https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
GDPR’s running emphasis on data protection via data security it is implicitly encouraging the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
373 Comments
Tomi Engdahl says:
Microsoft menaced with GDPR mega-fines in Europe for ‘large scale and covert’ gathering of people’s info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say
https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/
Microsoft broke Euro privacy rules by carrying out the “large scale and covert” gathering of private data through its Office apps.
That’s according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft’s Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.
The dossier’s authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That’s a no-no.
Those actions break Europe’s new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines.
https://regmedia.co.uk/2018/11/16/microsoft-office-gdpr-fail.pdf
Tomi Engdahl says:
Domain name ‘admin’ role eyed up as latest victim of Whois system’s GDPRmeggdon
https://www.theregister.co.uk/2018/11/27/gdpr_icann_whois/
Plus anonymous email and all personal info to be redacted
Tomi Engdahl says:
Domain name ‘admin’ role eyed up as latest victim of Whois system’s GDPRmeggdon
Plus anonymous email and all personal info to be redacted
https://www.theregister.co.uk/2018/11/27/gdpr_icann_whois/
Tomi Engdahl says:
German chat site faces fine under GDPR after data breach
https://www.welivesecurity.com/2018/11/27/german-chat-site-faces-fine-gdpr/
The country’s first fine under GDPR is lower than might have been expected, however, as the company was acknowledged for its post-incident cooperation and enhanced security measures
Tomi Engdahl says:
How much are the first fines for GDPR infringement?
https://www.pandasecurity.com/mediacenter/news/first-sanctions-gdpr-infractions/
2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.
Infringement of this regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. It is therefore perhaps unsurprising that companies are now examining their data with a fine tooth comb in order to stay on the right side of the legislation. However, in spite of this exigency, to date, only 29% of organizations have implemented all measures necessary to comply with the GDPR.
Sanctions start to appear
2019 will bring new figures
The economic sanctions that we have seen so far are clearly relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear.
What can you do to avoid a fine – be it millions of Euros or more moderate? The most important thing to bear in mind is that prevention is better than a cure, and by having appropriate protection for the personal data that your company manages, you can avoid sanctions. Start by knowing exactly where this data is stored and who has access to it. To do so, it is vital to have advanced cybersecurity solutions.
Tomi Engdahl says:
This early GDPR adtech strike puts the spotlight on consent
Choice isn’t optional.
https://techcrunch.com/2018/12/13/this-early-gdpr-adtech-strike-puts-the-spotlight-on-consent/?utm_source=tcfbpage&sr_share=facebook
What oes consent as a valid legal basis for processing personal data look like under Europe’s updated privacy rules? It may sound like an abstract concern but for online services that rely on things being done with user data in order to monetize free-to-access content this is a key question now the region’s General Data Protection Regulation is firmly fixed in place.
The GDPR is actually clear about consent.
Confusing and/or incomplete consent flows aren’t yet extinct, sadly. But it’s fair to say those that don’t offer full opt-in choice are on borrowed time.
Because if your service or app relies on obtaining consent to process EU users’ personal data — as many free at the point-of-use, ad-supported apps do — then the GDPR states consent must be freely given, specific, informed and unambiguous.
Tomi Engdahl says:
Onko yrityksenne tietosuojatekemisen kypsyys jo riittävä?
https://www.talentbase.fi/blogi/yrityksen-riittava-tietosuoja/?utm_source=facebook&utm_medium=cpc&utm_campaign=adv-yrityksen-riittava-tietosuoja-blogi-sponsoroitu-julkaisu
Tomi Engdahl says:
Gdpr voi vaatia uuden tietojärjestelmän
https://www.tivi.fi/Kaikki_uutiset/gdpr-voi-vaatia-uuden-tietojarjestelman-6753692
Yritykset näkivät valtavasti vaivaa, mutta kuluttajalle muutos näkyi lähinnä päivitettyinä käyttöehtoina. Luetaanko niitä nyt huolellisemmin?
”Kukaan ei ikinä lue”, Nurmi vastaa.
