Category: General

French Data Protection Authority launches a public consultation on future standards – Data Processing for Managing Business Activities and Unpaid Invoices

12. December 2018

Due to the GDPR and the new French data protection law (“loi Informatique et Libertés”), the French Data Protection Authority (“CNIL”) launched two draft standards (in French: référentiels) on November 29, 2018. One o these CNIL’s draft standards deals with the processing of personal data to manage business activities, the other with unpaid invoices.

Until January 11, 2019 the possibility to consult the CNIL on the two draft Referentials will be open to the public. According to the CNIL, the draft standards will afterwards be adopted by the CNIL in plenary session.

CNIL’s Draft Referential on Data Processing for Managing Business Activities represents an update to the CNIL’s Simplified Norm No. 48 on the management of customers and prospective customers. It provides a framework for the implementation of “customer” and “prospect” files. The Draft Referential is applicable to data processing activities carried out by any data controller, except the following: health or educational institutions, banking or similar institutions, insurance companies and operators subject to approval by the French Online Gambling Regulatory Authority.

CNIL’s second draft (Draft Referential on Data Processing for Managing Unpaid Invoices) intends to provide a framework regarding the processing of personal data for managing unpaid invoices by private or public law entities. It does not apply to the processing of customer data for detecting risks of non-payment, or to identify other infringements (such as incivilities shown by customers).

Adherence to these two standards will ensure that the processing of unpaid invoices and business activities comply with current data protection principles.

Category: French DPA · GDPR · General

Electronic receipts sent by leading retailers may not comply with data protection rules

After investigating several large retailers the consumer body Which? claims that many retailers in the UK include in their e-receipt marketing messages.

A lot of retailers offer the possibility to send digital receipts instead of paper receipts to the shoppers. However, it should be noted that when the General Data Protection Regulation (GDPR) came into force on May 25th earlier this year, the regulations concerning this area were tightened.

Retailers are not allowed to send direct marketing to new customers by email unless the recipient has consented to receive it. Shoppers must be given the opportunity to opt out in case the retailer asks for their email address at the point of sale with the intention to afterwards send marketing information.

According to Which? the following companies were visited at least three times by “mystery shoppers” to test if they send out unwanted marketing information in their e-receipts: Topshop, Dorothy Perkins, Nike, Clarks, New Look, Arcadia Group (Miss Selfridge, Outfit, Burton), Gap, Mothercare, Halfords, Currys PC World and Schuh. The “mystery shoppers” requested an electronic receipt without receiving any additional marketing.

The retailers dealt with this situation differently. One shop apparently sent a marketing email with the e-receipt as an attachment, while others included prompts to sign up for a newsletter or invitations to complete a survey in return for money off a future purchase. The concern is that consumers might be “bombarded” with unwanted marketing messages.

ICO fines companies for not paying the data protection fee

4. December 2018

The UK’s Information Commissioner’s Office (ICO) fines the first companies for not paying the data protection fee. Unless they are exempt, all organisations, companies and sole traders who process personal data have to pay an annual data protection fee.

Depending on their maximum turnover, number of employees and whether they are a charity or public authority, the fee varies from £40 to £2,900. Whereas the fine for not paying varies from £400 to £4,000. The fines recovered go to the Treasury’s Consolidated Fund. The regulations came into force together with the new Data Protection Act on 25 May 2018.

“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action. (…) You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO”, said Paul Arnold, Deputy Chief Executive Officer at the ICO.

More than 900 fine notices have been issued by the ICO since September and more are set to follow. Companies can check if their fee is due to renewal on the ICO’s website.

Category: General · UK
Tags: ,

LinkedIn processed 18 million non-user email addresses to target Facebook advertisings

28. November 2018

The business and employment-oriented service LinkedIn processed the email addresses of 18 million non-members and targeted them with advertising on Facebook without permission.

