Privacy Transformation - Issue 63

PRIVACY

'Ireland's Data Protection Commissioner needs more staff'

There are many over-the-top, misleading claims made about Ireland's Data Protection Commissioner from foaming critics. But one of them has always been hard to completely refute: the office isn't sufficiently resourced. Cynics and critics say this is done on purpose, a sign of soft regulatory intent to appease mostly US multinationals.

Data Protection Commissioner queries source of details used to block benefit payments

The Data Protection Commissioner has asked the Department of Social Protection to explain how exactly it is getting data it uses to block benefit payments.

Comment: Data privacy ruling makes commission’s work more vital than ever

Ireland’s data protection watchdog is under-resourced at a time when safeguarding the rights and privacy of European citizens is crucial

Firms face scramble for post-Brexit data transfer deals - DecisionMarketing

Companies which use "binding corporate rules" approved by ICO must act now, warns Brussels.

How The New York Times Thinks About Your Privacy

If, dear reader, we met and you invited me to your home, we might end up chatting about your day over a glass of Côtes du Rhône. As you recounted your latest adventures, I would learn about you, but in no way would that be a violation of your privacy.

However, if you happened to catch me listening in through the window as you depicted the same events to someone else, I would be a creep breaching your privacy and would deserve my comeuppance at the hands of your just fury.

SCHREMS II NEWS

NOYB: DPC has no clear time line on enforcing CJEU judgement

Following the CJEU's judgment on EU-US data transfers by Facebook, we requested that the Irish DPC take action. The DPC's first response indicates that it is unwilling to commit to a clear time frame.

EU needs to start enforcing data protection laws properly

After the European Court of Justice (CJEU) handed down another major judgement two weeks ago in the “Schrems 2.0” data protection case, discussion has focused primarily on its potential impact on the well-known companies that gather data and transfer it between the European Union and United States.

Technology, media and telecommunications services after 'Schrems II'

Most companies consider cross-border data transfer restrictions under EU data protection laws a difficult compliance requirement, particularly since July 16, when the Court of Justice of the European Union ruled on the EU-U.S. Privacy Shield and standard contractual clauses. Additionally, companies that offer data-processing services are also facing a difficult sales topic, which commands urgent attention, particularly in the technology, media and telecommunications sectors.

EU Regulators Take Tough Data-Transfer Approach After Ruling

European Union regulators are adopting a much tougher approach to trans-Atlantic data transfers to meet the demands of a landmark ruling last week that warned about potential American surveillance.

SECURITY & TECH

Data from Dutch public broadcaster shows the value of ditching creepy ads

For anyone interested in the contested question of how much ‘value’ — or, well, how little — publishers derive from the privacy-hostile practice of tracking web users to behaviorally target them with ads, pro-privacy browser Brave has published some interesting data, obtained from the Netherlands’ public broadcaster, NPO.

The analysis from Brave can be found here.

Ireland needs to take Russian cyber threat seriously

As a key diplomatic influencer and the European headquarters of US tech giants, we are an attractive and poorly defended target.

Garmin Confirms Services Upended by Ransomware Attack

Garmin on Monday confirmed that many of its online services have been disrupted by a cyberattack on its systems that occurred on July 23, 2020. Services disrupted by the attack, which encrypted data on the systems, included website functions, customer support, customer facing applications, and company communications.

New Working Norms Make Securing the Communications Channel a Top Priority

With the growth in BYOD, mobile messaging and a mobile workforce, companies should make it a priority to provide secure communications for data security and compliance.

DATA BREACH

Tech unicorn Dave admits to security breach impacting 7.5 million users

Digital banking app and tech unicorn Dave.com confirmed today a security breach after a hacker published the details of 7,516,625 users on a public forum.

Blackbaud hack: More UK universities confirm breach

More than 20 universities and charities in the UK, US and Canada have confirmed they are victims of a cyber-attack that compromised a software supplier.

ENFORCEMENT

Baden-Wuerttemberg State Commissioner imposes fine on AOK Baden-Wuerttemberg

Due to an infringement of the obligations of secure data processing (Article 32, GDPR), the Department of Fines of the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information (LfDI) has issued a fine of EUR 1,240,000 against the AOK Baden-Wuerttemberg.

Telephone Operators: Italian SA Fines Wind EUR 17 million and Iliad EUR 0.8 million

Complaints were received from users against unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls.

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

GUIDANCE

EDPB: FAQ on Schrems II Judgement

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

AEPD updates cookie guidance

Spain's data protection authority, the Agencia Española de Protección de Datos, adapted its guide on the use of cookies to meet the consent guidelines revised by the EDPB in May.

EDPS: Data Protection requirements must go hand in hand with the prevention of money laundering and terrorism financing

In its recent Opinion, the EDPS reacted to the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing.

Read the EDPS Opinion here.

ICO launches guidance on AI and data protection

AI offers opportunities that could bring marked improvements for society. But shifting the processing of personal data to these complex and sometimes opaque systems comes with inherent risks.

Read the guidance here.

RESOURCES

NOYB: Next Steps for EU companies & FAQs - Schrems II Judgement

We have summarised the next steps after the CJEU judgement on EU-US data transfers for EU companies and published model requests they can send to their non-EU/EEA providers.

EDPB adopted documents - 34th, 35th & 36th plenary

During its 34th, 35th & 36th plenary session, the EDPB adopted the following documents:

34th plenary session:

35th plenary session:

36th plenary session: