Tag: data protection

Irish DPC launches investigation into Facebook data leak

26. April 2021

On April 14th, 2021, Ireland’s Data Protection Commission (DPC) announced it launched an investigation into Facebook’s data leak reported earlier this month (please see our blog post here). The inquiry was initiated on the Irish DPC’s own volition according to section 110 of the Irish Data Protection Act. It comes after a dataset of 533 million Facebook users worldwide was made available on the internet.

The Irish DPC indicated in a statement that, “having considered the information provided by Facebook Ireland regarding this matter to date, the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data”. The Irish DPC further stated that they had engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance, to which Facebook Ireland furnished a number of responses.

The launch of an investigation by the Irish authorities is significant due to the fact that Ireland remains home to Facebook’s European headquarters. This means the Irish DPC would act as the lead regulator within the European Union on all matters related to it. However, Ireland’s data watchdog has faced criticism from privacy advocates for being too slow with its GDPR investigations into large tech companies. In fact, the inquiry comes after the European Commission intervened to apply pressure on Ireland’s data protection commissioner.

Facebook’s statement on the inquiry has been shared through multiple media, and it has announced that Facebook is “cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”

Ikea France on trial for spying on staff and customers

7. April 2021

Ikea’s French subsidiary and several of its former executives stood trial on Monday, March 22nd, 2021, after being sued by former employees on charges of violating privacy rights by surveilling the plaintiffs, job applicants and customers.

Trade unions reported the furniture and household goods company to French authorities in 2012, accusing it of fraudulently collecting personal data and disclosing it without authorization. The subsequent criminal investigation uncovered an extensive espionage system. According to French prosecutors, the company hired a surveillance company, private investigators and even a former military operative to illegally obtain confidential information about its existing and prospective employees as well as customers. The files received contained, inter alia, criminal records and bank statements. The system has been used for years, possibly even over a decade, to identify individuals who were particularly suspicious or working against the company.

After the case caused outrage in 2012, Ikea’s main parent company fired several executives at the French branch, including the former general manager. But the extensive activity in France has again raised questions about data breaches by the company.

At Monday’s trial an employee accused the company of abuse since it had wrongly suspected him of being a bank robber because its investigative system had found prior convictions of a bank robber with the same name. Others claimed the retailer had browsed through employees’ criminal records and used unauthorized data to reveal those driving expensive cars despite low incomes or unemployment benefits. Even an assistant director who had taken a year of medical leave to recover from hepatitis C was monitored to investigate whether she had faked the severity of her illness. Illicit background checks on hundreds of job applicants were also conducted. Moreover, the system was used to track down customers seeking refunds for mismanaged orders.

One of the defendants, the former head of Ikea France’s risk management department, has testified at the hearing that EUR 530.000 to 630.000 a year had been earmarked for such investigations. The former CEOs and Chief Financial Officer as well as store managers are also on trial. In addition, four police officers are accused of handing over confidential information from police files.

Ikea France said in a statement that it takes the protection of its employees’ and customers’ data very seriously. The company added that it adopted compliance and training procedures to prevent illegal activity and changed internal policies after the criminal investigation had been initiated. But at Monday’s hearing, Ikea France’s lawyers denied a system-wide surveillance. The case was also called “a fairy tale” invented by trade union activists.

The deputy prosecutor claimed, Ikea France had illegally monitored at least 400 people and used the information to its advantage. She is asking for a fine of EUR 2.000.000 against the company, prison sentences of at least one year for two former CEOs and a private investigator, as well as fines for some store managers and police officers. A total of 15 people have been charged. The company also faces potential claims for damages from civil lawsuits filed by unions and several employees.

The trial ended on April 2nd. A verdict by a panel of judges is scheduled for June 15th.

The state of Virginia is second state in the USA to enact major Data Protection Legislation

17. March 2021

On March 2nd, 2021, Virginia’s Governor, Ralph Northam, signed the Consumer Data Protection Act into law without any further amendments.

