Category: Countries

US Border Control – traveler photos and license plate images stolen in a data breach

11. June 2019

U.S. Customs and Border Control (CBP) announced on Monday, 10th June 2019, that photos of travelers, their cars and their license plate images were stolen during a data breach.

The network of CBP itself was not affected by the breach, but the photos were transferred to a subcontractor and stolen by a hack at the subcontractor. The name of the subcontractor was not mentioned. According to US media reports, the subcontractor is Perceptics which was hacked in May 2019.

CBP announced: “CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”  CBP has not terminated its cooperation with the hacked subcontractor despite breaches of data protection and security regulations.

CBP was informed about the breach on 31st May 2019. The breach affects nearly 100.000 people who travelled the USA. Besides the photos of travelers, their cars and license plates neither passport or other travel documents nor images of airline passengers were involved. The photos show travellers crossing either the US border to Canada or Mexico.

Until now, the hacked data could neither be found on the Internet nor in the Dark net.

Royal family uses GDPR to protect their privacy

22. May 2019

Last week Prince Harry and Meghan Markle could claim another victory in the royal family’s never ending struggle with paparazzi photographers, securing “a substantial sum” in damages from an agency that released intimate photos of the Oxfordshire home the Duke and Duchess of Sussex rented to the media. In a statement, Splash News apologized for and acknowledged that this situation would represent “an error of judgement”.

The paparazzi agency “Splash News” took photos and footage of the couple’s former Cotswolds home — including their living room, dining area, and bedroom — using a helicopter and promptly sold to different news outlets. The lawyers of Prince Harry argued that this situation caused a breach of his right to privacy according to Art. 7 and 8 ECHR as well as a breach of the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).

Considering the strategy of the Duke’s lawyers, it looks like the royal family have found a potentially attractive alternative to claims of defamation of invasion of privacy. Since in contrast to such a claim, a claimant relying on data protection law neither needs to prove that a statement is at least defamatory and met the threshold for serious harm to reputation nor that the information is private.

However, the (new) European data protection legislation grants all data subjects, regardless of their position and/or fame, a right of respect for their privacy and family lives and protection of their personal data. In particular, the GDPR requires organisations, according to its Article 5, to handle personal data (such as names, pictures and stories relating to them) fairly and in a transparent manner while also using it for a legitimate purpose.

Moreover, when obtaining pictures and footage of an individual’s private or even the intimite sphere, the organization using such materials need a specific reason like some kind of contract, the individual’s consent or be able to argue that using this photos and footage was “in the public interest” or for a “legitimate interest”. As a contract and a consent can be excluded here, the only basis that might be considerd could be a public interest or a legitimate interest of the organization itself. Taking into account the means and the way how these photos and footage of the Duke and Dutchess were created, both of these interest cannot withstand the interest  in protecting the rights and freedom of individuals’ private and intimite sphere.

Referring to this case, it seems pretty likely that the European data protection regime changed the way in how celebrities and the courts enforce the heavy-contested threshold of whether the public is allowed to see and be informed about certain parts and aspects of famous people’s lives or not.

 

 

New Jersey changes data breach law to extend it to online account information

20. May 2019

On May 10, 2019, Phil Murphy, Governor of New Jersey, signed a bill amending the law regarding notification of data breaches in New Jersey. The purpose of the amendment is to extend the definition of personal data to include online account information.

The amendment requires companies subject to the law to notify New Jersey residents of security breaches concerning the user name, e-mail address or other account holder identifying information.

The amendment states that companies should notify their customers affected by violations of such information electronically or otherwise and instruct them to promptly change any password and security questions or answers or take other appropriate measures to protect their online account with the company. The same shall be done for all other online accounts for which the customer uses the same username or e-mail address and password or the same security question and answer.

In addition, the amended law prohibits the company from sending notifications to the e-mail account of a person affected by a security breach. Instead, notifications must be sent in another legally required manner or by a clear and unambiguous notification sent online when the customer’s account is connected to an IP address and the company knows that the customer regularly accesses their account from that online location.

The amendment will take effect on 1 September 2019.

Data of millions of US-citizens available in the internet

2. May 2019

Sensitive data of 80 million US households are unprotected available in the internet. The data are stored on an openly accessible database whose owner is unknown.

Affected are 65 % of all US households, in numbers, 80 million households. The database includes detailed information regarding the number of persons living in a household, their names, marital status, age, date of birth, residential address including GPS data for localization and household income.

The number of affected US-citizens cannot be named due to the fact, that in one household can live a different amount of people. Because of this it is possible that over 100 million people are affected.

On the basis of the accessible data an identification of individuals is easily possible because hackers or thefts of identity can find out the mailaddresses and connect this information with free accessible information from e.g. social media.

