Privacy Transformation - Issue 140
PRIVACY
As its data flows woes grow, Google lobbies for quickie fix to EU-US transfers
As the legal uncertainty in Europe clouding use of US cloud services cranks up, Google has responded by firing up its lobbying engines to call for US and European lawmakers to get a move on and come up with a new rubberstamp to grease transatlantic data flows as usual as the bloc’s regulators finally start to find their banhammers.
RELATED:
Google: It’s time for a new EU-US data transfer framework
Europe’s Move Against Google Analytics Is Just the Beginning
UK Gov't Plans Publicity Blitz to Undermine Chat Privacy
The UK government is set to launch a multi-pronged publicity attack on end-to-end encryption, Rolling Stone has learned. One key objective: mobilizing public opinion against Facebook's decision to encrypt its Messenger app.
DPC received almost 7,000 complaints from Irish last year
Irish people lodged almost 7,000 complaints with data protection watchdogs last year, the sixth-highest number in Europe, lawyers say. A report from global law firm DLA Piper says European states fined businesses and other organisations €1.1 billion for data breaches in 2021, six times the €158.5 million in penalties imposed by authorities the previous year.
[See Resources Section for Report]
Faith in GDPR wanes as admin burden causes compliance anxiety
The findings in the 2022 joint McCann FitzGerald/Mazars GDPR-impact survey suggest a hardening of views towards the 2018 data-protection regulation, stemming from its knock-on effects during the pandemic.
[See Resources Section for Survey]
Bulgaria's surveillance laws breach European human rights convention-ECHR
Bulgaria violates the European Convention of Human Rights when it comes to secret surveillance and retention and accessing of communication data, the European Court of Human Rights ruled on Tuesday.
A data ‘black hole’: Europol ordered to delete vast store of personal data
EU police body accused of unlawfully holding information and aspiring to become an NSA-style mass surveillance agency.
Analysis: The Irish DPC Publishes Final Version of its Children’s Fundamentals
On 17 December 2021, the Irish Data Protection Commission (“DPC”) published the final version of its guidance “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing”. The Fundamentals seek to enhance the level of protection afforded to children, both online and offline.
EDPB adopts Guidelines on Right of Access and letter on cookie consent
During its January plenary session, the EDPB adopted Guidelines on the Right of Access. The Guidelines aim to analyse the various aspects of the right of access and to provide more precise guidance on how the right of access has to be implemented in different situations.
SECURITY & TECH
REvil ransomware gang arrested in Russia
Russian authorities dismantle the notorious cyber-crime gang at the request of the United States.
Encryption service ‘linked to cyber attacks’ taken down in international sting
EU carriers want Apple's Private Relay blocked
Four European carriers have written to the European Commission claiming that Apple's Private Relay in iOS 15 undermines "digital sovereignty," and that it should be stopped.
WhatsApp Ordered To Help U.S. Agents Spy On Chinese Phones—No Explanation Required
The U.S. doesn't need to know whom they're targeting or show probable cause when ordering Facebook, WhatsApp or any tech company to help agencies spy on users in secret, newly unsealed court documents show.
Covid tracker app used by few to identify close contacts
Only 4 per cent of people who tested positive for Covid-19 uploaded their close contact details to the Covid tracker app for tracing purposes, according to data published in the Irish Medical Journal.
UK NCSC: Weekly Threat Report
The NCSC's weekly threat report is drawn from recent open source reporting.
DATA BREACH
Clare County Council Confirms Data Breach Involving Release Of Personal Information Of Former Tenants
Clare County Council has confirmed a data breach which involved the release of personal information of 72 people, as well as 13 who have passed away. The local authority says the data was released in error, as part of a response to a Freedom of Information request about vacant Council houses.
Goodwill discloses data breach on its ShopGoodwill platform
American nonprofit Goodwill has disclosed a data breach that affected the accounts of customers using its ShopGoodwill.com e-commerce auction platform.
ENFORCEMENT
Teaching Council fined after teacher data leaked in phishing scam
Teaching Council fined €60,000 after teacher data leaked in phishing scam.
Austrian DSB: EU-US data transfers to Google Analytics illegal
In a groundbreaking decision, the Austrian Data Protection Authority has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR.
Lisbon’s mayor office fined for over $1.4 million for data protection breaches over protests
The mayor's office violated the General Data Protection Regulation 225 times, the national data protection commission ruled.
Polish DPA imposes a fine on Warsaw University of Technology
The proceedings against the Warsaw University of Technology were initiated after the Polish Data Protection Authority received a data breach notification. As was indicated, an unauthorized person downloaded from the controller's IT network resources a database containing personal data of students and lecturers (over 5 thousand people).
More on the latest GDPR enforcement news can be found on:
GUIDANCE & OPINIONS
DPC: Data Protection Considerations Relating to Multi-Unit Developments and Owners’ Management Companies
An increasing proportion of Ireland’s population lives in apartments and houses situated in multi-unit developments (MUDs) and estates having shared spaces and services. In most cases these common areas and shared facilities are owned and controlled by an owners’ management company (OMC) which is typically a not-for-profit legal structure established for the management of multi-unit developments under the Multi-Unit Developments Act 2011 (the MUDs Act). This guidance sets out general advice on common data protection issues that may arise in the course of interaction between OMCs and concerned parties.
EDPS: Online targeting for political advertising: stricter rules are necessary
The EDPS has published today his Opinion on the EU legislators’ proposed Regulation on transparency and targeting for political advertising.
RESOURCES
EDPB: Legal study on Government access to data in third countries
The present report is part of a study analysing the implications for the work of the European Union / European Economic Area data protection supervisory authorities in relation to transfers of personal data to third countries after the Court of Justice of the European Union (CJEU) judgment C-311/18 on Data Protection Commissioner v. Facebook Ireland Ltd, Maximilian Schrems (Schrems II).
Translation: Personal Information Protection Law of the People's Republic of China
On August 20, 2021, the top legislative body in the People's Republic of China, the Standing Committee of the National People's Congress, passed the Personal Information Protection Law. The law went into effect Nov. 1, 2021. This English translation of the law is published by the Stanford DigiChina Cyber Policy Center.
Paper: Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
In this paper, we present findings from a large-scale and long-term phishing experiment that we conducted in collaboration with a partner company. Our experiment ran for 15 months during which time more than 14,000 study participants (employees of the company) received different simulated phishing emails in their normal working context.
Survey: Impact of GDPR and its effect on organisations in Ireland
Around two-thirds (64%) of organisations believe that employers should be permitted access to the vaccine status of their employees, while a majority (56%) said that the inability to process employees’ vaccine status data had impacted on a return to the office. The results come from this year’s edition of an annual survey on the impact of the GDPR on organisations in Ireland, jointly published today by leading law firm McCann FitzGerald LLP and Mazars.
Report: DLA Piper GDPR fines and data breach survey: January 2022
Data protection supervisory authorities across Europe have issued a total of nearly EUR1.1 billion (USD1.2 / GBP0.9 billion) in fines since 28 January 2021, according to international law firm DLA Piper.
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.