Spain imposes fine against Facebook

13. September 2017

The Spanish Data Protection Authority imposes a fine of €1,2m against Facebook. The social media network collects Personal Data of the users without a permission for this.

The responsible Data Protection Authority considers that Facebook collects personal information like gender, religious attitudes, personal preferences and personal beliefs without informing the persons concerned about the concrete use of this data.

The Data Protection Authority criticizes the unclear wording of Facebooks privacy policy. Moreover Facebook uses the personal data for advertising purposes without a permission. This constitutes a breach against Spanish Data Protection law.

Furthermore Facebook recognizes as well third party pages the user is referred if he clicks on links and illegally tracks visitors who are not Facebook users.

Finally is criticized that Facebook does not remove data, if a user unsubscribe the network. The collected information is stored for month even if the user terminates its account.

Not only Spain started an investigation against Facebook and imposes a fine as well as Spain also Belgium, France, Germany and the Netherlands are investigating against Facebook due to breaches against the local Data Protection law.

Credit Bureau Equifax has been hacked

11. September 2017

The consumer credit reporting agency Equifax has been hacked in the middle of May. The operators have noticed the breach much later, on 29th July. The public has learned about the breach just last week on Thursday, 7th September.

The breach potentially affects the sensitive data of approximately 143 million consumers. Data concerned are the consumer’s name, social security numbers, birth dates, addresses and in some cases driver’s license numbers. As well as credit card numbers for 209.000 U.S. consumers and other dispute documents that contained identifying information for 182.000 consumers.

Not only the US is concerned. A hired third-party cybersecurity company also found some residents of the U.K. and Canada.

The Equifax Chairman and CEO Rick Smith announced steps Equifax is taking at the moment to respond on the breach and is working with authorities.

Category: Data breach · General · USA
Tags:

New Zealand: Police uses backdoor in law to gather private data

5. September 2017

According to the New Zealand Council of Civil Liberties, in several cases private data was handed over by banks to the police, after the police requested these data from them. It is further explained that the police used forms that looked official, instead of applying to a judge for a search warrant or examination. The police should neither have an oversight, nor a register which tracks the amount of filed requests.

The Police and banks rely on a legal loophole in the Privacy Act that allows organisations to reveal information about persons in order “to avoid prejudice to the maintenance of the law”. The Privacy Commissioner John Edwards is willing to end the further use of this backdoor. Referring to the case of handing over the private information of activist and journalist Martyn Bradbury, he said:

“…we concluded that Police had collected this information in an unlawful way by asking for such sensitive information without first putting the matter before a judicial officer. Our view is that this was a breach of Principle 4 of the Privacy Act, which forbids agencies from collecting information in an unfair, unreasonable or unlawful way.”

New Data Protection Act in Austria

31. August 2017

In regards to the General Data Protection Regulation (GDPR), coming into force on 25th May 2018, the Austrian Parliament has passed the new Data Protection Act.

The GDPR is directly applicable which means that the GDPR will regulate the data protection within the European Union, without the need for any transposing act of the member states. Nevertheless the GDPR contains a certain amount of opening clauses. Opening clauses enable the countries to complete the law. Moreover, in some cases, the member states are obliged to provide specifications. Because of this reasons the member states have to revise the existing Data Protection Law. The first country with renewed law was Germany and now Austria follows.

The first draft of the new act was published on 12th May 2017. After evaluating the results of the consultation the new Data Protection Act was published in the federal law gazette on 31st July 2017.

It is noticeable that the Austrian parliament has been reticent with deviations from the GDPR which benefits the harmonization of data protection within the European Union.

India’s Supreme Court rules that privacy is a fundamental right

29. August 2017

In the past few years, India’s government aimed to build up the world’s largest biometric database, named Aadhaar. So far, more than a billion citizens have been registered to the identity programme, whereby eye scans and fingerprints are collected. In order to make sure that all citizens registered to the Aadhaar database, the government restricted access to government services for those who are not part of the database.

Critics expressed concerns about the implications of possible future data breaches, jeopardising the privacy of more than a billion Indians. It was also feared that the Indian government could use the database for surveillance purposes.

Last week, a nine-member panel of India’s Supreme Court ruled that a right to privacy is a part of article 21 of the Constitution of India. This historic ruling could result in the abrogation of the mandatory enrolment to the Aadhaar database. Furthermore, any future laws aiming at restricting privacy, will now “have to be tested on the touchstone of article 21”. It remains to be seen whether the ruling will also have lasting effects on the civil liberties and the daily life of Indians.

Cifas: Identity theft at epidemic level

24. August 2017

According to BBC.com, the fraud prevention group Cifas warns that cases of identity theft increase year by year in the UK. In the first six months of the year Cifas already recorded 89,000 cases, which is a 5% increase in relation to the same period of the last year and a new record.

BBC.com further reports that Simon Dukes, chief executive of Cifas, said: “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day.” It is further explained that “these frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.”

Fraudsters are targeting data such as the name, address, date of birth or bank account details. They gather these data by hacking computers, stealing mails or buying data through the “dark web”. Also, victims are tricked into giving away their personal data. However, most of the thefts, about 80%, are committed online and mostly without notice of the victims. The crimes often come to light, when for example the first random bill arrives.

The victims of impersonation were breaked down into categories of ages, showing that it is most likely that people in their 30s and 40s are victims of identity thefts, since about this group of people often a high amount of information was gathered online. It is further reported that according to Cifas, the amount of cases fell for the group of over-60s, while the group of 21 to 30 years old showed the biggest increase of cases.

