Privacy Transformation - Issue 157

PRIVACY

Delay in European Commission response to Irish data inquiry

The European Commission has delayed its response to an EU Ombudsman investigation into the monitoring of data protection regulations in Ireland.

Google sued for using the NHS data of 1.6 million Britons 'without their knowledge or consent'

The Royal Free NHS Trust in London, which gave Google the patient data, was previously told the move was illegal following an investigation by the Information Commissioner's Office.

Privacy fears over Garda purchase of 11 drones for training ahead of digital recording bill

Gardaí have purchased 11 drones ahead of a new bill which will permit their use in operations, a move which has sparked privacy concerns.

Data Marketplace Selling Info About Who Uses Period Tracking Apps

The data could be a potential first step to identifying the users of a specific app in a post-abortion rights America.

Google joined as notice party in High Court action over personal data

Google has been added to a High Court action where it is alleged the Data Protection Commission (DPC) has failed to fully investigate a complaint about how the internet giant and digital marketing association IAB Europe process personal data.

'Absolute clarity' over Limerick's use of CCTV needed, says minister

A Fine Gael TD contacted Justice Minister Helen McEntee telling her that there should be “absolute clarity” that Limerick City and County Council be allowed to share CCTV footage with the gardaí.

SECURITY & TECH

HSE finds recruiting cyber security staff 'difficult'

The Health Service Executive has said it is "especially difficult" to recruit cyber security staff right now because of the competition for talent.

Europe Agrees to Adopt New NIS2 Directive Aimed at Hardening Cybersecurity

The European Parliament announced a "provisional agreement" on NIS2, a new directive that aims to improve cybersecurity by setting stricter rules.

What Happens When Cookies and DeviceIDs Go Away?

Marketers have been told to panic about the upcoming "cookie-pocalypse." That refers to third party ("3P") cookies going away in 2023, when the most common browser, Chrome, does away with 3P cookies entirely.

Meta temporarily cuts photo filters to sidestep biometric data privacy lawsuits

Meta says it is working on a new opt-in experience for the relevant filters and avatars that will explain how the software involved is not facial recognition.

It's Coming: Digital ID with Facial Recognition

In Norway, a new system for digital ID with fingerprint and facial recognition is coming as BankID on mobile is being phased out.

Mastercard launches ‘smile to pay’ system amid privacy concerns

Mastercard is rolling out a controversial programme that will allow shoppers to pay at the till with a mere smile or wave of the hand, as it tries to secure a slice of the $18bn (£14.4bn) biometrics market.

ENFORCEMENT

Diverging fining policies of European DPAs: is there room for coherent enforcement of the GDPR?

While it was expected that independent DPAs would give the criteria different weight in their enforcement proceedings, depending on their own legal and cultural context, the past four years of enforcement experience have shown that fining policies and practices vary considerably among EU DPAs.

Record GDPR fine by the Hungarian Data Protection Authority for the unlawful use of artificial intelligence

The Hungarian Data Protection Authority has recently published its annual report, in which it presented a case where the Authority imposed its highest fine to date, of ca. EUR 670,000. The case involved the personal data processing of a bank.

Ministry of Foreign Affairs fined for inadequately securing visa applications

The Dutch SA fined the Dutch Ministry of Foreign Affairs €565,000 for long-term, large-scale, serious infringements of the General Data Protection Regulation (GDPR) in its visa-issuing process.

Tax Administration fined for fraud ‘black list’

The Dutch SA has imposed a €3.7 million fine on the Tax Administration for illegally processing personal data over a period of years in its ‘fraud identification facility’ (FSV). The €3.7 million fine comprises multiple fines for six violations.

Icelandic SA: Municipality fined for the use of the Seesaw educational system

Key findings of the Icelandic SA’s decision were that the processing agreement between Reykjavík and Seesaw was insufficient; that the municipality could not demonstrate a specified, explicit and legitimate purpose for the processing in question, which was therefore considered unlawful; that the processing was neither fair nor transparent; and that neither the principles of data minimisation and storage limitation nor data protection by design and by default were implemented.

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

GUIDANCE & OPINIONS

EDPB adopts Guidelines on calculation of fines & Guidelines on the use of facial recognition technology in the area of law enforcement

The EDPB adopted new Guidelines on the calculation of administrative fines, harmonising the methodology data protection authorities (DPAs) use. The guidelines also include harmonised ‘starting points’ for the calculation of a fine.

RESOURCES

Report: Automated Decision-Making Under the GDPR - A Comprehensive Case-Law Analysis

The Future of Privacy Forum launched a comprehensive Report analyzing case-law under the General Data Protection Regulation (GDPR) applied to real-life cases involving Automated Decision Making (ADM). The Report is informed by extensive research covering more than 70 Court judgments, decisions from Data Protection Authorities (DPAs), specific Guidance and other policy documents issued by regulators.

ICCL Report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe

Real-Time Bidding (RTB) is a $117+ billion industry that operates behind the scenes on websites and apps. It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you. This report presents the scale of this data breach for the first time.

RELATED: Google Is Sharing Our Data at a Startling Scale

Study: Leaky Forms - A Study of Email and Password Exfiltration Before Form Submission

Email addresses, or identifiers derived from them, are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms is misused by online trackers, we present a measurement of email and password collection that occurs before form submission on the top 100K websites.

RELATED: Meta, TikTok and thousands of major websites are found swiping data you enter on forms—even if you don’t hit submit

UK NCSC Report - Organisational use of Enterprise Connected Devices

Assessing the cyber security threat to UK organisations using Enterprise Connected Devices.

CONTRIBUTE

Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.