Privacy Transformation - Issue 40

The Irish Data Protection Commission today released their Annual Report for 2019 (see Resources section). Of note in the report are the significant increases in the reporting of complaints (75% over 2018) and data security breaches (71% increase over 2018).

Despite resource constraints, the DPC concluded 5,496 complaints in 2019 and, as of year end, had 70 statutory inquiries on hand, including 49 domestic and 6 statutory inquiries open in relation to multinational technology companies’ compliance with the GDPR.

PRIVACY

Data Protection Commissioner signals blockbuster fines for multinationals on the way

The Irish Data Protection Commissioner has given the clearest signal yet that huge fines may be imposed on technology multinational firms under investigation here.

Garda chief wants new law to allow 'back door' access to personal devices

iPhones, WhatsApp and online storage should have a 'back door key' to allow police to fight serious crime, Garda Commissioner Drew Harris has said.

Opinion: Why has the State invested €70m in a private company to look at our genetic data?

Dr Ciara Staunton says it is “unfathomable” that the government has funded the collection of 400,000 Irish genomes, shutting them off from most researchers.

Marty Meany triggers GDPR probe into Catholic Church records in Dublin

The Catholic Church in Ireland is facing a data protection inquiry over its failure to delete records under the General Data Protection Regulation (GDPR), as requested by people who have renounced the

Hamburg DPA Annual Report - Press Release

"Instead of harmonised enforcement, a highly diverse and non-transparent milieu of enforcement cultures is emerging. Instead of establishing legal protection for data subjects, proceedings are postponed until they are almost forgotten."

Read the full press release here.

Met removes hundreds from gangs matrix after breaking data laws

How list is compiled also to be reviewed amid claims it blights life chances and is discriminatory.

Revealed: how drugs giants can access your health records

Experts say information sold on by Department of Health and Social Care can be traced back to individual medical records

Privacy Experts Skeptical of Proposed US Data Protection Agency

A new Data Protection Agency would overhaul federal regulation efforts around data privacy – but experts are skeptical that the U.S. government can get it right.

Don’t be fooled by Facebook’s ‘regulate us, please’ media blitz

Playing the free speech card, Zuckerberg wants his own idea of beneficial-to-Facebook ‘regulation’

SECURITY & TECH

Exclusive: Google users in UK to lose EU data protection - sources - Reuters

Google is planning to move its British users' accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead, sources said.

Automated facial recognition breaches GDPR, says EU digital chief

The EU’s digital and competition chief has said that automated facial recognition breaches GDPR as it doesn't gain consent

Internet privacy: the apps that protect you from your apps

Worried about the data collected about you? A new generation of startups is making apps to put your privacy settings straight

GDPR Cookie Consent Plugin Vulnerable, Thousands of WordPress Sites at Risk

The GDPR Cookie Consent plugin for WordPress has turned out to be vulnerable, exposing website owners to critical security issues.

Is Anyone Paying Attention to Healthcare Security?

According to a recent report in TechCrunch, over one billion medical images from patients around the world (including CT scans, X-rays and ultrasounds) are available online for download to anyone with “an internet connection and free-to-download software.” It’s a jarring number, but will this revelation change anything?

NOYB Complaint: Amazon doesn’t allow baseline TLS security

A complaint made by NOYB, Max Schrems' not-for-profit agency that pursues data protection regulation violations on behalf of data subjects, notes that Amazon doesn't allow TLS security for messages sent via its marketplace platform.

DATA BREACH

Ireland ranked second in Europe for data breach notifications

Over 160,000 notifications reported across European Economic Area since GDPR began

DPC: 75 separate data breaches by Tusla

Tusla is the subject of an inquiry by the Data Protection Commission after the contact and location details of a mother and child victim were “accidentally” disclosed to their alleged abuser.

Credit-score scandal fear as 15,000 given wrong rating during data breach

More than 15,000 people may be due substantial compensation after the State’s biggest financial credit rating body admitted mixing up sensitive credit scores during a data breach.

Plastic Surgery Database Exposed

An unsecured database belonging to a French technology firm that supplies video and digital equipment to plastic surgery and dermatology clinics exposed content on

MGM hack exposes personal data of 10.6 million guests

The hack was first reported by ZDNet on Wednesday, which said the stolen information was posted to a hacking forum this week. MGM confirmed the attack took place to the BBC.

ENFORCEMENT

French DPA (CNIL) - Enforcement Notices Served on Electric Companies

The CNIL found both companies do not meet certain conditions for obtaining consent related to personal data collection from Linky smart meters. EDF and ENGIE have been given three months to make changes, after which the CNIL would close the inquiries.

*Notice is in French*

Spanish DPA Enforcement Notices

AEPD enforcements continue at a clip, with the most recent including:

*Notices are in Spanish*

€1,500 - The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify itself. - [Notice]

€2,500 - The controller had disclosed personal data to a third party in a property purchase agreement (breach of principles of integrity and confidentiality of personal data) - [Notice]

€3,000 - The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis. - [Notice]

€50,000 - Iberdrola Clientes, an electricity company, terminated the data subject's contract without his consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis. - [Notice]

€42,000 - The complainant had access to third party data in his personal Vodafone profile. - [Notice]

€30,000 - The AEPD found that a third party had access to the name, telephone number and address of another customer. - [Notice]

More GDPR enforcement information can be found on:

enforcementtracker.com

GUIDANCE

Irish DPA - Guidance for Controllers on Data Security

The DPC has released guidance for Controllers on Data Security.

RESOURCES

Irish Data Protection Commission 2019 Annual Report

Commissioner for Data Protection, Helen Dixon, today launched the Irish Data Protection Commission’s Annual Report for 2019, detailing the work of the DPC for the first full calendar year since the introduction of the General Data Protection Regulation (GDPR).

Report available here.

Privacy By Design Toolkit: Thinking GDPR in the user experience

The French data protection authority CNIL has released a toolkit designed to aid in the approach to privacy by design. The toolkit is available in English and French.

European Commission publishes data strategy, AI white paper

The European Commission and U.K. Information Commissioner’s Office both took steps to address the developments and challenges around data and artificial intelligence.

Whitepaper available here.