EU Commission: Using Personal Data In Political Campaigns

29. August 2018

Following the Facebook-Cambridge Analytica case, the EU Commission intends to prohibit the misuse of Collection data of voters in order to influence elections. As the Irish Times reports, the EU Commission is drafting an amendment to existing party funding rules prohibiting parties profiting from data collections of the kind as alleged against Cambridge Analytica.

Cambridge Analytica has been accused of obtaining information of millions Facebook users without the data subjects’ consent by using a personality-analysis app during Donald Trump’s presidential campaign.

It is expected that sanctions will have the extent of approximately 5 percent of the annual budget of a political party. An official said “it is meant to ensure that something like Cambridge Analytica can never happen in the EU”.

Considering the upcoming election of the European Parliament in May 2019, various measures are to be recommended or imposed by the EU Commission that shall be followed by the member states in order to prevent misuse of voters’ personal data or the online manipulation of voters. While it is intended to recommend the governments to watch over and clamp down on groups sending personalized political messages to users of social media without their consent, the member states shall also be stricter about the transparency requirements of political advertisement on national level by amending national law.

Last month, Vera Jourova, EU justice commissioner, said: “voters and citizens should always understand – when something is an online campaign – who runs the campaign, who pays for it and what they want to achieve.”

However, she also made clear that the EU will respect free expression and that the EU is not going to regulate online activities of political parties. “The internet is a zone for free expression. Everybody can be a journalist or an influencer, and these are the things that we don’t want to touch”, she stated.

Luxembourg publishes two new Data Protection Laws

24. August 2018

On August 1st, 2018 the Luxembourg government adopted two new data protection laws implementing certain parts of the General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) and repeals the former data protection law of 2002. Draft Bill Number 7184 and 7168 were adopted and complement the GDPR, which has been in force since 25 May 2018 throughout the European Union.

The newly implemented laws don’t add any further restrictions to the processing of personal data, but rather serve as implementing provisions required under GDPR.

The new Luxembourg Data Protection Law defines the organisation, missions and competence of the Luxembourg data protection authority (Commission nationale pour la protection des données – CNPD) and provides specific requirements or exceptions. The CNPD has been granted broad investigation powers. The CNPD receives for example the right to obtain access from any controller or processor to all personal data and information necessary to verify compliance under GDPR. The CNPD is also in charge to issue warning, orders and fines to any controller or processor who is not compliant under the provisions of the GDPR.

The second new law, the Luxembourg Law on Criminal Data Processing specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security.

The two laws should be read together, as they jointly extend the competences of the CNPD.

Starting with the new implementations, Luxembourg companies are discharged of the administrative burden of an active notification of personal data processing to the CNPD prior to processing personal data. However, companies should be ready to be controlled by the local regulator and therefore they are obliged to keep a record of the processing of personal data that is carried out under their responsibility.

The final versions were published on August 16th, 2018 in the Official Gazette of Luxembourg.

Database operators in Sweden exempt from GDPR

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.

It is expected that the relevant laws will be amended in the first half of 2019.

Teenager hacked Apple’s internal network

22. August 2018

A 16-year-old boy from Melbourne, Australia broke into Apple‘s internal computer systems and downloaded 90GB of data, as reported by Australian newspaper The Age. The teenager acquired possession of “authorised keys“ and had access to Apple’s network for approximately a year.

Last year Apple reported the incident to the FBI who then pointed it out to the Australian Federal Police (AFP). They found the sensitive documents in a computer folder named “hacky hack hack“. Apple succeeded to keep this incident out of media until the court proceedings last week.

The 16-year-old boy has pleaded guilty. According to his lawyer, the teenager broke into the network because he is a huge apple fan who wants to work for the company in the future. A verdict is expected at the end of September.

Apple is now trying to reassure its customers. According to a spokesman of the company, no personal data was compromised.

Brazilian General Data Protection Law

17. August 2018

On August 14th, a new data protection law was passed in Brazil and is named Brazilian General Data Protection Law (LGPD). The law will come into effect in early 2020.

The new legal framework deals with personal data in Brazil, both online and offline as well as in the private and public sectors. Until now the country has more than 40 legal norms at the federal level which are replaced and/or supplementing the previous regulations.

The new law aims to help Brazil enter the roll of more than 120 countries that today may be considered to have an adequate level of protection of privacy and the use of personal data, so that Brazil can compete on the global market.

As next step a DPA is created and will be an independent public authority responsible for the supervision of the law and enforcement. The authority is able to establish guidelines for the promotion of protection of personal data in Brazil.

Apple’s Taiwanese key chip supplier TSMC was struck by a virus

7. August 2018

Taiwan Semiconductor Manufacturing Co Ltd (TSMC), the largest contract chipmaker worldwide and one of Apple’s key suppliers, has warned of a 150 million EURO hit to revenue and delays to shipments after its factories were hit with a computer virus targeting Windows computers.

TSMC, which supplies the majority of the processors for Apple’s iPads and iPhones (iPhone 8 and X), claims that parts of its production facilities in Taiwan were forced to resume production after the outbreak of a virus last Friday night.

The virus is a variation of WannaCry. The ransomware attack aimed at computers running Microsoft Windows and threatened to erase files unless the attackers were paid in the cryptocurrency Bitcoin.

