Category: General

UK: Betting companies had access to millions of data of children

28. January 2020

In the UK, betting companies have gained access to data from 28 million children under 14 and adolescents. The data was stored in a government database and could be used for learning purposes. Access to the platform is granted by the government. A company that was given access is said to have illegally given it to another company, which in turn allowed access for the betting companies. The betting providers used the access, among other things, to check age information online. The company accused of passing on the access denies the allegations, but has not yet made any more specific statements.

The British Department for Education speaks of an unacceptable situation. All access points have been closed and the cooperation has been terminated.

Category: Data breach · General · UK
Tags: , ,

Germany: Large Data leak reveals Personal Data of more than 3 Million Customers

27. January 2020

The German car rental company Buchbinder is responsible for leaking Personal Data of more than 3 Million customers from all over Europe. The data leak exposed more than 10 Terabyte of sensitive customer data over several weeks without the company noticing it.

A German cybersecurity firm was executing routine network scans when it found the data leak. The firm reported it twice to Buchbinder via e-mail, but did not receive a reply. After that, the cybersecurity firm reported the leak to the Bavarian Data Protection Authority (DPA) and informed the German computer magazine c’t and newspaper DIE ZEIT.

According to c’t, a configuration error of a Backup-Server was the cause of the leak. The Personal Data exposed included customers’ names, private addresses, birth dates, telephone numbers, rental data, bank details, accident reports, legal documents, as well as Buchbinder employees’ e-mails and access data to internal networks.

The data leak is particularly serious because of the vast amount of leaked Personal Data that could easily be abused through Spam e-mails, Fraud, Phishing, or Identity theft. It is therefore likely that the German DPA will impose a GDPR fine on the company in the future.

Buchbinder released a press statement apologising for the data leak and promising to enhance the level of their defense and cybersecurity system.

Italian DPA fined Eni Gas e Luce

22. January 2020

The Italian Data Protection Authority ‘Garante‘ fined the gas and electric company ‘Eni Gas es Luce – EGL’ for two violations of the GDPR.

Reason for the overall fine of  €11,5 million is unsolicited telemarketing (€8,5 million) and activation of unsolicited contracts (€3 million).

The santions were determined taking into account the parameters indicated in the GDPR, which include the wide range of subjects involved (about 7200 customers), the pervasiveness of the conduct, the duration of the violation, the economic conditions of EGL.

Besides the fine, the Garante has ordered EGL to adopt corrective measures in order to process personal data in compliance with the GDPR and prohibited the processing of personal data of EGL’s telemarketing list without explicit consent.

The implementations will have to be introduced and communicated to Garante within established timescales, while the payment of sanctions will have to be made within thirty days.

Category: General

CNIL publishes recommendations on how to get users’ cookie consent

21. January 2020

On 14 January 2020, the French data protection authority (“CNIL”) published recommendations on practical modalities for obtaining the consent of users to store or read non-essential cookies and similar technologies on their devices. In addition, the CNIL also published a series of questions and answers on the recommendations.

The purpose of the recommendations is to help private and public organisations to implement the CNIL guidelines on cookies and similar technologies dated 4 July 2019. To this end, CNIL describes the practical arrangements for obtaining users’ consent, gives concrete examples of the user interface to obtain consent and presents “best practices” that also go beyond the rules.

In order to find pragmatic and privacy-friendly solutions, CNIL consulted with organisations representing industries in the ad tech ecosystem and civil society organisations in advance and discussed the issue with them. The recommendations are neither binding or prescriptive nor exhaustive. Organisations may use other methods to obtain user consent, as long as these methods are in accordance with the guidelines.

Among the most important recommendations are:

Information about the purpose of cookies
First, the purposes of the cookies should be listed. The recommendations contain examples of this brief description for the following purposes or types of cookies:
(1) targeted or personalised advertising;
(2) non-personalized advertising;
(3) personalised advertising based on precise geolocation;
(4) customization of content or products and services provided by the Web Publisher;
(5) social media sharing;
(6) audience measurement/analysis.
In addition, the list of purposes should be complemented by a more detailed description of these purposes, which should be directly accessible, e.g. via a drop-down button or hyperlink.

Information on the data controllers
An exhaustive list of data controllers should be directly accessible, e.g. via a drop-down button or hyperlink. When users click on this hyperlink or button, they should receive specific information on data controllers (name and link to their privacy policy). However, web publishers do not have to list all third parties that use cookies on their website or application, but only those who are also data controllers. Therefore, the role of the parties (data controller, joint data controller, or data processor) has to be assessed individually for each cookie. This list should be regularly updated and should be permanently accessible (e.g. through the cookie consent mechanism, which would be available via a static icon or hyperlink at the bottom of each web page). Should a “substantial” addition be made to the list of data controllers, users’ consent should be sought again.

