Ayottaz Weekly News Roundup

Top news in the world of data privacy this month that you do not want to miss.

November 30

Amazon Sidewalk feature raising privacy concerns
Amazon Sidewalk, a feature launching in the U.S. that connects Echo and Ring doorbells to any nearby Alexa device, is raising privacy concerns, Business Insider reports. Customers must opt out of the feature that uses Wi-Fi from neighbors to create “a shared network that helps devices work better.” Amazon said steps have been taken to keep user data private, but some say the feature should be opt-in. “It feels wrong not knowing what your device is connected to,” University of Surrey Professor Alan Woodward said.

Air Force tests peripheral device tracking
The U.S. Air Force Research Laboratory is testing whether a commercial software platform that taps mobile phones to glean insights from Internet-of-Things devices has potential military applications, The Wall Street Journal reports. The Air Force awarded a $50,000 grant to SignalFrame, a Washington, D.C.–based wireless technology company whose product can turn smartphones into listening devices to determine the location and identity of peripheral devices, like fitness trackers and connected vehicles.

Israel opens public consultation on Privacy Protection Law amendments
Israel’s Ministry of Justice is seeking to amend the Privacy Protection Law and has opened a public consultation. “In view of the technological and economic changes in the decades since the Privacy Protection Law was enacted, 1981, and in view of the drastic changes in the legal arrangements applicable in the countries of the world for the protection of personal information, the Minister of Justice seeks comprehensive amendments to privacy protection,” the call for public input stated.

German Presidency: ‘Further work is needed’ on ePrivacy
The German Presidency of the Council of the European Union published a report on its work toward an ePrivacy Regulation agreement. The report acknowledges the latest proposal from the Germans drew “rather mixed” reactions from member states, which broadly supported the removal of legitimate interests, while some delegations felt certain provisions stymied innovation and the processing of metadata. Additionally, while the Germans indicated “further work is needed” from the incoming Portuguese Presidency, member states regard a prior proposal from the Finnish Presidency as “the starting point for future negotiations.”

Facebook asks Supreme Court to hear user tracking case
MediaPost reports Facebook filed a petition urging the Supreme Court of the United States to review a case on whether tracking users offline through its “Like” button is a violation of the Electronic Communications Privacy Act. After announcing in July its intention to bring the appealed case to the Supreme Court, Facebook argues that upholding the prior ruling against it would leave tech companies liable for “commonplace, lawful business practices that enhance internet users’ experiences.” Meanwhile, Google wants an Illinois Biometric Information Privacy Act suit related to an IBM faceprints database dismissed.

EU offers new alliance with US on data protection
The Financial Times reports the European Commission outlined a draft plan for renewed cooperation between the EU and U.S. on a variety of matters, including data protection. The proposal aims to create a shared approach to enforcing data protection law and combatting cybersecurity threats, which will “form the backbone of a wider coalition of like-minded democracies,” according to the commission. The plan will be submitted for endorsement at the start of December with hopes of launching the new trans-Atlantic agenda at a potential EU-U.S. summit in 2021.

Prasad expects finalization of India’s PDPB ‘very soon’
Indian Minister of Communications and Information Technology Ravi Shankar Prasad said Parliament will finalize the Personal Data Protection Bill “very soon,” The Economic Times reports. Prasad noted India’s standing as a “big centre of the data economy” is a leading factor in the upcoming passage of the PDPB. Reports of finalization come as the Joint Parliamentary Committee examining the bill is grappling with whether to exclude non-personal data from the legislation. Also, Google is arguing against data localization provisions in a final bill.

November 25

Survey: 55% of Americans concerned about location tracking by government agencies
A Harris Poll survey found 55% of Americans are concerned about location tracking through digital devices by government agencies, The Wall Street Journal reports. The survey also found 77% believe the government should obtain a warrant for location data available for purchase on the commercial market, 40% would take steps to block tracking, and 26% would change behavior to be less predictable. Those over 65 were less concerned about government location tracking at 39%, compared to 65% among those 18 to 34.

Researchers identify vulnerability of internet-connected cars
The COSIC group at the University of Leuven in Belgium found they could hack and steal an $80,000 internet-connected Tesla SUV in minutes through a Bluetooth-connected key fob, The Washington Post reports. It’s a vulnerability not unique to Tesla, Ph.D. student Lennert Wouters said. “Other (key fobs) which have an insecure firmware update mechanism could also be vulnerable to a similar attack,” he said. The researchers said the company is releasing an over-the-air software update to address the issue.

Digital rights groups say UK government not transparent about Palantir contracts
Privacy International and No Tech for Tyrants said the U.K. government is not being transparent about contracts with U.S.-based surveillance and data analytics company Palantir, Vice reports. Following a joint investigation, the digital rights groups said the government responded to 4 out of 11 freedom-of-information requests that confirmed Palantir contracts but did not include details. “We often do not know what, if any, safeguards are in place to protect our data, and ensure that it is not misused,” they said.

Brazil unveils DPO requirements
Brazil’s Special Secretariat for Debureaucratization, Management and Digital Government issued instructions for appointing data protection officers under the General Data Protection Law. Under the privacy law, DPOs must have multidisciplinary knowledge in the areas of privacy, data protection and data governance; be located within an organization’s IT team; and be appointed within 30 days of the publication of the instructions.

