EDPB Publishes Opinions on National DPIA Lists

17. October 2018

Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).

The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.

To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.

France: Intelligence agency officer caught selling sensitive police data

9. October 2018

A massive case of misuse of confidential data from security authority surveillance systems has been uncovered in France. After the French customs tracked down an illegal marketplace called “Black Hand” in June, the investigators also found data that was sold by an anonymous user called “Haurus”. Haurus sold for example confidential documents and information from national police databases.

Meanwhile the investigators gleaned the identity of the hacker with the help of specific codes attached to the data. According to French newspaper “Le Parisien”, Haurus is an officer at the “Direction générale de la sécurité intérieure” (DGSI), a French intelligence agency. The DGSI is normally in charge of counter-terrorism, countering cyber-crime and surveillance of potentially threatening groups and organisations.

According to the reports, the agent offered services in exchange for bitcoin. For example, he advertised to track the location of buyer’s gang rivals or spouses based on the telephone number or he offered to tell them, if the French police tracked them. The investigators believe that he used the resources, which the French police uses to track criminals.

Haurus was arrested at the end of September and faces up to seven years in prison and a fine up to 100.000€.

Category: Cyber security · EU
Tags: ,

Facebook may face up to $1.63 Billion Fine in Europe after Data Breach

2. October 2018

Ireland’s Data Protection Commission, the company’s lead privacy regulator in the EU, could fine Facebook Inc. up to $1.63 billion for a data breach disclosed Friday, reports the Wall Street Journal. Hackers compromised the accounts of at least 50 million users, bypassing security measures and possibly giving them full control of both profiles and linked apps.

The Commission is now requesting more information on the scale and nature of the data breach in order to find out which EU residents could be affected. Facebook announced that it would respond to follow-up questions. The incident results in the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data and is a severe setback to their efforts to regain trust after a series of privacy and security breaches.

The way in which this data breach is handled by data protection authorities could mark one of the first important tests under the GDPR, which came into force in May earlier this year. The handling could provide conclusions regarding the application of breach-notifications and data-security provisions by companies in the future.
The law requires companies to notify data protection authorities of breaches within 72 hours, under threat of a maximum fine of 2% of worldwide revenue. Furthermore, under the GDPR companies that fail to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Taking the larger calculation as a basis Facebook’s maximum fine would be $1.63 billion.

Record fine for Uber

28. September 2018

Due to an initially concealed data breach in 2016, the U.S. company Uber has to pay a fine of €126 million, as the Attorney General Barbara Underwood announced in a statement.

On November 21, 2017, Uber announced that a hacker attack would take place in 2016, in which the hackers would capture approximately 50 million customer data as well as seven million data from Uber drivers. The company paid the hackers blackmail money instead of reporting the data breach (we reported).

Now a settlement was reached between Uber and the relevant US authorities. The settlement includes the highest fine ever imposed, $148 million (€126 million), flanked by further obligations to improve data security.

Category: Data breach · USA
Tags: ,

India publishes draft of a data protection bill

14. September 2018

After the Hon’ble Supreme Court declared in its landmark decision that privacy is a “guaranteed fundamental right”, the Sikrishna Committee drafted a Personal Data Protection Bill, 2018.

In contrast to the terms “data subjects” and “controllers” chosen in the GDPR, the Indian draft designates the individuals whose personal data is processed “data principals” and the organisations responsible for the processing “data fiduciaries”.

With the new data protection bill, data principals have a variety of rights such as rights to access, rectification or the right to be forgotten. In order to ensure data compliance, the concept of an annual data audit, which will be carried out by organisations through independent data auditors, was also introduced. In addition to data fiduciaries who are based in India, the regulations also apply to those who systematically offer goods and services to data principals in India, or those whose work involves profiling of Indian data principals.

The new data protection bill also introduces the figure of the Data Protection Officer (DPO) for India. Organisations must appoint a DPO if they are “significant data fiduciaries”, i.e. if they are involved in high-risk processing activities, or if they are not present in India but covered by the bill. Those organisations shall appoint a DPO who is based in India. In contrast to the GDPR there is however no requirement of the independence of the DPO.

For cross-border data transfers, it is required that at least one copy of personal data is stored on servers or data centres located in India. Data classified as “critical personal data” may only be processed in a server or data centre located in India.

According to the Sikrishna Committee, the draft could be seen as a template for developing countries all over the world.

Category: India · Personal Data
Tags:

Belgium publishes new data protection law

12. September 2018

On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.

After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).

The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.

With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.

