WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
GDPR’s running emphasis on data protection via data security it is implicitly encouraging the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.

373 Comments

  1. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Irish DPC report: 6 inquiries into multinational tech companies’ GDPR compliance were opened in 2019, bringing major cross-border probes to 21, but no decisions

    Lack of big tech GDPR decisions looms large in EU watchdog’s annual report
    https://techcrunch.com/2020/02/19/lack-of-big-tech-gdpr-decisions-looms-large-in-eu-watchdogs-annual-report/

    The lead European Union privacy regulator for most of big tech has put out its annual report which shows another major bump in complaints filed under the bloc’s updated data protection framework, underlining the ongoing appetite EU citizens have for applying their rights.

    But what the report doesn’t show is any firm enforcement of EU data protection rules vis-a-vis big tech.

    The report leans heavily on stats to illustrate the volume of work piling up on desks in Dublin. But it’s light on decisions on highly anticipated cross-border cases involving tech giants including Apple, Facebook, Google, LinkedIn and Twitter.

    despite Ireland having a large number of open cross-border investigations into the data practices of platform and adtech giants, some of which originated from complaints filed right at the moment GDPR came into force.

    In its defence, the DPC does have a horrifying case load. As illustrated by other stats its keen to spotlight — such as saying it received a total of 7,215 complaints in 2019; a 75% increase on the total number (4,113) received in 2018. A full 6,904 of which were dealt with under the GDPR (while 311 complaints were filed under the Data Protection Acts 1988 and 2003).

    Reply
  2. Tomi Engdahl says:

    Under Pressure: New GDPR Rule Makes Data Security a Critical C-Suite Concern
    https://www.dfinsolutions.com/insights/article/under-pressure-new-gdpr-rule-makes-data-security-critical-c-suite-concern

    Lawmakers in the European Union passed sweeping new measures to protect individual privacy rights, in a way that reaches far beyond the borders of its 28 member states. The result: Data security is now an even more pressing C-suite concern worldwide.

    Reply
  3. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    European Data Protection Board publishes updated guidelines arguing that scrolling and “cookie walls”, which block users from content, don’t constitute consent — You can’t make access to your website’s content dependant on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’.

    No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body
    https://techcrunch.com/2020/05/06/no-cookie-consent-walls-and-no-scrolling-isnt-consent-says-eu-data-protection-body/

    You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.

    Reply
  4. Tomi Engdahl says:

    Suomessa tärkeä gdpr-ennakkotapaus kaksi viranomaista, kaksi täysin
    eri tulkintaa
    https://www.tivi.fi/uutiset/tv/0b79b269-066e-4abc-8fc2-4d9d766aae09
    Euroopan tietosuoja-asetus gdpr astui voimaan kaksi vuotta sitten.
    Internetselainten evästeet ovat tärkeitä sivustojen toiminnallisuuden
    kannalta. Niissä on myös nurja puolensa: evästeiden avulla sivustoilla
    kävijöitä voidaan seurata melko tarkasti, ja mitä enemmän tätä dataa
    on, sitä paremman kuvan ihmisestä yritykset voivat muodostaa. Yksi
    gdpr-asetuksen tärkeimmistä ominaisuuksista on se, että se rajoittaa
    yritysten vapauksia kerätä ihmisistä tätä dataa. Ohjetta voi kuitenkin
    tulkita eri tavoin, mikä ei tee niin yritysten kuin viranomaistenkaan
    elämästä helppoa. Jotkin kyseenalaiset tulkinnat esimerkiksi pitävät
    suostumuksen antamisena sitä, että sivustoa vierittää aloitusruudusta
    alaspäin. Tämä on vähintäänkin kyseenalainen tulkinta, sillä
    suostumuksen antaminen pitäisi olla selkeä valinta, ei kärsimättömään
    käytökseen perustuva tulkinta. Joskus epäselvyyttä käytetään räikeästi
    hyödyksi. Jotkin sivustot esimerkiksi estävät kävijää näkemästä
    sivuston sisältöä, ennen kuin sivustolle antaa luvan seurata
    vierailijaa. Tämän kaltainen suostumukseen kiristävä esto on ehkä lain
    kirjaimen, muttei todellakaan sen hengen mukainen tulkinta. Traficomin
    ja Tietosuojavaltuutetun toimiston käsittelevät tapaukset olivat
    toisistaan erillisiä. Lue myös:
    https://www.tivi.fi/uutiset/tv/fbf224ad-0cf4-4758-a5c3-0d6060a0f9a8

    Reply
  5. Tomi Engdahl says:

    BBC:
    Court in Netherlands rules that, under GDPR, a woman must delete photos of her grandchildren that she posted on Facebook without their parents’ permission — A woman must delete photographs of her grandchildren that she posted on Facebook and Pinterest without their parents’ permission, a court in the Netherlands has ruled.

    Grandmother ordered to delete Facebook photos under GDPR
    https://www.bbc.com/news/technology-52758787

    A woman must delete photographs of her grandchildren that she posted on Facebook and Pinterest without their parents’ permission, a court in the Netherlands has ruled.

    It ended up in court after a falling-out between the woman and her daughter.

