Category: Data Protection

EPRS publishes report on post-Brexit EU-UK Data Transfer Mechanisms

20. April 2021

On April 9th, 2021, the European Parliamentary Research Service (EPRS) published a report on data transfers in the private sector between the EU and the U.K. following Brexit.

The report reviews and assesses trade dealings, adequacy challenges and transfer instruments under the General Data Protection Regulation (GDPR). The report is intended to help take regulatory and business decisions, and in the Press Release the European Parliament stated that “a clear understanding of the state of play and future prospects for EU-UK transfers of personal data is indispensable”.

The report provides in-depth analysis of an adequacy decision for the UK as a viable long-term solution for data flows between the U.K. and the EU, also considering possible mechanisms for data transfer in the potential absence of an adequacy decision, such as Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, and certification mechanism.

In this analysis the EPRS also sheds light on adequacy concerns such as U.K. surveillance laws and practices, shortcomings of the implementation of the GDPR, weak enforcement of data protection laws, and wavering commitment to EU data protection standards.

As part of its conclusion, the EPRS stated that the European Data Protection Board’s (‘EDPB’) opinion on the draft decision, which has just been published (please see our blogpost here), will likely scrutinise the Commission’s approach and provide recommendations on next steps.

Thailand: Another delay of the Personal Data Protection Act

9. April 2021

On May 28th, 2019, the Personal Data Protection Act (“PDPA”) became law in Thailand. It is the country’s very first legislation governing data protection. Originally, a one-year grace period was determined for implementation of the requirements so that companies could prepare for the prospective liabilities in order to become compliant with the PDPA. However, on May 21st, 2020, a Royal Decree extended the implementation of the PDPA’s key provisions for another year, until June 1st, 2021 (we reported). Currently, a further postponement of the PDPA’s enforcement date is being considered.

According to new Digital Economy and Society (“DES”) Minister, consideration may be given to deferring or amending the PDPA, if the public has negative views about it. The aim is to support small and medium-sized businesses affected by the legislation since most of them are still unprepared for the new obligations and have not adjusted their internal processes yet. In addition, there is an unfortunate lack of willingness among companies concerned, as deputy permanent secretary at the DES Ministry stated. These shortcomings are reflected by the fact that some associations, including the travel and automotive industries, have already requested the deferral of the PDPA’s enforcement.

Contrary to what was initially planned, the appointment of members to the Personal Data Protection Committee is also expected to be delayed further. The Committee plays a decisive role in the approval of subsidiary legislation. The drafts for this concern consent procedures, complaint reception and expert panels.

According to the current status, the PDPA needs further adjustments and necessary regulations still need to be drafted, as many issues have been raised for consultation with regard to the PDPA since it came into effect. The main priorities on which the government intends to focus are as follows:

  • Supporting people’s access to innovation and technology
  • Creating an ecosystem conducive to a digital economy
  • Gearing up for digital infrastructure development, particularly 5G and smart city projects
  • Legal development and enforcement to create a trusted digital ecosystem, especially for the PDPA and issues related to electronic transactions and cybersecurity
  • Protecting the public from abuse on social media and the internet.

The DES Ministry expects that full enforcement of the PDPA will likely be delayed until the end of this year.

Ikea France on trial for spying on staff and customers

7. April 2021

Ikea’s French subsidiary and several of its former executives stood trial on Monday, March 22nd, after being sued by former employees on charges of violating privacy rights by surveilling the plaintiffs, job applicants and customers.

Trade unions reported the furniture and household goods company to French authorities in 2012, accusing it of fraudulently collecting personal data and disclosing it without authorization. The subsequent criminal investigation uncovered an extensive espionage system. According to French prosecutors, the company hired a surveillance company, private investigators and even a former military operative to illegally obtain confidential information about its existing and prospective employees as well as customers. The files received contained, inter alia, criminal records and bank statements. The system has been used for years, possibly even over a decade, to identify individuals who were particularly suspicious or working against the company.

After the case caused outrage in 2012, Ikea’s main parent company fired several executives at the French branch, including the former general manager. But the extensive activity in France has again raised questions about data breaches by the company.

At Monday’s trial an employee accused the company of abuse since it had wrongly suspected him of being a bank robber because its investigative system had found prior convictions of a bank robber with the same name. Others claimed the retailer had browsed through employees’ criminal records and used unauthorized data to reveal those driving expensive cars despite low incomes or unemployment benefits. Even an assistant director who had taken a year of medical leave to recover from hepatitis C was monitored to investigate whether she had faked the severity of her illness. Illicit background checks on hundreds of job applicants were also conducted. Moreover, the system was used to track down customers seeking refunds for mismanaged orders.