Category: Belgium · GDPR
Tags: ,

EU Commission: Draft for adoption of adequacy decision for Japan

6. September 2018

The EU Commission has drafted the adequacy decision for Japan including next steps Japan has to undertake in order to ensure protection for the transfer of personal data from the EU to Japan. This includes additional safeguards Japan should apply, as well as commitments regarding access to personal data by Japanese public authorities.

Japan has committed to implement several safeguards that are necessary for the protection of the transfer of personal data before the actual adoption of the adequacy decision. These include,

  • a set of rules providing additional safeguards for transferred personal data of EU individuals (addressing inter alia the topics protection of sensitive data and the further transfer of personal data from Japan to another third country),
  • safeguards concerning the access to personal data by Japanese public authorities for criminal law enforcement and national security purposes,
  • a complaint-handling mechanism for Europeans regarding the access of Japanese authorities to their personal data.

The Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, said: “We are creating the world’s largest area of safe data flows. Personal data will be able to travel safely between the EU and Japan to the benefit of both our citizens and our economies. Our partnership will promote global standards for data protection and set an example for future partnerships in this key area.”

The next step in the adoption procedure of the adequacy decision is the European Data Protection Board (EDPB), which will be asked for his opinion.

Category: EU · EU Commission · General
Tags: ,

Facebook sues BlackBerry for patent infringement, claiming it stole Voice-Messaging Tech

5. September 2018

On Tuesday, September 5th, Facebook Inc. filed a lawsuit against BlackBerry Ltd., accusing the ladder of patent infringement, the news agency Bloomberg reports.

The complaint of the social media company contains the allegations that BlackBerry has been stealing its voice messaging technology. Furthermore, the accusation includes technology that improves how a mobile device delivers graphics, video and audio and another that centralizes tracking and analysis of GPS data.

According to Facebook a total of six patents are targeted, for which the company intends to claim unspecified damages in San Francisco federal court.

The lawsuit, in turn, follows BlackBerrys’ lawsuit in march, accusing the company of infringement on its mobile messaging tech for its own messenger, as well as its Instagram photo sharing app and WhatsApp messaging service.

Category: General · Instagram · USA
Tags: ,

Singapore: Collecting NRIC numbers will be prohibited for organisations

From September 2019, there will be stricter rules for the protection of personal data in Singapore hence the collection, use and disclosure of NRIC numbers of individuals and making copies of their NRIC cards will be illegal for organisations.

In the past years, it was not unusual for shopping malls and other places to collect the NRIC number of a customer for instance when registering for memberships.

From the unique section of numbers and letters of the Singapore National Registration Identification Card (“NRIC”) an individual can be precisely identified. Therefore, the NRIC number is considered personal data. Besides the number, the physical NRIC card contains the individual’s full name, photograph, thumbprint and residential address.

Apart from the prohibition of collecting, using and disclosing of NRIC numbers it will also be generally forbidden to collect, use or disclose individual’s birth certificate numbers, foreign identification numbers and work permit numbers. Exemptions are regulated in the new PDPC guidance (issued 31 August 2018) and will only apply where it is required by law or when it is necessary to verify an individual’s identity ”to a high degree of fidelity” (e.g. transactions involving healthcare).

If an organisation already collected those data they should proof whether they need to retain the numbers or not. In case they need to keep the data they have to ensure that there is adequate protection or they should anonymise the NRIC. The new regulation does not apply to the government or public agencies or organisations acting on its behalf, but organisations can be fined up to $ 1 million for disobeying the act.

Turkey – Starting dates for registration obligation for processing data has been announced

3. September 2018

The data protection authority in turkey has announced in his decision 2018/88 starting dates to register as a data controller on VERBIS prior to processing personal data, the online registration system VERBIS can be found on the homepage of the Turkish data protection authority. 

Earliest starting date for the registration process will be the 1st of October 2018.

 

Following start dates have been announced

a) 1st of October 2018 – 30th of September 2019, for data controllers that employ more than 50 employees and whose annual financial statement exceeds TRY 25 million

b) 1st of October 2018 – 30th of September 2019, for data controllers established outside of Turkey

c) 1st of January 2019 – 31st of March2019, for data controllers that employ less than 50 employees, whose financial statement does not exceed TRY 25 million, but whose core business includes the processing of sensitive data

d) 1st of April – 30th June, for public institutions and organizations that act as data controllers

 

Data controllers should take the necessary action and register with VERBIS during the applicable period.

Pages: 1 2 3 4 5 6 7 8 9 10 ... 25 26 27 Next
1 2 3 27