WP29: Guideline for profiling and automated decision-making

19. October 2017

The Article 29 Data Protection Working Party (WP29) adopted a guideline for the automated individual decision-making and profiling which are addressed by the General Data Protection Regulation (GDPR). The GDPR will be applicable from the 25th May 2018. WP29 acknowledges that “profiling and automated decision-making can be useful for individuals and organisations as well as for the economy and society as a whole”. “Increased efficiencies” and “resource savings” are two examples that were named.

However, it was also stated that “profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards”. One risk could be that profiling may “perpetuate existing stereotypes and social segregation”.

The Guideline covers inter alia definitions of profiling and automated decision-making as well as the general approach of the GDPR to these. It is addressed that the GDPR introduces provisions to ensure that the use of profiling and automated decision-making does not have an “unjustified impact on individuals’ rights” and names examples, such as “specific transparency and fairness requirements” and “greater accountability obligations”.

ICO fines bank and ad firm for illegal marketing

13. October 2017

The Information Commissioner’s Office (ICO) has fined Vanquis Bank and advertising firm Xerpla £125,000 in total.

Vanquis Bank had sent over a million spam text messages and spam emails promoting its credit card. As the recipients had not given consent for such messages, Vanquis Bank’s marketing campaign was deemed illegal and a fine of £75,000 was imposed on the Bradford based bank.

Ad firm Xerpla had sent over a million spam emails promoting various products. The ad firm was fined £50,000 for not having the right consent of the recipients as it was not clear and specific enough.

“People need to be properly informed about what they are consenting to. Telling them their details could be passed to ‘similar organisations’ or ‘selected third parties’ cannot be relied upon as specific consent,” ICO Head of Enforcement Steve Eckersley said, adding, “these firms should have taken responsibility for ensuring they had obtained clear and specific consent for the sending of the messages. They didn’t and that is unacceptable.”

Category: UK
Tags: , , , , ,

UK government introduced Data Protection Bill

The UK government introduced the Data Protection Bill to implement the General Data Protection Regulation (GDPR – 2016/679).

The GDPR enters into force on 25th May 2018 in the European Union. After the brexit, until now it was unclear if the UK would implement the GDPR into UK domestic law. The Data Protection Bill implements not only the legal requirements of the GDPR. The Law Enforcement Directive (2016/680) and the standards of the Council of Europe’s draft modernized Convention 108 on processing of personal data carried out by the intelligence services will also be adopted in the new Data Protection Law of the UK.

The new Law will replace the existing UK Data Protection Act 1998.

Currently the bill is at the beginning of the parliamentary process. The first reading in the House of Lords was held on 13th September, the second on 10th October. The bill consist of seven parts and 18 Schedules.

The data flow between European countries and the UK will not cause those problems that caused concerns after the Brexit, because the data protection level in Europe and the UK will be equal.

Irish High Court refers Facebook case to the CJEU

6. October 2017

On October 3rd 2017, the Irish High Court publicised it will refer the Facebook case to the Court of Justice of the European Union (CJEU). The lawsuit is based on a complaint to the Irish Data Protection Commissioner filed by Max Schrems, an Austrian lawyer and privacy activist. Schrems was also involved in the case against Facebook resulting in the CJEU’s landmark decision declaring the Commission’s US Safe Harbour Decision invalid.

In his new complaint, Schrems is challenging the data transfers of Faceook to the US on the basis of the “Model Contracts for the transfer of personal data to third countries”, also known as standard contractual clauses (SCCs). Schrems himself said, “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that.”

In contrast to Schrems, the Irish Data Protection Commissioner challenged the validity of the SCCs in general and not only in matters of Facebook. Due to the importance of the case, the Irish High Court referred it to the CJEU. The CJEU will now have to decide whether data transfers to the US are valid on the basis of the Commission’s Model Contracts. It remains to be seen what the CJEU will decide and if its decision will have an impact on the Privacy Shield framework.

Moscow adds facial recognition to its network of surveillance cameras

2. October 2017

Moscow adds facial recognition to its network of 170.000 surveillance cameras across the city to be able to identify criminals and boost security, Bloomberg reports. The camera surveillance started in 2012. The recordings of the camera surveillance system have been held for five days after they are captured, with an amount of 20 million hours of video material stored at any one time. “We soon found it impossible to process such volumes of data by police officers alone,” Artem Ermolaev, who is Head of the Department of Information Technology in Moscow, said according to Bloomberg. “We needed an artificial intelligence to help find what we are looking for.”, he further said.

