Report: Google denies about 70 to 75 percent of “right to be forgotten” requests

17. May 2016

Two years ago, the Court of Justice of the European Union established the “right to be forgotten”. An organization named Reputation VIP launched a website, forget.me,  that should help consumers in Europe submitting requests to Google and Bing.

Based on the consumer submissions through the site, 130,000 URLs, the company released a new report on the trends of the outcome of the requests of the “right to be forgotten” related to geographic location and success rates of those requests.

The study shows, that with regard to geographical means the top three countries from which requests originate are Germany, the UK and France. In more detail it is to say, that more than half of all requests came from Germany and the UK.

With respect to the success rates of the mentioned requests the report states, that Google denies about 70 percent to 75 percent of them.

Furthermore, the study shows, that Google most frequently denies removal requests concerning professional activity. Whereas the type of request is in 61 % of the cases due to an invasion of privacy.

 

 

The new Dutch data breach notification obligation: 1.500 notifications in 2016

From the 1st January 2016, data controllers located in The Netherlands are obliged to notify serious data breaches according to the Amendment made to Art. 34 of the current Dutch Data Protection Act. This obligation implies:

  • Notifying the Dutch DPA in the cases where there is a considerable probability that the breach hast serious adverse effects on the privacy if the affected individuals; and
  • Notifying the data subjects affected if there is a considerable probability that the privacy of the data subject is negatively affected.

According to a representative of the Dutch DPA, already 1.500 data breach notifications have been received since the new rule entered into force. This is not surprising for the Dutch DPA, as currently more than 130.000 organizations located in the Netherlands are subject to the data breach notification obligation. However, the Dutch DPA suspects that the number of occurred data breaches is actually higher.

In order to review the notifications, the Dutch DPA has implemented a software that separates the notifications that require action from the DPA from those that do not require additional action. The ones that do not require additional action are archived for future references, while the formers are further examined by the Dutch DPA. Nevertheless, the DPA has examined all received notifications, in order to identify the main sources of data breaches, which result to be based on one of the following reasons:

  • Loss of devices that were not encrypted; or
  • Disposal of information without observing adequate security measures, such as the use of a shredder or the disposal in locked containers; or
  • Insecure transfer of information, especially related to sensitive data; or
  • The access by unauthorized third parties to data bases and personal data.

This shows that most of data breaches occur because organizations do not implement adequate technical and organizational security measures or they do not follow the existing obligations regarding IT security and data protection, or employees are not trained in theses aspects.

Moreover, two-thirds of the reports were subject to a further investigation by the Dutch DPA and actions have been already taken against around 70 organizations. Also, in some cases additional information was required from the organization or the individuals had to be notified about the data breach. Information to data subjects is required if sensitive personal data is affected by the breach, the Dutch DPA has enumerated some of the data categories that are included in the definition of sensitive personal data: financial information, data that may lead to an stigmatization or exclusion of the data subject, user names, passwords or data that can be misused for identity fraud.

The new GDPR also regulates the obligation to notify data breaches. According to the Regulation, the DPA should be always notified, unless it is unlikely that the breach results in a risk for the privacy of data subjects. Furthermore, data subjects should be directly notified if the breach could result in a high risk for their privacy, so that the regulation of data breaches in the GDPR is stricter than that in The Netherlands regarding the notification to data subjects.

 

Serious data breach in HIV clinic in London

11. May 2016

A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.

Is an exam personal data?

EU data protection legislation has been lately updated in several aspects. Last week, the GDPR was finally published in the Official Journal of the EU, also the Passenger Name Record (PNR) Directive and the Directive related to criminal records held by authorities have been published in the Official Journal of the EU.

In this evolving landscape, new questions related to the application of EU data protection legislation are arising. Recently, the Irish Supreme Court raised a question to the ECJ related to the scope of application of the definition of personal data. A man that took an accounting exam exercised his right to data subject access request regarding this exam on the basis of Irish Data Protection Laws. However, this access request was refused based on the argument that the data he wrote on the accounting exam could not be referred to as “personal data”, as it was not his “own” personal data, but data related to the subject of the exam in question.

According to the EU definition, personal data is “any information relating to an identified or identifiable natural person”. The scope of this definition is essential in order to determine if data protection laws are applicable or not. In this case, the ECJ will have to answer to this question in a preliminary ruling. In a similar case, an applicant for a Dutch residence permit exercised an access request, which had been refused. The refusal was based on a legal opinion. The ECJ stated that a legal opinion refers to a situation and not to personal data. However, counter-arguments may be given in order to support the inclusion of an exam in the definition of personal data, such as the person´s handwriting or the remarks of the examiner that may be related to the person who wrote the exam, etc.

The ECJ will have to decide whether such data is subject to data protection legislation and, therefore, the data subject access request should be accepted.

Twitter blocks U.S. Intelligence Agencies from Dataminr service

10. May 2016

Dataminr is used as a tool that analyzes and traces social media posts and notifies users about breaking news in real time, such as the terror attack in Brussel´s airport in March. This analysis is carried out by using key words, patterns, or geotags.

Twitter, that owns 5% of Dataminr, has now blocked U.S. intelligence services from its Dataminr service, in order not to appear to support the surveillance activities of the U.S. Intelligence services.

Dataminr services where used by the American Government in 2013 to detect any risks on the inauguration of U.S. President Obama´s second term. However, it is not clear how Dataminr provided this service to the U.S. Intelligence services, as Twitter´s privacy policy prohibits selling its data to governmental agencies.

