Privacy Transformation - Issue 40
The Irish Data Protection Commission today released their Annual Report for 2019 (see Resources section). Of note in the report are the significant increases in the reporting of complaints (75% over 2018) and data security breaches (71% increase over 2018).
The DPC, despite resource constraints, concluded 5,496 complaints in 2019 and, as of year end, had 70 statutory inquiries on hand, including 49 domestic and 6 statutory inquiries open in relation to multinational technology companies’ compliance with the GDPR.
PRIVACY
Data Protection Commissioner signals blockbuster fines for multinationals on the way
The Irish Data Protection Commissioner has given the clearest signal yet that huge fines may be imposed on technology multinational firms under investigation here.
Garda chief wants new law to allow 'back door' access to personal devices
iPhones, Whatsapp and online storage should have a 'back door key' to allow police to fight serious crime, Garda Commissioner Drew Harris has said.
Opinion: Why has the State invested €70m in a private company to look at our genetic data?
Dr Ciara Staunton says it is “unfathomable” that the government has funded the collection of 400,000 Irish genomes, shutting them off from most researchers.
Marty Meany triggers GDPR probe into Catholic Church records in Dublin
The Catholic Church in Ireland is facing a data protection inquiry over its failure to delete records under the General Data Protection Regulation (GDPR), as requested by people who have renounced the
Hamburg DPA Annual Report - Press Release
"Instead of harmonised enforcement, a highly diverse and non-transparent milieu of enforcement cultures is emerging. Instead of establishing legal protection for data subjects, proceedings are postponed until they are almost forgotten."
Read the full press release here.
Met removes hundreds from gangs matrix after breaking data laws
How list is compiled also to be reviewed amid claims it blights life chances and is discriminatory.
Revealed: how drugs giants can access your health records
Experts say information sold on by Department of Health and Social Care can be traced back to individual medical records
Privacy Experts Skeptical of Proposed US Data Protection Agency
A new Data Protection Agency would overhaul federal regulation efforts around data privacy – but experts are skeptical that the U.S. government can get it right.
Don’t be fooled by Facebook’s ‘regulate us, please’ media blitz
Playing the free speech card, Zuckerberg wants his own idea of beneficial-to-Facebook ‘regulation’
SECURITY & TECH
Exclusive: Google users in UK to lose EU data protection - sources - Reuters
Google is planning to move its British users' accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead, sources said.
Automated facial recognition breaches GDPR, says EU digital chief
The EU’s digital and competition chief has said that automated facial recognition breaches GDPR as it doesn't gain consent
Internet privacy: the apps that protect you from your apps
Worried about the data collected about you? A new generation of startups is making apps to put your privacy settings straight
GDPR Cookie Consent Plugin Vulnerable, Thousands of WordPress Sites at Risk
The GDPR Cookie Consent plugin for WordPress has turned out to be vulnerable, exposing website owners to critical security issues.
Is Anyone Paying Attention to Healthcare Security?
According to a recent report in TechCrunch, over one billion medical images from patients around the world — including CT scans, X-Rays, ultrasounds — are available online for download to anyone with "an internet connection and free-to-download software.” It’s a jarring number but will this revelation change anything?
NOYB Complaint: Amazon doesn’t allow baseline TLS security
A complaint made by NOYB, Max Schrems' not-for-profit agency to pursue data protection regulation violations on behalf of data subjects, notes that Amazon doesn't allow TLS security for messages sent via its marketplace platform.
DATA BREACH
Ireland ranked second in Europe for data breach notifications
Over 160,000 notifications reported across European Economic Area since GDPR began
DPC: 75 separate data breaches by Tusla
Tusla is the subject of an inquiry by the Data Protection Commission after the contact and location details of a mother and child victim were “accidentally” disclosed to their alleged abuser.
Credit-score scandal fear as 15,000 given wrong rating during data breach
More than 15,000 people may be due substantial compensation after the State’s biggest financial credit rating body admitted mixing up sensitive credit scores during a data breach.
Plastic Surgery Database Exposed
An unsecured database belonging to a French technology firm that supplies video and digital equipment to plastic surgery and dermatology clinics exposed content on
MGM hack exposes personal data of 10.6 million guests
The hack was first reported by ZDNet on Wednesday, which said the stolen information was posted to a hacking forum this week. MGM confirmed the attack took place to the BBC.
ENFORCEMENT
French DPA (CNIL) - Enforcement Notices Served on Electric Companies
The CNIL found both companies do not meet certain conditions for obtaining consent related to personal data collection from Linky smart meters. EDF and ENGIE have been given three months to make changes, after which the CNIL would close the inquiries.
*Notice is in French*
Spanish DPA Enforcement Notices
AEPD enforcements continue at a clip, with the most recent including:
*Notices are in Spanish*
€1,500 - The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify itself. - [Notice]
€2,500 - The controller had disclosed personal data to a third party in a property purchase agreement (breach of principles of integrity and confidentiality of personal data) - [Notice]
€3,000 - The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis. - [Notice]
€50,000 - Iberdrola Clientes, an electricity company, terminated the data subject's contract without his consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis. - [Notice]
€42,000 - The complainant had access to third party data in his personal Vodafone profile. - [Notice]
€30,000 - The AEPD found that a third party had access to the name, telephone number and address of another customer. - [Notice]
More GDPR enforcement information can be found on:
GUIDANCE
Irish DPA - Guidance for Controllers on Data Security
The DPC has released guidance for Controllers on Data Security.
RESOURCES
Irish Data Protection Commission 2019 Annual Report
Commissioner for Data Protection, Helen Dixon, today launched the Irish Data Protection Commission’s Annual Report for 2019, detailing the work of the DPC for the first full calendar year since the introduction of the General Data Protection Regulation (GDPR).
Report available here.
Privacy By Design Toolkit: Thinking GDPR in the user experience
The French data protection authority CNIL has released a toolkit designed to aid in the approach to privacy by design. The toolkit is available in English and French.
European Commission publishes data strategy, AI white paper
The European Commission and U.K. Information Commissioner’s Office both took steps to address the developments and challenges around data and artificial intelligence.
Whitepaper available here.