WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point to note right off the bat is that GDPR does not merely apply to EU businesses: any entity processing the personal data of people in the EU needs to comply, wherever that entity is based and regardless of the data subject's citizenship. This extra-territorial scope casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively, to as much as 4% of global annual turnover or €20 million, whichever is higher.
GDPR aims to make every link in the processing chain a robust one. Companies need to maintain up-to-date records to demonstrate their compliance, and to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.
GDPR's running emphasis on data protection via data security implicitly encourages the use of encryption as something more than a risk-reduction technique. Another major change incoming via GDPR is that 'privacy by design' is no longer just a nice idea: privacy by design and privacy by default become firm legal requirements.
GDPR also encourages pseudonymization (for example, encrypting personal data and storing the encryption key separately and securely) as a pro-privacy, pro-security technique that can reduce the risks of processing personal data. Note the distinction the regulation draws: pseudonymized data is still personal data, because whoever holds the key or other additional information can re-identify the individuals, so it remains in scope. Data has to be rendered truly anonymous to be outside the scope of the regulation.
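The pseudonymization point above is worth seeing in working code, because the distinction between pseudonymous and anonymous is exactly where implementations go wrong. The example below is added here and is not code from TechCrunch, from the regulation or from any official guidance. It uses a keyed HMAC-SHA256 token instead of the encryption scheme the page mentions; the property that matters (re-identification is only possible with a secret key that is stored separately from the dataset) is the same. It also shows the common mistake of calling an unkeyed hash "anonymization": e-mail addresses are guessable, so such hashes are reversed by simply recomputing candidates. All records, addresses and key values are constructed sample data.

```python
"""Pseudonymisation with a separately held key, versus naive hashing.

Added illustration for this page, not code from the article or any GDPR
guidance. Keyed HMAC-SHA256 stands in for the page's encryption example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample dataset; the addresses do not belong to real people.
RECORDS = [
    {"email": "alice@example.com", "order": "A-1001", "amount": 42.0},
    {"email": "bob@example.com", "order": "A-1002", "amount": 17.5},
    {"email": "alice@example.com", "order": "A-1003", "amount": 8.0},
]


def generate_key() -> bytes:
    """Pseudonymisation key. In the scheme the page describes this lives in a
    separate, access-controlled store (HSM/KMS or at least another service),
    never alongside the pseudonymised dataset."""
    return secrets.token_bytes(32)


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed token for one identifier. Deterministic for the same input and
    key, so analytics can still group orders per customer, but infeasible to
    invert or to recompute without the key. Input is normalised first so
    'Alice@Example.com ' and 'alice@example.com' map to the same token."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the identifier, frequently mislabelled 'anonymisation'."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise_dataset(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with the keyed token and keep the payload.
    The result is still personal data under GDPR: whoever holds the key can map
    each token back to a person."""
    return [
        {"subject": pseudonymise(r["email"], key), "order": r["order"], "amount": r["amount"]}
        for r in records
    ]


def reidentify(token: str, key: bytes, known_emails: List[str]) -> Optional[str]:
    """Controller-side re-identification: recompute tokens for the identities
    the controller legitimately holds and match in constant time.
    Without the right key this returns None."""
    for email in known_emails:
        if hmac.compare_digest(pseudonymise(email, key), token):
            return email
    return None


def dictionary_attack(hashed: str, guesses: List[str]) -> Optional[str]:
    """What an attacker does to an unkeyed hash: e-mail addresses are
    low-entropy and guessable, so a leaked hash list is reversed by
    recomputing candidates. No secret is needed."""
    for email in guesses:
        if naive_hash(email) == hashed:
            return email
    return None


def orders_per_subject(pseudo_records: List[dict]) -> Dict[str, int]:
    """Analytics that still works on the pseudonymised data without the key."""
    counts: Dict[str, int] = {}
    for r in pseudo_records:
        counts[r["subject"]] = counts.get(r["subject"], 0) + 1
    return counts


if __name__ == "__main__":
    key = generate_key()
    pseudo = pseudonymise_dataset(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("orders per subject:", orders_per_subject(pseudo))
    print("re-identified with key:",
          reidentify(pseudo[0]["subject"], key, ["bob@example.com", "alice@example.com"]))
    print("re-identified with wrong key:",
          reidentify(pseudo[0]["subject"], generate_key(), ["alice@example.com"]))
    print("unkeyed hash reversed:",
          dictionary_attack(naive_hash("alice@example.com"), ["carol@example.com", "alice@example.com"]))
```

The practical check to take from this: if your "anonymised" export can be reversed by anyone who can enumerate plausible inputs (e-mail addresses, phone numbers, national ID numbers), it is at best pseudonymised and still in scope; and if the key that makes the tokens reversible sits in the same database, backup or access scope as the tokens, the separation the regulation rewards is not actually there.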

116 Comments

  1. Tomi Engdahl says:

    EU parliament calls for Privacy Shield to be pulled until US complies
    https://techcrunch.com/2018/07/05/eu-parliament-calls-for-privacy-shield-to-be-pulled-until-us-complies/

    The European Parliament has been making its presence felt today. As well as reopening democratic debate around a controversial digital copyright reform proposal by voting against it being fast-tracked, MEPs have adopted a resolution calling for the suspension of the EU-US Privacy Shield.

    The parliamentarians’ view is that the data transfer mechanism does not provide the necessary ‘essentially equivalent’ data protection for EU citizens — and should therefore be suspended until US authorities come into compliance.

    “Considers that, unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply with its terms”

    The mechanism is currently used by more than 3,300 organizations to authorize transfers of personal data from the EU to the US, including the likes of Facebook, Google, Microsoft, Amazon and Twitter

    The EU-US Privacy Shield is not yet two years old but has always been controversial

    Privacy Shield was only officially adopted in July 2016, but EU lawmakers have been getting increasingly unhappy because core components of the framework have been left hanging by US authorities.

    “The Cloud Act could have serious implications for the EU as it is far-reaching and creates a potential conflict with the EU data protection laws,”

    Facebook-Cambridge Analytica data misuse scandal. Europeans’ data was among the up to 87M compromised accounts related to that scandal.

    Any sanction or removal from the framework depends on US authorities judging an entity to have breached its obligations under the framework — and taking action.

    The continued presence of any entity on the Privacy Shield list that has demonstrably failed to safeguard EU citizens’ personal data must raise serious questions over how much actual protection the framework affords.

    However only the European Commission can suspend the Privacy Shield mechanism itself.

    And the Commission continues to stand behind the framework it worked with the US to shape and negotiate.

    There’s a wild card here too though: Privacy Shield is now facing serious legal questions in Europe

  2. Tomi Engdahl says:

    AI spots legal problems with tech T&Cs in GDPR research project
    https://techcrunch.com/2018/07/04/european-ai-used-to-spot-legal-problems-in-tech-tcs/?sr_share=facebook&utm_source=tcfbpage

    Technology is the proverbial double-edged sword. And an experimental European research project is ensuring this axiom cuts very close to the industry’s bone indeed by applying machine learning technology to critically sift big tech’s privacy policies — to see whether AI can automatically identify violations of data protection law.

  3. Tomi Engdahl says:

    German Court Issues First GDPR Ruling
    https://www.natlawreview.com/article/german-court-issues-first-gdpr-ruling

    The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

  4. Tomi Engdahl says:

    GDPR “Great Data Protection Rocks”?

  5. Tomi Engdahl says:

    Super Robot to the rescue! How robots can help you be GDPR compliant.
    https://lekab.com/how-robots-can-help-you-be-gdpr-ready/?utm=gdpr-rpa-facebook&blog

    Winter might be over, but GDPR is here! If you've been hibernating to avoid what that entails, it's time to sort things out, with some help from software robots!

  6. Tomi Engdahl says:

    You Should Still Care About GDPR
    https://www.securityweek.com/you-should-still-care-about-gdpr

    GDPR Forces Companies to Examine How They Treat Data

    In the days leading up to May 25, email inboxes were filled with updated privacy notices and requests for marketing consent. Web browsers saw more banners about “cookies” than they had since broadband became ubiquitous, and businesses began to consider how they were going to comply with the far-reaching regulation – never mind that the drop-dead date for compliance was well announced, covered by global media and discussed at conferences for at least 365 days prior.

    In the era of Europe’s General Data Protection Regulation (GDPR), any company that handles EU data must comply with the regulations. If found non-compliant, companies are slapped with nasty fines (2%-4% of global revenue) and barred from doing business in the EU until they can prove the issues have been fixed. Not complying is a high stakes game. In fact, some smaller firms, such as UnRoll.me and Verve, shut down their services to European users rather than contend with the anxiety surrounding potential non-compliance. Similarly, prominent media outlets in the United States blocked traffic from the EU altogether on May 26, rather than risk being labelled non-compliant.

  7. Tomi Engdahl says:

    Shan Wang / Nieman Lab:
    Researchers find fewer third-party cookies on 200+ EU news sites post-GDPR; sites load 27% fewer cookies for optimization and 14% fewer for ads

    Has the GDPR law actually gotten European news outlets to cut down on rampant third-party cookies and content on their sites? It seems so
    http://www.niemanlab.org/2018/08/has-the-gdpr-law-actually-gotten-european-news-outlets-to-cut-down-on-rampant-third-party-cookies-and-content-on-their-sites-it-seems-so/

    Some third-party cookies were still present, of course. But there was a decrease in third-party content loaded from social media platforms and from content recommendation widgets.

    It seems that a fairly severe, sweeping data privacy law in Europe could be just the incentive news organizations needed to trim the number of third-party cookies and content loading on their sites before readers have a chance to give explicit consent, according to a Reuters Institute report on a wide selection of news sites in Finland, France, Germany, Italy, Poland, Spain, and the U.K.

    This time around, researchers found declines in cookie prevalence on the 200-plus news sites they tracked, across several categories, from cookies related to advertising and marketing to ones related to design optimization

    Some third-party cookies were still present, both before and after GDPR: “We saw almost no change in the percentages of pages with at least one instance of third-party advertising, audience measurement, content recommendation, design optimization, and hosting,” the researchers note. But it seems that a significant number of the news sites sampled did remove third-party content loaded from social media platforms and from content recommendation widgets

  8. Tomi Engdahl says:

    German Court Issues First GDPR Ruling
    https://www.natlawreview.com/article/german-court-issues-first-gdpr-ruling?ref=hvper.com

    In the first decision (available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,”

    EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

    ICANN filed suit in Germany seeking an injunction to compel EPAG to collect the technical and administration contact information. ICANN argued that contact information was necessary to address problems

    Rejecting ICANN’s request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule. In support of its finding, the court noted that registrants had not previously been required to provide technical and administrative contact details, and ICANN failed to provide adequate evidence that such data collection was necessary.

  9. Tomi Engdahl says:

    UK data protection complaints more than double under new GDPR rules
    https://techcrunch.com/2018/08/28/uk-data-protection-complaints-spike-under-new-gdpr-rules/?utm_source=tcfbpage&sr_share=facebook

    The number of complaints filed with the U.K. data protection watchdog has more than doubled since the introduction of new European regulations.

    There were 6,281 complaints filed with the Information Commissioner’s Office between May 25, when the new GDPR rules went into effect, and July 3, more than double the 2,417 complaints during the same period a year earlier.

    The ICO, which enforces the new rules in the U.K., did not say if the bulk of the new cases are GDPR-related as the watchdog doesn’t separate out its complaints by type, but said that the agency expects the figures will continue to climb.

  10. Tomi Engdahl says:

    Special interests push U.S. Congress to override ICANN’s Whois policy process
    https://www.internetgovernance.org/2018/08/29/special-interests-push-u-s-congress-to-override-icanns-whois-policy-process/

    Ever since ICANN’s creation, there has been a clash between the protection of personal data and its contractually-required Whois service. Under ICANN contracts, registrars were required to publish sensitive information about domain name registrants. The email addresses, names and other contact information of domain holders was available to anyone in the world who requested it. This indiscriminate access to sensitive data was proven to exacerbate spam problems, aid domain name hijackers and in a few cases facilitate stalkers.

    The implementation of Europe’s General Data Protection Regulation this year finally knocked some sense into the ICANN regime. In an emergency temporary specification issued in May, the ICANN board authorized its contracted registries and registrars to redact sensitive data from their Whois output.

    The Internet still functions as before. There is no discernible change in internet security. And there are some clear security gains

  11. Tomi Engdahl says:

    How GDPR is Unintentionally Driving the Next Decade of Technology
    https://www.securityweek.com/how-gdpr-unintentionally-driving-next-decade-technology

    Companies, organizations and sometimes even government agencies have been careless with the personal information they have traditionally collected. In their defense, personally identifiable information, sometimes simply called PII, wasn’t historically much of a target for hackers and criminals. Today however, PII is like gold for many attackers because of their ability to leverage things like a person’s name, birthdate, social security number, credit card data or other unique information to commit secondary crimes such as phishing attacks and identity theft.

    While information protection laws within the United States have mostly been non-existent, or confined to narrowly defined industries like with the Health Insurance Portability and Accountability Act (HIPAA) in healthcare, the steady drumbeat of constant breaches like the massive data theft at Equifax and the ubiquitous monitoring of consumer behavior have forced Europe to act.

  12. Tomi Engdahl says:

    German Court Issues First GDPR Ruling
    https://www.natlawreview.com/article/german-court-issues-first-gdpr-ruling?ref=hvper.com

    In the first decision (available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,” and “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

    The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

    ICANN filed suit in Germany seeking an injunction

    Rejecting ICANN’s request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule

  13. Tomi Engdahl says:

    Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways
    Suddenly, corps in a rush to fess up to e-break-ins
    https://www.theregister.co.uk/2018/09/12/ba_equifax_breach_notification_speed/

    Analysis: If Equifax’s mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.

    It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not that there are necessarily more of them so much as the speed with which they are being revealed.

    Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact cybercriminals were able to skim up to 380,000 transactions in real time but the speed with which the company owned up to the calamity.

    Confessions
    According to BA, the attack began at 22:58 BST on August 21, and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.

    Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23.

    Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.

    Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe’s GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours.

    “This is definitely due to the awareness and the run up to the GDPR,”

    “Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist, Jake Moore.

