Category: General

Luxembourg publishes two new Data Protection Laws

24. August 2018

On August 1st, 2018 the Luxembourg government adopted two new data protection laws implementing certain parts of the General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) and repeals the former data protection law of 2002. Draft Bill Number 7184 and 7168 were adopted and complement the GDPR, which has been in force since 25 May 2018 throughout the European Union.

The newly implemented laws don’t add any further restrictions to the processing of personal data, but rather serve as implementing provisions required under GDPR.

The new Luxembourg Data Protection Law defines the organisation, missions and competence of the Luxembourg data protection authority (Commission nationale pour la protection des données – CNPD) and provides specific requirements or exceptions. The CNPD has been granted broad investigation powers. The CNPD receives for example the right to obtain access from any controller or processor to all personal data and information necessary to verify compliance under GDPR. The CNPD is also in charge to issue warning, orders and fines to any controller or processor who is not compliant under the provisions of the GDPR.

The second new law, the Luxembourg Law on Criminal Data Processing specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security.

The two laws should be read together, as they jointly extend the competences of the CNPD.

Starting with the new implementations, Luxembourg companies are discharged of the administrative burden of an active notification of personal data processing to the CNPD prior to processing personal data. However, companies should be ready to be controlled by the local regulator and therefore they are obliged to keep a record of the processing of personal data that is carried out under their responsibility.

The final versions were published on August 16th, 2018 in the Official Gazette of Luxembourg.

Database operators in Sweden exempt from GDPR

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.

It is expected that the relevant laws will be amended in the first half of 2019.

Brazilian General Data Protection Law

17. August 2018

On August 14th, a new data protection law was passed in Brazil and is named Brazilian General Data Protection Law (LGPD). The law will come into effect in early 2020.

The new legal framework deals with personal data in Brazil, both online and offline as well as in the private and public sectors. Until now the country has more than 40 legal norms at the federal level which are replaced and/or supplementing the previous regulations.

The new law aims to help Brazil enter the roll of more than 120 countries that today may be considered to have an adequate level of protection of privacy and the use of personal data, so that Brazil can compete on the global market.

As next step a DPA is created and will be an independent public authority responsible for the supervision of the law and enforcement. The authority is able to establish guidelines for the promotion of protection of personal data in Brazil.

Apple’s Taiwanese key chip supplier TSMC was struck by a virus

7. August 2018

Taiwan Semiconductor Manufacturing Co Ltd (TSMC), the largest contract chipmaker worldwide and one of Apple’s key suppliers, has warned of a 150 million EURO hit to revenue and delays to shipments after its factories were hit with a computer virus targeting Windows computers.

TSMC, which supplies the majority of the processors for Apple’s iPads and iPhones (iPhone 8 and X), claims that parts of its production facilities in Taiwan were forced to resume production after the outbreak of a virus last Friday night.

The virus is a variation of WannaCry. The ransomware attack aimed at computers running Microsoft Windows and threatened to erase files unless the attackers were paid in the cryptocurrency Bitcoin.

According to the company 80% of the company’s affected computers had been fixed on Sunday and neither its client information nor its data manufacturing base were implicated.
Since the manufacturer does not exclusively work for Apple, it also fabricates chips for lots of other companies which also have been notified. TSMC stated that it would have to delay shipments of chips to some customers. This would decrease their third quarter revenue up to 2% which is equivalent to 150 million EURO.

Category: Cyber security · General
Tags: ,

Data of patients disclosed in Singapore’s largest data breach in history

30. July 2018

A cyberattack has impacted data of 1.5 Mio patients of SingHealth clinics by stealing name, ID Card number, address, gender, race and date of birth as reported by ARN Net.

Due to “operational security reasons”, the authorities haven’t disclosed the identity of the responsibles behind the attack.

Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”

The report further states that all patients, whether or not they were affected will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

According to Channel Asia the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, gaining privileged account credentials to gain access to the database.

It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all Patient records in SingHealth’s IT system remain intact.

Several measures have been taken in terms of IT-security such as controls on workstations and servers, resetting user and systems accounts and installment of additional system monitoring controls.

New Zealand: Privacy after death does matter

27. July 2018

Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.

However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.

For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.

Consequently, there will be situations that contain mixed information on both the deceased and the requestor.

The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.

Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.

The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”

Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.

One year after the massive data breach at Equifax

Last year at this time the Credit Bureau Equifax has been hacked and the sensitive data of approximately 143 million consumers has been affected.

The data breach is considered to be the worst data breach in US history, according to the scale and the nature of the information exposed. Hackers have entered the system and stole data like consumer’s name, social security numbers, birth dates, addresses and in some cases also driver’s license numbers, as well as credit card numbers.

