Category: General

CNIL fines French insurance company

26. July 2019

The French Data Protection Authority (CNIL) imposed a € 180.000 fine on a French insurance company for violating customer data security on their website.

Active Assurance is an insurance intermediary and distributor of motor insurances to customers. On their website, people can request offers, subscribe to contracts and access their personal space.

In 2018, CNIL received a complaint from an Active Assurance customer, saying that he had been able access other users’ data. The other accounts were accessible via hypertext links referred on a search engine. Customers’ documents were also available by slightly changing the URL. Among those records were drivers’ licences, bank statements and documents revealing whether someone has been subject of a licence withdrawal or hit and run.

CNIL informed the company about the violations and a few days later, the company stated that measures had been taken to rectify the infringements. After an on-site audit at the company’s premises, CNIL found that the measures taken were not sufficient and that Active Assurance violates Art. 32 GDPR. Active Assurance should have ensured that only authorized persons had access to the documents. The company should have also instructed the customers to use strong passwords and it should not have send them the passwords in plain text by e-mail.

Based on the seriousness of the breach and the number of people involved, CNIL imposed a fine of € 180.000.

Hackers steal millions of Bulgarians’ financial data

18. July 2019

After a cyberattack on the Bulgarian’s tax agency (NRA) millions of taxpayers’ financial data has been stolen. In an estimate, it is said that most working adults in the 7 million country are affected by some of their data being compromised. The stolen data included names, adresses, income and social security information.

The attack happened in June, but an E-mail from the self-proclaimed perpetrator was sent to Bulgarian media on Monday. It stated that more than 110 databases of the agency had been compromised, the hacker calling the NRA’s cybersecurity a parody. The Bulgarian media were further offered access to the stolen data. One stolen file, e-mailed to the newspaper 24 Chasa,  contained up to 1,1 million personal identification numbers with income, social security and healthcare figures.

The country’s finance minister Vladislav Goranov has appologized in parliament and to the Bulgarian citizens, adding that about 3% of the tax agency’s database had been affected. He made clear that whoever attempted to exploit the stolen data would fall under the impact of Bulgarian law.

In result to this hacking attack, the Bulgarian tax agency now faces a fine of up to 20 million euros by the Commission of Personal Data Protection (CPDP). In addition, the issue has reignited an old debate about the lax cybersecurity standards in Bulgaria, and its adjustement to the modern times.

Google data breach notification sent to IDPC

Google may face further investigations under the General Data Protection Regulation(GDPR), after unauthorized audio recordings have been forwarded to subcontractors. The Irish Data Protection Commission (IDPC) has confirmed through a spokesperson that they have received a data breach notification concerning the issue last week.

The recordings were exposed by the Belgian broadcast VRT, said to affect 1000 clips of conversations in the region of Belgium and the Netherlands. Being logged by Google Assistant, the recordings were then sent to Google’s subcontractors for review. At least 153 of those recordings were not authorized by Google’s wake phrase “Ok/Hey, Google,” and were never meant to be recorded in the first place. They contained personal data reaching from family conversations over bedroom chatter to business calls with confidential information.

Google has addressed this violation of their data security policies in a blog post. It said that the audio recordings were sent to experts, who understand nuances and accents, in order to refine Home’s linguistic abilities, which is a critical part in the process of building speech technology. Google stresses that the storing of recorded data on its services is turned off by default, and only sends audio data to Google once its wake phrase is said. The recordings in question were most likely initiated by the users saying a phrase that sounded similar to “Ok/Hey, Google,” therefore confusing Google Assistant and turning it on.

According to Google’s statement, Security and Privacy teams are working on the issue and will fully review its safeguards to prevent this sort of misconduct from happening again. If, however, following investigations by the IDPC discover a GDPR violation on the matter, it could result in significant financial penalty for the tech giant.

Hearing on the legal challenge of SCC and US-EU Privacy Shield before CJEU

17. July 2019

On Tuesday last week, the European Court of Justice (CJEU) held the hearing on case 311/18, commonly known as “Schrems II”, following a complaint to the Irish Data Protection Commission (DPC) by Maximilian Schrems about the transfer of his personal data from Facebook Ireland to Facebook in the U.S. The case deals with two consecutive questions. The initial question refers to whether U.S. law, the Foreign Intelligence Service Act (FISA), that consists a legal ground for national security agencies to access the personal data of citizens of the European Union (EU) violates EU data protection laws. If confirmed, this would raise the second question namely whether current legal data transfer mechanisms could be invalid (we already reported on the backgrounds).

If both, the US-EU Privacy Shield and the EU Standard Contractual Clauses (SCCs) as currently primeraly used transfer mechanisms, were ruled invalid, businesses would probably have to deal with a complex and diffucult scenario. As Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum said, the hearing would have had a particularly higher impact than the first Schrems/EU-US Safe Harbor case, because this time it could affect not only data transfers from the EU to the U.S., but from the EU to all countries around the world where international data transfers are based on the SCCs.

