Privacy Transformation - Issue 32
Welcome to the final Privacy Transformation issue for 2019 in what was a significant year for the implementation and enforcement of the General Data Protection Regulation as well as the raising of privacy awareness among citizens worldwide.
At the same time, advances in areas such as facial recognition and online and offline tracking of individuals continue to highlight the importance of having effective regulation, enforcement and awareness to provide needed oversight.
In Ireland, the fallout from the Public Services Card investigation highlighted the challenges faced by an independent regulator providing oversight of the same entity that it relies on for funding. Despite these challenges, the DPC has shown that steady and measured progress can be made in enforcing data protection regulation, as it continues to carve out its place as a key regulator for many of Europe’s biggest tech giants.
2020 promises to be another milestone year as we monitor the progress of the ePrivacy regulation and await the outcome of significant investigations by data protection authorities.
I hope this weekly digest continues to be an increasingly valuable resource for your privacy news into the year ahead.
Wishing you all the best for 2020.
- Alan
PRIVACY
‘Enormous amount at stake’ in Irish murder data appeal case
There is an "enormous amount at stake" in an appeal against a High Court decision that found the police's capturing of mobile phone metadata in relation to a murder case breached EU law, Ireland's Supreme Court has heard.
Adtech and the data protection debate – where next?
The ICO has reached the end of a six-month review period after the release of their AdTech Update Report. In this latest blog post, they note that they are now reviewing their findings. Real time bidding (RTB) has been in the crosshairs in 2019 as there has been a greater awareness of the privacy implications of the practice and regulators have begun to take notice.
Statement on ICO-approved certification schemes
The ICO has announced it will be working with UK Accreditation Service (UKAS) to deliver the ICO-approved certification schemes.
The ICO will approve and publish the certification schemes and, as the UK national accreditation body, UKAS will accredit certification bodies to deliver those schemes.
Press release available here.
Dutch Data Protection Authority advances Certification Mechanism for Data Processing
The Dutch data protection authority announced that it has signed an information protocol with the Dutch Accreditation Council for the joint approval of certification with the aim of approving the compliance of certain components or processes with the General Data Protection Regulation. [Press Release in Dutch]
SECURITY & TECH
It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool
ToTok, an Emirati messaging app that has been downloaded to millions of phones, is the latest escalation of a digital arms race.
Facebook to stop using phone numbers to recommend 'friends'
Facebook is to stop using members' phone numbers in its friends recommendation system in 2020 following concern about privacy implications.
Every move you make, I’ll be watching you: Privacy implications of the Apple U1 chip and ultra-wideband
The concerning trend of tracking users' locations through their mobile phones has very serious privacy implications. This article explores a new technology called ultra-wideband communications (UWB), which has the potential to track an individual's indoor location with high accuracy, prompting a new raft of privacy concerns.
China's APT20 Hacks Detected Bypassing Two-Factor in Attacks
A Chinese hacking group believed to operate on behalf of the Beijing government has learned how to bypass two-factor authentication (2FA) in attacks on government and industry targets.
DATA BREACH
Wawa says data breach may have collected thousands of customer card numbers and names
The Wawa convenience store chain says a data breach may have collected debit and credit card information from thousands of customers.
ENFORCEMENT
London pharmacy fined after “careless” storage of patient data
The Information Commissioner’s Office (ICO) has issued their first fine under the GDPR, of £275,000, to a London-based pharmacy for failing to ensure the security of special category data.
COURTS, JUDGEMENTS & OPINIONS
Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid
Press release of Advocate General, CJEU, detailing an opinion on the validity of personal data transfers using standard contractual clauses.
GUIDANCE
EDPS Guidance on Assessing Proportionality
The EDPS has issued guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data.
CNIL & Facial recognition: for a debate living up to the challenges
Facial recognition is raising new questions about societal choices and, as such, interest in this technology is growing on national, European and global public agendas alike.
CNIL, the French data protection authority, has issued a note regarding the technical, legal and ethical aspects to be considered as well as the role that CNIL plays in the process.