Irish government offers take on EU non-personal data regulation
Ireland’s Department of the Environment, Climate and Communications published details on its implementation of the EU’s Framework for the Free Flow of Non-Personal Data. The law requires, among other things, that invalid data localization efforts across EU member states be repealed by May 30, 2021, to promote the free movement and broad availability of data. DECC indicates the framework, along with the EU General Data Protection Regulation, will “ensure a comprehensive and coherent approach to the free movement of all data in the EU.”

European Parliament endorses collective actions for data protection violations
A law endorsed by the European Parliament would allow consumers to bring collective actions against organizations accused of violating EU rules. Under the law, citizens would be able to file a lawsuit against organizations for alleged failures to comply with rules in a number of areas, including data protection, financial services, energy and communication. The new class-action model would allow consumer organizations to represent group parties rather than law firms.

European Commission proposes new data governance rules
The European Commission proposed a new set of data governance rules to help facilitate data sharing across the European Union. The proposed regulation includes several measures to increase trust in data sharing, rules on neutrality to allow “novel data intermediaries” to function as safe data-sharing organizers, and practices to give Europeans more control over how their data is used. The commission also published a frequently asked questions page to coincide with the announcement.

November 24

New AI powers creation of simulated, fake images
In a report for the New York Times, Kashmir Hill and Jeremy White analyzed the growing trend of creating simulated or fake images of people that do not exist. Websites sell these images to individuals and groups that carry varying motives in relation to how they’ll use them. The images are produced by generative adversarial networks, which are a type of artificial intelligence that generates a facial image based on computer analysis of real photos submitted to the system.

ADGM to continue recognizing UK’s adequacy following Brexit transition period
The Abu Dhabi Global Market Office of Data Protection announced it will continue to recognize the U.K.’s adequacy status for data transfers once the Brexit transition period ends Dec. 31. The ADGM said data controllers that transfer information to the U.K. should not expect to make any major changes to their practices once the transition deadline passes.

President Xi pitches QR codes as answer to COVID-19 travel bans
BBC News reports Chinese President Xi Jinping suggested a “global mechanism” based on quick response codes could help open up international travel once again. Speaking at the G20 summit, Xi said nations need to “establish ‘fast tracks’ to facilitate the orderly flow of people” and that the codes could be used to identify “health certificates based on nucleic acid test results.” Human Rights Watch Executive Director Kenneth Roth said the proposal could become “a Trojan Horse for broader political monitoring and exclusion.”

Chinese wildlife park to delete facial images after court order
Hangzhou Fuyang People’s Court ruled that Hangzhou Safari Park must delete images collected by its facial recognition technology and pay 1,038 yuan in damages, South China Morning Post reports. The case brought forward by Zhejiang Sci-tech University Associate Law Professor Guo Bing alleged that he and his wife did not consent to have their images collected by facial recognition when they entered the park. The court said the use of facial recognition “exceeded the legally necessary requirements.”

South Korean PIPC releases three-year data protection plan
The South Korean Personal Information Protection Committee has released its plan for how the country will approach data protection over the next three years. The plan includes self-regulation of data protection initiatives, improving transborder data flow, the major policy directions the country expects to follow, and the government’s blueprint for safeguarding citizens’ information.

EDPB issues statement on ePrivacy Regulation
The European Data Protection Board issued a statement on the proposed ePrivacy Regulation. The EDPB said “under no circumstances” should the ePrivacy Regulation offer a lower level of protection than the current ePrivacy Directive. The board also said the ePrivacy Regulation should lay out a framework for the “cooperation between data protection authorities as supervisory authorities competent under GDPR and authorities having the appropriate expertise, so their cooperation could function effectively.”

Swedish court rejects Google’s appeal in RTBF case
The Administrative Court of Stockholm confirmed Google violated the EU General Data Protection Regulation; however, the court also reduced the fine issued by the Swedish data protection authority. The court found Google did not properly exercise consumers’ right to be forgotten as laid out in the GDPR. It also determined the Swedish DPA’s initial fine of SEK 75 million was too high, and ordered the penalty to be reduced to SEK 52 million.

November 23

Rental platform executive resigned over Chinese data sharing, sources say
The Wall Street Journal reports Airbnb’s first “chief trust officer” resigned last year, six months into the role, over concerns with how the rental platform shares user data with Chinese authorities. Sources said Sean Joyce was concerned Airbnb was not fully transparent about data sharing with China and that it was willing to consider more expansive data requests from the country.

Retailer, e-commerce platform reach proposed settlement in data breach lawsuit
Hanna Andersson and Salesforce.com have reached a proposed agreement in a class-action lawsuit related to a 2019 data breach, Reuters reports. According to a motion for preliminary approval filed in San Francisco federal court, Hanna Andersson agreed to pay $400,000 and take corrective measures. The suit claimed the children’s clothing retailer and e-commerce platform violated the California Consumer Privacy Act.

