Category: General

The California Consumer Privacy Act of 2018

19. July 2018

On June 28th 2018, California passed the California Consumer Privacy Act (CCPA), which is considered to be the strongest privacy protection measure in the U.S. The new California law, which takes effect as of January 1st 2020, grants residents of California a broad protection when it comes to processing their personal data by a profit orientated business.

The new Act has an impact on every company that does business in California or to affiliated, co-branded entities of the business that meets the below criteria even if the affiliate does not have a business in California. For the CCPA to be applicable, the business either

1. has an annual gross Revenue of $25 million or more,
2. collects, busy or sells 50,000 or more consumers’ personal information each year for commercial purposes or
3. dervies 50% or more of their annual Revenue from selling consumers’ personal Information.

After the European General Data Protection Act (GDPR) became effective as of 25th May 2018, businesses who are also dealing with data of Californian residents will have to comply with an additional regulation.

California being the 5th largest global economy behind the United States, China, Japan and Germany (even beating the United Kingdom) companies should take a number of affirmative steps to comply with the new requirements prior to  1st of January 2020.

While both the GDPR and the CCPA address the collection of personal information by businesses, they differ in their obligations and requirements for businesses to be compliant. Unfortunately, the implementations, which came into action for the GDPR, will not be enough for the CCPA regulation.

Even though the CCPA is stricter in some aspects, unlike the GDPR demands, businesses will not be required to get people’s permission to collect their personal data in the first place.

The CCPA however defines personal data more broadly and requires specific disclosures and communication channels that are not required by the GDPR. The CCPA also contains different exceptions to the right to have personal data deleted, establishes broader rights to access personal data and imposes tighter restrictions on data sharing for commercial purposes.

It is advisable that global companies who are impacted by the regulations should try to address the requirements of the GDPR and CCPA simultaneously and holistically.

Category: General

Japan and the EU are establishing an environment of data protection between its citizens (and companies)

18. July 2018

As part of the Economic Partnership Agreement (EPA), the European Union and Japan have signed the 17th July 2018, the two parties recognise each other’s data protection laws as equivalent. In this manner, personal data will flow in the future safely between the EU and Japan.

In Europe, a committee composed of representatives of the EU Member States has to give its consent and the European Data Protection Board (EDPB) publishes its opinion before the European Commission adopts the adequacy decision. Once the agreement is established, EU citizens and 127 Million Japanese consumers will benefit from international trading that includes the high privacy standards of the General Data Protection Regulation (GDPR).

Japanese companies now have to comply some safeguards to fulfil the European data protection level, like the protection of sensitive data, the requirements for transfer of data to a third country or the exercise of individual rights to access individual rights (compared to Art. 12 – 23 of the GDPR). The Japanese watchdog (PPC) will implement these rules as well as a complaint-handling mechanism to investigate and resolve complaints of European citizens concerning the data processing of Japanese controllers.

This agreement is a result of the communication Exchanging and Protecting personal data in a globalised world, announced by the Commission in January 2017.

Data breach at Panini’s online service ‘MyPanini’

2. July 2018

According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.

The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.

Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.

To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.

The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.

It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.

Facebook: EU Data may not have been shared with Cambridge Analytica

27. June 2018

As Bloomberg reports, Facebook said that evidence suggests that EU data may not be shared with Cambridge Analytica at all. Stephen Satterfield, a director on Facebook’s Privacy and Public Policy team told European Union lawmakers in a hearing: “The best information we have suggests that no European user data was shared by Dr. [Aleksandr] Kogan with Cambridge Analytica”. Aleksandr Kogan was the researcher who developed the app that allowed Cambridge Analytica to receive data from millions of Facebook users, which were later sold to the consulting firm working on the Donald Trump U.S. presidential campaign.

Facebook clarifies that they cannot be 100 per cent certain about this matter and that they will have to await the results of their own internal investigations, following the conclusion of the investigations of the U.K. Information Commissioner’s Office (ICO) that are being undertaken at the moment. In March this year, the offices of Cambridge Analytica were investigated by the ICO amid the allegations information of Facebook’s user data was obtained without the data subject’s consents.

