Privacy Transformation - Issue 42
PRIVACY
In Coronavirus Fight, China Gives Citizens a Color Code, With Red Flags
A new system uses software to dictate quarantines — and appears to send personal data to police, in a troubling precedent for automated social control.
Minister claims Data Protection Commission erred in findings on Public Services Card
A challenge by the Minister for Employment Affairs and Social Protection against decisions of the Data Protection Commission on the invalidity of the Public Services Card (PSC) is to be heard in the Circuit Civil Court.
Using a dashcam may be illegal
Might dashcams soon become restricted in Ireland? Are angry cyclists who post videos online of errant car behaviour flagrantly disregarding others' rights? On one reading of the current law, the answer to both questions is yes.
Vatican joins IBM, Microsoft to call for facial recognition regulation
The Vatican joined forces with tech giants Microsoft and IBM on Friday to promote the ethical development of artificial intelligence (AI) and call for regulation of intrusive technologies such as facial recognition.
SECURITY & TECH
GDPR Compliance: Should CISO Serve as DPO?
As organizations settle into the third year of enforcement of the EU’s General Data Protection Regulation, some are struggling to define and understand the role.
CONVERSATION - This article spurred an interesting conversation on LinkedIn about both the merits and the conflict of interest of a CISO being involved in a data protection compliance role.
DATA BREACH
Virgin Media data breach affects 900,000 people
The firm said "insufficient protection" meant customers' details were made accessible for 10 months.
Rail station wi-fi provider exposed traveller data
The unprotected database included phone numbers, email addresses, dates of birth and reasons for travel.
Slickwraps data breach earns scorn for all
The breach earned derision from both the hacker and observers after another hacker exploited the company's vulnerable setup.
ENFORCEMENT
Three Ireland fined for sending unwanted marketing texts
In an enforcement action of sorts, Three Ireland and a pizza chain have pleaded guilty to unlawfully sending customers unwanted marketing text messages and have been ordered to pay the DPC's costs and make a donation to charity.
ICO - Scottish company hit with maximum fine for making nearly 200 million nuisance calls
The Information Commissioner’s Office (ICO) has issued CRDNN Limited with the maximum £500,000 fine for making more than 193 million automated nuisance calls.
Dutch DPA - Tennis association fined for selling personal data of members
The Dutch data protection authority has announced a €525,000 fine against the Royal Dutch Lawn Tennis Association for unlawfully sharing the personal information of its members with two sponsors. The fine is being appealed.
[Notice (in Dutch)]
Dutch DPA - Decision issued for lack of security - Personal Data on Development Server
It is a scenario likely to play out in many development and testing environments without appropriate controls in place — real-world customer data used in development environments. In this case a development server containing production data was acquired in the process of an acquisition.
*Press release is in Dutch*
Poland, Malta DPAs hand down GDPR fines
The Polish data protection authority has issued a €4,650 fine to a school for biometric processing of students' fingerprints without a lawful basis, while Malta's DPA has fined the Lands Authority €5,000 for violating Article 32 of the GDPR.
Cathay Pacific fined for failing to protect the security of its customers’ personal data
Cathay Pacific Airways Limited was fined £500,000 for failing to protect the security of its customers’ personal data. Between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures, which led to customers’ personal details being exposed.
Spanish DPA (AEPD) Enforcement Notices
*Notices are in Spanish*
€120,000 - Vodafone Spain was fined for violations of Articles 5(1)(a) and 6(1)(a) GDPR, in particular, processing data without valid consent. [Notice]
€48,000 - Vodafone Spain was issued with a separate fine in relation to insufficient security measures. [Notice]
€3,600 - A company was fined for sending the payroll data of one employee to another employee, resulting in a breach of personal data. [Notice]
€48,000 - A Spanish hospital has been fined for processing based on invalid consent, which was deemed to have been gained through a patient's inactivity (not opting out). [Notice]
€6,000 - A hotel has been fined for violating the data minimisation principle of the GDPR (Art. 5.1.c) by recording a public street via CCTV, collecting data beyond what was necessary. [Notice]
More GDPR enforcement information can be found on:
COURTS, JUDGEMENTS & OPINIONS
First Decision Ever of a French Court Applying GDPR to Facial Recognition
A French court canceled today a decision by the south-east region of France to undertake a series of tests using facial recognition at the entrance of two schools.
CJEU advocate general issues opinion on Romanian consent case
Court of Justice of the European Union Advocate General Maciej Szpunar issued an opinion on a case between the Romanian National Authority for the Supervision of the Processing of Personal Data and telecommunications provider Orange România.
GUIDANCE
DPC - Attendee Lists and Name Tags
The misunderstanding that conferences, workshops and events can’t share the details of attendees because of the GDPR is one that many people may have come across. Attendees of workshops, conferences, or events have been told that the organisers couldn’t share an attendance list, or that name plates or badges couldn’t be produced, because the organisers were worried about the GDPR.
ICO Codes of Conduct and Certification schemes open for business
The ICO has published guidance for organisations wanting to develop GDPR Codes of Conduct or Certification schemes.
UK National Security Centre publishes advice for consumers to help secure internet connected cameras
Owners of smart cameras and baby monitors in the home are being urged to take three steps to protect their devices from cyber criminals.