Category: Personal Data

Dynamic IP-addresses are personal data

19. May 2017

The German Federal Court (Bundesgerichtshof, BGH) has decided that dynamic IP addresses are personal data. The BGH also decided that website operators are allowed to store the IP address.

The judgment builds on a decision of the European Court of Justice (EuGH) from last year.

The EuGH decided that a dynamic IP address is personal data when the person concerned can be identified by means of the IP address.

A German politician was worried about the storage of his IP address, because various federal institutes and authorities had stored it without being asked after he visited their websites. He fears that the institutes and authorities are able to reconstruct what he read and clicked on in the past, and that his fundamental right to informational self-determination is therefore infringed. He wants the court to decide that his IP address may be stored during his visit but not beyond it.

The BGH has now established that the dynamic IP address is personal data and that the fundamental rights of users should not be infringed. Websites are nevertheless allowed to create logs of the visitors to their website after the visit, but only for the purpose of emergency response, especially in cases of hacker attacks. A criminal prosecution must be possible. The legal foundation is § 15 Telemediengesetz (TMG). § 15 I TMG must be interpreted in conformity with European law. Collection and processing of personal data must be required for the functionality of the service.

It is worth knowing that the website operator has no means of identifying the user from the IP address. Only the internet provider is able to do so, because the provider allocates the IP address to the user.

Annual Transparency Report released by the US Intelligence

10. May 2017

In April 2017, the Office of the Director of National Intelligence released its fourth annual Statistical Transparency Report Regarding Use of National Security Authorities for calendar year 2016.

The annual Transparency Report provides information (in the form of statistics) about how often the US government uses certain national security authorities for surveillance activities. Further, it explains on which legal basis surveillance has to be performed and names national security authorities (besides the FISA authorities) that are involved, such as the CIA, FBI or the NSA.

The report shows that, depending on the surveillance activity applied and the purpose of the investigation, U.S. persons as well as non-U.S. persons can be targets. Furthermore, it describes which legal prerequisites have to be fulfilled when investigating a target.

For example, the Transparency Report provides information about the number of National Security Letters (NSLs) issued by the Federal Bureau of Investigation (FBI). The number of NSLs slightly decreased compared to last year. However, the number of issued NSLs does not reflect the number of individuals or organisations that are the subjects of the NSLs.

During an investigation, personal data such as telephone numbers or email addresses may be collected.

Facebook & Instagram improve privacy for user data

10. April 2017

The social networks Facebook and Instagram are improving the privacy of their customer data. In the past, research by the Civil Liberties Association (ACLU) had revealed data usage by a third party, the Internet analysis company “Geofeedia”, in which the company viewed public customer data from Facebook, Instagram and Twitter regarding participation in protest actions, evaluated it and sold it to government agencies. Facebook and Instagram responded by tightening their conditions for data usage. Accordingly, software developers are now expressly forbidden to use data from the networks for monitoring purposes. Twitter had already issued corresponding rules by the end of 2016.

Google – “sharing location” option

24. March 2017

On the 22nd of March 2017, Google Maps introduced real-time location sharing (the newest “share location” option), which gives its users the opportunity to share their whereabouts with each other. Its range is said to be from 15 minutes to around three days.

From now on, your friends can follow your location (if you make it visible to them), for example while you try to navigate the city’s bus system or while you are stuck in traffic. Its aim is to make social life, such as meetings and hang-outs, easier by giving your friends updated information on your location.

Furthermore, with this new option it is also possible to create itineraries, see the opening hours of the most popular local businesses, and track parking spots or special traffic-disrupting events around the area.

All of these features come at a price, though. If you activate this option, Google will get all the information about your daily habits and rituals (what you are doing, when, where, and which is your favorite coffee shop), which could later be sold, for instance to advertisers.

However, Erik Gordon, a student of the University of Michigan’s Ross School of Business (entrepreneurship and strategy), says: “If you can couch it in social, it’s your friends that can track you—not that Big Brother can track you, not that an ad server can track you, not that Travis Kalanick can track you”.

Google itself stresses that the interface makes it clear that the option to share locations is entirely and only in the hands of the individual users.

Category: Personal Data · USA

The highest sanctions in Europe so far imposed by the Italian DPA

16. March 2017

Recently, the Italian police department (in cooperation with the Garante, the Italian data protection authority) carried out an investigation which revealed a violation of data protection legislation and specific actions aimed at introducing the legal circulation of money onto the Chinese market.

Four agent companies and one multinational turned out to have split money transfers in order to remain below the threshold. In the process, the personal data of unaware individuals (payments and senders) was unlawfully processed on a massive scale. What is more, some of the records were filed under the names of non-existent or even deceased individuals. Other records, however, were left blank.

Taking into account all of the gathered facts, which indicated that personal data were used in order to unlawfully circumvent the money laundering provisions, the Italian data protection authority launched a wide-ranging sanctioning initiative. As a result, the Garante has issued the highest fines ever in Europe.