Richard Allen, Facebook’s vice president of policy solutions, explaining the evidences that led Facebook to the conclusion that European data may not be shared with Cambridge Analytica, said that Kogan’s contract with Cambridge Analytica instructed Kogan to collect data from Americans to be used in the political campaigns. Allan further said, that Kogan may still have collected European data, while most of the people who installed the app were Americans.

“But the data he delivered to Cambridge Analytica were the Americans’ data because that’s all they wanted,” Allan stated.

However, Facebook previously had announced that about 2.7 million Europeans may have had their data shared with Cambridge Analytica. Ursula Pachl, deputy director-general of European consumer group BEUC said: “I have to say I was a bit surprised by the statements,” by further adding, “this is a contradiction, I don’t know how it can be explained.”

European Court of Justice (ECJ): Facebook fanpages will be treated as a case of Joint Control

11. June 2018

With its judgment of June 5 2018, the ECJ decided that both the initiator of the fan pages (e.g. a company) and Facebook are jointly responsible in terms of the General Data Protection Regulation (GDPR) for the personal data collected within the scope of Facebook fan pages.

Fanpages are a Facebook profile of a company that can be used to easily communicate with customers.

Until now, information has been collected from customers who have contacted a company via Facebook. Depending on the type of use of the fan pages, the name and profile of the customer were stored. Facebook has also passed on information collected from users via tracking tools to the respective initiators of the fan pages. In the opinion of the ECJ, the affected users of the respective fan pages were not sufficiently informed about this fact, so that the following requirements must be observed in future:

Who visits a fan page must be informed about which data is collected for which purposes.

In consultation with Facebook, fan page operators must have their own knowledge of what data are collected in order to be able to inform them. This information is obligated pursuant to Art. 13 and 14 of the GDPR.

Before tracking tools and cookies are used, consent must be obtained.

Furthermore, companies and Facebook must become aware of their shared responsibility. It is not yet clear whether this will be done with a contract pursuant to Art. 26 GDPR on Joint Control or with an order data processing agreement pursuant to Art. 28 GDPR. Another solution may also be found.

However, this judgement will not only have consequences for Facebook, but will also affect all social media platforms. This not only affects companies that have their own company presence on Facebook, but also platforms such as LinkedIn, Twitter, Google+ etc., provided that similar tracking functions or other data surveys offer or are included.

Category: General

Under the new GDPR: Complaints against Google, Instagram, WhatsApp and Facebook

1. June 2018

On the 25th of May, the day the General Data Protection Regulation (GDPR) came into force, noyb.eu filed four complaints over “forced consent” against Google (Android), Instagram, WhatsApp and Facebook.

The complaints filed by the organisation (None Of Your Business) led by Austrian activist Schrems could result in penalties worth up to 7 billion euros. Max Schrems has been fighting Facebook over data protection issues for almost ten years. His earlier lawsuit challenged Facebook’s ability to transfer data from the European Union to the United States (“Safe Harbor”).

The activist alleged that people were not given a “free choice” whether to allow companies to use their data. Noyb.eu bases its opinion on the distinction between necessary and unnecessary data usage. “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.” (See https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf) The organisation also claims that under Art. 7 (4) of the GDPR forced consent is prohibited.

The broadly similar complaints have been filed in authorities in various countries, regardless of where the companies have their headquarters. Google (Android) in France (data protection authority: CNIL) with a maximum possible penalty in the amount of 3.7 billion euro although its headquarter is in the USA. Instagram (Facebook) in Belgium (DPA). WhatsApp in Hamburg (HmbBfDI) and Facebook in Austria (DSB). All of these last three have their headquarters in Ireland and could face a maximum possible penalty in the amount of 1.3 billion euro.

The US Senate votes in favor of restoring Net Neutrality rules

17. May 2018

On June 11, anti-net-neutrality is set to take effect in the USA. In a resolution, the Senate has now declared itself in favour of its preservation. The U.S. Senate on Wednesday voted narrowly (52 to 47) to reverse the Federal Communications Commission (FCC) decision in December 2017 to repeal net neutrality rules. Three Republicans voted with all 47 Democrats and two Democratic-leaning senators to back the measure.