    The judge ruled the matter was within the scope of the EU’s General Data Protection Regulation (GDPR).

    One expert said the ruling reflected the “position that the European Court has taken over many years”.

    The case went to court after the woman refused to delete photographs of her grandchildren which she had posted on social media.

    The mother of the children had asked several times for the pictures to be deleted.

    The GDPR does not apply to the “purely personal” or “household” processing of data.

    However, that exemption did not apply because posting photographs on social media made them available to a wider audience, the ruling said.

    “With Facebook, it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties,” it said.

    The woman must remove the photos or pay a fine of €50 (£45) for every day that she fails to comply with the order, up to a maximum fine of €1,000.

    If she posts more images of the children in the future, she will be fined an extra €50 a day.

    “I think the ruling will surprise a lot of people who probably don’t think too much before they tweet or post photos,” said Neil Brown, a technology lawyer at Decoded Legal.

    Reply
  6. Tomi Engdahl says:

    Suomessa määrättiin ensi kertaa tietosuojarikkomusmaksuja Postille
    lankesi 100 000 euroa muuttoilmoituskäytännöistä
    https://yle.fi/uutiset/3-11364819
    Postin sadantuhannen euron maksu on seurausta siitä, ettei se kertonut
    muuttoilmoituksen tehneille asiakkailleen oikeudesta muun muassa estää
    tietojen luovuttaminen ilmoituksen yhteydessä. Kymen Vesi sai 16 000
    euron maksun, koska se oli jättänyt tekemättä sijaintitietojen
    käsittelyn vaikutustenarvioinnin. Kolmannessa tapauksessa yritys
    keräsi työnhakijoiden ja työntekijöiden tietoja tarpeettomasti. 12 500
    euron seuraamusmaksun saaneen yrityksen nimeä ei kerrottu
    julkisuuteen.

    Reply
  7. Tomi Engdahl says:

    Tietosuojavaltuutetun toimiston seuraamuskollegio määräsi kolme
    seuraamusmaksua tietosuojarikkomuksista
    https://tietosuoja.fi/artikkeli/-/asset_publisher/tietosuojavaltuutetun-toimiston-seuraamuskollegio-maarasi-kolme-seuraamusmaksua-tietosuojarikkomuksista
    Seuraamuskollegio määräsi 18. toukokuuta seuraamusmaksun kolmelle
    yritykselle tietosuojalainsäädännön rikkomisesta. Rikkomukset koskevat
    puutteellista informointia tietosuojaoikeuksista,
    vaikutustenarvioinnin tekemättä jättämistä ja tarpeettomien
    henkilötietojen keräämistä.

    Reply
  8. Tomi Engdahl says:

    Javier Espinoza / Financial Times:
    Leaked draft of EU report says GDPR rules have been difficult to implement, placing a burden on small and medium-sized companies and hampering tech development
    https://t.co/0XGcma2j43

    Reply
  9. Tomi Engdahl says:

    Only 9% of Visitors Give GDPR Consent To Be Tracked
    https://yro.slashdot.org/story/20/07/07/2214249/only-9-of-visitors-give-gdpr-consent-to-be-tracked?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Marko Saric, a digital marketing consultant and blogger, conducted his own experiment to find out how many visitors would engage with a GDPR banner and grant GDPR consent to their information being collected and shared. For his study, Saric used Metomic for his GDPR consent banner and tested it on two different websites during June.

    https://markosaric.com/gdpr-consent/

    Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law.

    I wanted to find out how many visitors would engage with a GDPR banner if it were implemented properly and how many would grant consent to their information being collected and shared.

    Reply
  10. Tomi Engdahl says:

    Legal clouds gather over US cloud services, after CJEU ruling
    https://tcrn.ch/2ZFO5xA

    In the wake of yesterday’s landmark ruling by Europe’s top court — striking down a flagship transatlantic data transfer framework called Privacy Shield, and cranking up the legal uncertainty around processing EU citizens’ data in the U.S. in the process — Europe’s lead data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to get on and do the job of intervening to stop people’s data flowing to third countries where it’s at risk.

    Countries like the U.S.

    The original complaint that led to the Court of Justice of the EU (CJEU) ruling focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize moving EU users’ data to the U.S. for processing.

    Complainant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC data transfers in light of U.S. government mass surveillance programs. Instead, the regulator went to court to raise wider concerns about the legality of the transfer mechanism.

    That in turn led Europe’s top judges to nuke the Commission’s adequacy decision, which underpinned the EU-U.S. Privacy Shield — meaning the U.S. no longer has a special arrangement greasing the flow of personal data from the EU. Yet, at the time of writing, Facebook is still using SCCs to process EU users’ data in the U.S. Much has changed, but the data hasn’t stopped flowing — yet.

    Yesterday the tech giant said it would “carefully consider” the findings and implications of the CJEU decision on Privacy Shield, adding that it looked forward to “regulatory guidance.” It certainly didn’t offer to proactively flip a kill switch and stop the processing itself.

    The DPC’s statement also only went so far as to say the use of SCCs for taking data to the U.S. for processing is “questionable” — adding that case by case analysis would be key.