A non-LinkedIn user issued a complaint to the Data Protection Commission that their email address had been obtained and used by the organisation for the purposes of targeted advertising on Facebook. Within Ireland’s Data Protection Commission the concerns grew regarding LinkedIn’s processing of personal data of non-users. Therefore, the office conducted an audit of the multinational LinkedIn Ireland, home to the company’s EU headquarters, and stated that it used million of e-mail addresses of non-users.

Also involved is LinkedIn Corp in the US, which processes data on behalf of LinkedIn Ireland. They targeted – by means of 18 million addresses – the individuals in Facebook. According to the commissioner’s annual report LinkedIn in the US carried out the processing in the absence of instructions from LinkedIn in Ireland (the controller). Said annual report covers the period from January 1st to May 24th 2018. Then the old office of the Data Protection Commissioner ceased to exist due to the General Data Protection Regulation. The new Data Protection Commission came into existence on May 25th 2018.

Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future

23. November 2018

Last week the U.K. and EU could conclude a draft withdrawal agreement for the United Kingdom to leave the European Union on 30th March 2019.The agreement covers the “divorce” of both of them and a non-binding political statement concerning their ideas for the future relations. The declaration is referring to a commitment regarding an ambitious free trade agreement, containing areas including financial services, continued free flow of data, and other subjects relating to the EU such as defense matters have been picked up.

After the U.K. will have left the EU in March 2019 a 21-month transition period is planned in order to facilitating business sectors in their planning. Thus, at least until the beginning of 2021, EU regulations would remain effective keeping the U.K. in the single market and Customs Union. However, this time frame could also be extended by common agreement.

With regard to data protection, the withdrawal agreement directly addresses data protection and security issues in Articles 70 to 74. These provisions stipulate that EU data protection rules, including the GDPR, shall apply in the U.K. when using personal data of data subjects outside the United Kingdom exchanged before the end of the transition period. Furthermore, after the end of the transition period, the U.K. is obliged to further apply these EU rules to the processing of “EU personal data”, until the U.K. data protection laws to be enacted ensure an adequate level of data protection which is “essentially equivalent” to that of the EU.  In the process of becoming subject to this formal adequacy decision to be established by the EU Commission the U.K.’s applicable data protection regime has to be assessed in the first place. In the event of annulling or repealing the adequacy decision, the provisions of the withdrawal agreement would be relevant for the EU personal data transferred to the U.K. to ensure the same “essentially equivalent” standard of data protection directly.

In other words, under the concluded agreement, the GDPR as well as the corresponding Data Protection Act would remain the applicable data protection law in the U.K. for the foreseeable future.

Apple, Google and Co. endorse a more GDPR-like U.S. federal privacy law

6. November 2018

At the 4oth International Conference of Data Protection and Privacy Commissioners (ICDPPC) Apple CEO Tim Cook and other prominent representatives of leading tech companies, all expressed their endorsement of a more GDPR-like privacy legislation around the globe and particularly the US. The ICDPPC takes place in Brussels once a year and apart from independent data protection authorities as accredited members, the attendees include representatives of states without independent data protection supervisory bodies, international organisations, non-governmental organisations as well as representatives from science and industry.

On this platform, Cook strongly supported the idea of introducing similar data protection standards to those of the GDPR in the US and encouraged his fellow tech companies to do so as well. The Apple CEO warned of a danger of a “data industrial complex”, where information about individuals is being weaponized against humanity “with military efficiency”. Cook pointed out that scraps of personal data are “carefully assembled, synthesized, traded and sold” creating an “enduring digital profile which lets companies know individuals better than they may know themselves”, since businesses would use these information to make billions and billions of dollars. As this would end up in surveillance while those stockpiles of data only serve to enrich companies, he ensures Apple’s “full support of a comprehensive federal privacy law in the United States”.