Regarding the owner of the database no information is known. It is presumed that it is a company from the health or insurance sector.

The owner need to be find, otherwise the leak cannot be closed.

Category: Cyber Security · Data Breach · USA

Morrisons is Allowed to Appeal Data Protection Class Action

29. April 2019

The British food store chain VM Morrison Supermarkets PLC (“Morrisons”) has been granted permission by the Supreme Court to appeal the data protection class action brought against it and to challenge the judgment for all its grounds. The case is important as it’s the first to be filed in the UK for a data breach and its outcome may affect the number of class actions for data breaches.

An employee who worked as a senior IT auditor for Morrsisons copied the payroll data of almost 100,000 employees onto a USB stick and published it on a file-sharing website. He then reported the violation anonymously to three newspapers. The employee himself was sentenced to eight years in prison for various crimes.

5,518 employees filed a class action lawsuit against Morrisons for the violation. It claimed both primary and representative liability for the company. The Supreme Court dismissed all primary liability claims under the Data Protection Act (“DPA”), as it concluded that the employee had acted independently of Morrisons in violation of the DPA.

However, the court found that Morrisons is vicariously liable for its employee’s actions, although the DPA does not explicitly foresee vicarious liability. The company appealed the decision.

The Court of Appeals dismissed the appeal and upheld the Supreme Court’s ruling that the Company is vicariously liable for its employee’s data breach, even though it was itself acquitted of any misconduct.

In the future appeal of the Supreme Court, it will have to examine, among other things, whether there is deputy liability under the DPA and whether the Court of Appeal’s conclusion that the employee disclosed the data during his employment was incorrect.

Brexit: Deal or “No-deal”

12. March 2019

Yesterday evening, shortly before the vote of the UK parliament on the circumstances and if necessary a postponement of the Brexit, Theresa May met again with Jean-Claude Juncker in Strasbourg. Both sides could agree on “clarifications and legal guarantees” regarding the fall-back solution for Northern Ireland.

These (slightly) expand the United Kingdom’s (UK) opportunity to appeal to an arbitration court in the event that the EU should “hold the UK hostage” in terms of the membership of the customs union by means of the Backstop-Clause beyond 2020. This “legally binding instrument”, as Juncker said, intends to clarify that the Backstop-Clause on the Irish border is not to be regarded as a permanent solution. This shall also be confirmed in a joint political declaration on the future relations between the two sides. However, the wording of the complementary regulation is legally vague.

May is nevertheless confident that the British Parliament will approve the “new” agreement to be voted on tonight. Meanwhile, Jeremy Corbyn, Labour Party leader, has announced and urged to vote against the agreement. In any case, Juncker has already rejected further negotiations on adjustments to the current version of the withdrawal agreement, emphasizing that there will be no “third chance”. By 23rd May, when the EU elections begin, the Kingdom shall have left the EU.

The vote on “how” and “when” of the Brexit will be taken in the next few days, starting tonight at 8 p.m. CET. If the withdrawal agreement will be rejected again today, the parliament will vote on a no-deal Brexit tomorrow (the UK would then be a third country in the sense of the GDPR as of 30th March). In case this will also be rejected, on 14th March the parliament will eventually vote on a delay of the Brexit date. A postponement could then lead to a new referendum and thus to a renewed decision on the question of “whether” a Brexit will actually take place.

Category: EU · GDPR · General · UK
Tags:

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

The Dutch DPA (Autoriteit Persoonsgevens) investigates several Data Processing Agreements

23. January 2019

Since the EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018, the Dutch DPA regularly reviews whether organizations comply with data protection regulations. For example, the DPA previously investigated organizations (inter alia hospitals, banks, insurers) regarding their data protection officers and/or whether they keep a register of processing activities.

The Dutch Data Protection Authortiy, the so called Autoriteit Persoonsgevens, announced last week on its website that it had asked 30 private organizations to provide their Data Processing Agreements in use. The organizations in question mainly operate in the field of energy, media and trade.

Art. 28 GDPR states that a data controller must have a data processing agreement (DPA) with a data processor when the ladder is carrying out the data processing on behalf of the controller. This is for example the case when an organization outsources IT facilities. The controller remains responsible for the protection of the personal data and is only allowed to engage processors which can offer sufficient guarantees to ensure those requirements. Especially, the agreement must specify the type and categories of data that will be processed and the duration as well as the nature and purpose of the processing.

Brexit: Impact on data protection after “May’s deal” has been rejected

18. January 2019

Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.

In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.

Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.

It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.

Pages: Prev 1 2 3 ... 8 9 10 11 12 13 14 ... 21 22 23 Next
1 9 10 11 12 13 23