    The regulator remains the focus of sustained criticism in Europe over its enforcement record for major cross-border data protection complaints — with still zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and an ever-growing backlog of open investigations into the data processing activities of platform giants.

    The painstaking pace of enforcement around Europe’s flagship data protection framework remains a problem for EU lawmakers — whose two-year review last month called for uniformly “vigorous” enforcement by regulators.

    “European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country,” writes EDPS Wojciech Wiewiórowski, in a statement, which warns against further dithering or can-kicking on the intervention front.

    “As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.

    Part of the complexity of enforcement of Europe’s data protection rules is the lack of a single authority; a varied patchwork of supervisory authorities responsible for investigating complaints and issuing decisions.

    In the statement, Hamburg’s data commissioner, Johannes Caspar, added: “Difficult times are looming for international data traffic.”

    In a press note today, Berlin’s DPA also took a tough line, warning that data transfers to third countries would only be permitted if they have a level of data protection essentially equivalent to that offered within the EU.

    In the case of the U.S. — home to the largest and most used cloud services — Europe’s top judges yesterday reiterated very clearly that that is not in fact the case.

    “The times when personal data could be transferred to the U.S. for convenience or cost savings are over after this judgment,” she added.

    “Now is the time for Europe’s digital independence,” she added.

    Short of radical changes to U.S. surveillance law, it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny “new and improved” replacement didn’t even last five.

    In the wake of the CJEU ruling, data exporters and importers are required to carry out an assessment of a country’s data regime to assess adequacy with EU legal standards before using SCCs to transfer data there.

    “When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR,” Jelinek writes.

    “If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”

    One thing is crystal clear: Any sense of legal certainty U.S. cloud services were deriving from the existence of the EU-U.S. Privacy Shield — with its flawed claim of data protection adequacy — has vanished like summer rain.

    In its place, a sense of déjà vu and a lot more work for lawyers.

    Reply
  11. Tomi Engdahl says:

    Uusi tutkimus: Suomen Findata olisi erinomainen esikuva Facebookin ja muiden jättien GDPR-linjaukselle [https://algorithmwatch.org/en/governing-platforms-ivir-study-june-2020/](https://algorithmwatch.org/en/governing-platforms-ivir-study-june-2020/)

    Reply
  12. Tomi Engdahl says:

    AlgorithmWatch Study debunks Facebook’s GDPR Claims
    https://algorithmwatch.org/en/governing-platforms-ivir-study-june-2020/

    A new study published by AlgorithmWatch in cooperation with the European Policy Centre and the University of Amsterdam’s Institute for Information Law shows that the GDPR needn’t stand in the way of meaningful research access to platform data; looks to health and environmental sectors for best practices in privacy-respecting data sharing frameworks.

    Reply
  13. Tomi Engdahl says:

    Processing Data to Protect Data: Resolving the Breach Detection
    Paradox
    https://script-ed.org/article/processing-data-to-protect-data-resolving-the-breach-detection-paradox/
    Most privacy laws contain two obligations: that processing of personal
    data must be minimised, and that security breaches must be detected
    and mitigated as quickly as possible. These two requirements appear to
    conflict, since detecting breaches requires additional processing of
    logfiles and other personal data to determine what went wrong.
    Fortunately Europes General Data Protection Regulation (GDPR)
    considered the strictest such law recognises this paradox and
    suggests how both requirements can be satisfied. This paper assesses
    security breach detection in the light of the principles of purpose
    limitation and necessity, finding that properly-conducted breach
    detection should satisfy both principles,

    Reply
  14. Tomi Engdahl says:

    Taloyhtiö asensi sähkölukot, mutta mokasi gdpr:n kanssa näin päätti
    tietosuojavaltuutettu
    https://www.tivi.fi/uutiset/tv/a7401466-c107-43f3-a3e9-86514efd28d4
    Taloyhtiön asentama sähkölukkojärjestelmä on
    apulaistietosuojavaltuutetun näkemyksen mukaan luvaton, sillä gdpr:n
    vaatimuksia ei noudateta. Apulaistietosuojavaltuutetun päätös ei ole
    lainvoimainen, vaan siitä voi valittaa hallinto-oikeuteen.. Lue myös:
    https://www.is.fi/digitoday/tietoturva/art-2000006600839.html

    Reply
  15. Tomi Engdahl says:

    Oracle and Salesforce hit with GDPR class action lawsuits over cookie tracking consent
    https://techcrunch.com/2020/08/14/oracle-and-salesforce-hit-with-gdpr-class-action-lawsuits-over-cookie-tracking-consent/?tpcc=ECFB2020

    The use of third party cookies for ad tracking and targeting by data broker giants Oracle and Salesforce is the focus of class action style litigation announced today in the UK and the Netherlands.

    The suits will argue that mass surveillance of Internet users to carry out real-time bidding ad auctions cannot possibly be compatible with strict EU laws around consent to process personal data.

    The litigants believe the collective claims could exceed €10BN, should they eventually prevail in their arguments — though such legal actions can take several years to work their way through the courts.

    In the UK, the case may also face some legal hurdles given the lack of an established model for pursuing collective damages in cases relating to data rights. Though there are signs that’s changing.

