Category: Personal Data

Mass Audit in Germany concerning 500 firms’ cloud transfers

8. November 2016

As the IAPP just published online, 10 of the 16 German Data Protection Authorities, have begun to assess firms’ transfer of personal data to cloud services based outside of the EU.

According to a joint statement of the respective Data Protection Authorities this is due to the fact that cross-border personal data transfers are growing massively, because of globalization and the rise of software-as-a-service.

Therefore, a mass audit is conducted, which takes about 500 randomly selected companies of various sizes into account. This audit is based on questionnaires asking about their transfers of employee and customer personal data to third countries, in particular to the U.S. while using services such as:

  • office apps,
  • cloud storage,
  • email and other communications platforms,
  • customer service ticketing,
  • support systems and
  • risk management and compliance systems.

In case a company transfers personal data to third countries, it has to show the legal grounds they are using, for example Standard Contractual Clauses or the EU-U.S. Privacy Shield.

The Article 29 Working Party talks about the EU-U.S. Umbrella Agreement

2. November 2016

The Article 29 Working Party published a statement on the EU-U.S. Umbrella agreement at the end of October.

On one side, the statement shows signs of support for the EU-U.S. Umbrella Agreement. However on the other side, it delivers recommendations in order to make sure that the agreement is compliant with European data protection law.

In general, the Article 29 Working Party supports the creaction of a general data protection framework in order for international data transfers to be compliant with national, European and international data protection laws.  Therefore, the Article 29 Working Party elaborates that the respective agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework”. 

However, it is also mentioned that clarification is needed in terms of definitions, for example how to define personal data and data processing, due to the fact that European and U.S law have different opinions on what is meant by these terms.

According to a global survey companies are not ready for the GDPR

12. October 2016

Dell just published the results of a global survey about the GDPR perceptions and readiness. Among other findings, the main result is the lack of awareness of the requirements, the preparation and the impact:

  • More than 60 % answered that they are aware that something is going on with the GDPR. However, they said that they do not know what exactly is happening.
  • Just 4 % outside of Europe commented that they are very knowledgeable about the details of the GDPR. Nevertheless, only 6 % of those in Europe answered that they are very familiar with the requirements.
  • On top of this, less than 1 of 3 companies feel that they are prepared for the GDPR.
  • Furthermore, about 70 % said that their company is definitely not, or do not know if their company is, prepared for the GDPR today. However, only 3 % of them have a plan in order to get ready.
  • Fewer than 50 % commented that they feel confident to be ready in time when the GDPR comes into effect in 2018. Nevertheless,  just 9 % expect to be fully prepared.

 

Spains DPA: Investigations due to WhatsApp sharing data with Facebook

10. October 2016

After Hamburg’s Data Protection Commissioner strongly recommended that Facebook should stop processing German data gained from WhatsApp, after the U.K. Information Commissioner, the ICO, also started to investigate the agreement betweent WhatsApp and Facebook and after Italy’s data protection authority, the Garante, has started to look into this issue, now Spain’s data protection authority, the AEPD, raises concerns.

Therefore, Spain’s data protection authority advises users to read the terms and conditions especially before accepting them. Furthermore, it offers guidance on changing the respective settings.

MasterCard: Biometric Corporate Card Program is now also available in Germany

7. October 2016

A new biometric corporate credit card programm, called Identity Check Mobile, has been released by BMO Financial Group (BMO) and MasterCard in Canada and in the U.S. at the beginning of the year.

This programm enables cardholders to verify their transactions by using facial recognition and fingerprint biometrics in case they purchase online.

Introducing this verification process will increase security when purchasing without a face-to-face interaction so that the possibility of a card being used by anyone who is not the cardholder will be reduced.

Steve Pedersen, Vice President, Head, North American Corporate Card Products, BMO Financial Group commented on the programm by saying “The use of biometric technology has become more common for consumers looking for convenient and secure ways to make purchases using their smartphones, so this was the natural next step for us as innovators in the payment security space” he continued  “Mitigating the risk of fraud is always our top priority, and the inclusion of this technology is going to make payment authentication easier, and strengthen the security of the entire payments ecosystem.”

MasterCard just published that starting from the 4th Octobre 2016 this form of payment is also available in Germany.

Apple offers hackers up to $200,000

29. September 2016

Forbes just released an article saying that Apple invited some of the best hackers to its headquarter in Cupertino.

Among them:

  • the 19-year-old teenage prodigy who was the first to jailbreak an iPhone 7, and therefore now being a world-renowned iOS hacker as well as an
  • ex-NSA employee who has repeatedly found security lacks concerning Mac OS X  Luca Todesco.

The meeting should have been secret and kept confidential, but unfortunately some details leaked. So for example that Apple plans to brief them on the launch of its bug bounty program. The hackers will be rewarded with up to $200,000 in case they can provide Apple with information on vulnerabilities about its laptops and phones. Furthermore, the mentioned program is expected to be put into effect before the end of the month due to the fact that this has been promised at the Black Hat security conference in Las Vegas last months. Nevertheless, Apple pursues an invite-only list-strategy in order to get quality over quantity.

Hamburg Data Protection Commissioner issues statement on the data exchange between Facebook and WhatsApp

27. September 2016

Today, the Hamburg Data Protection Commissioner (DPA) issued a press release announcing an administrative order that aims at prohibiting the data exchange between Facebook and WhatsApp.

