Privacy Transformation - Issue 193

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

DPC in dispute with Dáil committee over 'inaccurate data' in report

An Oireachtas Committee has told the Data Protection Commission it is “satisfied” with how it produced a report which the DPC has claimed, in a letter sent almost 18 months after it was published, contains “a number of inaccuracies”.

Protect independence of privacy watchdog, EU Parliament to tell Greece

The European Parliament’s PEGA committee is expected to call on the Greek government to protect the independence of the authority responsible for privacy issues (ADAE) and shed light on the so-called “Greek Watergate”, a wiretapping scandal which has shaken domestic politics for months.

Swedish presidency tries to close in on the Data Act

The Swedish presidency of the EU Council circulated a new compromise on the Data Act, a proposed data law regulating how data is accessed, ported and shared.

RELATED: Germany’s position on the Data Act

ICCL: Does the European Parliament use Facial Recognition Technology?

ICCL has obtained 32 documents from the European Parliament about its use of CCTV cameras. We have learned that the European Parliament, which opposes facial recognition technology (FRT), had itself tendered for facial recognition capable cameras in 2015.


SECURITY & TECH

Committee told radical overhaul of HSE tech systems needed

The Health Service Executive has said that its technology and eHealth systems need to be radically overhauled, in order to provide the type of solutions needed for a modern health service.

EU Commission to create common oncology imaging database

The European Commission launched its European Cancer Imaging Initiative on Monday (23 January), which aims to create a common digital infrastructure across the EU to facilitate data sharing on the disease.

RELATED: Europe's Beating Cancer Plan: Launch of the European Cancer Imaging Initiative

New stronger rules start to apply for the cyber and physical resilience of critical entities and networks

Two key directives on critical and digital infrastructure have just entered into force and will strengthen the EU's resilience against online and offline threats, from cyberattacks to crime, risks to public health or natural disasters.

LastPass owner GoTo says hackers stole customers' backups

LastPass’ parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.

DOJ Sues Google, Seeking to Break Up Online Advertising Business

The Justice Department is seeking the breakup of Google’s business brokering digital advertising across much of the internet, a major expansion of the legal challenges the company faces to its business in the U.S. and abroad.


DATA BREACH

HSE employee seeks to compel DPC to investigate alleged work phone data breach

A HSE employee wants the court to compel the Data Protection Commission (DPC) to investigate his complaint that personal data on his work mobile phone was accessed as part of the 2021 cyberattack on the health service's computer system.

U.S. ‘No Fly List’ Leaks After Being Left in an Unsecured Airline Server

A copy of the U.S. No Fly List has leaked after being stored on an unsecured server connected to a commercial airline. The No Fly List is an official list maintained by the U.S. government of people it has banned from traveling in or out of the United States on commercial flights.

PayPal accounts breached in large-scale credential stuffing attack

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.

T-Mobile hacked to steal data of 37 million accounts in API data breach

T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).

Major App Flaw Exposed the Data of Millions of Indian Students

A security lapse in an app operated by India’s Education Ministry exposed the personally identifying information of millions of students and teachers for over a year.


ENFORCEMENT

DPC: Inquiry into An Garda Síochána

The data breach that is the subject of this inquiry concerned the personal data of “persons of interest” to An Garda Síochána in the context of ongoing investigations. The data was processed on an Intelligence Bulletin board located in a room in a Garda station to which no person other than a Garda should have had unaccompanied access. The personal data was ultimately shared on social media.

Norwegian SA fines Recover AS for violation of privacy

The background to the fine is a complaint from a private individual who was subjected to a credit assessment without any form of customer relationship or other connection to the company Recover AS.

Clubhouse fined EUR 2 million by the Italian SA

The proceeding originated from an own-volition inquiry by the Italian SA following press reports and an alert lodged by a consumer association on several data protection issues relating to Clubhouse, a social media platform provided by the USA-based company Alpha Exploration Inc.

EDPB publishes Binding Decision concerning WhatsApp

In its Binding Decision, the EDPB instructed the IE DPA to amend its draft decision with respect to the findings concerning lawfulness of the processing and the principle of fairness, and to the corrective measures envisaged.


RESOURCES

Introducing the Design Process Standard

Published by the Institute of Operational Privacy Design, this standard details the components necessary in a design process to incorporate privacy considerations and reduce privacy risks to individuals.

Report: ICO — Empowering people to foster trust in tomorrow’s technological advancements

The ICO's Tech Horizons Report looks at technologies emerging over the next two to five years and warns that the significant benefits they offer could be lost if people feel companies are misusing their data.

Lawmakers are more aware than ever of the risks posed by automated surveillance systems which track our faces, bodies and movements across time and place. In the EU's AI Act, facial and other biometric systems which can identify people at scale are referred to as 'Remote Biometric Identification', or RBI. But what exactly is RBI, and how can you tell the difference between an acceptable and unacceptable use of a biometric system?

White Paper: IAPP 2023 Global Legislative Predictions

The IAPP gathered predictions from privacy professionals in 56 jurisdictions across six continents and presented them in this white paper so you can see what may play out across the world from on-the-ground experts.


CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!