“What’s at stake is individual control of one’s data when they are combined by internet giants”

1. September 2016

The concern due to WhatsApp sharing user information with Facebook is rising, especially in Europe.

As the Wall Street Journal reported, European privacy regulators are investigating WhatsApp’s plan to share the information of their users with its parent company Facebook.

The Article 29 Working Party representing the 28 national data protection authorities released a statement at the beginning of this week saying that its members were following “with great vigilance” the upcoming changes to the privacy policy of WhatsApp due to the fact that the new privacy policy allows WhatsApp to share data with Facebook, whereas the privacy policy only gives existing WhatsApp users the right to opt out of part of the data sharing. Therefore, the Article 29 Working Party concluded “What’s at stake is individual control of one’s data when they are combined by internet giants”.

Furthermore,

  • the ICO also issued a statement last week raising concerns due to the “lack of control”,
  • at the beginning of this week the consumer privacy advocates in the U.S. filed a complaint with the Federal Trade Commission due to the fact that WhatsApp promised that “nothing would change” when Facebook acquired WhatsAPP two years ago and on top of that
  • the Electronic Privacy Information Center and the Center for Digital Democracy turned to the Federal Trade Commission in order to get the confirmation that the upcoming changes to the privacy policy can be seen as “marketing practices” that are “unfair and deceptive trade practices”.
Category: Article 29 WP · EU · UK · USA
Tags: , , ,

Trust in current mechanisms to carry out international data transfer decreases

According to a survey conducted recently by the International Association of Privacy Professionals (IAPP), trust in current legal mechanisms to carry out data transfers to third countries, such as Standard Contractual Clauses and the EU-U.S. Privacy Shield, has decreased.

The results of this survey reveal that 80 percent of companies relies on the Standard Contractual Clauses approved by the EU Commission to carry out international data transfers, especially to the U.S.A. However, there is currently uncertainty regarding the validity of the Standard Contractual Clauses, which may be also invalidated by the ECJ, as already occurred with the former Safe Harbor framework.

Regarding the EU-U.S. Privacy Shield, which is operative since 1st August, the survey reveals that only 42 percent of U.S. companies plan to self-certify through this new framework, compared to the 73 percent that conducted self-certification with the Safe Harbor framework. The main reason for this may be related to the uncertainty regarding its validity. The Article 29 WP stated recently that the first annual review of the Privacy Shield will be decisive.

Finally, Binding Corporate Rules (BCR) are also used by companies to carry out intra-group data transfers. However, there are several reasons why not many companies implement them. One of these reasons relates to the high costs involved with the implementation. Moreover, the implementation process can last over one year. Also, BCR can be only used for international data transfers within the group, so that other mechanisms shall be used if data transfers outside the group take place.

Google Analytics joins EU-U.S. Privacy Shield

31. August 2016

On its blog Google Analytics announced on the 29th of August that they have self-certified to the EU-U.S. Privacy Shield.

The statement describes the EU-U.S. Privacy Shield as a new framework for transfers of personal data from Europe to the United States, which can be seen as a significant milestone for the protection of Europeans’ personal data, legal certainty of transatlantic businesses, and trust in the digital economy.

Therefore, Google has now committed that they comply with the Privacy Shield’s principles and furthermore that they will safeguard the transfers of personal data, whereas no action is required from their customers.

ICO: Statement on WhatsApp sharing information with Facebook

30. August 2016

The ICO just published a statement relating to the fact that WhatsApp is about to share user information with Facebook.

Elizabeth Denham who was appointed Information Commissioner in July 2016, said that “The changes WhatsApp and Facebook are making will affect a lot of people. Some might consider it’ll give them a better service, others may be concerned by the lack of control.” She continued by saying “Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed.” Denham concluded “We’ve been informed of the changes. Organisations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. We are looking into this.”

During the IAPP Europe Data Protection Congress taking place on the 7-10 of November in Brussels Denham will contibute and also give a speech.

WhatsApp will share user information with Facebook

26. August 2016

Jan Koum, one of WhatsApp’s founders, stated shortly after selling WhatsApp to Facebook in 2014 that the deal would not affect the digital privacy of his mobile messaging service with millions of users.

However, according to the New York Times WhatsApp is about to share user information with Facebook. This week, WhatsApp published a statement saying that it will start to disclose phone numbers and analytics data of its users to Facebook. By doing so, it will be the first time that WhatsApp will connect the data of its users to Facebook.

Furthermoere, due to the fact that WhatsApp begins to built a profitable business after its previous little emphasis on revenue, it is now changing its privacy policy to the extent that WhatsApp wants to allow businesses to contact customers directly through its platform.

WhatsApp commented on the new privacy policy “We want to explore ways for you to communicate with businesses that matter to you, too, while still giving you an experience without third-party banner ads and spam”.

The new privacy policy will allow Facebook to use a users’s phone number to improve other Facebook-operated services like making new Facebook friend suggestions or better-tailored advertising.

However, WhatsApp underlines that neither it nor Facebook will be able to read users’ encrypted messages and emphasizes that individual phone numbers will not be given to advertisers.

Koum explained that “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp” and went on “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else” and concluded “Our focus is the same as it’s always been — giving you a fast, simple and reliable way to stay in touch with friends and loved ones around the world.”

