Category: Personal Data
10. April 2017
The social networks Facebook and Instagram improve the privacy of their customer data. In the past, a research held by the Civil Liberties Association (ACLU) had revealed data usage by third parties in he Internet analysis company “Geofeedia”, in which the company publicly viewed customer data from Facebook, Instagram and Twitter regarding participation in protest actions, which were evaluated and sold to government agencies. Facebook and Instagram responded by improving the conditions with regard to data usage so that they should be more stringent now. Accordingly, software developers are now expressly forbidden to use data from the networks for monitoring purposes. By the end of 2016 Twitter had already issued appropriate regulations.
24. March 2017
On the 22nd of March 2017 Google Maps, came up with a real time sharing location (the newest “share location” option), which now gives its users an opportunity of sharing their whereabouts with each other. It`s range is said to be from 15 minutes till around three days.
Since now on your friends can follow your location (if you will make it visible for them), for example when you attempt to navigate the city’s bus system or while you are stuck in traffic. Its aim is to make the social life like meetings and hang-outs easier by giving your friend an updated information on your localization.
Furthermore, via this new option, it is also possible to create itineraries, see the most popular local businesses hours, track parking spots or special traffic-destroying events around the area.
All of these facilities have their price to be paid though. Namely, if you will activate this option Google is going to get all the information about your daily habits and rituals (on what you are doing, when, where and which is your favorite coffee shop), which could later be sold for instance to advertisers.
However, Erik Gordon, a student of the University of Michigan’s Ross School of Business´ (entrepreneurship and strategy) says: “If you can couch it in social, it’s your friends that can track you—not that Big Brother can track you, not that an ad server can track you, not that Travis Kalanick can track you”.
Google itself stresses the interface makes it clear that the option to share will be entirely and only in the hands of the individual users when it comes to sharing locations.
16. March 2017
Ultimately, the Italian police department (in cooperation with Garante – Italian data protection authority) has carried out an investigation, which has revealed a violation of a data protection legislation and specific actions aimed at introducing the legal circulation of money onto the Chinese market.
Four agent companies and one multinational have turned out to split money transfers for remaining sub-threshold under this perspective. Under these circumstances an unlawful massive personal data processing of unaware individuals (payments and senders) has been performed. What is more, some of the records were up to be filed by not existing individuals or even deceased. Other records however, were left blank.
Taking into account all of the gathered facts, which actually indicated that personal data were used in order to unlawfully avoid the money laundering provisions, a wide-ranging Italian data protection authority sanctioning initiative has been launched. As a result, Garante has issued the highest fines ever in Europe.
Given the number of violations of data protection provisions, the Garante has set the whole amount of sanctions up to a total sum of almost 11,000,000 euros (850,000; 1,260,000; 1,590,000 1,430,000 euros for the agent companies and 5,880,000 euros for the multinational company).
It is believed that such a strict data protection authorities sanction will encourage individual data controllers and companies to accelerate their compliance with the upcoming GDPR (May 2018).
2. March 2017
Yet another toy maker named Spiral Toys hit the headlines. The company suffered a big data breach with its stuffed animals called CloudPets resulting in the disclosure of 800,000 users’ personal data such as email addresses, passwords, profile pictures and 2 million voice recordings.
Spiral Toys’ CloudPets are able to connect to an app on a smartphone via Bluetooth so that parents can provide the toy with voice messages for their children.
The personal data were stored in an online database without authentication requirements so that hackers could easily access the database. According to Troy Hunt, a web security expert, the passwords were encrypted but Spiral Toys set no requirements for the password strength. That means hackers “could crack a large number of passwords, log on to accounts and pull down the voice recordings”.
Spiral Toys’ Mark Meyers denied that voice records were stolen. Still the company wants to increase the requirements for the password strength after the data breach was made public.
Both the decision of the German Federal Network Agency to take the doll “My friend Cayla” off the market in Germany and the data breach suffered by Spiral Toys, show that the privacy concerns smart toy producers are exposed to, should be taken seriously.
22. February 2017
There still exists a European data protection authorities´ concern on the data collection practices in Windows 10. Even though the letter to Microsoft has been sent by the Article 29 Working Party (or WP29), the UK Information Commissioner’s Office (ICO) has expressed its serious worries.
Microsoft was therefore asked to explain in a very clear way the purposes and kinds of personal data, which are under processing, as this is still an issue, which remains unclear.
Last July even France`s CNIL has demanded Microsoft to “halt the excessive collection of data and the tracking of users’ browsing without their consent”, as it accused Microsoft of numerous data protection laws infractions, such as too wide personal data collection under the telemetry programme and tracking tool default activation (intended to the targeted advertising delivery) without consent or user knowledge.