This is what also Facebook lawyer, Paul Gallagher, argued. He told the CJEU that if SCCs were hold invalid, “the effect on trade would be immense.” He added that not all U.S. companies would be covered by FISA – that would allow them to provide the law enforcement agencies with EU personal data. In particular, Facebook could not be hold responsible for unduly handing personal data over to national security agencies, as there was no evidence of that.

Eileen Barrington, lawyer of the US government assured, of course, by referring to a “hypothetical scenario” in which the US would tap data streams from a cable in the Atlantic, it was not about “undirected” mass surveillance. But about “targeted” collection of data – a lesson that would have been learned from the Snowden revelations according to which the US wanted to regain the trust of Europeans. Only suspicious material would be filtered out using particular selectors. She also had a message for the European feeling of security: “It has been proven that there is an essential benefit to the signal intelligence of the USA – for the security of American as well as EU citizens”.

The crucial factor for the outcome of the proceedings is likely to be how valid the CJEU considers the availability of legal remedies to EU data subjects. Throughout the hearing, there were serious doubts about this. The monitoring of non-US citizens data is essentially based on a presidential directive and an executive order, i.e. government orders and not on formal laws. However, EU citizens will be none the wiser, as particularly, referring to many critisists’ conlusion, they do not know whether they will be actually surveilled or not. It remains the issue regarding the independence of the ombudsperson which the US has committed itself to establish in the Privacy Shield Agreement. Of course, he or she may be independent in terms of the intelligence agencies, but most likely not of the government.

However, Henrik Saugmandsgaard Øe, the Advocate General responsible for the case, intends to present his proposal, which is not binding on the Judges, on December 12th. The court’s decision is then expected in early 2020. Referring to CJEU judge and judge-rapporteur in the case, Thomas von Danwitz, the digital services and networking would be considerably compromised, anyways, if the CJEU would declare the current content of the SCC ineffective.

 

 

Record fine by ICO for British Airways data breach

11. July 2019

After a data breach in 2018, which affected 500 000 customers, British Airways (BA) has now been fined a record £183m by the UK’s Information Commissioners Office (ICO). According to the BBC, Alex Cruz, chairman and CEO of British Airways, said he was “surprised and disappointed” by the ICO’s initial findings.

The breach happened by a hacking attack that managed to get a script on to the BA website. Unsuspecting users trying to access the BA website had been diverted to a false website, which collected their information. This information included e-mail addresses, names and credit card information. While BA had stated that they would reimburse every customer that had been affected, its owner IAG declared through its chief executive that they would take “all appropriate steps to defend the airline’s position”.

The ICO said that it was the biggest penalty that they had ever handed out and made public under the new rules of the GDPR. “When an organization fails to protect personal data from loss, damage or theft, it is more than an inconvenience,” ICO Commissioner Elizabeth Dunham said to the press.

In fact, the GDPR allows companies to be fined up to 4% of their annual turnover over data protection infringements. In relation, the fine of £183m British Airways received equals to 1,5% of its worldwide turnover for the year 2017, which lies under the possible maximum of 4%.

BA can still put forth an appeal in regards to the findings and the scale of the fine, before the ICO’s final decision is made.

China: Tourist mobile phones are scanned by an app

8. July 2019

Foreign tourists who want to enter the Chinese province of Xinjiang by land are spied out via an app.
For the first time, employees of the Süddeutsche Zeitung, Motherboard Vice and various other media portals in cooperation with IT-experts of the Ruhr University Bochum have succeeded in decrypting a Chinese surveillance software that also targets foreigners.

It has been known for some time that the Chinese authorities use apps to monitor the Uighur residents of Xinjiang province (we reported). What is new is that foreign tourists and businessmen coming from Kyrgyzstan to Xinjiang by land have to hand in their mobile phones at the borders and then get the Android app “Fengcai” (“collecting bees”) installed. They are not explicitly informed about this.

The app gets access to the contacts, the calendar, the SMS, the location or the call lists and transmits them to a computer of the border police. In addition, the app scans the phone for over 70,000  files that are suspicious from Chineses government’s point of view. Many scanned files refer to extremist content related to the Islamic state, but also harmless religious content or files related to Taiwan, Tibet or the Dalai Lama are part of the list. If the app discovers anything, it emits a warning tone and thereby informs the border police.

The app also scans the phones to see which apps were installed by the user and even extract usernames but several antivirus firms already updated their products to identify the app as malware.

Neither the Chinese authorities nor the company that developed the app reacted to a request for comment.

Category: General · Personal Data
Tags: ,

Texas amends Data Breach Notification Law

2. July 2019

The Governor of Texas, Greg Abbott, recently signed the House Bill 4390 (HB 4390), which modifies the state’s current Data Breach Notification law and introduces an advisory council (“Texas Privacy Privacy Protection Advisory Council”) charged with studying data privacy laws in Texas, other states and relevant other jurisdictions.

