GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
GDPR’s running emphasis on data protection via data security it is implicitly encouraging the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.


  1. Tomi Engdahl says:

    Critical Open Source vm2 Sandbox Escape Bug Affects Millions
    Attackers could exploit the “Sandbreak” security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.

  2. Tomi Engdahl says:

    France fines Clearview AI maximum possible for GDPR breaches

    Clearview AI, the controversial facial recognition firm that scrapes selfies and other personal data off the Internet without consent to feed an AI-powered identity-matching service it sells to law enforcement and others, has been hit with another fine in Europe.

    This one comes after it failed to respond to an order last year from the CNIL, France’s privacy watchdog, to stop its unlawful processing of French citizens’ information and delete their data.

    Here’s the CNIL’s summary of Clearview’s breaches:

    Unlawful processing of personal data (breach of Article 6 of the GDPR)
    Individuals’ rights not respected (Articles 12, 15 and 17 of the GDPR)
    Lack of cooperation with the CNIL (Article 31 of the RGPD)
    “Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice,”

    “The chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR [General Data Protection Regulation].”

    The EU’s GDPR allows for penalties of up to 4% of a firm’s worldwide annual revenue for the most serious infringements — or €20 million, whichever is higher. But the CNIL’s press release makes clear it’s imposing the maximum amount it possibly can here.

    Whether France will see a penny of this money from Clearview remains an open question, however.

    The U.S.-based privacy-stripper has been issued with a slew of penalties by other data protection agencies across Europe in recent months, including €20M fines from Italy and Greece; and a smaller U.K. penalty. But it’s not clear it’s handed over any money to any of these authorities — and they have limited resources (and legal means) to try to pursue Clearview for payment outside their own borders.

    So the GDPR penalties look mostly like a warning to stay away from Europe.

    Clearview’s PR agency, LakPR Group, sent us this statement following the CNIL’s sanction — which it attributed to CEO Hoan Ton-That:

    There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.

    The statement goes on to reiterate earlier claims by Clearview that it does not have a place of business in France or in the EU, nor undertake any activities that would “otherwise mean it is subject to the GDPR”, as it puts it — adding: “Clearview AI’s database of publicly available images is lawfully collected, just like any other search engine like Google.”

    (NB: On paper the GDPR has extraterritorial reach so its former arguments are meaningless, while its claim it’s not doing anything that would make it subject to the GDPR looks absurd given its amassed a database of over 20 billion images worldwide and Europe is, er, part of Planet Earth… )

    Each time it has received a sanction from an international regulator it’s done the same thing: Denying it has committed any breach and refuted the foreign body has any jurisdiction over its business — so its strategy for dealing with its own data processing lawlessness appears to be simple non-cooperation with regulators outside the US.

  3. Tomi Engdahl says:

    Meta fined $275 million over data scraping practices that violated GDPR
    Irelands Data Protection Commission (DPC) has fined Meta 265 million (about $275 million) after a year-long inquiry into the companys data protection practices. The fines stem from Facebooks practice of making personal data accessible by default through search functions and concern Facebook Contact Importer, Messenger Contact Importer, Instagram Contact Importer and Messenger Search and its variant Messenger Contact Creator features. The features allowed anyone to scrape the social media giant a process where bots are able to gather data online automatically. Typically, the bots are used to scan social media sites like Facebook and copy whatever information is available.

  4. Tomi Engdahl says:

    Parmy Olson / Bloomberg:
    The European Commission plans to require that country regulators report six times a year on GDPR investigations and more, after a complaint by rights group ICCL — It’s well established that the European Union has some of the strictest privacy laws in the world, threatening fines of up to 4% of a company’s annual turnover.

    The EU Is About to Take a Bigger Stick to Big Tech

    A new auditing regime should make harder to give Meta, Google and Amazon an easy ride on data protection.


Leave a Comment

Your email address will not be published. Required fields are marked *