3. May 2019
According to research by Human Rights Watch, China’s state and party leaders have had an app developed with which the security authorities in Xinjiang can monitor their inhabitants on a massive scale.
When police officers log into the app, they can see which “conspicuous” behaviours of individual residents have been recorded. According to the published report, the authorities are using the app for illegal mass surveillance and arbitrary arrest of the Uighur Muslim minority living in Xinjiang Province. Up to one million Uighurs are currently said to be imprisoned in “re-education camps”.
Users of the app are asked to enter a variety of information about citizens and explain the circumstances under which it was collected. This includes information such as name or identity card number, but also information such as religious beliefs, blood group or the absence of smartphones. According to Human Rights Watch, the app should also be connected to other databases and alert users if a citizen consumes too much electricity or a mobile phone does not log on to the network for a long time. Citizens should also make themselves “suspicious” if they have little contact with neighbours or do not often enter buildings through the front door.
Human Rights Watch is convinced that this procedure is also illegal in China and that the collected data must be deleted. It remains to be seen whether the Chinese – or other governments will react to the disclosures.
2. May 2019
Sensitive data of 80 million US households are unprotected available in the internet. The data are stored on an openly accessible database whose owner is unknown.
Affected are 65 % of all US households, in numbers, 80 million households. The database includes detailed information regarding the number of persons living in a household, their names, marital status, age, date of birth, residential address including GPS data for localization and household income.
The number of affected US-citizens cannot be named due to the fact, that in one household can live a different amount of people. Because of this it is possible that over 100 million people are affected.
On the basis of the accessible data an identification of individuals is easily possible because hackers or thefts of identity can find out the mailaddresses and connect this information with free accessible information from e.g. social media.
Regarding the owner of the database no information is known. It is presumed that it is a company from the health or insurance sector.
The owner need to be find, otherwise the leak cannot be closed.
29. April 2019
The British food store chain VM Morrison Supermarkets PLC (“Morrisons”) has been granted permission by the Supreme Court to appeal the data protection class action brought against it and to challenge the judgment for all its grounds. The case is important as it’s the first to be filed in the UK for a data breach and its outcome may affect the number of class actions for data breaches.
An employee who worked as a senior IT auditor for Morrsisons copied the payroll data of almost 100,000 employees onto a USB stick and published it on a file-sharing website. He then reported the violation anonymously to three newspapers. The employee himself was sentenced to eight years in prison for various crimes.
5,518 employees filed a class action lawsuit against Morrisons for the violation. It claimed both primary and representative liability for the company. The Supreme Court dismissed all primary liability claims under the Data Protection Act (“DPA”), as it concluded that the employee had acted independently of Morrisons in violation of the DPA.
However, the court found that Morrisons is vicariously liable for its employee’s actions, although the DPA does not explicitly foresee vicarious liability. The company appealed the decision.
The Court of Appeals dismissed the appeal and upheld the Supreme Court’s ruling that the Company is vicariously liable for its employee’s data breach, even though it was itself acquitted of any misconduct.
In the future appeal of the Supreme Court, it will have to examine, among other things, whether there is deputy liability under the DPA and whether the Court of Appeal’s conclusion that the employee disclosed the data during his employment was incorrect.
26. April 2019
Recently, the Dutch Data Portection Authority (Autoriteit Personensgegevens) published six recommendations for companies when outlining their privacy policies for the purpose of Art. 24 para 2 of the General Data Protection Regulation (the “GDPR”).
The authorities’ recommendations are a result of their investigation of companies’ privacy policies, which focused on companies that mainly process special categories of personal data, e.g. health data or data relating to individuals’ political beliefs.
The Dutch DPA reviewed privacy policies of several companies such as blood banks or local political parties and it focused on three main points 1) the description of the categories of the personal data 2) the description of the purposes of the processing and 3) the information about data subjects’ rights. They discovered that the descriptions of the data categories and purposes were incomplete or too superficial and thus released six recommendations that companies shall take into consideration when outlining privacy policies.
Those are the six recommendations:
- Companies should evaluate whether they have to implement privacy policies (taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of natural persons)
- Companies should consult internal and/or external expertise such as data protection officers when implementing privacy policies
- The policy should be outlined in a single document to avoid fragmentation of information
- The policy should be concrete and specific and therefore not only repeating the provisions of the GDPR
- The DPA recommends to publish the privacy policies so that data subjects are aware of how the company handles personal data
- The DPA also suggests to draft a privacy policy even if it is not mandatory to demonstrate that the company is willing to protect personal data
25. April 2019
Since May 2016 Facebook uploaded email-contacts without respectively against the will of 1,5 million users.
Facebook itself discovered the mistake in March 2019 and according to it’s own statement has now corrected it. The data was uploaded unintentionally and not shared with third parties. The data will be deleted and Facebook will contact the concerned users.
Facebook was able to read the email-contacts of 1,5 million users, but the concerned amount of data subjects is a lot higher due to that many users have thousands of contacts. Facebook denied that e-mails have been accessed by its employees. It expects a fine of three to five billion dollar in the USA.
10. April 2019
The European Data Protection Supervisor (EDPS) is the supervisory authority for all EU institutions and therefore responsible for their compliance with data protection laws. It is currently investigating the compliance of contractual agreements between EU institutions and Microsoft as the different institutions use Microsoft products and services to conduct their day-to-day businesses including the processing of huge amounts of personal data.
