Privacy Transformation - Issue 175

PRIVACY

EU court adviser: Competition bodies may consider data protection breaches in their probes

A non-binding opinion by the advocate general, an influential adviser to the EU’s top court, might open the door for antitrust watchdogs to assess compliance with data protection rules in future investigations.

European Parliament group says relationship with State’s data chief ‘not always easy’

Despite DPC resources being comparable with continental counterparts, the organisation is not delivering the same number of ‘clear results’, claims French MEP.

RELATED: Director dismisses criticism of Irish data protection watchdog

Germany’s bulk data retention law is illegal, EU court finds

The European Court of Justice said the ‘general and indiscriminate retention’ of traffic and location data is only allowed when there is a ‘serious threat to national security’.

[Read Judgment of the Court of Justice in Joined Cases C-793/19, C-794/19 SpaceNet]

US border forces are seizing Americans' phone data and storing it for 15 years

If a traveler's phone, tablet or computer ever gets searched at an airport, American border authorities could add data from their device to a massive database that can be accessed by thousands of government officials.

Comment: Big Tech regulation risks upheaval after EU court opinion on citing GDPR in antitrust probes

Meta, Google and other Big Tech companies could face increased scrutiny of their data-collection practices if the EU’s highest court follows a legal opinion that antitrust watchdogs can “take account” of privacy violations in competition cases.

Sexual assault victim whose DNA was used to arrest her sues San Francisco

A woman whose DNA from a rape kit was later used to arrest her is taking San Francisco to court.

The Revised Swiss Data Protection Act – What's New?

In September 2020, the Swiss parliament adopted the new Federal Act on Data Protection ("FADP"). The law is expected to enter into force in September 2023, although the respective ordinance, which will provide for more details, was still being drafted at the time of publication of this article.

On 16 September 2022, the EDPS requested that the Court of Justice of the European Union (CJEU) annul two provisions of the newly amended Europol Regulation, which came into force on 28 June 2022.

SECURITY & TECH

Danish DPA: Use of Google Analytics for web analytics

The Danish Data Protection Agency has looked into the tool Google Analytics, its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

Irish Cyber chief: Hacktivism and espionage being monitored across Europe by online national security

Beyond the more high profile ransomware attacks, Richard Browne of NCSC said, there is hacktivism and espionage across Europe.

New EU cybersecurity rules ensure more secure hardware and software products

Today, the Commission has presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. A first ever EU-wide legislation of its kind, it introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.

[Read proposed EU Cyber Resilience Act]

DATA BREACH

Revolut breach: personal and banking data exposed

A highly-targeted cyberattack on a financial technology company might have affected over 50,000 customers. Revolut told Cybernews that card details were hashed and therefore protected.

Uber investigating hack on its computer systems

The ride-hailing company said it was investigating after several internal communications and engineering systems had been compromised.

IHG hack: 'Vindictive' couple deleted hotel chain data for fun

The pair, who say they are from Vietnam, wiped out IHG group data after a foiled ransomware attack.

New York ambulance service discloses data breach after ransomware attack

Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information.

American Airlines discloses data breach after employee email compromise

American Airlines has notified customers of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information.

ENFORCEMENT

The French SA fines the economic interest group INFOGREFFE EUR 250,000

Following a complaint, the CNIL, French Supervisory Authority, carried out an online investigation of the infogreffe.fr website, which allows users to consult legal information on companies and order documents certified by the commercial court registries. The investigations focused in particular on the data retention periods defined and the security measures implemented by the economic interest group INFOGREFFE, which provides the legal and official information publishing service on companies via the website.

Employees’ right of access: Italian SA fines Unicredit S.p.A. and orders corrective measures

The case followed a complaint against the failure by the controller (the complainant’s employer) to reply to an access request.

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

GUIDANCE & OPINIONS

EDPB Opinion 25/2022 regarding the European Privacy Seal (EuroPriSe) certification criteria for the certification of processing operations by processors

The EDPB opinion aims to ensure the consistency and correct application of certification criteria among DPAs in the European Economic Area. To this end, the EDPB considers that the EuroPriSe certification criteria may lead to an inconsistent application of the GDPR and a number of changes need to be made in order to fulfill the requirements imposed by Art. 42 GDPR.

[Read Opinion]

ICO: Sharing personal data in an emergency – a guide for universities and colleges

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

RESOURCES

AEPD-EDPS Joint Paper - 10 Misunderstandings about Machine Learning

The EU has identified artificial intelligence (AI) as one of the most relevant technologies of the 21st century and highlighted its importance on the strategy for EU’s digital transformation. Having a wide range of applications, AI can contribute in areas as disparate as helping in the treatment of chronic diseases, fighting climate change or anticipating cybersecurity threats.

ENISA: European Cybersecurity Skills Framework Role Profiles

The ECSF role profiles document lists the 12 typical cybersecurity professional role profiles along with their identified titles, missions, tasks, skills, knowledge, competences. The main purpose of this framework is to create a common understanding between individuals, employers and providers of learning programmes across EU Member States, making it a valuable tool to bridge the gap between the cybersecurity professional workplace and learning environments.

ENISA: European Cybersecurity Skills Framework (ECSF) - User Manual

The ECSF User Manual provides a comprehensive overview of the ECSF’s main scope, framework principles and application opportunities. The primary purpose of the manual is to make the ECSF easily accessible by, understandable for, and usable by all stakeholders with an active role or a need for appropriately skilled cybersecurity professionals.

Anonymizing facial images to improve patient privacy

To minimize the risks of inappropriately disclosing facial images of patients, we developed the digital mask to erase identifiable features while retaining disease-relevant features needed for diagnosis. The digital mask has shown the ability to evade recognition by human researchers and existing facial-recognition algorithms, and improves patients’ willingness to share medical information.

EFF: How to Ditch Facebook Without Losing Your Friends (Or Family, Customers or Communities)

Today, we launch “How to Ditch Facebook Without Losing Your Friends” - a narrated slideshow and essay explaining how Facebook locks in its users, how interoperability can free them, and what it would feel like to use an “interoperable Facebook” of the future, such as the one contemplated by the US ACCESS Act.

CONTRIBUTE

Have an interesting article, book, video, podcast or other resource that you would like to share with fellow privacy practitioners? Please do drop me a note.