Esimerkkinä hyvin toteutetusta nykyaikaisesta sivusta hän pitää BBC:n kirjautumissivua, jossa käyttäjältä kysytään yksi tieto kerrallaan ja tehdään selväksi, mihin tarkoitukseen mitäkin tietoa käytetään.
”Yksilöidyn lisätiedon aika on sitten, kun käyttäjä on aktiivisesti vieraillut sivustolla jo jonkin aikaa.”
Tomi Engdahl says:
VALEHENKILÖILLE UUSI MELLASTUSKENTTÄ?
https://www.telia.fi/yrityksille/tuotteet/tietoliikenne/varmenne-ja-luottamuspalvelut/tunnistuspalvelu/artikkeli/valehenkiloille-uusi-mellastuskentta-newsroom?utm_source=facebook&utm_campaign=B2B+sisältö+nostot+Q3-Q4+2018+buP11160004019&utm_medium=social_paid&utm_content=link+%7C+Valehenkilöille+uusi+mellastuskenttä&utm_term=SERVICES+%7C+pros+%7C+Valehenkilöille+uusi+mellastuskenttä+%7C+native+%7C+julkishallinto+%7C+5665
Asiakas soittaa yritykseesi, vetoaa uuteen tietosuoja-asetukseen ja pyytää saada tietonsa nähtäviksi rekistereistänne. Miten varmistat, että kysyjä on juuri se, joka hän kertoo olevansa eivätkä lähetetyt tiedot vuoda muille?
Tomi Engdahl says:
Data Protection Laws Will Change How Electronics Systems are Designed
https://www.eeweb.com/profile/loucovey/articles/data-protection-laws-will-change-how-electronics-systems-are-designed
The advent of 5G cellular service is upon us (see “The 5G Future Begins Now!”). This is great news for the chip and electronic system industries and — possibly — outstanding news for the digital security industry.
I pointed out that weaknesses in data security exist in the technologies that are purchased by media and retail companies. Even if those companies do everything in their power to protect customer data, a hacker can access that data through the equipment anyway. I asked how long he thought it would be before the EU went after the equipment providers for data breaches or if their customers would seek financial relief from them if they were fined. His face went white for a few seconds and then red. “I think this interview is over,” he said, and then he walked away.
Here’s the revelation that he had: In the EU, the fine for violating the GDPR is €20 million, or 4% of a company’s annual global revenue, whichever is greater. Read that again just to let it sink in. Let’s say that Apple had a breach in their devices that was exploited by a group of hackers working for the Chinese government, giving access to the data of a couple of thousand customers in Europe. The fine for that is more than €2 billion.
Could that happen? Well, before the GDPR went into effect, researchers discovered the Meltdown/Spectre hole in every commercial processor on the market, including all Apple products. As I wrote several times last year (see my “The Illusion of Security” columns), the hole was quickly patched at a significant cost to device performance.
Apple and the rest of the device world is safe from the GDPR at the moment. This is because no one is thinking about applying it to devices and also because the EU regulation is an “opt-in” service. Users have to choose to have the protection, and the patch protects the device world from liability. he patches, however, can be turned off voluntarily, which constitutes a decision to opt out of the protection. This will protect them with the CCPA in 2020 because that law is opt-out, and turning off the patches could constitute a decision to opt out.
The problem comes in when tech support doesn’t tell users that bypassing the patch to regain performance will eliminate their protection. Guess what? They don’t. That will have to change because when the CCPA goes into effect, the financial penalties could kill a company.
The handwriting is on the wall about what data breaches will cost in the next decade, and it’s time for the hardware industry to get very serious about dealing with this issue.
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Max Schrems files GDPR complaints against Amazon, Apple, Netflix, Spotify, YouTube, others for failing to provide required info about data they collect on users — European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube.
Privacy campaigner Schrems slaps Amazon, Apple, Netflix, others with GDPR data access complaints
Natasha Lomas
https://techcrunch.com/2019/01/18/privacy-campaigner-schrems-slaps-amazon-apple-netflix-others-with-gdpr-data-access-complaints/
European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube.
