Category: General

Serious data breach in HIV clinic in London

11. May 2016

A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.

Twitter blocks U.S. Intelligence Agencies from Dataminr service

10. May 2016

Dataminr is used as a tool that analyzes and traces social media posts and notifies users about breaking news in real time, such as the terror attack in Brussel´s airport in March. This analysis is carried out by using key words, patterns, or geotags.

Twitter, that owns 5% of Dataminr, has now blocked U.S. intelligence services from its Dataminr service, in order not to appear to support the surveillance activities of the U.S. Intelligence services.

Dataminr services where used by the American Government in 2013 to detect any risks on the inauguration of U.S. President Obama´s second term. However, it is not clear how Dataminr provided this service to the U.S. Intelligence services, as Twitter´s privacy policy prohibits selling its data to governmental agencies.

Category: General · USA
Tags: ,

Spotify denies having suffered a data breach

29. April 2016

During this week credential data from hundreds of Spotify users was posted on the internet. This data includes country of registration, user name, password and type of account.

However, Spotify denied having suffered a data security breach. Furthermore, a company spokesman stated that they monitor certain websites regularly in order to find out if user credentials have been stolen and check if these credentials are authentic. If so, they inform the user and request a password change. Despite the statement of the spokesman, several users confirmed that their playlists had been accessed and their passwords and associated e-mails changed.

Spotify has suffered during the last years several hacker attacks. The last occurred in November 2015 and also user data was made public. Regarding the data posted online this week, the company states that it could affect data related to previous hack attacks.

Category: Data breach · General
Tags:

Council of Ministers votes on latest draft of GDPR

12. April 2016

In the past week, the EU national governments endorsed the latest draft of the European Union’s General Data Protection Regulation (GDPR) in a vote held by the Council of Ministers. It is now expected that the European Parliament will approve the GDPR within this week, along with a new Data Protection Directive for police and criminal justice authorities.

According to a press release of the Council of Ministers, which was published shortly after the vote last week, one of the main benefits of the Regulation is the fact that it provides for a single set of rules, which are valid across the EU and applicable both to European and non-European companies offering online services in the EU. Thus, the regulation provides the framework for increased cooperation between EU member states to ensure coherent application of the data protection rules.

The regulation follows a risk-based approach, which means that data controllers will be able to implement measures according to the risk involved in the data processing operations they perform. This will likely reduce administrative costs, as companies will not be forced to implement a “one-size-fits all“ solution.

The French DPA fines Google

29. March 2016

The French Data Protection Authority (“CNIL”) fines Google for data protection violation. In May 2014, the European Court of Justice had decided, that citizens could request search engines to delist inadequate or irrelevant web search results of themselves; the so-called “right-to-be-forgotten” was born.

The CNIL has now fined the US search engine 100.000 Euros over the right-to-be-forgotten, since Google just delisted web search results regionally, for instance only accross their European websites, such as google.fr and not also on the google.com website. By delisting web search results of a person only regionally, the data subject will practically not be able to exercise her/his right-to-be-forgotten efficiently. Search engines should instead delist search results from all their domains.

Turkish parliament passes personal data protection law

With the refugee crisis, a new capital between Turkey and the EU has started. In order to receive visa liberalization for Turkish citizens in the EU, Turkey has to fulfill certain criteria. One of the required criteria for Turkey was to pass a personal data protection law. On March 24, the Turkish parliament has finally passed a personal data protection bill.

The Turkish personal data protection law will e. g. define personal data and sensitive personal data. Among others, it will also regulate data transfers and individual rights of the data subject.

Since the law has passed now, a next step will be creating a nine-member Committee of Personal Data Protection under the Personal Data Protection Institute, affiliated with the Prime Ministry.

German Court rules against Facebook Like button

16. March 2016

The Consumer Protection Association of North-Rhine Westphalia submitted a formal complaint against the Fashion ID, run by Peek & Cloppenburg. The Düsseldorf District Court in Germany had to rule, whether Peek & Cloppenburg was allowed to have the Facebook Like button on their shopping website. The court decided, that in this case the Facebook Like button was violating German and EU Data Protection Law. The Fashion ID was transferring the gathered information of its consumers to the social media, irrespective of whether the consumer was signed on Facebook or not. Furthermore, it was criticized, that the information of the personal data subject was also transferred to Facebook, without even clicking the Facebook Like button before.

The Court decided, that such a procedure is not compliant with the applicable law. Companies should therefore implement measures, that safeguard the personal data of the consumer and not transfer the gained information to other parties, without the informed consent of the data subject.

Chinese privacy law

2. March 2016

According to an article on the International Association of Privacy website, Chinese privacy laws are still in their early stages and the existing laws are similar to international norms like notice and security. Nevertheless, the development of Chinese privacy law should not be ignored by companies, who wish to enter the Chinese market, since China is the growing economic power and has a wide consumer range. To understand Chinese privacy awareness, companies have to understand the cultural background and Chinese consumer expectations.

First of all, there should be a focus on community values, because the Chinese put a lot of importance to values and ethics. It is relevant to develop corporate policies, which show an understanding for the community values. For Chinese people it is important, that privacy law protects their private lives from community exposure.

Secondly, companies should try to understand the expectations of the Chinese consumers. The Chinese may be more open to data processing, especially if the processing leads to pragmatic outcomes, such as tailored features. Also, the Chinese may have fewer expectations towards privacy compared with other values, such as corporate transparency. Therefore companies should adjust their policies and put emphasis on transparency reports.

Category: General
Tags:

WP29 – Statement on 2016 Action Plan for the GDPR

16. February 2016

The WP29 has recently published a statement with regards to the action plan in order to implement the EU GDPR (General Data Protection Regulation). The 2016 Action Plan is based on the following four priorities, which are relevant for the tasks of the WP29 and their subgroups.

1. Building up the EDPB (European Data Protection Board) structure and its administration

The main task will be developing IT systems. The European Data Protection Supervisor and the WP29 will furthermore cooperate to set up human resources, a budget and future procedures of the EDPB.

2. Setting up the One-Stop-Shop and the consistency mechanism

In order to prepare the One-Stop-Shop several measures will be necessary, e. g. a lead DPO will have to be designated and the EDPB consistency mechanisms need to be developed.

3. Publishing guidelines for data controllers and processors

The WP29 will publish different guidelines to assist data controllers and data processors in order to fulfil their duties according to the GDPR, such as the new right to portability, “Data Protection Impact Assessment”, and the announcement of a DPO.

4. Communication around the EDPB and the GDPR

The WP29 intends to create an online communication tool, to reinforce the relationship between the EU institutions and to participate in external events to promote the new governance model.

The subgroups of the WP29 will continue fulfilling their tasks. The International Transfers subgroup for instance will carry on analyzing the judgement of the European Court of Justice concerning e.g. the Schrems case. Furthermore, they will be analyzing the EU-U.S. Privacy Shield and its impact on the international data transfers once it has been released.

The WP29 will examine the 2016 Action Plan regularly in order to complete it in 2017.

 

New Safe Harbor Agreement

2. February 2016

European officials and the U.S. agreed today on a new safe harbor agreement. The EU Article 29 Working Group had set a deadline until the end of January 2016 to find an alternative agreement, which was missed. The agreement still needs to be approved by the 28 member states. Further information on the new safe harbor agreement is expected after the EU Article 29 Working Group meeting, which is supposed to take place today and tomorrow.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 Next
1 7 8 9 10