One of the defendants, the former head of Ikea France’s risk management department, has testified at the hearing that EUR 530.000 to 630.000 a year had been earmarked for such investigations. The former CEOs and Chief Financial Officer as well as store managers are also on trial. In addition, four police officers are accused of handing over confidential information from police files.

Ikea France said in a statement that it takes the protection of its employees’ and customers’ data very seriously. The company added that it adopted compliance and training procedures to prevent illegal activity and changed internal policies after the criminal investigation had been initiated. But at Monday’s hearing, Ikea France’s lawyers denied a system-wide surveillance. The case was also called “a fairy tale” invented by trade union activists.

The deputy prosecutor claimed, Ikea France had illegally monitored at least 400 people and used the information to its advantage. She is asking for a fine of EUR 2.000.000 against the company, prison sentences of at least one year for two former CEOs and a private investigator, as well as fines for some store managers and police officers. A total of 15 people have been charged. The company also faces potential claims for damages from civil lawsuits filed by unions and several employees.

The trial ended on April 2nd. A verdict by a panel of judges is scheduled for June 15th.

CNIL plans to start enforcement on Ad Tracker Guideline

Starting from April 1st, 2021, the French supervisory authority the Commission Nationale de l’Informatique et des Libertés (CNIL) is planning on starting its enforcement of Ad Tracker usage across the internet.

Following its Ad Tracker Guideline, the CNIL gave companies a time frame to adjust ad tracker usage and ensure compliance with the Guideline as well as the GDPR. This chance for the companies to adjust their ad tracker usage has ended on March 31st, 2021.

The new rules on cookies and ad trackers mainly revolve around the chance for the user to give active, free and informed consent. User consent for advertising cookies must be granted by a “clear and positive act”. This encompasses actions such as clicking an “I accept” button and no longer can be agreed to by simply continuing to use the website.

In addition, cookie banners must not only give the option to accept, they also have to give the option to reject. The act to reject cookie has to be as simple and easy as the act to accept cookies. Referring to “Cookie Options” is no longer a valid form of rejection, as it makes the user have to go through an extra step which may dissuade them from rejecting cookies. A valid option remains rejecting cookies by closing the Cookie Banner, but it has to be ensured that unless the cookies are indeed accepted, none but the essential cookies are activated.

Lastly, the Cookie Banner has to give a short information on the usage of the cookies. The CNIL’s Guideline allows for a more detailed information to be linked in the Cookie Banner, however companies should also give a short information in the Cookie Banner in order to be able to obtain “informed” consent.

At the beginning of March, the CNIL announced that “compliance with the rules applicable to cookies and other trackers” would be one of its three priorities for 2021, along with cybersecurity and the protection of health data. In a first act to follow that goal, the CNIL will now begin to conduct checks to ensure websites are in compliance with advertising tracker guidelines.

It is expected that companies that did not adjust their cookie and ad tracker usages will face fines according to the level of lacking compliance.

EDPB released a new Guidance on Virtual Voice Assistants

31. March 2021

In recent years, Virtual Voice Assistants (VVA) have enjoyed increased popularity among technophile consumers. VVAs are integrated in modern smartphones like Siri on Apple or Google Assistant on Android mobile devices, but can also be found in seperate terminal devices like Alexa on the Amazon Echo device. With Smart Homes trending, VVAs are finding their ways into many homes.

However, in light of their general mode of operation and their specific usage, VVAs potentially have access to a large amount of personal data. They furthermore use new technologies such as machine learning and artificial intelligence in order to improve their services.

As both private households and corporate businesses are increasingly using VVAs and questions on data protection arise, the European Data Protection Board (EDPB) sought to provide guidance to the relevant data controllers. Therefore, the EDPB published a guidance on Virtual Voice Assistants earlier this month.

In its guidance, the EDPB specifically addresses VVA providers and VVA application developers. It encourages them to take considerations of data protection into account when designing their VVA service, as layed out by the principle of data protection by design and default under Art. 25 GDPR. The EDPB suggests that, for example, controllers could fulfil their information obligations pursuant to Art. 13/14 GDPR using voice based notifications if the VVA works with a screenless terminal device. VVA designers could also enable users to initiate a data subject request though easy-to-follow voice commands.

Moreover, the EDPB states that in their opinion, providing VVA services will require a Data Protection Impact Assessment according to Art. 35 GDPR. The guidance also gives further advice on complying with general data protection principles and is still open for public consultation until 23 April 2021.

Microsoft Exchange Target of Hacks

29. March 2021

Microsoft’s Exchange Servers are exposed to an ever-increasing number of attacks. This is the second major cyberattack on Microsoft in recent months, following the so-called SolarWinds hack (please see our blog post). The new attacks are based on vulnerabilities that have been in the code for some time but have only recently been discovered.

