WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
GDPR’s running emphasis on data protection via data security it is implicitly encouraging the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.

373 Comments

  1. Tomi Engdahl says:

    Critical Open Source vm2 Sandbox Escape Bug Affects Millions
    Attackers could exploit the “Sandbreak” security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.
    https://www.darkreading.com/application-security/critical-open-source-vm2-sandbox-escape-bug-affects-millions

    Reply
  2. Tomi Engdahl says:

    France fines Clearview AI maximum possible for GDPR breaches
    https://techcrunch.com/2022/10/20/clearview-ai-fined-in-france/?tpcc=tcplusfacebook

    Clearview AI, the controversial facial recognition firm that scrapes selfies and other personal data off the Internet without consent to feed an AI-powered identity-matching service it sells to law enforcement and others, has been hit with another fine in Europe.

    This one comes after it failed to respond to an order last year from the CNIL, France’s privacy watchdog, to stop its unlawful processing of French citizens’ information and delete their data.

    Here’s the CNIL’s summary of Clearview’s breaches:

    Unlawful processing of personal data (breach of Article 6 of the GDPR)
    Individuals’ rights not respected (Articles 12, 15 and 17 of the GDPR)
    Lack of cooperation with the CNIL (Article 31 of the RGPD)
    “Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice,”

    “The chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR [General Data Protection Regulation].”

    The EU’s GDPR allows for penalties of up to 4% of a firm’s worldwide annual revenue for the most serious infringements — or €20 million, whichever is higher. But the CNIL’s press release makes clear it’s imposing the maximum amount it possibly can here.

    Whether France will see a penny of this money from Clearview remains an open question, however.

    The U.S.-based privacy-stripper has been issued with a slew of penalties by other data protection agencies across Europe in recent months, including €20M fines from Italy and Greece; and a smaller U.K. penalty. But it’s not clear it’s handed over any money to any of these authorities — and they have limited resources (and legal means) to try to pursue Clearview for payment outside their own borders.

    So the GDPR penalties look mostly like a warning to stay away from Europe.

    Clearview’s PR agency, LakPR Group, sent us this statement following the CNIL’s sanction — which it attributed to CEO Hoan Ton-That:

    There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.

    The statement goes on to reiterate earlier claims by Clearview that it does not have a place of business in France or in the EU, nor undertake any activities that would “otherwise mean it is subject to the GDPR”, as it puts it — adding: “Clearview AI’s database of publicly available images is lawfully collected, just like any other search engine like Google.”

    (NB: On paper the GDPR has extraterritorial reach so its former arguments are meaningless, while its claim it’s not doing anything that would make it subject to the GDPR looks absurd given its amassed a database of over 20 billion images worldwide and Europe is, er, part of Planet Earth… )

    Each time it has received a sanction from an international regulator it’s done the same thing: Denying it has committed any breach and refuted the foreign body has any jurisdiction over its business — so its strategy for dealing with its own data processing lawlessness appears to be simple non-cooperation with regulators outside the US.

    Reply
  3. Tomi Engdahl says:

    Meta fined $275 million over data scraping practices that violated GDPR https://therecord.media/meta-fined-275-million-over-data-scraping-practices-that-violated-gdpr/
    Irelands Data Protection Commission (DPC) has fined Meta 265 million (about $275 million) after a year-long inquiry into the companys data protection practices. The fines stem from Facebooks practice of making personal data accessible by default through search functions and concern Facebook Contact Importer, Messenger Contact Importer, Instagram Contact Importer and Messenger Search and its variant Messenger Contact Creator features. The features allowed anyone to scrape the social media giant a process where bots are able to gather data online automatically. Typically, the bots are used to scan social media sites like Facebook and copy whatever information is available.

    Reply
  4. Tomi Engdahl says:

    Parmy Olson / Bloomberg:
    The European Commission plans to require that country regulators report six times a year on GDPR investigations and more, after a complaint by rights group ICCL — It’s well established that the European Union has some of the strictest privacy laws in the world, threatening fines of up to 4% of a company’s annual turnover.

    The EU Is About to Take a Bigger Stick to Big Tech
    https://www.bloomberg.com/opinion/articles/2023-01-31/meta-uber-amazon-beware-eu-about-to-get-stricter-with-gdpr-enforcement

    A new auditing regime should make harder to give Meta, Google and Amazon an easy ride on data protection.