Given the number of violations of data protection provisions, the Garante has set the sanctions at a total sum of almost 11,000,000 euros (850,000; 1,260,000; 1,590,000; 1,430,000 euros for the agent companies and 5,880,000 euros for the multinational company).

It is believed that such a strict sanction by a data protection authority will encourage individual data controllers and companies to accelerate their compliance with the upcoming GDPR (May 2018).

Hundreds of thousands of users affected by CloudPets data breach

2. March 2017

Yet another toy maker, Spiral Toys, has hit the headlines. The company suffered a big data breach involving its stuffed animals called CloudPets, resulting in the disclosure of 800,000 users’ personal data such as email addresses, passwords, profile pictures and 2 million voice recordings.

Spiral Toys’ CloudPets are able to connect to an app on a smartphone via Bluetooth so that parents can provide the toy with voice messages for their children.

The personal data were stored in an online database without authentication requirements, so hackers could easily access the database. According to Troy Hunt, a web security expert, the passwords were encrypted but Spiral Toys set no requirements for password strength. That means hackers “could crack a large number of passwords, log on to accounts and pull down the voice recordings”.

Spiral Toys’ Mark Meyers denied that voice recordings were stolen. Still, the company wants to increase its password strength requirements now that the data breach has been made public.

Both the decision of the German Federal Network Agency to take the doll “My friend Cayla” off the market in Germany and the data breach suffered by Spiral Toys show that the privacy concerns smart toy producers are exposed to should be taken seriously.

Existing concerns about Windows data protection law infractions

22. February 2017

European data protection authorities remain concerned about the data collection practices in Windows 10. Even though the letter to Microsoft was sent by the Article 29 Working Party (or WP29), the UK Information Commissioner’s Office (ICO) has expressed its serious worries.

Microsoft was therefore asked to explain very clearly the purposes and kinds of personal data being processed, as this remains unclear.

Last July, France’s CNIL even demanded that Microsoft “halt the excessive collection of data and the tracking of users’ browsing without their consent”, accusing Microsoft of numerous data protection law infractions, such as overly broad personal data collection under the telemetry programme and the default activation of a tracking tool (intended for targeted advertising delivery) without users’ consent or knowledge.

In response, Microsoft released a new Windows 10 update in January, the so-called “Creators Update”. It includes a web-based dashboard which allows users to choose the desired data-sharing level.

At the conference in Australia, which took place this Monday, Microsoft also announced a second major Windows 10 release this year (with the Neon user-interface design elements project).

According to the WP29, though: “Even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data”.

“Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid.”

Apart from Windows, the WP29 has also put Facebook, WhatsApp and Yahoo under the magnifying glass; they are suspected of data protection law violations.

Category: Article 29 WP · EU · Personal Data · UK

Talking doll deemed to be “concealed listening device”

21. February 2017

The German Federal Network Agency took the “My friend Cayla” doll off the market due to privacy concerns. The doll, which is equipped with a microphone, can answer children’s questions by using the Internet. It was thus deemed a “concealed listening device” in accordance with section 90 of the Telecommunications Act (“Telekommunikationsgesetz”).

The Agency stated that the doll could be used for recording and transmitting children’s conversations without the parents’ knowledge. In addition, it is said to be possible to listen to children’s conversations by connecting to the doll via an unsecured radio link (Bluetooth).

After complaints were also filed in the US, the Federal Trade Commission decided not to take any action.

Meanwhile, the doll’s German distributor stated that “My friend Cayla” is not an espionage device and that they will challenge the Agency’s decision in court.

University of Pittsburgh Medical Center found not responsible for employee data security

14. February 2017

Last month, the Pennsylvania Superior Court dismissed a class action lawsuit filed against the University of Pittsburgh Medical Center and ruled that the University has no responsibility for protecting employee data.

In this incident, the following data was compromised: dates of birth, names, social security numbers, addresses, salary, tax and bank information.

According to the court documents, the University suffered a breach in 2014 that compromised the information of nearly 62,000 UPMC employees and ultimately resulted in approximately 788 tax fraud victims.

Even though the University of Pittsburgh Medical Center has been ruled not to have any legal duty to protect the personal and financial information of its employees under state law, the ruling contradicts a similar case involving a Texas hospital, which was penalized $3.2 million after a data breach.

Category: Data breach · Personal Data · USA

Google may remove millions of apps from its Play Store

Last week Google contacted millions of app developers informing them about their apps’ violation of Google’s User Data policy.

According to this policy, apps which handle personal or sensitive user data must post a privacy policy in the designated field in the Play Developer Console as well as within the app itself, and must handle the user data securely, for example by using cryptography when transmitting it.

Millions of apps handling personal data do not have a privacy policy and thus do not contribute to providing a clear and transparent experience for Play Store users. Google set a time limit of 5 weeks, until March 15 this year, for the apps to comply with the User Data policy. Developers must either include a link to a valid privacy policy or remove any requests for sensitive permissions or user data. Otherwise Google might limit the visibility of those apps or even remove them from its Google Play Store.
