Category: General Data Protection Regulation

Microsoft violates the GDPR on a massive scale

20. November 2018

A Data Protection Impact Assessment (DPIA) outsourced by the Dutch Ministry of Justice and Security, concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them. According to this report, Microsoft thus violates the General Data Protection Regulation (GDPR) on a massive scale.

The DPIA was carried out to probe the use of Microsoft Office in the public sector. Most of the Dutch authorities use Microsoft Office 2016, Office 365 or an older version. The Dutch judiciary, police, various ministries and tax offices use Word, Excel, Outlook and PowerPoint. The DPIA found that Microsoft not only collects and stores personal data but also send them to the US. In addition, users are not informed and it is not offered to switch off the collection or to see what data are collected. The Assessment outlined eight different risks and possible risk mitigating measures. One example is the “Lack of Transparency”. A possible measure recommended for Microsoft is the public documentation and the implementation of a data viewer tool because at the moment the content of the diagnostic data (i.e. “all observations stored in event logs about the behaviour of individual users of the services”) is not accessible.

Microsoft stated that -for the examined Office versions- between 23,000 and 25,000 event logs are sent to Microsoft servers and that 20 to 30 development teams analyse the data. The company agreed to change its practices by April 2019 and until then offers “zero exhaust” settings to shut down the data collection. A Microsoft spokesperson told The Register: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.”

In addition to applying the new settings, the DPIA encourages users to deactivate Connected Services and Microsoft’s data sharing system, not use the web-based Office 365, SharePoint, or OneDrive, delete the directory of the system, and consider using alternative software.

Privacy International accuses seven companies of violating the GDPR

13. November 2018

On November 8th, Privacy International – a British non-governmental organisation – has filed complaints against seven data brokers (Axiom, Oracle), ad-tech companies (Criteo, Quandcast, Tapad) and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland and the UK.

Privacy International accuses those companies of violating the GDPR: They all collect personal data from a wide variety of sources and merge them into individual profiles. Therefore, information from different areas of an individual’s life flow together to create a comprehensive picture e.g. online and offline shopping behaviour, hobbies, health, social life, income situation.

According to Privacy International, the companies not only deal with the collected data, but also with the conclusions they draw about their data subjects: Life situation, personality, creditworthiness. Among their customers are other companies, individuals and governments. Privacy International accuses them to violate data protection principals such as transparency, purpose limitation, data minimisation, integrity and confidentiality.

Furthermore, the companies have no valid legal basis for the processing of personal data, in particular for the purpose of profiling. According to Privacy International, where those companies claim to have the consent of the data subjects, they cannot prove how this consent was given, nor that the data subjects voluntarily provided it after sufficient and clear information.

“Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back,” Frederike Kaltheuner, Privacy International’s data exploitation programme lead, said.

With its complaint, Privacy International takes advantage of a new possibility for collective enforcement of data protection created by the GDPR. The Regulation allows non-profit organisations or associations to use supervisory procedures to represent data subjects (Art. 80 GDPR).

EDPB Publishes Opinions on National DPIA Lists

17. October 2018

Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).

The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.

To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.

Facebook may face up to $1.63 Billion Fine in Europe after Data Breach

2. October 2018

Ireland’s Data Protection Commission, the company’s lead privacy regulator in the EU, could fine Facebook Inc. up to $1.63 billion for a data breach disclosed Friday, reports the Wall Street Journal. Hackers compromised the accounts of at least 50 million users, bypassing security measures and possibly giving them full control of both profiles and linked apps.

The Commission is now requesting more information on the scale and nature of the data breach in order to find out which EU residents could be affected. Facebook announced that it would respond to follow-up questions. The incident results in the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data and is a severe setback to their efforts to regain trust after a series of privacy and security breaches.

The way in which this data breach is handled by data protection authorities could mark one of the first important tests under the GDPR, which came into force in May earlier this year. The handling could provide conclusions regarding the application of breach-notifications and data-security provisions by companies in the future.
The law requires companies to notify data protection authorities of breaches within 72 hours, under threat of a maximum fine of 2% of worldwide revenue. Furthermore, under the GDPR companies that fail to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Taking the larger calculation as a basis Facebook’s maximum fine would be $1.63 billion.

