Privacy Transformation - Issue 175
PRIVACY
EU court adviser: Competition bodies may consider data protection breaches in their probes
A non-binding opinion by the advocate general, an influential adviser to the EU’s top court, might open the door for antitrust watchdogs to assess compliance with data protection rules in future investigations.
European Parliament group says relationship with State’s data chief ‘not always easy’
Despite DPC resources being comparable with continental counterparts, the organisation is not delivering the same number of ‘clear results’, claims French MEP.
RELATED: Director dismisses criticism of Irish data protection watchdog
Germany’s bulk data retention law is illegal, EU court finds
The European Court of Justice said the ‘general and indiscriminate retention’ of traffic and location data is only allowed when there is a ‘serious threat to national security’.
[Read Judgment of the Court of Justice in Joined Cases C-793/19, C-794/19 SpaceNet]
US border forces are seizing Americans' phone data and storing it for 15 years
If a traveler's phone, tablet or computer ever gets searched at an airport, American border authorities could add data from their device to a massive database that can be accessed by thousands of government officials.
Comment: Big Tech regulation risks upheaval after EU court opinion on citing GDPR in antitrust probes
Meta, Google and other Big Tech companies could face increased scrutiny of their data-collection practices if the EU’s highest court follows a legal opinion that antitrust watchdogs can “take account” of privacy violations in competition cases.
Sexual assault victim whose DNA was used to arrest her sues San Francisco
A woman whose DNA from a rape kit was later used to arrest her is taking San Francisco to court.
The Revised Swiss Data Protection Act – What's New?
In September 2020, the Swiss parliament adopted the new Federal Act on Data Protection ("FADP"). The law is expected to enter into force in September 2023, although the respective ordinance, which will provide for more details, was still being drafted at the time of publication of this article.
EDPS takes legal action as new Europol Regulation puts rule of law and EDPS independence under threat
On 16 September 2022, the EDPS requested that the Court of Justice of the European Union (CJEU) annul two provisions of the newly amended Europol Regulation, which came into force on 28 June 2022.
SECURITY & TECH
Danish DPA: Use of Google Analytics for web analytics
The Danish Data Protection Agency has looked into the tool Google Analytics, its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.
Irish Cyber chief: Hacktivism and espionage being monitored across Europe by online national security
Beyond the more high profile ransomware attacks, Richard Browne of NCSC said, there is hacktivism and espionage across Europe.
New EU cybersecurity rules ensure more secure hardware and software products
Today, the Commission has presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. A first ever EU-wide legislation of its kind, it introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.
[Read proposed EU Cyber Resilience Act]
DATA BREACH
Revolut breach: personal and banking data exposed
A highly-targeted cyberattack on a financial technology company might have affected over 50,000 customers. Revolut told Cybernews that card details were hashed and therefore protected.
Uber investigating hack on its computer systems
The ride-hailing company said it was investigating after several internal communications and engineering systems had been compromised.
IHG hack: 'Vindictive' couple deleted hotel chain data for fun
The pair, who say they are from Vietnam, wiped out IHG group data after a foiled ransomware attack.
New York ambulance service discloses data breach after ransomware attack
Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information.
American Airlines discloses data breach after employee email compromise
American Airlines has notified customers of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information.
ENFORCEMENT
The French SA fines the economic interest group INFOGREFFE EUR 250,000
Following a complaint, the CNIL, French Supervisory Authority, carried out an online investigation of the infogreffe.fr website, which allows users to consult legal information on companies and order documents certified by the commercial court registries. The investigations focused in particular on the data retention periods defined and the security measures implemented by the economic interest group INFOGREFFE, which provides the legal and official information publishing service on companies via the website.
Employees’ right of access: Italian SA fines Unicredit S.p.A. and orders corrective measures
The case followed a complaint against the failure by the controller (the complainant’s employer) to reply to an access request.
More on the latest GDPR enforcement news can be found on:
GUIDANCE & OPINIONS
EDPB Opinion 25/2022 regarding the European Privacy Seal (EuroPriSe) certification criteria for the certification of processing operations by processors
The EDPB opinion aims to ensure the consistency and correct application of certification criteria among DPAs in the European Economic Area. To this end, the EDPB considers that the EuroPriSe certification criteria may lead to an inconsistent application of the GDPR and a number of changes need to be made in order to fulfill the requirements imposed by Art. 42 GDPR.
ICO: Sharing personal data in an emergency – a guide for universities and colleges
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
RESOURCES
AEPD-EDPS Joint Paper - 10 Misunderstandings about Machine Learning
The EU has identified artificial intelligence (AI) as one of the most relevant technologies of the 21st century and highlighted its importance on the strategy for EU’s digital transformation. Having a wide range of applications, AI can contribute in areas as disparate as helping in the treatment of chronic diseases, fighting climate change or anticipating cybersecurity threats.
ENISA: European Cybersecurity Skills Framework Role Profiles
The ECSF role profiles document lists the 12 typical cybersecurity professional role profiles along with their identified titles, missions, tasks, skills, knowledge, competences. The main purpose of this framework is to create a common understanding between individuals, employers and providers of learning programmes across EU Member States, making it a valuable tool to bridge the gap between the cybersecurity professional workplace and learning environments.
ENISA: European Cybersecurity Skills Framework (ECSF) - User Manual
The ECSF User Manual provides a comprehensive overview of the ECSF’s main scope, framework principles and application opportunities. The primary purpose of the manual is to make the ECSF easily accessible by, understandable for, and usable by all stakeholders with an active role or a need for appropriately skilled cybersecurity professionals.
Anonymizing facial images to improve patient privacy
To minimize the risks of inappropriately disclosing facial images of patients, we developed the digital mask to erase identifiable features while retaining disease-relevant features needed for diagnosis. The digital mask has shown the ability to evade recognition by human researchers and existing facial-recognition algorithms, and improves patients’ willingness to share medical information.
EFF: How to Ditch Facebook Without Losing Your Friends (Or Family, Customers or Communities)
Today, we launch “How to Ditch Facebook Without Losing Your Friends” - a narrated slideshow and essay explaining how Facebook locks in its users, how interoperability can free them, and what it would feel like to use an “interoperable Facebook” of the future, such as the one contemplated by the US ACCESS Act.
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.