Privacy Transformation - Issue 211
Curated privacy news, insights & resources, with a focus on Irish and EU developments.
PRIVACY
Why did the Irish data regulator not want to fine Meta?
Data Protection Commissioner initially planned not to fine Meta for data breaches but fines are arguably the most dissuasive tool in the GDPR toolkit.
Irish State may face damages claims over unlawful data gathering from Public Services Card
The State may face damages claims after the Department of Social Protection (DSP) was found to have improperly gathered data through the controversial Public Services Card.
Frontex risk analyses based on unreliable information, EU watchdog says
The EU border management agency Frontex produces untrustworthy risk analyses on migration due to the ‘low reliability of the data collected’, an investigation conducted by the European Data Protection Supervisor found.
✍🏻 Opinion: The Irish Times view on the fifth anniversary of GDPR: vital protections
Five years ago, one of the EU’s most globally influential and consequential pieces of legislation came into effect: the General Data Protection Regulation (GDPR). This ground-breaking law reshaped and fortified the data protection and privacy landscape overnight. While it has its imperfections and exasperations, GDPR has given EU citizens unprecedented, tangible safeguards and rights.
🔗 RELATED: ✍🏻 Have EU laws to protect our privacy online worked?
SECURITY & TECH
Cybersecurity sector braces for tug-of-war over AI
The continued development of AI brings both challenges and opportunities to the cybersecurity sector, a series of experts told EURACTIV, highlighting that while risks will increase, avenues for defence will too.
🔗 RELATED:
- ChatGPT-maker U-turns on threat to leave EU over AI law
- AI Act to impact EU countries asymmetrically, Slovak expert says
- EU Commission issues internal guidelines on ChatGPT, generative AI
A Popular Password Hashing Algorithm Starts Its Long Goodbye
When data breaches went from being an occasional threat to a persistent fact of life during the early 2010s, one question would come up again and again as victim organizations, cybersecurity researchers, law enforcement, and regular people assessed the fallout from each incident: Which password hashing algorithm had the target used to protect its users’ passwords?
TikTok Creators’ Financial Info, Social Security Numbers Have Been Stored In China
TikTok has stored the most sensitive financial data of its biggest stars — including those in its “Creator Fund” — on servers in China. Earlier this year, CEO Shou Chew told Congress “American data has always been stored in Virginia and Singapore.”
Microsoft Revises Bing Cookie Policy in France
Microsoft Ireland revised its cookie policy for the Bing search engine in France after it received a reprimand from the country's data protection agency for privacy violations.
DATA BREACH
Capita cyber-attack: 90 organisations report data breaches
About 90 organisations have reported breaches of personal information held by Capita after the outsourcing group suffered a cyber-attack, Britain’s data watchdog has said.
🔗 RELATED: Downstream breaches of Capita customers spreading
NHS data breach: trusts shared patient details with Facebook without consent
NHS trusts are sharing intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent and despite promising never to do so.
Dutch watchdog looking into alleged Tesla data breach
The data protection watchdog for the Netherlands said on Friday it was aware of possible Tesla data protection breaches, but it was too early for further comment.
ENFORCEMENT
Amazon to pay $25m over child privacy violations
Amazon is to pay $25m (£20m) to settle allegations that it violated children's privacy rights with its Alexa voice assistant. The company agreed to pay the US Federal Trade Commission (FTC) after it was accused of failing to delete Alexa recordings at the request of parents. It was found to have kept hold of sensitive data for years. Amazon's doorbell camera unit Ring will also pay out after giving employees unrestricted access to customers' data.
Berlin SA imposes 300 000 euro fine against bank after lack of transparency over automated rejection of credit card application
An applicant for a credit card applied via a Berlin-based bank's website, providing various data including income, occupation and personal details to do so. Based on the information requested and additional data from external sources, the bank's algorithm rejected the customer's application without any particular justification. The algorithm was based on criteria and rules previously defined by the bank. Since the applicant had a good credit rating and a regular high income, he doubted the automated rejection and complained to the Berlin data protection commissioner.
Europe’s privacy regime: 5 years in 5 charts
Europe's most famous technology law, the General Data Protection Regulation, has turned 5. The law has prompted businesses — from tech giants to hotel chains, cellphone companies to mom-and-pop businesses — to tighten their privacy policies. Many have cleaned up how they handle people’s personal data, encouraged by the prospect of being fined up to 4 percent of their annual revenue.
🔗 RELATED: GDPR 5 years on: Spain, Ireland lead in issuing fines; Meta hit hardest
RESOURCES
📗 Paper: Necessity, Proportionality, and Executive Order 14086
An examination of how Executive Order (EO) 14086 addresses the Schrems II concerns regarding necessity and proportionality, including consideration of questions raised in the EDPB's opinion.
📜 EDPS: Keynote Speech - Annual Privacy Forum 2023
Wojciech Wiewiórowski speaking at the ENISA Annual Privacy Forum 2023 in Lyon, France.
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!