The complaints, filed via his nonprofit privacy and digital rights organization, noyb, relate to how the services respond to data access requests, per regional data protection rules.
Article 15 of Europe’s General Data Protection Regulation (GDPR) provides for a right of access by the data subject to information held on them.
The complaints contend tech firms are structurally violating this right — having built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information to which they are legally entitled.
Indeed, noyb tested eight companies in all, in eight different countries in Europe, and says it found none of the services provided a satisfactory response.
Tomi Engdahl says:
Romain Dillet / TechCrunch:
Google fined €50M by French watchdog CNIL under GDPR for alleged lack of transparency, info, and consent about ads personalization in Android’s onboarding flow
French data protection watchdog fines Google $57 million under the GDPR
https://techcrunch.com/2019/01/21/french-data-protection-watchdog-fines-google-57-million-under-the-gdpr/
Tomi Engdahl says:
GDPR Complaints Filed Against Eight International Streaming Companies
https://www.securityweek.com/gdpr-complaints-filed-against-eight-international-streaming-companies
European NGO noyb (‘none of your business’) filed ten GDPR-related complaints against eight international streaming services on January 18, 2019. The complaints allege that the concerned streaming services have not fully — and in some cases not at all — responded to the lawful ‘right of access by the data subject’ (Article 15 of GDPR) with ‘transparent information, communication and modalities’ (Article 12); and are therefore in breach of GDPR.
Tomi Engdahl says:
Google fined €50 million for violating EU data privacy rules
https://www.welivesecurity.com/2019/01/22/google-fined-violating-eu-data-privacy-rules/
France’s data protection watchdog issues the first major penalty under the EU’s new privacy regime
Tomi Engdahl says:
Gdpr vauhditti kybervakuutusten myyntiä Suomessa
https://www.tivi.fi/Kaikki_uutiset/gdpr-vauhditti-kybervakuutusten-myyntia-suomessa-6755624
”Tietomurto sinänsä ei ole ongelma, mutta sen huono hoito on.”
Tomi Engdahl says:
French data protection watchdog fines Google $57 million under the GDPR
https://techcrunch.com/2019/01/21/french-data-protection-watchdog-fines-google-57-million-under-the-gdpr/
The CNIL, the French data protection watchdog, has issued its first GDPR fine of $57 million (€50 million). The regulatory body claims that Google has failed to comply with the General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android’s onboarding process.
Two nonprofit organizations called ‘None Of Your Business’ (noyb) and La Quadrature du Net had originally filed a complaint back in May 2018 — noyb originally filed a complaint against Google and Facebook, so let’s see what happens to Facebook next. Under the GDPR, complaints are transferred to local data protection watchdogs.
Tomi Engdahl says:
Google to Appeal 50-Million-Euro French Data Consent Fine
https://www.securityweek.com/google-appeal-50-million-euro-french-data-consent-fine
Google said Wednesday it would appeal a record 50-million-euro fine imposed by France’s data regulator for failing to meet the EU’s strict new General Data Protection Regulation (GDPR).
“We’ve worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing,” the company said in a statement.
“We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond,” it added.
“For all these reasons, we’ve now decided to appeal.”
Tomi Engdahl says:
GDPR Compliance Brings Other Benefits: Cisco Study
https://www.securityweek.com/gdpr-compliance-brings-other-benefits-cisco-study
Companies that are ready for the EU’s General Data Protection Regulation (GDPR) have reported shorter sales delays and fewer or less serious data breaches, according to Cisco’s 2019 Data Privacy Benchmark Study.
The Data Privacy Benchmark Study shows that organizations that have invested in customer privacy requirements, mainly to become GDPR compliant and to avoid fines and penalties, are seeing some benefits beyond GDPR compliance.
According to Cisco, 59% of respondents said their organization had met GDPR requirements and 29% expect to become compliant within one year.
Tomi Engdahl says:
Agence France-Presse:
European Commission says that more than 95K complaints have been filed with data regulators since adoption of GDPR in May
Flood of complaints to EU countries since data law adopted
https://phys.org/news/2019-01-complaints-eu-countries-law.html
More than 95,000 complaints have been filed with EU countries since the bloc’s flagship data protection laws took effect eight months ago, the executive European Commission said Friday.