This makes the state of Virginia the second US state to enact a major privacy law, next to California’s CCPA enacted in 2018. At the point of the law passing to the Senate, there was debate that the bills were flawed as they are not including a private right of action and leaving all enforcement to the Office of the Attorney General. This caused some senators to oppose the bills, however it was ultimately passed by a vote of 32 to 7. The Consumer Data Protection Act will take effect on January 1st, 2023.

The bill establishes a comprehensive framework for controlling and processing personal data of Virginia residents. In addition, it provides Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing operations, as well as the right to appeal a controller’s decision regarding a rights request. The bill further states requirements relating to the principles of data minimization, processing limitations, data security, non-discrimination, third-party contracting and data protection assessments, as well as imposes certain requirements directly on entities who act as processors of data on behalf of a controller.

However, the law also includes a number of exemptions at entity level, such as exemptions for financial institutions subject to the Gramm-Leach-Bliley Act and also includes some data or context specific exemptions, such as an exemption for HR-related data processing.

The Attorney General’s office, as the enforcing entity, has to provide 30 days’ notice of any violation and allow an opportunity for the controller to cure any violation. In case a controller does not oblige and leaves the violation uncured, the Attorney General is able to file an action seeking $7,500 per violation.

French Government seeks to disregard CJEU data retention of surveillance data ruling

9. March 2021

On March 3rd, POLITICO reported that the French government seeks to bypass the Court of Justice of the European Union’s (CJEU) ruling on limiting member states’ surveillance activities of phone and internet data, stating governments can only retain mass amounts of data when facing a “serious threat to national security”.

According to POLITICO, the French government has requested the country’s highest administrative court, the Council of State, to not follow the CJEU’s ruling in the matter.

Last year in October, the CJEU ruled that several national data retention rules were not compliant with EU law. This ruling included retention times set forth by the French government in matters of national security.

The French case in question opposes the government against digital rights NGOs La Quadrature du Net and Privacy International. After the CJEU’s ruling, it is now in the hands of the Council of State in France, which will have to decide on the matter.

A hearing date has not yet been decided, however POLITICO sources state that the French government is trying to bypass the CJEU’s ruling by presenting the argument of the ruling going against the country’s “constitutional identity”. This argument, first used back in 2006, is seldomly used, however can be referred to in order to avoid applying EU law at national level.

In addition, the French government accuses the CJEU to have ruled out of its competence, as matters of national security remain solely part of national competence.

The French government did not want to comment on the ongoing process, however has had a history of refusing to adopt EU court rulings into national law.

Dutch data scandal: illegal trade of COVID-19 patient data

19. February 2021

In recent months, a RTL Nieuws reporter Daniël Verlaan has discovered widespread trade in the personal data of Dutch COVID-19 test subjects. He found ads consisting of photos of computer screens listing data of Dutch citizens. Apparently, the data had been offered for sale on various instant messaging apps such as Telegram, Snapchat and Wickr. The prices ranged from €30 to €50 per person. The data included home addresses, email addresses, telephone numbers, dates of birth and BSN identifiers (Dutch social security number).

The personal data were registered in the two main IT systems of the Dutch Municipal Health Service (GGD) – CoronIT, containing details about citizens who took a COVID-19 test, and HPzone Light, a contact-tracing system, which contains the personal data of people infected with the coronavirus.

After becoming aware of the illegal trade, the GGD reported it to the Dutch Data Protection Authority and the police. The cybercrime team of the Midden-Nederland police immediately started an investigation. It showed that at least two GGD employees had maliciously stolen the data, as they had access to the official Dutch government COVID-19 systems and databases. Within 24 hours of the complaint, two men were arrested. Several days later, a third suspect was tracked down as well. The investigation continues, since the extent of the data theft is unclear and whether the suspects in fact managed to sell the data. Therefore, more arrests are certainly not excluded.

