Privacy Transformation - Issue 113

PRIVACY

HSE allowed to question frontline staff about vaccine status following data commissioner ruling

Frontline health staff will have to indicate their Covid-19 vaccination status if asked by their employer under a directive due shortly from the HSE. This follows a ruling by the Data Protection Commissioner that vaccination may be considered as a “necessary safety measure” in certain situations, including frontline health services.

'The dead don't have GDPR rights': Woman considers legal action after department denies info request

The Department of Children is failing to apply General Data Protection Regulation (GDPR) correctly as Mother and Baby Home survivors attempt to access personal information, a data compliance expert has said.

EDPB adopts urgent binding decision: Irish SA not to take final measures but to carry out statutory investigation

The EDPB adopted its first urgent binding decision pursuant to Art. 66(2) GDPR following a request from the Hamburg supervisory authority (DE-HH SA), after the SA had adopted provisional measures towards Facebook Ireland Ltd (Facebook IE) on the basis of Art. 66 (1) GDPR. The DE-HH SA ordered a ban on processing WhatsApp user data by Facebook IE for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.

Irish Government Plugs Gap in Protection under SCCs

The Irish government has moved swiftly to plug a perceived gap in protection under Irish data protection law that had raised doubts about whether Irish law was fit for purpose as a governing law under EU approved standard contractual clauses (SCCs).

[Note: See Resources section for Statutory Instrument]

Opinion: Irish Credit Bureau fine offers insight into the DPC’s use of its corrective powers

The Data Protection Commission recently published its decision following the ICB’s notification to the DPC of a personal data breach on the 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.

EDPB: Coordinated German investigation of international data transfers

Nationwide assessment of companies' compliance with the Schrems II decision of the European Court of Justice by numerous German data protection supervisory authorities.

UK publishers could be hit by 'right to be forgotten' deletion requests after ECHR judgment

Press Gazette has been reporting on British journalism without fear or favour since 1965. Our mission is to provide a news and information service which helps the UK journalism.

SECURITY & TECH

A privacy war is raging inside the W3C

The World Wide Web Consortium has become a key battleground in the fight over web privacy and competition.

Ransomware gang websites disappear from internet

Websites for a Russian-linked ransomware gang blamed for attacks on hundreds of businesses worldwide have gone offline. Monitors say a payment website and a blog run by the REvil group became suddenly unreachable on Tuesday.

Can facial analysis technology create a child-safe internet?

Determining a person’s age online seems like an intractable problem. But new technology and laws could be on the brink of solving it.

Pin resets wipe all data from over 100 UK Treasury mobile phones

The Treasury wiped all data from more than 100 government-issued mobile phones last year because their users, including the department’s boss, entered the wrong pin.

How did my phone number end up for sale on a US database?

A journey of discovery into the somewhat opaque, if lucrative, world of contact selling

UK NCSC: Weekly Threat Report

The NCSC's weekly threat report is drawn from recent open source reporting.

DATA BREACH

Guess announces breach of employee SSNs and financial data after DarkSide ransomware attack

The fashion brand admitted that cyber criminals gained access to people's Social Security numbers, driver's license numbers, passport numbers and financial account numbers.

ENFORCEMENT

Danish DPA: Fine for COVID-19 Test Results Sent via Employee WhatsApp Groups

The Danish DPA has issued a €80,600 fine for transmission of data relating to COVID-19 tests via WhatsApp employee groups without a risk or needs analysis being performed.

[Note: Press release is in Danish]

ICO finalizes 20M GBP fine against British Airways

The U.K. Information Commissioner's Office served British Airways a 20 million GBP fine over GDPR violations related to a 2018 data breach.

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

GUIDANCE & OPINIONS

EDPB Guidelines 07/2020 on the concepts of Controller and Processor in the GDPR

This document seeks to provide guidance on the concepts of controller and processor based on the GDPR’s rules on definitions in Article 4 and the provisions on obligations in chapter IV. The main aim is to clarify the meaning of the concepts and to clarify the different roles and the distribution of responsibilities between these actors.

EDPB Guidelines 02/2021 on Virtual Voice Assistants

These guidelines identify some of the most relevant compliance challenges for Data Controllers providing Virtual Voice Assistants and provide recommendations to relevant stakeholders on how to address them.

EDPB Guidelines 04/2021 on codes of conduct as tools for transfers, open for public consultation

The aim of these guidelines is to specify the application of Article 40-3 of the GDPR relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries in accordance with Article 46-2-e) of the GDPR.

EDPB-EDPS Joint Opinion on Harmonised Rules for AI

EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act).

EDPB Opinion 20/2021 on Tobacco Traceability System

On foot of a request from the European Commission, the EDPB has issued an opinion on the tobacco traceability system established under Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014.

EDPB Letter to EU Institutions regarding privacy implications of Digital Euro

The EDPB has issued a letter to European Institutions on the privacy and data protection aspects of a possible digital euro.

RESOURCES

S.I. No. 297 of 2021 - Amending the Irish Data Protection Act 2018

European Union (Enforcement of Data Subjects’ Rights on Transfer of Personal Data Outside the European Union) Regulations 2021 (S.I. 297/2021).

LIBE Study: Exchanges of Personal Data After the Schrems II Judgment

LIBE-commissioned study examines EU-US data transfers post 'Schrems II'.

CONTRIBUTE

Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.