Database operators in Sweden exempt from GDPR

24. August 2018

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.

It is expected that the relevant laws will be amended in the first half of 2019.

France’s GDPR implementation law

3. August 2018

In June, France enacted the French Data Protection Act 2 (FDPA2), which implements the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 – and the Directive (EU) 2016/680.

The French government decided not to repeal the French Data Protection Act of 1978 (FDPA). FDA2 amends the former FDPA. FDPA2 replaces the logic of prior formalities with the philosophy introduced by the GDPR of enhanced accountability of stakeholders.

The FDPA2 does not take full advantage of all the opening clauses provided by the GDPR. In November 2017, when the draft bill was published, the CNIL considered that this selection was judiciously made. It includes the following provisions:

  • The clarification of the scope of application of national law (Art. 10)
  • An open data approach for judicial decisions (Art. 13)
  • The definition of the age for “digital majority” (Art. 20)
  • The broadening of class-action’s scope to compensation (Art. 25)
  • The possibility for the Conseil d’Etat to temporarily suspend international data transfer at the request of the CNIL (Art. 27)

Article 32 of the FDPA2 empowers the government to proceed by ordinance to a general rewriting of the FDPA in order to improve the intelligibility and consistency with all legislation relating to the protection of personal data. It is therefore to be expected that the FDPA2 will undergo major changes in the near future but without any debate before the Parliament.

Data of patients disclosed in Singapore’s largest data breach in history

30. July 2018

A cyberattack has impacted data of 1.5 Mio patients of SingHealth clinics by stealing name, ID Card number, address, gender, race and date of birth as reported by ARN Net.

Due to “operational security reasons”, the authorities haven’t disclosed the identity of the responsibles behind the attack.

Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”

The report further states that all patients, whether or not they were affected will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

According to Channel Asia the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, gaining privileged account credentials to gain access to the database.

It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all Patient records in SingHealth’s IT system remain intact.

Several measures have been taken in terms of IT-security such as controls on workstations and servers, resetting user and systems accounts and installment of additional system monitoring controls.

New Zealand: Privacy after death does matter

27. July 2018

Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.

However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.

For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.

Consequently, there will be situations that contain mixed information on both the deceased and the requestor.

The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.

Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.

The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”

Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.

Japan and the EU are establishing an environment of data protection between its citizens (and companies)

18. July 2018

As part of the Economic Partnership Agreement (EPA), the European Union and Japan have signed the 17th July 2018, the two parties recognise each other’s data protection laws as equivalent. In this manner, personal data will flow in the future safely between the EU and Japan.

In Europe, a committee composed of representatives of the EU Member States has to give its consent and the European Data Protection Board (EDPB) publishes its opinion before the European Commission adopts the adequacy decision. Once the agreement is established, EU citizens and 127 Million Japanese consumers will benefit from international trading that includes the high privacy standards of the General Data Protection Regulation (GDPR).

Japanese companies now have to comply some safeguards to fulfil the European data protection level, like the protection of sensitive data, the requirements for transfer of data to a third country or the exercise of individual rights to access individual rights (compared to Art. 12 – 23 of the GDPR). The Japanese watchdog (PPC) will implement these rules as well as a complaint-handling mechanism to investigate and resolve complaints of European citizens concerning the data processing of Japanese controllers.

This agreement is a result of the communication Exchanging and Protecting personal data in a globalised world, announced by the Commission in January 2017.

The EEA EFTA States incorporate the General Data Protection Regulation (GDPR) soon

9. July 2018

On 20th of July 2018 the European Data Law will come into effect also in the three EFTA States (Iceland, Norway and Liechtenstein). This has been the result of the incorporation Agreement by the EEA Joint Committee in Brussels on July 6th 2018.

Before the GDPR becomes applicable throughout all three states, each of the states shall notify the agreement by a parliamentary process.

As usual for the EEA Joint Agreements, the EFTA States are obligated to implement the EU Regulation and they are affected by the Jurisdiction of the European Court of Justice (ECJ). The supervisory authority of the EFTA States also participates in the activities of the European Data Protection Board, without having the right to vote and to stand for election as chair or deputy chairs of the board.

Switzerland is not part of this agreement and has its own legal basis for data protection.

Pages: 1 2 3 4 5 6 Next
1 2 3 6