    Reply
  5. Tomi Engdahl says:

    Suomessa kehitetty gdpr-työkalu julkaistiin avoimena koodina https://www.tivi.fi/uutiset/tv/19e52f7f-508c-4972-b7e1-6491e4a3a69e
    Nimihirviö GDPR2DSM:n takana on tietosuojavaltuutetun toimiston ja Tietoyhteiskunnan kehittämiskeskus Tieken kaksivuotinen hanke, jolla pyritään tukemaan pk-yrityksiä tietosuojavaatimusten täyttämisessä.
    Hankkeessa kehitettiin verkkotyökalu, jonka avulla yritykset voivat testata, miten heillä toteutuvat tietosuoja-asetuksen eli gdpr:n vaatimukset. Suomeksi, ruotsiksi ja englanniksi saatavilla oleva työkalu on nyt julkaistu avoimena lähdekoodina.

    Reply
  6. Tomi Engdahl says:

    ChatGPT is a data privacy nightmare, and we ought to be concerned https://arstechnica.com/information-technology/2023/02/chatgpt-is-a-data-privacy-nightmare-and-you-ought-to-be-concerned/
    ChatGPT has taken the world by storm. Within two months of its release it reached 100 million active users, making it the fastest-growing consumer application ever launched. Users are attracted to the tools advanced capabilitiesand concerned by its potential to cause disruption in various sectors. A much less discussed implication is the privacy risks ChatGPT poses to each and every one of us. Just yesterday, Google unveiled its own conversational AI called Bard, and others will surely follow. Technology companies working on AI have well and truly entered an arms race. The problem is, its fueled by our personal data.

    Reply
  7. Tomi Engdahl says:

    AWS-kriisi piinaa Tanskaa – yli 2 miljoonan käyttäjän järjestelmä rikkoo gdpr:ää
    Aleksi Kolehmainen20.2.202312:34|päivitetty20.2.202313:32TIETOSUOJA-ASETUSJULKISEN HALLINNON ICTPILVIALUSTAT
    Tanskan tietosuojavaltuutettu on vaatinut AWS:n kanssa solmitun sopimuksen neuvottelemista uudelleen. Asiasta laajasti uutisoineen Version2-lehden mukaan AWS on kuitenkin jo kaksi kertaa jättänyt noudattamatta sille annettua määräaikaa.
    https://www.tivi.fi/uutiset/aws-kriisi-piinaa-tanskaa-yli-2-miljoonan-kayttajan-jarjestelma-rikkoo-gdpraa/a0eaefb7-e58a-4685-a678-e2c606972a03

    Tanskassa on noussut kohu varhaiskasvatuksessa ja kouluissa käytettävän Aula-tietojärjestelmän toimimisesta Amazon Web Servicesin (AWS) pilvialustan päällä. Aulan idea on vastaava kuin esimerkiksi Suomessa käytettävällä Wilma-järjestelmällä. Sen avulla vanhemmat ja henkilökunta voivat viestiä toistensa kanssa.

    Reply
  8. Tomi Engdahl says:

    Brussels sets out to fix the GDPR
    https://www.politico.eu/article/brussels-plans-new-privacy-enforcement-law-by-summer/
    New law to solve enforcement flaws of the GDPR could open a Pandora’s box of lobbying and regulators’ infighting.

    Reply
  9. Tomi Engdahl says:

    Tällaisia lunnaita nettikiristäjät vaativat suomalaisyrityksiltä Gdpr on vain pahentanut tilannetta
    https://www.tivi.fi/uutiset/tv/1f13080d-0204-4809-b0e3-094937e53c52
    Pandemia ja kryptovaluutat ovat palvelleet nettikiristäjiä, mutta myös gdpr on tarjonnut rosvoille yllättävän uuden vipuvarren.
    Ammattirikolliset nettoavat yhä suurempia summia niin kauan kuin lunnaita maksetaan. Kiristyshaittaohjelma pysäytti Yhdysvaltain suurimman polttoaineenjakeluverkoston. Psykoterapiakeskus Vastaamon asiakkaita kiristettiin varastetuilla potilastiedoilla. Kauppaketju Coopin kassajärjestelmä jumiutui viikoksi Ruotsissa. Uusista kiristyshyökkäyksistä uutisoidaan viikoittain. Kahdessa vuodessa myös vaaditut lunnaat ovat moninkertaistuneet. Suurin yksittäiseen yhtiöön kohdistunut lunnasvaatimus on 50 miljoonaa dollaria, jota kiristettiin tietokonejätti Acerilta maaliskuussa 2021

