Privacy Transformation - Issue 39

PRIVACY

Data and privacy will be Brexit battlegrounds

RTÉ's Europe Editor Tony Connelly examines the potential problems ahead for Ireland if the EU and Britain struggle to agree a new data sharing deal.

PSC data protection policy updated after Doherty loses seat

The Department of Employment Affairs and Social Protection has updated its key data protection policy with regard to the Public Services Card on foot of a negative report regarding the card carried out by the Data Protection Commissioner, Helen Dixon.

EU Data Protection Seal

The EDPB have published a document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification: The European Data Protection Seal.

Do Sports Clubs' WhatsApp Groups Breach the GDPR?

Following on from the headline story of Issue #37 on the GAA's decision to abandon its usage of WhatsApp over data protection concerns, this article by William Fry takes a look at the core data protection issues at play, WhatsApp's response, and the solutions under consideration.

What powers will Ofcom have to regulate the internet?

Ofcom, the UK regulator for communications services, is to be tasked with policing web platforms for illegal and harmful content, giving it the ability to fine online platforms that do not protect users from harmful content.

EU backs away from proposed five-year facial recognition ban

The European Union won't issue a ban on facial recognition tech, as it once proposed. In a previous draft of a paper on artificial intelligence, the European Commission suggested a five-year moratorium on facial recognition, so that the technology's impact could be studied.

Facebook postpones EU dating service launch amid DPC concerns

Facebook has postponed the roll-out of its new dating services in the EU, scheduled for tomorrow, after Ireland's Data Protection Commissioner raised concerns about the launch.

A statement by the DPC can be found here.

PODCAST - The End of Privacy as We Know It?

An unregulated facial recognition app can probably tell the police your name, and help them find out where you live and who your friends are.

SECURITY & TECH

Equifax: US charges four Chinese military officers over huge hack

Nearly 150 million Americans had personal data compromised in the hack of the credit rating giant.

This new working group looks to tackle adtech, RTB issues

The U.K. Information Commissioner's Office put the advertising technology industry on notice last summer. The message was simple: The entire industry has been operating illegally. Organizations were not properly gathering consent to serve targeted ads, and the agency cited a lack of transparency in how data is processed and sold in real-time bidding scenarios.

ENISA - Do you know who is who in EU cybersecurity?

The ENISA - EU Cybersecurity Institutional Map is an attempt to depict the complex landscape of actors involved in cybersecurity at the EU level. This map aims to provide a clear picture of the responsibilities and roles of the different EU institutions, agencies and bodies in cybersecurity.

Map available here.

DATA BREACH

Passport office had 100 data breaches

The Passport Service reported almost 100 data breaches to the Data Protection Commission last year, including more than 30 instances where passports were sent to the wrong addresses.

However, the service insists that the breaches represent a tiny fraction of its total workload and notes that steps are being taken to minimise any such issues of data and personal documents being misplaced or lost.

Facebook was repeatedly warned of security flaw that led to biggest data breach in its history

Facebook knew about a huge security flaw that let hackers steal personal data from millions of its users almost one year before the crime, yet failed to fix it in time.

ENFORCEMENT

The Spanish DPA has been particularly active since the new year, as you will note below. Much of this information is taken from enforcementtracker.com, an excellent resource for keeping up to date on notices of the latest enforcement actions.

Norwegian DPA - Fine imposed on the Municipality of Oslo, the Education Agency

In October 2019, an administrative fine was imposed on the Municipality of Oslo, the Education Agency, as a result of poor security of processing in the ‘Skolemelding’ mobile app. The app is used for communication between school employees, parents and pupils.

Fine of €120,000.

The AEPD found that the Nagasaki Cafetería did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians.

Fine of €1,500.

According to the data protection authority, XFERA MOVILES has violated Article 6(1) of the GDPR, as the company has unlawfully processed data, including bank details, customer address and name of the data subjects.

Fine of €60,000.

The fine was preceded by a complaint from the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscription with a third party without the data subject's knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him.

Fine of €75,000.

The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data were incorporated into the information systems of Vodafone España without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data.

The fine of 100,000 EUR was reduced to 60,000 EUR due to a voluntary payment.

Spanish DPA - Breach of Personal Data

The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to its neighbour.

Fine of €50,000.

Spanish DPA - Unsolicited Electronic Communications

Iberia continued to send e-mails to the data subject, despite the data subject having requested the withdrawal of his consent and the erasure of his personal data, and despite the execution of these measures having already been confirmed to him.

Fine of €20,000.

Spanish DPA - Repeated Incorrect Mailings

The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. As the reason for the incorrect mailings, Vodafone cited a technical error.

Fine of €75,000.

Spanish DPA - Unsolicited Marketing

The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data.

Fine of €6,670.

The company processed personal data of customers without required consent.

Fine of €5,000.

An employee created a fake profile about a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information about her sexual nature. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website.

As the private person was found to have a personality disorder, the fine was reduced from an initial EUR 1,000 to EUR 800.

COURTS, JUDGEMENTS & OPINIONS

Courts Service breached data law by publishing man’s name

The Courts Service was guilty of a data protection breach when it published a man’s name in a High Court judgment contrary to an order made by the judge who both made the order and wrote the judgment.

GUIDANCE

Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications.

EDPB Guidelines on processing of personal data through video devices

Guidelines 3/2019 on processing of personal data through video devices.

EDPB Guidelines on personal data and electronic communications in the EU institutions

These guidelines are intended to provide practical advice and instruction to the EU institutions on the processing of personal information in the use of eCommunications tools, to ensure that they comply with their data protection obligations as set out in the Data Protection Regulation (EU) 2018/1725 applicable to the EU institutions.

AEPD Guidelines on GDPR compliance for data processing used in AI

The AEPD (Spanish DPA) has published guidelines on GDPR compliance for data processing when using Artificial Intelligence (AI).

*Note: Text is in Spanish*

UK NCSC's new Phishing Guidance

Phishing represents a huge threat to everyone's online security, and the NCSC spends a lot of time combating it in different ways. This guidance is an important addition to our portfolio of anti-phishing measures.

EU representative on 'How to operationalize Article 27'

The EU General Data Protection Regulation requires organizations based outside of the European Union but subject to the GDPR to appoint an EU representative. What does this mean in practice?