Category: General

EU Commission: Draft for adoption of adequacy decision for Japan

6. September 2018

The EU Commission has drafted the adequacy decision for Japan including next steps Japan has to undertake in order to ensure protection for the transfer of personal data from the EU to Japan. This includes additional safeguards Japan should apply, as well as commitments regarding access to personal data by Japanese public authorities.

Japan has committed to implement several safeguards that are necessary for the protection of the transfer of personal data before the actual adoption of the adequacy decision. These include:

  • a set of rules providing additional safeguards for transferred personal data of EU individuals (addressing inter alia the topics protection of sensitive data and the further transfer of personal data from Japan to another third country),
  • safeguards concerning the access to personal data by Japanese public authorities for criminal law enforcement and national security purposes,
  • a complaint-handling mechanism for Europeans regarding the access of Japanese authorities to their personal data.

The Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, said: “We are creating the world’s largest area of safe data flows. Personal data will be able to travel safely between the EU and Japan to the benefit of both our citizens and our economies. Our partnership will promote global standards for data protection and set an example for future partnerships in this key area.”

The next step in the adoption procedure of the adequacy decision is to ask the European Data Protection Board (EDPB) for its opinion.

Category: EU · EU Commission · General

Facebook sues BlackBerry for patent infringement, claiming it stole Voice-Messaging Tech

5. September 2018

On Tuesday, September 5th, Facebook Inc. filed a lawsuit against BlackBerry Ltd., accusing the latter of patent infringement, the news agency Bloomberg reports.

The complaint of the social media company contains the allegations that BlackBerry has been stealing its voice messaging technology. Furthermore, the accusation includes technology that improves how a mobile device delivers graphics, video and audio and another that centralizes tracking and analysis of GPS data.

According to Facebook a total of six patents are targeted, for which the company intends to claim unspecified damages in San Francisco federal court.

The lawsuit, in turn, follows BlackBerry’s lawsuit in March, accusing the company of infringement on its mobile messaging tech for its own messenger, as well as its Instagram photo sharing app and WhatsApp messaging service.

Category: General · Instagram · USA

EU Commission: Using Personal Data In Political Campaigns

29. August 2018

Following the Facebook-Cambridge Analytica case, the EU Commission intends to prohibit the misuse of collected voter data to influence elections. As the Irish Times reports, the EU Commission is drafting an amendment to existing party funding rules prohibiting parties from profiting from data collections of the kind alleged against Cambridge Analytica.

Cambridge Analytica has been accused of obtaining information of millions of Facebook users without the data subjects’ consent by using a personality-analysis app during Donald Trump’s presidential campaign.

Sanctions are expected to amount to approximately 5 percent of the annual budget of a political party. An official said “it is meant to ensure that something like Cambridge Analytica can never happen in the EU”.

Considering the upcoming election of the European Parliament in May 2019, the EU Commission is to recommend or impose various measures for the member states to follow in order to prevent misuse of voters’ personal data or the online manipulation of voters. While it intends to recommend that governments watch over and clamp down on groups sending personalized political messages to users of social media without their consent, the member states shall also tighten the transparency requirements for political advertising at national level by amending national law.

Last month, Vera Jourova, EU justice commissioner, said: “voters and citizens should always understand – when something is an online campaign – who runs the campaign, who pays for it and what they want to achieve.”

However, she also made clear that the EU will respect free expression and that the EU is not going to regulate online activities of political parties. “The internet is a zone for free expression. Everybody can be a journalist or an influencer, and these are the things that we don’t want to touch”, she stated.

Luxembourg publishes two new Data Protection Laws

24. August 2018

On August 1st, 2018 the Luxembourg government adopted two new data protection laws implementing certain parts of the General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) and repealing the former data protection law of 2002. Draft Bill Number 7184 and 7168 were adopted and complement the GDPR, which has been in force since 25 May 2018 throughout the European Union.

The newly implemented laws don’t add any further restrictions to the processing of personal data, but rather serve as implementing provisions required under GDPR.

The new Luxembourg Data Protection Law defines the organisation, missions and competence of the Luxembourg data protection authority (Commission nationale pour la protection des données – CNPD) and provides specific requirements or exceptions. The CNPD has been granted broad investigation powers. For example, the CNPD receives the right to obtain access from any controller or processor to all personal data and information necessary to verify compliance under GDPR. The CNPD is also in charge of issuing warnings, orders and fines to any controller or processor who is not compliant with the provisions of the GDPR.