Roskomnadzor publishes privacy guidelines for data operator

17. August 2017

The Russian data protection authority Roskomnadzor published guidelines for data operators on the drafting of privacy policies on July 31.

Russian data operators must adopt a privacy policy to comply with Russian data protection law. The policy must describe how they process of personal data. This policy shall be published online if personal data is collected online. In case of collecting personal data offline an unrestricted access to the policy has to be guaranteed.

The policy shall be detailed so that data subjects are aware of all potential actions.

According to the guidance the policy must contain in general the following information:

  • main purpose of the policy and definitions used in the policy
  • main rights and obligations of the data operator and data subjects,
  • purposes for personal data processing,
  • legal grounds for personal data processing
  • volume and categories of personal data processed. For each category of data subjects, Roskomnadzor recommends that a company list all the personal data it collects and processes tied to specific purposes and indicate all cases of processing special categories of personal data or biometric data,
  • procedures and conditions for personal data processing,
  • procedures for updating, correcting, deleting, or destroying personal data and
  • procedures for responding to data subjects’ requests.

In addition the guideline regulates the case of sharing personal data with third parties. The data operator has to explain the taken measures to protect personal data and beside the purpose of sharing, the volume of personal data to be transferred, the data use restrictions and security measures. Furthermore the name and the address of the the third party need to be published in the policy.

Finally it shall be mentioned that the guidance is recommendatory nature and non-binding. Nonetheless data operators should strongly take these recommendations into account if they develop new privacy policies to be compliant with the Personal Data Law.

TalkTalk fined by ICO

11. August 2017

According to a Press Release from the Information Commissioner’s Office (“ICO”), the TalkTalk Telecom Group (“TalkTalk”) was fined for violating the UK Data Protection Act. More than 21.000 customers could be the victims of scams and frauds.

As a result of an investigation in 2014, the ICO fined TalkTalk 100.000 GPB by failing to protect customer data. The breach was possible because of a lack of security of a portal holding a huge amount of customer data. One company with access to the portal was Wipro, an IT services company in India. 40 employees of Wipro had access to personal data of between 25.000 to 50.000 customers. During the investigation, three accounts were found that had unauthorized access to this portal. The ICO determined that TalkTalk did not ensure the security of the customer data held in this portal. There were different reasons:

  • The portal was accessible via any device. There was no restriction on which devices the portal can be accessed.
  • The search engine of the portal allowed wildcards searches (with * as a placeholder to get many results).
  • The search engine allowed up to 500 results per search.

The access rights were too wide-ranging regarding the high amount of customer data held by the portal. The ICO fined TalkTalk because it breached one of the principles of the UK Data Protection Act by not implementing enough technical and organizational measures.

Category: Personal Data · UK
Tags: , , ,

Nationwide: multistate data breach investigation settled by paying $ 5.5 million

According to Hunton & Williams, on the 9th of August, Nationwide Mutual Insurance Company (“Nationwide”), agreed to pay $ 5.5 million to settle a data breach investigation by attorneys general from 32 states concerning a data breach that exposed personal data of about 1.2 million individuals. They also published the settlement.

In October 2012, Nationwide and its wholly-owned subsidiary Allied Property & Cansualty Insurance Company (“Allied”) experienced a data breach that led to an unauthorized access to and exfiltration of certain personal data of their customers, as well as other consumers. Since Nationwide and Allied provide customers with insurance quotes, inter alia the following personal data are collected: full name, Social Security number, date of birth or credit-related score.

The attorneys general alleged that the data breach occurred when hackers exploited a vulnerability in the companies’ web application hosting software. Further, it is alleged that, after the data was exfiltrated, Nationwide and Allied applied a software patch, that was not previously applied, to address the vulnerability.

Besides the $ 5.5 million Nationwide and Allied agreed to implement a series of steps to update its security practices. Besides other measures that are listed in the settlement a technology officer shall be appointed that should manage and monitor security and software updates to ensure that future patches and other security updates are applied.

India: Is the “right to privacy” a fundamental human right?

4. August 2017

The Indian Supreme Court has to decide if the “right to privacy” should be considered a fundamental human right.

According to the Wire, a bench of nine justices was set up after several petitions that challenged the constitutional validity of India’s Aadhaar scheme, with some petitioners claiming that the biometric authentication system is a violation of the privacy of Indians. The bench examined over the last two weeks the nature of privacy as a right in context of two earlier judgements. Back in 1954 and 1962 these judgements came to the conclusion that the right to privacy was not a fundamental right. Legal experts expect the judgement in the last week of August.

Times of India reports that the Supreme Court outlined a three-tier graded approach to examine the question whether privacy can be considered as a fundamental right. The Bench therefore configures privacy into three zones. As stated by a justice of the Bench, the first zone could be the most intimate zone concerning for example marriage or sexuality. The state should only intrude this zone under “extraordinary circumstances provided it met stringent norms”.

The second zone would be the private zone. This zone could involve personal data like the use of credit card or the income tax declaration. In this zone, “sharing of personal data by an individual will be used only for the purpose for which it is shared by an individual”, it is further said.

The third zone would be the public zone. This zone should require only minimal regulation. However, that should not mean that the individual would lose the right of privacy, but “retain his privacy to body and mind”.

 

Pages: 1 2 3 4 5 6 7 8 9 10 ... 18 19 20 Next
1 2 3 20