11. July 2016
On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.
The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.
The formal adoption of the Privacy Shield is expected this week.
Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.
7. July 2016
On Wednesday, the EU Commission announced the launch of a public-private partnership with the cybersecurity industry as part of its Digital Single Market strategy. This partnership aims at providing the industry with better equipment and infrastructure to reduce cybersecurity threats.
Recent surveys have revealed that around 80% of European companies have suffered at least one cybersecurity incident during 2015. Worldwide, the number of cybersecurity incidents increased up to 38%. Andrus Ansip, Vice-President for the Digital Single Market, stated that “without trust and security, there can be no Digital Single Market”. Therefore several measures haven been proposed in order to tackle the increasingly sophisticated threats.
The initiative focuses on the following aspects:
- Reinforcement of cooperation across borders and between all sectors of the cybersecurity branch
- Support the development of innovative and secure products and services
- Creation of a possible certification framework for information and communications technology security products
- Ease access to the cybersecurity market for smaller business
- Assessment of the capabilities and mandate of European Union Agency for Network and Information Security (ENISA) to achieve its mission to support EU Member States in reinforcing cyber-resilience
- Evaluation of methods to strengthen cybersecurity cooperation, trainings and education
Both, the EU and the cybersecurity industry actors, represented by the European Cybersecurity Organization (ECSO), will invest around €1.8 billion in this initiative. Members from national, regional and local public administration, as well as research centres and academies will also participate.
The main industry sectors to which this partnership is focused are finance, health, energy and transport.
The EU Digital Single Market strategy also includes the 2013 EU Cybersecurity strategy and the Network and Information Security Directive (NIS Directive), which is expected to be approved within the next weeks.
4. July 2016
The EU Commission and American negotiators reached last week an agreement regarding the final draft of the EU-U.S. Privacy Shield. Now, the EU Commission has sent this draft to the Article 31 WP, who is expected to issue an opinion by tomorrow. If so, the EU-U.S. Privacy Shield will be implemented by the end of this week. Also, the final draft has been sent to the EU Parliament. The EU Parliament can issue an opinion, but cannot block its approval.
The Article 31 WP will meet today to review the text. Normally, the committee has two weeks to issue an opinion but the EU Commission expects an approval already this week.
30. June 2016
The Belgian DPA sued Facebook about a year ago for tracking the online activities of non-users who visit the Facebook´s sites in Belgium without their consent.
In the first instance, the Court ruled that Facebook should stop tracking non-users without their consent or to face a fine of 250,000 euros per day. Facebook appealed this sentence to the Brussels Court of Appeal. The Court of Appeal has now stated that the Belgian DPA has no jurisdiction over Facebook Inc. The Belgian DPA will appeal to the Court of Cassation, which cannot deliver new sentences but throw out previous judgements.
In the meanwhile, Facebook has confirmed that it will not track non-users without their consent when they visit Facebook sites or click the “like” button.
Moreover, Facebook stated that only the Irish DPA has jurisdiction regarding data protection issues that involve Facebook´s use of EU citizens’ personal data, as this is where the European Headquarters are located.
After the decision of the Court of Appeal, the Belgian DPA said that the decision “simply and purely means that the Belgian citizen cannot obtain the protection of his private life through the courts and tribunals when it concerns foreign actors”.
29. June 2016
Although the company stated this week that is has not been the victim of a cyber attack, account passwords from Deutsche Telekom, a German telecommunication company, are for sale on the dark web.
The respective stolen data was estimated to range from 64,000 records to 120,000 records.
Furthermore, the company hinted that the leaked data was obtained from another source, probably stolen via phishing. In its statement the company said that the sample of records were “real and current”.
The mentioned statement goes on by claiming that the company has 156 million global customers and that it has issued a warning due to the stolen data which suggests that all of its customers change their passwords.
Thomas Kremer, Telekom data privacy head, elaborates: “We want to use the event to promote a regular exchange of passwords”
28. June 2016
After several months of negotiations regarding the legitimating instruments to carry out international data transfers, EU and U.S. negotiators agreed last week on the final changes of the proposed EU-U.S. Privacy Shield.
The initial draft of the EU-U.S. Privacy Shield was criticized by several European Institutions such as the Article 29 WP, the EDPS, Article 31 WP and the UK Data Protection Authority (ICO) for not offering enough safeguards for EU citizens regarding the protection of their personal data upon data transfers to the U.S.
The main critic of the EU-U.S. Privacy Shield was focused on the independency of the ombudsman and on the massive surveillance activities from American Authorities. Additionally, a follow up control mechanism regarding compliance with the EU-U.S. Privacy Shield was required by European negotiators.