According to the company 80% of the company’s affected computers had been fixed on Sunday and neither its client information nor its data manufacturing base were implicated.
Since the manufacturer does not exclusively work for Apple, it also fabricates chips for lots of other companies which also have been notified. TSMC stated that it would have to delay shipments of chips to some customers. This would decrease their third quarter revenue up to 2% which is equivalent to 150 million EURO.

Category: Cyber security · General
Tags: ,

France’s GDPR implementation law

3. August 2018

In June, France enacted the French Data Protection Act 2 (FDPA2), which implements the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 – and the Directive (EU) 2016/680.

The French government decided not to repeal the French Data Protection Act of 1978 (FDPA). FDA2 amends the former FDPA. FDPA2 replaces the logic of prior formalities with the philosophy introduced by the GDPR of enhanced accountability of stakeholders.

The FDPA2 does not take full advantage of all the opening clauses provided by the GDPR. In November 2017, when the draft bill was published, the CNIL considered that this selection was judiciously made. It includes the following provisions:

  • The clarification of the scope of application of national law (Art. 10)
  • An open data approach for judicial decisions (Art. 13)
  • The definition of the age for “digital majority” (Art. 20)
  • The broadening of class-action’s scope to compensation (Art. 25)
  • The possibility for the Conseil d’Etat to temporarily suspend international data transfer at the request of the CNIL (Art. 27)

Article 32 of the FDPA2 empowers the government to proceed by ordinance to a general rewriting of the FDPA in order to improve the intelligibility and consistency with all legislation relating to the protection of personal data. It is therefore to be expected that the FDPA2 will undergo major changes in the near future but without any debate before the Parliament.

Dutch Data Protection Authority: Randomly selected companies will be subject to GDPR-compliance investigations

31. July 2018

This month, the Data Protection Authority (DPA) of the Netherlands has launched an investigation according to Art. 57 (1) a GDPR which obliges the supervisory authorities to “monitor and enforce compliance” with the EU General Data Protection Regulation (GDPR). The Dutch DPA thereby verifies compliance with Art. 30 GDPR (records of processing activities) in 30 randomly selected large companies of the private sector (i.e. which have more than 250 employees) rooted in 10 different branches: industry, water supply, construction, retail, hospitality, travel, communications, finance, business services, and health care across the Netherlands. Its investigative powers in terms of this investigation derive from Art. 58 (1) a GDPR which enables the DPAs “to order the controller and the processor, and, where applicable the controller’s or the processor’s representative, to provide any information the supervisory authority requires for the performance of its tasks”.

For those investigations it is not necessary that a complaint has been lodged or any other indication of non-compliance occurs. In particular, the Dutch DPA regularly carries out such “ex officio” investigations focusing on certain enforcement priorities depending on the sector or the topic. With their investigation strategy they aim to focus on the compliance with certain requirements of the GDPR that may typically create adequate safeguards in organizations to issue and maintain compliance with the general Principles of the GDPR (Art. 5 et seqq GDPR).

Therefore, the authorities decided for the private sector that the records of processing activities (Art. 30 GDPR) are the key drivers for GDPR compliance, since these records eventually enable an organization knowing about what personal data they process and for which purposes. Since the results of the investigation will most probably be published anonymously (e.g. numbers and other details of the violation in specific sectors), they might hope to create a ripple effect on other organizations of the respective sectors.

A prediction of the crucial penalties that may be the result of this “ex officio” investigations of the Dutch DPA is basically not possible, as the organizations involved and the state of their GDPR compliance are unknown. But it might be interesting that the Dutch DPA is also allowed to issue a so-called “enforcement notice under penalty” according to the Dutch GDPR Execution Act if an organization has been established non-compliant. This enforcement notice can contain an order for the respective organization to comply and demonstrate compliance within a fixed time frame. For each day or week that they fail to comply with such an order, a fixed penalty may apply.

Such an enforcement order may be issued in the event of a violation of Art. 30 GDPR that is not likely to result in a risk for the data subjects. Where the investigation shows that non-compliance may result in a risk for the freedoms and rights of the data subjects or is potentially deemed unfair, the penalty could also result in the maximum category of possible fines.

 

Category: GDPR · The Netherlands

Data of patients disclosed in Singapore’s largest data breach in history

30. July 2018

A cyberattack has impacted data of 1.5 Mio patients of SingHealth clinics by stealing name, ID Card number, address, gender, race and date of birth as reported by ARN Net.

Due to “operational security reasons”, the authorities haven’t disclosed the identity of the responsibles behind the attack.

Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”

The report further states that all patients, whether or not they were affected will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

According to Channel Asia the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, gaining privileged account credentials to gain access to the database.

It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all Patient records in SingHealth’s IT system remain intact.

Several measures have been taken in terms of IT-security such as controls on workstations and servers, resetting user and systems accounts and installment of additional system monitoring controls.

New Zealand: Privacy after death does matter

27. July 2018

Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.

However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.

For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.

Consequently, there will be situations that contain mixed information on both the deceased and the requestor.

The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.

Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.

The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”

Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 28 29 30 Next
1 3 4 5 6 7 30