After the data breach, the company had to be determined that they were not prepared for such an event, measures had to be taken. So what happened during the past year?

Equifax has remained fairly quiet amidst class action suits, congressional scrutiny, a Federal Trade Commission probe, and a wave of new state regulations designed to ensure that Equifax substantially improves its security defenses. Beyond others, in February a new Chief Information Security Officer, Jamil Farshchi, was hired. Farshchi had managed information security at high-stakes companies and cleaned up data breaches before. Furthermore, Equifax invested $200 million on data security infrastructure.

So the transformation is in process to create a world-class security program at Equifax.

Data breach exposes data including trade secrets from several large carmakers

24. July 2018

A security researcher from the UpGuard Cyber Risk Team detected that various data from carmakers like Volkswagen, Ford and Toyota were exposed. UpGuard is an Australian cybersecurity group that among other things detects data breaches.

The source of the data leak is a small Canadian company called Level One Robotics and Controls. On a publicly accessible backup server of the engineering company were files from more than a hundred companies in business with said company. Belonging to the group of companies affected by the leak are some of the biggest carmakers like Tesla, VW, Toyota, General Motors, Chrysler and ThyssenKrupp.

The 47.000 unsecured files contained inter alia product designs, invoices, bank accounts and contracts. Some of these data are among the industry’s most closely guarded and confidential trade secrets. In addition, a number of non-disclosure agreements explaining the sensitivity of the leaked information formed part of the exposed data.

The researcher issued a leakage warning and since then the accessible information was taken offline within 24 hours.

The California Consumer Privacy Act of 2018

19. July 2018

On June 28th 2018, California passed the California Consumer Privacy Act (CCPA), which is considered to be the strongest privacy protection measure in the U.S. The new California law, which takes effect as of January 1st 2020, grants residents of California a broad protection when it comes to processing their personal data by a profit orientated business.

The new Act has an impact on every company that does business in California or to affiliated, co-branded entities of the business that meets the below criteria even if the affiliate does not have a business in California. For the CCPA to be applicable, the business either

1. has an annual gross Revenue of $25 million or more,
2. collects, busy or sells 50,000 or more consumers’ personal information each year for commercial purposes or
3. dervies 50% or more of their annual Revenue from selling consumers’ personal Information.

After the European General Data Protection Act (GDPR) became effective as of 25th May 2018, businesses who are also dealing with data of Californian residents will have to comply with an additional regulation.

California being the 5th largest global economy behind the United States, China, Japan and Germany (even beating the United Kingdom) companies should take a number of affirmative steps to comply with the new requirements prior to  1st of January 2020.

While both the GDPR and the CCPA address the collection of personal information by businesses, they differ in their obligations and requirements for businesses to be compliant. Unfortunately, the implementations, which came into action for the GDPR, will not be enough for the CCPA regulation.

Even though the CCPA is stricter in some aspects, unlike the GDPR demands, businesses will not be required to get people’s permission to collect their personal data in the first place.

The CCPA however defines personal data more broadly and requires specific disclosures and communication channels that are not required by the GDPR. The CCPA also contains different exceptions to the right to have personal data deleted, establishes broader rights to access personal data and imposes tighter restrictions on data sharing for commercial purposes.

It is advisable that global companies who are impacted by the regulations should try to address the requirements of the GDPR and CCPA simultaneously and holistically.

Category: General

Japan and the EU are establishing an environment of data protection between its citizens (and companies)

18. July 2018

As part of the Economic Partnership Agreement (EPA), the European Union and Japan have signed the 17th July 2018, the two parties recognise each other’s data protection laws as equivalent. In this manner, personal data will flow in the future safely between the EU and Japan.

In Europe, a committee composed of representatives of the EU Member States has to give its consent and the European Data Protection Board (EDPB) publishes its opinion before the European Commission adopts the adequacy decision. Once the agreement is established, EU citizens and 127 Million Japanese consumers will benefit from international trading that includes the high privacy standards of the General Data Protection Regulation (GDPR).

Japanese companies now have to comply some safeguards to fulfil the European data protection level, like the protection of sensitive data, the requirements for transfer of data to a third country or the exercise of individual rights to access individual rights (compared to Art. 12 – 23 of the GDPR). The Japanese watchdog (PPC) will implement these rules as well as a complaint-handling mechanism to investigate and resolve complaints of European citizens concerning the data processing of Japanese controllers.

This agreement is a result of the communication Exchanging and Protecting personal data in a globalised world, announced by the Commission in January 2017.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 12 13 14 Next
1 6 7 8 9 10 14