Privacy Transformation - Issue 9

This week saw the EDPB release its 2018 annual report and the ICO issue guidance on Controllers and processors. Both are worth a read.

In continuing fallout for Facebook from the Cambridge Analytica scandal, the Federal Trade Commission has reportedly voted to approve fining Facebook roughly $5bn to settle an investigation into the company’s privacy violations.

Enjoy reading these stories and more as part of your weekly privacy news roundup.

- Alan

PRIVACY

AI photo editor FaceApp goes viral again on iOS, raises questions about photo library access

The privacy news story that seemed to be reaching everyone this week was that of the Russian-developed FaceApp, which went viral recently due to a feature that lets people see what an older version of themselves might look like. With biometric data being processed, the app soon had privacy specialists concerned about what it was doing with the data collected and what other processing might be occurring with it.

Microsoft Office 365: Banned in German schools over privacy fears

Schools in the central German state of Hesse have been told it's now illegal to use Microsoft Office 365. The state's data-protection commissioner has ruled that using the popular cloud platform's standard configuration exposes personal information about students and teachers "to possible access by US officials".

NIST Privacy Framework nearing completion

A new U.S. privacy framework is quickly approaching completion. The National Institute of Standards and Technology, which holds the drafting pen, is encouraging stakeholders to share their feedback soon.

SECURITY

ENISA releases its 2019 Annual Report on trust services security incidents

The document gives an aggregated overview of security breaches with significant impact reported in 2018 by EU national supervisory bodies. It shows root causes, statistics and trends, and marks the third round of security incident reporting for the EU’s trust services sector.

Thinking through ACL-aware data processing

Related reading: Aggregating over anonymised data

Large cloud computing services are generally run for multiple users. In a few cases, all the data processed by such a service is public. In virtually all cases, users expect that some of the information about them is kept private. Even if the data store itself is public, logs about access to that data generally are not. Keeping each person's information separate is simplest in the primary data stores, where each object can easily carry its own access control list; derived data such as access logs and aggregates has no ACL of its own and is where separation becomes harder.
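To make the distinction concrete, here is an added example (not code from the linked article or from any of the services it discusses) showing why an aggregate computed over derived data must be filtered through the ACLs of the primary objects. The store, the principals and the access log are all constructed for illustration; the helper names are hypothetical.

```python
"""Added example: ACL-aware aggregation over derived data (an access log)
in a multi-tenant store.  Every primary object carries its own ACL; the
access log does not, so any report built from it has to consult the ACL
of the object each log line refers to.  All data here is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredObject:
    """A primary-store object with its own access control list."""
    object_id: str
    owner: str
    readers: frozenset  # principals allowed to read besides the owner

    def can_read(self, principal: str) -> bool:
        return principal == self.owner or principal in self.readers


@dataclass(frozen=True)
class LogEntry:
    """One access-log line: derived data with no ACL of its own."""
    object_id: str
    accessed_by: str


# Constructed primary store: three objects with distinct ACLs.
STORE = {
    "doc-1": StoredObject("doc-1", owner="alice", readers=frozenset({"bob"})),
    "doc-2": StoredObject("doc-2", owner="bob", readers=frozenset()),
    "doc-3": StoredObject("doc-3", owner="carol", readers=frozenset({"alice"})),
}

# Constructed access log.  The log records attempts, so it also contains a
# line from a principal who is not on the object's ACL, and a line for an
# object id that no longer exists in the primary store.
ACCESS_LOG = [
    LogEntry("doc-1", "alice"),
    LogEntry("doc-1", "bob"),
    LogEntry("doc-2", "bob"),
    LogEntry("doc-2", "bob"),
    LogEntry("doc-3", "carol"),
    LogEntry("doc-3", "alice"),
    LogEntry("doc-3", "mallory"),  # denied attempt, still logged
    LogEntry("doc-9", "alice"),    # object id absent from STORE
]


def naive_read_counts(log):
    """Reads per object with no ACL check.  Whoever runs this report sees
    every tenant's object ids and access volumes, which is exactly the
    leak the article warns about in derived data."""
    return dict(Counter(entry.object_id for entry in log))


def acl_aware_read_counts(log, store, principal):
    """Same aggregate, but a log line is admitted only when `principal`
    may read the object it refers to, as decided by the primary store's
    ACL.  Lines for unknown objects are dropped rather than guessed at:
    absence of an ACL means no access, not open access."""
    counts = Counter()
    for entry in log:
        obj = store.get(entry.object_id)
        if obj is not None and obj.can_read(principal):
            counts[entry.object_id] += 1
    return dict(counts)


if __name__ == "__main__":
    print("naive :", naive_read_counts(ACCESS_LOG))
    for who in ("alice", "bob", "mallory"):
        print(f"{who:8}:", acl_aware_read_counts(ACCESS_LOG, STORE, who))
```

The design point is that the per-viewer filter is applied at aggregation time against the primary store's ACL, not copied into the log at write time: copying would let the aggregate drift from the ACL after a permission change, and an object that has been deleted (no ACL left to consult) contributes nothing to anyone's view.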

DATA BREACHES

Google Data Breach Faces Review by DPC

Google faces a possible investigation by Irish data privacy regulators related to reports that contractors had been able to listen to audio of users of its digital assistant technology.

Credit Union Group Desjardins to offer all members free, lifelong protection after data breach

Desjardins Group, the largest federation of credit unions in North America, had a data breach in June affecting roughly 2.7 million individuals. It has offered all affected members free, lifelong protection following the breach.

This is interesting to see in the light of Equifax's bungled rollout of protection initially lasting 90 days and eventually extending to one year. Organisations with robust responses to breach incidents that focus on limiting potential harm to affected individuals also benefit from limiting reputational damage to their brand.

Hacker steals data of millions of Bulgarians, emails it to local media

A hacker has stolen the personal details of millions of Bulgarians and has emailed download links to the stolen data to local news publications.

ENFORCEMENT

‘2019 is the year of enforcement’: GDPR fines have begun

This week the Information Commissioner's Office levied fines against British Airways and Marriott International for violating the GDPR.

Facebook to be fined $5bn for Cambridge Analytica privacy violations

The $5bn fine would be the largest ever levied by the Federal Trade Commission against a technology company

GUIDELINES

Controllers and Processors Guidance from the ICO

The provided checklists set out indicators as to whether you are a controller, a processor or a joint controller. The more boxes you tick, the more likely you are to fall within the relevant category.

Accountability on the ground: Guidance on documenting processing operations for EU institutions, bodies and agencies

These documents provide provisional guidance for controllers and DPOs in the EU institutions on how to generate records of their processing operations, how to decide whether they need to carry out data protection impact assessments (DPIAs), how to do DPIAs and when to make prior consultations to the EDPS (Articles 31, 39 and 40 of Regulation (EU) 2018/1725).

Opinion on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment

The European Data Protection Board determined in an opinion that the competence of a lead supervisory authority to act can be switched to another supervisory authority in the event of a documented change relating to a main or single establishment.

Requesting Personal Data from Prospective Tenants

The Irish Data Protection Commission (DPC) is frequently asked about whether it is lawful from a data protection perspective for landlords (or letting agents acting on their behalf) to require certain information or documentation from prospective tenants. The purpose of this guidance is to assist both landlords (or letting agents acting on their behalf) and tenants in understanding which information may be appropriate to request at the initial application stage for a residential tenancy.

RESOURCES

EDPB 2018 Annual Report

The European Data Protection Board released its 2018 annual report, entitled 'Cooperation & Transparency', with overviews of its activities for the year including guidelines released, ePrivacy status, DPA co-operation and national cases of note.

2019 goals for the EDPB are also defined and include releasing further clarifying guidance and consideration of technologies such as connected vehicles, blockchain, artificial intelligence and digital assistants, video surveillance, search engine delisting and data protection by design and by default.