Privacy Transformation - Issue 198
Curated privacy news, insights & resources, with a focus on Irish and EU developments.
PRIVACY
EU-US data transfer framework: European privacy authorities put forth caveats
The European Data Protection Board (EDPB) welcomed with reservations the new Data Privacy Framework, meant to provide the legal framework for transatlantic data flows. [Read EDPB Opinion]
🔗 RELATED:
- EDPB welcomes improvements under the EU-U.S. Data Privacy Framework, but concerns remain
- MEPs urge European Commission to reject EU-US adequacy
Royal Mail boss blames rogue managers for tracking devices on workers
The chief executive of Royal Mail has admitted digital tracking devices carried by postal workers were used to pressure them to work faster, blaming rogue managers for using the information in breach of the delivery company’s policy.
The raucous battle over Americans’ online privacy is landing on states
Tech privacy advocates frustrated by failures on Capitol Hill are looking to mine state capitals for legislative victories. A broad bipartisan federal privacy bill that died in Congress last year has quickly become the template for a statehouse-by-statehouse campaign to enact tough new restrictions on how Americans’ personal data can be mined and shared.
🔎 Insights: Credit scores, Algorithms and Automated Decision-making: What could the CJEU Schufa case mean in the US?
CJEU SCHUFA oral hearing discussion release - what do they mean for the scope of profiling and automated decision-making under GDPR, CPRA, CPA and AI law?
EDPB publishes a procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals
During its February plenary, the EDPB adopted a procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals.
France aims to protect kids from parents oversharing pics online
French parents had better think twice before posting too many pictures of their offspring on social media. Members of the National Assembly's law committee unanimously green-lit draft legislation to protect children's rights to their own images.
🔎 Insights: Only 3% of Companies’ Data Meets Basic Quality Standards
Most managers know, anecdotally at least, that poor quality data is troublesome. Bad data wastes time, increases costs, weakens decision making, angers customers, and makes it more difficult to execute any sort of data strategy. Indeed, data has a credibility problem.
SECURITY & TECH
Signal would 'walk' from UK if Online Safety Bill undermined encryption
The encrypted-messaging app Signal has said it would stop providing services in the UK if a new law undermined encryption.
🔗 RELATED: Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption
Royal Mail schools LockBit in leaked negotiation
The LockBit group has finally given up any prospect of extracting a ransom from Royal Mail and published the files it stole from the company in a recent ransomware attack. The leak brings weeks of negotiations to a close, leaving Royal Mail without a decryptor, and LockBit without a payday.
China hits out at US over TikTok ban on federal devices
China has accused the US of overreacting after federal employees were ordered to remove the video app TikTok from government-issued phones.
🔗 RELATED:
- Canada bans TikTok on government devices
- House panel to vote on bill that would give Biden authority to ban TikTok in US
AI Act: MEPs extend ban on social scoring, reduce AI Office role
The ban on social scoring has been extended to private companies, regulatory sandboxes could be used to demonstrate compliance, and the AI Office’s role has been downsized in a whopping new set of compromise amendments to the upcoming AI Act.
AI is starting to pick who gets laid off
As layoffs ravage the tech industry, algorithms once used to help hire could now be deciding who gets cut.
🔗 RELATED: NYC is about to regulate AI in hiring. Critics say the new law doesn’t do much
LastPass says employee’s home computer was hacked and corporate vault taken
Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.
DATA BREACH
Centric Health fined €460,000 over 2019 ransomware attack
Centric Healthcare has been fined €460,000 by the Data Protection Commissioner over a ransomware attack in 2019 that saw patient data encrypted by hackers. The attack, which restricted access to patient data, hit 11 Primacare GP practices, which Centric Health acquired in 2016. At the time, the practices were being integrated into Centric Health’s IT system. The attack affected the data of 70,000 patients. Of those, 2,500 had their data deleted with no backup available during attempts to mitigate the attack.
ENFORCEMENT
DPC Decision: Inquiry into Centric Health Ltd.
Publication of decision in an inquiry into Centric Health Ltd. Fines amounting to €460,000 imposed. This inquiry was commenced following a ransomware attack affecting the patient data of 70,000 persons held on Centric Health’s patient administration system.
HU SA decision in connection with legal compliance of cookie consent management framework of the websites of TV2 Média Csoport Zrt
The practical GDPR compliance of the cookie consent management system was the main focus of the case. The information provided to data subjects was not sufficient and was difficult to access due to the user interface. During the several-month procedure the data controller stated it would solve the issues it had acknowledged, but failed to do so and made only minor changes not affecting the merits of the case. An administrative fine was issued equal to approximately EUR 25,000.
ICO: Statement following Scottish Government’s consensual data protection audit
The Scottish Government has committed to implementing a series of recommendations, following an audit from the Information Commissioner’s Office (ICO). This will lead to improvements in the way people’s data is handled by the Scottish Government.
GUIDANCE & OPINIONS
EDPB publishes three guidelines following public consultation
Following public consultation, the EDPB has adopted three sets of guidelines in their final version:
- Guidelines on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR
- Guidelines 07/2022 on certification as a tool for transfers
- Guidelines on deceptive design patterns in social media platform interfaces
RESOURCES
📗 Report: Unique Identification of 50,000+ Virtual Reality Users from Head & Hand Motion Data
With the recent explosive growth of interest and investment in virtual reality (VR) and the so-called "metaverse," public attention has rightly shifted toward the unique security and privacy threats that these platforms may pose. While it has long been known that people reveal information about themselves via their motion, the extent to which this makes an individual globally identifiable within virtual reality has not yet been widely understood. In this study, we show that a large number of real VR users can be uniquely and reliably identified across multiple sessions using just their head and hand motion relative to virtual objects.
🔗 RELATED: New research suggests that privacy in the metaverse might be impossible
📘 Report: ICO publishes SME Data Essentials pilot evaluation report
The ICO have completed a pilot programme with up to 60 SMEs from across the UK, in which they have been trialling an e-learning and self-assessment programme. They have now published the pilot’s evaluation report.
📕 ENISA: Building Effective Governance Frameworks for the Implementation of National Cybersecurity Strategies
This study focuses on good practices for the set-up and deployment of a governance framework to support the implementation of the NCSS in the EU.
📙 ENISA: A Governance Framework for National Cybersecurity Strategies
The main aim of this statistical outline is to give an overview of the key findings of the study, link them with the main elements of the proposed governance framework and support them by insightful statistics.
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!