    Under GDPR, consent for processing EU citizens’ personal data must be informed, specific and freely given. The regulation also confers rights on individuals around their data — such as the ability to receive a copy of their personal information.

    Per Oracle marketing materials, its Data Cloud and BlueKai Marketplace provider partners with access to some 2BN global consumer profiles. (Meanwhile, as we reported in June, BlueKai suffered a data breach that exposed billions of those records to the open web.)

    While Salesforce claims its marketing cloud ‘interacts’ with more than 3BN browsers and devices monthly.

    Reply
  16. Tomi Engdahl says:

    Zoom native client reads your Chrome browser cookies and adds an everlogin cookie that lasts 10 years.

    Clearly Zoom still don’t understand GDPR.
    https://www.threatspike.com/blog/zoom_cookies.html

    Your average user takes it for granted that websites know when you’ve visited before, whether you were logged in and even what you had in your basket last time you shopped. In most cases this magic customisation is possible through the use of Cookies. Cookies are small pieces of information that are stored on devices by websites in order to identify users – this allows websites to customise the content they deliver to each person.

    Although some functionality afforded by cookies can be helpful in increasing the security and accessibility of websites, there have long been privacy concerns with companies being able to track you across the Internet. Many concerns are related to the use of tracking and advertising cookies, and how companies use and abuse this data to manipulate customers. Since the introduction of the ePrivacy Directive and the GDPR, cookies have received a lot of attention in discussions about online privacy.

    During the last month, Threatspike EDR detected the widely used Zoom Windows client accessing the Google Chrome cookie file during the uninstall process.

    Reply
  17. Tomi Engdahl says:

    Facebook told it may have to suspend EU data transfers after Schrems II ruling
    https://tcrn.ch/3bH83fC

    Ireland’s data protection watchdog, the DPC, has sent Facebook a preliminary order to suspend data transfers from the EU to the US, the Wall Street Journal reports, citing people familiar with the matter and including a confirmation from Facebook’s VP of global affairs, Nick Clegg.

    The preliminary suspension order follows a landmark ruling by Europe’s top court this summer which both struck down a flagship data transfer arrangement between the EU and the US and cast doubt on the legality of an alternative transfer mechanism (aka SCCs) — certainly in cases where data is flowing to a non-EU entity that falls under US surveillance law.

    Facebook’s use of Standard Contractual Clauses to claim a legal basis for EU data transfers therefore looks to be fast running out of borrowed time.

    “The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” Cleggs writes. “While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”

    Reply
  18. Tomi Engdahl says:

    Facebook to be forced to stop sending EU data to the US
    https://www.politico.eu/article/facebook-privacy-data-us/

    The Irish regulator is expected to stop the social media giant from moving data to the US because of privacy concerns.

    Ireland’s privacy watchdog has told Facebook that it will soon have to stop transferring its European users’ data to the United States because the social media giant’s current procedures fall foul of EU law.

    Facebook was told in early August that the Irish privacy regulator was reviewing how it moved data to the U.S., according to two people with knowledge of the case who spoke on the condition of anonymity because they were not authorized to speak publicly.

    In a statement, Nick Clegg, Facebook’s head lobbyist, confirmed Ireland’s expected decision, saying that the pending ruling would be felt across the transatlantic economy.

    “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU,” Clegg said. “We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”

    Securing the Long Term Stability of Cross-Border Data Flows
    https://about.fb.com/news/2020/09/securing-the-long-term-stability-of-cross-border-data-flows/

    Reply
  19. Tomi Engdahl says:

    Is Facebook going to ban all European users because it does not like what some EU persons in charge think about privacy?

    European regulators are cracking down on Facebook’s ability to transfer data across the Atlantic. Now the tech giant is threatening to pull its services from more than 400 million European users.

    In a court filing in Dublin, Facebook said that a decision by Ireland’s Data Protection Commission (DPC) would force the company to pull up stakes and leave the 410 million people without Facebook and Instagram.

    https://www.vice.com/en_us/article/889pk3/facebook-threatens-to-pull-out-of-europe-if-it-doesnt-get-its-way?utm_source=vicenewsfacebook

    Facebook’s head of global policy has denied the tech giant could close its service to Europeans if local regulators order it to suspend data transfers to the US following a landmark Court of Justice ruling in July that has cemented the schism between US surveillance laws and EU privacy rights.

    https://social.techcrunch.com/2020/09/23/facebook-denies-it-will-pull-service-in-europe-over-data-transfer-ban/

    Reply
  20. Tomi Engdahl says:

    “Yrityksen on varmistettava, että suostumuksen peruminen on yhtä helppoa kuin evästeiden hyväksyminen.” Lähde: https://europa.eu/youreurope/business/dealing-with-customers/data-protection/online-privacy/index_fi.htm

    Oletteko sitä mieltä, että onnistuitte toteuttamaan vaatimuksen?

    Reply
  21. Tomi Engdahl says:

    H&M-vaatekauppaketju sai 35 miljoonan euron sakon työntekijöidensä henkilökohtaisten tietojen keräämisestä Saksassa
    Johtajien käyttöön kerätyssä tietopankissa listattiin muun muassa sairauksiin ja uskontoon liittyviä asioita.
    https://yle.fi/uutiset/3-11574720

    Ylös oli kirjattu esimerkiksi yksityiskohtaisia kuvailuja työntekijöiden oireista ja diagnooseista. Tietoihin pääsi käsiksi noin 50 johtotehtävissä toimivaa.

