years.
Furthermore, respondents from the IT field confirmed that insider theft is twice as likely to compromise corporate information as any external attack. The study attributes the increase in data breaches by insiders to the fact that employees require wide access rights to perform their job and therefore have access to the confidential and sensitive information of their organization.
The report suggests that companies should improve their tracking capabilities in order to identify how employees access and use data, and to detect more quickly attempts by employees to access information and data they are not authorized to see.
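The kind of tracking the report recommends can be illustrated with a small audit-log review. The following is an added example, not code from the Ponemon study or from this page: it assumes a simple role-to-dataset entitlement table, a constructed user directory and a constructed line-oriented audit log (timestamp, user, dataset, action, result). It flags two things a defender would want surfaced quickly: successful reads of datasets that a user's role does not entitle them to (the over-broad access rights the study describes), and users who accumulate several denied attempts within a short window (early sign of someone probing for data they are not authorized to see).

```python
"""Review employee data-access events against role entitlements.

Added illustration; log format, roles, users and thresholds are assumptions
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role-to-dataset entitlements (constructed for the example).
ROLE_ENTITLEMENTS = {
    "hr": {"payroll", "personnel"},
    "sales": {"crm", "pricing"},
    "engineering": {"source", "builds"},
}

# Assumed user directory mapping users to their job role (constructed).
USER_ROLES = {"alice": "hr", "bob": "sales", "carol": "engineering"}

# Constructed audit log: "<timestamp> <user> <dataset> <action> <allow|deny>".
SAMPLE_LOG = """\
2016-08-11T09:00:12Z alice payroll read allow
2016-08-11T09:01:40Z bob crm read allow
2016-08-11T09:02:03Z bob payroll read deny
2016-08-11T09:02:09Z bob personnel read deny
2016-08-11T09:02:15Z bob payroll read deny
2016-08-11T09:05:00Z carol personnel read allow
2016-08-11T09:07:30Z alice personnel read allow
"""


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, dataset, action, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "dataset": dataset,
        "action": action,
        "result": result,
    }


def review(log_text, deny_threshold=3, window=timedelta(minutes=5)):
    """Return (out_of_scope_allows, probing_users).

    out_of_scope_allows: (user, dataset) pairs where access was granted to a
        dataset outside the user's role entitlements; these point at access
        rights that are broader than the job requires.
    probing_users: users with at least `deny_threshold` denied attempts
        inside any `window`-long span, i.e. repeated attempts to reach data
        they are not authorized to see.
    """
    out_of_scope = []
    denies = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        role = USER_ROLES.get(ev["user"])
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        if ev["result"] == "allow" and ev["dataset"] not in allowed:
            out_of_scope.append((ev["user"], ev["dataset"]))
        elif ev["result"] == "deny":
            denies[ev["user"]].append(ev["ts"])

    probing = []
    for user, times in denies.items():
        times.sort()
        # Sliding window over the sorted deny timestamps.
        for i in range(len(times) - deny_threshold + 1):
            if times[i + deny_threshold - 1] - times[i] <= window:
                probing.append(user)
                break
    return out_of_scope, sorted(probing)


if __name__ == "__main__":
    allows, probers = review(SAMPLE_LOG)
    for user, dataset in allows:
        print(f"out-of-scope access granted: {user} -> {dataset}")
    for user in probers:
        print(f"repeated denied attempts: {user}")
```

On the constructed log this reports that carol (engineering) was granted a read of the HR dataset "personnel", which is the entitlement mismatch a periodic access review should catch, and that bob produced three denials within twelve seconds. Alice reading "personnel" is within the hr role and is not flagged; the point of the entitlement table is that only accesses outside the job's scope generate findings.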