Privacy Transformation - Issue 24
PRIVACY
Facebook agrees to pay fine over Cambridge Analytica scandal
Facebook has agreed to pay a £500,000 fine, the highest possible, to the Information Commissioner’s Office over the Cambridge Analytica scandal, ending more than a year of litigation between the regulator and social network.
A statement by the ICO can be found here.
Data protection experts want watchdog to investigate Conservative and Labour parties
Data protection experts have called on the watchdog to investigate political parties' use of data, after internal Labour and Conservative records revealed how they will target voters in a general election.
Finland eyes ePrivacy agreement before year's end
The Presidency of the EU Council is expected to propose yet another iteration of the ePrivacy text for the next meeting of the Working Party on Telecommunications and Information Society Nov. 7.
EU-U.S. Privacy Shield: Third review welcomes progress while identifying steps for improvement
The third review of the EU-US Privacy Shield has taken place, with resulting recomendations including:
- Further strengthening the re-certification process for companies who want to participate by shortening the time of the re-certification process;
- expanding compliance checks, including concerning false claims of participation in the framework;
- developing additional guidance for companies related to human resources data.
Embedding accountability – we want to hear from you - ICO
The ICO have announced a consultation on developing an accountability toolkit.
Civil servants plotting mobile phone 'facial recognition' to boost sign-ups for controversial MyGovId platform
You need a PSC to get a MyGovId, and senior civil servants have looking at expanding the services available on it.
CNIL bans high schools' facial-recognition programs
The French data protection authority, the CNIL, announced it has ordered high schools in Nice and Marseille to end their facial-recognition programs. Following a review, the CNIL found the schools' deployment of the software was not in line with the EU General Data Protection Regulation's principles on proportionality and data minimisation.
Irish data protection commissioner set to issue decisions on Twitter and Whatsapp probes by end of year
The Irish data protection commissioner expects to issue decisions on investigations into Twitter and Whatsapp by the end of the year, a spokeswoman has said.
Tech solutions to customs crux fraught with data issues says Dixon
Data Protection Commissioner Helen Dixon has said it is pointless to have strong guarantees on personal data under EU law if an organisation can bypass these by transferring data to another jurisdiction with lower guarantees.
SECURITY & TECH
Why WhatsApp is pushing back on NSO Group hacking
At WhatsApp, we believe people have a fundamental right to privacy and that no one else should have access to your private conversations, not even us.
Public keys are not enough for SSH security
If your organization uses SSH public keys, it’s entirely possible you have already mislaid one. There is a file sitting in a backup or on a former employee’s computer which grants the holder access to your infrastructure. If you share SSH keys between employees it’s likely only a few keys are enough to give an attacker access to your entire system. If you don’t share them, it’s likely your team has generated so many keys you long lost track of at least one.
Getting Cash for Our Data Could Actually Make Things Worse
Jaron Lanier and E. Glen Weyl suggest that data dignity-the ability to sell our own data on a free market-will create a better digital society, but experts disagree.
Facebook alters video to make people invisible to facial recognition
Facebook AI Research says it's created the first machine learning system that can stop a facial recognition network from identifying people in videos.
Why passwords don't work, and what will replace them
Passwords can be insecure, easy to lose and easier to forget, so can new tech protect us?
Georgia hit by massive cyber-attack
A huge cyber-attack has knocked out more than 2,000 websites - as well as the national TV station - in the country of Georgia.
POLITICAL ADVERTISING:
Read the Letter Facebook Employees Sent to Mark Zuckerberg About Political Ads
Hundreds of Facebook employees signed a letter decrying the decision to let politicians post any claims they wanted — even false ones — in ads on the site.
Twitter will stop running political ads ahead of 2020 election
Twitter will stop accepting political ads, the company's CEO, Jack Dorsey, announced Wednesday.
DATA BREACH
Adobe left 7.5 million Creative Cloud user records exposed online
Exposed data primarily includes emails, but not passwords or financial information.
After Twitter Allegations, Nord VPN Discloses 2018 Breach
A virtual private network that markets its “advanced security” said on Monday that one of its services had been compromised last year. - This article contains additional context to last weeks article on the NordVPN Breach.
ENFORCEMENT
EUR 800 in non-material damages under Art 82 GDPR awarded by Austrian Court for the processing of party preferences without legal basis
The Court of Feldkirch (Austria) awards a natural person the personal data (“party preference”) of which has been processed by the Austrian Postal Corp. without legal basis EUR 800,-- in non-material damages according to Art 82 GDPR.
Enforcement Notice - Insufficient legal basis for data processing
The Austrian Post had created profiles of more than three million Austrians, which included information about their home addresses, personal preferences, habits and possible party affinity - which were subsequently resold, for example to political parties and companies.
EUR 9400 fine imposed on Mayor of Polish city
No data processing agreement was concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the city.
GUIDELINES
DPC - Updated Guidance for Organisations Engaging Cloud Service Providers
The DPC has updated their guidance for organisations engaging Cloud Service Providers
RESOURCES
Records Register - European Data Protection Supervisor - European Data Protection Supervisor
The European Data Protection Supervisor has published its records of processing activities to comply with Article 31 of Regulation 2018/1725 (the regulation that EU Institutions are subject to, comparable to Article 30 of the GDPR).
Opinion of the Data Ethics Commission
The Data Ethics Commission presented its Opinion to the Federal Government on 23 October 2019 at a closing ceremony at the Federal Ministry of Justice and Consumer Protection.