The complaints have already triggered three financial penalties, including France’s record 50 million euros fine Monday on US giant Google for not doing enough inform users on how their data is used.
Read more at: https://phys.org/news/2019-01-complaints-eu-countries-law.html#jCp
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
GDPR complaint against Google and IAB by privacy advocates claims that ad category lists enable mass broadcasting of intimate personal data
Google and IAB ad category lists show ‘massive leakage of highly intimate data,’ GDPR complaint claims
https://techcrunch.com/2019/01/27/google-and-iab-ad-category-lists-show-massive-leakage-of-highly-intimate-data-gdpr-complaint-claims/
Tomi Engdahl says:
GDPR Today
https://www.gdprtoday.org
Tomi Engdahl says:
Synopsys’ Taylor Armerding takes a look at what the next year holds for open source, from changes in license terms to the impact of GDPR and a broader coalition dealing with security issues.
The future of open source software: More of everything
Posted by Taylor Armerding on January 24, 2019
https://www.synopsys.com/blogs/software-security/future-of-open-source-predictions/
The past decade charts the reach of open source into every industry. But what does the future of open source hold? Here are some open source predictions.
More mergers and acquisitions following on the megadeals of IBM buying Red Hat and Microsoft buying GitHub. More organizations using more of it. More vulnerabilities, corresponding with more efforts by hackers to take advantage of those vulnerabilities. More licensing squabbles and lawsuits. More Linux everywhere, present in the cloud, the IoT, AI, big data, DevOps and blockchain.
Indeed, the 2018 Synopsys OSSRA (Open Source Security and Risk Analysis) report found that of more than 1,100 codebases audited, 77% of IoT codebases had open source components with an average of 677 vulnerabilities per application. Of all the codebases scanned, 74% had open source components with license conflicts.
From a governance perspective, 2018 was the year of GDPR (General Data Protection Regulation).
Future of open source in democracy
On our end, we recently became an open source voting machine manufacturer—at least for a little bit. We are incubating VotingWorks, which aims to be a completely open source—software, hardware, docs via CC—voting systems manufacturer. This is similar to Los Angeles County’s VSAP (Voting Systems for All People) project, which has already produced a voting machine and intends to make it completely open.
More industries, better compliance, but mixed maturity
Tomi Engdahl says:
Data Protection Laws Will Change How Electronics Systems are Designed
https://www.eeweb.com/profile/loucovey/articles/data-protection-laws-will-change-how-electronics-systems-are-designed
The handwriting is on the wall about what data breaches will cost in the next decade; it’s time for the hardware industry to get serious about dealing with this issue
The advent of 5G cellular service is upon us (see “The 5G Future Begins Now!”). This is great news for the chip and electronic system industries and — possibly — outstanding news for the digital security industry.
The potential for designing secure mobile services is tremendous. Much of the most effective technology is available today. The question is whether providers are willing to make the additional expense. So far, the answer is “No!” Communications providers are loath to make their services secure because doing so hasn’t been cheap, and it is much easier to pass the blame onto others — specifically, the users for their lax security. That changed in May of last year with the launch of the General Data Protection Regulation (GDPR) in the European Union, and things will become more expensive in California when the California Consumer Protection Act (CCPA) takes effect in 2020. Both laws are targeted at the usual suspects in the data collection domain — like social media and online retailers — so the hardware and software industries are not really thinking about it. They should be.
Tomi Engdahl says:
Facebook warned over privacy risks of merging messaging platforms
https://techcrunch.com/2019/02/02/facebook-warned-over-privacy-risks-of-merging-messaging-platforms/?utm_source=tcfbpage&sr_share=facebook
Facebook’s lead data protection regulator in Europe has asked the company for an “urgent briefing” regarding plans to integrate the underlying infrastructure of its three social messaging platforms.
