Privacy Transformation - Issue 102
PRIVACY
Data Protection Commissioner criticised for inefficient decision-making on GDPR matters
The Data Protection Commissioner (DPC) has defended her office against accusations of consistent inertia, describing them as “relying on very sensationalist statements based on inaccurate information”. A hearing of the justice committee on Tuesday (27th) focused on GDPR and heard from DPC Helen Dixon along with three witnesses who spoke critically of the regulator’s performance.
RELATED:
Video: DPC hearing at the Oireachtas Joint Committee on Justice
Max Schrems and Helen Dixon clash over Irish GDPR enforcement on big tech
Ireland 'bottleneck of GDPR investigation and enforcement' in EU
Sinn Féin in breach of two data protection rules - but McDonald defends voter database
Sinn Féin President Mary Lou McDonald has admitted the party was in breach of data protection rules on two counts. Speaking on Thursday night, she said the party has only now appointed a data protection officer and that it has only just carried out a risk assessment on how its database is operated.
RELATED:
Most political parties in Ireland have breached data protection rules
Social Democrats appointed data protection officer after Sinn Féin Abú row
Data Protection Commissioner makes first public comments since Sinn Féin secret Abú database
Bad software sent postal workers to jail, because no one wanted to admit it could be wrong
Data from a computer system used by the UK Post Office was used to convict people of stealing or mismanaging money. It turns out that the computers just made it up, and now those accused want justice.
China uses cover of Covid to expand Big Brother surveillance and coercion
The systems deploy rewards, penalties and public shaming to manipulate and coerce the behaviour of residents in what was already the world’s strictest surveillance state.
Thread: Covid-19 tech + surveillance in Singapore
A thread that illustrates the expanding application of surveillance technology in Singapore on the back of the introduction of technology to combat the Covid-19 pandemic.
Portuguese DPA Orders Suspension of U.S. Data Transfers by National Institute of Statistics
On April 27, 2021, the Portuguese Data Protection Authority ordered the National Institute of Statistics (INE) to suspend any international data transfers of personal data to the U.S., as well as other countries without an adequate level of protection, within 12 hours.
Return to office ‘a perfect storm’ of privacy issues for businesses
Offices around the world closed their doors more than one year ago as many sent employees to work from home while the COVID-19 pandemic unfolded. As vaccinations continue to progress at a steady pace, many employers and employees are eager to get back into the office.
SECURITY & TECH
EDPS on Artificial Intelligence Act: a welcomed initiative, but ban on remote biometric identification in public space is necessary
The European Commission’s legislative proposal for an Artificial Intelligence Act is the first initiative, worldwide, that provides a legal framework for Artificial Intelligence (AI). The EDPS welcomes and supports the European Union’s (EU) leadership aiming to ensure that AI solutions are shaped according to the EU’s values and legal principles.
Signal founder: I hacked police phone-cracking tool Cellebrite
The CEO of the messaging app Signal claims to have hacked the phone-cracking tools used by police in Britain and around the world to extract information from seized devices.
RELATED:
Reliability of police mobile phone evidence questioned after hack
Signal’s epic hack of Cellebrite already has major consequences
Opinion: How the NSPCC rigged its report on the dangers of end-to-end encryption
The NSPCC claims to have delivered a ‘balanced’ report on the dangers of end-to-end encryption, but it was anything but ‘balanced’.
Apple releases iOS 14.5 with stricter app tracking privacy
The new software notably introduces a previously delayed system that requires permission for advertiser device IDs. Apple says this will improve your privacy by limiting tracking, but Facebook has complained that it will hurt ad revenue.
RELATED: Facebook now has to ask permission to track your iPhone. Here’s how to stop it.
UK NCSC: Weekly Threat Report
The NCSC's weekly threat report is drawn from recent open source reporting.
DATA BREACH
DigitalOcean says customer billing data accessed in data breach
DigitalOcean (a cloud infrastructure provider) has emailed customers warning of a data breach involving customers’ billing data.
ENFORCEMENT
Spanish DPA: Equifax fined 1M for processing without sufficient legal basis
The AEPD has fined Equifax for the inclusion of personal data of individuals associated with alleged debts in the File of Judicial Claims and Public Bodies without their consent, and in some instances, without the data being accurate.
EU countries have seen over €30 million in GDPR fines in 2021
Companies in Spain and Germany were hit hardest, making up 78.53% of all penalties. In Spain, regulators imposed €15.7M worth of fines for a total of 34 breaches. In Germany, regulators fined three organizations a grand total of €10.7M.
More on the latest GDPR enforcement news can be found on:
GUIDANCE & OPINIONS
Guidelines 8/2020 on the targeting of social media users
The main aim of these guidelines is therefore to clarify the roles and responsibilities among the social media provider and the targeter.
Draft Guidelines 03/2021 on the application of Article 65(1)(a)
These Guidelines clarify the application of Article 65(1)(a) GDPR. In particular, they clarify the application of the relevant provisions of the GDPR and Rules of Procedure, delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies.
RESOURCES
AEPD-EDPS joint paper on 10 misunderstandings related to anonymisation
The objective of this document is to raise awareness about some misunderstandings about anonymisation, and to motivate its readers to check assertions about the technology, rather than accepting them without verification.
EDPS Report: Remote audit of information provided to data subjects when they sign up to newsletters and other subscriptions
Report detailing the outcome of the EDPS' remote audit on how European institutions, bodies and agencies (EUIs) inform individuals about the way their personal data is processed when signing up to newsletters.
DPC Ireland Regulatory Strategy: Draft for Consultation
In its Draft Regulatory Strategy for 2021-2026, the Irish Data Protection Commission sets out an ambitious vision for what it believes will be five crucial years in the evolution of data protection law, regulation and culture.
[Read the Regulatory Strategy]
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.