The FCC resolution is under the rarely used Congressional Review Act. It is a law that allows Congress, with a simple-majority vote in both houses, to repeal new regulations by federal agencies within 60 legislative days of implementation. Despite the Senate’s passing of the resolution, the measure is unlikely to be approved by the House of Representatives because at least two dozen Republicans must vote against the party line.

Net neutrality is the concept that internet service providers (or governments) treat all data on the internet the same regardless of content, user, platform, application or device. Network neutrality prevents all internet service providers from slowing down connections for people attempting to access certain sites, apps and services, and blocking legal content.

Category: General · USA
Tags:

In China National Standard on Personal Information Security (GB/T 35273-2017) Went into Effect

14. May 2018

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification not mandatory and it is not possible to enforce it directly. Nonetheless, it could become important in the sense of guideline or reference for their administration and enforcement agencies.
The “Specification” embodies a framework concerning the collection, retention, use, sharing and transfer of personal information.

The Information Security Technology – Personal Information Security Specification establishes primary rules for personal information security, notice and consent requirements, security measures, rights of data subjects and requirements related to internal administration and management.
It distinguishes between personal information and sensitive personal information. For the latter exist specific obligations for its collection and use.
Under the the „Specification“, sensitive personal information means information such as personal identity information (ID card or passport number), financial information (bank account number or credit information) and biological identifying information (fingerprint or iris information).

Even though the “Specification” is not binding it may become significant within China because it constitutes benchmarks for the processing of personal information by a wide variety of entities and organizations. Companies that collect or process personal information should make sure that their practices in China are in compliance with the „Specification“.

Category: General · Personal Data
Tags:

WP29 Guidelines on the notion of consent according to the GDPR – Part 2

3. April 2018

Continued from the article about the Working Party 29 (WP29) guidelines on consent, additional elements of the term should be considered as consent plays a key role for the processing of personal data.

The GDPR requires consent to further be specific, i.e. the data subject must be informed about the purpose of the processing and be safeguarded against function creep. The data controller has to, again, be granular when it comes to multiple consent requests and clearly separate information regarding consent from other matters.

In case the data controller wishes to process the data for a new purpose, he will have to seek new consent from the data subject and cannot use the original consent as a legitimisation for processing of further or new purposes.

Consent will also be invalid if the data controller doesn’t comply with the requirements for informed consent. The WP29 lists six key points for consent to be informed focussing on the aspect that the data subject genuinely needs to understand the processing operations at hand. Information has to be provided in a clear and plain language and should not be hidden in general terms and conditions.

Furthermore, consent has to be an unambiguous indication of wishes, i.e. it must always be given through an active motion or declaration. For example, the use of pre-ticked opt-in boxes is invalid.

However, explicit consent is required in situations where serious data protection risks emerge such as the processing of Special categories of data pursuant to Art. 9 GDPR.

In general, the burden of proof will be on the data controller according to Art. 7 GDPR, without prescribing any specific methods. The WP29 recommends that consent should be refreshed at appropriate intervals.

Concerning the withdrawal of consent, it has to be as easy as giving consent and should be possible without detriment.

The WP29 also recommends that data controllers assess whether processing of data is appropriate irrespective of data subjects’ requests.

Cambridge Analytica and Facebook under investigation

27. March 2018

As Bloomberg reports, the offices of Cambridge Analytica were investigated by the U.K. Information Commissioner’s Office (ICO) amid allegations that information of millions of Facebook’s users data was obtained without the data subject’s consents. Personal information from about 50 million people should be affected because 270.000 Facebook user should have used a personality-analysis app, which should not only have the permission to enter the users’ data, but also those of the users’ friends.

According to the ICO, the investigation should be a part of a larger look into “the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors”.

Facebook, because of this revelation not only lost a significant amount of its stock shares. As Forbes reports, the U.S. Federal Trade Commission (FTC) confirmed the launch of an own investigation against Facebook. It is said that according to Tom Pahl, the director of the FTC’s Bureau of Consumer Protection, the “FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook” and that “the FTC is confirming that it has an open non-public investigation into these practices.”

 

 

Category: General
Pages: 1 2 3 4 5 6 Next
1 2 3 6