Category: General · USA
Tags: ,

GDPR published in the Official Journal of the EU

9. May 2016

After the EU Parliament voted the final draft of the GDPR on April 14th and the EU Commission signed it, the GDPR was finally published in the Official Journal of the EU on May 4th. The GDPR will harmonize several aspects of data protection in order to achieve a higher data protection level within the EU.

The Regulation will enter into force 20 days after publication in the Official Journal of the EU but will be directly applicable two years after its entry into force, this is ending May 2018. This means that organizations have two years to implement the provisions of the GDPR and be compliant.

Korea updates its Data Protection Act

4. May 2016

Korea´s Personal Information Protection Act (“PIPA”) has been recently updated. The modifications reflect the increasing importance of privacy and data protection issues in this country. The most relevant amendments refer to the following points:

  • The legal grounds for the processing of RRN (Residence Registration Number) and the applicable security measures have been strengthened. It will be possible to process RRN data only in the cases stipulated by law. Moreover, it is mandatory to encrypt this data. However, this will be done gradually depending on the number of RRN held by the data controller. Inspections will be also carried out by the competent authorities.
  • The technical and organizational security measures that should be implemented have been also strengthened regarding sensitive information.
  • A notification obligation to data subjects regarding third party transfers has been also introduced. The notification should include the organization from which the data was received and the purposes for which the personal data will be used by the recipient. Previously, the data controller was the responsible for informing and obtaining consent from data subjects regarding data transfers to third parties, or the recipients upon the data subject´s request.
  • The amount of fines will increase considerably in cases of data breach (loss, theft, destruction, alteration etc.) and data subjects affected by the data breach will do not even have to prove actual damages.

Additionally, the Act on the Promotion of IT Network Use and Information Protection (IT Network Act) has been updated and will enter into force in September 2016. This Act relates to telecommunications service providers and the amendments aim at enforcing security of IT networks and of data protection

Spotify denies having suffered a data breach

29. April 2016

During this week credential data from hundreds of Spotify users was posted on the internet. This data includes country of registration, user name, password and type of account.

However, Spotify denied having suffered a data security breach. Furthermore, a company spokesman stated that they monitor certain websites regularly in order to find out if user credentials have been stolen and check if these credentials are authentic. If so, they inform the user and request a password change. Despite the statement of the spokesman, several users confirmed that their playlists had been accessed and their passwords and associated e-mails changed.

Spotify has suffered during the last years several hacker attacks. The last occurred in November 2015 and also user data was made public. Regarding the data posted online this week, the company states that it could affect data related to previous hack attacks.

Category: Data breach · General
Tags:

U.S. House of Representatives passes Email Privacy Bill

The U.S. House of Representatives voted unanimously on Wednesday about the Email Privacy Bill. The bill aims at updating the current Electronic Communications Privacy Act (ECPA) from 1986. Under the ECPA, U.S. Authorities can access email communications directly from service providers with just a subpoena, if data is more than 180 old. However, under the new Email Privacy Act, they will need furthermore a warrant to access emails or other electronic communications no matter how old they are.

Currently, access to electronic communications from U.S. authorities is being subject to debate at an international level. Specially, after some weeks ago the FBI requested Apple to develop a software that allows to extract data from an iPhone device that belonged to the San Bernardino terrorist.

The Email Privacy Bill will have to be voted by the Senate, but the position of the upper chamber towards the bill is still not clear.

Category: USA
Tags: ,

Data from dating website stolen and sold

28. April 2016

As BBC just reported the data of more than a million members of the dating website www.beauftifulpeole.com has been sold online. The traded data not only included the weight, height, job, and phone numbers of members but further more income, sexual preferences, smoking and drinking habits and relationship status. The firm stated that the data belonged to members, who joined before July 2015 and that no passwords or financial information were included.

The data has now been sold on the online black market, said security expert Troy Hunt, an Australian security expert, who runs the website HaveIBeenPwned.com, where people can verify whether their data has been leaked. Although he does not know exactly where or for how much money the data was sold, he stated that by selling data tens of thousands of dollars can be earned, bearing in mind that the data originally can cost as little as $300.

Chris Vickery, security researcher, told the BBC that the affected company acted quickly after notifying them that he had discovered it. However, the data had then already been sold. He went on by saying that “they published it openly to the world with no protection whatsoever”. This is a contradiction to the company’s statement that the content was from a test server. Therefore, Vickery added that “whether or not it’s in the test database makes no difference if it’s real data”. His analysis is further supported as a second researcher had identified the same weakness on the same day.

However in a statement BeautifulPeople said that “the breach involves data that was provided by members prior to mid-July 2015. No more recent user data or any data relating to users who joined from mid-July 2015 onward is affected”.

David Emm, principal security researcher at Kaspersky Lab commented on the stolen and sold data by summarizing “now it’s public, cybercriminals have the opportunity to use this information to steal personal identities or more” and added “unfortunately, once a breach of this nature has been made, there is not much that can be done.”

Emm went by giving the advise that “organisations need to take action and use more data, analytical insights and triangulation of multiple-identity proofing techniques to minimise the potential effects of identity theft for both the user and the businesses serving them”.

 

Category: USA
Tags:
Pages: Prev 1 2 3 ... 25 26 27 28 29 30 31 32 33 34 35 Next
1 29 30 31 32 33 35