In a blog post published on March 2nd, 2021, Microsoft explains the hack and a total of four found vulnerabilities. The first vulnerability allows attackers to gain access to a Microsoft Exchange Server, the second vulnerability allows them to execute their code on the system, and the third and fourth vulnerabilities allow the hacker write access to arbitrary files on the server. Microsoft Exchange Server versions 2019, 2016, 2013 and 2010 are affected, and Microsoft released a security update for all of them on March 2nd, even though support for Microsoft Exchange Server 2010 ended in October 2020.

Reportedly, Microsoft was informed about the vulnerability in January. Since then, a growing number of hacker groups have started to use the exploit. The initial campaign is attributed to HAFNIUM, a group believed to be state-sponsored and operating out of China. According to Microsoft, the vulnerabilities have been in the code for many years without being discovered. Only recently has Microsoft become aware of these vulnerabilities and begun working on them. Microsoft shared information on the vulnerability through the Microsoft Active Protections Program (Mapp), where they share information with a group of 80 security companies. The attacks began shortly after Microsoft began working to resolve the vulnerabilities. There are many similarities between the code Microsoft shared through Mapp and the code the attackers are using.

In an article about a recently published One-Click Exchange On-premises Mitigation Tool (EOMT), Microsoft developers describe how admins can secure Exchange servers against the current attacks within a very short amount of time. The tool only serves as an initial protective measure. For comprehensive protection, available security updates must be installed. In addition, it must be checked whether the hackers have already exploited existing gaps to leave behind backdoors and malware. This is because the updates close the gaps, but do not eliminate an infection that has already occurred. Hackers often do not use gaps immediately for an attack, but to gain access later, for example for large-scale blackmail.

Under the General Data Protection Regulation (GDPR), organizations affected by an attack on personal data must, in certain circumstances, report such an incident to the relevant supervisory authority and possibly to the affected individuals. Even after a successful patch, it should be kept in mind that affected organizations were vulnerable in the meantime. Pursuant to Art. 33 of the GDPR, system compromises that may affect personal data and result in a risk to data subjects must be notified to the competent supervisory authority. For such a notification, the time of discovery of the security breach, the origin of the security breach, the possible scope of the personal data affected, and the first measures taken must be documented.

SMS flaw lets hackers take control of individuals’ phones for $16

24. March 2021

Hackers have discovered a new method of gaining access to individuals’ mobile devices via text message rerouting, Vice reports. Apparently, all it takes is $16 to retrieve a person’s messages from a third-party provider and then take over the phone number and, with it, various associated accounts.

All of that is possible due to a text messaging service called Sakari that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns. The company lets business users import their own phone number in order to be contacted by the businesses. However, the service has a significant security vulnerability. Its use is enabled by purchasing Sakari’s $16 per month plan and then filling out a document saying that the signer has authority to change phone numbers. Although the document points out that the user should not conduct any unlawful, harassing or inappropriate behavior, there is no subsequent call or text notification from Sakari asking the user to confirm the consent to the transfer. That’s why it is largely effortless to simply sign up with another person’s phone number and receive their text messages instead. From that moment on, it can be trivial to hack into other accounts associated with that phone number by sending login requests, as they rely on SMS codes.

This overlooked security flaw shows how frighteningly easy it is to gain access to the tools necessary to seize phone numbers. It requires less technical skill or knowledge than, for instance, SIM jacking. It demonstrates not only the insufficient regulation of commercial SMS tools but also gaping holes in the telecommunications infrastructure, since a hacker only needs to pretend having the user’s consent.

The attack method has implications for cybercrime and poses an enormous threat to safety and security. It enables criminals to harass people, drain their bank account, tear through their digital lives or intercept sensitive information or personal secrets. At this time, it is not clear to what extent this attack method is being applied to mobile numbers.

CTIA, a trade association representing the wireless industry, stated that they immediately launched an investigation into the matter and took precautionary measures. Adam Horsman, co-founder of Sakari, responded to the insufficient authentication of their customers by saying that Sakari added a security feature where a number will receive an automated call in order to confirm the consent given. Moreover, Sakari will verify all existing text-enabled numbers. But Sakari is just one company. And there are plenty of others in this industry. As this method raises serious concerns, it is important for mobile carriers to do more to protect their customers’ privacy and security, such as notifications when registering a new device or a two-factor-authentication.

Data Breach made 136,000 COVID-19 test results publicly accessible

18. March 2021

Personal health data are considered a special category of personal data under Art. 9 of the GDPR and are therefore given special protections. A group of IT experts, including members of the German Chaos Computer Club (CCC), has now revealed security gaps in the software for test centres by which more than 136,000 COVID-19 test results of more than 80,000 data subjects have apparently been unprotected on the internet for weeks.