Big Tech urges Biden to craft facial recognition legislation
Microsoft President Brad Smith and IBM CEO Arvind Krishna pitched U.S. President-elect Joe Biden on the idea of drafting federal facial recognition regulations, Wired reports. In separate congratulatory messages to Biden, Smith and Krishna suggested the president-elect take a look at potential rules around the biometric technology. Smith wrote, “We need new laws fit for the future,” while Krishna explained that he was “ready to work” with Biden to limit potential harms stemming from facial recognition.

PCLOB review reveals extent EU used US terrorist finance surveillance program
A review of the U.S. Department of the Treasury’s Terrorist Finance Tracking Program conducted by the Privacy and Civil Liberties Oversight Board revealed how often the program was used by European authorities, The Wall Street Journal reports. PCLOB found 40% of the searches made by the Treasury department were on behalf of EU member states or the European Union Agency for Law Enforcement Cooperation. PCLOB Chairman Adam Klein said in a statement about 80,000 leads were shared with the EU from January 2016 to November 2018.

Combating child exploitation online an ePrivacy hurdle
Politico reports the EU remains in a stalemate as to whether scans for evidence of online child exploitation should be allowed under an ePrivacy Regulation agreement. Those in favor of continuing scans believe there is no privacy infringement based on the use of random algorithms and other anonymization practices. On the other hand, privacy advocates and EU privacy officials, including the European Data Protection Supervisor, see the scans as a violation of EU citizens’ fundamental right to privacy.

November 20

Philippines’ NPC urges contact-tracing app developers to ‘act as privacy watchers’
The Philippines National Privacy Commission’s Data Security and Compliance Office issued recommendations for developers of COVID-19 contact-tracing applications to incorporate privacy by design and enable users to opt in and out. “Build security into contact-tracing apps by adopting best privacy practices, such as transparency on how the data is used, collecting only necessary details and having proper disposal mechanism,” said Privacy Commissioner Raymund Liboro, who urged developers to “act as privacy watchers.”

U.S. Senate passes Internet of Things Cybersecurity Improvement Act
The U.S. Senate passed the Internet of Things Cybersecurity Improvement Act, mandating certain security requirements for IoT devices purchased by the federal government, FCW reports. The bill passed the House of Representatives in September. If it is signed by President Donald Trump, the Office of Management and Budget would issue guidelines to federal agencies consistent with recommendations to be developed by the National Institute of Standards and Technology for secure development, identity management, patching and configuration management for IoT devices.

Apple explains delay in iOS 14 privacy updates
Bloomberg reports Apple continued its defense against advocacy groups on a delay to privacy updates for iPhone user-tracking practices. Apple Senior Director of Global Privacy Law and Policy Jane Horvath, CIPP/G, CIPP/US, said the delay aimed to give developers “the time they indicated they needed to properly update their systems and data practices.”

Privacy advocates seek probe into data analytics firm
The Foundation for Market Information Research is calling for an investigation into Palantir’s data privacy practices, Computer Weekly reports. The Dutch privacy group said the U.S.-based data analytics firm and European agencies using its technology have not shared information on how the company accesses citizens’ data, who uses it and what for. The group seeks to “make sure that all European citizens are well protected from random or uncontrollable practices and that the integrity of EU surveillance operations will not be compromised by un(known) non-European entities.”

November 19

UN backs privacy protections for COVID-19 data usage
The United Nations and UN System Organizations released a joint statement supporting continued considerations for data protection and privacy with data usage associated with curbing the spread of COVID-19. UN Privacy Policy Group Co-Chair Robert Kirkpatrick said the UN’s statement “reinforces its commitment to using data and new technologies in ways that respect the right to privacy and other human rights” while also noting “trust, science and solidarity” are keys to beating the virus.

Abu Dhabi launches consultation on proposed privacy law
The Abu Dhabi Global Market opened a public consultation on the economic area’s proposed data protection law. The aim of the legislation is to align standards with the EU General Data Protection Regulation, which ADGM believes is one of “the appropriate best practice benchmarks for robust data protection legislation.” ADGM also noted the establishment of a data protection authority as a key provision of its proposed legislation.

Consumer Reports study gauges evolving attitude toward privacy
Consumer Reports and the Omidyar Network released a report on the changing consumer attitude toward privacy over the years and privacy’s overall market impact. The report looks at how early internet users viewed privacy in 1995 and compares it to online patrons today. Consumer Reports polled 5,085 U.S. adult citizens earlier this year, finding 62% of smart device owners are concerned about the potential loss of privacy when purchasing a product, and 96% said companies need to do more to protect the privacy of their customers.

NZ privacy commissioner develops model contracts for data transfers
New Zealand’s Office of the Privacy Commissioner developed a set of model contract clauses for global data transfers. The clauses were created to help organizations comply with privacy principle 12 within the Privacy Act 2020, which requires organizations to ensure that any data sent outside of New Zealand has the proper safeguards in place. The OPC said in the announcement the clauses can be inserted into contracts with overseas data recipients and are similar to standard contractual clauses used under the EU General Data Protection Regulation.