Prior to the new amendment, businesses had to disclose Data Breaches to the Data Subjects “as quickly as possible”. Now, a concrete time period for notifying individuals whose sensitive personal information was acquired by an unauthorized person is determined by the bill. Individual notice must now be provided within 60 days after discovering the breach.

If more than 250 residents of Texas are subject to a Data Breach the Texas Attorney General must also be notified within 60 days. Such a notification must include:
– A detailed description of the nature and circumstances of the data breach;
– The number of the affected residents at that time;
– The measures taken regarding the breach and any measures the responsible person intends to take after the notification;
– Information on whether the law enforcement is engaged in investigating the breach.

The amendments take effect on January, 1 2020.

Category: General · USA
Tags: , ,

Italian DPA fines Facebook

The Italian Data Protection Authority Garante (Garante per la protezione dei dati personali) fined Facebook due to the Cambridge Analytica Scandal of 2015, which was discovered in 2018. The Cambridge Analytica Scandal is connected to the presidential campaign of the current president of the USA Donald Trump.

The Garante has imposed a fine of EUR 1.000.000 for abusing the use of data of more than 200.000 Italian Facebook users and their Facebook friends. According to the Garante, the abused data has not been transferred to Cambridge Analytica, which was also confirmed by a Facebook spokesman.  Nevertheless, the high fine was imposed.

The fine is still based on the old Italian Data Protection law because at the time of the abusive use the GDPR, which now applies throughout Europe, was not yet in force.

Facebook has to answer to the scandal not only in Italy. Legal consequences are also looming in the USA.

 

Consumers should know how much their data is worth

27. June 2019

US Senators Mark R. Warner (Democrats) and Josh Hawley (Republicans) want to know from Facebook, Google and Co. exactly how much the data of their users, measured in dollars and cents, is worth to them.

Last Sunday, the two senators announced their intention for the first time in a US talk show: Every three months, each user is to receive an overview of which data has been collected and stored and how the respective provider rates it. In addition, the aggregated value of all user data is to be reported annually to the US Securities and Exchange Commission. In this report, the companies are to disclose how they store, process and protect data and how and with which partner companies they generate sales with the data. All companies with more than 100 million users per month will be affected.

The value of user data has risen enormously in recent years; so far, companies have protected their internal calculations as company secrets. In addition, there is no recognized method for quantifying the value of user data; only when a company is sold or valued by means of an initial public offering (IPO) does it become obvious. In the case of the WhatsApp takeover it was  $ 55 per user, in the case of Skype it was $ 200.

But one can doubt the significance of these figures. A further indication can be the advertising revenues, which are disclosed by companies per quarter. At the end of 2018, Facebook earned around $6 per user worldwide, while Amazon earned $752 per user. These figures are likely to rise in the future.  “For years, social media companies have told consumers that their products are free to the user. But that’s not true – you are paying with your data instead of your wallet,” said Senator Warner. “But the overall lack of transparency and disclosure in this market have made it impossible for users to know what they’re giving up, who else their data is being shared with, or what it’s worth to the platform. […]” Experts believe it is important for consumers to know the value of their data, because only when you know the value of a good you are able to value it.

On Monday, Warner and Rawley plan to introduce the  Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act to the parliament for its first reading. It remains to be seen whether their plans will meet with the approval of the other senators.

German Data Protection Authority of Baden-Württemberg fines an employee of a public body

24. June 2019

According to an announcement of the LfDI Baden-Würtemberg, which is one of the 16 German State Data Protection Authorities (DPA), a first fine of 1,400 Euro has been filed against an employee of a public body. The police officer unlawfully retrieved personal data in the context of his job solely for private purposes. Referring to the DPA’s statement, this was the first fine imposed on an employee of a public body after the EU General Data Protection Regulation (GDPR) has become applicable.

The police officer used his official user ID to file a request for the owner data relating to a license plate of a private coincidental aquaintance, without reference to his official duties. Using the personal data obtained in this way, he then carried out a second enquiry with the Federal Network Agency. By doing so, he then not only requested the personal data of the data subject, but also the fixed line and mobile numbers. Without the data subject’s official request or consent, the police officer finally used the obtained mobile number to contact the injured party by phone.

By filing the aforementioned requests for private puproses and the usage of the mobile number obtained in this way to make a private contact, the police officer autonomously processed personal data for non-legal purposes. Therefore, the police officer’s department cannot be hold responsible, as this action has not been taken in the course of the official duties of the police officer. As a consequence, the police officer is responsible for this breach of the GDPR as an individual. Neither the public body, which cannot be subject to sanctions according to the State Data Protection Act, is responsible nor the police officer is classified as a public body in the sense of this law.

Taking into account that it was the first of such a violation of the data protection laws, a fine of 1,400 Euro pursuant to Article 83 Paragraph 5 GDPR was considered to be appropriate. However, this case shows that even an employee of a public body might become subject to a fine if this person unlawfully processes personal data for private purposes only.

Category: GDPR · General
Tags:
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 12 13 Next
1 2 3 4 13