WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point to note right off the bat is that GDPR does not apply only to EU businesses: any entity, wherever it is established, that processes the personal data of people in the EU (not just EU citizens) when offering them goods or services or monitoring their behaviour has to comply. This extra-territorial scope casts the European Union as a global pioneer in data protection. GDPR also steps up the financial penalties for data protection violations massively, to a maximum of €20 million or 4% of worldwide annual turnover, whichever is higher.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to demonstrate their compliance, and to appoint a data protection officer if they process sensitive data on a large scale or systematically monitor large numbers of individuals.
Given GDPR’s running emphasis on data protection via data security, it implicitly encourages the use of encryption as more than just a risk-reduction technique. Another major change arriving with GDPR is that ‘privacy by design’ is no longer just a nice idea: privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization (for example, encrypting personal data and storing the encryption key separately and securely) as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Pseudonymized data is still personal data, because whoever holds the key or the lookup table can re-identify the individuals; only data that has been rendered truly anonymous falls outside the scope of the regulation.
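The pseudonymization pattern described above, as an added example that is not code from the TechCrunch article or from any regulator: direct identifiers are replaced by a keyed token, the originals are encrypted, and the keys live in a separate vault that the data store never sees. The schema (`name` and `email` as the direct identifiers), the `KeyVault` class and the sample record are assumptions of mine. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; in production use AES-GCM from a maintained library.

```python
# Added example (not from the TechCrunch article or from the GDPR text).
# Pseudonymisation as the page describes it: direct identifiers are replaced
# by a keyed token, the originals are encrypted, and the keys live in a
# separate vault that the data store never sees. The keystream cipher below is
# HMAC-SHA256 in counter mode with encrypt-then-MAC, used only so the example
# runs on the standard library; in production use AES-GCM from a real library.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

DIRECT_IDENTIFIERS = ("name", "email")  # assumed schema: fields that identify a person
NONCE_LEN, TAG_LEN = 16, 32


@dataclass
class KeyVault:
    """Held by a different service or team than the data store: under the
    regulation the 'additional information' needed to re-identify must be
    kept separately from the pseudonymised data."""
    token_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    enc_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mac_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF (HMAC-SHA256) in counter mode: nonce || counter -> 32-byte block.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(vault: KeyVault, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault.enc_key, nonce, len(plaintext))))
    tag = hmac.new(vault.mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(vault: KeyVault, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(vault.mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check first
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault.enc_key, nonce, len(ct))))


def pseudonym(vault: KeyVault, email: str) -> str:
    """Deterministic keyed token: the same person always maps to the same
    token, so records stay joinable for analytics, yet without the key the
    token can be neither reversed nor brute-forced from a list of emails."""
    return hmac.new(vault.token_key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(vault: KeyVault, record: dict) -> dict:
    """The form the data store is allowed to keep."""
    stored = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    stored["subject_token"] = pseudonym(vault, record["email"])
    identifiers = json.dumps({k: record[k] for k in DIRECT_IDENTIFIERS}).encode()
    stored["identifiers_enc"] = encrypt(vault, identifiers).hex()
    return stored


def reidentify(vault: KeyVault, stored: dict) -> dict:
    """Only possible with the vault, which is exactly why pseudonymised data
    is still personal data under the regulation."""
    record = {k: v for k, v in stored.items() if k not in ("subject_token", "identifiers_enc")}
    record.update(json.loads(decrypt(vault, bytes.fromhex(stored["identifiers_enc"])).decode()))
    return record


def leaks_identifier(stored: dict, record: dict) -> bool:
    """Check to run against the data store: no direct identifier may appear
    in clear anywhere in what is stored."""
    blob = repr(stored).lower()
    return any(str(record[k]).lower() in blob for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = KeyVault()
    # Constructed sample record, not real data.
    rec = {"name": "Ada Lovelace", "email": "Ada@Example.org", "plan": "pro", "visits": 7}
    stored = pseudonymise(vault, rec)
    print("stored form:", stored)
    print("leaks identifier:", leaks_identifier(stored, rec))
    print("re-identified with vault:", reidentify(vault, stored))
```

Running the module prints the stored form and the re-identified record. The point to take from `reidentify` is the last sentence of the paragraph above: as long as the vault exists, the data can be tied back to a person, so it is pseudonymised rather than anonymous and stays within the regulation's scope. A second vault produces a different token for the same person and fails the tag check on decryption, which is what key separation buys.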


  1. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Irish DPC report: 6 inquiries into multinational tech companies’ GDPR compliance were opened in 2019, bringing major cross-border probes to 21, but no decisions

    Lack of big tech GDPR decisions looms large in EU watchdog’s annual report
    https://techcrunch.com/2020/02/19/lack-of-big-tech-gdpr-decisions-looms-large-in-eu-watchdogs-annual-report/

    The lead European Union privacy regulator for most of big tech has put out its annual report which shows another major bump in complaints filed under the bloc’s updated data protection framework, underlining the ongoing appetite EU citizens have for applying their rights.

    But what the report doesn’t show is any firm enforcement of EU data protection rules vis-a-vis big tech.

    The report leans heavily on stats to illustrate the volume of work piling up on desks in Dublin. But it’s light on decisions on highly anticipated cross-border cases involving tech giants including Apple, Facebook, Google, LinkedIn and Twitter.

    Despite Ireland having a large number of open cross-border investigations into the data practices of platform and adtech giants, some of which originated from complaints filed right at the moment GDPR came into force.

    In its defence, the DPC does have a horrifying case load. As illustrated by other stats it’s keen to spotlight — such as saying it received a total of 7,215 complaints in 2019; a 75% increase on the total number (4,113) received in 2018. A full 6,904 of which were dealt with under the GDPR (while 311 complaints were filed under the Data Protection Acts 1988 and 2003).

  2. Tomi Engdahl says:

    Under Pressure: New GDPR Rule Makes Data Security a Critical C-Suite Concern
    https://www.dfinsolutions.com/insights/article/under-pressure-new-gdpr-rule-makes-data-security-critical-c-suite-concern

    Lawmakers in the European Union passed sweeping new measures to protect individual privacy rights, in a way that reaches far beyond the borders of its 28 member states. The result: Data security is now an even more pressing C-suite concern worldwide.

  3. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    European Data Protection Board publishes updated guidelines arguing that scrolling and “cookie walls”, which block users from content, don’t constitute consent — You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’.

    No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body
    https://techcrunch.com/2020/05/06/no-cookie-consent-walls-and-no-scrolling-isnt-consent-says-eu-data-protection-body/

    You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.

  4. Tomi Engdahl says:

    An important GDPR precedent in Finland: two authorities, two completely
    different interpretations
    https://www.tivi.fi/uutiset/tv/0b79b269-066e-4abc-8fc2-4d9d766aae09
    The European data protection regulation, the GDPR, came into force two
    years ago. Browser cookies are important for the functionality of
    websites. They also have a dark side: cookies allow visitors to websites
    to be tracked fairly precisely, and the more of this data there is, the
    better a picture companies can form of a person. One of the most
    important features of the GDPR is that it limits companies' freedom to
    collect this data about people. The guidance can, however, be
    interpreted in different ways, which makes life easy for neither
    companies nor authorities. Some questionable interpretations, for
    example, treat scrolling down from the landing screen as giving consent.
    This is a questionable interpretation at the very least, since giving
    consent should be a clear choice, not an inference drawn from impatient
    behaviour. Sometimes the ambiguity is exploited blatantly. Some websites,
    for example, prevent visitors from seeing the site's content until they
    give the site permission to track them. A block that extorts consent in
    this way may follow the letter of the law, but certainly not its spirit.
    The cases handled by Traficom and the Office of the Data Protection
    Ombudsman were separate from each other. Read also:
    https://www.tivi.fi/uutiset/tv/fbf224ad-0cf4-4758-a5c3-0d6060a0f9a8

  5. Tomi Engdahl says:

    BBC:
    Court in Netherlands rules that, under GDPR, a woman must delete photos of her grandchildren that she posted on Facebook without their parents’ permission — A woman must delete photographs of her grandchildren that she posted on Facebook and Pinterest without their parents’ permission, a court in the Netherlands has ruled.

    Grandmother ordered to delete Facebook photos under GDPR
    https://www.bbc.com/news/technology-52758787

    A woman must delete photographs of her grandchildren that she posted on Facebook and Pinterest without their parents’ permission, a court in the Netherlands has ruled.

    It ended up in court after a falling-out between the woman and her daughter.

    The judge ruled the matter was within the scope of the EU’s General Data Protection Regulation (GDPR).

    One expert said the ruling reflected the “position that the European Court has taken over many years”.

    The case went to court after the woman refused to delete photographs of her grandchildren which she had posted on social media.

    The mother of the children had asked several times for the pictures to be deleted.

    The GDPR does not apply to the “purely personal” or “household” processing of data.

    However, that exemption did not apply because posting photographs on social media made them available to a wider audience, the ruling said.

    “With Facebook, it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties,” it said.

    The woman must remove the photos or pay a fine of €50 (£45) for every day that she fails to comply with the order, up to a maximum fine of €1,000.

    If she posts more images of the children in the future, she will be fined an extra €50 a day.

    “I think the ruling will surprise a lot of people who probably don’t think too much before they tweet or post photos,” said Neil Brown, a technology lawyer at Decoded Legal.

  6. Tomi Engdahl says:

    Data protection penalty fines imposed in Finland for the first time:
    Posti hit with 100,000 euros over its change-of-address practices
    https://yle.fi/uutiset/3-11364819
    Posti's fine of one hundred thousand euros follows from its failure to
    inform customers who filed a change-of-address notification of their
    right, among other things, to block the disclosure of their data in
    connection with the notification. Kymen Vesi received a fine of 16,000
    euros because it had failed to carry out an impact assessment for its
    processing of location data. In the third case, a company collected
    data on job applicants and employees unnecessarily. The name of the
    company that received the 12,500-euro penalty fine was not made public.

  7. Tomi Engdahl says:

    The sanctions board of the Office of the Data Protection Ombudsman
    imposed three administrative fines for data protection violations
    https://tietosuoja.fi/artikkeli/-/asset_publisher/tietosuojavaltuutetun-toimiston-seuraamuskollegio-maarasi-kolme-seuraamusmaksua-tietosuojarikkomuksista
    On 18 May the sanctions board imposed administrative fines on three
    companies for breaching data protection legislation. The violations
    concern deficient information about data protection rights, failure to
    carry out an impact assessment, and the collection of unnecessary
    personal data.
