Category: European Data Protection

FBI statistic: 87% of the needed data could be accessed in 2016

15. November 2016

Motherboard online just published numbers that were disclosed by the FBI concerning whether the FBI is able to unlock most devices they need to get into.

According to General Counsel Jim Baker the FBI is able to unlock or/and access data stored on both smartphones and computers. This statement is supported by the numbers that were released.

In 2016 the FBI

  • has encountered passwords or passcodes in 2,095 out of 6,814 – 31%,
  • with regard to the 2,095 devices that were locked, the investigators were able to get access in 1,210 cases and
  • couldn’t unlock around 880 devices.
  • In conclusion, in the vast majority of cases, namely 87%, the FBI was able to access the data that was needed.

Concidering that the FBI and Apple fought in court earlier this year regarding the FBI’s request to help breaking into the iPhone of an alleged terrorist who killed 14 people in a shooting and that this case led to a battle on encryption in which the FBI argued that encryption, which cannot be broken, supports criminal investigations rather than making them harder due to the fact that access to the data can sometimes lead to important evidence on a suspect or on a victim’s phone or computer.

However, the mentioned numbers, that have so far never been published, “demonstrate that even with encryption turned on by default on all newer iPhones and some Android phones, it is posing a problem in a relatively small number of cases – while that same encryption is presumably preventing a wide range of crimes”, according to Kevin Bankston, the director of the New America.

 

INTERPOL suggests that governments share terrorists’ biometric data

11. November 2016

The IAPP just published an article saying that INTERPOL calls on governments around the world to share terrorists’ biometric data in order to increase global security.

This statement was issued by INTERPOL’s General Assembly saying that it currently possesses information about 9,000 terrorists. However, only 10 percent of these files include biometric information. INTERPOL’s Secretary General, Jürgen Stock, explaines that this can be seen as “a weak link” in the prevention of terrorism.

On one side, some countries – among these are multiple ASEAN countries – have taken big steps with regard to data sharing as they have recently agreed to share biometric data for the purposes of counter-terrorism. On the other side, many governments are still discussing how to handle biometric data domestically. So the sharing of data would be one step ahead.

However, governments worldwide becoming more and more interested in biometric security which might help to fight terrorism. The mentioned suggestion of INTERPOL might also increase this kind of cooperation.

 

Mass Audit in Germany concerning 500 firms’ cloud transfers

8. November 2016

As the IAPP just published online, 10 of the 16 German Data Protection Authorities, have begun to assess firms’ transfer of personal data to cloud services based outside of the EU.

According to a joint statement of the respective Data Protection Authorities this is due to the fact that cross-border personal data transfers are growing massively, because of globalization and the rise of software-as-a-service.

Therefore, a mass audit is conducted, which takes about 500 randomly selected companies of various sizes into account. This audit is based on questionnaires asking about their transfers of employee and customer personal data to third countries, in particular to the U.S. while using services such as:

  • office apps,
  • cloud storage,
  • email and other communications platforms,
  • customer service ticketing,
  • support systems and
  • risk management and compliance systems.

In case a company transfers personal data to third countries, it has to show the legal grounds they are using, for example Standard Contractual Clauses or the EU-U.S. Privacy Shield.

The Article 29 Working Party talks about the EU-U.S. Umbrella Agreement

2. November 2016

The Article 29 Working Party published a statement on the EU-U.S. Umbrella agreement at the end of October.

On one side, the statement shows signs of support for the EU-U.S. Umbrella Agreement. However on the other side, it delivers recommendations in order to make sure that the agreement is compliant with European data protection law.

In general, the Article 29 Working Party supports the creaction of a general data protection framework in order for international data transfers to be compliant with national, European and international data protection laws.  Therefore, the Article 29 Working Party elaborates that the respective agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework”. 

However, it is also mentioned that clarification is needed in terms of definitions, for example how to define personal data and data processing, due to the fact that European and U.S law have different opinions on what is meant by these terms.

The Article 29 Working Party put a bad light on Yahoo and WhatsApp

31. October 2016

The IAPP reported, that the Article 29 Working Party issued a warning concerning possible violations of European data protection regulations in form of a letter to both Yahoo and Whatsapp.

Both companies have been topic of public debate due to the way they handle the personal data of users. The concerns of the Article 29 Working Party regarding WhatsApp are that the company shares data with Facebook. Whereas, the objections towards Yahoo are raised due to both data breaches in 2014 and due to the allegation that the company scans incoming user emails for U.S. law enforcement agencies.

Therefore, the Article 29 Working Party requests that both companies provide more information on the problems. It can not be ruled out that investigations are launched and fines are imposed.

