Category: USA

Agreement by EU and U.S. negotiators on final changes on the Privacy Shield

28. June 2016

After several months of negotiations regarding the legitimating instruments for carrying out international data transfers, EU and U.S. negotiators agreed last week on the final changes to the proposed EU-U.S. Privacy Shield.

The initial draft of the EU-U.S. Privacy Shield was criticized by several European institutions, such as the Article 29 WP, the EDPS, the Article 31 WP and the UK Data Protection Authority (ICO), for not offering EU citizens enough safeguards for the protection of their personal data when it is transferred to the U.S.

The main criticism of the EU-U.S. Privacy Shield focused on the independence of the ombudsman and on the mass surveillance activities of American authorities. Additionally, European negotiators required a follow-up control mechanism regarding compliance with the EU-U.S. Privacy Shield.

EU and U.S. negotiators have agreed to improve the above-mentioned aspects in order to ensure more guarantees for the protection of EU citizens’ personal data:

  • The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
  • Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
  • The proposal will include a specification that the ombudsman will be an independent institution.

As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide whether the amended text complies with European data protection legislation. Both the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.

Implications for the UK

Now that UK citizens have voted to leave the EU, a two-year negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, including with regard to international data transfers. When the UK ceases to be an EU Member State, it will be considered a third country for the purposes of international data transfers and will have to ensure sufficient safeguards for the protection of personal data.

German DPA fines three companies for illegal data transfer to the U.S.

7. June 2016

The Data Protection Authority of Hamburg has just announced in a press statement that it checked the data transfers of 35 international organizations based in Hamburg.

After the European Court of Justice’s judgment of October 2015 declaring the European Commission’s former Safe Harbor Framework invalid, the DPA contacted organizations in Hamburg that also operate in the U.S. and reviewed their transfers of personal data to the U.S. in order to determine whether instruments other than the Safe Harbor Framework are being used. According to the press statement, the review revealed that the majority of the companies had changed the legal basis of their data transfers by implementing Standard Contractual Clauses (SCC).

However, according to a report by Spiegel Online, three companies had not changed the legal basis for their data transfers. These three companies were therefore fined:

Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)

As all three companies changed the legal basis for their data transfers during the proceedings, the DPA imposed fines significantly smaller than the maximum of 300.000 Euros.

Further developments regarding EU-U.S. data transfers: the “Umbrella-Agreement” has been signed

6. June 2016

On 2 June, the so-called “Umbrella Agreement” was signed between the EU and the U.S. This agreement aims to create a cooperation framework between the EU and the U.S. regarding criminal law enforcement and the prevention of serious crime and terrorism.

Personal data covered under this agreement includes data exchanged between the police and criminal justice authorities of the EU Member States and the U.S. authorities for the purpose of preventing, investigating, detecting and prosecuting criminal offences and terrorist acts. The data transfers will be carried out according to the existing legal frameworks, and sufficient safeguards will be provided.

The agreement gives EU citizens equal treatment with U.S. citizens before American courts regarding judicial redress, and full respect for fundamental rights.

However, this agreement does not itself provide a legal basis for data transfers; it complements the existing and future frameworks between law enforcement authorities.

Renegotiation of the Privacy Shield

1. June 2016

Last week, the European Parliament approved a resolution concerning the reopening by the European Commission of negotiations with US authorities on the EU-US Privacy Shield. Furthermore, the resolution intends to implement the recommendations of the Article 29 Working Party on the draft Privacy Shield adequacy decision.

The resolution, approved by a majority of the members of the European Parliament, says that the executive still needs to improve the data transfer deal, which allows US authorities to collect EU citizens’ data.

Although the Parliament’s opinion is not binding, it puts pressure on the Commission to increase the level of data protection in the much-discussed agreement.

After the Safe Harbour agreement was declared invalid last October because it did not protect European citizens’ data once it was sent to the USA, the executive is now behind schedule: EU Justice Commissioner Vera Jourova and Digital Commissioner Günther Oettinger had initially stated that the new agreement should go into effect by the end of June. However, for that to happen, a group of diplomats from the European member states has to sign its approval first. Although the diplomats were expected to vote on the Privacy Shield last week, they delayed their final decision and scheduled new meetings up until the end of June.

In general, the Commission has already finished the negotiations on the Privacy Shield with US authorities, although clarification on some points is still needed. Commission spokesman Christian Wigand described the clarifications as realistic changes and not a drastic renegotiation of the agreement.

However, the Parliament’s resolution intends to take the criticism from the national data protection authorities of the European member states “fully” into account.

Category: EU · Safe Harbor · USA

USA: Is the government able to require users to unlock smartphones via fingerprints?

25. May 2016

Most of the market leaders in smartphone manufacturing have been developing fingerprint sensors as a security measure to protect the smartphone against unauthorized access. However, legal complications might force them to reconsider this security measure.

As NBC reported, a woman in California was compelled by a search warrant to unlock her iPhone via fingerprint in February. Some experts say that this falls into a legal gray area.

It has not been clarified why the FBI wanted the woman’s iPhone, as the search warrant did not specify the reason the FBI sought access to the phone, only that access was granted. The smartphone, however, was found in the home of her boyfriend, a suspected gang member, as the Los Angeles Times reported in April.

Is there a difference between opening the smartphone via passcode and via fingerprint?

Neil Richards, a privacy law professor at Washington University, said that compelling someone to open a smartphone with a passcode violates the Fifth Amendment protection against self-incrimination, whereas the use of a fingerprint provides law enforcement some legal cover. He went on: “Most people don’t draw a distinction between a fingerprint and a password, but the law does”. The problem stems from the fact that the laws were made before smartphones were invented. Under the relevant law, it is permitted to collect physical evidence during the course of an arrest, such as DNA evidence or fingerprints. Therefore, typing a passcode, for example 1-2-3-4, in order to access a smartphone counts as testimonial, whereas the fingerprint sensor, which also opens the smartphone but with biometric data instead of a password, can be seen as physical evidence.

