CIPL´s certifications

20. April 2017

On 12 April 2017, a discussion paper on Seals, Marks and Certifications under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms has been released by the Centre for Information Policy Leadership (“CIPL”).

It is regarded as a formal input into that process and contains recommendations on GDPR`s provisions on use of certification mechanisms and their development implementation.

Certifications may be profitable for multinational companies as they may facilitate business arrangements with service providers and business partners. Their comprehensive GDPR compliance structure should also be useful for medium-sized and small enterprises. Their potential to create interoperability with other legal regimes can also be used efficiently.

Namely, the Discussion Paper contains the following:

  • Certification is foreseen to be available for service, system, product and particular process or an entire privacy program
  • Certification should be created for the purpose of data transfers (art. 42 (2)(f))
  • Specific GDPR certification sectors may be covered by a sector-specific codes of conduct
  • Certification proliferation should be avoided in order to make it most wanted
  • Certifications should be adaptable to different contexts, affordable and scalable to the different companies sizes
  • Organization`s BCR approvals should be leveraged in order to achieve the certification
  • There should be created a common baseline certification, which may be directly used
  • Baseline certification should differentiate in its application depending on the certification bodes and processes
  • GDPR certification should be consistent with other certification schemes (the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, Japan Privacy Mark, ISO/IEC Standards, and the APEC CBPR)
  • DPAs should affirm certifications as recognized means of GDPRs compliance

Facebook & Instagram improve privacy for user data

10. April 2017

The social networks Facebook and Instagram improve the privacy of their customer data. In the past, a research held by the Civil Liberties Association (ACLU) had revealed data usage by third parties in he Internet analysis company “Geofeedia”, in which the company publicly viewed customer data from Facebook, Instagram and Twitter regarding participation in protest actions, which were evaluated and sold to government agencies. Facebook and Instagram responded by improving the conditions with regard to data usage so that they should be more stringent now. Accordingly, software developers are now expressly forbidden to use data from the networks for monitoring purposes. By the end of 2016 Twitter had already issued appropriate regulations.

Data Protection in the UK after the “Brexit”

4. April 2017

After the Brexit, keeping data by the UK companies and organizations is expected to become more certain locally than globally.

Elizabeth Denham, the UK’s Information Commissioner, recently commented before the House of Lords EU Home Affairs Sub-Committee, that the UK should apply to the European Commission for a full “adequacy” decision in terms of proving the adequate data protection measures as UK will become soon a non-EU country.

British government comments on the free trade deal with these words: “no deal for the UK is better than a bad deal for the UK”.

In the context of Brexit, it is crucial for the industry of the UK to keep the data-flows unhindered though.

British politician David Davis indicates that the UK and EU are now on their way to find and maintain equivalence (and not identity) in their relations (especially when it comes to business) in order to keep up their common interest.

Even though Davis is not using the “adequacy” term in his speech, this is what the UK technology industry is asking for.

Government assures that if no accord in that matter will be reached, there are still many alternatives to adequacy.

Category: UK
Tags: ,

New genetic testing law launch – USA

30. March 2017

The “Süddeutsche Zeitung” has reported that in the US, under the exclusion of the public, a new law on genetic testing was launched. According to this law, workers must submit genetic tests to their employers.
The genetic tests are not based on a voluntary basis, since the company will be allowed to demand genetic tests in the future. Therefore, employees must carry out a genetic test and disclose its results. This can be perceived as a strong intrusion into privacy, since genetic tests should be voluntary and, above all, there shall be no force to publish the results. Likewise according to the European Society of Human Genetics (ESHG).

The law seems to appall not only American geneticists. European scientists also expressed their fears that innovations in the field of bioethics would eventually spread from the USA on Europe, which can lead to the risk of an outreaching intervention into the private sphere of one being. Whether such an action in the European area is actually planned remains not known, however if such a law has to be passed, first the legal review by the supreme courts has to resist. Therefore, it looks like so far there should be nothing to fear about.
Regarding this topic, to prohibit such a genetic testing in the USA, there has already been a law, which was passed in 2008.

However, the interest of companies in such an investigation is undoubted. From then on, companies could get genetic information and therefore decide on the issues regarding their employees. It is clear that a risk-prone employee may be more costly to the company in case of illness. Employers could surely draw logical conclusions out of the results of the tests. These could, for instance, result in a non-renewal or non-adjustment of the employment contract.

One may say that the risk of a disease is not yet a certainty of a real outbreak of the disease. However the concern about the interference in the privacy should still be undoubtedly high.

Category: USA
Tags:

UK government to meet tech giants after Westminster attack

28. March 2017

In consequence of the Westminster Bridge attack in London, Home Secretary Amber Rudd announced that she wants to meet several tech giants in order to make sure law enforcement is able to access encrypted data for terrorism investigation.

The topic came up as the attacker reportedly used the messaging application WhatsApp shortly before his attack began. As WhatsApp uses end-to-end encryption, neither law enforcement nor WhatsApp itself can read messages. The same applies to Apple’s iMessage. While Rudd did not want to make public which tech companies she will meet in detail, Google confirmed that it will be meeting the UK government.

“We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,“ Rudd said. Labour leader Jeremy Corbin, however, stated that law enforcement already had enough powers and that there needed to be a balance between the right to know and the right to privacy.

In the meantime, Microsoft confirmed that it had provided email information relating to the Westminster Bridge attack to the British authorities after it had received lawful orders.

