18. August 2016
The Guardian just reported that the European Commission is about to release an update of the draft of the E-Privacy Directive in September.
This draft will probably include a requirement that apps like Skype and WhatsApp be treated the same, in terms of privacy regulations, as SMS text messages and both mobile and landline calls. According to Jan Philipp Albrecht, Green MEP, “It was obvious that there needs to be an adjustment to the reality of today”. He went on to say that “We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.” Furthermore, he mentioned that a focus of the new law lies in upholding strong encryption.
However, critics have raised concerns that the law might decrease economic innovation and that it is “well-nigh impossible” to fit older legislation to newer technology.
17. August 2016
Concerning U.S.-American Companies:
- Annual self-certification that they meet the requirements
- Displaying the privacy policy on their website
- Replying in a reasonable period of time to any complaints
- In case human resources data is processed: cooperation and compliance with European Data Protection Authorities
Concerning European Individuals:
- More transparency about the transfer of personal data to the U.S. and an increase of the protection level of this data.
- Cheaper and easier redress possibilities in case of complaints: either directly towards the company or with the support of the respective Data Protection Authority.
16. August 2016
A list was released last week containing about 40 companies that have been approved under the EU-U.S. Privacy Shield.
A spokesman of the Department of Commerce commented that this list would be updated continuously. He went on to say that “There are nearly 200 applications currently involved in our rigorous review process.”
Nevertheless, the Wall Street Journal just released an article mentioning that, due to the lack of legal certainty of the EU-U.S. Privacy Shield, companies are showing restraint in joining the agreement.
However, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids”, concluded Jay Cline, who works with PwC.
15. August 2016
One of the biggest US-American insurance companies, the American International Group (AIG), just declared that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption and product liability caused by cyber attacks.
Because “Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s]”, AIG released the new product CyberEdge Plus.
AIG commented on the new product as follows:
“CyberEdge can provide companies with protection against the following:
- Third-party claims arising from a failure of the insured’s network security or a failure to protect data. Insurance also responds to regulatory actions in connection with a security failure, privacy breach, or the failure to disclose a security failure or privacy breach.
- Direct first-party costs of responding to a security failure or privacy breach by paying costs of notifications, public relations, and other services to assist in managing and mitigating a cyber incident. Forensic investigations, legal consultations, and identity monitoring costs for victims of a breach are all covered.
- Business interruption caused by a network security failure by reimbursing for resulting lost income and operating expenses.
- Threats made against a company’s computer network and confidential information by an outsider attempting to extort money, securities, or other valuables. Coverage includes monies paid to end the threat and the cost of an investigation to determine the cause of the threat.
- Liability faced by companies for content distributed on their website. Coverage is provided for numerous media perils including copyright infringement, trademark infringement, defamation, and invasion of privacy.”
Furthermore, the coverage has a limit of up to $100 million.
12. August 2016
Because the smartphone app Pokemon Go inserts animated creatures into real-life surroundings using real-time GPS data and phone cameras, concerns have been raised about the safety and privacy implications of location-based games and apps.
- In the US last month, armed criminals used Pokemon Go to lure teenage victims to an isolated place, where they were robbed.
- Last week, Iran became the first country to ban the game because of unspecified “security concerns”.
- Also, the contract customers must agree to before using the game has been questioned by consumer watchdogs across Europe, because Pokemon Go’s terms of service waive a player’s rights to courtroom representation as a plaintiff or class action member unless the player opts out within a month of the download.
A spokesman for Ireland’s Data Protection Commissioner commented that in regard to Pokemon Go “It was not aware of any specific data protection issues arising at this stage”. He continued by saying “However, like any smartphone app that seeks permissions in respect of users’ personal data, such as location data or for advertising or personalising services, there are privacy implications and users should make themselves aware of the terms to which they are agreeing in downloading and installing the app”.
The spokesman concluded that “In respect of location data, this office will be publishing detailed guidance early next week to assist individuals in understanding how organisations collect and process information relating to their location and their rights to the protection of their personal data.”
The ICO has fined Regal Chambers Surgery 40,000 GBP because personal medical information was handed out.
Regal Chambers Surgery disclosed to a man a 62-page medical file regarding his son that contained not only personal data but also information on the ex-partner, her parents, and an older child he was not related to. Although the man requested the records under Section 7 of the Data Protection Act, Regal Chambers had no process in place to determine whether the data should be handed out.