Tomi Engdahl says:
59,000 Breaches Disclosed in First Eight Months of GDPR
https://www.securityweek.com/59000-breaches-disclosed-first-eight-months-gdpr
There have been more than 59,000 personal data breaches reported to European data protection regulators in the first eight months following the enforcement of GDPR. From available data, the precise figure is calculated at 59,430.
Global law firm DLA Piper compiled the details from statistics made available by the different European regulators. It found that the greatest number of reported breaches occurred in the Netherlands (15,400), followed by Germany (12,600) and the UK (10,600).
DLA Piper GDPR data breach survey: February 2019
Over 59,000 personal data breaches reported across Europe since introduction of GDPR
https://www.dlapiper.com/en/uk/insights/publications/2019/01/gdpr-data-breach-survey/
Tomi Engdahl says:
GDPR = THE DEATH OF EMAIL MARKETING?
https://bizwell.se/gdpr-the-death-of-email-marketing/?lang=en
A lot of customers has asked us the question “Can I still buy email lists considering GDPR?” and also quite a few business owners on the receiving end of the email has contacted us with a somewhat wrong understanding of GDPR saying things like “You don’t have any right to send me an email!”. In this article our goal is to sort out some misunderstandings specifically about GDPR and what you could call “Cold email marketing” which refers to people who have not actively chosen to opt-in to receive emails from your company.
Tomi Engdahl says:
Encrypted malware: a threat facilitated by the GDPR?
https://www.pandasecurity.com/mediacenter/malware/encrypted-malware-facilitated-gdpr/
One of the positive consequences of the increased concern for personal and corporate cybersecurity is the fact that Internet user are increasingly vigilant with their data and who they share it with. At the same time, online platforms have intensified their efforts to provide secure, private browsing in order to safeguard their and their users’ information.
And this trend is on the up. According to the Global Internet Phenomena Report, written by Sandvine, even very conservative estimates suggest that over 50% of Internet traffic is encrypted. And more and more platforms are turning to end-to-end encryption to ensure that their communications are private.
The GDPR encourages even more encryption
Tomi Engdahl says:
PERSONAL DATA PROTECTION ON THE INTERNET OF THINGS AN EU PERSPECTIVE
https://helda.helsinki.fi/handle/10138/263707
Distributed Computing for the Internet of Things Using IoT Hubs
https://helda.helsinki.fi/handle/10138/234236?_ga=2.176686117.1246319293.1545156563-507306469.1545156563
Tomi Engdahl says:
The real GDPR risks lie with SMEs, not corporates
https://spectrum.ieee.org/tech-talk/computing/networks/whats-in-a-blockchain-with-these-new-tools-anyone-can-find-out
Tomi Engdahl says:
https://tietosuoja.fi/artikkeli/-/asset_publisher/tietosuojavaltuutetun-toimistolle-on-ilmoitettu-jo-2700-henkilotietojen-tietoturvaloukkausta
Tomi Engdahl says:
California Introduces New Data Breach Notification Law
https://www.securityweek.com/california-introduces-new-data-breach-notification-law
California Attorney General Xavier Becerra and Assemblymember Marc Levine last week introduced a new piece of legislation that would require organizations to notify consumers if their passport or biometric information has been compromised in a data breach.
In 2003, California passed a data breach notification law requiring businesses to inform consumers if their personal data was or may have been stolen as a result of security breach. This data includes social security numbers, credit card numbers, driver’s license numbers, and medical and health insurance information.
Tomi Engdahl says:
GAO gives Congress go-ahead for a GDPR-like privacy legislation
https://www.zdnet.com/article/gao-gives-congress-go-ahead-for-a-gdpr-like-privacy-legislation/
Government officials, academia, and advocacy groups say it’s time for the US to get its own GDPR-type law
Tomi Engdahl says:
US Lawmakers Kick Off Debate Over Online Privacy
https://www.securityweek.com/us-lawmakers-kick-debate-over-online-privacy
US lawmakers opened a debate Tuesday over privacy legislation in the first step by Congress toward regulation addressing a series of troublesome data protection abuses by tech firms.
