Privacy Transformation - Issue 7
I was speaking with a colleague today about the definitive uptick we're seeing in enforcement actions relating to the GDPR. You will see that enforcement stories are well-represented in this week's edition. Data Protection Authorities are opening and concluding investigations at an increasing clip.
The Irish DPC has over 20 open investigations into multinational technology companies and the expectation is that we will start to see conclusions to some of those this summer.
It is important that enforcement, as one of the tools available to data protection authorities, is seen to be used where appropriate and that it is not only large tech companies that are the focus of such actions, but rather that data subject complaints and risk to individuals drive priorities.
With my thoughts on enforcement out of the way, it's time for the rest of this week's roundup in data privacy news.
- Alan
PRIVACY
Superhuman is Spying on You
Real Time Bidding (RTB) and the advertising industry have been receiving a lot of attention recently for their tracking practices and misuse of personal data. Another form of pervasive tracking that has been going on for many years is within our own emails.
This story concerns Superhuman (email client software), but email automation tooling has been rewriting links in emails for years to add tracking capability, enabling the mail campaign providers and third parties to build profiles on the recipients of their emails.
A study on the privacy implications of email tracking can be found here.
An estimated 500K organizations have registered DPOs across Europe
New IAPP research indicates that an estimated 500,000 organizations have registered data protection officers across Europe under the GDPR.
Should police body cameras have facial recognition tech? Axon, the largest U.S. maker of devices, says no
America's largest maker of police body cameras said Thursday that it would not add a facial recognition feature to its cameras, a response to concerns that the technology could lead to false identifications.
SECURITY
Five Steps To Secure Cloud-based Environments
Cloud-based environments offer many advantages to organisations; however, they also introduce a number of technical security risks which organisations should be aware of, including data breaches, hijacking of accounts, and unauthorised access to personal data.
ENISA plays an active role at the first of its kind cyber crisis exercise, Blue OLEx 2019
On July 2 and 3, the EU Agency for Cybersecurity, the European Commission and 23 Member States are gathering for the first time at a high level exercise in Paris under the name Blue OLEx 2019.
ENFORCEMENT
Germany fines Facebook for under-reporting complaints
German authorities have fined Facebook 2 million euros ($2.3 million) for under-reporting complaints about illegal content on its social media platform in breach of the country's law on internet transparency.
Facebook fined €1M over Cambridge Analytica scandal
Italy's privacy regulator fined Facebook €1 million for violations connected to the Cambridge Analytica scandal — the largest fine against the social networking giant connected to that case.
CNIL Publishes Action Plan Regarding Online Targeted Advertising
On June 28, 2019, the French data protection authority published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.
You can read CNIL's press release here.
Data Protection Commission opens privacy investigation into Apple
Apple's main regulator in the European Union, Ireland's Data Protection Commissioner (DPC), has opened a third privacy investigation into the iPhone maker over the last few weeks, a spokesman for the DPC said.
TikTok under investigation over child data use
The UK ICO has opened an investigation into video-sharing app TikTok and its practices for handling children's data.
First GDPR fine issued by Romanian DPA against Unicredit Bank
The fine was issued as a result of a failure to implement appropriate technical and organisational measures, both within the determination of the processing means and processing operations themselves, designed to effectively implement data protection principles, such as data minimisation, and to integrate the necessary safeguards in the processing, in order to meet the GDPR requirements and to protect the rights of the data subjects.
Former company director believed to have profited by more than £1.4 million after selling personal data illegally
A former company director found guilty of illegally obtaining people’s personal data and selling it to solicitors chasing personal injury claims, has been fined for breaches of data protection and issued with a confiscation order under the Proceeds of Crime Act 2002.
DATA BREACHES
Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach
Smart IoT devices are increasingly being purchased to bolster home, and business, security. Which is all well and good until a device management company forgets to password protect the user database and leaves 2 billion passwords and other data open to anyone...
GUIDANCE
Cookies take centre stage this week
This week there has been a wave of cookie guidance released. A previous issue included the story of the ICO agreeing that its own website did not meet the GDPR standard for cookie consent.
They followed up shortly after with an update to their website cookie management tool and this week have issued detailed cookie guidance.
The Irish DPC has also updated their somewhat more concise guidance.
CNIL, the French Data Protection Authority, have indicated that they will be releasing updated cookie guidance of their own this month.
Cookies – what does ‘good’ look like?
Cookies can seem a complex issue. The rules on their use are in the Privacy and Electronic Communications Regulations (PECR), not the GDPR. However, some of PECR’s key concepts now come from the GDPR – such as the standard of consent.
RESOURCES
How E-Commerce Sites Manipulate You Into Buying Things You May Not Want
Research released this week finds that many online retailers use so-called dark patterns to influence what shoppers decide to purchase. Cracking down on the practice could be difficult.
How Privacy Tech Is Bought and Deployed 2019
For the second year running, the IAPP together with TrustArc surveyed 345 privacy professionals around the globe to gain an understanding of how privacy technology products are purchased and deployed within an organisation.