Category: Countries
31. August 2016
On its blog Google Analytics announced on the 29th of August that they have self-certified to the EU-U.S. Privacy Shield.
The statement describes the EU-U.S. Privacy Shield as a new framework for transfers of personal data from Europe to the United States, which can be seen as a significant milestone for the protection of Europeans’ personal data, legal certainty of transatlantic businesses, and trust in the digital economy.
Therefore, Google has now committed that they comply with the Privacy Shield’s principles and furthermore that they will safeguard the transfers of personal data, whereas no action is required from their customers.
30. August 2016
The ICO just published a statement relating to the fact that WhatsApp is about to share user information with Facebook.
Elizabeth Denham who was appointed Information Commissioner in July 2016, said that “The changes WhatsApp and Facebook are making will affect a lot of people. Some might consider it’ll give them a better service, others may be concerned by the lack of control.” She continued by saying “Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed.” Denham concluded “We’ve been informed of the changes. Organisations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. We are looking into this.”
During the IAPP Europe Data Protection Congress taking place on the 7-10 of November in Brussels Denham will contibute and also give a speech.
26. August 2016
Jan Koum, one of WhatsApp’s founders, stated shortly after selling WhatsApp to Facebook in 2014 that the deal would not affect the digital privacy of his mobile messaging service with millions of users.
However, according to the New York Times WhatsApp is about to share user information with Facebook. This week, WhatsApp published a statement saying that it will start to disclose phone numbers and analytics data of its users to Facebook. By doing so, it will be the first time that WhatsApp will connect the data of its users to Facebook.
Furthermoere, due to the fact that WhatsApp begins to built a profitable business after its previous little emphasis on revenue, it is now changing its privacy policy to the extent that WhatsApp wants to allow businesses to contact customers directly through its platform.
WhatsApp commented on the new privacy policy “We want to explore ways for you to communicate with businesses that matter to you, too, while still giving you an experience without third-party banner ads and spam”.
The new privacy policy will allow Facebook to use a users’s phone number to improve other Facebook-operated services like making new Facebook friend suggestions or better-tailored advertising.
However, WhatsApp underlines that neither it nor Facebook will be able to read users’ encrypted messages and emphasizes that individual phone numbers will not be given to advertisers.
Koum explained that “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp” and went on “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else” and concluded “Our focus is the same as it’s always been — giving you a fast, simple and reliable way to stay in touch with friends and loved ones around the world.”
WhatsApp’s new privacy policy raises concerns due to the lack of data protection. Therefore, the president of the Electronic Privacy Information Center, Marc Rotenberg commented that it is about to file a complaint next week with the Federal Trade Commission in order to prevent WhatsApp from sharing users’ data with Facebook. Rotenberg justified this approach as “Many users signed up for WhatsApp and not Facebook, precisely because WhatsApp offered, at the time, better privacy practices” he explained “If the F.T.C. does not bring an enforcement action, it means that even when users choose better privacy services, there is no guarantee their data will be protected.”
19. August 2016
The ICO fined Hampshire County Council with 100,000 GBP due to a data breach.
The fine was the result of missing measures protecting personal information against unauthorized access: Documents containing personal information of more than 100 data subjects were stored in an abandoned building. Furthermore, 45 bags of confidential waste were also found.
Hampshire County Council released a statement saying that “We are very sorry that this incident occurred. Hampshire County Council takes the management and protection of its data very seriously. Accordingly, appropriate procedures were in place at the time, but unfortunately, on this occasion, the process was not fully adhered to. However, at no time was any information disclosed outside of the site”.
Furthermore the statemet points out that “Immediate steps were taken to investigate the matter fully, and remedial action was taken. This has included strengthened and improved processes in the removal of, and destruction of, confidential waste from vacated buildings.”
The statement highlights that Hampshire County Council reported the incident to the ICO as soon as they became aware of it and that they have cooperated fully at all stages of the ICO’s investigation.
17. August 2016
Concerning U.S.-American Companies:
- Annual self-certification that they meet the requirements
- Displaying the privacy policy on their website
- Replying in a reasonable period of time to any complaints
- In case human resources data is processed: cooperation and compliance with European Data Protection Authorities
Concerning European Individuals:
- More transparency about the transfer of personal data to the U.S. and an increase of the protection level of this data.
- Cheaper and easier redress possibilities in case of complaints: either directly towards the company or with the support of the respective Data Protection Authority.
16. August 2016
A list was released last week containig about 40 companies that have been approved under the EU-U.S. Privacy Shield.
A spokesman of the Department of Commerce commented that this list would be updated continuously. He went on by saying that “There are nearly 200 applications currently involved in our rigorous review process.”
Nevertheless, the Wall Street Journal just released an article mentioning that due to the lack of legal uncertainty of the EU-U.S. Privacy Shield, companies demonstrate restraint in joining the agreement.
However, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids” concluded Jay Cline working with PwC.
12. August 2016
The ICO fines Regal Chambers Surgery with 40,000 GBP due to the fact that personal medical information was handed out.
Regal Chambers Surgery disclosed medical file to a man regarding his son containing 62 pages not only of personal data but also including information on the ex-partner, her parents, and an older child he was not related to. However, although the man requested the records under Section 7 of the Data Protection Act, Regal Chambers had no process implemented to determine whether the data should be handed out.
The ICO’s Head of Enforcement, Steve Eckersley commented that “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded”.
4. August 2016
Although companies began submitting their application to join the EU-U.S. Privacy Shield, the U.S. Department of Commerce did not immediately list their compliance.
Among others, Microsoft was one of the first businesses to certify that it complied with the new rules for transferring European Union citizens’ personal data to the U.S.
On its blog Microsoft published a statement by Vice President for EU Government Affairs John Frank saying “We expect it to be approved in the coming days”. Furthermore, he said “Going forward, any data which we will transfer from Europe to the U.S. will be protected by the Privacy Shield’s safeguards.”
The process for joining the EU-U.S. Privacy Shield includes a self-certification, which is charged by the U.S. Department of Commerce. The fee for processing their annual applications and adding them to the register ranges from $250 for organizations with revenue under US$5 million up to $3,250 for those with revenue over $5 billion.
However, organizations also have to pay in order to join an arbitration service or in terms of data protection authorities dealing with complaints.
27. July 2016
Last week the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation cannot be compelled to turn over customer emails stored outside the U.S. to U.S. law enforcement authorities.
The original case addressed a search warrant concerning the contents of all emails, records and other information regarding one of Microsoft’s email users. Although Microsoft generally complied, it refused to turn over the contents of the emails stored on a server in Ireland. Microsoft opinion was that U.S. courts are not authorized to issue such warrants. However, in April 2014 a judge in the U.S. District Court for the Southern District of New York held that Microsoft has to turn over the contents of the emails to U.S. law enforcement in case of search warrant is issued under the Stored Communications Act and although the data is stored outside of the U.S.
The Second Circuit ruled that “Congress did not intend the (Stored Communications Act’s) warrant provisions to apply extraterritorially…(and) the Stored Communications Act does not authorize a U.S. court to issue and enforce an Stored Communications Act warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”
22. July 2016
The ICO has advised organisations to implement internal data breach procedures, which should be encouraged by employee trainings, in order to be prepared as soon as the General Data Protection Directive (GDPR) comes into effect in 2018.
Therefore, the recommendation made by the ICO in terms of its breach notification recommendation instruct companies to be compliant from the first day the GDPR is implemented. Furthermore, the recommendation states that “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data” and goes on by saying that “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.” On top of this, the ICO points out that companies will not have much time to notify the authorities of any data breach due to the fact that article 33 of the GDPR requires notification to take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it (…) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
