https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption as something more than a risk reduction technique. Another major change incoming via GDPR is that ‘privacy by design’ is no longer just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
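The pseudonymisation pattern described above, as an added example (not code from the TechCrunch article or any project named on this page): the record's direct identifiers are encrypted with AES-256-GCM under a key that only a separate key-holding component has, so the stored record can be processed without the key but only re-identified with it. The KeyHolder type, the record fields and the "customer-identity" label are assumed names; destroying the key shows how far the stored data depends on it.

```go
// Added example, not code from the TechCrunch article or any vendor named on
// this page: direct identifiers are encrypted with AES-256-GCM under a key
// held by a separate component, leaving a pseudonymised record for other uses.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Customer is the clear-text record as the operational system holds it.
type Customer struct {
	Name    string
	Email   string
	Country string // kept in clear: not a direct identifier on its own
}

// PseudoCustomer is what the analytics or backup side stores.
type PseudoCustomer struct {
	IdentityEnc []byte // nonce || AES-GCM ciphertext of {"name","email"} JSON
	Country     string
}

// KeyHolder stands in for separately stored key material (hypothetically an HSM or key service); nil means destroyed.
type KeyHolder struct {
	aead cipher.AEAD
}

func NewKeyHolder() (*KeyHolder, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	return &KeyHolder{aead: g}, err
}

// Destroy drops the key: records sealed under it can no longer be opened.
func (k *KeyHolder) Destroy() { k.aead = nil }

// seal uses a fresh random nonce and binds a label as associated data.
func (k *KeyHolder) seal(plain []byte, label string) ([]byte, error) {
	if k.aead == nil {
		return nil, errors.New("key destroyed")
	}
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plain, []byte(label)), nil
}

func (k *KeyHolder) open(sealed []byte, label string) ([]byte, error) {
	if k.aead == nil || len(sealed) < k.aead.NonceSize() {
		return nil, errors.New("key destroyed or ciphertext too short")
	}
	n := k.aead.NonceSize()
	return k.aead.Open(nil, sealed[:n], sealed[n:], []byte(label))
}

// Pseudonymize replaces the identifiers with ciphertext that a party without the key can store and process but not read.
func Pseudonymize(c Customer, k *KeyHolder) (PseudoCustomer, error) {
	plain, err := json.Marshal(map[string]string{"name": c.Name, "email": c.Email})
	if err != nil {
		return PseudoCustomer{}, err
	}
	enc, err := k.seal(plain, "customer-identity")
	if err != nil {
		return PseudoCustomer{}, err
	}
	return PseudoCustomer{IdentityEnc: enc, Country: c.Country}, nil
}

// Reidentify works only for a party that still holds the key.
func Reidentify(p PseudoCustomer, k *KeyHolder) (Customer, error) {
	plain, err := k.open(p.IdentityEnc, "customer-identity")
	if err != nil {
		return Customer{}, err
	}
	var id map[string]string
	err = json.Unmarshal(plain, &id)
	return Customer{Name: id["name"], Email: id["email"], Country: p.Country}, err
}

func main() {
	kh, _ := NewKeyHolder()
	p, _ := Pseudonymize(Customer{Name: "Example Person", Email: "person@example.invalid", Country: "FI"}, kh) // constructed
	back, _ := Reidentify(p, kh)
	fmt.Printf("stored: %x... %s; with key: %s <%s>\n", p.IdentityEnc[:8], p.Country, back.Name, back.Email)
	kh.Destroy()
	_, err := Reidentify(p, kh)
	fmt.Println("after key destruction:", err)
}
```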
Tomi Engdahl says:
Mark Scott / Politico:
Activists and some legislators say that a GDPR-like bill to give Washington state some of the toughest privacy standards in the US was diluted by tech lobbyists
How lobbyists rewrote Washington state’s privacy law
https://www.politico.eu/article/how-lobbyists-rewrote-washington-state-privacy-law-microsoft-amazon-regulation/
Washington state was writing European-style legislation. Then corporate lobbyists got involved.
Tomi Engdahl says:
GDPR Conformance Does Not Excuse Companies from Vicarious Liability
https://www.securityweek.com/gdpr-conformance-does-not-excuse-companies-vicarious-liability
The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).
Tomi Engdahl says:
Steve Ranger / ZDNet:
UK’s tax authority to delete records of ~5M people from its Voice ID biometric voice security system because it did not have clear user consent, violating GDPR
HMRC to delete five million biometric voice records
https://www.zdnet.com/article/hmrc-to-delete-five-million-biometric-voice-records/
‘Biggest ever’ deletion of biometric data by government comes after HMRC obtained data “unlawfully” according to privacy regulator.
Tomi Engdahl says:
UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs
Yes, yes, yes, we’ve told the ICO we are doing so, says HMRC
https://www.theregister.co.uk/2019/05/03/hmrc_bashed_for_5m_voice_slurp/
Tomi Engdahl says:
Must data be deleted from tape too if someone asks? – this is how GDPR affects backup tapes
https://www.tivi.fi/uutiset/tv/a1d81059-6027-44a4-8e54-77e787b7915f
The EU has given citizens the right to demand that online services delete their data.
According to Timo Danilotschkin, CEO of the storage-device vendor MultiCom, deleting data involves a dilemma: data-retention obligations may conflict with the EU-granted right to be forgotten.
”If a data-deletion request is legitimate and is carried out, it may at the same time violate rules on the historical integrity of the data or other regulations, such as those on retention periods for accounting records. Later there could be a court case in which one would need to prove what the stored data was earlier, and then there would be trouble if the data had been tampered with afterwards”, Danilotchkin explains.
The only practical way to comply with both sets of rules at the same time would be to keep operational data and data held for backup purposes separate.
Tomi Engdahl says:
”GDPR had a big impact” – the Data Protection Ombudsman's workload grew sharply
https://www.tivi.fi/uutiset/tv/d9517940-c8ac-4ee3-ae70-a28dbdf9c676
Tomi Engdahl says:
Where GDPR goes next: How digital privacy is taking over the world
https://www.zdnet.com/article/where-gdpr-goes-next-how-digital-privacy-is-taking-over-the-world/
One year on from the EU introducing its data protection laws, the impact is spreading around the world.
Designed to update the privacy rights of internet users and ensure organisations are transparent and responsible when handling the personal information of customers and clients, the European Union’s General Data Protection Regulation (GDPR) laws came into force on May 25 last year.
GDPR was designed to protect EU citizens’ data, but the open nature of the web inevitably means it has an impact beyond its own shores. Even companies outside of the EU will often have to comply with the data protection legislation – for example, if they offer goods or services to EU citizens or if they have a branch somewhere within the trading bloc.
This extended reach of GDPR has led to some unexpected outcomes. One example: European internet users looking to visit some US-based news publications may find that they can’t view the websites – instead being met with pages explaining the publication didn’t comply with the new legislation and blocked them out instead.
Some eventually found solutions to this, while a year on from the legislation being introduced some US publications continue to only show a holding page to European visitors.
“To a large extent in the US, most users attribute GDPR with an influx of cookie notifications and see it as an annoyance, rather than what it is: an attempt by regulators to give the consumer a level of visibility and control over what data is being collected about them,” says Tim Mackey, senior technical evangelist at Synopsys.
But soon enough, even for businesses that have no involvement with the EU, there may be no hiding from data protection legislation as countries and regions around the world look to implement their own privacy laws, including Brazil, Japan, South Korea, India and others.
One of those is the home of Silicon Valley, California, which is set to introduce the California Consumer Privacy Act as of January 1 2020.
Apple CEO Tim Cook has called for the US to introduce an equivalent to GDPR to prevent data being weaponised against users. Facebook CEO Mark Zuckerberg recently spoke about how privacy will be the future of Facebook – even though he admits himself that some may find that hard to believe.
Tomi Engdahl says:
Alfred Ng / CNET:
On the first anniversary of GDPR, Microsoft calls for a similar privacy law in the US that puts the burden on the companies that collect and use sensitive data — Microsoft’s idea of a US privacy law would make it easier for people to protect their data. — The company’s corporate vice president …
Microsoft wants a US privacy law that puts the burden on tech companies
https://www.cnet.com/news/microsoft-wants-a-us-privacy-law-that-puts-the-burden-on-tech-companies/
Europe’s privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.
Tomi Engdahl says:
Matthew Wall / BBC:
Since GDPR, Ireland’s Data Protection Commission says it has launched 19 cross-border investigations, 11 of which focus on Facebook, WhatsApp, and Instagram — Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic …
How Ireland became Europe’s data watchdog
https://www.bbc.com/news/business-48357772
Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic of Ireland since the European Union’s new data protection regulation came into force a year ago.
Tomi Engdahl says:
Philip Nabben / Lexology:
In the year since GDPR took effect, a look at the first wave of decisions and fines issued by data protection authorities in EU countries — European Union, France, Germany — On Saturday 25 May 2019, the EU General Data Protection Regulation (GDPR), which aims to protect personal data including …
The GDPR: one year on
https://www.lexology.com/library/detail.aspx?g=c04317e4-4fc9-43b4-ab6d-bb19210c812d
Tomi Engdahl says:
One Year on, EU’s GDPR Sets Global Standard for Data Protection
https://www.securityweek.com/one-year-eus-gdpr-sets-global-standard-data-protection
The EU’s strict data laws have set the global benchmark for protecting personal information online since coming into force a year ago, but some worry that many users have barely noticed the change.
The “General Data Protection Regulation” (GDPR), launched on May 25 last year, enhances the rights of internet users and imposes a wide range of obligations on companies, including that they request explicit consent to use personal data collected or processed in the European Union.
Tomi Engdahl says:
Analysis Shows Poor GDPR Compliance in European Websites
https://www.securityweek.com/analysis-shows-poor-gdpr-compliance-european-websites
Marking the one-year anniversary of GDPR coming into force (May 25, 2018), a web-scanning service has analyzed the visible GDPR compliance of the 100 most popular websites in each of the 28 European member states. The scan is non-intrusive. As a result, it cannot say that an organization is compliant (non-compliance can occur deep in the system), but it can say if an organization is not compliant simply by examining the parts that are visible over the internet.
The firm concerned, ImmuniWeb (formerly High-Tech Bridge), has added GDPR scan components to its existing website security test, and made this a free offering. The four visible elements of GDPR compliance that it checks are access to the privacy policy, insecure use of cookies, outdated or vulnerable content management system (CMS) components, and lack of HTTPS encryption (or use of SSLv3, which is more than 20 years old and should have finally died with the POODLE attack in 2014).
The results are surprisingly inconsistent across the different countries, and generally not very reassuring. However, website security and use of HTTPS are promising, with an average of just 6.75% and 5.96% failures. Greece is the worst nation for website security, with a 38% failure rate. Malta is worst on HTTPS with a 29% failing.
It is difficult to draw clear conclusions from this survey — but two things do stand out. Firstly, not a single European country displays complete GDPR conformance across all its websites. Secondly, website operators seem to draw a distinction between security and compliance. Website security issues are given higher importance (an overall 6.75% failing) than cookie protection and privacy policy issues (78.25% and 51.5% failing respectively).
Tomi Engdahl says:
GDPR: One Year Down…Now What?
https://www.securityweek.com/gdpr-one-year-down%E2%80%A6now-what
Tomi Engdahl says:
https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-costs-and-unintended-consequences/
Tomi Engdahl says:
http://www.oikeusmedia.uutisparkki.com/2019/05/22/vuosi-eun-yleisen-tietosuoja-asetuksen-soveltamista-66-suomalaisista-kuullut-tietosuoja-asetuksesta-tietoisuus-tietosuojavaltuutetun-toiminnasta-lisaantynyt/
Tomi Engdahl says:
A Year Later, Many Sites Are Still Failing To Meet Basic GDPR Requirements
https://www.forbes.com/sites/ajdellinger/2019/05/31/a-year-later-many-sites-are-still-failing-to-meet-basic-gdpr-requirements/
Tomi Engdahl says:
Google faces Irish inquiry over possible breach of privacy laws
Technology firm’s Ad Exchange processing of users’ personal data being investigated
https://www.theguardian.com/world/2019/may/22/irish-statutory-inquiry-to-investigate-if-google-flouted-privacy-laws
Tomi Engdahl says:
UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users
https://techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users/
The UK’s Information Commissioner is starting off the week with a GDPR bang: this morning, it announced that it has fined British Airways and its parent International Airlines Group (IAG) £183.39 million ($230 million) in connection with a data breach that took place last year that affected a whopping 500,000 customers browsing and booking tickets online. In an investigation, the ICO said that it found “that a variety of information was compromised by poor security arrangements at [BA], including log in, payment card, and travel booking details as well name and address information.”
The fine — 1.5% of BA’s total revenues for the year that ended December 31, 2018
Tomi Engdahl says:
Marriott to face $123 million fine by UK authorities over data breach
https://techcrunch.com/2019/07/09/marriott-data-breach-uk-fine/
The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123M) fine for a data breach that exposed up to 383 million guests.
Tomi Engdahl says:
The big picture: Privacy laws, including Europe’s mammoth General Data Protection Regulation and California’s recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.
Yes, but: These laws have not generally done a good job clarifying acceptable ways to do this safely.
Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancee he could use GDPR to steal her personal information.
He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly 1/4 of those provided it to him, no questions asked.
“Companies are afraid under GDPR of telling you no.”
— James Pavur
Source
https://www.axios.com/newsletters/axios-codebook-7869eb9d-4d90-4630-92ac-e3c5c90fd362.html
Tomi Engdahl says:
https://techcrunch.com/2019/07/29/europes-top-court-sharpens-guidance-for-sites-using-leaky-social-plug-ins/
Tomi Engdahl says:
Sites using Facebook ‘Like’ button liable for data, EU court rules
https://www.euractiv.com/section/digital/news/sites-using-facebook-like-button-liable-for-data-eu-court-rules/
Europe’s top court ruled Monday (30 July) that companies that embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the US social network, in line with the bloc’s data privacy laws
According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.
Tomi Engdahl says:
“No matter what transfer mechanism you use, you end up with a conflict. The U.S. laws allow espionage against EU citizens” – Max Schrems, lawyer and privacy activist
https://www.politico.eu/article/max-schrems-facebook-europe-data-protection-privacy/
Tomi Engdahl says:
Preclusio uses machine learning to comply with GDPR, other privacy regulations
https://tcrn.ch/2KAt3HW
Tomi Engdahl says:
Leo Kelion / BBC:
Researcher says one in four UK- and US-based companies contacted to test a GDPR “right of access” request made in someone else’s name revealed personal data
Black Hat: GDPR privacy law exploited to reveal personal data
https://www.bbc.com/news/technology-49252501
About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.
The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.
It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.
“Generally if it was an extremely large company – especially tech ones – they tended to do really well,” he told the BBC.
“Small companies tended to ignore me.
“But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”
Tomi Engdahl says:
Avoid the chaos of GDPR in the realm of IoT
https://www.nabto.com/gdpr-in-iot/
Faced with stricter regulations on data processing under the EU’s GDPR (General Data Protection Regulation) and a growing demand for IoT-functionality within the field of consumer devices, companies now have an important decision to make when it comes to choosing the correct IoT platform.
In this blog post, we’ll boil it down to just one important choice you have to make.
Failing to comply with these new regulations can result in a hefty fine of up to 20 million euros or 4 percent of gross annual turnover, depending on which sum is higher. In addition to a financial penalty, non-compliance can severely tarnish a company’s reputation and reduce trust among its customer base.
The degree to which GDPR complicates data processing depends on the type of data collected and the way it is processed. GDPR applies to sensitive personal data, but in the field of IoT it is not always clear what this constitutes. In addition, your choice of platform dictates whether you will be affected by GDPR.
Database-driven or P2P IoT: an important decision for any company
Keep it simple – and secure
The alternative to the cloud is a P2P IoT platform. Here, the client interacts directly with the device and no data is stored in the cloud.
We also use the cloud, but the P2P technology we run simply acts like a telephone switchboard – mediating direct, end-to-end encrypted connections between the client (app on a smartphone or tablet) and the IoT device. Once this connection is established, the cloud server is out of the loop, and the connection is only between the client and the IoT device.
Tomi Engdahl says:
https://www.kpflaki.com/post/est%C3%A4%C3%A4k%C3%B6-gdpr-ker%C3%A4%C3%A4m%C3%A4st%C3%A4-n%C3%A4pistelij%C3%B6iden-tietoja-varkauksien-ehk%C3%A4isemiseksi
Tomi Engdahl says:
Brave uncovers Google’s GDPR workaround
https://brave.com/google-gdpr-workaround/
Tomi Engdahl says:
Why is marketing permission important in the future too?
https://matter.fi/markkinointiluvan-tarkeys/
Tomi Engdahl says:
CJEU on cookies: ‘Consent or be tracked’ is not an option
By EDRi
https://edri.org/cjeu-cookies-consent-or-be-tracked-not-an-option/
Today, on 1 October 2019, the Court of Justice of the European Union (CJEU) gave its ruling on “cookie consent” requirements. European Digital Rights (EDRi) welcomes the CJEU’s confirmation that under the current data protection framework, cookies can only be set if users have given consent that is valid under the General Data Protection Regulation (GDPR). This means consent needs to be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of a user’s agreement.
Tomi Engdahl says:
https://techcrunch.com/2019/11/14/californias-new-data-privacy-law-brings-u-s-closer-to-gdpr/?tpcc=ECFB2019
Tomi Engdahl says:
Gigantti's website had a security hole open for a month; personal data could be retrieved from the site
https://www.hs.fi/kotimaa/art-2000006312024.html
On the registration page for the Gigantti-klubi loyalty scheme, it was possible to look up people's personal data from a database by phone number. The database in question is the contact and consumer-marketing register of the marketing and credit information company Bisnode. Gigantti's marketing director Sami Särkelä told HS on Sunday that the form on the registration page had been in use for about a month. ”Unfortunately we found out yesterday, Saturday, that an error in the code of the customer data form has made it possible to display data in a way that is not in line with data protection”, Särkelä said by email. According to him the system has now been closed and the code is being fixed.
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
EU data regulator issues first-ever sanction of an EU institution, against the European parliament over its use of US-based NationBuilder to process voter data
European parliament’s NationBuilder contract under investigation by data regulator
https://techcrunch.com/2019/11/28/european-parliaments-nationbuilder-contract-under-investigation-by-data-regulator/
Tomi Engdahl says:
The CJEU rules on consent to cookies under data protection law
http://eulawanalysis.blogspot.com/2019/10/the-cjeu-rules-on-consent-to-cookies.html
Last week’s CJEU ruling in Planet49 is an important Grand Chamber decision concerning the use of cookies and the meaning of consent under the e-Privacy Directive in the light of the Data Protection Directive but also the General Data Protection Regulation (Regulation 2016/679)(GDPR). The judgment is therefore relevant for understanding the cookie obligations in the new regime as well as the old.
Judgment
The case concerned an online lottery. To participate, users had to enter their name and address and were shown two checkboxes in relation to consent for data processing before they could participate in the lottery.
Tomi Engdahl says:
Fines are being handed out for GDPR violations; this is how many have been issued so far: ”SMEs have very few resources to follow legislative developments”
https://www.mikrobitti.fi/uutiset/gdpr-rikkomuksista-jaellaan-sakkoja-nain-paljon-niita-on-tahan-mennessa-lahetelty-pk-yrityksilla-hyvin-vahan-resursseja-seurata-lainsaadannon-kehitysta/4ca38c89-d008-4651-b2b7-6978d63d2102
”Especially small and medium-sized enterprises may have very few resources to actively follow legislative developments”, says Erkko Meri, lawyer at the Finland Chamber of Commerce (Keskuskauppakamari). The European Union's General Data Protection Regulation (GDPR) has been in force for a year and a half. By October, at least 82 fines had been issued within the Union for actions contrary to the regulation. For example, in Hungary a company was fined more than 15,000 euros after an employee's memory stick containing personal data was lost and the company had not fulfilled its notification obligation. ”Awareness of data protection issues among EU citizens has risen. National authorities in several member states have issued substantial fines for actions contrary to the regulation. In Germany a company was fined almost 200,000 euros because, among other things, it had not deleted the data of data subjects who for years had no longer been the company's . The Chamber of Commerce covers the data protection regulation, among other topics, in its legal review, which goes through current legislative changes. The first review in the series focuses on legislative changes concerning the Working Hours Act and EU regulation. Read also:
https://kauppakamari.fi/wp-content/uploads/2019/11/kauppakamarin-juridiikkakatsaus.pdf
Tomi Engdahl says:
Web Hosting Firm Slapped With $10 Million GDPR Fine
https://www.securityweek.com/web-hosting-firm-slapped-10-million-gdpr-fine
$10 Million GDPR Fine Imposed on German Telco 1&1
The German data protection regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has imposed a €9.55 million ($10.64 million) GDPR fine on German telecoms provider 1&1 Telecom GmbH. This is described as being “in the lower range of possible fines” primarily because of 1&1′s cooperative response to the regulator’s investigation.
The fine was imposed under Article 32 of GDPR. Paragraph 2 states, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
BfDI said in a statement, “In connection with their telephone customer service, the company had not taken sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information.”
The investigation commenced following a complaint from a customer whose personal mobile phone number was given by 1&1′s customer helpline to a former life partner in 2018.
Despite saying the fine was in the lower range of possibilities, it remains a major GDPR fine against a European company. Germany had earlier imposed a fine of €14.5 million ($16.15 million) on a German real estate company for storing personal data without a legal basis, and for not implementing privacy by design. The highest fine so far was by the UK regulator against British Airways ($230 million in 2018). However, the 1&1 fine is significant for both its size, and because it does not directly relate to the organization’s computer systems, but to verbal and curated access to personal data stored on those systems.
Tomi Engdahl says:
Personal data is starting to move between organisations
http://etn.fi/index.php?option=com_content&view=article&id=10245&via=n&datum=2019-12-16_15:38:21&mottagare=31202
Tomi Engdahl says:
Operator didn't bother to protect its customer data, received GDPR fines of almost 10 million euros
https://www.kauppalehti.fi/uutiset/operaattori-ei-vaivautunut-suojaamaan-asiakasdataansa-sai-lahes-10-miljoonan-euron-gdpr-sakot/56761224-361d-4563-ab10-928301d27501
The German telecom operator 1&1 Telecommunications received a fine of 9.55 million euros for a serious GDPR violation. Read also:
https://www.zdnet.com/article/data-privacy-germans-dish-out-one-of-biggest-gdpr-fines-yet-over-lax-call-centers/
Tomi Engdahl says:
”Don't give an inch” – the fallout from Trafi's data protection problems has now been dealt with
https://www.tivi.fi/uutiset/tv/2cdca48b-af33-4dba-ad93-d059d6bc3066
A year ago a problem was found in a new online service of the then Finnish Transport Safety Agency (Trafi), and dealing with its aftermath has taken a year.
The final report has now been completed, but the press release from the Ministry of Transport and Communications says essentially nothing about its details.
an understanding of data protection, information security and risk management must be part of every civil servant's basic competence.
Tomi Engdahl says:
Cookie consent tools are being used to undermine EU privacy rules, study suggests
https://techcrunch.com/2020/01/10/cookie-consent-tools-are-being-used-to-undermine-eu-privacy-rules-study-suggests/
Most cookie consent pop-ups served to internet users in the European Union — ostensibly seeking permission to track people’s web activity — are likely to be flouting regional privacy laws, a new study by researchers at MIT, UCL and Aarhus University suggests.
“The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems,” the researchers argue, adding that: “Enforcement in this area is sorely lacking.”
Tomi Engdahl says:
When consent is being relied upon as the legal basis for processing web users’ personal data, the bar for valid (i.e. legal) consent that’s set by the EU’s General Data Protection Regulation (GDPR) is clear: It must be informed, specific and freely given.
Tomi Engdahl says:
Interestingly, the introduction of General Data Protection Regulation (GDPR) in May 2018 negatively impacted 42% of businesses, reducing their databases of leads. Furthermore, 44% believe GDPR made it extremely difficult to capture new leads and effectively market to them.
https://www.forbes.com/sites/kimberlywhitler/2020/01/04/new-study-suggests-lead-generation-is-a-key-growth-challenge-for-most-companies/
Tomi Engdahl says:
Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers’ payment cards
https://www.theregister.co.uk/2020/01/09/dixons_store_group_fined_500000_by_ico_for_crap_security_that_exposed_56_millino_customers_payment_cards/
The fine is the maximum the ICO could levy under the previous data laws, but had it occurred following the roll-out of GDPR legislation Dixons may have found itself slapped with a bigger fine, he added.
Tomi Engdahl says:
Kashmir Hill / New York Times:
As companies comply with privacy laws like GDPR and CCPA, many have insecure practices for giving users their data and some outsource user identity verification
What’s the Price of Getting Your Data? More Data
https://www.nytimes.com/2020/01/15/technology/data-privacy-law-access.html
The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.
In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.
Tomi Engdahl says:
Douglas Busvine / Reuters:
Report: European regulators have imposed €114M in fines for data breaches since GDPR came into force in 2018; France’s €50M fine against Google is the biggest
Fines for European privacy breaches reach 114 million euros: report
https://www.reuters.com/article/us-europe-privacy/fines-for-european-privacy-breaches-reach-114-million-euros-report-idUSKBN1ZJ00Z
European regulators have imposed 114 million euros ($126 million) in fines for data breaches since tougher privacy rules came into force in mid-2018, with approaches varying widely from country to country.
In principle, regulators can impose fines of 2% or, in some cases 4%, of global turnover. In practice, they will have to judge whether such a heavy penalty would stand up in court, said DLA Piper partner Ross McKean.
“It’s going to take time – the regulators are going to be wary about going to 4% because they are going to get appealed,” McKean told Reuters. “And you lose credibility as a regulator if you’re blown up on appeal.”
The largest single penalty threatened so far has been in Britain, where the regulator has proposed a fine of 183 million pounds ($239 million) against British Airways owner IAG over the theft of data of half a million customers.
Tomi Engdahl says:
‘Every cloud has a GDPR lining’
Tomi Engdahl says:
“It is very difficult to get your name removed from companies' registers”
https://www.kauppalehti.fi/uutiset/on-erittain-vaikea-saada-nimensa-pois-yritysten-rekistereista/86bd8919-b645-48a0-9820-437273791c55
The problem should preferably be solved globally, or at least within the EU, by creating a single address where all controllers, and especially companies that sell people's data, must register and to which people can send enquiries and deletion requests, the author proposes in an opinion piece.
Tomi Engdahl says:
“Advocates of automated decision making typically make their case by saying “well, given a request that meets conditions X, Y and Z, it is obvious that the data should be disclosed.” The fallacy in that argument is that if a query is automated, no one knows whether conditions X, Y and Z are actually met. The only way to find out is to engage in extensive ex post audits, long after the data has been disclosed, a weak and largely impractical safeguard.”
Can we Automate GDPR compliance? Time for public comment on Whois reform
https://www.internetgovernance.org/2020/02/12/can-we-automate-gdpr-compliance-time-for-public-comment-on-whois-reform/
Tomi Engdahl says:
Mika Huhtamäki: MyData brings sustainable data business to the post-GDPR world
https://www.dna.fi/yrityksille/blogi/-/blogs/mika-huhtamaki-mydata-tuo-kestavan-dataliiketoiminnan-gdpr-n-jalkeiseen-maailmaan?utm_source=facebook&utm_medium=linkad&utm_content=artikkeli_mika_huhtamaki_mydata_tuo_kestavan_dataliiketoiminnan_gdpr_n_jalkeiseen_maailmaan&utm_campaign=pk_jatkuva_trendit2020_20
We have been conditioned to accept terms of use without reading them and to share our data openly, because there is no real sensible alternative. GDPR brought a welcome counterweight and justified restrictions to this, but at the same time it is hitting the brakes of the data economy too hard, says data activist and deputy CEO Mika Huhtamäki
Mika Huhtamäki, who is one of the founding members of MyData Global, an organisation promoting digital human rights, and deputy CEO of Vastuu Group.
”Data has finally been understood as a corporate responsibility issue in the same way as environmental matters. In business, data and its use affect people. Scandals like Cambridge Analytica have been only the tip of the iceberg; the real problems are much deeper and closer to everyday life”, says Huhtamäki.
Vastuu Group was previously known as Suomen Tilaajavastuu. It promotes the digitalisation of the built environment and helps companies in the sector meet their legal obligations. The company also develops services for a sustainable data economy, for example for identification.