Category: Countries

The ICO intends to fine Facebook a maximum of £500.000

12. July 2018

The British Information Commissioner’s Office (ICO) intends to fine Facebook a maximum of £500,000 after investigating the Facebook/Cambridge Analytica case. Back then, the Investigation started because of allegations that information of about 50 million Facebook users were obtained by Cambridge Analytica without the data subject’s consents by the use of a personality-analysis app. Present estimate suggest that about 87 million users were affected, as the ICO reports.

As stated by the ICO, it intends to fine Facebook for two breaches of the Data Protection Act 1998. It is further said, that Facebook should have contravened the law by failing to safeguard people’s information and failing to be transparent regarding the harvesting of people’s data by others. Facebook, however, will have the possibility to respond to the Notice of Intent. Afterwards a final decision will be made.

Unlike the much higher fees (up to €20 million or 4% of their global annual turnover, whichever is higher) that might be imposed under the General Data Protection Regulation (GDPR), depending on the individual case, £ 500.000 is the maximum possible under the British Data Protection Act 1998. The reason that the Data Protection Act 1998 and not the General Data Protection Regulation was applicable is the time of the events, since they happened before the 25th May 2018, which was the time the General Data Protection Regulation became directly applicable in all member states.

Category: EU · USA
Tags: ,

EU Adequacy Approach for Japan and South Korea

29. June 2018

These days the European Commission is focussing on talks with Japan and the Republic of Korea in order to advance the process towards mutual adequacy findings. Therefore,  the European Justice Commissioner Vera Jourová recently visited Japan’s Justice Minister, Yōko Kamikawa, and Commissioner of the Personal Information Protection, Haruhi Kumazawa, along with Korean Chairman of the Communications Commission Lee Hyo-seong to make progress on the approached adequacy deals. The engagement of all parties in allowing the free flow of personal data between the EU and Japan as well as the EU and South Korea started in 2017 by discussing to reaching an “adequacy decision“.

At the meeting in Tokyo, the two parties “took note of the significant progress achieved in the past month” referring, “in particular, [to] the agreement on solutions to bridging relevant differences between the two systems such as the Supplementary Rules, to be adopted by the Personal Information Protection Commission (PPC) following the public comment procedures, coupled with the Basic Policy on the Protection of Personal Information (Cabinet decision).” In addition, “they affirmed that the Personal Information Protection Commission and the European Commission will continue to consult each other with a view to finding mutually acceptable solutions whenever there is a need for cooperation with respect to personal data based on the framework for mutual and smooth transfer of personal data between Japan and the EU.”

In Seoul, Chairman Lee Hyo-seong and Commissioner Vera Jourová also held a very productive meeting, and “took note of the significant progress made since Korea submitted its request for partial adequacy and agreed that the two parties share very similar values with respect to human rights, with both sides recognising personal data protection as a fundamental right.” Furthermore, “they agreed to intensify their efforts to accelerate the pace of discussion.” The adequacy talks are very likely to be finalized in 2018, especially considering the fact that there are many similarities of South Korea’s “Personal Information Protection Act”  with the GDPR. However, concerning a final decision on the adequacy, another meeting in Brussels is planned later this year.

Currently the European Commission has recognised 12 countries for being able to ensure an adequate level of data protection, including Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

The US Senate votes in favor of restoring Net Neutrality rules

17. May 2018

On June 11, anti-net-neutrality is set to take effect in the USA. In a resolution, the Senate has now declared itself in favour of its preservation. The U.S. Senate on Wednesday voted narrowly (52 to 47) to reverse the Federal Communications Commission (FCC) decision in December 2017 to repeal net neutrality rules. Three Republicans voted with all 47 Democrats and two Democratic-leaning senators to back the measure.

The FCC resolution is under the rarely used Congressional Review Act. It is a law that allows Congress, with a simple-majority vote in both houses, to repeal new regulations by federal agencies within 60 legislative days of implementation. Despite the Senate’s passing of the resolution, the measure is unlikely to be approved by the House of Representatives because at least two dozen Republicans must vote against the party line.

Net neutrality is the concept that internet service providers (or governments) treat all data on the internet the same regardless of content, user, platform, application or device. Network neutrality prevents all internet service providers from slowing down connections for people attempting to access certain sites, apps and services, and blocking legal content.

Category: General · USA
Tags:

United States vs. Microsoft II

4. April 2018

In the USA, the “Cloud Act” (Clarifying Lawful Overseas Use of Data Act) came into force a few days ago with the signature of President Trump.