Tomi Engdahl says:
A European data privacy office has 15 open investigations. Ten are about Facebook.
https://www.nbcnews.com/tech/tech-news/european-data-privacy-office-has-15-open-investigations-ten-are-n977436
The report underscores how much Facebook’s handling of sensitive personal data is dominating legal and policy debates about privacy.
Tomi Engdahl says:
ICANN and GDPR – nowhere near compliance
https://edri.org/icann-and-gdpr-nowhere-near-compliance/
The Internet Corporation for Assigned Names and Numbers (ICANN) Initial Report of the Expedited Policy Development Process (EPDP) on the Temporary Specification for generic Top Level Domain (gTLD) Registration Data Team makes for difficult reading. This is because, though it contains a serious attempt at complying with the General Data Protection Regulation (GDPR) compliance, it ignores fundamental criticism by European data protection authorities it has been made aware of as early as fifteen years ago.
Tomi Engdahl says:
Cookie walls don’t comply with GDPR, says Dutch DPA
https://techcrunch.com/2019/03/08/cookie-walls-dont-comply-with-gdpr-says-dutch-dpa/
Cookie walls that demand a website visitor agrees to their Internet browsing being tracked for ad-targeting as the ‘price’ of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.
Of course consent is not the only legal basis for processing personal data but many websites do rely on asking Internet visitors for consent to ad cookies as they arrive.
And the Dutch DPA’s guidance makes it clear Internet visitors must be asked for permission in advance for any tracking software to be placed — such as third party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.
Tomi Engdahl says:
Cookie Walls Do Not Comply with the GDPR According to Dutch Watchdog
https://www.bleepingcomputer.com/news/security/cookie-walls-do-not-comply-with-the-gdpr-according-to-dutch-watchdog/
Cookie walls used by websites, app, and services to force their visitors to accept tracking cookies before being able to gain access do not comply with EU’s General Data Protection Regulation (GDPR) said the Dutch Data Protection Authority (DPA) in a statement published on Thursday.
This is based on GDPR’s requirements which ask companies to first request permission before being able to track people with cookies, tracking software or other digital methods.
The GDPR also forbids the use of other techniques and tools such as Javascripts, Flash cookies, HTML5-local storage and/or web beacons for tracing users while browsing the web without valid consent for ad targeting or other similar purposes.
Tomi Engdahl says:
GDPR – Improving Data Privacy and Cyber Resilience?
https://www.securityweek.com/gdpr-improving-data-privacy-and-cyber-resilience
GDPR’s Policy Enforcement Will Likely be Tested on a Broad Scale in 2019
Tomi Engdahl says:
Sample IT policies, disclaimers and notices
Sample privacy notice
https://www.nibusinessinfo.co.uk/content/sample-privacy-notice
How to write a GDPR privacy notice?
If you collect personal data from the individuals themselves, you must include the following in your privacy notice at the time you obtain the data:
the data controller’s identity and contact details
details of your data protection officer (if you are required to have one)
the purpose and legal basis for data processing
where the legal basis for processing is legitimate interest, what that interest is
where the legal basis is consent, the right to withdraw consent at any time
the existence of individual’s rights (known as data subject rights)
with whom you will share personal data (named parties or categories of recipients)
whether you plan to transfer data to third countries and what safeguards will exist
how long you will keep the personal data for (or details of your retention criteria)
the right to lodge a complaint with the Information Commissioner’s Office
if there is a statutory or contractual requirement for the data subject to provide personal data, and if so, the consequences of failing to provide data
if you intend to carry out any automated decision making (eg profiling), how you will make these decisions, their significance and possible consequences
In addition to the above, if you collect data from a third party (ie from a source other than the data subject), you must also include in the privacy notice:
categories of personal data concerned
the source of data (and whether it came from publicly available sources
Tomi Engdahl says:
How to (and How NOT to) Create a GDPR Notice
https://termsfeed.com/blog/gdpr-notice/
Tomi Engdahl says:
European Government Websites Are Delivering Tracking Cookies to Visitors
https://www.securityweek.com/european-government-websites-are-delivering-tracking-cookies-visitors
Governments within the European Union appear to be flouting their own GDPR laws. Many official government websites are harboring and delivering tracking cookies from the ad tech industry even though they don’t rely on any advertising income. Eighty-nine percent of 184,683 pages delivered tracking cookies. Twenty-five of the 28 member states have websites with tracking cookies — only the Spanish, German and Dutch sites had no trackers.
