Political parties will be sanctioned for data breaches

22. January 2019

On Wednesday, 16th January 2019, EU Parliament and member state negotiators agreed that parties or political foundations can be sanctioned for data protection breaches during election campaigns. This regulation is intended to prevent any influence on the forthcoming European elections in May. It was decided that in such cases affected institutions would have to pay up to five percent of their annual budget in future.

One of the reasons for the new regulation was the data scandal surrounding Facebook and Cambridge Analytica. During the US election campaign, Facebook gained unauthorized access to the data of millions of its users. With this data, Cambridge Analytica is said to have tried to prevent potential Clinton supporters from voting and to mobilise Trump voters by means of advertising and contributions (we reported).

In future, data protection violations that are deliberately accepted in order to influence the outcome of European elections will be severely sanctioned. National supervisory authorities are to decide whether a party has violated the regulation. The Authority for European Political Parties and European Political Foundations must then review the decision and, if necessary, impose the appropriate sanction. Moreover, those found to be in breach could not apply for funds from the general budget of the European Union in the year in which the fine is imposed.

The text adopted on Wednesday still has to be formally adopted by Parliament and the Council of Member States.

Brexit: Impact on data protection after “May’s deal” has been rejected

18. January 2019

Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.

In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.

Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.

It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.

Dataset with stolen login information appeared

An 87 gigabyte dataset with stolen login information has appeared on the Internet. This affects 773 million e-mail addresses and over 21 million passwords.

According to initial information, the data do not originate from a single hack, but have been gathered from various hacks. The data set contains information from 12,000 domains and various web services.

The existence of the data set was made public by the Australian IT security expert Troy Hunt on his homepage, who calls it Collection #1. The expert writes that he was first made aware of the record by acquaintances and that the data was originally available from a file hosting provider, where it can no longer be found.

You have the option of checking for yourself whether your data is affected. To check this, simply enter your own address in the search field and click on “pwned?”. The verification service published by the Australian security researcher Troy Hunt is considered trustworthy by the Federal Office for Information Security (BSI). If you are affected, we recommend that you change your password as soon as possible.

CNIL publishes guidance on data sharing

At the end of last year, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés”, the “CNIL”) published guidance on sharing data with business partners or third parties. The CNIL stated that many companies that collect data from individuals transfer this data to “business partners” or other organisations especially to send prospecting emails. In case of a transmission the data subjects must maintain control over their personal data .

The published guidance state the following five requirements:

• Prior consent: Before sharing data with business partners or third parties such as data brokers, organisations must request the individual’s consent.

• Identification of the partners: The individuals must be informed of the specific partner(s) who may receive the data. According to the CNIL’s guidance, the organisation can either publish a complete and updated list containing the organisation’s partners directly on the data collection form or if such a list would be too long, it can integrate a link to the collection form. This should be inserted together with a link to their respective privacy policies.

• Information of changes to the list of partners: The organisations have to notify the individuals of any changes to the list of partners, especially if they may share the data with new partners. Therefore, they may provide an updated list of their partners within each marketing message sent to the individual and each new partner that receives the individual’s data must inform him or her of such processing in its first communication to the data subject.

• No “transfer” of the consent: Companies may not share the information they receive with their own partners without obtaining the consent of individuals, in particular with regard to the identity of new companies that would become recipients of the subject’s data.

• Information to be provided by the partner(s): The partner who received the individual’s data for their own marketing purposes must inform the data subject of the origin (name of the organisation who shared the data with them) and inform them of their data subject rights, in particular the right to object to the processing.

Category: EU · French DPA
Tags: , ,

Massachusetts Approved Amendments to Data Breach Notification Law

15. January 2019

Massachusetts’ data breach law has been significantly amended by the legislation signed by Gov. Charlie Baker on 10th January becoming effective as of 11th April this year. An overview of the key changes can be found following.

The amended law requires companies to provide certain additional information when notifying the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation about a breach of security or the reasonable believe of the existence such a breach. This information include, but are not limited to “the nature of the breach of  security or unauthorized acquisition or use”, the types of personal information compromised (e.g. social security numbers), “the number of residents affected by the incident at the time of notification”, the person responsible for the breach – if known -, and whether the entity maintains a written information security program according to Massachusetts 201 CMR § 17.03.

A further update concerns the notice of the affected individuals. The amended law explicitly sets out a rolling notification to individuals under certain circumstances and prohibits therefore a company from delaying notice to affected individuals referring to the ground that the total number of individuals affected has not yet been determined. “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”
If the company experiencing a data security incident is owned by another entity, the particular notification to the affected individual must specify “the name of the parent or affiliated corporation”.

Another significant change to the data breach law refers to the requirement of providing an offer of complimentary credit monitoring for “a period of not less than 18 months” (42 months, if the company is a consumer reporting agency) when a Massachusetts resident’s Social Security number has been compromised, or is reasonably believed to have been compromised, in a data security incident.  Also, Companies must certify their credit monitoring services to the Massachusetts attorney general and the Director of the Office of Consumer Affairs and Business Regulation in order to demonstrate compliance with the respective Massachusetts state law. Companies must eventually provide the credit monitoring services at no costs to the affected residents and are prohibited from asking them to waive their right to a private action as a condition for the reception of such services.

However, when these amendments become effective, beside Connecticut and Delaware, Massachusetts will have become one of those states providing a credit monitoring obligation when residents’ Social Security numbers are concerned by a breach of security. In fact, according to Public Act No. 18-90 that substitutes Senate Bill No. 472, Connecticut recently increased the required period of credit monitoring to be provided to the affected individuals from 12 to 24 months.

