Privacy Transformation - Issue 35

PRIVACY

Controversial cameras needed at children’s hospital ‘to prevent babies being taken’

Controversial facial recognition technology is being installed in the new national children’s hospital in order to prevent babies being snatched, local politicians in Dublin have been told.

This story comes on the heels of Politico reporting that the EU is considering a temporary ban on facial recognition in public spaces.

Data Protection Commission criticised as WhatsApp decision nears

Data protection authorities in Europe issued fines worth a combined €410 million to organisations last year for violations but none originated in the Republic, despite it being home to many of the world’s biggest technology companies.

Three GDPR Complaints filed against Grindr, Twitter and the AdTech companies Smaato, OpenX, AdColony and AT&T’s AppNexus

NOYB, the organisation founded by privacy activist Max Schrems to highlight violations of privacy rights, reports that the Norwegian Consumer Council has filed three formal complaints against the dating app Grindr and five adtech companies that were receiving personal data through the app.

The Verge and the BBC are also reporting on this story.

Grindr shares personal data with ad companies in violation of GDPR, complaint alleges

Grindr is sharing users’ personal data in violation of the EU’s GDPR legislation, a new complaint claims. A Norwegian nonprofit has filed three complaints against the service, along with five adtech companies that receive its data.

The BBC also writes that Grindr and Twitter face 'out of control' complaint.

US lawmakers concerned by accuracy of facial recognition

US lawmakers have heard testimony on the risks of facial recognition programs, which are largely unregulated.

Microsoft's new Office 365 terms: 'We won't use your data for advertising or profiling'

Microsoft has rolled out a new version of its Online Services Terms in response to gripes raised by the Dutch Ministry of Justice over telemetry data that Microsoft collected from Office 365 Plus and Office 365 users.

Cookies crumbling as Google phases them out

Google is to restrict the number of advertising cookies on websites accessed via its Chrome browser, in response to calls for greater privacy controls.

SECURITY & TECH

Building a more private web: A path towards making third party cookies obsolete

The official Google blog post announcing their update to how cookies will be treated by their browser.

Recently, security analyst Troy Hunt discussed 'Promiscuous Cookies and Their Impending Death via the SameSite Policy'.

Microsoft listened to Skype calls with 'no security' to protect recordings, report says

Microsoft uses human reviewers to improve voice services like Skype and Cortana, but a report says it had "no security measures" in place to guard data.

Apple's new privacy features have further rattled the location-based ad market

The pivot to privacy is roiling the location-based ad market, calling into question its future direction at a time when people are alert about the collection of their geographic information.

US National Security Agency discovers flaw in Microsoft's Windows 10

Microsoft has rolled out an important security fix after the US National Security Agency tipped off the company to a serious flaw in its widely used Windows operating system, officials said.

Ransomware Shuts Down Michigan School District

Systems that were affected by the ransomware attack included the district’s phones, copiers, classroom technology and heating.

DATA BREACH

A billion medical images are exposed online, as doctors ignore warnings

Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.

Amazon fires employees for leaking customer email addresses and phone numbers

Amazon has fired a number of employees after they shared customer email addresses and phone numbers with a third party “in violation of our policies.”

ENFORCEMENT

Romanian DPA - Insufficient legal basis for data processing fine

The Romanian DPA has issued a fine of €6,000 to a company responsible for unlawfully processing an individual's personal data. They were unable to prove that they had obtained the individual's consent to send e-mail notifications.

Cypriot DPA - Controller fined for insufficient technical and organisational measures

The Cypriot DPA has fined a controller €9,000 for granting the police access to personal data and failing to take adequate measures to secure the data.

*Story is in Greek*

The Cypriot DPA has fined a controller €1,000 for sending SMS marketing messages without consent.

*Notice is in Greek*

Spanish DPA - Fine for insufficient cooperation with supervisory authority

The AEPD has imposed a €3,000 fine for failure to provide information to the AEPD within the required timeframe in violation of Article 58.

*Notice is in Spanish*

Spanish DPA - Fine for non-compliance with general data processing principles

The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.

*Notice is in Spanish*

The Spanish DPA has issued a fine of €75,000 to a company that processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject.

*Notice is in Spanish*

The Spanish DPA has issued a fine of €75,000 to a company that processed personal data in connection with a gas contract without the consent of the applicant.

*Notice is in Spanish*

The Spanish DPA has issued a fine of €10,000 to an organisation that processed the personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.

*Notice is in Spanish*

RESOURCES

New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices.

National DPA Blacklists

This resource summarises the 'black lists' submitted by EU National Supervisory Authorities that set out criteria that should be considered when determining whether processing involves a "high risk".

UK NCSC Guidance - Secure communications principles: alpha release

Guidance to help you assess the security of voice, video and messaging communication services.