    Tiedonkeruu tietokantaan oli jatkunut ainakin vuodesta 2014 alkaen kunnes se paljastui lokakuussa 2019 tietokonehäiriön myötä. Häiriö aiheutti sen, että tiedot olivat muutaman tunnin ajan laajemman joukon nähtävissä.

    Viranomaisten mukaan tiedonkeruu rikkoi työntekijöiden tietosuojaa.

    Britannian viranomaiset määräsivät heinäkuussa 2019 British Airwaysin maksamaan 201 miljoonaa euroa tietomurron jälkeen. Google sai puolestaan Ranskan viranomaisilta tammikuussa 2019 50 miljoonan euron rangaistuksen laiminlyönneistä tiedonkeruusta informoimisessa.

    Vuonna 2018 voimaan tullut EU:n tietosuoja-asetus(siirryt toiseen palveluun) määrää, että tiedonkeruuseen tarvitaan erikseen annettu lupa henkilöltä, jota se koskee tai että tiedonkeruu täyttää jonkun muun asetetuista vaatimuksista.

    Reply
  22. Tomi Engdahl says:

    UK Fines British Airways for Failures in 2018 Data Hack
    https://www.securityweek.com/uk-fines-british-airways-failures-2018-data-hack

    Britain’s information commissioner has fined British Airways 20 million pounds ($25 million) for failing to protect personal data for some 400,000 customers, the largest fine the agency has ever issued.

    The ICO said in a statement Friday that the airline was processing personal data without adequate security measures. It also noted that it did not detect a 2018 cyber attack for two months.

    Information Commissioner Elizabeth Denham said says BA’s “failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”

    Reply
  23. Tomi Engdahl says:

    Tietomurron seurauksena yli 400000 asiakkaan henkilötiedot päätyivät
    verkkoon Lentoyhtiö sai roiman alennuksen sakkoonsa
    https://www.kauppalehti.fi/uutiset/tietomurron-seurauksena-yli-400000-asiakkaan-henkilotiedot-paatyivat-verkkoon-lentoyhtio-sai-roiman-alennuksen-sakkoonsa/457dee3f-1eb7-4265-b5cb-cbee4047b7f8
    Britannian tietovalvontakeskus alentaa lentoyhtiö British Airwaysin
    tietomurron sakon 20 miljoonaan puntaan eli reiluun 22 miljoonaan
    euroon, Tech Crunch kirjoittaa. Alunperin sakon suuruudeksi oli
    määrätty 184 miljoonaa puntaa eli yli 200 miljoonaa euroa.

    Reply
  24. Tomi Engdahl says:

    Civil Liberties Group Urges EU To Limit Data Transfers To The UK Post-Brexit
    https://www.forbes.com/sites/carlypage/2020/10/12/civil-liberties-group-urges-eu-to-limit-data-transfers-to-the-uk-post-brexit/#8071a6a698ca

    The Irish Council of Civil Liberties (ICCL) has urged the European Commission (EC) to limit EU data transfers to the UK after Brexit because of the “dismal record” of the UK Information Commissioner’s Office (ICO). 

    He claims the ICO cannot be tried on to protect European’s data rights, a duty is established in Article 45 of the GDPR legislation. 

    “The ICO has failed over the last two years to take any substantive action against the largest data breach that the UK and EU have ever experienced. It would be unreasonable to anticipate that it will perform any better after Brexit is complete,” Ryan wrote in the letter, which was sent to to three European Commissioners, Margrethe Vestager (Competition and Digital), Didier Reynders (Justice) and Thierry Breton (Internal Market).

    “The UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights. As a consequence, the personal data of data subjects in the union do not at present have an adequate level of protection in the UK.

    Reply
  25. Tomi Engdahl says:

    The state of privacy in Europe: what changed in 2020?
    https://cybernews.com/editorial/the-state-of-privacy-in-europe-what-changed-in-2020/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=privacy_europe_change&fbclid=IwAR0vLeZWsWU8gruhtVrhQbobCQFm2eQJY73gz0O97A33p02SFHFi8WXGUg4

    Across the EU, this has been an eventful year in the world of privacy, with new regulations, controversial court rulings and conflict with major internet platforms.
    One of the biggest changes has been the demise of Privacy Shield, the arrangement under which EU data has in the past been legally transferred to the US.

    That thorn in Facebook’s side, Austrian campaigner Max Schrems, this summer challenged Privacy Shield’s validity on the grounds that US national security laws did not protect EU citizens’ data from government spies – and won.

    The decision has left EU-US data transfers in doubt. Many organisations are now attempting to use mechanisms such as Standard Contractual Clauses (SCCs) to legitimise their activities – but this, too has come under question.

    “The court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws,” says Schrems. “It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady.”

    Unsurprisingly, these rulings have not been welcomed by the internet giants.