Real choice between accepting or rejecting cookies
Users must be offered a real choice between accepting or rejecting cookies. This can be done by means of two (not pre-ticked) checkboxes or buttons (“accept” / “reject”, “allow” / “deny”, etc.) or equivalent elements such as “on”/”off” sliders, which should be disabled by default. These checkboxes, buttons or sliders should have the same format and be presented at the same level. Users should have such a choice for each type or category of cookie.

The ability for users to delay this selection
A “cross” button should be included so that users can close the consent interface and do not have to make a choice. If the user closes the interface, no consent cookies should be set. However, consent could be obtained again until the user makes a choice and accepts or rejects cookies.

Overall consent for multiple sites
It is acceptable to obtain user consent for a group of sites rather than individually for each site. However, this requires that users are informed of the exact scope of their consent (i.e., by providing them with a list of sites to which their consent applies) and that they have the ability to refuse all cookies on those sites altogether (e.g., if there is a “refuse all” button along with an “accept all” button). To this end, the examples given in the recommendations include three buttons: “Personalize My Choice” (where users can make a more precise selection based on the purpose or type of cookies), “Reject All” and “Accept All”.

Duration of validity of the consent
It is recommended that users re-submit their consent at regular intervals. CNIL considers a period of 6 months to be appropriate.

Proof of consent
Data controllers should be able to provide individual proof of users’ consent and to demonstrate that their consent mechanism allows a valid consent to be obtained.

The recommendations are open for public consultation until 25 February 2020. A new version of the recommendations will then be submitted to the members of CNIL for adoption during a plenary session. CNIL will carry out enforcement inspections six months after the adoption of the recommendations. The final recommendations may also be updated and completed over time to take account of new technological developments and the responses to the questions raised by professionals and individuals on this subject.

German Officials warn Travellers to China of Espionage

17. January 2020

The German Federal Office for the Protection of the Constitution (BfV) sees a significant risk for the security of personal data when accessing local WiFi networks and the mobile network in China. A request from the German newspaper “Handelsblatt” to the BfV revealed that the Officials warn travellers to China of an increasing risk of espionage.

For the stay in China, the BfV discourages travellers from using laptops and smartphones that contain personal data, especially contact information. Instead, the BfV recommends to acquire a travel laptop and a prepaid mobile phone that could be resetted or even be disposed of after leaving China.

According to Handelsblatt, the warning stems from cases in which the Chinese border police conducted mobile phone controls at the Chinese border of Xinjiang and installed a surveillance App on tourists’ smartphones.

In 2016, the BfV already cautioned of potential espionage by Chinese secret services targetting students and researchers.

More US States are pushing on with new Privacy Legislation

3. January 2020

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020 and will be the first step in the United States in regulating data privacy on the Internet. Currently, the US does not have a federal-level general consumer data privacy law that is comparable to that of the privacy laws in EU countries or even the supranational European GDPR.

But now, several other US States have taken inspiration from the CCPA and are in the process of bringing forth their own state legislation on consumer privacy protections on the Internet, including

  • The Massachusetts Data Privacy Law “S-120“,
  • The New York Privacy Act “S5642“,
  • The Hawaii Consumer Privacy Protection Act “SB 418“,
  • The Maryland Online Consumer Protection Act “SB 613“, and
  • The North Dakota Bill “HB 1485“.

Like the CCPA, most of these new privacy laws have a broad definition of the term “Personal Information” and are aimed at protecting consumer data by strenghtening consumer rights.

However, the various law proposals differ in the scope of the consumer rights. All of them grant consumers the ‘right to access’ their data held by businesses. There will also be a ‘right to delete’ in most of these states, but only some give consumers a private ‘right of action’ for violations.

There are other differences with regards to the businesses that will be covered by the privacy laws. In some states, the proposed laws will apply to all businesses, while in other states the laws will only apply to businesses with yearly revenues of over 10 or 25 Million US-Dollars.

As more US states are beginning to introduce privacy laws, there is an increasing possiblity of a federal US privacy law in the near future. Proposals from several members of Congress already exist (Congresswomen Eshoo and Lofgren’s Proposal and Senators Cantwell/Schatz/Klobuchar/Markey’s Proposal and Senator Wicker’s Proposal).

Happy New Year!

1. January 2020

Dear readers,

the team of the blog privacy-ticker.com wish you a happy new year and all the best for 2020.

Once again this year we will keep you up to date on the subject of data protection.

Best regards,

privacy-ticker.com

Category: General

NIST examines the effect of demographic differences on face recognition

31. December 2019

As part of its Face Recognition Vendor Test (FRVT) program, the U.S. National Institute of Standards and Technology (NIST) conducted a study that evaluated face recognition algorithms submitted by industry and academic developers for their ability to perform various tasks. The study evaluated 189 software algorithms submitted by 99 developers. It focuses on how well each algorithm performs one of two different tasks that are among the most common applications of face recognition.

The two tasks are “one-to-one” matching, i.e. confirming that a photo matches another photo of the same person in a database. This is used, for example, when unlocking a smartphone or checking a passport. The second task involved “one-to-many” matching, i.e. determining whether the person in the photo matches any database. This is used to identify a person of interest.