Chair of the Dutch Institute for Vulnerability Disclosure, Victor Gevers, told ZDNet in an interview:

Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home.

Many people expressed their disapproval of the insufficient security measures concerning the COVID-19 systems. Since the databases include very sensitive data, the government has a duty to protect these properly in order to prevent criminal misuse. People must be able to rely on their personal data being treated confidentially.

In a press release, the Dutch police also raised awareness of the cybercrime risks, like scam or identity fraud. Moreover, they informed about the possibilities of protection against such crimes and the need to report them. This prevents victims and allows the police to immediately track down suspects and stop their criminal practices.

Giant database leak exposes data on 220 million Brazilians

28. January 2021

On January 19th, 2021, the dfndr lab, PSafe’s cybersecurity laboratory, reported a leak in a Brazilian database that may have exposed the CPF number and other confidential information of millions of people.

According to the cybersecurity experts, who use artificial intelligence techniques to identify malicious links and fake news, the leaked data they have found contains detailed information on 104 million vehicles and about 40 million companies. Overall, the leak poses a risk to close to 220 million Brazilians.

The personal data contained in the affected database includes names, birthdates and individual taxpayer registry identification, with distinct vehicle information, including license plate numbers, municipality, colour, make, model, year of manufacture, engine capacity and even the type of fuel used. The breach both affects almost all Brazilian citizens, as well as authorities.

In a press release, the director of the dfndr lab, Emilio Simoni, explained that the biggest risk following this data leak is that this data will be used in phishing scams, in which a person is induced to provide more personal information on a fake page.

In their statement, PSafe does not disclose either the name of the company involved or how the information was leaked, whether it was due to a security breach, hacker invasion or easy access. However, regardless of the cause of the leak, the new Brazilian Data Protection Security Law provides for fines that can reach R $ 50 million for an infraction of this type.

Clubhouse Data Protection issues

Clubhouse is a new social networking app by the US company Alpha Exploration Co. available for iOS devices. Registered users can open rooms for others to talk about various topics. Participation is possible both as a speaker and as a mere listener. These rooms can be available for the public or as closed groups. The moderators speak live in the rooms and the listeners can then join the virtual room. Participants are initially muted and can be unmuted by the moderators to talk. In addition, the moderators can also mute the participants or exclude them from the respective room. As of now, new users need to be invited by other users, the popularity of these invitations started to rise in autumn 2020 when US celebrities started to use the app. With increasing popularity also in the EU, Clubhouse has come under criticism from a data protection perspective.

As mentioned Clubhouse can only be used upon an invitation. To use the option to invite friends, users must share their address book with Clubhouse. In this way, Alpha Exploration can collect personal data from contacts who have not previously consented to the processing of their data and who do not use the app. Not only Alpha Exploration, but also users may be acting unlawfully when they give the app access to their contacts. The user may also be responsible for the data processing associated with the sharing of address books. Therefore, it is not only the responsibility of Alpha Exploration, but also of the user to ensure that consent has been obtained from the contacts whose personal data is being processed. From a data protection perspective, it is advisable not to grant the Clubhouse app access to this data unless the consent of the respective data subjects has been obtained and ideally documented. Currently, this data is transferred to US servers without the consent of the data subjects in the said address books. Furthermore, it is not apparent in what form and for what purposes the collected contact and account information of third parties is processed in the USA.

Under Clubouse’s Terms of Service, and in many cases according to several national laws, users are prohibited from recording or otherwise storing conversations without the consent of all parties involved. Nevertheless, the same Terms of Service include the sentence “By using the service, you consent to having your audio temporarily recorded when you speak in a room.” According to Clubhouse’s Privacy Policy, these recordings are used to punish violations of the Terms of Service, the Community Guidelines and legal regulations. The data is said to be deleted when the room in question is closed without any violations having been reported. Again, consent to data processing should be treated as the general rule. This consent must be so-called informed consent. In view of the fact that the scope and purpose of the storage are not apparent and are vaguely formulated, there are doubts about this. Checking one’s own platform for legal violations is in principle, if not a legal obligation in individual cases, at least a so-called legitimate interest (Art. 6 (1) (f) GDPR) of the platform operator. As long as recordings are limited to this, they are compliant with the GDPR. The platform operator who records the conversations is primarily responsible for this data processing. However, users who use Clubhouse for conversations with third parties may be jointly responsible, even though they do not record themselves. This is unlikely to play a major role in the private sphere, but all the more so if the use is in a business context.