The EDPS refers to a Data Processing Impact Assessment carried out last November by the Dutch Ministry of Justice and Security (we reported) in which they concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them.
Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”
The investigation should reveal which products and systems are used right now and whether the existing contractual agreements are compliant with current Data Protection Laws, especially the GDPR.
9. April 2019
The French data protection authority CNIL has published a model regulation which regulates under which conditions devices for access control through biometric authentication may be introduced at the workplace.
Pursuant to Article 4 paragraph 14 of the General Data Protection Regulation (GDPR), biometric data are personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained by means of specific technical processes, which enable or confirm the unambiguous identification of that natural person. According to Article 9 paragraph 4 GDPR, the member states of the European Union may introduce or maintain additional conditions, including restrictions, as far as the processing of biometric data is concerned.
The basic requirement under the model regulation is that the controller proves that biometric data processing is necessary. To this end, the controller must explain why the use of other means of identification or organisational and technical safeguards is not appropriate to achieve the required level of security.
Moreover, the choice of biometric types must be specifically explained and documented by the employer. This also includes the justification for the choice of one biometric feature over another. Processing must be carried out for the purpose of controlling access to premises classified by the company as restricted or of controlling access to computer devices and applications.
Furthermore, the model regulation of the CNIL describes which types of personal data may be collected, which storage periods and conditions apply and which specific technical and organisational measures must be taken to guarantee the security of personal data. In addition, CNIL states that before implementing data processing, the controller must always carry out an impact assessment and a risk assessment of the rights and freedoms of the individual. This risk assessment must be repeated every three years for updating purposes.
The data protection authority also points out that the model regulation does not exempt from compliance with the regulations of the GDPR, since it is not intended to replace its regulations, but to supplement or specify them.
Just recently, a German Labour Court (LAG Baden-Württemberg) has decided on the extent of Article 15 of the European General Data Protection Regulation (GDPR) with regard to the information that is supposed to be handed out to the data subject in case such a claim is made.
The decision literally reflects the wording of Art. 15 (1) GDPR which, amongst other things, requires information on
- the purposes of data processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- where the personal data are not collected from the data subject, any available information as to their source.
In contrast to the previous views of the local data protection authorities, which – in the context of information about recipients of personal data – deem sufficient that the data controller discloses recipient categories, the LAG Baden-Württemberg also obliged the data controller to provide the data subject with information about each individual recipient.
In addition, the LAG Baden-Württemberg ordered the data controller to make available to the data subject a copy of all his personal performance data. However, the court did not comment on the extent of copies that are to be made. It is therefore questionable whether, in addition to information from the systems used in the company, copies of all e-mails containing personal data of the person concerned must also be made available to the data subject.
Since the court has admitted the appeal to the Federal Labour Court (BAG) regarding this issue, it remains to be seen whether such an approach will still be valid after a Federal Labour Court decision.
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), announced an update on its policy regarding administrative fines.
In addition to the Dutch GDPR implementation law the published policy provides insides on how the Dutch DPA will use its fining powers. According to the policy the DPA differentiats three or four categories of infringements. Each infringement is fined with a basic fine and a specific penalty bandwidth.
The DPA calculates the fine in two steps. First the basic fine is applied, second the basic fine is increased or decreased according to the classification to the different categories. Various aspects are included in the calculation of the fine, such as:
- the nature, the seriousness and duration of the violation,
- the number of data subjects affected,
- the extent of the damage and of the data compromised,
- the intentional or negligent nature of the violation,
- the measures adopted to mitigate the damages,
- the measures that were implemented to ensure compliance with the GDPR, including information security measures,
- prior violations,
- the level of cooperation with the DPA,
- the types of data involved,
- how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation,
- adherence to approved codes of conduct an certification mechanisms,
- any other applicable aggravating or mitigating factors.
The maximum amount in general is €1.000.000,00, but the fine can be higher in case the Dutch DPA decides that the calculated maximum amount is inappropriate in the particular case.
29. March 2019
The President of the Polish Supervisory Authority (Personal Data Protection Office, UODO) imposed the first fine for the amount of PLN 943,000, which is around € 220,000.
A Warsaw-based company received this fine for not being compliant with GDPR, particularly for failure to meet the information obligation of Article 14. The fined company commercially processes data from more than six million entrepreneurs, which it obtained from publicly available sources, such as the Central Electronic Register and Information on Economic Activity (CEIDG). The company’s database is often used by banks to verify the creditworthiness of the data subjects. According to the Polish Authority, the company did not provide the data subjects with the information requested in Art. 14 para 1-3 GDPR (e.g. the source of their data, the purpose of the data processing, the data subject’s rights under GDPR), hence the data subjects had no possibility to object to further processing of their data or to request their rectification or erasure.
Out of the six million data subjects only 90 000 were informed by the company via e-mail (more than 12 000 of them objected to the processing of their data). For the remaining subjects (whose e-mails were unknown) the company only presented the information clause on its website and therefore failed to comply with Art. 14 GDPR.
“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity”, said Dr Edyta Bielak-Jomaa, President of UODO. The company claimed that information by registered mail would be associated with disproportionate costs and thus relies on the vaguely worded exception of Art. 14 (5) GDPR, which states that the provision of such information proves impossible or would involve a disproportionate effort. The supervisory authority however, finds this explanation insufficient as they could have called the data subjects or inform them by regular mail.
Pages: Prev 1 2 3 ... 33 34 35 36 37 38 39 ... 67 68 69 Next 
