Privacy Transformation - Issue 196

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

Leinster House use of CCTV will be reviewed due to spying fears

A “best practice” review of CCTV cameras at Leinster House will be undertaken following concerns being raised that they are being used to spy on behalf of China. The Office of Public Works (OPW), which has responsibility for public buildings including the Leinster House complex, has said that in light of recent developments regarding CCTV, it is to review its policies.

MEPs urge European Commission to reject EU-US adequacy

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14.

💡Insights: CJEU issues ruling on DPOs and conflict of interest

Data protection officers can maintain other tasks and duties within their role, if they do not result in a conflict of interest, the Court of Justice of the European Union has affirmed. [Read CJEU Decision]


SECURITY & TECH

US senators question Zuckerberg on Chinese, Russian access to user data

Senators Mark Warner and Marco Rubio, chair and vice chair of the US Senate Select Committee on Intelligence, wrote to Facebook parent Meta Platforms on Monday (6 February) about documents that show it knew developers in China and Russia had access to user data that could be used for espionage.

University of Zurich hit with ‘serious’ cyberattack

The University of Zurich has become the latest in a long line of German-language institutions to be hit by a cyberattack in recent weeks. The university says it isn’t aware of any data being encrypted or extracted and IT services are continuing to operate as normal following the attack, which took the university’s website offline earlier today.

RELATED: Statement by University of Zurich

Increase in ransomware attacks at the end of last year - report

The Kroll Threat Landscape Report shows that as 2022 drew to a close there was an increase in attacks impacting the manufacturing, healthcare, technology and telecommunications industries.

[Read Report]

📣 Opinion: The UK Online Safety Bill: An attack on encryption

We all want to be able to address abuse on the internet. In the UK, the government is trying to achieve this through the Online Safety Bill (OSB). Developing such a bill is difficult as technology evolves far faster than legislation. But even allowing for that challenge, and that the OSB has some genuinely good intentions, the proposed legislation is still remarkably poor.

Quantum Tech Needed To Secure Critical Data From Quantum Decryption

In 2021, Booz Allen Hamilton analysts surmised that China will surpass Europe and the US in quantum-related research and development and that Chinese hackers could soon target heavily encrypted datasets such as weapon designs or details of undercover intelligence officers with a view to unlocking them at a later date when quantum computing makes decryption possible.

📣 Opinion: ChatGPT is a data privacy nightmare. If you’ve ever posted online, you ought to be concerned

ChatGPT has taken the world by storm. Within two months of its release it reached 100 million active users, making it the fastest-growing consumer application ever launched. Users are attracted to the tool’s advanced capabilities – and concerned by its potential to cause disruption in various sectors.

Google’s privacy-focused ad tracking solution hits Android in beta

Google is rolling out a beta of Privacy Sandbox for Android. The program is the company’s attempt to blend user privacy with targeted advertising, something the search giant has worked on for years in its planned shift away from cookie-based web tracking.

Dutch intelligence to analyze TikTok use on government phones

The Dutch government instructed its intelligence services to study the risks of the use of video app TikTok on government phones.

AI Act: All the open political questions in the European Parliament

The European Parliament’s rapporteurs on the AI Act circulated on Monday (13 February) an agenda for a key political meeting which includes new compromises on AI definition, scope, prohibited practices, and high-risk categories.


DATA BREACH

HSE to notify 100,000 patients over cyberattack data breach

The HSE has sent 32,000 letters to patients whose data was breached during the cyberattack on its network in 2021, but only 220 people have responded.

🔗 RELATED: HSE cyber attack: 32,000 notified of stolen data

Munster Technological University data leak includes big quantity of staff and student details

Data leaked from Munster Technological University (MTU) during last week’s cyberattack comprises vast amounts of staff and student information, including financial details.

🔗 RELATED: Data stolen in Munster Technological University cyberattack appears on 'dark web'

LockBit's Royal Mail ransom deadline flies by. No data released

The notorious LockBit ransomware gang has taken credit for an attack on the Royal Mail – but a deadline it gave for payment has come and gone with nothing exposed to the web except the group's claims.

Pepsi Bottling Ventures suffers data breach after malware attack

Pepsi Bottling Ventures LLC suffered a data breach caused by a network intrusion that resulted in the installation of information-stealing malware and the extraction of data from its IT systems.


ENFORCEMENT

Dutch DPA: Fine for failing to conduct a risk analysis before using camera cars in Rotterdam

The Dutch Data Protection Authority (DPA) has imposed a fine of €50,000 on the police for using camera cars in Rotterdam to monitor compliance with coronavirus measures without first assessing the privacy risks this might entail. As the cars drove around they collected and saved detailed images of people.


GUIDANCE & OPINIONS

EDPS: Opinion 6/2023 on the Proposals for Regulations on the collection and transfer of advance passenger information (API)

The EDPS has issued an Opinion on two legislative Proposals on the collection and transfer of advance passenger information (API), which includes air passengers’ personal data included in their travel documents (passport or identity cards) that is collected during check-in. The Proposals have two different aims: the first one, to facilitate effective border checks and to combat illegal immigration, and the other one, to prevent, detect, investigate, and prosecute terrorist offences and serious crime. [Read Press Release]


RESOURCES

📙 Guide: UN Guide on Privacy-Enhancing Technologies for Official Statistics

This document explores current approaches to data protection (e.g., data de-identification, input party computation, contractual controls and agreements) and their associated limitations. In order to facilitate experimentation on pilot projects and effective collaboration on “real world” use cases, the UN Privacy Preserving Techniques Task Team founded the UN PET Lab.

🔗 RELATED: UN Handbook on Privacy-Preserving Computation Techniques

🗞 Published: ISO/IEC 23894:2023 - Information technology — Artificial intelligence — Guidance on risk management

This document provides guidance on how organizations that develop, produce, deploy or use products, systems and services that utilize artificial intelligence (AI) can manage risk specifically related to AI. The guidance also aims to assist organizations to integrate risk management into their AI-related activities and functions. It moreover describes processes for the effective implementation and integration of AI risk management.

📕 Report: ENISA: Sustained Activity by Threat Actors

ENISA, the EU Agency for Cybersecurity, and CERT-EU, the Computer Emergency Response Team of all the EU institutions, bodies and agencies (EUIBAs), have issued a joint publication to alert on sustained activity by particular threat actors.

📗 Report: ENISA: Developing National Vulnerabilities Programmes

This report shows that, despite recent efforts by national governments in developing Coordinated Vulnerability Disclosure policies, some industry players have taken the lead and developed vulnerability policies and programmes at organisation level.

📄 EuroParl Think Tank: Online age verification methods for children

Protecting children online is becoming increasingly vital. For over two decades, there has been a limited range of online age verification methods available to protect children from accessing online content unsuitable for their age. A number of countries are introducing legislation and/or codes of practice to address this situation. At EU level too, there are increasing efforts in this regard, with a code of practice in the pipeline. Challenges abound, however, in the areas of privacy, monitoring and the need to improve parents' and children's digital skills.

📄 EuroParl Think Tank: Data collection and sharing relating to short-term accommodation rental services

On 7 November 2022, the European Commission published a proposal for a regulation on data collection and sharing relating to short-term accommodation rental services. The proposal contributes to the Commission's priorities to make the EU fit for the digital age and to build a future-ready economy that works for people. Building on the recent Digital Services Act, the proposal regulates online platforms that connect hosts and guests for short-term accommodation rentals.


CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!