Tag: data protection

Android apps share sensitive information with Facebook

14. December 2018

According to the German information portal mobilsicher.de, about 30 % of all Android apps contact Facebook as soon as you start them. This also includes apps that are directly related to religion, sexual orientation or health. The user has usually no idea of this connection.

Mobilsicher.de tested out several Android app versions, which were available in the Play-Store on November 29, 2018. For example the Apps of the German political parties CDU and SPD.

App developers integrate so-called Software Development Kits (SDK) into their apps because they include the helpful “Facebook Analytics” function. This function provides the app operator with information on how users use the app. Facebook, on the other hand, receive the user’s advertising ID, which is individually assigned to each smartphone and, if available, can link this ID to the corresponding Facebook account. This leads to the fact that someone who has downloaded for example a pregnancy guide app now getting ads for baby clothes displayed on Facebook.

Facebook accesses user data even if they do not have a Facebook account at all. Upon request, the company confirmed that it is not clear to the user which data is transferred to Facebook. A tool called “Clear History”, announced by Mark Zuckerberg in May 2018, which should help this lack of transparency, is still not available.

Facebook itself does not consider this type of collecting data a problem, as users would have the option of opting out of personalized advertising and deactivating it either on their smartphone or in their Facebook account.

„If a person utilizes one of these controls, then Facebook will not use data gathered on these third-party apps (e.g. through Facebook Audience Network), for ad targeting”, the company replied to the question of whether the information would be deleted after the transfer. If someone decides against personalized advertising, Facebook still transfers the data, but with a corresponding note. Nevertheless, the user’s data will be collected.

ICO fines companies for not paying the data protection fee

4. December 2018

The UK’s Information Commissioner’s Office (ICO) fines the first companies for not paying the data protection fee. Unless they are exempt, all organisations, companies and sole traders who process personal data have to pay an annual data protection fee.

Depending on their maximum turnover, number of employees and whether they are a charity or public authority, the fee varies from £40 to £2,900. Whereas the fine for not paying varies from £400 to £4,000. The fines recovered go to the Treasury’s Consolidated Fund. The regulations came into force together with the new Data Protection Act on 25 May 2018.

“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action. (…) You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO”, said Paul Arnold, Deputy Chief Executive Officer at the ICO.

More than 900 fine notices have been issued by the ICO since September and more are set to follow. Companies can check if their fee is due to renewal on the ICO’s website.

Category: General · UK
Tags: ,

India publishes draft of a data protection bill

14. September 2018

After the Hon’ble Supreme Court declared in its landmark decision that privacy is a “guaranteed fundamental right”, the Sikrishna Committee drafted a Personal Data Protection Bill, 2018.

In contrast to the terms “data subjects” and “controllers” chosen in the GDPR, the Indian draft designates the individuals whose personal data is processed “data principals” and the organisations responsible for the processing “data fiduciaries”.

With the new data protection bill, data principals have a variety of rights such as rights to access, rectification or the right to be forgotten. In order to ensure data compliance, the concept of an annual data audit, which will be carried out by organisations through independent data auditors, was also introduced. In addition to data fiduciaries who are based in India, the regulations also apply to those who systematically offer goods and services to data principals in India, or those whose work involves profiling of Indian data principals.

The new data protection bill also introduces the figure of the Data Protection Officer (DPO) for India. Organisations must appoint a DPO if they are “significant data fiduciaries”, i.e. if they are involved in high-risk processing activities, or if they are not present in India but covered by the bill. Those organisations shall appoint a DPO who is based in India. In contrast to the GDPR there is however no requirement of the independence of the DPO.

For cross-border data transfers, it is required that at least one copy of personal data is stored on servers or data centres located in India. Data classified as “critical personal data” may only be processed in a server or data centre located in India.

According to the Sikrishna Committee, the draft could be seen as a template for developing countries all over the world.

Category: India · Personal Data
Tags:

Belgium publishes new data protection law

12. September 2018

On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.

After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).

The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.

With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.

Category: Belgium · GDPR
Tags: ,

Singapore: Collecting NRIC numbers will be prohibited for organisations

5. September 2018

From September 2019, there will be stricter rules for the protection of personal data in Singapore hence the collection, use and disclosure of NRIC numbers of individuals and making copies of their NRIC cards will be illegal for organisations.

In the past years, it was not unusual for shopping malls and other places to collect the NRIC number of a customer for instance when registering for memberships.

From the unique section of numbers and letters of the Singapore National Registration Identification Card (“NRIC”) an individual can be precisely identified. Therefore, the NRIC number is considered personal data. Besides the number, the physical NRIC card contains the individual’s full name, photograph, thumbprint and residential address.

Apart from the prohibition of collecting, using and disclosing of NRIC numbers it will also be generally forbidden to collect, use or disclose individual’s birth certificate numbers, foreign identification numbers and work permit numbers. Exemptions are regulated in the new PDPC guidance (issued 31 August 2018) and will only apply where it is required by law or when it is necessary to verify an individual’s identity ”to a high degree of fidelity” (e.g. transactions involving healthcare).

If an organisation already collected those data they should proof whether they need to retain the numbers or not. In case they need to keep the data they have to ensure that there is adequate protection or they should anonymise the NRIC. The new regulation does not apply to the government or public agencies or organisations acting on its behalf, but organisations can be fined up to $ 1 million for disobeying the act.

Turkey – Starting dates for registration obligation for processing data has been announced

3. September 2018

The data protection authority in turkey has announced in his decision 2018/88 starting dates to register as a data controller on VERBIS prior to processing personal data, the online registration system VERBIS can be found on the homepage of the Turkish data protection authority. 

Earliest starting date for the registration process will be the 1st of October 2018.

 

Following start dates have been announced

a) 1st of October 2018 – 30th of September 2019, for data controllers that employ more than 50 employees and whose annual financial statement exceeds TRY 25 million

b) 1st of October 2018 – 30th of September 2019, for data controllers established outside of Turkey

c) 1st of January 2019 – 31st of March2019, for data controllers that employ less than 50 employees, whose financial statement does not exceed TRY 25 million, but whose core business includes the processing of sensitive data

d) 1st of April – 30th June, for public institutions and organizations that act as data controllers

 

Data controllers should take the necessary action and register with VERBIS during the applicable period.

Data Protection in the UK after the “Brexit”

4. April 2017

After the Brexit, keeping data by the UK companies and organizations is expected to become more certain locally than globally.

Elizabeth Denham, the UK’s Information Commissioner, recently commented before the House of Lords EU Home Affairs Sub-Committee, that the UK should apply to the European Commission for a full “adequacy” decision in terms of proving the adequate data protection measures as UK will become soon a non-EU country.

British government comments on the free trade deal with these words: “no deal for the UK is better than a bad deal for the UK”.

In the context of Brexit, it is crucial for the industry of the UK to keep the data-flows unhindered though.

British politician David Davis indicates that the UK and EU are now on their way to find and maintain equivalence (and not identity) in their relations (especially when it comes to business) in order to keep up their common interest.

Even though Davis is not using the “adequacy” term in his speech, this is what the UK technology industry is asking for.

Government assures that if no accord in that matter will be reached, there are still many alternatives to adequacy.

Category: UK
Tags: ,