Facebook, Google discuss Australian data requests, encryption
Facebook and Google appeared before an Australian House of Representatives Standing Committee on Social Policy and Legal Affairs to speak on a range of privacy and data security matters, ZDNet reports. The Big Tech companies each revealed they declined 20% of law enforcement data requests in 2019 due to a lack of jurisdiction or general vagueness of the request. Facebook was also pressed about its plan for end-to-end encryption for its Messenger platform.

Australia seeks public comment on Digital Identity
The Australian government opened a public consultation on the privacy and consumer safeguards being considered for the update and expansion of the country’s Digital Identity legislation. The program is used to simplify identity verification for Australian citizens. In particular, stakeholders will be asked to comment on the standards for the program’s Trusted Digital Identity Framework, which upholds consumer protection principles.

Irish government departments reported 799 breaches in past year
Seventeen government departments in Ireland reported a total of 799 breaches last year, the Irish Examiner reports. The Department of Social Protection was responsible for 374 breaches, 46.8% of all complaints, while the Rural and Community Development department recorded no breaches. State departments accounted for 39% of the 712 breaches referred to the Irish Data Protection Commission. Minister for Justice Helen McEntee said most were “a result of human error” with “just under half” posing no risks to the individuals involved.

November 18

Researchers find disaster apps track locations, share personal data
Applications designed to alert individuals in the path of a disaster, like a hurricane or wildfire, may be tracking users’ locations or providing personal information to third parties, Tech Xplore reports. A research team examining 15 apps found many violate their own privacy policies, default to collecting location data and don’t identify third parties. “You might need a hurricane app during a hurricane, but you certainly don’t need it tracking you for the next three to five years,” University of Illinois at Urbana-Champaign School of Information Sciences Professor Madelyn Sanfilippo said.

House not expected to pass data protection bill this session
Indonesia’s House of Representatives is not expected to pass the anticipated Personal Data Protection Bill before the current session ends Dec. 15, The Jakarta Post reports. The House had hoped to fast-track the legislation during this session, but concerns over the proposal and a recess period stalled progress, according to Deputy Chairman of House Commission I Abdul Kharis Almasyhari. “Looking at the progress, we think it’s impossible for us to conclude the deliberation of the bill with the government this month,” he said.

WhatsApp braces for DPC’s GDPR fine
Facebook-owned messenger service WhatsApp has set aside 77.5 million euros in anticipation of a potential EU General Data Protection Regulation fine from Ireland’s Data Protection Commission, The Irish Times reports. WhatsApp Ireland acknowledged the reallocation of finances relates to “possible administrative fines arising from regulatory compliance matters presently under investigation.” The company also noted the amount put aside is in part for a fine, but it would also cover costs for any potential measures that are ordered with the DPC’s fine.

TikTok expands parental controls
TikTok expanded its Family Pairing parental controls, TechCrunch reports. Parents can now manage various aspects of their teen’s account, like turning off access to the application’s search bar and limiting who can comment on videos. They can also set an account to private. Designed for parents with children 13 or older, the feature first launched in April, enabling parents to link their account to their teen’s. The expanded controls are being offered to users worldwide.

November 17

Zeotap raises $18.5M for privacy-focused customer ID platform
Zeotap raised $18.5 million in an extension of a Series C round of funding for a customer identity platform, TechCrunch reports. The platform uses a company’s first-party data combined with other sources to help understand users. “Managing consent is top of mind here, while making the most of first-party assets,” Founder and Chief Privacy Officer Projjol Banerjea, CIPT, said. Meanwhile, startup OSOM plans to introduce privacy-focused hardware and software in 2021 that gives users more control over their data.

Traffic light–mounted cameras raise privacy concerns
A $2.5 million plan to install more than 300 traffic light–mounted cameras in Detroit, Michigan, by October 2021 is raising concerns that it infringes on privacy rights or may lead to issues of racial discrimination, The Detroit News reports. Officials said the cameras cannot identify people but could be used by police in criminal investigations or for safety reasons. Detroit Will Breathe organizer Tristan Taylor said residents must be assured use of the technology will “stay limited.”

Military purchasing location data from everyday apps
Vice reports the U.S. military improved its tracking of people around the world via location data generated by various third-party applications. These streams of sensitive data are obtained from data broker X-Mode, which collects the data from apps and then flips them to contractors that maintain military ties. Among the biggest sources for data is a Muslim prayer app that has accrued more than 98 million downloads, leaving those users open to potential tracking.

EFF asks colleges to protect privacy with COVID-19 contact tracing
The Electronic Frontier Foundation is urging universities across the world to practice transparency and maintain privacy safeguards as they deploy COVID-19 contact-tracing programs on campuses. While EFF supports efforts to curb the pandemic, doing so without informing students and staff about data collection and tracking “is the wrong way to go about it.” EFF also advocated for the adoption of its University App Mandate Pledge, which outlines key transparency and privacy-preserving policies that “help ensure a higher standard of protection” for personal information.

Apple issues response to privacy concerns around Mac security protocols
Apple responded to privacy concerns surrounding the security protocol it uses to examine software, The Verge reports. The technology company faced questions about the data it collects via its Gatekeeper protocol, which verifies an application developer’s certificate, after Mac users reported trouble opening apps on their devices. The tech company said users’ Apple IDs and device identities are not part of the checks and IP addresses are no longer included when Developer IDs are scanned, adding it plans to change its future handling of the process.