    Surveillance concerns
    In another major privacy-related judgement, the Court of Justice of the European Union (CJEU) recently ruled that France, the UK, Belgium and other European countries cannot require internet service providers to store all their customers’ traffic and location data for intelligence purposes.

    Reply
  26. Tomi Engdahl says:

    Vastaamon tapaus ei ole kunniaksi Suomelle, mutta useimmat yritykset tekevät parhaansa
    http://pjarvinen.blogspot.com/2020/10/vastaamon-tapaus-ei-ole-kunniaksi.html

    Case Vastaamo antaisi loputtomasti aiheita blogikirjoituksiin. Valitsen tänään yhden: Suomen maine ja yritysten vastuu.

    Suomea on pidetty tietosuojan mallimaana. Meillä on parhaat viranomaisrekisterit ja otimme GDPR-sääntelyn pilkuntarkasti, liki saksalaiseen tapaan (toisin kuin esim. Ruotsi). Ennen GDPR-siirtymäkauden loppua järjestettiin varmaan tuhansia tilaisuuksia, joissa it-ammattilaisia muistutettiin tietosuojan olemuksesta ja lain ankarista sanktioista. Oli ilmaisia ja maksullisia seminaareja, monen päivän koulutusohjelmia, nettisivuja… Lopulta GDPR tuntui pursuavan jo korvista ulos ja kun odotettu 25.5. viimein koitti, kaikki olivat varmaan helpottuneita siitä, että asia siirtyi jos ei nyt hoidettujen pinoon niin ainakin taustalle.

    Jo monta vuotta olemme olleet huolissamme Googlen ja Facebookin tiedonurkinnasta. Ne loukkaavat yksityisyyttä ja urkkivat tietojamme. Samaan aikaan yritykset ovat käyttäneet miljoonia euroja erilaisiin GDPR-tietosuojalausekkeisiin ja evästekyselyihin, jotka lähinnä häiritsevät käyttäjiä ja pikemmin vähentävät kuin lisäävät kiinnostusta omaan tietosuojaan.

    Riitelimme lillukanvarsista, kuten mikä on GDRP:n ja tulevan ePrivacyn mukainen riittävä suostumus evästeiden käyttämisestä — pitääkö olla nimenomainen suostumus joka kerta, vai riittävätkö selaimen evästeasetukset.

    Vastaamon järkyttävän tietovuodon jälkeen kaikki tämä tuntuu akateemiselta puuhastelulta. Miljoonat eurot olisi kannattanut käyttää todellisen tietosuojan parantamiseen. Olemme pelänneet nettijättejä, vaikka todellinen mörkö on ollut ihan lähellä. Liian lähellä.

    Reply
  27. Tomi Engdahl says:

    Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for four years
    UK watchdog’s mooted £99m penalty comes in at just £18.4m
    https://www.theregister.com/2020/10/30/marriott_starwood_hack_fine_just_18_4bn/

    Your name, address, phone number, email address, passport number, date of birth, and sex are worth just £0.05 in the eyes of the UK Information Commissioner’s Office, which has fined Marriott £18.4m after 339 million people’s data was stolen from the hotel chain.

    The fine was imposed as a regulatory punishment for the 2018 Starwood Hotels megabreach despite Marriott not accepting liability for wrongdoing.

    Reply
  28. Tomi Engdahl says:

    Where GDPR went wrong
    https://www.youtube.com/watch?v=v_W0wR4AClk

    GDPR has been in effect for almost 3 years, with limited success. Let’s break down what the EU originally set out to do, and how well they actually achieved their goals with it. Including actually taking a look at cookie banners and privacy policies for once.

    Reply
  29. Tomi Engdahl says:

    Datan vapaa liikkuvuus hyväksyttiin selvin numeroin
    https://etn.fi/index.php/13-news/11940-datan-vapaa-liikkuvuus-hyvaksyttiin-selvin-numeroin

    Euroopan parlamentti hyväksyi eilisessä istunnossaan päätöslauselman, jonka mukaan datan vapaa liikkuvuus Euroopan unionissa on varmistettava eurooppalaisten yritysten, yliopistojen ja tutkijoiden globaalin kilpailukyvyn takaamiseksi. Miapetra Kumpula-Natrin valmistelema päätöslauselma hyväksyttiin äänin 602-8.

    Päätöslauselmassa sanotaan, että datayhteiskuntien tulee rakentua EU:ssa tunnustetuille oikeuksille ja arvoille, kuten läpinäkyvyydelle ja yksityisyyden ja perusoikeuksien kunnioittamiselle. Lisäksi niiden tulee voida mahdollistaa paremmat ja automatisoidut reaaliaikaiset palvelut, kestävä kasvu ja laadukkaat työpaikat.

    Päätöslauselmassa huomautetaan myös, että kansalaisilla tulisi olla täysi oikeus hallita omaa dataansa ja päättää sen käytöstä. Suomi on ajanut tähän omaa MyData-lähestymistapaansa, mutta EUn tasolla on auki, miten kansalaisten oikeus hallita omaa dataansa järjestetään.

    Reply
  30. Tomi Engdahl says:

    Websites of EU Mobile Providers Fail to Properly Secure User Data: Report
    https://www.securityweek.com/websites-eu-mobile-providers-fail-properly-secure-user-data-report

    Sensitive data pertaining to the customers of top mobile services providers in the European Union is at risk of compromise due to improperly secured websites, data security and privacy firm Tala reveals.

