Category: Personal Data
28. December 2018
The Association of National Advertisers (ANA) is urging the Federal Trade Commission (FTC) to work towards a national privacy legislation and prevent fragmentation of the U.S. privacy landscape.
In its plea, the ANA specifically raises concerns about current developments regarding the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It deems both legislations to be overly restrictive and threatening to the free flow of information that “is vital to delivering the products and services that consumers value and expect” and asks the FTC to carry out a detailed review of the effects of the GDPR and the CCPA on competition and consumers.
The ANA is worried as “other states are considering additional and potentially inconsistent privacy and data security laws” and has been working with member companies and other industry groups to develop a new privacy paradigm that would be enforced by the FTC as a single national standard.
The approach involves allowing companies to use data considered “per se reasonable,” and prohibiting uses of data deemed “per se unreasonable.”
The reasonable practices “could include the collection and use of non-sensitive data for advertising purposes with consumer transparency and choice,” the ANA writes. Unreasonable ones “could include determining adverse terms or conditions or ineligibility for an individual’s: employment; credit; health care treatment; insurance; education and financial aid”.
The comments were filed in response to a request for input on the February 2019 FTC Hearing on Competition and Consumer Protection in the 21st Century, which will focus on consumer privacy.
27. December 2018
Uber’s major data breach of 2016 still has consequences as it has also been addressed by the French Data Protection Authority “CNIL”.
As reported in November 2017 and September 2018, the company had tried to hide that personal data of 50 million Uber customers had been stolen and chose to pay the hackers instead of disclosing the incident to the public.
1,4 million French customers were affected as well which is why the CNIL has now fined Uber 400K Euros (next to the settlement with the US authorities amounting to $148 Million).
The CNIL came to find out that the breach could have been avoided by implementing certain basic security measures such as stronger authentication.
Great Britain and the Netherlands have also already imposed a fine totalling €1 million.
14. December 2018
According to the German information portal mobilsicher.de, about 30 % of all Android apps contact Facebook as soon as you start them. This also includes apps that are directly related to religion, sexual orientation or health. The user has usually no idea of this connection.
Mobilsicher.de tested out several Android app versions, which were available in the Play-Store on November 29, 2018. For example the Apps of the German political parties CDU and SPD.
App developers integrate so-called Software Development Kits (SDK) into their apps because they include the helpful “Facebook Analytics” function. This function provides the app operator with information on how users use the app. Facebook, on the other hand, receive the user’s advertising ID, which is individually assigned to each smartphone and, if available, can link this ID to the corresponding Facebook account. This leads to the fact that someone who has downloaded for example a pregnancy guide app now getting ads for baby clothes displayed on Facebook.
Facebook accesses user data even if they do not have a Facebook account at all. Upon request, the company confirmed that it is not clear to the user which data is transferred to Facebook. A tool called “Clear History”, announced by Mark Zuckerberg in May 2018, which should help this lack of transparency, is still not available.
Facebook itself does not consider this type of collecting data a problem, as users would have the option of opting out of personalized advertising and deactivating it either on their smartphone or in their Facebook account.
„If a person utilizes one of these controls, then Facebook will not use data gathered on these third-party apps (e.g. through Facebook Audience Network), for ad targeting”, the company replied to the question of whether the information would be deleted after the transfer. If someone decides against personalized advertising, Facebook still transfers the data, but with a corresponding note. Nevertheless, the user’s data will be collected.
20. November 2018
A Data Protection Impact Assessment (DPIA) outsourced by the Dutch Ministry of Justice and Security, concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them. According to this report, Microsoft thus violates the General Data Protection Regulation (GDPR) on a massive scale.
The DPIA was carried out to probe the use of Microsoft Office in the public sector. Most of the Dutch authorities use Microsoft Office 2016, Office 365 or an older version. The Dutch judiciary, police, various ministries and tax offices use Word, Excel, Outlook and PowerPoint. The DPIA found that Microsoft not only collects and stores personal data but also send them to the US. In addition, users are not informed and it is not offered to switch off the collection or to see what data are collected. The Assessment outlined eight different risks and possible risk mitigating measures. One example is the “Lack of Transparency”. A possible measure recommended for Microsoft is the public documentation and the implementation of a data viewer tool because at the moment the content of the diagnostic data (i.e. “all observations stored in event logs about the behaviour of individual users of the services”) is not accessible.