It is suspected that Clubhouse creates shadow profiles in its own network. These are profiles for people who appear in the address books of Clubhouse users but are not themselves registered with Clubhouse. For this reason, Clubhouse considers numbers like “Mobile-Box” to be well-connected potential users. So far, there is no easy way to object to Clubhouse’s creation of shadow profiles that include name, number, and potential contacts.

Clubhouse’s Terms of Use and Privacy Policy do not mention the GDPR. There is also no address for data protection information requests in the EU. However, this is mandatory, as personal data of EU citizens is also processed. In addition, according to Art. 14 GDPR, EU data subjects must be informed about how their data is processed. This information must be provided to data subjects before their personal data is processed. That is, before the data subject is invited via Clubhouse and personal data is thereby stored on Alpha Exploration’s servers. This information does not take place. There must be a simple opt-out option, it is questionable whether one exists. According to the GDPR, companies that process data of European citizens must also designate responsible persons for this in Europe. So far, it is not apparent that Clubhouse even has such data controllers in Europe.

The german “Verbraucherzentrale Bundesverband” (“VZBV”), the german federate Consumer Organisation, has issued a written warning (in German) to Alpha Exploration, complaining that Clubhouse is operated without the required imprint and that the terms of use and privacy policy are only available in English, not in German as required. The warning includes a penalty-based cease-and-desist declaration relating to Alpha Exploration’s claim of the right to extensive use of the uploaded contact information. Official responses from European data protection authorities regarding Clubhouse are currently not available. The main data protection authority in this case is the Irish Data Protection Commissioner.

So far, it appears that Clubhouse’s data protection is based solely on the CCPA and not the GDPR. Business use of Clubhouse within the scope of the GDPR should be done with extreme caution, if at all.

16 Million brazilian COVID-19 patients’ personal data exposed online

7. December 2020

In November 2020, personal and sensitive health data of about 16 Million brazilian COVID-19 patients has been leaked on the online platform GitHub. The cause was a hospital employee, that uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on the online platforms. Under those affected were also the brazilian President Jair Bolsonaro and his family as well as seven ministers and 17 provincial governors.

Under the exposed systems were two government databases used to store information on COVID-19 patients. The first “E-SUS-VE” was used for recording COVID-19 patients with mild symptoms, while the second “Sivep-Gripe” was used to keep track of hospitalized cases across the country.

However, both systems contained highly sensitive personal information such as patient names, addresses, telephone numbers, individual taxpayer’s ID information, but also healthcare records such as medical history and medication regimes.

The leak was discovered after a GitHub user spotted the spreadsheet containing the password information on the personal GitHub account of an employee of the Albert Einstein Hospital in Sao Paolo. The user informed the Brazilian newspaper Estadao, which analysed the information shared on the platform before it notified the hospital and the health ministry of Brazil.

The spreadsheet was ultimately removed from GitHub, while government officials changed passwords and revoked access keys to secure their systems after the leak.

However, Estadao reporters confirmed that the leaked data included personal data of Brazilians across all 27 states.

EU offers new alliance with the USA on data protection

4. December 2020

The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy outlined a new EU-US agenda for global change, which was published on December 2nd, 2020. It constitutes a proposal for a new, forward-looking transatlantic cooperation covering a variety of matters, including data protection.