Tomi Engdahl says:
Synopsys’ Taylor Armerding follows up on European privacy regulation GDPR and finds while the number of fines levied is not huge and neither so far are the penalties, the quiet start is not expected to last.
GDPR: Not heavy-handed yet, but driving data breaches into the open
https://www.synopsys.com/blogs/software-security/gdpr-fines-still-small/
The GDPR fines issued so far have been small, but breach notifications are up. As GDPR continues to ramp up, it seems likely to achieve its goals of privacy.
Among its multiple mandates, GDPR requires that organizations report a breach within 72 hours of becoming aware of it. Failure to do that can bring more punitive sanctions than a breach itself.
Given that the law is new, it’s impossible to say exactly how many organizations would have “forgotten” to report breaches they are now hastening to report.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9252-tutkimus-gdpr-vaikuttanut-negatiivisesti-bisnekseen
Tomi Engdahl says:
GDPR’s First Year: How Has It Affected Events?
https://www.zkipster.com/blog/gdpr-for-events-in-2019/#what-event-professionals-should-look-out-for-in-2019-and-beyond
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Poland fines Bisnode ~€220K for GDPR violations, while the data broker says contacting people for whom they only have a home address may cost it €8M+ in postage
Covert data-scraping on watch as EU DPA lays down “radical” GDPR red-line
https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/
An interesting decision came out of Poland’s data protection agency this week after the watchdog issued its first fine under Europe’s General Data Protection Regulation (GDPR).
On the surface the enforcement doesn’t look so remarkable: A ‘small’ ~€220K fine was handed to a Sweden-headquartered European digital marketing company, Bisnode, which has an office in Poland, after the national Personal Data Protection Office (UODO) decided the company had failed to comply with data subject rights obligations set out in Article 14 of the GDPR.
Tomi Engdahl says:
EU to check for GDPR violations in Microsoft’s contracts with EU institutions
https://www.zdnet.com/article/eu-to-check-for-gdpr-violations-in-microsoft-products-across-eu-institutions/
EU starts investigation of Microsoft’s contracts with EU institutions after Dutch government report.
Tomi Engdahl says:
EU to check for GDPR violations in Microsoft’s contracts with EU institutions
EU starts investigation of Microsoft’s contracts with EU institutions after Dutch government report.
https://www.zdnet.com/article/eu-to-check-for-gdpr-violations-in-microsoft-products-across-eu-institutions/
Tomi Engdahl says:
European Commission Weighs in on the Side of Privacy in WHOIS
https://www.internetgovernance.org/2019/04/22/european-commission-weighs-in-on-the-side-of-privacy-in-whois/
The EPDP is reforming WHOIS to make it consistent with GDPR and privacy rights. The EC comments, we are happy to report, are well aligned with the positions of privacy advocates.
One of the purposes for Whois outlined in the EPDP report was Purpose #2, which was enabling responses to lawful data disclosure requests. Having “disclosure” as a purpose was a compromise we had to make to bring intellectual property, government and security researcher interests to a consensus.
Tomi Engdahl says:
https://www.politico.eu/interactive/ireland-blocks-the-world-on-data-privacy/
Last May, Europe imposed new data privacy guidelines that carry the hopes of hundreds of millions of people around the world — including in the United States — to rein in abuses by big tech companies.
Almost a year later, it’s apparent that the new rules have a significant loophole: The designated lead regulator — the tiny nation of Ireland — has yet to bring an enforcement action against a big tech firm.
Tomi Engdahl says:
Facebook Custom Audience illegal without explicit user consent
https://edri.org/facebook-custom-audience-illegal-without-explicit-user-consent/
Online shops and marketers routinely share customer data with Facebook to reach them with targeted advertising. Turns out that in many cases this is illegal.