As a response Microsoft has released to the market (in January) a new Windows 10 update – so called “Creators Update”. It includes a dashboard based on web, which allows users to choose the desired data-sharing level.
At the conference in Australia, which took place this Monday, Microsoft has also announced a second major Windows 10 release this year (with the Neon user-interface design elements project).
According to the WP29 though: “Even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data”.
“Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid.”
Apart from Windows, the WP29 has also taken Facebook, WhatsApp and Yahoo under its magnifier, which are being suspected of data-protection laws violations.
21. February 2017
The German Federal Network Agency took the “My friend Cayla” doll off the market due to privacy concerns. The doll, which is equipped with a microphone, can answer children’s questions by the use of the Internet. Thus it was deemed as “concealed listening device” in accordance with section 90 Telecommunications Act (“Telekommunikationsgesetz”).
The Agency stated that the doll could be used for recording and transmitting children’s conversations without parents’ knowledge. Besides, it shall be possible to listen to children’s conversations by connecting with the doll via an unsecured radio link (Bluetooth).
After complaints were also filed in the US, the Federal Trade Commission decided not to take any action.
Meanwhile, the doll’s German distributor stated that “My friend Cayla” is not an espionage device and that they will challenge the Agency’s decision in court.
14. February 2017
Last month, the Pennsylvania Superior Court dismissed a class action lawsuit, which was filed against the University of Pittsburg Medical Center and ruled that the University has no responsibility in protecting employee data.
In this incident, the following data was compromised: dates of birth, names, social security numbers, addresses, salary, tax and bank information.
According to the court documents, the University had a breach in 2014, which finally resulted in approximately 788 tax fraud victims by compromising the information of nearly 62,000 UMPC employees.
Even though the University of Pittsburg Medical Center has been ruled not to have any legal duty to protect the personal and financial information of its employees under state law, the ruling is contradictory to a similar case of Texas hospital, which was penalized $3.2 million after a breach of data.
Last week Google contacted millions of app developers informing them about their apps’ violation of Google’s User Data policy.
According to this policy, apps which handle personal or sensitive user data must post a privacy policy in the designated field in the Play Developer Console, as well as within the app itself and handle the user data securely, for example by using cryptography for transmitting them.
Millions of apps handling with personal data do not have a privacy policy and thus do not contribute to providing a clear and transparent experience for Play Store users. Google set a time limit of 5 weeks, until March 15 this year for the apps to comply with the User Data policy. Either the developers shall include a link to a valid privacy policy or remove any requests for sensitive permissions or user data. Otherwise Google might limit the visibility of those apps or even remove them from its Google Play Store.
27. January 2017
The Russian data protection authority “Roskomnadzor” sent on November, 17 2016 an order to the telecommunication companies to block access to LinkedIn within Russia. The reason for this step was, according to Roskomnadzor, that LinkedIn does not protect subjects’ data rights in a way that complies with the Russian data protection law.
The order of Roskomnadzor refers to a Moscow District court decision from August, 4 2016.
The case of LinkedIn is the first major test of the Russian law, which is on effect since September, 1 2015.
Roskomnadzor judges, that LinkedIn not only violates against the data localization requirement furthermore LinkedIn also violates a number of other requirements such as collecting personal data from non-users without their consent before they complete the registration process.
Now LinkedIn can take action against this decision within the six-month period to the Moscow Court and then appeal to the Russian Supreme Court. However, LinkedIn has not announced its intentions yet.
16. January 2017
As a recent study shows (published by French research group Eleas in October), more than a third of French workers use their devices everyday in order to work out-of-hours.
Despite the fact that checking professional emails after work gives employees a sort of autonomy and flexibility speaking of working outside the office mode, such a habit may also lead to the „info-obesity“ (according to a report submitted in September 2015 by labour minister Myriam El Khomri).
Computing and work-life balance expert Anna Cox (University of College London – UCL) says: “Some of the challenges that come with flexibility are managing those boundaries between work and home and being able to say ‘actually I am not working now’.
From 1st of January therefore, French companies should guarantee a „right to disconnect“ to their employees, which means that the new employment law has just entered into force. Since then, all the organisations that employ over 50 workers will be obliged to define employees „disconection from technology“ rights.
Its aim is to minimise an overuse of digital devices by employees after their working hours, which lately surged in unpaid overtime.
To diminish the problem, some steps have already been taken, among which there are an automatic erasure of emails for employees on holiday or email connections cutoff.
Eventhough no sanction for a breach of this obligation is foreseen, the company should publish a charter with employees out-of-hours demands and rights.