The draft plan states the following guiding principles:

  • Advance of global common goods, providing a solid base for stronger multilateral action and institutions that will support all like-minded partners to join.
  • Pursuing common interests and leverage collective strength to deliver results on strategic priorities.
  • Looking for solutions that respect common values of fairness, openness and competition – including where there are bilateral differences.

As said in the draft plan, it is a “once-in-a-generation” opportunity to forge a new global alliance. It includes an appeal for the EU and US to bury the hatchet on persistent sources of transatlantic tension and join forces to shape the digital regulatory environment. The proposal aims to create a shared approach to enforcing data protection law and combatting cybersecurity threats, which could also include possible restrictive measures against attributed attackers from third countries. Moreover, a transatlantic agreement concerning Artificial Intelligence forms a part of the recommendation. The purpose is setting a blueprint for regional and global standards. The EU also wants to openly discuss diverging views on data governance and facilitate free data flow with trust on the basis of high safeguards. Furthermore, the creation of a specific dialogue with the US on the responsibility of online platforms and Big Tech is included in the proposal as well as the development of a common approach to protecting critical technologies.

The draft plan is expected to be submitted for endorsement by the European Council at a meeting on December 10-11th, 2020. It suggests an EU-US Summit in the first half of 2021 as the moment to launch the new transatlantic agenda.

China issued new Draft for Personal Information Protection Law

23. November 2020

At the end of October 2020, China issued a draft for a new „Personal Information Protection Law” (PIPL). This new draft is the introduction of a comprehensive system in terms of data protection, which seems to have taken inspiration from the European General Data Protection Regulation (GDPR).

With the new draft, China’s regulations regarding data protection will be consisting of China’s Cybersecurity Law, Data Security Law (draft) and Draft PIPL. The new draft legislation contains provisions relating to issues presented by new technology and applications, all of this in around 70 articles. The fines written in the draft for non-compliance are quite high, and will bring significant impact to companies with operations in China or targeting China as a market.

The data protection principles drawn out in the draft PIPL include transparency, fairness, purpose limitation, data minimization, limited retention, data accuracy and accountability. The topics that are covered include personal information processing, the cross-border transfer of personal information, the rights of data subjects in relation to data processing, obligations of data processors, the authority in charge of personal information as well as legal liabilities.

Unlike China’s Cybersecurity Law, which provides limited extraterritorial application, the draft PIPL proposes clear and specific extraterritorial application to overseas entities and individuals that process the personal data of data subjects in China.

Further, the definition of “personal data” and “processing” under the draft PIPL are very similar to its equivalent term under the GDPR. Organizations or individuals outside China that fall into the scope of the draft PIPL are also required to set up a dedicated organization or appoint a representative in China, in addition to also report relevant information of their domestic organization or representative to Chinese regulators.

In comparison to the GDPR, the draft PIPL extends the term of “sensitive data” to also include nationality, financial accounts, as well as personal whereabouts. However, sensitive personal information is defined as information that once leaked or abused may cause damage to personal reputation or seriously endanger personal and property safety, which opens the potential for further interpretation.

The draft legislation also regulates cross-border transfers of personal information, which shall be possible if it is certified by recognized institutions, or the data processor executes a cross-border transfer agreement with the recipient located outside of China, to ensure that the processing meets the protection standard provided under the draft PIPL. Where the data processor is categorized as a critical information infrastructure operator or the volume of data processed by the data processor exceeds the level stipulated by the Cyberspace Administration of China (CAC), the cross-border transfer of personal information must pass a security assessment conducted by the CAC.

It further to keep in mind that the draft PIPL enlarges the range of penalties beyond those provided in the Cybersecurity Law, which will put a much higher pressure on liabilities for Controllers operating in China.

Currently, the period established to receive open comments on the draft legislation has ended, but the next steps have not yet been reported, and it not yet sure when the draft legislation will come into full effect.

Pages: Prev 1 2 3 4 5 6 7 Next
1 2 3 4 7