EU-U.S. Privacy Shield is being challenged

28. October 2016

As the website of the European Court of Justice just released, is the EU-U.S. Privacy Shield being challenged by Digital Rights Ireland, an Irish privacy advocacy group.

The facts of this case (Digital Rights Ireland v Commission; Case T-670/16) are as follows:

  • Digital Rights Ireland has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield.
  • There has been no comment from Digital Rights Ireland yet.
  • No documents have been published with regard to the case so far.
  • However, as HuntonPrivacyBlog reported “(…) media sources quote a spokesperson for the European Commission acknowledging the case and stressing the European Commission’s conviction that the Privacy Shield meets all legal requirements.”

Amendments to adequacy decisions and decisions on European Model Clauses?

25. October 2016

After a meeting of the Article 31 Committee, the European Commission disclosed two drafts concerning the implementation of amendments to the existing adequacy decisions and decisions on EU Model Clauses.

First of all, adequacy decisions determine whether a third country provides adequate safeguards in order to protect personal data. These decisions are made by the Commission after an assessment of the national laws and international commitments in terms of data protection of the respective country. In the following, countries which are established to be adequate are added to the Commission’s “white list”. Therefore, data transfers can be made from the EEA to that country without any further legal requirements.

The opinion concerning these amendments is divided. Some European Member States which participated at the Article 31 Committee meeting were for implemnting theses amendments. However, other European Member States requested more time in order to consider the proposed changes.

Due to this conflict another meeting has to be scheduled to which the  Article 29 Working Party will be aksed to contribute by presenting its views on the respective changes.

European Court of Justice defines personal data

20. October 2016

The European Court of Justice clarified the definition and the scope of personal data.

The original case, known as the Breyer case, concerned the issue whether dynamic IP addresses are personal data within the meaning of Article 2(a) of Directive 95/46/EC. The European Court of Justice now ruled that IP addresses can be seen as personal data although the information may have to be sought from third parties in order to identify the data subjects.

In detail, the European Court of Justice concludes:

  • According to the approach adopted by the Bundesgerichtshof (Federal Court of Justice), a dynamic IP address is not sufficient, in itself, to identify the user who has accessed a web page through it. If the provider of a service on the Internet could, on the contrary, identify the user through the dynamic IP address, it would, no doubt, be personal data within the meaning of Directive 95/46.
  • The heart of the question referred is therefore concerned with whether it is relevant, in order to classify dynamic IP addresses as personal data, that a very specific third party — the Internet access service provider — has additional data which, combined with those addresses, may identify a user who has visited a particular web page.
  • Therefore, as a first conclusion, I consider that Article 2(a) of Directive 95/46 must be interpreted as meaning that an IP address stored by a service provider in connection with access to its web page constitutes personal data for that service provider, insofar as an Internet service provider has available additional data which make it possible to identify the data subject.

Therefore, the question which is raised due to this ruling is: Will this defintion stand once the GDPR comes into force in 2018?

However, it is highly probable that from now on it will be more difficult for organizations to pseudonymize or anonymize personal data.

Decision in Microsoft case about to be challenged

18. October 2016

As the Washington Post reported, the Justice Department asked the appeals court for the Southern District of New York to look at the decision concerning Microsoft’s refusal to comply with a search warrant for an alleged drug trafficker’s emails stored on a server in Ireland.

The case which this ruling was based on dealt with Microsoft receiving a warrant in December 2013. However, although it originally has been a case of compliance with a federal law enforcement request, now turned out to be a discussion over government access to digital data held overseas. This is due to increasing challenges to governments if they try to intercept data across borders.

Therefore, Microsoft and a number of tech firms and privacy groups reason that in case the government’s view will be applied, the outcome will be that U.S.-american businesses might lose billions of dollars in revenue.

 

According to a global survey companies are not ready for the GDPR

12. October 2016

Dell just published the results of a global survey about the GDPR perceptions and readiness. Among other findings, the main result is the lack of awareness of the requirements, the preparation and the impact:

  • More than 60 % answered that they are aware that something is going on with the GDPR. However, they said that they do not know what exactly is happening.
  • Just 4 % outside of Europe commented that they are very knowledgeable about the details of the GDPR. Nevertheless, only 6 % of those in Europe answered that they are very familiar with the requirements.
  • On top of this, less than 1 of 3 companies feel that they are prepared for the GDPR.
  • Furthermore, about 70 % said that their company is definitely not, or do not know if their company is, prepared for the GDPR today. However, only 3 % of them have a plan in order to get ready.
  • Fewer than 50 % commented that they feel confident to be ready in time when the GDPR comes into effect in 2018. Nevertheless,  just 9 % expect to be fully prepared.

 

Pages: Prev 1 2 3 4 5 6 7 8 9 Next
1 3 4 5 6 7 9