EU and U.S. negotiators have agreed to improve the above mentioned aspects in order to ensure more guarantees on the protection of EU citizens’ personal data:
- The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
- Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
- The proposal will include a specification that the ombudsman will be an independent institution.
As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide if the amended text complies with European Data Protection legislation. Both, the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.
Implications for the UK
After UK citizens have voted to leave the EU, a two-year-negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, also regarding international data transfers. When the UK ceases to be an EU Member State, it will be considered as being a third country in terms of international data transfers and will have to ensure enough safeguards regarding the protection of personal data.
A Berlin Court ruled that WhatsApp failed to comply with the German Telemedia Act and another court upheld this judgment recently. The claim is about WhatsApp forcing German users to agree to terms of service in the English language and therefore breaking consumer protection rules. According to this ruling, WhatsApp violates Germany’s Telemedia Act, as it does not provide consumers with a German company representative in case any questions or concerns occur.
In case the decision will be lawful, WhatsApp will be required to translate the entire terms of service and the privacy policy into German or be fined $283,000.
The CEO of the Federation of German Consumer Organizations, Klaus Müller, said that companies complicate their terms and conditions so that it is difficult for consumers to understand them. He goes on by saying that millions of WhatsApp users in Germany have an even harder time reading and understanding them in English.
Therefore, the problem is that consumers tend to accept the terms and conditions without really knowing what they signed up for.
However, up until today it is not known if WhatsApp will appeal the ruling one last time.
27. June 2016
On the 23rd June, UK celebrated a referendum to vote about UK´s EU membership. About 52% of the participants, voted for leaving the EU. The process of withdrawal from the EU will have to be done according to Art. 50 of the Treaty on the European Union and will take about two years until the process is completed.
The withdrawal of the UK´s membership will also have an impact on data protection rules. First of all, the GDPR will enter into force on the 25th May 2018, so that by this time, the UK will still be in process to leave the EU. This means that UK businesses will have to prepare and be compliant with the GDPR.
Additionally, if UK businesses trade in the EU, a similar framework to that of the GDPR will be required in order to carry out data transfers within the EU member states. The British DPA, ICO, published a statement regarding the existing data protection framework in the UK. According to ICO, “if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU´s General Data Protection Regulation framework starting in 2018”.
Currently, the GDPR is the reference in terms of data protection and organizations will have to prepare to be compliant and, even if the GDPR is not applicable to UK, a similar framework should be in place by the time the GDPR enters into force.
21. June 2016
In June 2016, a public consultation process about the GDPR was opened by the French DPA (CNIL). The consultation is based on the topics that the WP 29 identified as having priority in its action plan for the implementation of the GDPR, published beginning 2016.
The consultation aims at encouraging stakeholders to formulate questions regarding the GDPR in order to identify potential interpretation difficulties. Once the main questions and difficulties have been addressed, the WP 29 will issue guidelines regarding the relevant topics. The CNIL also offers the possibility to formulate questions about other topics, which are not directly mentioned in the consultation.
The main topics that are object of the current consultation are the institution of the DPO, Privacy Impact Assessments (PIA), data protection certifications and the right to data portability.
The consultation is opened until the 15th July 2016 and stakeholders can participate through the CNIL´s website. After that, the French DPA will publish a summary with the contributions.
20. June 2016
Verizon, a company that provides communication and technology services, has recently published the 2016 Data Breach Investigations Report (DBIR). The report reveals the trends regarding the sources and reasons for incidents and data breaches. It also provides recommendations on how to prevent or minimize the risk to be victim of a data breach.
The study has been developed by using data from 100.000 occurred data breaches provided by different industries. The study showed that the most affected industries are such as accommodation, finance, retail or the public sector. According to the report, the most common cause for attacks is directly or indirectly financial. Additionally, when it comes to a data disclosure, the attacker is usually an external person, not directly from inside.
The report describes nine main types of vulnerabilities that involve a risk for companies and persons. Phishing attacks have increased considerable in the last year and constitute together with stolen credentials the main cause of data breaches. Phishing attacks aim at tricking the victim by sending an e-mail so that he/she clicks on a link that contains malware in order to obtain certain personal or confidential information.
The report remarks that 30% of the phishing messages were opened and even 12% of people tested clicked on the phishing attachment. Moreover, only 3% reported management about the phishing e-mail. Phishing messages mostly aim at stealing credentials such as ID and password authentication. 63% of the confirmed data breaches involved stolen passwords.
In order to minimize the risk of being victim of a phishing attack, the report gives the following recommendations:
- Filter your e-mail and test its implementation
- Rise employee awareness and offer means to report such events
- Protect your network by segmenting it and implement strong authentication mechanisms between the user and the networks
- Monitor external connections
McAffee also provides useful recommendations regarding the identification and prevention of phishing attacks and the use of effective passwords.
