Privacy Transformation - Issue 41

PRIVACY

Critics on Croatia's ePrivacy proposal: Legitimate interest provisions not legitimate

The Croatian presidency published its first draft proposal to break the ePrivacy Regulation deadlock. The proposal would allow for metadata to be processed on the grounds of legitimate interest.

Criticism of the proposal was hot on its heels, with data protection professionals saying it is dead in the water.

No one sanctioned for Tusla data breach

Nobody has been sanctioned in Tusla for serious data breaches being investigated by the Data Protection Commissioner, it has emerged.

Last year, the child and family agency detected and reported 137 data breaches to the commissioner, Helen Dixon, and that resulted in her office opening up three separate investigations.

RTE reports that Tusla is trying to address its system to "mitigate security risks".

Podcast: Irish Data Protection Commissioner, Helen Dixon Interview

Helen Dixon was recently a guest on the Today Show with Sean O'Rourke, in a segment covering the Tusla data breach and GDPR enforcement.

Irish DPC: DPOs feeling a lot of 'stress, tension'

For all the changes the EU General Data Protection Regulation ushered in, the requirement that applicable organizations must hire a data protection officer h...

Google's decision to shift control of UK user data to the US looks like a calculated political bet that Brexit will be a privacy disaster

Google is shipping control of its UK user data to the US, with serious privacy implications. Sources told Reuters that Google's decision was prompted by uncertainty surrounding Britain's exit from the EU, because it is now unclear whether the UK will adopt GDPR-like rules or set its own standards on data protection.

FACIAL RECOGNITION

Two stories caught my eye this week in this area as the UK's Met Police Chief attacked critics of facial recognition technology, while a leaked report shows that EU police aim to create an international facial recognition database. This report comes not long after the European Commission announced that it was considering a five-year ban on the technology.

EDPS Opinion - The opening of negotiations for a new partnership with the UK

The EDPS has published an opinion on the opening of negotiations for a new partnership with the UK. The document considers the critical concern of an adequacy decision, drawing attention to the fact that any such decision would need to take account of the Law Enforcement Directive, which experts note would pose a challenge to achieving adequacy under the GDPR.

Banks need steer on data protection vs money-laundering rules: industry bodies

European banking industry representatives are calling for more legal guidance on how banks should interpret data protection rules in their anti-money-laundering work.

11 drafting flaws for the European Commission to address in its upcoming GDPR review

In May 2020, the European Commission is scheduled to deliver its first review report on the EU General Data Protection Regulation. The preparations are well underway, but rumor has it the commission does not intend to draft proposals to reform the GDPR and does not even intend to repair apparent flaws in the drafting.

SECURITY & TECH

Facebook pauses election day reminders in the EU

The social network likes to nudge its users to go to the polls. But after concerns raised by the Irish Data Protection Commission, Facebook announces it will stop the feature.

The DPC has released a statement on its notification to FB regarding its concerns.

EDPB releases statement on privacy implications of Google's acquisition of Fitbit

The EDPB have released a statement expressing concerns regarding the acquisition of Fitbit by Google and the implications of possible further combination and accumulation of sensitive personal data regarding people in Europe by the tech company.

Mozilla Rolls Out Encrypted Browsing by Default for U.S. Firefox Users

Mozilla has flipped the switch to turn on encrypted DNS over HTTPS for U.S. users by default. If you’re unfamiliar with the tech, the pitch is this feature will help prevent internet service providers from tracking the sites you go to.

We must beware Big Tech companies seeking regulation

World View: In pushing for digital regulation, such firms hope to shape it in their own interests.

Google is indexing WhatsApp group chat links, making private groups discoverable

Invitations to WhatsApp group chats are being indexed by Google, making the invite links, including links to private group chats, discoverable and available to anyone who wants to join.

DATA BREACH

Data Breach Occurs at Agency in Charge of Secure White House Communications

A leak at the Defense Information Systems Agency exposed personal information of government employees, including social security numbers.

Israeli Marketing Company Exposes Contacts Database

An Israeli marketing company left the authentication credentials for a database online, exposing more than 140 GB worth of names, email addresses and phone numbers.

COURTS, JUDGEMENTS & OPINIONS

Supreme Court to refer Graham Dwyer data retention appeal to the EU's Court of Justice

Chief Justice Frank Clarke said the three central questions in the case “each involve difficult issues”.

High Court finds use of CCTV evidence breached data rights in staff disciplinary investigation

A hospice employee has won a High Court appeal over the use of data from CCTV footage in a disciplinary investigation.

French court rules against schools' facial-recognition plans

According to French digital rights group La Quadrature du Net, the Administrative Court of Marseille has ruled against two French high schools installing facial-recognition technology at their entrances.

GUIDANCE

Belgian Data Protection Authority Releases Direct Marketing Guidance

On February 10, 2020, the Belgian Data Protection Authority published its Recommendation on data processing activities for direct marketing purposes. The Recommendation aims to clarify the complex rules relating to processing personal data for direct marketing purposes.

The guidance document is available in French and Dutch.

ENISA - Procurement Guidelines for Cybersecurity in Hospitals

As cybersecurity becomes more of a priority for hospitals, it is essential that it is integrated holistically in the different processes, components and stages influencing the healthcare ICT ecosystem.

EDPB - Transfers of personal data from EEA public authorities or bodies to public bodies in third countries or international organisations

EDPB guidance covering the application of Articles 46 (2) (a) and 46 (3) (b) of the General Data Protection Regulation (GDPR) on transfers of personal data from EEA public authorities or bodies (hereafter “public bodies”) to public bodies in third countries or to international organisations.

RESOURCES

EDPB - Eighteenth Plenary Session: adopted documents

The eighteenth plenary session of the EDPB covered:


  • EDPB evaluation and review of the GDPR;
  • Adopted draft guidelines addressing transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations, where these transfers are not covered by an adequacy decision;
  • Statement on privacy implications of mergers, considering Google's acquisition of Fitbit.

Press release and adopted documents.

Microsoft launches open-source privacy mapping tool

Microsoft has launched a new open-source tool mapping ISO's global privacy standard, ISO/IEC 27701, to nine different privacy laws from around the world.

Video: ICO Webinar - Draft guidance on the AI auditing framework webinar

The ICO has released a webinar that takes a look at the draft guidance on the AI Auditing Framework they have produced.