The ICO’s Head of Enforcement, Steve Eckersley, commented that “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded”.
11. August 2016
The Ponemon Institute has recently published a study about security gaps and the protection of corporate data. The study was carried out within U.S. and European organizations in France, Germany and the United Kingdom. It aims at identifying gaps in organizations that may lead to data breaches.
The study identifies data theft by “insiders” as the main reason for data breaches within organizations. A vast majority of the participants stated that their organization had suffered from such insider theft over the past two years.
Furthermore, respondents from the IT field confirmed that insider theft is twice as likely to compromise corporate information as any external attack. In this regard, the study reveals that data breaches by insiders are increasing because employees require wide access rights to perform their jobs and therefore have access to confidential and sensitive information of their organization.
The report suggests that companies should improve their tracking capabilities in order to identify access to and use of data by their employees, and to detect in a shorter timeframe employees’ intent to access information and data which they are not authorized to see.
5. August 2016
Having in mind that the European Court of Justice declared Privacy Shield’s predecessor, Safe Harbor, invalid, the Head of the Hamburg data protection authority, Prof. Dr. Johannes Caspar, would like to ask the European Court of Justice whether it thinks that the Commission’s decision to strike the data-transfer deal was valid.
Because there might be upcoming legal changes in Germany, Caspar hopes that those will make it possible for the country’s DPAs to challenge adequacy decisions.
An e-mail was published quoting Caspar as saying that “The decision of the EU Commission concerning the Privacy Shield constitutes a new legal ground for data subjects, which is a binding document for all members of the [Article 29 Working Party of data protection authorities],” and continuing, “On the other hand, I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU’s] Safe Harbor judgement.” Caspar went on to comment that “It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”
Because the GDPR is a regulation rather than a directive, it does not require transposition into national laws. However, the German government is debating new legislation in order to make German data protection law compliant with the GDPR. In July the German government issued a statement saying it is working on the new legislation, but it did not mention whether this also includes enabling DPAs to challenge adequacy decisions.
Furthermore, Caspar commented that the Article 29 Working Party’s next opportunity to question the Privacy Shield will come in a year’s time, “if the Shield will still be in force”.
However, Caspar is not the only one who takes a sceptical view of the Privacy Shield: Thomas Jansen, a partner with DLA Piper in Munich, stated that “Many [European] data protection and privacy experts see a high risk that the Privacy Shield will be invalidated”.
4. August 2016
Although companies began submitting their applications to join the EU-U.S. Privacy Shield, the U.S. Department of Commerce did not immediately list their compliance.
Among others, Microsoft was one of the first businesses to certify that it complied with the new rules for transferring European Union citizens’ personal data to the U.S.
On its blog, Microsoft published a statement by Vice President for EU Government Affairs John Frank saying “We expect it to be approved in the coming days”. Furthermore, he said “Going forward, any data which we will transfer from Europe to the U.S. will be protected by the Privacy Shield’s safeguards.”
The process for joining the EU-U.S. Privacy Shield includes a self-certification, for which the U.S. Department of Commerce charges a fee. The fee for processing organizations’ annual applications and adding them to the register ranges from $250 for organizations with revenue under US$5 million up to $3,250 for those with revenue over $5 billion.
However, organizations also have to pay in order to join an arbitration service or to have data protection authorities deal with complaints.
Recently, the IAPP (International Association for Privacy Professionals) published the results of a survey carried out by Baker & McKenzie regarding the perspectives and expectations that Privacy Professionals have about the changing legislative scope in the field of Data Protection.
The participants were senior managers and individuals involved in the fields of data protection and data security who belonged to multi-national organizations, government agencies, regulatory bodies or policy and academic institutions.
Most of the respondents acknowledge that both the GDPR and the Privacy Shield require organizations to implement a corresponding action plan, which will mean higher costs and effort. Furthermore, 70% of the respondents stated that the most difficult requirements of the GDPR to comply with are consent, data mapping and international data transfers. 45% stated that their organization does not currently have adequate tools to be compliant and that implementing the required tools may involve significant costs.
Moreover, the majority of the participants recommended that organizations self-certify as soon as possible, so that they would still have nine months to make contractors also comply with the principles. They also believe that the Privacy Shield should be complemented by other mechanisms for transferring personal data, such as Binding Corporate Rules or Standard Contractual Clauses.