Privacy Transformation - Issue 198

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

EU-US data transfer framework: European privacy authorities put forth caveats

The European Data Protection Board (EDPB) welcomed with reservations the new Data Privacy Framework, meant to provide the legal framework for transatlantic data flows. [Read EDPB Opinion]

Royal Mail boss blames rogue managers for tracking devices on workers

The chief executive of Royal Mail has admitted digital tracking devices carried by postal workers were used to pressure them to work faster, blaming rogue managers for using the information in breach of the delivery company’s policy.

The raucous battle over Americans’ online privacy is landing on states

Tech privacy advocates frustrated by failures on Capitol Hill are looking to mine state capitals for legislative victories. A broad bipartisan federal privacy bill that died in Congress last year has quickly become the template for a statehouse-by-statehouse campaign to enact tough new restrictions on how Americans’ personal data can be mined and shared.

🔎 Insights: Credit scores, Algorithms and Automated Decision-making: What could the CJEU Schufa case mean in the US?

CJEU SCHUFA oral hearing discussion release: what do they mean for the scope of profiling and automated decision-making under the GDPR, CPRA, CPA and AI law?

EDPB publishes a procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals

During its February plenary, the EDPB adopted a procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals.

France aims to protect kids from parents oversharing pics online

French parents had better think twice before posting too many pictures of their offspring on social media. Members of the National Assembly's law committee unanimously green-lit draft legislation to protect children's rights to their own images.

🔎 Insights: Only 3% of Companies’ Data Meets Basic Quality Standards

Most managers know, anecdotally at least, that poor quality data is troublesome. Bad data wastes time, increases costs, weakens decision making, angers customers, and makes it more difficult to execute any sort of data strategy. Indeed, data has a credibility problem.


SECURITY & TECH

Signal would 'walk' from UK if Online Safety Bill undermined encryption

The encrypted-messaging app Signal has said it would stop providing services in the UK if a new law undermined encryption.

🔗 RELATED: Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption

Royal Mail schools LockBit in leaked negotiation

The LockBit group has finally given up any prospect of extracting a ransom from Royal Mail and published the files it stole from the company in a recent ransomware attack. The leak brings weeks of negotiations to a close, leaving Royal Mail without a decryptor, and LockBit without a payday.

China hits out at US over TikTok ban on federal devices

China has accused the US of overreacting after federal employees were ordered to remove the video app TikTok from government-issued phones.

AI Act: MEPs extend ban on social scoring, reduce AI Office role

The ban on social scoring has been extended to private companies, regulatory sandboxes could be used to demonstrate compliance, and the AI Office’s role has been downsized in a whopping new set of compromise amendments to the upcoming AI Act.

AI is starting to pick who gets laid off

As layoffs ravage the tech industry, algorithms once used to help hire could now be deciding who gets cut.

🔗 RELATED: NYC is about to regulate AI in hiring. Critics say the new law doesn’t do much

LastPass says employee’s home computer was hacked and corporate vault taken

Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.


DATA BREACH

Centric Health fined €460,000 over 2019 ransomware attack

Centric Healthcare has been fined €460,000 by the Data Protection Commissioner over a ransomware attack in 2019 that saw patient data encrypted by hackers. The attack, which restricted access to patient data, hit 11 Primacare GP practices, which Centric Health acquired in 2016. At the time, the practices were being integrated into Centric Health’s IT system. The attack affected the data of 70,000 patients. Of those, 2,500 had their data deleted with no backup available during attempts to mitigate the attack.


ENFORCEMENT

DPC Decision: Inquiry into Centric Health Ltd.

Publication of decision in an inquiry into Centric Health Ltd. Fines amounting to €460,000 imposed. This inquiry was commenced following a ransomware attack affecting the patient data of 70,000 persons held on Centric Health’s patient administration system.

The practical GDPR compliance of the cookie consent management system was the main focus of the case. The information provided to data subjects was insufficient and was difficult to access because of the user interface. During the procedure, which lasted several months, the data controller stated that it would resolve the issues it had acknowledged, but failed to do so and made only minor changes that did not affect the merits of the case. An administrative fine of approximately EUR 25,000 was imposed.

ICO: Statement following Scottish Government’s consensual data protection audit

The Scottish Government has committed to implementing a series of recommendations, following an audit from the Information Commissioner’s Office (ICO). This will lead to improvements in the way people’s data is handled by the Scottish Government.

[Read Report]


GUIDANCE & OPINIONS

EDPB publishes three guidelines following public consultation

Following public consultation, the EDPB has adopted three sets of guidelines in their final version:


RESOURCES

📗 Report: Unique Identification of 50,000+ Virtual Reality Users from Head & Hand Motion Data

With the recent explosive growth of interest and investment in virtual reality (VR) and the so-called "metaverse," public attention has rightly shifted toward the unique security and privacy threats that these platforms may pose. While it has long been known that people reveal information about themselves via their motion, the extent to which this makes an individual globally identifiable within virtual reality has not yet been widely understood. In this study, we show that a large number of real VR users can be uniquely and reliably identified across multiple sessions using just their head and hand motion relative to virtual objects.

🔗 RELATED: New research suggests that privacy in the metaverse might be impossible

📘 Report: ICO publishes SME Data Essentials pilot evaluation report

The ICO have completed a pilot programme with up to 60 SMEs from across the UK, in which they have been trialling an e-learning and self-assessment programme. They have now published the pilot’s evaluation report.

📕 ENISA: Building Effective Governance Frameworks for the Implementation of National Cybersecurity Strategies

This study focuses on good practices for setting up and deploying a governance framework to support the implementation of national cybersecurity strategies (NCSS) in the EU.

📙 ENISA: A Governance Framework for National Cybersecurity Strategies

The main aim of this statistical outline is to give an overview of the key findings of the study, link them with the main elements of the proposed governance framework and support them by insightful statistics.


CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!