Privacy Transformation - Issue 136

PRIVACY

HSE given stolen data, including medical records, taken by criminals during cyber attack in May

HSE given stolen data, including medical records, taken by criminals during cyber attack in May

The HSE has been given stolen data, including medical records, obtained by criminals during the May cyber attack, it emerged today.

RELATED:

Tusla confirms its data among that stolen during HSE cyberattack

Four months before all people who had data stolen in cyber attack are contacted, says HSE

Sinn Féin should tell voters about internal party database - Data Protection Commission

Sinn Féin should tell voters about internal party database - Data Protection Commission

Sinn Féin should draw the attention of voters to the existence of its Abú electoral database the Data Protection Commissioner has said in a report published on Monday.

[See Resources Section for DPC Audit Report]

EU adopts adequacy decision with South Korea

EU adopts adequacy decision with South Korea

European Commissioner for Justice Didier Reynders and South Korea Personal Information Protection Commission Chair Yoon Jong In formally announced an adequacy agreement between the EU and South Korea for transfers of personal data.

RELATED: How the EU determines if a non-EU country has an adequate level of data protection

ICO invites comments on how it uses its powers to investigate, regulate and enforce

ICO invites comments on how it uses its powers to investigate, regulate and enforce

The UK Information Commissioner’s Office has launched a consultation to gather the views of stakeholders and the public on how it regulates the laws it monitors and enforces. People will have 14 weeks to comment on three documents, which are all designed to give direction and focus to the organisations it regulates.

Naming on forest site notices ‘an invasion of privacy’

Naming on forest site notices ‘an invasion of privacy’

The Data Protection Commission has advised the Department to remove the requirement for a named individual on forest site notices.

SECURITY & TECH

Ireland frets as criticism over Big Tech links goes mainstream

Ireland's besieged data privacy regulator is fast becoming a problem too big for Dublin to ignore. The Irish Data Protection Commission has long faced accusations of being too soft on the legions of U.S. tech companies, including Facebook, Google and Apple, that it is charged with regulating.

Facebook’s internal assessment of EU-US data transfers shows it has no legal leg to stand on, says noyb

In its latest (and last) pre-Christmas document reveal, European privacy advocacy group noyb has published details of an 86-page internal assessment by Facebook of its (continued) transfers of European’s personal data to the U.S. — and the resulting conclusion can be best summed up as “The Emperor, Mark Zuckerberg, Has No Clothes”.

Adtech vendors still tracking EU users who deny consent via IAB’s TCF, study suggests

New research examining what happens after Internet users in Europe land on an ad-supported website and express their “privacy choices” — using a flagship ad industry consent management platform which is supposed to allow them to control the types of ads they receive (i.e. non-tracking vs “personalized”).

Opinion: The problem with Consent Management Platforms is they are unlawful by design

OK so let's get started with a controversial albeit accurate statement - any Consent Management Platform (CMP) which sets a cookie for anything other than cookies which are not strictly necessary that the user has consented to - is breaking EU law.

Nearly 50,000 Facebook users may have been targets of private surveillance, company says

Nearly 50,000 Facebook users may have been targets of private surveillance, company says

Facebook is notifying nearly 50,000 users in more than 100 countries that they may have been targets of hacking attempts by private surveillance companies working for government agencies, the company said Thursday.

How cut-and-pasted programming is putting the internet and society at risk

How cut-and-pasted programming is putting the internet and society at risk

A vulnerability has been exposed in Minecraft, the bestselling video game of all time – and the security implications outside the world of gaming are vast.

Palantir to localize UK data operations as privacy regulations tighten

Palantir to localize UK data operations as privacy regulations tighten

Palantir Technologies Inc said on Friday it plans to shift its entire UK data processing out of the United States, at a time when data privacy regulations are tightening across the globe.

DuckDuckGo is working on a privacy-focused desktop browser

DuckDuckGo is working on a privacy-focused desktop browser

DuckDuckGo has offered a preview of what its upcoming desktop browsing app will look like. The privacy-focused company claims that its browser is faster, safer, and neater than Google Chrome.

UK NCSC: Weekly Threat Report

UK NCSC: Weekly Threat Report

The NCSC's weekly threat report is drawn from recent open source reporting.

ENFORCEMENT

ICO and NHS Test and Trace agree data protection improvements following consensual audit

The ICO has issued NHS Test and Trace with recommendations to strengthen the protection of people’s personal data, so it can continue to  play a vital role in tackling the pandemic.

GDPR complaint: Airbnb hosts at the mercy of algorithms

GDPR complaint: Airbnb hosts at the mercy of algorithms

Complaint against Airbnb: The online market place for vacation rentals downgraded the complainant’s rating as a host, solely through automated decision making.

German court rules cookie preference service that shared IP addresses with US firm should be halted

A German court has ruled that sharing IP addresses with US-based servers for the purpose of cookie consent is unlawful under EU data protection law and the EU Court of Justice Schrems II ruling.

Ruling is part of a wider case over €746 million fine Luxembourg's data protection watchdog imposed on Amazon

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

RESOURCES

DPC publishes Regulatory Strategy for 2022-2027

DPC publishes Regulatory Strategy for 2022-2027

In its Strategy for 2022-2027, the Data Protection Commission sets out its vision for what they believe will be five crucial years in the evolution of data protection law, regulation and culture.

Data Protection Commission publishes report on data protection audit of political parties in Ireland

Data Protection Commission publishes report on data protection audit of political parties in Ireland

The Data Protection Commission has published a report entitled “Data Protection Audit of Political Parties in Ireland.” The report was compiled following data protection audits conducted this year by the Data Protection Commission in twenty-six registered political parties in Ireland.

IPEN webinar: “Pseudonymous data: processing personal data while mitigating risks” (recording available)

IPEN webinar: “Pseudonymous data: processing personal data while mitigating risks” (recording available)

The EDPS organised on 9 December 2021 an Internet Privacy Engineering Network (IPEN) webinar entitled: “Pseudonymous data: processing personal data while mitigating risks”.

Podcast: Data Protection Commissioner, Helen Dixon

Podcast: Data Protection Commissioner, Helen Dixon

Gavin speaks to the Data Protection Commissioner, Helen Dixon, about EU criticism and the government's climbdown over the public services card.

Data Protection Officer Requirements by Country

Data Protection Officer Requirements by Country

Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required.

CONTRIBUTE

Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.