    Reply
  10. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    The CJEU clarifies GDPR compensation and data access rights, including saying that there is no non-material damage threshold to confer a right to compensation

    Europe’s top court clarifies GDPR compensation and data access rights
    https://techcrunch.com/2023/05/04/cjeu-gdpr-damages-access-rights/

    he European Union’s top court has handed down a couple of notable rulings today in the arena of data protection.

    One (Case C-300/21) deals with compensation for breaches of the bloc’s General Data Protection Regulation (GDPR); and the second (Case C-487/21) clarifies the nature of information that individuals exercising GDPR rights to obtain a copy of data held on them should expect to receive.

    No automatic right to damages — but no threshold for harm either

    The CJEU’s GDPR compensation ruling relates to a referral from an Austrian court where an individual sought to sue the national postal service for damages after it used an algorithm to predict the political views of citizens according to socio-demographic criteria without their knowledge or consent — leaving the individual feeling exposed, upset and with a knock to their confidence, per the Court’s press release.

    As regards regional damages for privacy violations, there have been a number of attempts to bring class action–style suits seeking compensation for data protection breaches in recent years. This CJEU ruling may make it easier to do so within the EU, although the court has put one limit on such claims since the judges have ruled that just the fact of an infringement of the GDPR does not automatically give rise to a right of compensation — meaning there is an onus on litigants to demonstrate personal harm.

    At the same time, the CJEU has ruled there is no requirement for the nonmaterial damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.

    So, in other words, the court has avoided setting a bar on how much/what type of harm needs to be demonstrated to file a compensation claim. Which looks like a big deal.

    “[T]he Court holds that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness,” it writes in a press release accompanying the judgment. “The GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of ‘damage,’ adopted by the EU legislature. Indeed, the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation woulda depend, would be liable to fluctuate according to the assessment of the courts seised.”

    Since the GDPR does not contain any rules for assessing damages, the judges say it is up to courts in EU Member States to define criteria for determining the extent of any compensation payable — while noting that such rules must comply with GDPR principles of equivalence and effectiveness, so as to ensure individuals can obtain full and effective compensation for damages suffered.

    This sets up for a patchwork of outcomes on damages for privacy breaches, depending on where in the EU a user is able to sue, based on how national courts interpret the mandate.

    Reply
  11. Tomi Engdahl says:

    EU slaps Meta with $1.3 billion fine for moving data to US servers https://www.bleepingcomputer.com/news/technology/eu-slaps-meta-with-13-billion-fine-for-moving-data-to-us-servers/
    The Irish Data Protection Commission (DPC) has announced a $1.3 billion fine on Facebook after claiming that the company violated Article 46(1) of the GDPR (General Data Protection Regulation). More specifically, it was found that Facebook transferred data of EU-based users of the platform to the United States, where data protection regulations vary per state and have been deemed inadequate to protect the rights of EU data subjects

    Reply
  12. Tomi Engdahl says:

    Are Your APIs Leaking Sensitive Data?
    https://thehackernews.com/2023/05/are-your-apis-leaking-sensitive-data.html
    It’s no secret that data leaks have become a major concern for both citizens and institutions across the globe. They can cause serious damage to an organization’s reputation, induce considerable financial losses, and even have serious legal repercussions. From the infamous Cambridge Analytica scandal to the Equifax data breach, there have been some pretty high-profile leaks resulting in massive consequences for the world’s biggest brands. To make things more interesting, the most prominent attack vector is likely not what you or anyone thinks.
    Believe it or not, application programming interfaces (APIs) are a leading culprit of exposure and compromise

    Reply
  13. Tomi Engdahl says:

    Google Analyticsin käytöstä annettiin Suomessa jo huomautus – gdpr-sakot uhkaavat organisaatioita
    TIVI16.6.202316:40|päivitetty16.6.202316:42TIETOSUOJA
    Helmet-kirjastot saivat tammikuussa apulaistietosuojavaltuutetun huomautuksen. Nyt kaikkien organisaatioiden täytyy tarkistaa, miten ja mitä henkilötietoja ne keräävät.
    https://www.tivi.fi/uutiset/google-analyticsin-kaytosta-annettiin-suomessa-jo-huomautus-gdpr-sakot-uhkaavat-organisaatioita/57381235-c118-4058-a0de-927f004755fa

    Reply
  14. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Sweden’s privacy watchdog says that “companies must stop using Google Analytics” and fines local online retailer CDON less than $30K and telco Tele2 over $1.1M — Sweden’s data protection watchdog has issued a couple of fines in relation to exports of European users’ data via Google Analytics …

    Stop using Google Analytics, warns Sweden’s privacy watchdog, as it issues over $1M in fines
    https://techcrunch.com/2023/07/03/google-analytics-sweden-gdpr-fines/

    Reply
  15. Tomi Engdahl says:

    Google Analytics data transfer to U.S. brings $1 million fine to Swedish firms https://www.bleepingcomputer.com/news/security/google-analytics-data-transfer-to-us-brings-1-million-fine-to-swedish-firms/

    The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten –
    IMY) has fined two companies with 12.3 million SEK (€1 million/$1.1 million) for using Google Analytics and warned two others about the same practice.

    In a decision published yesterday, the agency explains that by using Google Analytics to generate web statistics the firms were breaching European Union’s General Data Protection Regulation (GDPR).

    Specifically, the companies were in violation of the GDPR Article 46(1), which forbids the transfer of personal data to countries or international organizations that lack safeguards that warrant safety and legal remediation mechanisms.

    Reply
  16. Tomi Engdahl says:

    New Python tool checks NPM packages for manifest confusion issues https://www.bleepingcomputer.com/news/security/new-python-tool-checks-npm-packages-for-manifest-confusion-issues/

    A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry.

    Last week, a former engineering manager at GitHub and NPM, Darcy Clarke, warned about “manifest confusion” problems that could introduce the risk of malware hiding in dependencies or executing scripts during installation.

    Reply
  17. Tomi Engdahl says:

    Privacy
    Europe Signs Off on a New Privacy Pact That Allows People’s Data to Keep Flowing to US
    https://www.securityweek.com/europe-signs-off-on-a-new-privacy-pact-that-allows-peoples-data-to-keep-flowing-to-us/

    The EU signed off on a new agreement over the privacy of people’s personal information that gets pinged across the Atlantic, aiming to ease European concerns about electronic spying by American intelligence agencies.

    The European Union signed off Monday on a new agreement over the privacy of people’s personal information that gets pinged across the Atlantic, aiming to ease European concerns about electronic spying by American intelligence agencies.

    The EU-U.S. Data Privacy Framework has an adequate level of protection for personal data, the EU’s executive commission said. That means it’s comparable to the 27-nation’s own stringent data protection standards, so companies can use it to move information from Europe to the United States without adding extra security.

    U.S. President Joe Biden signed an executive order in October to implement the deal after reaching a preliminary agreement with European Commission President Ursula von der Leyen. Washington and Brussels made an effort to resolve their yearslong battle over the safety of EU citizens’ data that tech companies store in the U.S. after two earlier data transfer agreements were thrown out.

    “Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations,” EU Justice Commissioner Didier Reynders said at a press briefing in Brussels.

    Reply
  18. Tomi Engdahl says:

    GDPR-sakkoja maksettiin alkuvuonna 1,5 miljardilla eurolla
    https://etn.fi/index.php/13-news/15163-gdpr-sakkoja-maksettiin-alkuvuonna-1-5-miljjardilla-eurolla

    Euroopan unionin tietosuoja-asetus GDPR on ollut voimassa hieman yli viisi vuotta. Tämän vuoden tammi-kesäkuussa asetuksen perusteella määrättiin sakkoja yli 1,5 miljardilla eurolla. Koko viiden vuoden aikana yritysten on täytynyt pulittaa tietosuojarikkomuksista lähes neljä miljardia euroa.

    Alkuvuoden sakkosummat on koonnut yhteen tietoturvayritys Atlas VPN. Kaikkiaan toukokuun 2018 jälkeen asetuksen perusteella on määrätty 1679 sakkoa. Luvut perustuvat GDPR Enforcement Trackerin tilastoihin.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*