Microsoft stated that -for the examined Office versions- between 23,000 and 25,000 event logs are sent to Microsoft servers and that 20 to 30 development teams analyse the data. The company agreed to change its practices by April 2019 and until then offers “zero exhaust” settings to shut down the data collection. A Microsoft spokesperson told The Register: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.”
In addition to applying the new settings, the DPIA encourages users to deactivate Connected Services and Microsoft’s data sharing system, not use the web-based Office 365, SharePoint, or OneDrive, delete the directory of the system, and consider using alternative software.
13. November 2018
On November 8th, Privacy International – a British non-governmental organisation – has filed complaints against seven data brokers (Axiom, Oracle), ad-tech companies (Criteo, Quandcast, Tapad) and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland and the UK.
Privacy International accuses those companies of violating the GDPR: They all collect personal data from a wide variety of sources and merge them into individual profiles. Therefore, information from different areas of an individual’s life flow together to create a comprehensive picture e.g. online and offline shopping behaviour, hobbies, health, social life, income situation.
According to Privacy International, the companies not only deal with the collected data, but also with the conclusions they draw about their data subjects: Life situation, personality, creditworthiness. Among their customers are other companies, individuals and governments. Privacy International accuses them to violate data protection principals such as transparency, purpose limitation, data minimisation, integrity and confidentiality.
Furthermore, the companies have no valid legal basis for the processing of personal data, in particular for the purpose of profiling. According to Privacy International, where those companies claim to have the consent of the data subjects, they cannot prove how this consent was given, nor that the data subjects voluntarily provided it after sufficient and clear information.
“Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back,” Frederike Kaltheuner, Privacy International’s data exploitation programme lead, said.
With its complaint, Privacy International takes advantage of a new possibility for collective enforcement of data protection created by the GDPR. The Regulation allows non-profit organisations or associations to use supervisory procedures to represent data subjects (Art. 80 GDPR).
12. November 2018
The Vietnamese Ministry of Public Security has published a draft decree on its website earlier this November that shall come into effect on January 1st, 2019.
International internet companies like Facebook and Google shall, for instance, be obliged to store at least 36 months of local users’ data in Vietnam.
The law also intends to ban any use of social media when it comes to organizing anti-state activities, spreading false information or creating difficulties for authorities.
The new legal requirements have sparked off a widespread controversy among Vietnamese institutions such as bipartisan members of the government.
Main concerns are that communist authorities may then be granted access to private data and even have an impact on online free speech.
Google and Facebook have not stated any comments as of yet.
6. November 2018
At the 4oth International Conference of Data Protection and Privacy Commissioners (ICDPPC) Apple CEO Tim Cook and other prominent representatives of leading tech companies, all expressed their endorsement of a more GDPR-like privacy legislation around the globe and particularly the US. The ICDPPC takes place in Brussels once a year and apart from independent data protection authorities as accredited members, the attendees include representatives of states without independent data protection supervisory bodies, international organisations, non-governmental organisations as well as representatives from science and industry.
On this platform, Cook strongly supported the idea of introducing similar data protection standards to those of the GDPR in the US and encouraged his fellow tech companies to do so as well. The Apple CEO warned of a danger of a “data industrial complex”, where information about individuals is being weaponized against humanity “with military efficiency”. Cook pointed out that scraps of personal data are “carefully assembled, synthesized, traded and sold” creating an “enduring digital profile which lets companies know individuals better than they may know themselves”, since businesses would use these information to make billions and billions of dollars. As this would end up in surveillance while those stockpiles of data only serve to enrich companies, he ensures Apple’s “full support of a comprehensive federal privacy law in the United States”.