EPIC submits brief to Mass. Supreme Court in Facebook privacy suit
The Electronic Privacy Information Center filed an amicus brief to the Massachusetts Supreme Judicial Court urging Facebook to disclose details of privacy violations by third-party applications in connection with the 2018 Cambridge Analytica scandal. The state attorney general’s office had previously asked for the disclosures as part of its original investigation before filing a lawsuit. “Facebook will continue to evade accountability and the harmful effects of Facebook’s business practices could go undetected,” EPIC wrote in regard to any further withholdings by the social network.

Canada introduces new federal privacy bill
Canadian Minister of Innovation, Science and Industry Navdeep Bains introduced new federal privacy legislation Tuesday, which includes significant fining authority for noncompliant businesses. The proposed law would also give citizens enhanced data subject rights, require organizations to be transparent with the decision-making capabilities of algorithms and artificial intelligence, and provide the Office of the Privacy Commissioner of Canada broad order-making powers. IAPP Editorial Director Jedidiah Bracy, CIPP, has more details on the wide-ranging bill, as well as early reaction, including insight from nNovation’s Constantine Karbaliotis, CIPP/C, CIPP/C, CIPP/US, CIPM, CIPT, FIP.

MEP Sippel says no ePrivacy deal by December deadline
German Member of European Parliament Birgit Sippel acknowledged an agreement on a proposed ePrivacy Regulation will not come before the European Commission’s Dec. 21 deadline, Politico Pro reports. The deadline was set to align an agreement with the EU Electronic Communications Code taking effect. Sippel said the hope is to have ePrivacy agreed to by the start of 2021. In the meantime, internet communications services and user consent to process communications will be regulated by the ePrivacy Directive.

November 16

Blackbaud breach claims another 78K individuals
Delaware-based health provider Bayhealth announced 78,000 patients and donors were involved in the Blackbaud data breach that has affected organizations across the U.S., Government Technology reports. Bayhealth Spokeswoman Danielle Pro-Hudson said letters were sent in November informing individuals of potential data exposure. Information about a hospitalization, such as physician name or department of hospital service, may have been accessed, in addition to more publicly accessible information, including an individual’s name, gender, mailing address, email address and phone number.

Use of ancestry kits, data rising amid privacy concerns
As law enforcement increasingly uses DNA databases to solve cold cases, and with at-home ancestry-testing kits expected to hit 100 million customers by the end of 2021, experts say users should take privacy into account, U.S. News & World Report reports. “There are serious privacy implications when people willingly provide their DNA to private companies,” Case Western Reserve University School of Law’s Andrew Geronimo said, including how information is stored or removed and how companies would respond to a request from law enforcement.

Colleges, employers using wearable tracking tech to fight COVID-19
Colleges, large employers and more in the U.S. are using wearable COVID-19-tracking devices that continuously monitor users, The New York Times reports. While some say the trackers are a way to enhance safety during the pandemic, civil rights and privacy advocates warn they could lead to new forms of surveillance. “It’s chilling that these invasive and unproven devices could become a condition for keeping our jobs, attending school or taking part in public life,” Surveillance Technology Oversight Project Executive Director Albert Fox Cahn said.

NGO files ePrivacy Directive complaints in Spain, Berlin
Reuters reports NOYB filed complaints with data protection authorities in Spain and Berlin against Apple for alleged violations of the ePrivacy Directive. The nonprofit group claims Apple’s Identifier for Advertisers, a code that is used for targeted advertising purposes, functions similarly to a cookie and is placed on the user’s device without their consent.

November 13

Canada to introduce new federal privacy law
Minister of Innovation, Science and Industry Navdeep Bains will introduce a bill to modernize Canada’s privacy laws. Bains will present “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts” Monday.

OCR announces latest HIPAA Right of Access Initiative settlement
The U.S. Department of Health and Human Services’ Office for Civil Rights issued a $15,000 fine and ordered corrective actions to a New York–based private practitioner over Health Insurance Portability and Accountability Act violations. The settlement marks the 11th by OCR under the HIPAA Right of Access Initiative. “Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” OCR Director Roger Severino said.
Read more

ICO fines Ticketmaster UK 1.25M GBP over GDPR violations
The U.K. Information Commissioner’s Office announced a 1.25 million GBP fine against Ticketmaster UK related to EU General Data Protection Regulation violations stemming from a data breach discovered in 2018. The ICO found the company did not install sufficient data security measures around its online payments page, which led to the exposure of credit card information belonging to 9.4 million EU citizens, including 1.5 million U.K. individuals. ICO Deputy Commissioner James Dipple-Johnstone said the penalty “will send a message” in regards to properly safeguarding customer data.
Read more

November 12

Tech companies concerned with critical infrastructure bill amendments
Microsoft, Salesforce and Cisco are raising concerns with Australia’s proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020, ZDNet reports. Amendments would expand coverage of the Security of Critical Infrastructure Act 2018 to the communications and data storage and processing sectors, among others.
Read more