A Russian start-up, named N-Tech.Lab Ltd designed the facial recognition technology. The start-up is known for its mobile app FindFace which was released last year. With FindFace it is possible to search for users of the Russian social network VKontakte by making a picture of a person’s face and match it against the user profiles of VKontakte.

However, due to high costs the face recognition technology should not be deployed to every camera and therefore only be installed selectively within specific districts where it is needed the most. To maintain the camera surveillance, the Moscow government already should spend about $ 86 million a year and this amount would triple if every camera would use the new facial recognition technology.

The new technology is used to cross-reference images captured by the cameras with those from the Interior Ministry’s database.

Measures to strengthen the EU cybersecurity published

27. September 2017

On September 13, 2017 a joint communication to the European Parliament and the Council of the European Union on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” was published. This should strengthen the EU regarding the response of cyber attacks.

The joint communication includes:

  • Greater EU resilience to cyber attacks
  • Better detect cyber attacks
  • Strengthen international cooperation on cybersecurity

and is part of a package of EU documents.

Spain imposes fine against Facebook

13. September 2017

The Spanish Data Protection Authority imposes a fine of €1,2m against Facebook. The social media network collects Personal Data of the users without a permission for this.

The responsible Data Protection Authority considers that Facebook collects personal information like gender, religious attitudes, personal preferences and personal beliefs without informing the persons concerned about the concrete use of this data.

The Data Protection Authority criticizes the unclear wording of Facebooks privacy policy. Moreover Facebook uses the personal data for advertising purposes without a permission. This constitutes a breach against Spanish Data Protection law.

Furthermore Facebook recognizes as well third party pages the user is referred if he clicks on links and illegally tracks visitors who are not Facebook users.

Finally is criticized that Facebook does not remove data, if a user unsubscribe the network. The collected information is stored for month even if the user terminates its account.

Not only Spain started an investigation against Facebook and imposes a fine as well as Spain also Belgium, France, Germany and the Netherlands are investigating against Facebook due to breaches against the local Data Protection law.

Credit Bureau Equifax has been hacked

11. September 2017

The consumer credit reporting agency Equifax has been hacked in the middle of May. The operators have noticed the breach much later, on 29th July. The public has learned about the breach just last week on Thursday, 7th September.

The breach potentially affects the sensitive data of approximately 143 million consumers. Data concerned are the consumer’s name, social security numbers, birth dates, addresses and in some cases driver’s license numbers. As well as credit card numbers for 209.000 U.S. consumers and other dispute documents that contained identifying information for 182.000 consumers.

Not only the US is concerned. A hired third-party cybersecurity company also found some residents of the U.K. and Canada.

The Equifax Chairman and CEO Rick Smith announced steps Equifax is taking at the moment to respond on the breach and is working with authorities.

Category: Data breach · General · USA

New Zealand: Police uses backdoor in law to gather private data

5. September 2017

According to the New Zealand Council of Civil Liberties, in several cases private data was handed over by banks to the police, after the police requested these data from them. It is further explained that the police used forms that looked official, instead of applying to a judge for a search warrant or examination. The police should neither have an oversight, nor a register which tracks the amount of filed requests.

The Police and banks rely on a legal loophole in the Privacy Act that allows organisations to reveal information about persons in order “to avoid prejudice to the maintenance of the law”. The Privacy Commissioner John Edwards is willing to end the further use of this backdoor. Referring to the case of handing over the private information of activist and journalist Martyn Bradbury, he said:

“…we concluded that Police had collected this information in an unlawful way by asking for such sensitive information without first putting the matter before a judicial officer. Our view is that this was a breach of Principle 4 of the Privacy Act, which forbids agencies from collecting information in an unfair, unreasonable or unlawful way.”

New Data Protection Act in Austria

31. August 2017

In regards to the General Data Protection Regulation (GDPR), coming into force on 25th May 2018, the Austrian Parliament has passed the new Data Protection Act.

The GDPR is directly applicable which means that the GDPR will regulate the data protection within the European Union, without the need for any transposing act of the member states. Nevertheless the GDPR contains a certain amount of opening clauses. Opening clauses enable the countries to complete the law. Moreover, in some cases, the member states are obliged to provide specifications. Because of this reasons the member states have to revise the existing Data Protection Law. The first country with renewed law was Germany and now Austria follows.

The first draft of the new act was published on 12th May 2017. After evaluating the results of the consultation the new Data Protection Act was published in the federal law gazette on 31st July 2017.

It is noticeable that the Austrian parliament has been reticent with deviations from the GDPR which benefits the harmonization of data protection within the European Union.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 21 22 23 Next
1 2 3 4 5 23