Without mentioning them, the Apple CEO refers in particular to the data giants Google and Facebook by emphasizing their responsibility of creating adequate data protection standards. Both of them have been in the focus of a global discussion on whether they provide their users with adequate privacy settings. However, Facebook’s CPO Erin Egan replied, unequivocally, “yes”, when she was asked whether she would support a GDPR-like data protection law in the U.S. as well as Google General Counsel Kent Walker said, “we’ve been on record for some time calling for comprehensive privacy legislation in the past years” when he was asked about Google’s position on a U.S. federal privacy bill. Walker also pointed to Google’s recent release of principles it supports as part of a federal bill.
Last but not least, Microsoft Corporate Vice President and Deputy General Counsel Julie Brill eventually stated that Microsoft has extended many of the GDPR’s protection measures to their entire customer base and has been a supporter of a U.S. federal privacy bill since 2005. In particular, Brill endorsed a “strong, robust, and horizontally effective baseline privacy legislation.” She further ensured that at Microsoft people are using their voice as strongly as they could to encourage that to take place.
Bearing in mind the data scandals around – in particular – Google and Facebook, and the rather low data protection standards in the U.S., it seems that at least four representatives of the top seven tech companies in the world endorse a new U.S. federal privacy bill and will encourage in supporting an adequate privacy standard around the globe. Regarding the actual stance of the Trump administration, FTC Commissioner and recent Trump appointee Noah Phillips, gave an indication about how this subject will be treated. According to his personal opinion, such a regulation should be done “only if necessary and then very carefully.” Being asked whether the U.S. has the right laws in place to regulate technology appropriately, or whether there were any gaps, he replied, “that is a big question we are debating right now in the United States.”
5. November 2018
According to a BBC report, more than 81.000 Facebook profiles were hacked. Private messages and other information was offered for 10 cents per account.
The BBC had the allegations checked by the IT security company Digital Shadows, who confirmed that over 81.000 of the profiles posted online contained private messenger messages. Furthermore, data from more than 176.000 accounts, including e-mail addresses and telephone numbers were available. This information did not necessarily have to come from a hack, as some of it was also open on public Facebook profiles
The BBC Russian Service also emailed the address that offered the data. The respondent – someone called “John Smith”- wrote that the offered data was neither from profiles involved in the Cambridge Analytica scandal nor of the recent security breach revealed in September. He said that his hacker group could offer data from 20 million users, of whom 2.7 million were Russians. But Digital Shadows doubts this because Facebook should have noticed such a big leak.
Facebook reported that its security has not been compromised. The data might be obtained through malicious browser extensions. According to Facebook executive Guy Rosen, they “have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores”.
25. October 2018
As the Hong Kong airline Cathay Pacific announced on October 24, unauthorised access to a system containing data of up to 9.4 million passengers has been discovered. The data leak was detected during a routine check and immediately reported to the authorities and the police. As reported by the airline, no personal information has been misused.
According to Cathay Pacific CEO Rupert Hogg, the airline immediately initiated a thorough investigation with the support of a cybersecurity firm and wants to further strengthen their IT security measures.
Among the concerned data are: passenger names; nationalities; phone numbers; passport numbers and identity card numbers. But “no –one’s travel or loyalty profile was accessed in full, and no passwords were compromised”, said Hogg.
In its statement, Cathay Pacific underlined that the systems concerned are completely separate from the flight operating system and that flight safety is not affected.
24. October 2018
The Portuguese data protection supervisory authority CNPD (Comissão Nacional de Protecção de Dados) recently announced that the hospital Barreiro Montijo is to pay a fine of 400,000€ for incompliancy with the EU General Data Protection Regulation (GDPR). This is the first time that a high fine has been imposed in Europe based on the new GDPR framework of fines.
According to Portuguese newspaper Público, the hospital has violated the GDPR by allowing too many users to have access to patient data in the hospital’s patient management system, even though they should only have been visible to medical doctors. In addition, too many profiles of physicians have been created in the hospital system. The CNPD discovered that 985 users with the access rights of a medical doctor were registered, although only 296 physicians were employed in 2018.
The hospital now wants to take legal action against the fine.