Australia plans facial recognition validation system rollout for next year
Australia plans to roll out a new facial recognition system as part of its new countrywide identity system to replace myGov, the Australian Financial Review reports. Individuals would be asked to submit an image of their face to validate their identity and prove they are not a bot looking to spoof the service. The facial recognition validation would be used before anyone can access sensitive information, such as health or personal tax records.
Read more

OPC offers guidance on CCTV footage requests
New Zealand’s Office of the Privacy Commissioner outlined how organizations should handle individuals’ requests for closed-circuit TV footage. The OPC suggested not only considering requests on a case-by-case basis, but also finding a way to balance the access rights of a requester with the rights of individuals also caught on camera. Additionally, organizations were advised to avoid invoking policies prohibiting access to CCTV footage and never automatically deny a request based on multiple individuals being filmed besides a requester.
Read more

A look at the tech measures India has used to curb the spread of COVID-19
Reuters reports on the technical measures India has implemented to track the spread of the COVID-19 pandemic. Indian officials have called upon local companies to develop technology powered by artificial intelligence to help in these efforts. One such initiative sponsored by the federal government would use thermal cameras to track whether a person is wearing a mask. Municipal workers in northern Chandigarh were ordered earlier this year to wear GPS devices to track their efficiency, which sparked concerns from privacy advocates.
Read more

French court upholds employee dismissal over confidentiality breach
According to Covington & Burling’s Inside Privacy blog, the French Court of Cassation ruled in favor of an employer who had fired an employee over breach of contract despite an invasion of the employee’s privacy. In its decision, the court noted the employer was “not disloyal” in discovering a confidentiality agreement breach via a social media post.
Read more

Luxembourg introduces law to regulate government data access
The Luxembourg Times reports legislation proposed to Luxembourg’s Chamber of Deputies aims to limit government access to personal information. Minister of Justice Sam Tanson said the law would better and more clearly detail what information government entities can look at and under what circumstances they will be allowed to access data.
Read more

Dutch minister calls for DSA regulation against short-term rental market
Dutch Deputy Prime Minister Kajsa Ollongren called for governments to have better access to data from participants in the short-term rental market under the EU Digital Services Act, Euractiv reports. Ollongren said Airbnb and similar companies need to be subject to the Digital Services Act due to the short-term rental market’s “negative” impact on housing prices and “social cohesion.”
Read more

Norway delays implementation of Intelligence Services Act chapters on metadata collection
Norway’s Ministry of Defense announced the postponement of two chapters in the country’s Intelligence Services Act, which is set to go into effect Jan. 1, 2021. The two chapters deal with the bulk collection of metadata and the ability to conduct targeted searches within the information. The decision to delay the chapters comes in response to the Court of Justice of the European Union ordering member states to curb surveillance practices.
Read more

46M records compromised in kids’ game developer breach
Hackers accessed a database belonging to online playground Animal Jam, stealing approximately 46 million account records, Infosecurity Magazine reports. Animal Jam developer WildWorks, based in Utah, said it learned of the breach from security researchers who saw the data posted on a hacker forum, including 7 million email addresses used to create parent accounts for users and 32 million usernames. More than 12,000 of the accounts included parents’ full names and billing addresses.
Read more

Consumer group calls for LGPD breach notification procedure
Convergência Digital reports Brazilian consumer protection group Procon-SP called on electric company Enel to follow data breach notification requirements set out under Brazil’s General Data Protection Law. The call comes days after Enel publicly announced a data breach involving the personal information of approximately 300,000 customers. Under the LGPD, Enel must verify its data security practices and present evidence of its incident response.
Read more

European Commission releases draft implementing decision on SCCs
The European Commission Thursday released its draft implementing decision on standard contractual clauses for the transfer of data to third countries. The European Commission also released an annex to the implementing decision. The feedback period for the draft documents is open until Dec. 10. The news comes a day after the European Data Protection Board published its anxiously awaited recommendations on supplementary measures alongside a second document on EU essential guarantees.
Read more

November 11

NGOs accuse EU of aiding nations’ surveillance efforts
Reuters reports a dozen non-government organizations allege the EU has helped fellow nations undermine individuals’ privacy by boosting their surveillance efforts. A report filed by Privacy International claims EU member states have helped facilitate increased surveillance, including social media tracking in Algeria and phone tracking in Niger. “European governments… must ensure they are not providing the tools of repression to governments around the world,” the European and African civil society groups wrote in a letter to the European Commission.
Read more

CJEU rules against pre-ticked box consent
The Court of Justice of the European Union ruled pre-ticked boxes are not a valid form of consent as telecommunications providers seek to collect or store customer data. The ruling stems from Romanian-based telecom Orange România’s consent practices within contracts, which led to a fine by Romania’s data protection authority, the National Supervisory Authority For Personal Data Processing. The CJEU noted that consent “must be freely given, specific, informed and unambiguous.”
Read more

ICO: Political parties need to improve data practices
The U.K. Information Commissioner’s Office published the results of its audit into major political parties’ data practices. The ICO found all seven political parties it analyzed need improvement and offered a series of recommendations to shore up how they handle data and their management of data protection. The agency advises parties to be more transparent about how they use citizens’ data and to check with third parties and processors to ensure they are in compliance with data protection requirements.
Read more

LIBE issues draft opinion on EU data strategy
European Parliament’s Committee on Civil Liberties, Justice and Home Affairs published its suggestions regarding the EU data strategy. Above all, the committee urges that the strategy should carry an “absolute respect” of citizens’ fundamental right to privacy and data protection. With respect to data transfers, LIBE calls on the strategy to ensure transfers abide by the EU General Data Protection Regulation and emphasizes the need to “draw clear boundaries between the treatment of personal and of non-personal data” in specific sectors.
Read more

Software gives law enforcement access to home security cameras
Police in a handful of U.S. states are utilizing software that taps into home security cameras with consumers’ consent, Business Insider reports. Departments in California, Illinois, Minnesota and Mississippi are attempting to better fight crime with their access to the real-time footage, including streams from Amazon Ring cameras, through the program devised by developer Fusus. Fight for the Future Deputy Director Evan Greer is among the privacy advocates against the software, noting that “it’s a worst-case-scenario for civil liberties.”
Read more

Data breach suit against Macy’s dismissed
The U.S. District Court of Massachusetts has thrown out a class-action lawsuit against Macy’s related to a 2019 data breach, Law Street Media reports. Following Macy’s motion for dismissal in May, the court found that arguments of the harm brought to customers by the breach were unproven given there have been no allegations of fraudulent or attempted use of personal information that had been exposed.
Read more

November 10

Privacy concerns arise as Brookline, Mass. police consider body cameras
Police in Brookline, Massachusetts, are considering deploying body cameras, raising privacy concerns, Wicked Local reports. American Civil Liberties Union of Massachusetts Policy Counsel Emiliano Falcon-Morano said, if done right, the technology can provide oversight and accountability. Without policies and procedures, he said it risks becoming “another surveillance technology in the hands of the government.”
Read more

Draft data protection bill set for assembly debate
Ecuador’s National Assembly announced its International Relations Commission voted to approve a report on the country’s draft Organic Law on Protection of Personal Data. The draft now moves to the presidency of the assembly, which will then table the bill for debate among lawmakers in a plenary session. The draft law lays out principles for data rights and security, definitions for categories of data, and provisions for data transfers and access to personal data by third parties.
Read more

Council of EU draft resolution addresses access to end-to-end encrypted messages
A draft resolution from the Council of the European Union would give member states more legal avenues to access communications protected by end-to-end encryption sent by messaging applications, Euractiv reports. The draft resolution aims to allow for more access to assist with law enforcement investigations and acknowledges technical solutions will need to be discussed with the companies behind the messaging apps. According to the report, “civil society organizations fear this could put a ‘nail in the coffin’ into end-to-end encryption.”
Read more

Hotel booking platform, news outlet hit with data breaches
Infosecurity Magazine reports the Cloud Hospitality platform of Spanish-based developer Prestige Software exposed the data of millions of customers dating back to 2013. Website Planet discovered Prestige’s open cloud database containing more than 10 million customer log files that included full names, email addresses, national ID numbers, phone numbers and credit card information.
Read more

Alberta introduces amendments to Health Information Act
The Legislative Assembly of Alberta introduced “Bill 46: Health Statutes Amendment Act, 2020” to amend several pieces of health care legislation within the province, including the Health Information Act. The amendments allow for broader use of health information and increased penalties for the misuse of information.
Read more

Air Force data ‘sanitizer’ will facilitate safe sharing
TechLink reports the U.S. Air Force Research Laboratory devised a “rough set sanitizer” that breaks up “the path of inference between non-sensitive information” potentially associated with non-sensitive information in a dataset. The tool ensures subtle connections to redacted sensitive data won’t result in a leak, allowing data to flow freely and safely between government and private entities. Air Force Research Electronics Engineer Laurent Njilla said “work needs to be done in terms of data interpretation and data integration” before the sanitizer is launched.
Read more

Public Citizen urges privacy framework for next presidential administration
Saying the United States faces “an unprecedented privacy and data justice crisis,” Public Citizen and its partners released a policy framework for the next presidential administration on “Privacy and Digital Rights For All.” The coalition of privacy, civil rights and consumer organizations urges the adoption of 10 action items, including enacting a comprehensive federal privacy law, establishing a data protection agency, and recognizing privacy and surveillance as racial justice issues. “We urgently need a new approach to privacy and data protection,” the groups wrote.
Read more

November 9

Authorities, activists have differing takes on facial recognition use
Authorities and rights activists are at odds over the more than 105,000 facial recognition cameras in Moscow, Reuters reports. Authorities said facial recognition has improved security and helped to enforce COVID-19 restrictions, though rights activists argue its use comes with lost privacy and increased surveillance. Activists have brought forward several lawsuits, including a case alleging illegal access to the surveillance system, saying the technology has been used to monitor political rallies and expressing concerns over a lack of clear regulations.
Read more

EU telecoms oppose latest ePrivacy proposal
Mobile World Live reports the European Telecommunications Network Operators’ Association and GSMA Europe issued a joint statement asking EU member states to reject the latest ePrivacy Regulation proposal from the Council of the European Union. The telecom associations wrote the newest proposal “fails to bridge the gap between protecting privacy and confidentiality and stimulating innovation in European service providers.” Additionally, the groups are awaiting a framework that is “conducive to strengthening the EU’s data economy.”
Read more

