23. September 2021
The Ottawa Hospital’s human resources office has admitted a data breach caused by a mass email that revealed the identities of unvaccinated staff members, CTV News Ottawa reported. The system-generated email was sent on September 8th to employees who had declined the COVID-19 vaccination and placed all of their addresses in the visible recipient field, so every recipient could see who else had received it.
The hospital sent the email because it expects all staff to be vaccinated to protect patients and the community; employees who are not vaccinated are to receive education, and the email invited them to such a session.
The hospital has apologized to the affected employees and taken steps to contain the incident: IT services recalled the emails, removed them from all inboxes and deleted the remaining copies, and employees who had forwarded the email to personal accounts were asked to delete it. Following an investigation by the hospital’s privacy office, the incident was also reported to the Information and Privacy Commissioner of Ontario.
Reportedly, 391 employees were named in the email; the hospital has not confirmed the number.
In a statement on the incident, the hospital said:
Health-care workers have worked tirelessly to protect our communities throughout the pandemic, and they deserve protection and support to enable them to do their jobs safely, and to the best of their abilities.
On Monday, 20 September 2021, the UK Ministry of Defence launched an investigation into a data breach affecting more than 250 Afghan interpreters who had worked with Western forces in Afghanistan and applied for relocation to the UK. The Ministry had emailed these individuals, who are still in Afghanistan and reportedly eligible for relocation, with all recipients in copy (“cc”) rather than blind copy (“bcc”), exposing every recipient’s email address, name and, in some cases, profile picture to all the others. Some recipients then replied to the entire list, sharing details of their current personal situation.
On Tuesday, Defence Secretary Ben Wallace apologised publicly in Parliament. He acknowledged that the breach had compromised the interpreters’ safety and said that an official had been suspended as a result. After discovering the error, the Ministry sent a further email advising the affected individuals to delete the previous message and to change their email addresses, and it will offer extra support to those affected. The Minister also said that correspondence processes have already been changed.
Meanwhile, a second breach by the Ministry of Defence came to light on Wednesday. This time an email was sent to 55 people asking them to update their details after UK officials had been unable to contact them; at least one recipient is a member of the Afghan National Army. Again, all recipients were in “cc” rather than “bcc”.
Military experts and politicians have criticised the Ministry for breaches that needlessly endanger Afghans, many of whom are hiding from the Taliban. According to a Ministry spokesperson, the investigation into data handling by the “Afghan Relocation and Assistance Policy” team is still ongoing.
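All three incidents above (the Ottawa Hospital email and both Ministry of Defence emails) share one mechanism: a notification to many people with the recipient list in a visible header. The following is an added example, not code from any of the organisations named; it shows how to build such a notice so the recipients exist only in the SMTP envelope, and a pre-send check that refuses to hand a message to the MTA if any recipient would be visible to the others. The `example.org` addresses are constructed sample data, and `smtp` in `send_checked` stands for any object with the `send_message()` signature of `smtplib.SMTP`.

```python
"""Bulk notification that keeps the recipient list out of the message headers,
with a pre-send check that catches the cc-instead-of-bcc mistake.

Added example, not code from the Ottawa Hospital or the UK MoD. Sample
addresses are constructed (example.org); ``smtp`` in send_checked is any
object with smtplib.SMTP's send_message() signature."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses


def _normalise(addresses):
    # Lower-case and de-duplicate. Local parts are technically case-sensitive,
    # but comparing case-insensitively errs on the side of reporting a leak.
    return sorted({a.strip().lower() for a in addresses if a.strip()})


def build_bulk_notice(sender, recipients, subject, body):
    """Return (message, envelope_recipients) for a many-recipient notice.

    The recipients live only in the SMTP envelope (RCPT TO), never in a
    header: no To:, no Cc:, and no Bcc: either, so nothing depends on the
    mail client or gateway stripping Bcc: before delivery. To: carries the
    sender's own address so the message is not header-less.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, _normalise(recipients)


def build_cc_notice(sender, recipients, subject, body):
    """The mistake described in the incidents above: every recipient in Cc:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, _normalise(recipients)


def visible_addresses(raw):
    """Addresses every recipient will see in the delivered message: To:, Cc:,
    and Bcc: if it was left in the bytes that go on the wire."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(header, []))
    return _normalise(addr for _, addr in getaddresses(values))


def leaked_recipients(raw, recipients):
    """Recipients whose address is exposed to the other recipients."""
    visible = set(visible_addresses(raw))
    return [r for r in _normalise(recipients) if r in visible]


def send_checked(msg, envelope_recipients, smtp):
    """Refuse to hand the message to the MTA if it would expose the list."""
    leaked = leaked_recipients(msg.as_bytes(), envelope_recipients)
    if leaked:
        raise ValueError(
            f"refusing to send: {len(leaked)} recipient(s) visible in headers")
    # smtplib.SMTP.send_message() uses to_addrs as the envelope recipients.
    smtp.send_message(msg, to_addrs=envelope_recipients)


if __name__ == "__main__":
    staff = ["alice@example.org", "Bob@example.org", "carol@example.org"]
    good, env = build_bulk_notice("hr-notices@example.org", staff,
                                  "Education session", "See attached.")
    bad, _ = build_cc_notice("hr-notices@example.org", staff,
                             "Education session", "See attached.")
    print("hardened notice leaks:", leaked_recipients(good.as_bytes(), env))
    print("cc notice leaks:      ", leaked_recipients(bad.as_bytes(), env))
```

The check is deliberately run on `msg.as_bytes()`, the serialized form, rather than on the header dictionary: that is what a downstream gateway or archive sees, and it also catches a Bcc: header that a non-`smtplib` sender would forward verbatim.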
31. August 2021
On Aug. 26, 2021, Microsoft notified several thousand customers of its Azure cloud service about a serious vulnerability that allowed unauthorized parties to gain full access to customers’ cloud databases. The vulnerability affects Azure Cosmos DB, the multi-model NoSQL database that is one of the cloud service’s key products. Microsoft says it has since closed the gap, but affected customers must take steps themselves to shut out anyone who may have obtained their keys.
As Reuters reports, researchers at the security firm Wiz discovered the vulnerability in Azure’s infrastructure; it allowed them to obtain access keys that gave full access to several companies’ databases. The researchers found the vulnerability on August 9th and reported it to Microsoft on August 12th, 2021; Wiz later published a blog post explaining it under the name “ChaosDB”. A Cosmos DB primary read-write key grants full access to a customer’s database, and through the Jupyter Notebook feature integrated into Cosmos DB in 2019 it was possible to obtain such keys for other customers’ accounts, making it possible to read, modify or delete their data. Cosmos DB is used by a number of Fortune 500 companies to manage massive amounts of data from around the world in near real time.
According to Microsoft, the vulnerability was fixed immediately, and no evidence was found that anyone other than Wiz had accessed customer data. Microsoft cannot rotate customers’ access keys itself, however, so affected customers were emailed on Aug. 26 and asked to regenerate them. The problem may also have affected customers who were not notified. Microsoft has told Wiz that it will pay $40,000 for reporting the vulnerability.
If you have received a notice from Microsoft and an affected database contains personal data, you must assess whether the incident has to be reported to the competent data protection supervisory authority within 72 hours under Article 33 GDPR. If you believe your organization may be affected by ChaosDB, follow the steps in the Wiz blog post for protecting your environment, which centre on regenerating the affected accounts’ keys.
This is the third major security incident involving Microsoft products within 12 months, following the so-called “SolarWinds” hack in December 2020 (see our blog post) and the large-scale compromise of Microsoft Exchange servers in March 2021 (see our blog post).
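Because Microsoft cannot rotate the keys for you, the practical remediation is a key rotation that does not take your own workloads down, followed by a check that no configuration still carries the old key. The following is an added example, not Microsoft’s or Wiz’s code. It shells out to two real Azure CLI commands, `az cosmosdb keys list` and `az cosmosdb keys regenerate`; the `run` parameter defaults to `subprocess.run` and is swappable for a fake so the sequence can be exercised offline. The JSON field names `primaryMasterKey` and `secondaryMasterKey` are those printed by `az cosmosdb keys list --type keys`, and the connection strings in the audit are constructed sample data.

```python
"""Two-phase Cosmos DB key rotation with the Azure CLI, plus an audit for
configurations that still hold a key that was rotated away or reported exposed.

Added example, not Microsoft's or Wiz's code. Uses the real commands
`az cosmosdb keys list` / `az cosmosdb keys regenerate`; ``run`` defaults to
subprocess.run and can be replaced by a fake for offline testing."""
import json
import re
import subprocess


def az_json(args, run=subprocess.run):
    """Invoke `az <args> -o json` and parse the output (None when empty)."""
    proc = run(["az", *args, "-o", "json"],
               capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def list_keys(account, resource_group, run=subprocess.run):
    """Current master keys of the account, as `az cosmosdb keys list` reports them."""
    return az_json(["cosmosdb", "keys", "list", "--name", account,
                    "--resource-group", resource_group, "--type", "keys"], run)


def regenerate_key(account, resource_group, kind, run=subprocess.run):
    """kind is one of: primary, secondary, primaryReadonly, secondaryReadonly."""
    az_json(["cosmosdb", "keys", "regenerate", "--name", account,
             "--resource-group", resource_group, "--key-kind", kind], run)


def rotate(account, resource_group, phase, run=subprocess.run):
    """Phase 1: regenerate the secondary key and return it, so workloads can be
    repointed to it while the (possibly exposed) primary still works.
    Phase 2, once every workload uses the new secondary: regenerate the
    primary and return it. Regenerating the primary first would cut off every
    client still using it, which is why the rotation is split."""
    kind, field = {1: ("secondary", "secondaryMasterKey"),
                   2: ("primary", "primaryMasterKey")}[phase]
    regenerate_key(account, resource_group, kind, run)
    return list_keys(account, resource_group, run)[field]


_ACCOUNT_KEY = re.compile(r"AccountKey=([^;]+)", re.IGNORECASE)


def account_key(connection_string):
    """Extract the key from an 'AccountEndpoint=...;AccountKey=...;' string."""
    m = _ACCOUNT_KEY.search(connection_string)
    return m.group(1) if m else None


def stale_configs(configs, retired_keys):
    """Names of config entries whose connection string still carries a key
    that has been rotated away or was reported as exposed."""
    retired = set(retired_keys)
    return sorted(name for name, cs in configs.items()
                  if account_key(cs) in retired)


if __name__ == "__main__":
    # Usage against a real subscription (requires `az login`):
    #   python rotate.py <account> <resource-group> <1|2>
    import sys
    acct, rg, phase = sys.argv[1], sys.argv[2], int(sys.argv[3])
    old = list_keys(acct, rg)
    new_key = rotate(acct, rg, phase)
    print(f"phase {phase} complete; repoint workloads to key starting "
          f"{new_key[:6]}... and treat the old keys as retired")
```

After phase 2, feed every connection string you manage (app settings, Key Vault secrets, CI variables) to `stale_configs` with both pre-rotation keys; any entry it returns is still using a key that ChaosDB may have exposed.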
30. August 2021
On August 26, 2021, the UK Department for Digital, Culture, Media and Sport (DCMS) published a document setting out its intention to begin making its own adequacy decisions for transfers of personal data from the UK to third countries.
Having left the EU, the UK has the power under Chapter V of the UK General Data Protection Regulation (UK GDPR) to assess the standard of data protection in other jurisdictions independently and to recognise jurisdictions as adequate for the purpose of transfers of personal data out of the UK. The DCMS announced this in a Mission Statement on international data transfers, “International data transfers: building trust, delivering growth and firing up innovation”.
“In doing so we want to shape global thinking and promote the benefits of secure international exchange of data. This will be integral to global recovery and future growth and prosperity,” write the UK Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, and the Minister for Media and Data, John Whittingdale.
The UK has developed policies and processes for reaching adequacy agreements with its partners and has so far identified ten “priority destinations” for such deals: Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, the Republic of Korea, Singapore and the USA.
Whether a third country is adequate will be determined by asking whether the level of protection under the UK GDPR would be undermined when UK data is transferred there, which requires an assessment of the importing jurisdiction’s data protection laws as well as their implementation, enforcement and supervision. The third country’s respect for the rule of law and for fundamental human rights and freedoms will weigh particularly heavily.
The Mission Statement sets out four phases. In the first, the UK Adequacy Assessment team decides whether to proceed with an assessment at all. The second is the analysis of the third country’s data protection laws, which feeds into the third, in which the team makes a recommendation to the Secretary of State. In the fourth and final phase, regulations giving legal effect to the Secretary of State’s determination are laid before Parliament.
Adequacy decisions are to be reviewed at least every four years and may be subject to judicial review.
The developer of the popular app “Angry Birds” is under investigation by the New Mexico Attorney General.
On August 25, 2021, New Mexico Attorney General Hector Balderas filed a complaint against Rovio Entertainment, alleging that the company violated the federal Children’s Online Privacy Protection Act (COPPA) by knowingly collecting the data of players under the age of 13, including for commercial purposes.
COPPA requires operators of apps that are directed at children under 13, or that they know are used by such children, to inform parents about their data collection practices, to obtain verifiable parental consent before collecting personal data from those children, and to keep a proper record of that consent.
The complaint alleges that children’s data was disclosed to third parties for targeted advertising: the data is analysed, passed on to third parties and from then on available to an ever wider circle of interested parties. Rovio is also said to have failed to obtain parental consent, and its privacy policy is alleged to be misleading. The company maintains that the Angry Birds app is not intended for children. According to the Attorney General, however, the developers know that the app is downloaded and played by a young audience in particular, and even where an app is not marketed specifically to minors, an operator that knows children are using it must take the measures COPPA requires to minimise the risk to them.
The proceedings may result in civil penalties, restitution and other relief.
Children’s data also enjoy special protection in the EU. Under Art. 8 GDPR, this protection applies up to the age of 16, although Member States may lower the threshold to as low as 13.
27. August 2021
Mongolian legislation on the protection of personal data is currently limited to two laws, the Law on Personal Secrets and the Law on Organisational Secrets, both enacted in 1995. Their provisions are considered vague, ambiguous and insufficient, so they are rarely applied in practice and there is little interpretation or case law to draw on. The underdeveloped data protection framework therefore requires systematic and consistent reform to meet current societal challenges and to comply with international standards.
Under the “Action Plan of the Government of Mongolia for 2020-2021”, a draft law on the protection of personal data is in the process of being adopted. The Mongolian parliament, the State Great Khural, recently announced discussions on several draft laws: the Law on Public Information, the Law on Protection of Personal Data, the Law on Cyber Security and the Law on Electronic Signatures.
The discussions were held jointly by the Standing Committee on Innovation and e-Policy and the Standing Committee on Legal Affairs on August 10th, 2021. The Mongolian government is now responsible for preparing the revised drafts.
The draft Law on Protection of Personal Data aims to regulate the collection, processing and use of personal data and to ensure its security. It sets out the rights and obligations of data controllers and processors, data subject rights and provisions on international data transfers.
The bill is an important step towards alignment with international data protection standards. If passed, the law will come into force on November 1st, 2021.
25. August 2021
Privacy activist Max Schrems’ data protection organisation noyb (an acronym for “none of your business”) announced on August 13th, 2021 that it had filed complaints against the cookie paywalls of seven major German and Austrian news websites. In its statement, noyb questions whether consent can be “freely given” if the alternative is to pay to keep your data to yourself.
An increasing number of websites ask users either to agree to their data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or to take out a subscription (for up to €80 per year). Can consent be considered “freely given” if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?
With these paywalls, the user must decide whether to agree to the use of his or her data for advertising purposes or to enter into a paid subscription with the publisher. Personal data may only be processed if there is a legal basis for doing so. One such basis is Article 6 (1) (a) GDPR, the data subject’s consent to the processing, and such consent must be “freely given”. According to Recital 42, sentence 5, “consent is not regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” noyb takes the view that the paywall model lacks the voluntariness that consent requires and therefore has no legal basis under Art. 6 (1) (a) GDPR.
Art. 7 (4) GDPR demands, “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
In contrast, in a decision of November 30th, 2018, the Austrian data protection authority saw no GDPR violation in a paywall system, reasoning that the data subject receives a recognisable benefit in return and that the decision is therefore voluntary after all.
On that view, users’ personal data could be regarded as a “means of payment” with which they pay for a subscription instead of paying money. Consent to the data processing would then be necessary for the performance of the contract, since it represents the consideration owed by the data subject, in other words the purchase price. How the competent data protection authorities will ultimately decide remains to be seen.
These complaints are noyb’s second major campaign this month: on August 10 it had already filed 422 formal complaints with 10 European regulators over non-compliant cookie banners.
20. August 2021
On 30 July 2021, in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the UK High Court handed down a judgment holding that the claimant could not (for the time being) recover damages for data protection breaches.
The litigation arose from the following facts: in 2018, DSG Retail Limited (“DSG”) was the victim of a cyber-attack in which hackers gained access to DSG’s systems and installed malware. The UK data protection authority, the Information Commissioner’s Office (ICO), fined DSG £500,000 (about EUR 530,000) for failing to take adequate technical and organisational security measures, in breach of the seventh data protection principle (“DPP7”) of the Data Protection Act 1998 (“DPA”). DSG has appealed the fine, and the appeal is still pending.
The attack also affected the data of the claimant, Darren Lee Warren.
He based his claim on breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the DPA and common law negligence. The data affected included his name, address, phone number, date of birth and email address.
None of these arguments convinced the court. DSG successfully argued that it had not itself committed any positive wrongful act, the breach having been caused by an external attack; that a negligence claim cannot be brought where a breach of the DPA is alleged at the same time; and that negligence in any event requires actionable damage, which Warren was unable to show.
The claim for breach of DPP7 was, however, stayed pending the final outcome of DSG’s appeal against the ICO fine; the claim was struck out on all other points.
On the Android Developers Blog, Google has announced further details of the upcoming safety section in the Play Store. It is intended to present the privacy and security practices of apps in a simple way, so that users can see what data an app may collect and why before installing it. To that end, apps on Google Play will be required to publish the corresponding information in the safety section.
The summary will be displayed on an app’s store listing page and is intended to highlight details such as:
- What type of data is collected and shared, e.g. location, contacts, name, email address, financial information,
- How the data will be used, e.g. for app functionality or personalization,
- Whether the data collection is optional or mandatory for the use of an app,
- Security practices, e.g. data encryption,
- Compliance with Google Play’s Families policy,
- Validation from an independent source against a global security standard.
To support the safety section, Google is changing its policies to give users more transparency. All developers will be required to provide a privacy policy; previously only apps that collected personal and sensitive user data had to do so. The requirement applies to all apps published on Google Play, including Google’s own.
Developers will be able to submit the information via the Google Play Console for review from October. The section is scheduled to roll out and become visible to users in Q1 2022, and every app’s safety section must be approved by April 2022 at the latest.
Google has published additional guidance for developers on how to prepare and has promised more over the coming months.
11. August 2021
On August 6, 2021, Amazon disclosed in an SEC filing that on July 16, 2021 the Luxembourg data protection authority, the Commission nationale pour la protection des données (CNPD), had imposed a record €746 million fine on Amazon Europe Core S.à r.l. for alleged violations of the EU General Data Protection Regulation (GDPR).
Based on press reports and Amazon’s public statements, the fine appears to relate to Amazon’s use of customer data for targeted advertising purposes.
The penalty follows a 2018 complaint by the French privacy rights group La Quadrature du Net, which seeks to represent thousands of Europeans in ensuring that their data is used in accordance with data protection law rather than to let Big Tech companies manipulate their behaviour for political or commercial purposes. The complaint, filed on behalf of more than 10,000 people, also targets Apple, Facebook, Google and LinkedIn; with respect to Amazon it alleges that the company manipulates customers for commercial ends by choosing which advertising and information they receive.
Amazon stated that it “strongly disagree[s] with the CNPD’s ruling” and intends to appeal: “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The fine is substantially higher than the one proposed in a draft decision previously reported in the press. The French data protection authority (CNIL) described Luxembourg’s decision as one that is “of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals”.
The CNIL confirmed that the CNPD had fined Amazon and that the authorities of the other EU member states concerned had agreed to the Luxembourg decision. Amazon has six months to correct the issue.