WhatsApp’s new privacy policy raises concerns due to the lack of data protection. Therefore, the president of the Electronic Privacy Information Center, Marc Rotenberg commented that it is about to file a complaint next week with the Federal Trade Commission in order to prevent WhatsApp from sharing users’ data with Facebook. Rotenberg justified this approach as “Many users signed up for WhatsApp and not Facebook, precisely because WhatsApp offered, at the time, better privacy practices” he explained “If the F.T.C. does not bring an enforcement action, it means that even when users choose better privacy services, there is no guarantee their data will be protected.”

 

Request for European Commission to investigate “Pokemon Go”

25. August 2016

A Belgian Minister of European Parliament wants that the European Commission investigates the App “Pokemon Go” in order to determine whether the App is compliant with European data protection law and furthermore, to warn European citizens of the dangers caused by the App.

Therefore, the respective Minister of European Parliament, Marc Tarabella, commented that the App violates not only the General Data Protection Regulation but furthermore, that it might violate the Europeans E-Privacy Directive due to the fact that the App stores cookies and trackers on users’ smartphones. He added  “In their eyes, tracking personal data of people is clearly considered a game and a source of research or revenue” and concluded “In Europe, the protection of privacy remains a fundamental right. We have to react, warn and strongly condemn these massive scams.”

How to join the EU-U.S. Privacy Shield?

23. August 2016

In order to join the EU-U.S. Privacy Shield a company has to self-certify and therefore ensure the following requirements:

     1. The eligibility of the company has to be confirmed in order to participate in the

          EU-U.S. Privacy Shield.

     2. Development of a Privacy Policy that is compliant to the EU-U.S. Privacy Shield.

  • The Privacy Policy has to comply with the EU-U.S. Privacy Shield Principles.
  • The Privacy Policy has to refer to the Privacy Shield Compliance.
  • An accurate location for the Privacy Policy has to be provided and made sure that it is publicly available.

    3. Independent recourse mechanisms need to be identified.

  • Enforcement and Liability Principle: the company has to provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual.

   4. Verification mechanisms need to be in place.

  • The company is required to have procedures in place for verifying compliance through self-assessments or third party assessments.

     5. Implementation of a person of contact.

  • The company is required to provide a contact with regard to questions, complaints, access requests, and any other issues arising under the EU-U.S. Privacy Shield.

 

Furthermore, the company has to pay a fee depending on the annual revenue:

Company’s Annual RevenueFee
$0 to $5 million$250
Over $5 million to $25 million$650
Over $25 million to $500 million$1,000
Over $500 million to $5 billion$2,500
Over $5 billion$3,250

Thomas de Maiziere aims to introduce a facial recognition software at train stations and airports in Germany

22. August 2016

Thomas de Maiziere, Germany’s Interior Minister, aims to introduce a facial recognition software at train stations and airports in order to support the identification of terror suspects. This suggestion was prompted by two Islamist attacks in Germany last month.

Due to the fact that internet software is able to determine whether individuals shown in photographs were celebrities or politicians Thomas de Maiziere commented that “I would like to use this kind of facial recognition technology in video cameras at airports and train stations. Then, if a suspect appears and is recognized, it will show up in the system”. He went on by explaining that such a system is already being tested in terms of the identification of unattended luggage, so that the camera reports the respective luggage to an authority after a certain number of minutes.

However, although other countries are also testing a similiar technology, Germany has been sceptical and has shown caution in terms of the introduction of surveillance due to historical events such as the abuses by the Stasi secret police in East Germany and the Gestapo under the Nazis.

 

 

ICO fined Hampshire County Council with 100,000 GBP

19. August 2016

The ICO fined Hampshire County Council with 100,000 GBP due to a data breach.

The fine was the result of missing measures protecting personal information against unauthorized access: Documents containing personal information of more than 100 data subjects were stored in an abandoned building. Furthermore, 45 bags of confidential waste were also found.

Hampshire County Council released a statement saying that “We are very sorry that this incident occurred. Hampshire County Council takes the management and protection of its data very seriously. Accordingly, appropriate procedures were in place at the time, but unfortunately, on this occasion, the process was not fully adhered to. However, at no time was any information disclosed outside of the site”.

Furthermore the statemet points out that “Immediate steps were taken to investigate the matter fully, and remedial action was taken. This has included strengthened and improved processes in the removal of, and destruction of, confidential waste from vacated buildings.”

The statement highlights that Hampshire County Council reported the incident to the ICO as soon as they became aware of it and that they have cooperated fully at all stages of the ICO’s investigation.

Category: Countries · Data breach · UK
Tags:

Draft of the E-Privacy Directive to be released in September

18. August 2016

The Guardian just reported that the European Commission is about to release an update of the draft of the E-Privacy Directive in September.

This draft will probably inlcude that Apps like Skype and WhatsApp be treated the same in terms of the privacy regulations as SMS text messages and both mobile and landline calls. According to Jan Philipp Albrecht, Green MEP, this is due to the fact that “It was obvious that there needs to be an adjustment to the reality of today” he went on that “We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.” Furthermore, he mentioned that a focus of the new law lies in upholding strong encryption.

However, there are critics raising concerns as the law might decrease economic innovation and that it is “well-nigh impossible” to fit older legislation in newer technology.

 

Pages: Prev 1 2 3 ... 28 29 30 31 32 33 34 ... 39 40 41 Next
1 29 30 31 32 33 41