The critical opinion of the Hamburg DPA is based on the following arguments:

  • Facebook and WhatsApp are legally independent companies, each of which has its own service terms and conditions.
  • This data exchange infringes German Data Protection Law, as a legal basis for the collection and processing of personal data is required. In this case, the Hamburg DPA does not identify a legal basis for this data exchange.
  • The legal basis is neither based on the user’s consent because Facebook has not obtained the effective consent of WhatsApp’s users.
  • The ECJ has recently ruled that if a subsidiary processes personal data on behalf of its mother company, the national data protection laws are applicable. Facebook has its subsidiary for German speaking countries in Hamburg. According to this ruling, German data protection law is applicable in this case.

Johannes Caspar, Commissioner of the Hamburg DPA, has remarked that the administrative order protects personal data of around 35 million WhatsApp users in Germany, who have not given their consent for the processing of their personal data by Facebook. Upon this data exchange Facebook would receive personal data of WhatsApp users that do not even have a Facebook account.

WhatsApp will share user information with Facebook

26. August 2016

Jan Koum, one of WhatsApp’s founders, stated shortly after selling WhatsApp to Facebook in 2014 that the deal would not affect the digital privacy of his mobile messaging service with millions of users.

However, according to the New York Times WhatsApp is about to share user information with Facebook. This week, WhatsApp published a statement saying that it will start to disclose phone numbers and analytics data of its users to Facebook. By doing so, it will be the first time that WhatsApp will connect the data of its users to Facebook.

Furthermoere, due to the fact that WhatsApp begins to built a profitable business after its previous little emphasis on revenue, it is now changing its privacy policy to the extent that WhatsApp wants to allow businesses to contact customers directly through its platform.

WhatsApp commented on the new privacy policy “We want to explore ways for you to communicate with businesses that matter to you, too, while still giving you an experience without third-party banner ads and spam”.

The new privacy policy will allow Facebook to use a users’s phone number to improve other Facebook-operated services like making new Facebook friend suggestions or better-tailored advertising.

However, WhatsApp underlines that neither it nor Facebook will be able to read users’ encrypted messages and emphasizes that individual phone numbers will not be given to advertisers.

Koum explained that “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp” and went on “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else” and concluded “Our focus is the same as it’s always been — giving you a fast, simple and reliable way to stay in touch with friends and loved ones around the world.”

WhatsApp’s new privacy policy raises concerns due to the lack of data protection. Therefore, the president of the Electronic Privacy Information Center, Marc Rotenberg commented that it is about to file a complaint next week with the Federal Trade Commission in order to prevent WhatsApp from sharing users’ data with Facebook. Rotenberg justified this approach as “Many users signed up for WhatsApp and not Facebook, precisely because WhatsApp offered, at the time, better privacy practices” he explained “If the F.T.C. does not bring an enforcement action, it means that even when users choose better privacy services, there is no guarantee their data will be protected.”

 

Microsoft acquires LinkedIn: privacy issues arise

16. June 2016

Early this week, Microsoft announced the acquisition of LinkedIn, a professional network with more than 400 million users. This makes LinkedIn to be one of the largest databases worldwide. The acquisition will allow Microsoft to have access to the professional profiles of LinkedIn users.

According to Microsoft´s CEO, Satiya Nadella, this operation will make possible that, for example, LinkedIn´s newsfeed shows articles related to the project the user is working on and on the other hand, Office may suggest professionals in LinkedIn who are experts in the task that is being completed at the time.

However, privacy related issues have aroused upon the acquisition, especially regarding the amount of personal data that LinkedIn processes. Dimitri Sirota, CEO of BigID, a customer data protection company, states that Microsoft should show that this acquisition “can enrich the software offerings from Microsoft in areas such as CRM, communication, productivity, etc.” He also remarks the importance of personal data management, so that there is no infringement of local data privacy legislations.

Software companies, such as Microsoft, gain marketing, sales and intelligence value through these kind of operations, but they also have to deal with privacy risk and compliance legislation.

In this scenario, LinkedIn should continue handling personal data as stipulated in its terms of service. This does not prevent Microsoft from signing a data transfer agreement with LinkedIn in order to have access to the data. Such access would allow Microsoft to analyze the personal data received.

Several IT-Security experts agree on the fact that data privacy and data protection should stay at the foreground.

Is an exam personal data?

11. May 2016

EU data protection legislation has been lately updated in several aspects. Last week, the GDPR was finally published in the Official Journal of the EU, also the Passenger Name Record (PNR) Directive and the Directive related to criminal records held by authorities have been published in the Official Journal of the EU.

In this evolving landscape, new questions related to the application of EU data protection legislation are arising. Recently, the Irish Supreme Court raised a question to the ECJ related to the scope of application of the definition of personal data. A man that took an accounting exam exercised his right to data subject access request regarding this exam on the basis of Irish Data Protection Laws. However, this access request was refused based on the argument that the data he wrote on the accounting exam could not be referred to as “personal data”, as it was not his “own” personal data, but data related to the subject of the exam in question.

According to the EU definition, personal data is “any information relating to an identified or identifiable natural person”. The scope of this definition is essential in order to determine if data protection laws are applicable or not. In this case, the ECJ will have to answer to this question in a preliminary ruling. In a similar case, an applicant for a Dutch residence permit exercised an access request, which had been refused. The refusal was based on a legal opinion. The ECJ stated that a legal opinion refers to a situation and not to personal data. However, counter-arguments may be given in order to support the inclusion of an exam in the definition of personal data, such as the person´s handwriting or the remarks of the examiner that may be related to the person who wrote the exam, etc.

The ECJ will have to decide whether such data is subject to data protection legislation and, therefore, the data subject access request should be accepted.

Pages: Prev 1 2 3 ... 12 13 14 15 16 17 18 19 20 21 22
1 20 21 22