Breach compromises data of millions
The sensitive data of millions of Indian internet grocer Bigbasket users has been stolen in a data breach, Bloomberg News reports. The data, including mobile phone numbers and addresses, was placed for sale for more than $40,000 on the dark web. Bigbasket Co-Founder and CEO Hari Menon said further details could not be disclosed as the breach is under investigation. Meanwhile, in the U.S., Mayo Clinic patients whose health records were improperly accessed by a former employee are mounting a class-action lawsuit against the health care provider.
Read more

FTC reaches settlement with Zoom over alleged misleading security practices
The U.S. Federal Trade Commission announced it reached a settlement with Zoom over allegations the video-conferencing platform did not offer the level of security it had previously advertised. As part of the settlement, Zoom will be required to implement robust security measures to its platform. The FTC approved the settlement by a 3–2 vote, with commissioners Rohit Chopra and Rebecca Kelly Slaughter dissenting.
Read more

November 6

ICO issues guidance on criminal offense data
The U.K. Information Commissioner’s Office released guidance on the processing of criminal offense data. The regulator notes the guidance is meant for data protection officers and individuals with specific data protection responsibilities in larger organizations that have “detailed questions” or seek “a deeper understanding of the rules” for this particular processing.
Read more

November 5

AEPD approves first code of conduct under GDPR
Spain’s data protection authority, the Agencia Española de Protección de Datos, approved the first code of conduct under the EU General Data Protection Regulation. The code of conduct was submitted by the Association for the Self-Regulation of Commercial Communication and covers data processing for advertising activities.
Read more

French court upholds employer’s decision to fire employee over Facebook post
The French Court of Cassation ruled in favor of an employer who fired a staff member over a Facebook post, according to Covington’s “Inside Privacy.” The employee was fired after posting confidential material on their Facebook page.
Read more

Dublin court confirms Irish DPC’s GDPR fine against Tusla
The Dublin Circuit Court confirmed the Irish Data Protection Commission’s 75,000 euro fine against Tusla Child and Family Agency for violations of the EU General Data Protection Regulation. The penalty was administered following investigations into three separate data breaches and was the first GDPR fine to be handed down by the agency.
Read more

Swedish insurer accidentally leaks info of 1M customers
The largest insurer in Sweden, Folksam, announced it accidentally shared the data of about 1 million customers to several large technology companies, Reuters reports. The insurer shared the information with Google, Facebook, Microsoft and LinkedIn.
Read more

ISO publishes series of standards for big data reference architecture
The International Organization for Standardization published its five-part ISO/IEC 20547 series of standards for big data reference architecture and framework that organizations can use to address challenges and opportunities of big data.
Read more

Council of EU takes collective redress position
The Council of the European Union announced it adopted its position on the draft directive for representative actions related to the protection of consumers’ collective interests. The directive requires member states to put in place a system of representative actions while empowering designated qualified entities to seek injunctions and redress on a variety of matters, including data protection.
Read more

New ePrivacy draft covers metadata processing, removes legitimate interest provision
The German Presidency of the Council of the European Union created a new draft of the proposed ePrivacy Regulation, Euractiv reports. The latest draft would allow for the processing of online communications metadata during “natural or man-made disasters” and for “monitoring epidemics.” The legitimate interest provision for processing general metadata that had been seen in previous drafts was not included in this iteration.
Read more

November 4

Commerce department warns against lack of EU-US data transfer clarity
Euractiv reports U.S. Department of Commerce Secretary Wilbur Ross opened up about the negative economic effects that could come to light if the EU and U.S. don’t find common ground on cross-border data transfers. Speaking on a webinar, Ross indicated the unaddressed “legal burdens and uncertainty” that remain on EU-U.S. data transfers will create “severe economic consequences.”
Read more

Proposed Russian bill seeks to expand biometric collection program
The Russian State Duma announced a bill has been introduced that aims to amend laws on biometric data. The bill calls for a reorganization and expansion of genomic registration with the federal government. Specifically, the proposal outlines a move to include biometric data belonging to convicted felons with hopes to improve the detection and investigation of crimes.
Read more

November 3

Telangana HC orders notice to govt on privacy issues on Dharani portal
A two-judge panel of the Telangana High Court comprising Chief Justice Raghavendra Singh Chauhan and Justice B. Vijaysen Reddy directed the State government not to insist upon data that violates the privacy of its citizens in connection with the Dharani portal. The panel was dealing with a public interest writ petition filed by Mora Krishna Reddy and others.
Read more

November 2

CNIL: British Airways, Marriott fines ‘reminder’ of GDPR’s role
France’s data protection authority, the Commission nationale de l’informatique et des libertés, said two record fines issued by the U.K. Information Commissioner’s Office to British Airways and Marriott are “a reminder” of the EU General Data Protection Regulation’s role in cybersecurity.
Read more

Ayottaz can help you build a robust data privacy protection system with our principles of Learn – Identify – Protect.