The second new law, the Luxembourg Law on Criminal Data Processing specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security.

The two laws should be read together, as they jointly extend the competences of the CNPD.

With the new laws, Luxembourg companies are relieved of the administrative burden of actively notifying the CNPD before processing personal data. However, companies should be ready to be inspected by the local regulator, and they are therefore obliged to keep a record of the processing of personal data that is carried out under their responsibility.

The final versions were published on August 16th, 2018 in the Official Gazette of Luxembourg.

Database operators in Sweden exempt from GDPR

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by such operators.

It is expected that the relevant laws will be amended in the first half of 2019.

Brazilian General Data Protection Law

17. August 2018

On August 14th, a new data protection law, named the Brazilian General Data Protection Law (LGPD), was passed in Brazil. The law will come into effect in early 2020.

The new legal framework deals with personal data in Brazil, both online and offline as well as in the private and public sectors. Until now, the country has had more than 40 legal norms at the federal level, which are now replaced and/or supplemented.

The new law aims to help Brazil enter the roll of more than 120 countries that today may be considered to have an adequate level of protection of privacy and the use of personal data, so that Brazil can compete on the global market.

As a next step, a DPA will be created as an independent public authority responsible for the supervision and enforcement of the law. The authority is able to establish guidelines for the promotion of protection of personal data in Brazil.

Apple’s Taiwanese key chip supplier TSMC was struck by a virus

7. August 2018

Taiwan Semiconductor Manufacturing Co Ltd (TSMC), the largest contract chipmaker worldwide and one of Apple’s key suppliers, has warned of a 150 million EURO hit to revenue and delays to shipments after its factories were hit with a computer virus targeting Windows computers.

TSMC, which supplies the majority of the processors for Apple’s iPads and iPhones (iPhone 8 and X), claims that parts of its production facilities in Taiwan were forced to resume production after the outbreak of a virus last Friday night.

The virus is a variation of WannaCry. The ransomware attack was aimed at computers running Microsoft Windows and threatened to erase files unless the attackers were paid in the cryptocurrency Bitcoin.

According to the company, 80% of its affected computers had been fixed on Sunday and neither its client information nor its data manufacturing base were implicated.
Since the manufacturer does not work exclusively for Apple, it also fabricates chips for many other companies, which have also been notified. TSMC stated that it would have to delay shipments of chips to some customers. This would decrease its third quarter revenue by up to 2%, which is equivalent to 150 million EURO.

Category: Cyber security · General

Data of patients disclosed in Singapore’s largest data breach in history

30. July 2018

A cyberattack has impacted the data of 1.5 million patients of SingHealth clinics: name, ID card number, address, gender, race and date of birth were stolen, as reported by ARN Net.

Due to “operational security reasons”, the authorities haven’t disclosed the identity of those responsible for the attack.

Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”

The report further states that all patients, whether or not they were affected, will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

According to Channel Asia, the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, through which the attackers obtained privileged account credentials to gain access to the database.

It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all patient records in SingHealth’s IT system remain intact.

Several IT security measures have been taken, such as controls on workstations and servers, resetting of user and system accounts and installation of additional system monitoring controls.

New Zealand: Privacy after death does matter

27. July 2018

Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.

However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.

For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.

Consequently, there will be situations that contain mixed information on both the deceased and the requestor.

The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.

Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.

The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”

Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.

One year after the massive data breach at Equifax

Last year at this time, the credit bureau Equifax was hacked and the sensitive data of approximately 143 million consumers was affected.

The data breach is considered to be the worst data breach in US history, according to the scale and the nature of the information exposed. Hackers entered the system and stole data such as consumers’ names, social security numbers, birth dates, addresses and in some cases also driver’s license numbers, as well as credit card numbers.

After the data breach, it had to be determined that the company was not prepared for such an event; measures had to be taken. So what happened during the past year?

Equifax has remained fairly quiet amidst class action suits, congressional scrutiny, a Federal Trade Commission probe, and a wave of new state regulations designed to ensure that Equifax substantially improves its security defenses. Among other things, in February a new Chief Information Security Officer, Jamil Farshchi, was hired. Farshchi had managed information security at high-stakes companies and cleaned up data breaches before. Furthermore, Equifax invested $200 million in data security infrastructure.

So the transformation is in process to create a world-class security program at Equifax.