Brazil changes new Data Protection Law and creates a Data Protection Authority

On August 14, 2018, Brazil’s former president Michel Termer signed the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (we reported). Although the law enlarges the country’s data protection framework, the final text did not contain the creation of a data protection authority.

On December 28, 2018, Temer signed a last-minute executive order (Medida Provisória no. 869/18), which made important changes to the LGPD including the implementation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).

Despite the ANPD being an independent entity and being capable of freely handling and evaluating data protection and privacy issues, the authority still is part of the federal government and linked to the office of the President of Brazil.

According to the Executive Order no. 869/18 the ANPD has, among other things, the authority to:

  • Release rules and regulations regarding privacy and data protection;
  • Exclusively be responsible for monitoring and applying fines to non-compliant organizations;
  • Within the administrative field, exclusively interpret the LGPD, including cases in which the law remain silent; and
  • Promote privacy and data protection within the Brazilian society.

The new agency would consist of 28 members, five of them to be chosen by the president to constitute the board of directors and 23 members including public, private and third sector representatives to constitute an advisory board.

The order also establishes other important changes to the LGPD. For example that:

  • The LGPD will come into force in August 2020, six months after the originally scheduled date. Until then the ANPD will have an advisory and collaborative function.
  • The Data Protection Officer does not need to be an individual person. The tasks could be performed by an internal committee or department or could be outsourced to third parties such as specialized companies and law firms.

The executive order came into force immediately but must be voted into law by the Brazilian Congress to remain valid and become permanent.

Austrian DPA dismisses complaint concerning validity of Cookie Consent Solution

14. January 2019

The Austrian Data Privacy Authority (“DPA”) decided on a complaint, lodged by an individual, concerning the compliance of the cookie consent solution of an Austrian newspaper with the General Data Protection Regulation (“GDPR”).

The complainant argued that the consent was not given voluntarily, since the website was no longer accessible after the revocation of consent to marketing cookies. Further use of the website required payment. Therefore, according to the complainant, provision of the service depends on consent to the processing of personal data.

The Austrian newspaper grants users free access to the content of the website, provided that they agree to the use of cookies for advertising purposes. If this consent is revoked, the website will no longer be usable and the window for giving consent will reappear. Alternatively, in the same window, users can choose to subscribe to a paid subscription. For currently 6 euros per month users get access to the entire content of the site, without data tracking.

The DPA explained that consent is only given involuntarily if a disadvantage is to be expected if consent is not given. Referring to Article 29 Working Party’s Guidelines on Consent, the DPA stated that such a disadvantage arises when there is a risk of deception, intimidation, coercion or significant adverse consequences. Yet there is no such disadvantage here. In fact, after giving consent, the user of the website even gains an advantage because he gets full access to the newspaper’s services. Furthermore, if the user does not wish to give his consent, he can still use another online newspaper.

With its decision, the Austrian DPA set a welcome signal for other online newspapers that finance themselves through advertising revenues.

Massive data attack targeting hundreds of German politicians and celebrities

8. January 2019

Following the hacker attack on hundreds of politicians and celebrities, investigators have arrested a 20-year-old suspect today. The apartment of the suspect had been searched and he has been taken into custody. This was reported by the central agency of the attorney general in Frankfurt am Main (Zentralstelle zur Bekämpfung der Internetkriminalität der Generalstaatsanwaltschaft Frankfurt am Main) and the Federal Criminal Police Office (BKA).

On January 7, prior to the arrest, the household of a 19-year-old IT worker, who is being treated as a witness, was searched and technical equipment was confiscated. He claimed that he knows the hacker.

On Friday, January 4, Germany’s Federal Office for IT Safety (BSI) revealed that it was investigating a data leak concerning hundreds of German politicians, journalists and celebrities published on the platform Twitter. The authorities were working together with the Irish Data Protection Commissioner to stop the spreading of the affected data. The hack targeted all of Germany’s political parties represented in the federal parliament at the moment, except for the far-right Alternative for Germany (AfD).

The data was published via a Twitter account, followed by more than 17,000 people at the time, in the style of an advent calendar over the course of December 2018. It included mobile phone numbers, contact info and private chats. Furthermore, ID cards as well as banking and financial details, for example credit card details, were leaked.

Update regarding the data breach at Marriott

7. January 2019

Marriott International Inc, the world’s largest hotel company, based in the USA, which was hit by a data breach in 2018, has announced new information regarding the breach in which unauthorized access to the Marriott subsidiary Starwood’s reservation database was made (we reported).

Contrary to initial statements, not 500 million records of hotel guests but only 383 million are affected. It should be noted that for a guest who has stayed several times in one of the hotels belonging to the Marriott Group, there is one record for each overnight stay. According to this, not 383 million people were affected, but fewer. However, the Marriott Group cannot give the exact number of people affected.

In addition to the corrected number of victims, Marriott announced that some confidential data such as passport and credit card numbers were unencrypted. About 5,25 million unencrypted and about 20,3 million encrypted passport numbers could be viewed by unauthorized persons. According to the company, the master key for decryption was not copied.

In addition, around 8,6 million encrypted credit card numbers were affected, of which only 345.000 were still valid. Here, too, the master key could not be captured. At the moment, it is still being investigated whether credit card numbers entered in the wrong fields and thus stored unencrypted are affected.

CNIL fines Telecom Operator

The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.

BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.

In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.

Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.

Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.

As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 31 32 33 Next
1 2 3 4 5 33