Tag: data protection
14. March 2019
On May 9th, 2019, the GPEN ("Global Privacy Enforcement Network") published the results of its "2018 Sweep", an annual intelligence-gathering exercise that looked at how well organisations have built data privacy accountability into their internal privacy policies and programmes.
GPEN is a global network of more than 60 data protection authorities. The 2018 Sweep was led by New Zealand's Office of the Privacy Commissioner ("OPC") and the UK's Information Commissioner's Office ("ICO") and was carried out by participating data protection authorities across the globe.
The participating authorities contacted 667 organisations with a set of pre-determined questions focused on key elements of responsible data protection. Those elements were:
- The importance of internal policies and procedures for data governance;
- Training and awareness;
- Transparency about data practices;
- The assessment and mitigation of risk;
- Incident Management.
Of the 667 organisations contacted, only 53% (356) provided substantive responses, and a large proportion of those had appointed an individual or a team to ensure compliance with the relevant data protection regulations.
The 2018 Sweep shows that many organisations are quite good at providing data protection training to their employees, but they have to ensure that this training is offered to all employees and takes place on a regular basis. It was also found that several organisations have processes in place for dealing with data subject complaints and for handling data breaches.
Overall, most organisations are aware of data protection and have a good understanding of it. Nevertheless, they have to make sure that they have clear policies and procedures in place and that they monitor their own performance against the relevant laws and regulations.
11. March 2019
The Dutch data protection authority, Autoriteit Persoonsgegevens, clarified on 7 March 2019 that websites must remain accessible when tracking cookies are not accepted. Websites that grant access only to users who agree to the use of tracking cookies or similar means of tracking and recording their behaviour do not comply with the General Data Protection Regulation (GDPR).
The Dutch DPA's decision was prompted by numerous complaints from website users who no longer had access to websites after refusing tracking cookies.
The Dutch DPA noted that the use of tracking software is generally allowed. Tracking the behaviour of website users, however, must be based on valid consent, and under the GDPR consent must be given freely. With a so-called cookie wall, the user has no access to the website unless they agree to the setting of cookies; this puts pressure on the user to disclose their personal data. According to the GDPR, however, consent is not freely given if the user has no free or genuine choice.
With the publication of this explanation, the Dutch DPA is calling on organisations to bring their practice into line with the GDPR. The DPA has already written to the organisations about which users complained most. In addition, it announced that it would intensify its monitoring in the near future to examine whether the standard is being applied correctly.
25. February 2019
The European Data Protection Board (EDPB) has published an information note explaining to organisations how personal data transfers to the UK will work, and how to prepare, if no agreement is reached between the EEA and the UK. In the event of a no-deal Brexit, the UK becomes a third country for which, as things stand at present, no adequacy decision exists.
EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:
• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals
In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard data protection clauses adopted by the European Commission, or ad hoc contractual clauses authorised by the competent supervisory authority, can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.
Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.
The French data protection authority CNIL has published an FAQ based on the EDPB's information note, explaining the consequences of a no-deal Brexit for data transfers to the UK and which preparations should be made.
12. February 2019
After an investigation by TechCrunch revealed that numerous apps were recording users' screens, Apple called on app developers to remove the screen recording code or at least disclose it.
TechCrunch's investigation revealed that many large companies use Glassbox, a customer experience analytics firm, to replay their users' sessions: the replay shows what was on screen, follows and records keyboard entries, and shows how the user moves through the app. It turned out that during session replay some fields that should have been masked were not, so that sensitive data such as passport numbers and credit card numbers could be read. Furthermore, none of the apps examined informed their users that the screen was being recorded while they used the app. Consequently no specific consent was obtained, nor was screen recording mentioned in the apps' privacy policies.
Based on these findings, Apple immediately asked the app developers to remove, or properly disclose, the analytics code that records screen usage. Apple's App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging or otherwise making a record of user activity. In addition, Apple expressly prohibits covert recording without the consent of the app's users.
According to TechCrunch, Apple has already told some app developers that they have broken Apple's rules. One was explicitly asked to remove the code from its app, with reference to the App Store Review Guidelines, and was given less than a day to do so; otherwise Apple would remove the app from the App Store.
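The masking failure TechCrunch found is the classic weakness of a deny-list: every field that nobody thought to mark sensitive is captured in clear. The following is an added example, not Glassbox's SDK or any of the apps' code, of the inverse approach for a session-capture pipeline: nothing leaves the device unless its field name is on an allow-list, and even allow-listed values are scanned for card-number-like digit runs before being sent. The field names, the event shape and the sample session are assumptions constructed for the example.

```python
"""Allow-list masking for session-replay events (added example, not vendor code).

Default-deny: a field is sent in clear only if its name is on CAPTURE_ALLOWLIST.
Defence in depth: allow-listed values are still scanned for payment card numbers
(13-19 digits passing the Luhn check), because users paste card numbers into
search boxes and comment fields too.
"""

import re
from typing import Dict, List

MASK = "[masked]"

# Assumed field names that are safe to capture in clear text.
CAPTURE_ALLOWLIST = {"search_query", "country", "plan_tier"}

# A digit followed by 12-18 (optional separator + digit) groups: 13-19 digits,
# separators allowed between digits but not consumed after the last one.
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers; digits only, no separators."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> str:
    """Replace any Luhn-valid 13-19 digit run with a mask that keeps the last four."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "****" + digits[-4:] if luhn_ok(digits) else m.group(0)
    return _DIGIT_RUN.sub(repl, text)


def mask_event(event: Dict[str, str]) -> Dict[str, str]:
    """Apply the allow-list first, then scan surviving values for card numbers."""
    out: Dict[str, str] = {}
    for field, value in event.items():
        if field not in CAPTURE_ALLOWLIST:
            out[field] = MASK
        else:
            out[field] = redact_card_numbers(value)
    return out


def mask_session(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mask a whole captured session before it is handed to the analytics uploader."""
    return [mask_event(e) for e in events]


# Constructed sample session (not real user data).
SAMPLE_SESSION: List[Dict[str, str]] = [
    {"search_query": "flights to lisbon", "country": "PT"},
    # Fields nobody remembered to deny-list: masked anyway, because they are not allow-listed.
    {"passport_no": "X1234567", "card_number": "4111 1111 1111 1111"},
    # A card number pasted into an allow-listed field is still redacted.
    {"search_query": "my card 4111111111111111 declined"},
]

if __name__ == "__main__":
    for masked in mask_session(SAMPLE_SESSION):
        print(masked)
```

The allow-list belongs in code review, not in a vendor dashboard: adding a field name to `CAPTURE_ALLOWLIST` is the moment someone has to justify capturing it, which is the decision the GDPR consent and transparency requirements above turn on.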
25. January 2019
On 21 January 2019, the French Data Protection Authority CNIL imposed a fine of €50 million on Google for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.
On 25th and 28th of May 2018, CNIL received complaints from the associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The associations accused Google of not having a valid legal basis to process the personal data of the users of its services.
CNIL carried out online inspections in September 2018, following the path a user takes when creating a Google account while setting up an Android device and examining the documents the user can access along the way.
CNIL's restricted committee first noted that the information provided by Google is not easily accessible to the user. Essential information, such as the purposes of the processing, the data storage periods and the categories of personal data used for ads personalisation, is spread across multiple documents, and the user only reaches the relevant information after several steps, sometimes up to six. The committee found this scheme incompatible with the General Data Protection Regulation (GDPR). It also noted that some of the information was neither clear nor comprehensive and did not allow the user to grasp the full extent of Google's processing: the purposes of the processing are described too generally and vaguely, as are the categories of data processed for those purposes, and for some data the user is not told the storage period at all.
Google has stated that it always seeks the consent of users, in particular for the processing of data to personalise advertisements. However, CNIL declared that the consent was not valid. On the one hand, the consent was based on insufficient information. On the other hand, the consent obtained was neither specific nor unambiguous, as the user gives his or her consent for all the processing operations purposes at once, although the GDPR provides that the consent has to be given specifically for each purpose.
This is the first time CNIL has imposed a penalty under the GDPR. The authority justified the amount of the fine with the gravity of the violations against the essential principles of the GDPR: transparency, information and consent. Furthermore, the infringement was not a one-off, time-limited incident, but a continuous breach of the Regulation. In this regard, according to CNIL, the application of the new GDPR sanction limits is appropriate.
Update: Google has since appealed, so a court will now have to rule on the fine.
7. January 2019
The French Data Protection Authority CNIL imposed a fine of €250,000 on the telecom operator BOUYGUES TELECOM for failing to take the security measures required to protect the personal data of its customers.
BOUYGUES TELECOM offered its customers the option of creating a profile on its website to get easier access to their contract details and telephone bills.
In March 2018, CNIL was informed that a lack of security measures gave open access to the personal data of customers of B&You, a subsidiary of BOUYGUES TELECOM. Each profile had its own URL, which contained the customer's first and last name. Simply by replacing the name in the URL, anyone could read another customer's first and last name, date of birth, e-mail address, postal address and phone number, as well as their contracts and bills. The exposure had lasted for two years and affected over two million customers.
Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the code enforcing user authentication had been deactivated for a test phase and had not been re-activated once the test phase was over. After noticing the breach, the company quickly blocked access to the personal data.
Nevertheless, CNIL held that the company had failed to protect its customers' personal data and had breached its obligation to take all required security measures, especially since appropriate measures would have revealed the problem much earlier.
As the breach occurred before the GDPR became applicable, the fine was imposed under the previous French data protection law, and CNIL set it at €250,000.
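Two distinct defects are described here: a profile addressed by a guessable value (the customer's name) and served to whoever asks for it, and an authentication check that could be switched off and stayed off after testing. The following is an added example, not Bouygues Telecom's code, showing both on a toy profile endpoint: the vulnerable handler, a fixed handler that ties the record to the authenticated customer, and a deployment-time check that refuses to start production with a bypass flag set. The record layout, session model, slugs and flag name are assumptions for illustration.

```python
"""Insecure direct object reference on a profile endpoint, before and after
(added example, not Bouygues Telecom's code).

Before: GET /profile/<first-last> returns whatever record the slug names, and the
only guard is a login check that a test parameter can switch off.
After:  the record is returned only if it belongs to the authenticated customer,
and there is no bypass parameter in production code at all.
"""

from dataclasses import dataclass
from typing import Dict, Optional

# Constructed customer records (not real data).
PROFILES: Dict[str, Dict[str, str]] = {
    "jean-dupont": {"customer_id": "c-001", "email": "jean@example.org",
                    "phone": "+33 6 00 00 00 01"},
    "marie-martin": {"customer_id": "c-002", "email": "marie@example.org",
                     "phone": "+33 6 00 00 00 02"},
}


@dataclass
class Session:
    customer_id: Optional[str]   # None when nobody is logged in


class Forbidden(Exception):
    """Raised for both 'not logged in' and 'not your record'."""


def get_profile_vulnerable(session: Session, name_slug: str,
                           skip_auth_for_tests: bool = False) -> Dict[str, str]:
    """The 'before' handler. Two problems:
    1. Any logged-in customer can read any other customer's record by editing the slug.
    2. skip_auth_for_tests removes even the login check; leave it on after a test
       phase and every profile is world-readable."""
    if not skip_auth_for_tests and session.customer_id is None:
        raise Forbidden("login required")
    return PROFILES[name_slug]


def get_profile_fixed(session: Session, name_slug: str) -> Dict[str, str]:
    """The 'after' handler: ownership is checked against the session, never the URL."""
    if session.customer_id is None:
        raise Forbidden("login required")
    record = PROFILES.get(name_slug)
    if record is None or record["customer_id"] != session.customer_id:
        # Same error for 'missing' and 'not yours', so slugs cannot be enumerated.
        raise Forbidden("not found")
    return record


def validate_config(env: Dict[str, str]) -> None:
    """Deploy-time guard: refuse to start production with an auth bypass left on.
    This is the check that would have caught 'forgot to re-enable after testing'.
    APP_ENV and AUTH_BYPASS are assumed variable names."""
    if env.get("APP_ENV") == "production" and env.get("AUTH_BYPASS", "0") != "0":
        raise RuntimeError("AUTH_BYPASS must be off in production")


if __name__ == "__main__":
    jean = Session(customer_id="c-001")
    print("vulnerable, other customer:", get_profile_vulnerable(jean, "marie-martin"))
    try:
        get_profile_fixed(jean, "marie-martin")
    except Forbidden as exc:
        print("fixed, other customer:", exc)
    print("fixed, own record:", get_profile_fixed(jean, "jean-dupont"))
```

The stronger fix is to drop the slug entirely and serve `/profile/me` from `session.customer_id`, so there is no client-supplied identifier to tamper with; the ownership check above is what you add when the URL must keep carrying an identifier. The `validate_config` guard is cheap and catches the class of mistake CNIL penalised, but it only helps if the bypass is a named switch rather than a commented-out block of code.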
4. January 2019
In recent weeks, several data breaches in different US states have come to light. The latest occurred at the Choice Rehabilitation Center based in Missouri. The data of 4,309 patients was exposed when a corporate email account was compromised between July 1 and the end of September. Choice discovered the intrusion in November and started an investigation after consulting Microsoft. The provider's emails had been forwarded to a personal account, which was later deactivated.
The forwarded emails contained billing data for various medical services such as physical or speech therapy. This included, for example, patient names, medical record numbers, treatment information, diagnoses and treatment start and end dates.
Just a few weeks earlier, the largest healthcare breach of 2018 had become public. Through a cyberattack on the health system's billing vendor AccuDoc Solutions, the data of more than 2.65 million Atrium Health patients was exposed. AccuDoc Solutions prepares bills and operates the online billing system for Atrium Health, a hospital network comprising 44 hospitals in Georgia, North Carolina and South Carolina.
The compromised database contained data of patients and guarantors, including full names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service. Around 700,000 patients' Social Security numbers were also among the exposed data.
Financial data such as credit card numbers was not affected. Although the breach was confined to AccuDoc Solutions, Atrium Health has hired a team to investigate the incident and has reviewed its own security precautions. Patients whose Social Security numbers were exposed are being offered one year of free credit monitoring.
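The Choice incident ran for three months because a mailbox forwarding rule quietly copied incoming mail to an outside account. Auto-forward rules to external domains are one of the cheapest things to check in a mail tenant's audit log. The following is an added example, not Choice Rehabilitation's or Microsoft's code: it takes a list of forwarding-rule records, exported in whatever form the mail platform provides, and flags every rule whose target lies outside the organisation's own domains. The organisation domain, the record fields and the sample rules are constructed assumptions.

```python
"""Flag mailbox auto-forward rules that send mail outside the organisation
(added example, not the provider's or Microsoft's code).

Input is a flat list of rule records; in Exchange Online the equivalent data comes
from New-InboxRule / Set-InboxRule audit events and their ForwardTo,
ForwardAsAttachmentTo and RedirectTo parameters (names of the real cmdlet
parameters; the record shape below is an assumption).
"""

from typing import Dict, Iterable, List, Set

# Assumed internal domains; subdomains of these count as internal.
ORG_DOMAINS: Set[str] = {"example-rehab.org"}

# Constructed rule export (not real data).
RULES: List[Dict[str, str]] = [
    {"mailbox": "billing@example-rehab.org", "forward_to": "archive@example-rehab.org",
     "created": "2018-06-02", "actor": "it-admin@example-rehab.org"},
    {"mailbox": "billing@example-rehab.org", "forward_to": "b1lling.backup@gmail.com",
     "created": "2018-07-01", "actor": "billing@example-rehab.org"},
    {"mailbox": "intake@example-rehab.org", "forward_to": "records@mail.example-rehab.org",
     "created": "2018-05-10", "actor": "it-admin@example-rehab.org"},
    # Look-alike domain: must be treated as external.
    {"mailbox": "intake@example-rehab.org", "forward_to": "records@examp1e-rehab.org",
     "created": "2018-08-15", "actor": "intake@example-rehab.org"},
    {"mailbox": "frontdesk@example-rehab.org", "forward_to": "",
     "created": "2018-05-10", "actor": "it-admin@example-rehab.org"},
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_internal(domain: str, org_domains: Set[str]) -> bool:
    """Exact match or a subdomain of an org domain; look-alikes do not match."""
    return any(domain == od or domain.endswith("." + od) for od in org_domains)


def external_forwards(rules: Iterable[Dict[str, str]],
                      org_domains: Set[str] = ORG_DOMAINS) -> List[Dict[str, str]]:
    """Return every rule whose forwarding target is outside org_domains.
    Rules with an empty target (no forwarding) are ignored."""
    hits = []
    for rule in rules:
        target_domain = domain_of(rule.get("forward_to", ""))
        if target_domain and not is_internal(target_domain, org_domains):
            hits.append(rule)
    return hits


if __name__ == "__main__":
    for hit in external_forwards(RULES):
        print(f"{hit['created']} {hit['mailbox']} -> {hit['forward_to']} (set by {hit['actor']})")
```

Two refinements worth adding in practice: treat a rule created by the mailbox owner from an unfamiliar IP or immediately after a password reset as higher priority, and alert on rules that also delete or mark the forwarded message as read, since those are chosen precisely to keep the owner from noticing.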
14. December 2018
According to the German information portal mobilsicher.de, about 30% of all Android apps contact Facebook as soon as they are started. This includes apps directly related to religion, sexual orientation or health. The user usually has no idea of this connection.
Mobilsicher.de tested the versions of several Android apps that were available in the Play Store on November 29, 2018, among them the apps of the German political parties CDU and SPD.
App developers integrate Facebook's Software Development Kit (SDK) into their apps because it includes the useful "Facebook Analytics" function, which gives the app operator information on how users use the app. Facebook, in turn, receives the user's advertising ID, which is assigned individually to each smartphone, and can link this ID to the matching Facebook account where one exists. As a result, someone who has installed, for example, a pregnancy guide app may then be shown ads for baby clothes on Facebook.
Facebook receives this data even from users who do not have a Facebook account at all. On request, the company confirmed that it is not apparent to the user which data is transferred to Facebook. A tool called "Clear History", announced by Mark Zuckerberg in May 2018 and meant to address this lack of transparency, is still not available.
Facebook itself does not regard this kind of data collection as a problem, since users have the option of opting out of personalised advertising, either on their smartphone or in their Facebook account.
"If a person utilizes one of these controls, then Facebook will not use data gathered on these third-party apps (e.g. through Facebook Audience Network), for ad targeting", the company replied when asked whether the information would be deleted after the transfer. If someone opts out of personalised advertising, the data is still transferred to Facebook, merely flagged accordingly. The user's data is collected regardless.
4. December 2018
The UK's Information Commissioner's Office (ICO) has fined the first companies for not paying the data protection fee. Unless they are exempt, all organisations, companies and sole traders that process personal data have to pay an annual data protection fee.
Depending on maximum turnover, number of employees and whether the organisation is a charity or a public authority, the fee ranges from £40 to £2,900. The fine for not paying ranges from £400 to £4,000, and the fines recovered go to the Treasury's Consolidated Fund. The regulations came into force together with the new Data Protection Act on 25 May 2018.
“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action. (…) You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO”, said Paul Arnold, Deputy Chief Executive Officer at the ICO.
More than 900 fine notices have been issued by the ICO since September, and more are set to follow. Organisations can check on the ICO's website whether their fee is due for renewal.
14. September 2018
After the Indian Supreme Court declared in a landmark decision that privacy is a "guaranteed fundamental right", the Srikrishna Committee drafted the Personal Data Protection Bill, 2018.
In contrast to the terms "data subjects" and "controllers" used in the GDPR, the Indian draft calls the individuals whose personal data is processed "data principals" and the organisations responsible for the processing "data fiduciaries".
Under the new bill, data principals have a range of rights, such as the right of access, the right to rectification and the right to be forgotten. To ensure compliance, the concept of an annual data audit, carried out by organisations through independent data auditors, is also introduced. Besides data fiduciaries based in India, the rules also apply to those who systematically offer goods and services to data principals in India, or whose activities involve profiling of Indian data principals.
The bill also introduces the role of the Data Protection Officer (DPO) to India. Organisations must appoint a DPO if they are "significant data fiduciaries", i.e. if they are involved in high-risk processing activities, or if they are not present in India but fall within the scope of the bill. Such organisations must appoint a DPO who is based in India. In contrast to the GDPR, however, there is no requirement that the DPO be independent.
For cross-border data transfers, the bill requires that at least one serving copy of personal data be stored on a server or in a data centre located in India. Data classified as "critical personal data" may only be processed on a server or in a data centre located in India.
According to the Srikrishna Committee, the draft could serve as a template for developing countries all over the world.