Privacy Transformation - Issue 113
PRIVACY
HSE allowed to question frontline staff about vaccine status following data commissioner ruling
Frontline health staff will have to indicate their Covid-19 vaccination status if asked by their employer under a directive due shortly from the HSE. This follows a ruling by the Data Protection Commissioner that vaccination may be considered as a “necessary safety measure” in certain situations, including frontline health services.
'The dead don't have GDPR rights': Woman considers legal action after department denies info request
The Department of Children is failing to apply General Data Protection Regulation (GDPR) correctly as Mother and Baby Home survivors attempt to access personal information, a data compliance expert has said.
EDPB adopts urgent binding decision: Irish SA not to take final measures but to carry out statutory investigation
The EDPB adopted its first urgent binding decision pursuant to Art. 66(2) GDPR following a request from the Hamburg supervisory authority (DE-HH SA), after the SA had adopted provisional measures towards Facebook Ireland Ltd (Facebook IE) on the basis of Art. 66(1) GDPR. The DE-HH SA ordered a ban on processing WhatsApp user data by Facebook IE for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.
Irish Government Plugs Gap in Protection under SCCs
The Irish government has moved swiftly to plug a perceived gap in protection under Irish data protection law that had raised doubts about whether Irish law was fit for purpose as a governing law under EU approved standard contractual clauses (SCCs).
[Note: See Resources section for Statutory Instrument]
Opinion: Irish Credit Bureau fine offers insight into the DPC’s use of its corrective powers
The Data Protection Commission recently published its decision following the ICB’s notification to the DPC of a personal data breach on 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.
EDPB: Coordinated German investigation of international data transfers
Nationwide assessment of companies' compliance with the Schrems II decision of the European Court of Justice by numerous German data protection supervisory authorities.
UK publishers could be hit by 'right to be forgotten' deletion requests after ECHR judgment
Press Gazette has been reporting on British journalism without fear or favour since 1965. Our mission is to provide a news and information service which helps the UK journalism.
SECURITY & TECH
A privacy war is raging inside the W3C
The World Wide Web Consortium has become a key battleground in the fight over web privacy and competition.
Ransomware gang websites disappear from internet
Websites for a Russian-linked ransomware gang blamed for attacks on hundreds of businesses worldwide have gone offline. Monitors say a payment website and a blog run by the REvil group became suddenly unreachable on Tuesday.
Can facial analysis technology create a child-safe internet?
Determining a person’s age online seems like an intractable problem. But new technology and laws could be on the brink of solving it.
Pin resets wipe all data from over 100 UK Treasury mobile phones
The Treasury wiped all data from more than 100 government-issued mobile phones last year because their users, including the department’s boss, entered the wrong pin.
How did my phone number end up for sale on a US database?
A journey of discovery into the somewhat opaque, if lucrative, world of contact selling
UK NCSC: Weekly Threat Report
The NCSC's weekly threat report is drawn from recent open source reporting.
DATA BREACH
Guess announces breach of employee SSNs and financial data after DarkSide ransomware attack
The fashion brand admitted that cyber criminals gained access to people's Social Security numbers, driver's license numbers, passport numbers and financial account numbers.
ENFORCEMENT
Danish DPA: Fine for COVID-19 Test Results Sent via Employee WhatsApp Groups
The Danish DPA has issued a €80,600 fine for transmission of data relating to COVID-19 tests via WhatsApp employee groups without a risk or needs analysis being performed.
[Note: Press release is in Danish]
ICO finalizes 20M GBP fine against British Airways
The U.K. Information Commissioner's Office served British Airways a 20 million GBP fine over GDPR violations related to a 2018 data breach.
More on the latest GDPR enforcement news can be found on:
GUIDANCE & OPINIONS
EDPB Guidelines 07/2020 on the concepts of Controller and Processor in the GDPR
This document seeks to provide guidance on the concepts of controller and processor based on the GDPR’s rules on definitions in Article 4 and the provisions on obligations in Chapter IV. The main aim is to clarify the meaning of the concepts and to clarify the different roles and the distribution of responsibilities between these actors.
EDPB Guidelines 02/2021 on Virtual Voice Assistants
These guidelines identify some of the most relevant compliance challenges for Data Controllers providing Virtual Voice Assistants and provide recommendations to relevant stakeholders on how to address them.
EDPB Guidelines 04/2021 on codes of conduct as tools for transfers, open for public consultation
The aim of these guidelines is to specify the application of Article 40-3 of the GDPR relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries in accordance with Article 46-2-e) of the GDPR.
EDPB-EDPS Joint Opinion on Harmonised Rules for AI
EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act).
EDPB Opinion 20/2021 on Tobacco Traceability System
On foot of a request from the European Commission, the EDPB has issued an opinion on the tobacco traceability system established under Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014.
EDPB Letter to EU Institutions regarding privacy implications of Digital Euro
The EDPB has issued a letter to European Institutions on the privacy and data protection aspects of a possible digital euro.
RESOURCES
S.I. No. 297 of 2021 - Amending the Irish Data Protection Act 2018
European Union (Enforcement of Data Subjects’ Rights on Transfer of Personal Data Outside the European Union) Regulations 2021 (S.I. 297/2021).
LIBE Study: Exchanges of Personal Data After the Schrems II Judgment
LIBE commissioned study examines EU-US data transfers post 'Schrems II'.
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.