Without mentioning them, the Apple CEO refers in particular to the data giants Google and Facebook by emphasizing their responsibility of creating adequate data protection standards. Both of them have been in the focus of a global discussion on whether they provide their users with adequate privacy settings. However, Facebook’s CPO Erin Egan replied, unequivocally, “yes”, when she was asked whether she would support a GDPR-like data protection law in the U.S. as well as Google General Counsel Kent Walker said, “we’ve been on record for some time calling for comprehensive privacy legislation in the past years” when he was asked about Google’s position on a U.S. federal privacy bill. Walker also pointed to Google’s recent release of principles it supports as part of a federal bill.

Last but not least, Microsoft Corporate Vice President and Deputy General Counsel Julie Brill eventually stated that Microsoft has extended many of the GDPR’s protection measures to their entire customer base and has been a supporter of a U.S. federal privacy bill since 2005. In particular, Brill endorsed a “strong, robust, and horizontally effective baseline privacy legislation.” She further ensured that at Microsoft people are using their voice as strongly as they could to encourage that to take place.

Bearing in mind the data scandals around – in particular – Google and Facebook, and the rather low data protection standards in the U.S., it seems that at least four representatives of the top seven tech companies in the world endorse a new U.S. federal privacy bill and will encourage in supporting an adequate privacy standard around the globe. Regarding the actual stance of the Trump administration, FTC Commissioner and recent Trump appointee Noah Phillips, gave an indication about how this subject will be treated. According to his personal opinion, such a regulation should be done “only if necessary and then very carefully.” Being asked whether the U.S. has the right laws in place to regulate technology appropriately, or whether there were any gaps, he replied, “that is a big question we are debating right now in the United States.”

Facebook: private messages from more than 81.000 people for sale

5. November 2018

According to a BBC report, more than 81.000 Facebook profiles were hacked. Private messages and other information was offered for 10 cents per account.

The BBC had the allegations checked by the IT security company Digital Shadows, who confirmed that over 81.000 of the profiles posted online contained private messenger messages. Furthermore, data from more than 176.000 accounts, including e-mail addresses and telephone numbers were available. This information did not necessarily have to come from a hack, as some of it was also open on public Facebook profiles

The BBC Russian Service also emailed the address that offered the data. The respondent – someone called “John Smith”- wrote that the offered data was neither from profiles involved in the Cambridge Analytica scandal nor of the recent security breach revealed in September. He said that his hacker group could offer data from 20 million users, of whom 2.7 million were Russians. But Digital Shadows doubts this because Facebook should have noticed such a big leak.

Facebook reported that its security has not been compromised. The data might be obtained through malicious browser extensions. According to Facebook executive Guy Rosen, they “have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores”.

 

EDPB Publishes Opinions on National DPIA Lists

17. October 2018

Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).

The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.

To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.

Facebook may face up to $1.63 Billion Fine in Europe after Data Breach

2. October 2018

Ireland’s Data Protection Commission, the company’s lead privacy regulator in the EU, could fine Facebook Inc. up to $1.63 billion for a data breach disclosed Friday, reports the Wall Street Journal. Hackers compromised the accounts of at least 50 million users, bypassing security measures and possibly giving them full control of both profiles and linked apps.

The Commission is now requesting more information on the scale and nature of the data breach in order to find out which EU residents could be affected. Facebook announced that it would respond to follow-up questions. The incident results in the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data and is a severe setback to their efforts to regain trust after a series of privacy and security breaches.

The way in which this data breach is handled by data protection authorities could mark one of the first important tests under the GDPR, which came into force in May earlier this year. The handling could provide conclusions regarding the application of breach-notifications and data-security provisions by companies in the future.
The law requires companies to notify data protection authorities of breaches within 72 hours, under threat of a maximum fine of 2% of worldwide revenue. Furthermore, under the GDPR companies that fail to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Taking the larger calculation as a basis Facebook’s maximum fine would be $1.63 billion.

Pages: 1 2 3 4 5 6 7 8 Next
1 2 3 8