Because eight people are killed and 1,161 are injured every day in the USA as a result of distracted driving, there is a discussion about implementing a test for texting while driving. As the New York Times reported, the state legislature is considering roadside tests called the Textalyzer. Police officers would be able to plug a cellphone into a laptop and determine whether it was used while driving. However, if a police officer looks at the content of a phone, the Textalyzer could cause a number of privacy problems.

Richards concluded “They’re going to start thinking twice about nudging people toward just using fingerprints. It is secure against private parties, but under current law, it’s not as secure against the government.”


Category: USA

Update EU-U.S. Privacy Shield: Article 31 needs more time to consider the implications of the proposal

23. May 2016

On 19 May, the Article 31 Committee, made up of representatives of the EU Member States, met to discuss the implications of the proposed draft of the EU-U.S. Privacy Shield. The Article 31 Committee was created to reach decisions that require the approval of the EU Member States under the Data Protection Directive 95/46/EC. This is the case, for example, for the adoption of adequacy decisions, such as Safe Harbor in the past or the EU-U.S. Privacy Shield currently.

The Article 31 Committee concluded that it needed more time to reach a decision on the proposal. Moreover, a Commission source confirmed that further meetings will take place in May and early June. The recommendations of the Article 29 WP are also being taken into consideration before a decision is reached.

The decision of the Article 31 Committee is expected by the end of June. The EU-U.S. Privacy Shield can only be adopted if a qualified majority of 16 Member States representing 65 percent of the EU population votes for its adoption.

Until a decision is reached, Standard Contractual Clauses and Binding Corporate Rules can still be used to carry out international data transfers on a legal basis.

Twitter blocks U.S. Intelligence Agencies from Dataminr service

10. May 2016

Dataminr is a tool that analyzes and traces social media posts and notifies users about breaking news in real time, such as the terror attack at Brussels airport in March. The analysis is carried out using keywords, patterns or geotags.

Twitter, which owns 5% of Dataminr, has now blocked U.S. intelligence services from the Dataminr service, so as not to appear to support the surveillance activities of the U.S. intelligence services.

Dataminr services were used by the American Government in 2013 to detect risks to the inauguration of U.S. President Obama’s second term. However, it is not clear how Dataminr provided this service to the U.S. intelligence services, as Twitter’s privacy policy prohibits selling its data to governmental agencies.

Category: General · USA

U.S. House of Representatives passes Email Privacy Bill

29. April 2016

The U.S. House of Representatives voted unanimously on Wednesday on the Email Privacy Bill. The bill aims to update the current Electronic Communications Privacy Act (ECPA) of 1986. Under the ECPA, U.S. authorities can access email communications directly from service providers with just a subpoena if the data is more than 180 days old. Under the new Email Privacy Act, however, they will need a warrant to access emails or other electronic communications, no matter how old they are.

Currently, access by U.S. authorities to electronic communications is the subject of debate at an international level, especially since, some weeks ago, the FBI requested Apple to develop software that would allow data to be extracted from an iPhone that belonged to the San Bernardino terrorist.

The Email Privacy Bill will have to be voted on by the Senate, but the position of the upper chamber towards the bill is still not clear.

Category: USA

Data from dating website stolen and sold

28. April 2016

As the BBC has just reported, the data of more than a million members of the dating website www.beauftifulpeole.com has been sold online. The traded data included not only members’ weight, height, job and phone numbers but also income, sexual preferences, smoking and drinking habits and relationship status. The firm stated that the data belonged to members who joined before July 2015 and that no passwords or financial information were included.

The data has now been sold on the online black market, said Troy Hunt, an Australian security expert who runs the website HaveIBeenPwned.com, where people can check whether their data has been leaked. Although he does not know exactly where or for how much the data was sold, he stated that tens of thousands of dollars can be earned by selling such data, bearing in mind that the data originally can cost as little as $300.

Chris Vickery, a security researcher, told the BBC that the affected company acted quickly after he notified it of his discovery. By then, however, the data had already been sold. He went on to say that “they published it openly to the world with no protection whatsoever”. This contradicts the company’s statement that the content was from a test server; Vickery added that “whether or not it’s in the test database makes no difference if it’s real data”. His analysis is further supported by the fact that a second researcher had identified the same weakness on the same day.

However, in a statement, BeautifulPeople said that “the breach involves data that was provided by members prior to mid-July 2015. No more recent user data or any data relating to users who joined from mid-July 2015 onward is affected”.

David Emm, principal security researcher at Kaspersky Lab, commented on the stolen and sold data, summarizing: “now it’s public, cybercriminals have the opportunity to use this information to steal personal identities or more”, and added: “unfortunately, once a breach of this nature has been made, there is not much that can be done.”

Emm went on to advise that “organisations need to take action and use more data, analytical insights and triangulation of multiple-identity proofing techniques to minimise the potential effects of identity theft for both the user and the businesses serving them”.


Category: USA

FBI probably paid more than 1 million for cracking the San Bernardino iPhone

26. April 2016

NBC News reports that FBI Director James Comey may have disclosed how much the agency spent on cracking the iPhone of the San Bernardino attackers.

Speaking at a security conference in London, Comey said that the agency had paid “a lot, more than I will make in the remainder of this job, which is seven years and four months, for sure”. He went on to say that it “was in my view worth it” and that the FBI will now be able to crack any other iPhone 5s running iOS 9 using the developed software.

Based on this timeframe and his salary of $180,000 per year, NBC News arrives at a figure of $1.3 million. However, there has been no official comment from the FBI.

Category: USA