Google – “sharing location” option

24. March 2017

On the 22nd of March 2017 Google Maps, came up with a real time sharing location (the newest “share location” option), which now gives its users an opportunity of sharing their whereabouts with each other. It`s range is said to be from 15 minutes till around three days.

Since now on your friends can follow your location (if you will make it visible for them), for example when you attempt to navigate the city’s bus system or while you are stuck in traffic. Its aim is to make the social life like meetings and hang-outs easier by giving your friend an updated information on your localization.

Furthermore, via this new option, it is also possible to create itineraries, see the most popular local businesses hours, track parking spots or special traffic-destroying events around the area.

All of these facilities have their price to be paid though. Namely, if you will activate this option Google is going to get all the information about your daily habits and rituals (on what you are doing, when, where and which is your favorite coffee shop), which could later be sold for instance to advertisers.

However, Erik Gordon, a student of the University of Michigan’s Ross School of Business´ (entrepreneurship and strategy) says: “If you can couch it in social, it’s your friends that can track you—not that Big Brother can track you, not that an ad server can track you, not that Travis Kalanick can track you”.

Google itself stresses the interface makes it clear that the option to share will be entirely and only in the hands of the individual users when it comes to sharing locations.

Category: Personal Data · USA
Tags:

The highest sanctions in Europe so far imposed by the Italian DPA

16. March 2017

Ultimately, the Italian police department (in cooperation with Garante – Italian data protection authority) has carried out an investigation, which has revealed a violation of a data protection legislation and specific actions aimed at introducing the legal circulation of money onto the Chinese market.

Four agent companies and one multinational have turned out to split money transfers for remaining sub-threshold under this perspective. Under these circumstances an unlawful massive personal data processing of unaware individuals (payments and senders) has been performed. What is more, some of the records were up to be filed by not existing individuals or even deceased. Other records however, were left blank.

Taking into account all of the gathered facts, which actually indicated that personal data were used in order to unlawfully avoid the money laundering provisions, a wide-ranging Italian data protection authority sanctioning initiative has been launched. As a result, Garante has issued the highest fines ever in Europe.

Given the number of violations of data protection provisions, the Garante has set the whole amount of sanctions up to a total sum of almost 11,000,000 euros (850,000; 1,260,000; 1,590,000 1,430,000 euros for the agent companies and 5,880,000 euros for the multinational company).

It is believed that such a strict data protection authorities sanction will encourage individual data controllers and companies to accelerate their compliance with the upcoming GDPR (May 2018).

CIA´s circumvention methods on Wikileaks

10. March 2017

Tuesday, 7th March on Wikileaks there was a release of around 9,000 pages of documents on the U.S. Central Intelligence Agency hacking methods, called “Year Zero”, which revealed CIA´s hardware and software world´s top technology products circumvention methods (including smartphone operating systems exploitation). These methods are believed to allow agents to circumvent encryption apps.

According to a Reuters report U.S. government contractors are suspected by the law enforcement and U.S. intelligence to have likely handed over the information to Wikileaks.

However, after it has already occurred in government contractor employees´ cases (Harold Thomas Martin´s and Edward Snowden´s), sensitive government information leak nowadays remains no wonder anymore.

Google Director, Apple, Microsoft and Samsung believe that they are continuously and accurately looking into any identified vulnerabilities in order to implement necessary protections.

Even though the authenticity of the leaks still awaits the confirmation, the CIA has expressed its concern about the topic.

Open Whisper Systems confirm that there was no Signal protocol encryption break, even though the New York Times originally reported that the CIA could break the encryption of WhatsApp, Signal and Telegram apps.

Category: Cyber security · Encryption · USA
Tags: ,

European Union’s justice commissioner Jourová threatens to suspend Privacy Shield

6. March 2017

Vera Jourová, the European Union’s justice commissioner, is willing to suspend Privacy Shield in case the Trump administration budges from the result of the negotiation between the Obama administration and the European Union.

The Privacy Shield pact was meant to replace the Safe Harbor decision of the European Commission that was overturned in October 2015 by the European Court of Justice (ECJ). The pact’s purpose is to enable the transfer of EU citizens’ personal data to the US while ensuring the protection of those data.

Concerns about the effectiveness of the Privacy Shield came up as President Trump passed an executive order in January 2017 saying “agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

Although the US Department of Justice already affirmed the US’s commitment to the Privacy Shield, Jourová stays sceptical and wants to keep an eye on the US government’s stance. In case EU citizens’ personal data are not safe in the US Jourová will not hesitate to suspend the pact.

Hundreds of thousands of users affected by CloudPets data breach

2. March 2017

Yet another toy maker named Spiral Toys hit the headlines. The company suffered a big data breach with its stuffed animals called CloudPets resulting in the disclosure of 800,000 users’ personal data such as email addresses, passwords, profile pictures and 2 million voice recordings.

Spiral Toys’ CloudPets are able to connect to an app on a smartphone via Bluetooth so that parents can provide the toy with voice messages for their children.

The personal data were stored in an online database without authentication requirements so that hackers could easily access the database. According to Troy Hunt, a web security expert, the passwords were encrypted but Spiral Toys set no requirements for the password strength. That means hackers “could crack a large number of passwords, log on to accounts and pull down the voice recordings”.

Spiral Toys’ Mark Meyers denied that voice records were stolen. Still the company wants to increase the requirements for the password strength after the data breach was made public.

Both the decision of the German Federal Network Agency to take the doll “My friend Cayla” off the market in Germany and the data breach suffered by Spiral Toys, show that the privacy concerns smart toy producers are exposed to, should be taken seriously.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 22 23 24 Next
1 5 6 7 8 9 24