Privacy Transformation - Issue 127

PRIVACY

Ireland’s Facebook decision triggers argument over limits of GDPR

EU officials are gearing up for a fight over how much leeway companies should have to process personal data after a decision targeting Facebook from Ireland’s privacy regulator prompted pushback from campaigners.

DPC asks NOYB to remove draft decision on Facebook from website

Ireland’s Data Protection Commission (DPC) has written to Max Schrems’s NOYB organisation asking it to remove a draft decision that it had published on its website.

The commission was investigating a complaint by NOYB that Facebook has “bypassed the GDPR” by changing terms and conditions for users so that it no longer needs consent to process personal data. It is alleged it has done this by relabelling agreements on data use as a “contract”.

RELATED:

Irish regulators support Facebook's 'consent bypass' legal maneuver, suggest $42 million fine for GDPR violations

DPC sent "take down request" to noyb

Looks Like Facebook Found a Way to Bypass Europe’s Privacy Rules

Facebook Should Clarify Terms of Service, Irish Privacy Regulator Says

EDPB launches first coordinated action

Following the EDPB’s decision to set up a Coordinated Enforcement Framework in October 2020, the EDPB has now decided to launch the proposal for its first coordinated action on the use of Cloud based services by the public sector.

Slovenian Administrative Court upholds the decision of the Slovenian SA: right of erasure does not enable an individual to have his personal data erased from Baptismal Register

A parish of the Roman Catholic Church was processing the application of an individual on the right of erasure. The individual requested his personal data to be erased from the Baptismal Register, because he was no longer a member of the church. In his opinion, the collected data are no longer necessary in relation to the purposes for which they were collected.

SECURITY & TECH

German Pirate Party member claims EU plans for a GDPR-compliant Whois v2 will lead to 'doxxing and death lists'

The European Union has drawn the ire of privacy activists for proposals to put real names and contact details back into Whois lookups, as part of its Network and Information Systems (NIS) Directive.

Neighbour wins privacy row over smart doorbell and cameras

A judge has ruled that security cameras and a Ring doorbell installed in a house in Oxfordshire "unjustifiably invaded" the privacy of a neighbour. Dr Mary Fairhurst claimed that the devices installed on the house of neighbour Jon Woodard broke data laws and contributed to harassment.

Fraudsters Cloned Company Director’s Voice In $35 Million Bank Heist, Police Find

AI voice cloning is used in a huge heist in the U.A.E., according to Dubai investigators, amidst warnings about cybercriminal use of the new technology.

Gartner predicts privacy law changes, consolidation of cybersecurity services and ransomware laws for next 4 years

Gartner analysts released their list of cybersecurity and privacy predictions for the next few years, floating a number of potential ideas about how the world will respond to certain problems over the next decade.

Moscow adds facial recognition payment system to more than 240 metro stations

Moscow introduced a new facial recognition payment system called Face Pay to 240 metro stations on Friday. The new system is designed to shorten lines and wait times, but could be a vulnerable hacking target and a privacy risk.

Imagine if Your Therapist Could Access Data From Your Smartphone

Researchers are studying tools that could give therapists a stream of patient information between sessions—and intervene if necessary.

Brave is launching its own search engine with the help of ex-Cliqz devs and tech

Brave, the privacy-focused browser co-founded by ex-Mozilla CEO Brendan Eich, is getting ready to launch an own-brand search engine for desktop and mobile.

UK NCSC: Weekly Threat Report

The NCSC's weekly threat report is drawn from recent open source reporting.

DATA BREACH

Twitch says passwords weren’t exposed in massive data breach

Twitch has definitively stated that passwords weren’t exposed in last week’s major data breach. It also confirmed that the data primarily consisted of documents from its source code repository.

3D printing site Thingiverse suffers breach of 228,000 email addresses amid sluggish disclosure

So says Have I Been Pwned's maintainer - but site claims breach only impacted 'handful of users'

Centre for Computing History apologises to customers for 'embarrassing' breach

The Centre for Computing History (CCH) in Cambridge, England, has apologised for an "embarrassing" breach in its online customer datafile, though thankfully no payment card information was exposed.

ENFORCEMENT

DPC: Confirmation of Fine – Twitter International

The Irish Data Protection Commission (DPC) today had the decision to impose an administrative fine on Twitter International Company confirmed in the Dublin Circuit Court. The application to confirm the decision to impose an administrative fine of €450,000 was made pursuant to Section 143 of the Data Protection Act 2018.

RELATED: Dublin Circuit Court confirms €450,000 fine for Twitter delay in reporting data breach

Amazon Fights Record $865 Million EU Data-Protection Fine

Amazon.com Inc. appealed a record 746 million-euro ($865 million) penalty for allegedly violating the European Union’s tough data-protection rules.

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

GUIDANCE & OPINIONS

EDPB adopts Guidelines on restrictions of data subject rights under Article 23 GDPR

During its October plenary, the EDPB adopted a final version of the Guidelines on restrictions of data subject rights under Art. 23 GDPR following public consultation.

[Read Guidelines]

EDPS Opinion on the European Commission’s draft internal rules on digital verification of Covid-19 certificates

[Read Opinion]

RESOURCES

White Paper: Building a Comprehensive Health Care Privacy Program

This paper provides a comprehensive framework for building and managing a health care privacy program.

Podcast: The EU's Failure to Protect Our Online Privacy and Data Rights, with Dr. Johnny Ryan

Stream The EU's Failure to Protect Our Online Privacy and Data Rights, with Dr. Johnny Ryan by Martens Centre.

Podcast: EDPS on the future of privacy

We have asked the European Data Protection Supervisor Wojciech Wiewiorowski about its recent proposal to organise a conference to review the enforcement of GDPR, the EU privacy law.

CONTRIBUTE

Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.