Privacy Transformation - Issue 211

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

Why did the Irish data regulator not want to fine Meta?

Data Protection Commissioner initially planned not to fine Meta for data breaches, but fines are arguably the most dissuasive tool in the GDPR toolkit.

Irish State may face damages claims over unlawful data gathering from Public Services Card

The State may face damages claims after the Department of Social Protection (DSP) was found to have improperly gathered data through the controversial Public Services Card.

Frontex risk analyses based on unreliable information, EU watchdog says

The EU border management agency Frontex produces untrustworthy risk analyses on migration due to the ‘low reliability of the data collected’, an investigation conducted by the European Data Protection Supervisor found.

✍🏻 Opinion: The Irish Times view on the fifth anniversary of GDPR: vital protections

Five years ago, one of the EU’s most globally influential and consequential pieces of legislation came into effect: the General Data Protection Regulation (GDPR). This ground-breaking law reshaped and fortified the data protection and privacy landscape overnight. While it has its imperfections and exasperations, GDPR has given EU citizens unprecedented, tangible safeguards and rights.

🔗 RELATED: ✍🏻 Have EU laws to protect our privacy online worked?


SECURITY & TECH

Cybersecurity sector braces for tug-of-war over AI

The continued development of AI brings both challenges and opportunities to the cybersecurity sector, a series of experts told EURACTIV, who highlighted that while risks will increase, avenues for defence will too.

When data breaches went from being an occasional threat to a persistent fact of life during the early 2010s, one question would come up again and again as victim organizations, cybersecurity researchers, law enforcement, and regular people assessed the fallout from each incident: Which password hashing algorithm had the target used to protect its users’ passwords?

TikTok Creators’ Financial Info, Social Security Numbers Have Been Stored In China

TikTok has stored the most sensitive financial data of its biggest stars — including those in its “Creator Fund” — on servers in China. Earlier this year, CEO Shou Chew told Congress “American data has always been stored in Virginia and Singapore.”

Microsoft Ireland revised its cookie policy for the Bing search engine in France after it received a reprimand from the country's data protection agency for privacy violations.


DATA BREACH

Capita cyber-attack: 90 organisations report data breaches

About 90 organisations have reported breaches of personal information held by Capita after the outsourcing group suffered a cyber-attack, Britain’s data watchdog has said.

🔗 RELATED: Downstream breaches of Capita customers spreading

NHS trusts are sharing intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent and despite promising never to do so.

Dutch watchdog looking into alleged Tesla data breach

The data protection watchdog for the Netherlands said on Friday it was aware of possible Tesla data protection breaches, but it was too early for further comment.


ENFORCEMENT

Amazon to pay $25m over child privacy violations

Amazon is to pay $25m (£20m) to settle allegations that it violated children's privacy rights with its Alexa voice assistant. The company agreed to pay the US Federal Trade Commission (FTC) after it was accused of failing to delete Alexa recordings at the request of parents. It was found to have kept hold of sensitive data for years. Amazon's doorbell camera unit Ring will also pay out after giving employees unrestricted access to customers' data.

Berlin SA imposes 300 000 euro fine against bank after lack of transparency over automated rejection of credit card application

An applicant for a credit card applied via a Berlin-based bank's website, providing various data including income, occupation and personal details to do so. Based on the information requested and additional data from external sources, the bank's algorithm rejected the customer's application without any particular justification. The algorithm was based on criteria and rules previously defined by the bank. Since the applicant had a good credit rating and a regular high income, he doubted the automated rejection and complained to the Berlin data protection commissioner.

Europe’s privacy regime: 5 years in 5 charts

Europe's most famous technology law, the General Data Protection Regulation, has turned 5. The law has prompted businesses — from tech giants to hotel chains, cellphone companies to mom-and-pop businesses — to tighten their privacy policies. Many have cleaned up how they handle people’s personal data, encouraged by the prospect of being fined up to 4 percent of their annual revenue.

🔗 RELATED: GDPR 5 years on: Spain, Ireland lead in issuing fines; Meta hit hardest


RESOURCES

📗 Paper: Necessity, Proportionality, and Executive Order 14086

An examination of how Executive Order (EO) 14086 addresses the Schrems II concerns regarding necessity and proportionality, including consideration of questions raised in the EDPB's opinion.

📜 EDPS: Keynote Speech - Annual Privacy Forum 2023

Wojciech Wiewiórowski speaking at the ENISA Annual Privacy Forum 2023 in Lyon, France.


CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!