    An analysis of the websites of 13 of the top mobile telecom companies in the EU has revealed that none of them has in place even the minimum necessary protections to be considered secure.

    “With over 235 million customers between them, none of the mobile providers scored a passing grade for website security. Where a score of 80+ is considered reasonable and 50 is barely a passing grade, none of the mobile providers analyzed comes close,” Tala says in a new report.

    Despite the lack of proper website protections, however, during online sign-up, the telcos collect a significant amount of sensitive data from their customers, including names, emails, addresses, dates of birth, passport numbers, payslips, and even banking details in some cases.

    All of the gathered data, Tala claims, might be at risk of compromise through vulnerabilities and the use of third-party code: the average number of JavaScript integrations was found to be 162, while forms were found exposed to an average of 19 third parties.

    All of the websites, the report reveals, use dangerous JavaScript functions that open the door to cross-site scripting (XSS), the most common type of website vulnerability. The highest number of JavaScript integrations on a single site was 735.

    Reply
  31. Tomi Engdahl says:

    Dutch Data Protection Authority Fines Booking.com Over Incident Notification
    https://www.securityweek.com/dutch-data-protection-authority-fines-bookingcom-over-incident-notification

    The Dutch Data Protection Authority announced on Wednesday that it has issued a fine of €475,000 (roughly $550,000) to online travel agency Booking.com for failing to report a data security incident within the required timeframe.

    According to the privacy watchdog, the incident took place in December 2018 and it involved cybercriminals using voice phishing (vishing) and social engineering to trick the employees of 40 hotels in the United Arab Emirates into handing over their credentials for their Booking.com accounts.

    The cybercrooks then used that access to obtain information on more than 4,000 individuals who had booked a hotel through Booking.com. They also managed to access payment card information belonging to nearly 300 people and attempted to phish the card information of others by posing as Booking.com employees over the phone or email.

    Reply
  32. Tomi Engdahl says:

    Facebook data leak now under EU data regulator investigation
    https://www.bleepingcomputer.com/news/security/facebook-data-leak-now-under-eu-data-regulator-investigation/
    Ireland’s Data Protection Commission (DPC) is investigating a massive
    data leak concerning a database containing personal information
    belonging to more than 530 million Facebook users. “Because the
    scraping took place prior to GDPR, Facebook chose not to notify this
    as a personal data breach under GDPR.”

    Reply
  33. Tomi Engdahl says:

    Facebook is under investigation in the EU for its massive leak of 533 million people’s data — and it could face a fine in the billions
    https://trib.al/rSfalDL

    A European regulator announced that it’s investigating Facebook over a leak of 533 million people’s data.
    Ireland’s Data Protection Commission will probe whether Facebook broke EU privacy laws.
    Facebook could face a fine of up to 4% of its $86 billion global revenue if found responsible.

    Reply
  34. Tomi Engdahl says:

    When the GDPR Meets (Public) Blockchains: Looking through the Lens of Public Communications to Users

    https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/

    #pentest #magazine #pentestmag #pentestblog #PTblog #GDPR #EU #blochain #dataprotection #cybersecurity #infosecurity #infosec

    Reply
  35. Tomi Engdahl says:

    A Dutch City Gets A €600,000 Fine For WiFi Tracking
    https://hackaday.com/2021/05/08/a-dutch-city-gets-a-e600000-fine-for-wifi-tracking/

    Enschede is an unremarkable but pleasant city in the east of the country

    They’ve been caught tracking their citizens using WiFi, and since this contravenes Dutch privacy law they’ve been fined €600,000 (about $723,000) by the Netherlands data protection authorities.

    The events in Enschede are already having a knock-on effect in the rest of the Netherlands as other municipalities race to ensure compliance and turn off any offending trackers, but perhaps more importantly they have the potential to reverberate throughout the entire European Union as well.

    Reply
  36. Tomi Engdahl says:

    EU Privacy Groups Set Sights on Facial Recognition Firm
    https://www.securityweek.com/eu-privacy-groups-set-sights-facial-recognition-firm

    Privacy organisations on Thursday complained to regulators in five European countries over the practices of Clearview AI, a company that has built a powerful facial recognition database using images “scraped” from the web.

    Clearview’s use of images — including those from people’s social media accounts — to offer biometrics services to private companies and law enforcement “goes far beyond what we could ever expect as online users”, Ioannis Kouvakas, legal officer at Privacy International, said in a statement.

    While Clearview touts its technology’s ability to help law enforcement, its critics say facial recognition is open to abuse and could ultimately eliminate anonymity in public spaces — pointing to cases like China’s massive public surveillance system.

    Reply
  37. Tomi Engdahl says:

    GDPR-sakkoja maksettu lähes 300 miljoonaa euroa
    https://etn.fi/index.php/13-news/12231-gdpr-sakkoja-maksettu-lahes-300-miljoonaa-euroa

    EU:n yleinen tietosuoja-asetus GDPR (The General Data Protection Regulation) tuli voimaan 25. toukokuuta vuonna 2018. Atlas VPN -yrityksen keräämien tilastojen mukaan asetuksen perusteella on kolmen vuoden aikana määrätty sakkoja yhteensä 283,7 miljoonalla eurolla.

