https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption as more than just a risk reduction technique. Another major change incoming via GDPR is that ‘privacy by design’ is no longer just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
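As an added illustration of the pseudonymization idea described above (this is example code written for this page, not from TechCrunch or from any GDPR guidance), the block below keeps personal identifiers out of a working dataset while a separately held secret still allows re-identification. Instead of encrypting the fields, it uses a keyed HMAC pseudonym plus a re-identification vault; the key and the vault play the role of the "encryption key stored separately". The records are constructed sample data, and the field names are assumptions for the example. It also shows why an unkeyed hash of an email address is not an adequate pseudonym: anyone holding the dataset can hash a guessed address and compare. Note that, as the text says, pseudonymized data is still personal data in the controller's hands, because the key and vault make it re-identifiable; only truly anonymous data falls outside the regulation.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people); "email" and "phone" are
# the fields this example treats as direct identifiers.
RECORDS = [
    {"email": "alice@example.com", "phone": "+358401234567", "purchases": 3},
    {"email": "bob@example.com", "phone": "+358409876543", "purchases": 1},
    {"email": "alice@example.com", "phone": "+358401234567", "purchases": 2},
]
PII_FIELDS = ("email", "phone")


def make_pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over field name and value.

    Binding the field name into the message keeps an email pseudonym distinct
    from a phone pseudonym even if the raw values ever collided.
    """
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key: bytes, fields=PII_FIELDS):
    """Return (pseudonymised records, vault).

    The vault maps pseudonym -> original value. It is meant to be stored
    separately from the dataset and from the analysts who use it, just like
    the key in the encryption variant the article describes.
    """
    out, vault = [], {}
    for rec in records:
        new = dict(rec)
        for f in fields:
            p = make_pseudonym(key, f, rec[f])
            vault[p] = rec[f]
            new[f] = p
        out.append(new)
    return out, vault


def reidentify(pseudo_records, vault, fields=PII_FIELDS):
    """Reverse the pseudonymisation; only the party holding the vault can."""
    return [{**r, **{f: vault[r[f]] for f in fields}} for r in pseudo_records]


def purchases_per_subject(pseudo_records):
    """Analytics that need no identifiers: the pseudonym is deterministic for
    one key, so records of the same person still join correctly."""
    totals = {}
    for r in pseudo_records:
        totals[r["email"]] = totals.get(r["email"], 0) + r["purchases"]
    return totals


def guess_by_plain_hash(candidate_email: str, pseudo_value: str) -> bool:
    """What an unkeyed hash would allow: hash a guessed address and compare.
    Against the keyed pseudonym this always fails without the key."""
    return hashlib.sha256(candidate_email.encode()).hexdigest()[:32] == pseudo_value


def demo():
    key = secrets.token_bytes(32)          # held by the key custodian only
    pseudo, vault = pseudonymize(RECORDS, key)
    totals = purchases_per_subject(pseudo)  # works on the pseudonymised copy
    restored = reidentify(pseudo, vault)    # possible only with the vault
    guess = guess_by_plain_hash("alice@example.com", pseudo[0]["email"])
    return pseudo, totals, restored, guess


if __name__ == "__main__":
    pseudo, totals, restored, guess = demo()
    print("pseudonymised:", pseudo)
    print("totals per pseudonym:", totals)
    print("re-identified equals original:", restored == RECORDS)
    print("plain-hash guess succeeded:", guess)
```

The design choice worth noticing is the split: analysts get the pseudonymised records and can do their joins and counts, while the key and the vault sit with a different role and are never shipped with the data. Losing that separation (for example, exporting the vault alongside the dataset) collapses the pseudonymisation back into plain personal data.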
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Irish DPC report: 6 inquiries into multinational tech companies’ GDPR compliance were opened in 2019, bringing major cross-border probes to 21, but no decisions
Lack of big tech GDPR decisions looms large in EU watchdog’s annual report
https://techcrunch.com/2020/02/19/lack-of-big-tech-gdpr-decisions-looms-large-in-eu-watchdogs-annual-report/
The lead European Union privacy regulator for most of big tech has put out its annual report which shows another major bump in complaints filed under the bloc’s updated data protection framework, underlining the ongoing appetite EU citizens have for applying their rights.
But what the report doesn’t show is any firm enforcement of EU data protection rules vis-a-vis big tech.
The report leans heavily on stats to illustrate the volume of work piling up on desks in Dublin. But it’s light on decisions on highly anticipated cross-border cases involving tech giants including Apple, Facebook, Google, LinkedIn and Twitter.
This is despite Ireland having a large number of open cross-border investigations into the data practices of platform and adtech giants, some of which originated from complaints filed right at the moment GDPR came into force.
In its defence, the DPC does have a horrifying case load, as illustrated by other stats it’s keen to spotlight, such as saying it received a total of 7,215 complaints in 2019, a 75% increase on the total number (4,113) received in 2018. A full 6,904 of these were dealt with under the GDPR (while 311 complaints were filed under the Data Protection Acts 1988 and 2003).
Tomi Engdahl says:
Under Pressure: New GDPR Rule Makes Data Security a Critical C-Suite Concern
https://www.dfinsolutions.com/insights/article/under-pressure-new-gdpr-rule-makes-data-security-critical-c-suite-concern
Lawmakers in the European Union passed sweeping new measures to protect individual privacy rights, in a way that reaches far beyond the borders of its 28 member states. The result: Data security is now an even more pressing C-suite concern worldwide.
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
European Data Protection Board publishes updated guidelines arguing that scrolling and “cookie walls”, which block users from content, don’t constitute consent — You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’.
No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body
https://techcrunch.com/2020/05/06/no-cookie-consent-walls-and-no-scrolling-isnt-consent-says-eu-data-protection-body/
You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.
Tomi Engdahl says:
http://www.oikeusmedia.uutisparkki.com/2020/05/15/apulaistietosuojavaltuutettu-maarasi-yrityksen-muuttamaan-tapaa-jolla-se-pyytaa-suostumusta-evasteiden-kayttoon/
Tomi Engdahl says:
An important GDPR precedent in Finland: two authorities, two completely different interpretations
https://www.tivi.fi/uutiset/tv/0b79b269-066e-4abc-8fc2-4d9d766aae09
The European data protection regulation GDPR came into force two years ago. Browser cookies are important for the functionality of websites. They also have a downside: cookies allow visitors to sites to be tracked fairly precisely, and the more of this data there is, the better a picture companies can form of a person. One of the most important features of the GDPR is that it restricts companies’ freedom to collect this data about people. The guidance can, however, be interpreted in different ways, which makes life easy for neither companies nor authorities. Some questionable interpretations, for example, regard scrolling down from the landing screen as giving consent. This is a questionable interpretation at the very least, since giving consent should be a clear choice, not an interpretation based on impatient behaviour. Sometimes the ambiguity is exploited blatantly. Some sites, for example, prevent the visitor from seeing the site’s content until the visitor gives the site permission to track them. This kind of consent-extorting block is perhaps in keeping with the letter of the law, but certainly not with its spirit. The cases handled by Traficom and the Office of the Data Protection Ombudsman were separate from each other. Read also:
https://www.tivi.fi/uutiset/tv/fbf224ad-0cf4-4758-a5c3-0d6060a0f9a8
Tomi Engdahl says:
BBC:
Court in Netherlands rules that, under GDPR, a woman must delete photos of her grandchildren that she posted on Facebook without their parents’ permission — A woman must delete photographs of her grandchildren that she posted on Facebook and Pinterest without their parents’ permission, a court in the Netherlands has ruled.
Grandmother ordered to delete Facebook photos under GDPR
https://www.bbc.com/news/technology-52758787
A woman must delete photographs of her grandchildren that she posted on Facebook and Pinterest without their parents’ permission, a court in the Netherlands has ruled.
It ended up in court after a falling-out between the woman and her daughter.
The judge ruled the matter was within the scope of the EU’s General Data Protection Regulation (GDPR).
One expert said the ruling reflected the “position that the European Court has taken over many years”.
The case went to court after the woman refused to delete photographs of her grandchildren which she had posted on social media.
The mother of the children had asked several times for the pictures to be deleted.
The GDPR does not apply to the “purely personal” or “household” processing of data.
However, that exemption did not apply because posting photographs on social media made them available to a wider audience, the ruling said.
“With Facebook, it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties,” it said.
The woman must remove the photos or pay a fine of €50 (£45) for every day that she fails to comply with the order, up to a maximum fine of €1,000.
If she posts more images of the children in the future, she will be fined an extra €50 a day.
“I think the ruling will surprise a lot of people who probably don’t think too much before they tweet or post photos,” said Neil Brown, a technology lawyer at Decoded Legal.
Tomi Engdahl says:
http://www.oikeusmedia.uutisparkki.com/2020/05/22/tietosuojavaltuutetun-toimiston-seuraamuskollegio-maarasi-kolme-seuraamusmaksua-tietosuojarikkomuksista/
Tomi Engdahl says:
https://techcrunch.com/2020/05/13/googles-android-ad-id-targeted-in-strategic-gdpr-tracking-complaint/
Tomi Engdahl says:
Finland imposed data protection violation fines for the first time: Posti hit with 100,000 euros over its change-of-address notification practices
https://yle.fi/uutiset/3-11364819
Posti’s fine of one hundred thousand euros is a consequence of its not informing customers who had filed a change-of-address notification of their right, among other things, to block the disclosure of their data in connection with the notification. Kymen Vesi received a 16,000 euro fine because it had failed to carry out an impact assessment for the processing of location data. In the third case, a company collected data on job applicants and employees unnecessarily. The name of the company that received the 12,500 euro penalty was not made public.
Tomi Engdahl says:
The Sanctions Board of the Office of the Data Protection Ombudsman imposed three administrative fines for data protection violations
https://tietosuoja.fi/artikkeli/-/asset_publisher/tietosuojavaltuutetun-toimiston-seuraamuskollegio-maarasi-kolme-seuraamusmaksua-tietosuojarikkomuksista
On 18 May the Sanctions Board imposed an administrative fine on three companies for violating data protection legislation. The violations concern deficient information about data protection rights, failure to carry out an impact assessment, and the collection of unnecessary personal data.
Tomi Engdahl says:
Javier Espinoza / Financial Times:
Leaked draft of EU report says GDPR rules have been difficult to implement, placing a burden on small and medium-sized companies and hampering tech development
https://t.co/0XGcma2j43
Tomi Engdahl says:
Only 9% of Visitors Give GDPR Consent To Be Tracked
https://yro.slashdot.org/story/20/07/07/2214249/only-9-of-visitors-give-gdpr-consent-to-be-tracked?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Marko Saric, a digital marketing consultant and blogger, conducted his own experiment to find out how many visitors would engage with a GDPR banner and grant GDPR consent to their information being collected and shared. For his study, Saric used Metomic for his GDPR consent banner and tested it on two different websites during June.
https://markosaric.com/gdpr-consent/
Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law.
I wanted to find out how many visitors would engage with a GDPR banner if it were implemented properly and how many would grant consent to their information being collected and shared.
Tomi Engdahl says:
Legal clouds gather over US cloud services, after CJEU ruling
https://tcrn.ch/2ZFO5xA
In the wake of yesterday’s landmark ruling by Europe’s top court — striking down a flagship transatlantic data transfer framework called Privacy Shield, and cranking up the legal uncertainty around processing EU citizens’ data in the U.S. in the process — Europe’s lead data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to get on and do the job of intervening to stop people’s data flowing to third countries where it’s at risk.
Countries like the U.S.
The original complaint that led to the Court of Justice of the EU (CJEU) ruling focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize moving EU users’ data to the U.S. for processing.
Complainant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC data transfers in light of U.S. government mass surveillance programs. Instead, the regulator went to court to raise wider concerns about the legality of the transfer mechanism.
That in turn led Europe’s top judges to nuke the Commission’s adequacy decision, which underpinned the EU-U.S. Privacy Shield — meaning the U.S. no longer has a special arrangement greasing the flow of personal data from the EU. Yet, at the time of writing, Facebook is still using SCCs to process EU users’ data in the U.S. Much has changed, but the data hasn’t stopped flowing — yet.
Yesterday the tech giant said it would “carefully consider” the findings and implications of the CJEU decision on Privacy Shield, adding that it looked forward to “regulatory guidance.” It certainly didn’t offer to proactively flip a kill switch and stop the processing itself.
The DPC’s statement also only went so far as to say the use of SCCs for taking data to the U.S. for processing is “questionable” — adding that case by case analysis would be key.
The regulator remains the focus of sustained criticism in Europe over its enforcement record for major cross-border data protection complaints — with still zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and an ever-growing backlog of open investigations into the data processing activities of platform giants.
The painstaking pace of enforcement around Europe’s flagship data protection framework remains a problem for EU lawmakers — whose two-year review last month called for uniformly “vigorous” enforcement by regulators.
“European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country,” writes EDPS Wojciech Wiewiórowski, in a statement, which warns against further dithering or can-kicking on the intervention front.
“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.
Part of the complexity of enforcement of Europe’s data protection rules is the lack of a single authority; a varied patchwork of supervisory authorities responsible for investigating complaints and issuing decisions.
In the statement, Hamburg’s data commissioner, Johannes Caspar, added: “Difficult times are looming for international data traffic.”
In a press note today, Berlin’s DPA also took a tough line, warning that data transfers to third countries would only be permitted if they have a level of data protection essentially equivalent to that offered within the EU.
In the case of the U.S. — home to the largest and most used cloud services — Europe’s top judges yesterday reiterated very clearly that that is not in fact the case.
“The times when personal data could be transferred to the U.S. for convenience or cost savings are over after this judgment,” she added.
“Now is the time for Europe’s digital independence,” she added.
Short of radical changes to U.S. surveillance law, it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny “new and improved” replacement didn’t even last five.
In the wake of the CJEU ruling, data exporters and importers are required to carry out an assessment of a country’s data regime to assess adequacy with EU legal standards before using SCCs to transfer data there.
“When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR,” Jelinek writes.
“If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”
One thing is crystal clear: Any sense of legal certainty U.S. cloud services were deriving from the existence of the EU-U.S. Privacy Shield — with its flawed claim of data protection adequacy — has vanished like summer rain.
In its place, a sense of déjà vu and a lot more work for lawyers.
Tomi Engdahl says:
No grace period after Schrems II Privacy Shield ruling, warn EU data watchdogs
https://techcrunch.com/2020/07/24/no-grace-period-after-schrems-ii-privacy-shield-ruling-warn-eu-data-watchdogs/
Tomi Engdahl says:
New study: Finland’s Findata would be an excellent model for the GDPR policy of Facebook and the other giants https://algorithmwatch.org/en/governing-platforms-ivir-study-june-2020/
Tomi Engdahl says:
AlgorithmWatch Study debunks Facebook’s GDPR Claims
https://algorithmwatch.org/en/governing-platforms-ivir-study-june-2020/
A new study published by AlgorithmWatch in cooperation with the European Policy Centre and the University of Amsterdam’s Institute for Information Law shows that the GDPR needn’t stand in the way of meaningful research access to platform data; looks to health and environmental sectors for best practices in privacy-respecting data sharing frameworks.
Tomi Engdahl says:
Processing Data to Protect Data: Resolving the Breach Detection
Paradox
https://script-ed.org/article/processing-data-to-protect-data-resolving-the-breach-detection-paradox/
Most privacy laws contain two obligations: that processing of personal
data must be minimised, and that security breaches must be detected
and mitigated as quickly as possible. These two requirements appear to
conflict, since detecting breaches requires additional processing of
logfiles and other personal data to determine what went wrong.
Fortunately Europe’s General Data Protection Regulation (GDPR),
considered the strictest such law, recognises this paradox and
suggests how both requirements can be satisfied. This paper assesses
security breach detection in the light of the principles of purpose
limitation and necessity, finding that properly-conducted breach
detection should satisfy both principles,
Tomi Engdahl says:
Housing company installed electronic locks but botched the GDPR: this is what the Data Protection Ombudsman decided
https://www.tivi.fi/uutiset/tv/a7401466-c107-43f3-a3e9-86514efd28d4
In the view of the Deputy Data Protection Ombudsman, the electronic lock system installed by the housing company is unlawful, since the GDPR’s requirements are not complied with. The Deputy Data Protection Ombudsman’s decision is not final; it can be appealed to the Administrative Court. Read also:
https://www.is.fi/digitoday/tietoturva/art-2000006600839.html
Tomi Engdahl says:
Oracle and Salesforce hit with GDPR class action lawsuits over cookie tracking consent
https://techcrunch.com/2020/08/14/oracle-and-salesforce-hit-with-gdpr-class-action-lawsuits-over-cookie-tracking-consent/?tpcc=ECFB2020
The use of third party cookies for ad tracking and targeting by data broker giants Oracle and Salesforce is the focus of class action style litigation announced today in the UK and the Netherlands.
The suits will argue that mass surveillance of Internet users to carry out real-time bidding ad auctions cannot possibly be compatible with strict EU laws around consent to process personal data.
The litigants believe the collective claims could exceed €10BN, should they eventually prevail in their arguments — though such legal actions can take several years to work their way through the courts.
In the UK, the case may also face some legal hurdles given the lack of an established model for pursuing collective damages in cases relating to data rights. Though there are signs that’s changing.
Under GDPR, consent for processing EU citizens’ personal data must be informed, specific and freely given. The regulation also confers rights on individuals around their data — such as the ability to receive a copy of their personal information.
Per Oracle marketing materials, its Data Cloud and BlueKai Marketplace provide partners with access to some 2BN global consumer profiles. (Meanwhile, as we reported in June, BlueKai suffered a data breach that exposed billions of those records to the open web.)
While Salesforce claims its marketing cloud ‘interacts’ with more than 3BN browsers and devices monthly.
Tomi Engdahl says:
Zoom native client reads your Chrome browser cookies and adds an everlogin cookie that lasts 10 years.
Clearly Zoom still don’t understand GDPR.
https://www.threatspike.com/blog/zoom_cookies.html
Your average user takes it for granted that websites know when you’ve visited before, whether you were logged in and even what you had in your basket last time you shopped. In most cases this magic customisation is possible through the use of Cookies. Cookies are small pieces of information that are stored on devices by websites in order to identify users – this allows websites to customise the content they deliver to each person.
Although some functionality afforded by cookies can be helpful in increasing the security and accessibility of websites, there have long been privacy concerns with companies being able to track you across the Internet. Many concerns are related to the use of tracking and advertising cookies, and how companies use and abuse this data to manipulate customers. Since the introduction of the ePrivacy Directive and the GDPR, cookies have received a lot of attention in discussions about online privacy.
During the last month, Threatspike EDR detected the widely used Zoom Windows client accessing the Google Chrome cookie file during the uninstall process.
Tomi Engdahl says:
Facebook told it may have to suspend EU data transfers after Schrems II ruling
https://tcrn.ch/3bH83fC
Ireland’s data protection watchdog, the DPC, has sent Facebook a preliminary order to suspend data transfers from the EU to the US, the Wall Street Journal reports, citing people familiar with the matter and including a confirmation from Facebook’s VP of global affairs, Nick Clegg.
The preliminary suspension order follows a landmark ruling by Europe’s top court this summer which both struck down a flagship data transfer arrangement between the EU and the US and cast doubt on the legality of an alternative transfer mechanism (aka SCCs) — certainly in cases where data is flowing to a non-EU entity that falls under US surveillance law.
Facebook’s use of Standard Contractual Clauses to claim a legal basis for EU data transfers therefore looks to be fast running out of borrowed time.
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” Clegg writes. “While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
Tomi Engdahl says:
Facebook to be forced to stop sending EU data to the US
https://www.politico.eu/article/facebook-privacy-data-us/
The Irish regulator is expected to stop the social media giant from moving data to the US because of privacy concerns.
Ireland’s privacy watchdog has told Facebook that it will soon have to stop transferring its European users’ data to the United States because the social media giant’s current procedures fall foul of EU law.
Facebook was told in early August that the Irish privacy regulator was reviewing how it moved data to the U.S., according to two people with knowledge of the case who spoke on the condition of anonymity because they were not authorized to speak publicly.
In a statement, Nick Clegg, Facebook’s head lobbyist, confirmed Ireland’s expected decision, saying that the pending ruling would be felt across the transatlantic economy.
“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU,” Clegg said. “We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”
Securing the Long Term Stability of Cross-Border Data Flows
https://about.fb.com/news/2020/09/securing-the-long-term-stability-of-cross-border-data-flows/
Tomi Engdahl says:
https://etn.fi/index.php/13-news/11065-suomessa-maaratty-vain-nelja-gdpr-sakkoa
Tomi Engdahl says:
Is Facebook going to ban all European users because it does not like what some EU persons in charge think about privacy?
European regulators are cracking down on Facebook’s ability to transfer data across the Atlantic. Now the tech giant is threatening to pull its services from more than 400 million European users.
In a court filing in Dublin, Facebook said that a decision by Ireland’s Data Protection Commission (DPC) would force the company to pull up stakes and leave the 410 million people without Facebook and Instagram.
https://www.vice.com/en_us/article/889pk3/facebook-threatens-to-pull-out-of-europe-if-it-doesnt-get-its-way?utm_source=vicenewsfacebook
Facebook’s head of global policy has denied the tech giant could close its service to Europeans if local regulators order it to suspend data transfers to the US following a landmark Court of Justice ruling in July that has cemented the schism between US surveillance laws and EU privacy rights.
https://social.techcrunch.com/2020/09/23/facebook-denies-it-will-pull-service-in-europe-over-data-transfer-ban/
Tomi Engdahl says:
“The company must ensure that withdrawing consent is as easy as accepting cookies.” Source: https://europa.eu/youreurope/business/dealing-with-customers/data-protection/online-privacy/index_fi.htm
Do you think you succeeded in implementing the requirement?
Tomi Engdahl says:
Clothing retail chain H&M received a 35 million euro fine for collecting its employees’ personal data in Germany
The database compiled for managers’ use listed, among other things, matters relating to illnesses and religion.
https://yle.fi/uutiset/3-11574720
Recorded, for example, were detailed descriptions of employees’ symptoms and diagnoses. Around 50 people in management positions had access to the data.
Data collection into the database had continued since at least 2014 until it was exposed in October 2019 through a computer malfunction. The malfunction caused the data to be visible to a wider group for a few hours.
According to the authorities, the data collection violated the employees’ data protection.
In July 2019 the British authorities ordered British Airways to pay 201 million euros following a data breach. Google, in turn, received a 50 million euro penalty from the French authorities in January 2019 for failures in informing about data collection.
The EU data protection regulation, which came into force in 2018, stipulates that data collection requires separately given permission from the person concerned, or that the data collection meets one of the other requirements laid down.
Tomi Engdahl says:
https://www.karhuhelsinki.fi/blogi/privacy-shield-jarjestely-ja-eurooppalainen-gdpr-lainsaadanto?utm_source=facebook&utm_medium=display&fbclid=IwAR0LKOy32XvqtkcA5WOV2ApxbaItlomkIBcN1kfANz0J2cOrTFCqlVRMdHM
Tomi Engdahl says:
UK Fines British Airways for Failures in 2018 Data Hack
https://www.securityweek.com/uk-fines-british-airways-failures-2018-data-hack
Britain’s information commissioner has fined British Airways 20 million pounds ($25 million) for failing to protect personal data for some 400,000 customers, the largest fine the agency has ever issued.
The ICO said in a statement Friday that the airline was processing personal data without adequate security measures. It also noted that it did not detect a 2018 cyber attack for two months.
Information Commissioner Elizabeth Denham said BA’s “failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”
Tomi Engdahl says:
As a result of a data breach, the personal data of over 400,000 customers ended up online: airline gets a hefty discount on its fine
https://www.kauppalehti.fi/uutiset/tietomurron-seurauksena-yli-400000-asiakkaan-henkilotiedot-paatyivat-verkkoon-lentoyhtio-sai-roiman-alennuksen-sakkoonsa/457dee3f-1eb7-4265-b5cb-cbee4047b7f8
The UK data protection authority is reducing airline British Airways’ data breach fine to 20 million pounds, i.e. a good 22 million euros, Tech Crunch writes. Originally the fine had been set at 184 million pounds, i.e. over 200 million euros.
Tomi Engdahl says:
Civil Liberties Group Urges EU To Limit Data Transfers To The UK Post-Brexit
https://www.forbes.com/sites/carlypage/2020/10/12/civil-liberties-group-urges-eu-to-limit-data-transfers-to-the-uk-post-brexit/#8071a6a698ca
The Irish Council of Civil Liberties (ICCL) has urged the European Commission (EC) to limit EU data transfers to the UK after Brexit because of the “dismal record” of the UK Information Commissioner’s Office (ICO).
He claims the ICO cannot be relied on to protect Europeans’ data rights, a duty that is established in Article 45 of the GDPR legislation.
“The ICO has failed over the last two years to take any substantive action against the largest data breach that the UK and EU have ever experienced. It would be unreasonable to anticipate that it will perform any better after Brexit is complete,” Ryan wrote in the letter, which was sent to to three European Commissioners, Margrethe Vestager (Competition and Digital), Didier Reynders (Justice) and Thierry Breton (Internal Market).
“The UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights. As a consequence, the personal data of data subjects in the union do not at present have an adequate level of protection in the UK.
Tomi Engdahl says:
The state of privacy in Europe: what changed in 2020?
https://cybernews.com/editorial/the-state-of-privacy-in-europe-what-changed-in-2020/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=privacy_europe_change&fbclid=IwAR0vLeZWsWU8gruhtVrhQbobCQFm2eQJY73gz0O97A33p02SFHFi8WXGUg4
Across the EU, this has been an eventful year in the world of privacy, with new regulations, controversial court rulings and conflict with major internet platforms.
One of the biggest changes has been the demise of Privacy Shield, the arrangement under which EU data has in the past been legally transferred to the US.
That thorn in Facebook’s side, Austrian campaigner Max Schrems, this summer challenged Privacy Shield’s validity on the grounds that US national security laws did not protect EU citizens’ data from government spies – and won.
The decision has left EU-US data transfers in doubt. Many organisations are now attempting to use mechanisms such as Standard Contractual Clauses (SCCs) to legitimise their activities – but this, too has come under question.
“The court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws,” says Schrems. “It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady.”
Unsurprisingly, these rulings have not been welcomed by the internet giants.
Surveillance concerns
In another major privacy-related judgement, the Court of Justice of the European Union (CJEU) recently ruled that France, the UK, Belgium and other European countries cannot require internet service providers to store all their customers’ traffic and location data for intelligence purposes.
Tomi Engdahl says:
The Vastaamo case is no credit to Finland, but most companies do their best
http://pjarvinen.blogspot.com/2020/10/vastaamon-tapaus-ei-ole-kunniaksi.html
Case Vastaamo would provide endless topics for blog posts. Today I will pick one: Finland’s reputation and companies’ responsibility.
Finland has been regarded as a model country for data protection. We have the best official registers, and we took up GDPR regulation to the letter, almost in the German manner (unlike, for example, Sweden). Before the end of the GDPR transition period, probably thousands of events were held where IT professionals were reminded of the nature of data protection and of the law’s harsh sanctions. There were free and paid seminars, multi-day training programmes, websites… In the end GDPR seemed to be pouring out of everyone’s ears, and when the long-awaited 25 May finally arrived, everyone was probably relieved that the matter moved, if not onto the pile of things taken care of, then at least into the background.
For many years now we have been worried about Google’s and Facebook’s data snooping. They violate privacy and pry into our data. At the same time, companies have spent millions of euros on various GDPR privacy notices and cookie prompts, which mostly just annoy users and reduce rather than increase interest in one’s own data protection.
We quarrelled over trifles, such as what constitutes sufficient consent for the use of cookies under GDPR and the forthcoming ePrivacy regulation: must there be explicit consent every time, or are the browser’s cookie settings enough.
After Vastaamo’s shocking data leak, all of this feels like academic dabbling. The millions of euros would have been better spent on improving real data protection. We have been afraid of the internet giants, although the real bogeyman has been right nearby. Too near.
Tomi Engdahl says:
https://www.karhuhelsinki.fi/blogi/privacy-shield-jarjestely-ja-eurooppalainen-gdpr-lainsaadanto
Tomi Engdahl says:
Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for four years
UK watchdog’s mooted £99m penalty comes in at just £18.4m
https://www.theregister.com/2020/10/30/marriott_starwood_hack_fine_just_18_4bn/
Your name, address, phone number, email address, passport number, date of birth, and sex are worth just £0.05 in the eyes of the UK Information Commissioner’s Office, which has fined Marriott £18.4m after 339 million people’s data was stolen from the hotel chain.
The fine was imposed as a regulatory punishment for the 2018 Starwood Hotels megabreach despite Marriott not accepting liability for wrongdoing.
Tomi Engdahl says:
https://www.infosecurity-magazine.com/news/british-airways-plans-3bn-breach/
Tomi Engdahl says:
https://etn.fi/index.php/13-news/11829-rikkovatko-keksit-gdpr-saannoksia
Tomi Engdahl says:
Where GDPR went wrong
https://www.youtube.com/watch?v=v_W0wR4AClk
GDPR has been in effect for almost 3 years, with limited success. Let’s break down what the EU originally set out to do, and how well they actually achieved their goals with it. Including actually taking a look at cookie banners and privacy policies for once.
Tomi Engdahl says:
Free movement of data approved by a clear majority
https://etn.fi/index.php/13-news/11940-datan-vapaa-liikkuvuus-hyvaksyttiin-selvin-numeroin
In yesterday's session the European Parliament adopted a resolution according to which the free movement of data within the European Union must be ensured in order to guarantee the global competitiveness of European companies, universities and researchers. The resolution, prepared by Miapetra Kumpula-Natri, was adopted by 602 votes to 8.
The resolution states that data societies in the EU must be built on recognised rights and values, such as transparency and respect for privacy and fundamental rights. In addition, they must make possible better and automated real-time services, sustainable growth and high-quality jobs.
The resolution also notes that citizens should have the full right to control their own data and decide on its use. Finland has promoted its own MyData approach for this, but at EU level it remains open how citizens' right to control their own data will be arranged.
Tomi Engdahl says:
Websites of EU Mobile Providers Fail to Properly Secure User Data: Report
https://www.securityweek.com/websites-eu-mobile-providers-fail-properly-secure-user-data-report
Sensitive data pertaining to the customers of top mobile services providers in the European Union is at risk of compromise due to improperly secured websites, data security and privacy firm Tala reveals.
An analysis of the websites of 13 of the top mobile telecom companies in the EU has revealed that none of them has in place even the minimum necessary protections to be considered secure.
“With over 235 million customers between them, none of the mobile providers scored a passing grade for website security. Where a score of 80+ is considered reasonable and 50 is barely a passing grade, none of the mobile providers analyzed comes close,” Tala says in a new report.
Despite the lack of proper website protections, however, during online sign-up, the telcos collect a significant amount of sensitive data from their customers, including names, emails, addresses, dates of birth, passport numbers, payslips, and even banking details in some cases.
All of the gathered data, Tala claims, might be at risk of compromise through vulnerabilities and the use of third-party code: the average number of JavaScript integrations was found to be 162, while forms were found exposed to an average of 19 third parties.
All of the websites, the report reveals, use dangerous JavaScript functions that open the door to cross-site scripting (XSS), the most common type of website vulnerability. The highest number of JavaScript integrations on a single site was 735.
Tomi Engdahl says:
Dutch Data Protection Authority Fines Booking.com Over Incident Notification
https://www.securityweek.com/dutch-data-protection-authority-fines-bookingcom-over-incident-notification
The Dutch Data Protection Authority announced on Wednesday that it has issued a fine of €475,000 (roughly $550,000) to online travel agency Booking.com for failing to report a data security incident within the required timeframe.
According to the privacy watchdog, the incident took place in December 2018 and it involved cybercriminals using voice phishing (vishing) and social engineering to trick the employees of 40 hotels in the United Arab Emirates into handing over their credentials for their Booking.com accounts.
The cybercrooks then used that access to obtain information on more than 4,000 individuals who had booked a hotel through Booking.com. They also managed to access payment card information belonging to nearly 300 people and attempted to phish the card information of others by posing as Booking.com employees over the phone or email.
Tomi Engdahl says:
Facebook data leak now under EU data regulator investigation
https://www.bleepingcomputer.com/news/security/facebook-data-leak-now-under-eu-data-regulator-investigation/
Ireland’s Data Protection Commission (DPC) is investigating a massive data leak concerning a database containing personal information belonging to more than 530 million Facebook users. “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”
Tomi Engdahl says:
Facebook is under investigation in the EU for its massive leak of 533 million people’s data — and it could face a fine in the billions
https://trib.al/rSfalDL
A European regulator announced that it’s investigating Facebook over a leak of 533 million people’s data.
Ireland’s Data Protection Commission will probe whether Facebook broke EU privacy laws.
Facebook could face a fine of up to 4% of its $86 billion global revenue if found responsible.
Tomi Engdahl says:
When the GDPR Meets (Public) Blockchains: Looking through the Lens of Public Communications to Users
https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/
#pentest #magazine #pentestmag #pentestblog #PTblog #GDPR #EU #blochain #dataprotection #cybersecurity #infosecurity #infosec
Tomi Engdahl says:
A Dutch City Gets A €600,000 Fine For WiFi Tracking
https://hackaday.com/2021/05/08/a-dutch-city-gets-a-e600000-fine-for-wifi-tracking/
Enschede is an unremarkable but pleasant city in the east of the country
They’ve been caught tracking their citizens using WiFi, and since this contravenes Dutch privacy law they’ve been fined €600,000 (about $723,000) by the Netherlands data protection authorities.
The events in Enschede are already having a knock-on effect in the rest of the Netherlands as other municipalities race to ensure compliance and turn off any offending trackers, but perhaps more importantly they have the potential to reverberate throughout the entire European Union as well.
Tomi Engdahl says:
Cookie consent prompts done properly: examples from online shops
https://vierityspalkki.fi/2021/04/09/evastelupakysely-asiallisesti-esimerkkeja-verkkokaupoista/
Tomi Engdahl says:
EU Privacy Groups Set Sights on Facial Recognition Firm
https://www.securityweek.com/eu-privacy-groups-set-sights-facial-recognition-firm
Privacy organisations on Thursday complained to regulators in five European countries over the practices of Clearview AI, a company that has built a powerful facial recognition database using images “scraped” from the web.
Clearview’s use of images — including those from people’s social media accounts — to offer biometrics services to private companies and law enforcement “goes far beyond what we could ever expect as online users”, Ioannis Kouvakas, legal officer at Privacy International, said in a statement.
While Clearview touts its technology’s ability to help law enforcement, its critics say facial recognition is open to abuse and could ultimately eliminate anonymity in public spaces — pointing to cases like China’s massive public surveillance system.
Tomi Engdahl says:
GDPR fines paid total nearly 300 million euros
https://etn.fi/index.php/13-news/12231-gdpr-sakkoja-maksettu-lahes-300-miljoonaa-euroa
The EU's General Data Protection Regulation (GDPR) came into force on 25 May 2018. According to statistics compiled by the company Atlas VPN, fines totalling 283.7 million euros have been imposed under the regulation over three years.
In all, the European Union has imposed 648 penalties on organisations that violate data protection law.
In Finland, the Office of the Data Protection Ombudsman imposed five fines for GDPR violations last year. The largest fine was one hundred thousand euros.
GDPR fines nearly hit 300 million euros in three years
https://atlasvpn.com/blog/gdpr-fines-nearly-hit-300-million-euros-in-three-years
Tomi Engdahl says:
When the GDPR Meets (Public) Blockchains: Looking through the Lens of Public Communications to Users
https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/
As a very recent regulation, the GDPR introduces a number of new principles and legal requirements to the landscape of data protection law. Examples include ‘the right to erasure’ (also known as ‘the right to be forgotten’), the requirement for explicit consent, and a significantly increased maximum penalty fine for non-compliance, which have been key highlights in public media. Some data protection principles and legal requirements defined in the GDPR have led to a tension with some new and emerging technologies. One such technology is about distributed ledgers, more commonly known as blockchains.
A blockchain is a distributed (peer-to-peer) database where data is stored not on a central server, but among all its users. A distributed consensus protocol (e.g., proof of work) and some special incentivisation mechanisms (mostly in the form of a cryptocurrency) are normally used to encourage participation of users to make the system self-sustainable. Blockchains follow the distributed trust model and embrace transparency (all can see the data), security and anonymity (the use of cryptography and pseudonymous IDs for addresses).
The first and the most widely used blockchain system (and cryptocurrency) is Bitcoin, which was invented and implemented by someone with the pseudonymous name Satoshi Nakamoto in 2008. Since Bitcoin, many blockchain systems and cryptocurrencies have emerged, mostly after the second half of the 2010s, e.g., the currently second largest blockchain system Ethereum went live in 2015. According to who can read and write to the distributed ledger, blockchain systems can be classified into three major categories: public (permissionless) – anyone on the blockchain network, permissioned – only a number of privileged nodes with the right permission, and private – a single or several private users.
One unique technical feature of almost all existing blockchain systems is that, once a piece of data is stored on chain, it will remain there permanently. This feature is particularly important for public blockchains due to the lack of a centralised trusted party. It cannot be easily fixed by tweaking a blockchain system’s design and implementation details. This immediately leads to a direct conflict with the right to be forgotten defined in the GDPR, and users would have to give up this right forever if they want to use a blockchain system.
In addition, blockchain systems, especially public ones, also have other tricky GDPR compliance issues to address, such as how to define the data controllers and data processors (who are responsible for data protection), how to obtain explicit consents and support withdrawal of consents, etc. It deserves noting that, due to the distributed and (pseudo)anonymous nature of most public blockchain systems, and according to the territorial scope of the GDPR (see the 2019 dedicated guidelines from the European Data Protection Board), the GDPR should apply because data subjects and/or data controllers/processors can be from the EU or EEA.
The tension between blockchains and the GDPR has been noticed by the blockchain community. In October 2018, the EU Blockchain Observatory & Forum published a thematic report “Blockchain and the GDPR” to summarise the collective understanding of the community on this issue. This report acknowledges that the problem is particularly problematic for public blockchains, and recommends storing personal data off chain when possible or at least in an encrypted/anonymised form. The report also recommends that blockchain system developers and service providers should “be as clear and transparent as possible with users”
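The off-chain and encrypted-storage recommendation quoted above can be made concrete with a "crypto-shredding" pattern: only ciphertext and an opaque reference go on the immutable ledger, the per-record key lives in an ordinary off-chain store, and honouring an erasure request means deleting the key, after which the on-chain bytes are unreadable while the chain itself still verifies. The following is an added illustration, not code from the PenTest Magazine article or from the EU Blockchain Observatory report. It assumes a toy hash-chain `Ledger` standing in for a blockchain and a stdlib-only HMAC-SHA256 keystream cipher with encrypt-then-MAC (a real deployment would use a vetted AEAD such as AES-GCM); the `KeyVault`, `store_personal_data`, `read_personal_data` and all sample values are constructed for the example.

```python
"""Crypto-shredding demo: personal data on an immutable ledger, keys off chain.

Constructed example. The ledger is a toy hash chain and the cipher is an
HMAC-SHA256 keystream with encrypt-then-MAC, chosen only so the example runs on
the Python standard library. Production code should use a vetted AEAD.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


class Ledger:
    """Append-only hash chain standing in for a public blockchain: blocks can
    be appended and verified, but never changed or removed."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.blocks: list[dict] = []

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.blocks.append({"prev": prev, "body": body, "hash": digest})
        return len(self.blocks) - 1

    def verify(self) -> bool:
        """True if every block still links to, and hashes over, its predecessor."""
        prev = self.GENESIS
        for block in self.blocks:
            expected = hashlib.sha256((prev + block["body"]).encode()).hexdigest()
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream derived with HMAC-SHA256 (illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag computed over nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify (wrong key or tampering)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class KeyVault:
    """Off-chain store: one key per record under an opaque reference, plus the
    mapping from data subject to references. Deleting here is ordinary deletion,
    which is exactly what the ledger cannot offer."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.subjects: dict[str, set[str]] = {}

    def register(self, subject_id: str, ref: str, key: bytes) -> None:
        self.keys[ref] = key
        self.subjects.setdefault(subject_id, set()).add(ref)

    def erase(self, subject_id: str) -> int:
        """Honour an erasure request by destroying every key of the subject."""
        removed = 0
        for ref in self.subjects.pop(subject_id, set()):
            if self.keys.pop(ref, None) is not None:
                removed += 1
        return removed


def store_personal_data(ledger: Ledger, vault: KeyVault, subject_id: str, record: dict) -> int:
    key = secrets.token_bytes(32)
    # The reference is random, not a hash of the subject id: a hash of an e-mail
    # address can be recomputed from a guess and so is still personal data.
    ref = secrets.token_hex(16)
    vault.register(subject_id, ref, key)
    blob = encrypt(key, json.dumps(record, sort_keys=True).encode())
    return ledger.append({"ref": ref, "ciphertext": blob.hex()})


def read_personal_data(ledger: Ledger, vault: KeyVault, index: int) -> Optional[dict]:
    payload = json.loads(ledger.blocks[index]["body"])
    key = vault.keys.get(payload["ref"])
    if key is None:          # key shredded: the on-chain bytes are now just noise
        return None
    plaintext = decrypt(key, bytes.fromhex(payload["ciphertext"]))
    return None if plaintext is None else json.loads(plaintext)
```

After `vault.erase("alice")` the block is still on the chain and `ledger.verify()` still succeeds, so other participants' records and the chain's integrity are unaffected; only the ability to read the erased subject's record is gone. The pattern does not settle the legal question of whether unreadable ciphertext still counts as personal data, but it is the practical shape of the "encrypted form" recommendation in the report quoted above.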
Tomi Engdahl says:
Stephanie Bodoni / Bloomberg:
EU’s top court says Facebook can’t avoid potential EU-wide privacy orders from data protection authorities beyond its legal watchdog in Ireland
https://www.bloomberg.com/news/articles/2021-06-15/facebook-can-t-dodge-eu-wide-privacy-orders-top-court-rules
Tomi Engdahl says:
Adtech ‘data breach’ GDPR complaint is headed to court in EU
https://techcrunch.com/2021/06/16/adtech-data-breach-gdpr-complaint-is-headed-to-court-in-eu/?tpcc=ECFB2021
New York-based IAB Tech Labs, a standards body for the digital advertising industry, is being taken to court in Germany by the Irish Council for Civil Liberties (ICCL) in a piece of privacy litigation that’s targeted at the high speed online ad auction process known as real-time bidding (RTB).
The driving force behind the lawsuit is Dr Johnny Ryan, a former adtech insider turned whistleblower who’s now a senior fellow at the ICCL — and who has dubbed RTB the biggest data breach of all time.
He points to the IAB Tech Lab’s audience taxonomy documents which provide codes for what can be extremely sensitive information that’s being gathered about Internet users, based on their browsing activity, such as political affiliation, medical conditions, household income, or even whether they may be a parent to a special needs child.
The lawsuit contends that other industry documents vis-a-vis the ad auction system confirm there are no technical measures to limit what companies can do with people’s data, nor who they might pass it on to.