The Cloud Act stipulates that US investigators should have access to personal data located on servers outside the USA. To this end, bilateral agreements may be concluded authorizing investigators to contact the cloud provider directly.

As part of this, the US Department of Justice filed an application with the US Supreme Court to declare United States of America vs. Microsoft Corporation (New York Search Warrant Case) closed. The case dates from 2013 and has been highly controversial ever since.

The question is whether Microsoft must disclose personal data stored outside the US, here on servers in Ireland, to US authorities. The basis for this was a search warrant issued by a federal district court in New York, which was intended to oblige Microsoft to hand the data over. Microsoft complained about this. A ruling was actually expected in June of this year, but now the matter could be filed before a decision is taken.

Noel J. Francisco, the US government’s chief litigant, filed a petition with the Supreme Court, citing the Cloud Act, arguing that the Microsoft-US dispute is over and no longer needs to be heard. A new search warrant based on the Cloud Act has already been sent to Microsoft.

United States vs. Microsoft

28. February 2018

The United States Supreme Court (SCOTUS) heared yesterday the arguments in the case United States vs. Microsoft.

The dispute betwenn the US government and Microsoft has spanned several years, since 2013, and has major implications for the privacy profession.

Issue is, that the U.S. can compel Microsoft to turn over data stored on a server outside the United States. Basis of the the obligation is a warrant issued by a US court under the Stored Communications Act. Microsoft should turn over emails of a customer stored on Microsoft servers, both in the US and in Ireland. Microsoft handed out the data stored in the US, but reject to turn over the data stored in Ireland. Basis for the rejection is, according to the position of Microsoft, that a Irish court is responsible and not a US court, due to the Stored Communications Act cannot reach outside of the territorial jurisdiction of the US. The US position, adopted by the magistrate judge and district court is, that because Microsoft is a US company, and fully capable of accessing the information described in the warrant, the warrant is a valid exercise of wholly domestic power.

A judgement could be made in June.

United Kingdom become a third country after Brexit

29. January 2018

Withdrawal of the United Kingdom from the Union and EU leads to United Kingdom become a third country.

The European Commission annouced, that on 30.03.2019, 00:00h (CET) the United Kingdom will no longer be member of the Union and EU, all Union and secondary law will cease to apply.

That means, tat all stakeholders processing personal data need to consider the legal repercussions of Brexit, beacuse as of the withdrawal date, the EU rules for transfer personal data to third countries apply. GDPR allows a transfer if the controller or processor provides appropriate safeguards.

Safeguards may be provided by:

  • Sandarad data protection clauses (SCC)
  • Binding corporate rules (BCR)
    • legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
  • Condes of Conduct
    • Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
  • Certification mechanisms
    • Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country

Besides a transfer may take place based on consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest.

These procedures are already well-known to business operators beacuse they are uses today for the transfer of personal data to non EU-countries like the USA, Russia or China.

The decision is disappointing for everyone who were hoping for an adequate level of data protection in the United Kingdom.

Stakeholders should prepare for the requirements associated with recognition as a third country.

Category: EU Commission · European Union · GDPR · UK
Tags:

Will Visa Applicants for the USA have to reveal their Social Media Identities in future?

11. January 2018

The U.S. Department of State is aiming for Visa applicants to answer supplemental questions, including information about social media. A 30-Day notice has been published in November in order to gather opinions from all interested individuals and organizations. The goal is to establish a legal basis for the “proper collection of all information necessary to rigorously evaluate all grounds of inadmissibility or deportability, or grounds for the denial of other immigration benefits”.

In concrete terms, applicants are supposed to reveal their social media identifiers used during the last five years. The State Department stresses the fact that “the collection of social media platforms and identifiers will not be used to deny visas based on applicants’ race, religion, ethnicity, national origin, political views, gender, or sexual orientation.”

Meanwhile, the Electronic Privacy Information Center (EPIC) has submitted its comments asking for withdrawal of the proposal to collect social media identifiers and for review of the appropriateness of using social media to make visa determinations.

EPIC not only critizes the lack of transparency as it is “not clear how the State Department intends to use the social media identifiers” and further continues that “the benefits for national security” don’t seem precise. The organization also expresses concerns because the collection of these data enable enhanced profiling and tracking of individuals as well as large scale surveillance of innocent people, maybe even leading to secret profiles.

It remains to be seen how the situation develops and how the public opinion influences the outcome.

