Privacy Transformation - Issue 42

PRIVACY

In Coronavirus Fight, China Gives Citizens a Color Code, With Red Flags

A new system uses software to dictate quarantines — and appears to send personal data to police, in a troubling precedent for automated social control.

Minister claims Data Protection Commission erred in findings on Public Services Card

A challenge by the Minister for Employment Affairs and Social Protection against decisions of the Data Protection Commission on the invalidity of the Public Services Card (PSC) is to be heard in the Circuit Civil Court.

Using a dashcam may be illegal

Might dashcams soon become restricted in Ireland? Are angry cyclists who post videos online of errant car behaviour flagrantly disregarding others' rights? On one reading of the current law, the answer to both questions is yes.

Vatican joins IBM, Microsoft to call for facial recognition regulation

The Vatican joined forces with tech giants Microsoft and IBM on Friday to promote the ethical development of artificial intelligence (AI) and call for regulation of intrusive technologies such as facial recognition.

SECURITY & TECH

GDPR Compliance: Should CISO Serve as DPO?

As organizations settle into the third year of enforcement of the EU’s General Data Protection Regulation, some are struggling to define and understand the role.

CONVERSATION - This article spurred an interesting conversation on LinkedIn about the both the merits and conflict of interest of a CISO being involved in a data protection compliance role.

DATA BREACH

Virgin Media data breach affects 900,000 people

The firm said "insufficient protection" meant customers' details were made accessible for 10 months.

Rail station wi-fi provider exposed traveller data

The unprotected database included phone numbers, email addresses, dates of birth and reasons for travel.

Slickwraps data breach earns scorn for all

The breach earned derision from both the hacker and observers after another hacker exploited the company's vulnerable setup.

ENFORCEMENT

Three Ireland fined for sending unwanted marketing texts

In an enforcement action of sorts, Three Ireland and a pizza chain have pleaded guilty to unlawfully sending customers unwanted marketing text messages and ordered to pay the DPC's costs and make a donation to charity.

ICO - Scottish company hit with maximum fine for making nearly 200 million nuisance calls

The Information Commissioner’s Office (ICO) has fined CRDNN Limited with the maximum £500,000 fine for making more than 193 million automated nuisance calls.

Dutch DPA - Tennis association fined for selling personal data of members

The Dutch data protection authority has announced a €525,000 fine against the Royal Dutch Lawn Tennis Association for unlawfully sharing the personal information of its members with two sponsors. The fine is being appealed.

[Notice (in Dutch)]

Dutch DPA - Decision issued for lack of security - Personal Data on Development Server

It is a scenario likely to play out in many development and testing environments without appropriate controls in place — real-world customer data used in development environments. In this case a development server containing production data was acquired in the process of an acquisition.

*Press release is in Dutch*

The Polish data protection authority has issued a €4,650 fine to a school for biometric processing of students fingerprints without a lawful basis while Malta's DPA has fined the Lands Authority €5,000 for violating Article 32 of the GDPR.

Cathay Pacific fined for failing to protect the security of its customers’ personal data

Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed.

Spanish DPA (AEPD) Enforcement Notices

*Notices are in Spanish*

€120,000 - Vodafone Spain was fined for violations of Articles 5(1)(a) and 6(1)(a) GDPR, in particular, processing data without valid consent. [Notice]

€48,000 - Vodafone Spain were issued with a separate fine in relation to insufficient security measures. [Notice]

€3,600 - A company was fined for sending the payroll data of one employee to another employee, resulting in a breach of personal data. [Notice]

€48,000 - A Spanish hospital has been fined for processing based on the invalid consent, deemed gained through the inactivity (not opting out), of a patient. [Notice]

€6,000 - A hotel has been fined for violation of the data minimisation principle of the GDPR (Art. 5.1.c) for processing concerning recording of a public street via CCTV, collecting data beyond the what was necessary. [Notice]

More GDPR enforcement information can be found on:

enforcementtracker.com

COURTS, JUDGEMENTS & OPINIONS

First Decision Ever of a French Court Applying GDPR to Facial Recognition

A French court canceled today a decision by the south-east region of France to undertake a series of tests using facial recognition at the entrance of two schools.

CJEU advocate general issues opinion on Romanian consent case

Court of Justice of the European Union Advocate General Maciej Szpunar issued an opinion on a case between the Romanian National Authority for the Supervision of the Processing of Personal Data and telecommunications provider Orange România.

GUIDANCE

DPC - Attendee Lists and Name Tags

The misunderstanding that conferences, workshops and events can’t share the details of attendees because of the GDPR is one that many people may have come across. Attendees of workshops, conferences, or events have been told that the organisers couldn’t share an attendance list, or that name plates or badges couldn’t be produced, because the organisers were worried about the GDPR.