    Kaikkiaan Euroopan unioni on määrännyt 648 rangaistusta organisaatioille, jotka rikkovat tietosuojalakia.

    Suomessa tietosuojavaltuutetun toimisto määräsi viime vuonna viidet sakot GDPR-rikkomuksista. Suurin sakko oli satatuhatta euroa.

    GDPR fines nearly hit 300 million euros in three years
    https://atlasvpn.com/blog/gdpr-fines-nearly-hit-300-million-euros-in-three-years

    Reply
  38. Tomi Engdahl says:

    When the GDPR Meets (Public) Blockchains: Looking through the Lens of Public Communications to Users
    https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/

    As a very recent regulation, the GDPR introduces a number of new principles and legal requirements to the landscape of data protection law. Examples include ‘the right to erasure’ (also known as ‘the right to be forgotten’), the requirement for explicit consent, and a significantly increased maximum penalty fine for non-compliance, which have been key highlights in public media. Some data protection principles and legal requirements defined in the GDPR have led to a tension with some new and emerging technologies. One such technology is about distributed ledgers, more commonly known as blockchains.

    A blockchain is a distributed (peer-to-peer) database where data is stored not on a central server, but among all its users. A distributed consensus protocol (e.g., proof of work) and some special incentivisation mechanisms (mostly in the form of a cryptocurrency) are normally used to encourage participation of users to make the system self-sustainable. Blockchains follow the distributed trust model and embrace transparency (all can see the data), security and anonymity (the use of cryptography and pseudonymous IDs for addresses).

    The first and the most widely used blockchain system (and cryptocurrency) is Bitcoin, which was invented and implemented by someone with the pseudonymous name Satoshi Nakamoto in 2008. Since Bitcoin, many blockchain systems and cryptocurrencies have emerged, mostly after the second half of the 2010s, e.g., the currently second largest blockchain system Ethereum went live in 2015. According to who can read and write to the distributed ledger, blockchain systems can be classified into three major categories: public (permissionless) – anyone on the blockchain network, permissioned – only a number of privileged nodes with the right permission, and private – a single or several private users.

    One unique technical feature of almost all existing blockchain systems is that, once a piece of data is stored on chain, it will remain there permanently. This feature is particularly important for public blockchains due to the lack of a centralised trusted party. It cannot be easily fixed by tweaking a blockchain system’s design and implementation details. This immediately leads to a direct conflict with the right to be forgotten defined in the GDPR, and users would have to give up this right forever if they want to use a blockchain system.

    In addition, blockchain systems, especially public ones, also have other tricky GDPR compliance issues to address, such as how to define the data controllers and data processors (who are responsible for data protection), how to obtain explicit consents and support withdrawal of consents, etc. It deserves noting that, due to the distributed and (pseudo)anonymous nature of most public blockchain systems, and according to the territorial scope of the GDPR (see the 2019 dedicated guidelines from the European Data Protection Board), the GDPR should apply because data subjects and/or data controllers/processors can be from the EU or EEA.

    The tension between blockchains and the GDPR has been noticed by the blockchain community. In October 2018, the EU Blockchain Observatory & Forum published a thematic report “Blockchain and the GDPR” to summarise the collective understanding of the community on this issue. This report acknowledges that the problem is particularly problematic for public blockchains, and recommends storing personal data off chain when possible or at least in an encrypted/anonymised form. The report also recommends that blockchain system developers and service providers should “be as clear and transparent as possible with users”

    Reply
  39. Tomi Engdahl says:

    Stephanie Bodoni / Bloomberg:
    EU’s top court says Facebook can’t avoid potential EU-wide privacy orders from data protection authorities beyond its legal watchdog in Ireland

    https://www.bloomberg.com/news/articles/2021-06-15/facebook-can-t-dodge-eu-wide-privacy-orders-top-court-rules

    Reply
  40. Tomi Engdahl says:

    Adtech ‘data breach’ GDPR complaint is headed to court in EU
    https://techcrunch.com/2021/06/16/adtech-data-breach-gdpr-complaint-is-headed-to-court-in-eu/?tpcc=ECFB2021

    New York-based IAB Tech Labs, a standards body for the digital advertising industry, is being taken to court in Germany by the Irish Council for Civil Liberties (ICCL) in a piece of privacy litigation that’s targeted at the high speed online ad auction process known as real-time bidding (RTB).

    The driving force behind the lawsuit is Dr Johnny Ryan, a former adtech insider turned whistleblower who’s now a senior fellow a the ICCL — and who has dubbed RTB the biggest data breach of all time.

    He points to the IAB Tech Lab’s audience taxonomy documents which provide codes for what can be extremely sensitive information that’s being gathered about Internet users, based on their browsing activity, such as political affiliation, medical conditions, household income, or even whether they may be a parent to a special needs child.

    The lawsuit contends that other industry documents vis-a-vis the ad auction system confirm there are no technical measures to limit what companies can do with people’s data, nor who they might pass it on to.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*