Cancer Care Organization settles for 2.3 Mio $ after Data Breach

22. December 2017

In 2015, a data breach occurred at 21st Century Oncology  (21stCO), one of the leading providers of cancer care services in the USA, potentially affecting names, social security numbers, medical diagnoses and health insurance information of at least 2.2 million patients.

On its website, the provider had announced in 2016 that one of its databases was inappropriately accessed by an unauthorized third party, though an FBI investigation had already detected an attack as early as October 2015. The FBI, however, requested 21stCO to delay the notification because of ongoing federal investigations.

21stCO had then stated that ““we continue to work closely with the FBI on its investigation of the intrusion into our system” and “in addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.” To make amends for the security gap patients had been offered one year of free credit monitoring services.

Nevertheless, the provider now has to pay a fine worth 2.3 million dollars as settled with the Office for Civil Rights (OCR; part of the U.S. Department of Health and Human Services).

It has been accused of not implementing appropriate security measures and procedures to regularly review information system activity such as access or security incident reports, despite the disclosure by the FBI.

The OCR further stated that “the organization also disclosed protected health information to its business associates without having a proper business associate agreement in place”.

The settlement additionally requires 21stCO to set up a corrective action plan including the appointment of a compliance representative, completion of risk analysis and management, revision of cybersecurity policies, an internal breach reporting plan and overall in-depth IT-security. The organization will, in addition, need to maintain all relevant documents and records for six years, so the OCR can inspect and copy the documents if necessary.

Following the settlement, District Attorney Stephen Muldrow stated “we appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures.”

New and surprising password guidelines released by NIST

21. December 2017

The National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce that promotes innovation and industrial competitiveness often by recommending best practices in matters of security, has released its Digital Identity Guidelines uttering advice for user password management.

Considering that Bill Burr, the pioneer of password management, has admitted regretting his recommendations in a publication back in 2003, the NIST is taking appropriate action by revising wide-spread practices.

For over a decade, people were encouraged to create complex passwords with capital letters, numbers and „obscure“ characters – along with frequent changes.

Research has now shown that these requirements don’t necessarily improve the level of security, but instead might even make it easier for hackers to crack the code as people tend to make minor changes when they have to change their already complex password – usually pressed for time.

This is why the NIST is now recommending to let go of periodic password change requirements alongside of algorithmic complexity.

Rather than holding on to these practices, the experts emphasize the importance of password length. The NIST states, that „password length has been found to be a primary factor in characterizing password strength. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.“

It takes years for computers to figure out passwords with 20 or more characters as long as the password is not commonly used.

The NIST advises to screen new passwords against specific lists: „For example, the list may include, but is not limited to passwords obtained from previous breach corpuses, dictionary words, repetitive or sequential characters (e.g. ‘aaaaaa’, ‚1234abcd’), context-specific words, such as the name of the service, the username, and derivatives thereof.“

Subsequently, the NIST completely abandons its own suggestions and causes great relief for industries all over:

„Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed.“

French Data Protection Commission threatens WhatsApp with sanctions

The French National Data Protection Commission (CNIL) has found violations of the French Data Protection Act in the course of an investigation conducted in order to verify compliance of WhatsApps data Transfer to Facebook with legal requirements.

In 2016, WhatsApp had announced to transfer data to Facebook for the purpose of targeted advertising, security and business intelligence (technology-driven process for analyzing data and presenting actionable information to help executives, managers and other corporate end users make informed business decisions).

Immediately after the announcement, the Working Party 29 (an independent European advisory body on data protection and privacy, set up under Article 29 of Directive 95/46/EC; hereinafter referred to as „WP29“) asked the company to stop the data transfer for targeted advertising as French law doesn’t provide an adequate legal basis.

„While the security purpose seems to be essential to the efficient functioning of the application, it is not the case for the “business intelligence” purpose which aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior.“

In the wake of the request, WhatsApp had assured the CNIL that it does not process the data of French users for such purposes.

However, the CNIL currently not only came to the result that the users’ consent was not validly collected as it lacked two essential aspects of data protection law: specific function and free choice. But it also denies a legitimate interest when it comes to preserving fundamental rights of users based on the fact that the application cannot be used if the data subjects refuse to allow the processing.

WhatsApp has been asked to provide a sample of the French users’ data transferred to Facebook, but refused to do so because being located in die United States, „it considers that it is only subject to the legislation of this country.“

The inspecting CNIL thus has issued a formal notice to WhatsApp and again requested to comply with the requirements within one month and states:

„Should WhatsApp fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.“

 

Pages: 1 2 3 4 5 6 7 8 9 10 Next
1 2 3 10