A special focus of this study was that it also looked at the performance of the individual algorithms taking demographic factors into account. For one-to-one matching, only a few previous studies examined demographic effects; for one-to-many matching, there were none.

To evaluate the algorithms, the NIST team used four photo collections containing 18.27 million images of 8.49 million people. All were taken from operational databases of the State Department, Department of Homeland Security and the FBI. The team did not use images taken directly from Internet sources such as social media or from video surveillance. The photos in the databases contained metadata information that indicated the age, gender, and either race or country of birth of the person.

The study found that the result depends ultimately on the algorithm at the heart of the system, the application that uses it, and the data it is fed with. But the majority of face recognition algorithms exhibit demographic differences. In one-to-one matching, the algorithm rated photos of two different people more often as one person if they were Asian or African-American than if they were white. In algorithms developed by Americans, the same error occurred when the person was a Native American. In contrast, algorithms developed in Asia did not show such a significant difference in one-to-one matching results between Asian and Caucasian faces. However, these results show that algorithms can be trained to achieve correct face recognition results by using a wide range of data.

Austrian Regional Court grants an Austrian man 800€ in GDPR compensation

20. December 2019

The Austrian Regional Court, Landesgericht Feldkirch, has ruled that the major Austrian postal service Österreichische Post (ÖPAG) has to pay an Austrian man 800 Euros in compensation because of violating the GDPR (LG Feldkirch, Beschl. v. 07.08.2019 – Az.: 57 Cg 30/19b – 15). It is one of the first rulings in Europe in which a civil court granted a data subject compensation based on a GDPR violation. Parallel to this court ruling, ÖPAG is facing an 18 Mio Euro fine from the Austrian Data Protection Authorities.

Based on people’s statements in anonymised surveys, ÖPAG had created marketing groups and used algorithms to calculate the probability of the political affinities that people with certain socioeconomic and regional backgrounds might have. ÖPAG then ascribed customers to these marketing groups and thus also stored data about their calculated political affinities. Among these customers was the plaintiff of this case.

The court ruled that this combination is “personal data revealing political opinions” according to Art. 9 GDPR. Since ÖPAG neither obtained the plaintiff’s consent to process his sensitive data on political opinions nor informed him about the processing itself, ÖPAG violated the plaintiff’s individual rights.

While the plaintiff demanded 2.500 Euros in compensation from ÖPAG, the court granted the plaintiff only a non-material damage compensation of 800 Euros after weighing up the circumstances of the individual case.

The case was appealed and will be tried at the Higher Regional Court Innsbruck.

Advocate General releases opinion on the validity of SCCs in case of Third Country Transfers

19. December 2019

Today, Thursday 19 of December, the European Court of Justice’s (CJEU) Advocate General Henrik Saugmandsgaard Øe released his opinion on the validity of Standard Contractual Clauses (SCCs) in cases of personal data transfers to processors situated in third countries.

The background of the case, on which the opinion builds on, originates in the proceedings initiated by Mr. Maximillian Schrems, where he stepped up against Facebook’s business practice of transferring the personal data of its European subscribers to servers located in the United States. The case (Schrems I) led the CJEU on October 6, 2015, to invalidate the Safe Harbor arrangement, which up to that point governed data transfers between the EU and the U.S.A.

Following the ruling, Mr. Schrems decided to challenge the transfers performed on the basis of the EU SCCs, the alternative mechanism Facebook has chosen to rely on to legitimize its EU-U.S. data flows, on the basis of similar arguments to those raised in the Schrems I case. The Irish DPA brought proceedings before the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling, the Schrems II case.

In the newly published opinion, the Advocate General validates the established SCCs in case of a commercial transfer, despite the possibility of public authorities in the third country processing the personal data for national security reasons. Furthermore, the Advocate General states that the continuity of the high level of protection is not only guaranteed by the adequacy decision of the court, but just as well by the contractual safeguards which the exporter has in place that need to match that level of protection. Therefore, the SCCs represent a general mechanism applicable to transfers, no matter the third country and its adequacy of protection. In addition, and in light of the Charter, there is an obligation for the controller as well as the supervisory authority to suspend any third country transfer if, because of a conflict between the SCCs and the laws in the third country, the SCCs cannot be complied with.

In the end, the Advocate General also clarified that the EU-U.S. Privacy Shield decision of 12 July 2016 is not part of the current proceedings, since those only cover the SCCs under Decision 2010/87, taking the questions of the validity of the Privacy Shield off the table.

While the Advocate General’s opinion is not binding, it represents the suggestion of a legal solution for cases for which the CJEU is responsible. However, the CJEU’s decision on the matter is not expected until early 2020, setting the curiosity on the outcome of the case high.

Pages: Prev 1 2 3 ... 7 8 9 10 11 12 13 ... 22 23 24 Next
1 8 9 10 11 12 24