The IT-Security experts’ findings concern the software “SafePlay” of the Austrian company Medicus AI. Many test centres use this software to allocate appointments and to make test results digitally available to those tested. In fact, more than 100 test centres and mobile test teams in Germany and Austria are affected by the recent data breach. These include public facilities in Munich, Berlin, Mannheim as well as fixed and temporary testing stations in companies, schools and daycare centres.

In order to view the test results unlawfully, one only needed to create an account for a COVID-19 test. The URL for the test result contained the number of the test. If this number was simply counted up or down, the “test certificates” of other people became freely accessible. In addition to the test result, the test certificate also contained the name, date of birth, private address, nationality and ID number of the person concerned.

It remains unresolved whether the vulnerabilities have been exploited prior to the discovery by the CCC. The CCC notified both Medius AI and the Data Protection Authorities about the leak which led to a quick response by the company. However, IT experts and Privacy-focused NGOs commented that Medicus AI was irresponsible and grossly negligent with respect to their security measures leading to the potential disclosure of an enormous amount of sensitive personal health data.

The state of Virginia is second state in the USA to enact major Data Protection Legislation

17. March 2021

On March 2nd, 2021, Virginia’s Governor, Ralph Northam, signed the Consumer Data Protection Act into law without any further amendments.

This makes the state of Virginia the second US state to enact a major privacy law, next to California’s CCPA enacted in 2018. At the point of the law passing to the Senate, there was debate that the bills were flawed as they are not including a private right of action and leaving all enforcement to the Office of the Attorney General. This caused some senators to oppose the bills, however it was ultimately passed by a vote of 32 to 7. The Consumer Data Protection Act will take effect on January 1st, 2023.

The bill establishes a comprehensive framework for controlling and processing personal data of Virginia residents. In addition, it provides Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing operations, as well as the right to appeal a controller’s decision regarding a rights request. The bill further states requirements relating to the principles of data minimization, processing limitations, data security, non-discrimination, third-party contracting and data protection assessments, as well as imposes certain requirements directly on entities who act as processors of data on behalf of a controller.

However, the law also includes a number of exemptions at entity level, such as exemptions for financial institutions subject to the Gramm-Leach-Bliley Act and also includes some data or context specific exemptions, such as an exemption for HR-related data processing.

The Attorney General’s office, as the enforcing entity, has to provide 30 days’ notice of any violation and allow an opportunity for the controller to cure any violation. In case a controller does not oblige and leaves the violation uncured, the Attorney General is able to file an action seeking $7,500 per violation.

Firefox introduces new tool to prevent cookie-based tracking

12. March 2021

Mozilla has announced the introduction of a new privacy tool for its Firefox browser, “Total Cookie Protection”, aimed at blocking cookie-based tracking by ad-tech companies. The new feature prevents cross-site tracking by confining cookies to the website where they were created and placing them into a so-called “cookie jar”.

Mozilla refers to cookies as “a useful technology, but also a serious privacy vulnerability” because they are shared between websites which enables tracking user’s browsing behavior. This approach allows advertising companies, in particular, to gather information about users, their browsing habits and interests as well as create detailed personal profiles.

Total Cookie Protection works by maintaining a separate “cookie jar”, assigned to each website visited. This procedure prohibits the deposited cookie from being shared with any other website. A limited exception only applies to cross-site cookies needed for non-tracking purposes.

Firefox has blocked some cookies used by ad-tech companies for years in an effort to fight against cookie abuse and web tracking. In order to achieve this goal, “Enhanced Tracking Protection” (ETP) was introduced in 2019. It blocks many of the companies identified as trackers by Mozilla’s partners at Disconnect. Despite being an effective strategy to stop tracking, this form of cookie blocking has its limitations, Johann Hofmann and Tim Huang remark on the developer blog Mozilla Hacks:

ETP protects users from the 3000 most common and pervasive identified trackers, but its protection relies on the fact that the list is complete and always up-to-date. Ensuring completeness is difficult, and trackers can try to circumvent the list by registering new domain names. Additionally, identifying trackers is a time-consuming task and commonly adds a delay on a scale of months before a new tracking domain is added to the list.

With this in view, Total Cookie Protection has been built into ETP as a new privacy advance. The feature intends to address the limitations of ETP and provide more comprehensive protection. It is complemented by Supercookie Protections rolled out last month, which shall eliminate the usage of non-traditional storage mechanisms (“supercookies”) as a tracking vector.

In conclusion, Mozilla stated:

Together these features prevent websites from being able to “tag” your browser, thereby eliminating the most pervasive cross-site tracking technique.

Pages: 1 2 3 Next
1 2 3