Top news from the world of data privacy this month that you do not want to miss.
Plan to document babies’ biometrics raises privacy concerns in South Africa
Digital rights groups are concerned a new registration system under which detailed biometrics of every baby born in South Africa would be captured could result in data leaks and identity theft, Thomson Reuters Foundation reports. Children would receive a digital number, and data would be linked to their parents’ identity numbers. ID4Africa Executive Chairman Joseph Atick said the “threat to privacy is real. That is why we promote the development of data protection and privacy laws and frameworks before embracing digital identity.”
British Airways begins talks on potential breach settlement
Infosecurity Magazine reports British Airways is prepared for negotiations on a data breach settlement over its 2018 data breach affecting more than 400,000 customers. Your Lawyers, the representing firm in the class suit, said the airline would like to begin talks on a deal during the first quarter of 2021. BA said it is “vigorously defending the litigation. … and do not recognize the damages figures that Your Lawyers has put forward, and they have not appeared in the claims.” Talks follow a 20 million GBP fine to the airline from the U.K. Information Commissioner’s Office in October 2020.
CMA to investigate impact of Google’s Privacy Sandbox
The U.K. Competition and Markets Authority announced it will investigate Google’s Privacy Sandbox privacy changes. The CMA seeks to assess how the changes, which will disable third-party cookies in the Chrome browser and replace them with new tools for targeted advertising, will impact the advertising ecosystem. The CMA has engaged with the technology company to better understand the Privacy Sandbox proposals and will work with the U.K. Information Commissioner’s Office on the probe.
Saskatchewan health system hit with ransomware attack
The Office of the Saskatchewan Information and Privacy Commissioner announced eHealth Saskatchewan, the Saskatchewan Health Authority and the Ministry of Health endured a ransomware attack involving systems holding about 50 million files. The IPC reported scans of the affected databases show approximately 5.5 million files may have contained personal information. In addition to finding the three entities had insufficient data safeguards, the IPC alleges they did not report the breach in a timely manner or properly respond to early threats.
Installation of surveillance cameras in Kabul raises privacy concerns
Human rights groups are raising privacy concerns as surveillance cameras are planned to be installed around Kabul, Afghanistan, Reuters reports. An Interior Ministry spokesman said the cameras are being installed to “curb criminal and terrorist activities.” Peace and Human Rights Organization’s Mohammad Nizam said, “Under current circumstances, honestly, it would be quite difficult for the masses to have full faith and trust that their privacy would not be harmed with the installation of these security cameras.”
WhatsApp to share user data with Facebook
South Korea issues final draft PIPA amendments
South Korea’s Personal Information Protection Committee released the final draft of amendments to the Personal Information Protection Act 2011 for public consultation. The amendments include added requirements for data transfers outside South Korea, data portability rights, provisions on data protection related to surveillance and more. The consultation period will close Feb. 16.
NIST addressing COVID-19 effects on facial recognition
The U.S. National Institute of Standards and Technology is working to amend its guidance on facial recognition algorithms based on factors related to COVID-19, Federal News Network reports. NIST Computer Scientist Patrick Grother said “two or three different bits of work” have begun to address questions or issues raised by the pandemic, including how to approach scans of individuals wearing face masks. Grother also mentioned a focus on the accuracy of algorithms.
Financial regulators propose breach notification requirement
The U.S. Federal Deposit Insurance Corporation, Department of the Treasury, and Federal Reserve System issued a notice of proposed rulemaking Dec. 18 for a 36-hour data breach reporting requirement. The rule aims to help agencies receive “an early warning of significant computer security incidents” from banking organizations, which will receive immediate incident notifications from service providers under the new rules. The deadline for public comments on the proposal is March 18.
Hong Kong launches digital identity program
Hong Kong’s government announced Dec. 29 its personalized digital services platform is now available for use. The iAM Smart mobile application invokes a digital identity program that aids and expedites user authentication, form filling, personalized notifications and digital signing required for more than 20 online services initially before potentially extending to 110 services by the middle of 2021. The government’s advisory includes brief notes on the system’s data privacy and security practices.
Trump signs executive order banning eight Chinese-based transaction apps
U.S. President Donald Trump signed an executive order banning transactions with eight Chinese-based applications, The Wall Street Journal reports. Trump claims the apps have the ability to access users’ private information. The order goes into effect in 45 days.
Portuguese presidency publishes new ePrivacy draft
The Portuguese Presidency of the Council of the European Union published the latest draft of the proposed ePrivacy Regulation, according to Covington’s “Inside Privacy” blog. It is the first draft put forth by the Portuguese presidency and the 14th overall. The new draft proposes to “simplify the text and to further align it with the (EU General Data Protection Regulation)” and widen the territorial scope of ePrivacy for it to apply to data processing by a controller not established in the European Economic Area.
NY lawmakers introduce biometric privacy law
A group of New York lawmakers introduced the Biometric Privacy Act. The proposed bill would require private entities in possession of biometric information to develop written policies outlining data retention and deletion schedules, as well as obtain consent before sharing any data. The bill would also prohibit organizations from selling, leasing, trading and profiting from biometric data they hold.
Google plans to comply with Apple’s Privacy Labels policy in upcoming days
TechCrunch reports Google plans to comply with Apple’s Store Privacy Labels policy in the upcoming days. A Google spokesperson said the company has developed a strategy to add the labels across its App Store in short order, although an exact date was not made public. Meanwhile, the Financial Times reports application developers are looking for ways to sidestep Apple’s rules on tracking users for targeted advertisements.
Mail-order pharmacy notifies 130K patients of data breach
More than 130,000 GenRx Pharmacy patients have been notified of a data breach in which ransomware was installed on the Arizona-based organization’s system, The Daily Swig reports. The mail-order pharmacy said it identified the threat in September 2020, finding hackers removed a “small number of files,” some including patients’ names, addresses, phone numbers, birthdates, allergies and medication lists, and health plan and prescription information. The company said less than 5% of customers are potentially impacted.
Illinois law boosts student data protections
An update to Illinois’ Student Online Personal Protection Act will enable parents to review and correct their child’s data that is held by schools or affiliated online services and request its removal in some instances, WSIU Public Broadcasting reports. Under the act, school districts will annually publish affiliated companies, the student data disclosed to them and why, and must meet timeline requirements for notifying parents of a data breach. The law takes effect this year.
Data protection concerns raised with Somalia’s digitization
The Guardian reports a rapid increase in the utilization of digital technologies is causing privacy concerns in Somalia. Nonprofit organizations fear the personal information of Somalians is at risk of being exposed, specifically with online payments, due to a lack of data protection. Organizations are allegedly skipping the collection of informed consent, as well. Digital Shelter Director Abdifatah Hassan said instances of data loss are “extremely dangerous” for affected Somalians, noting it is “a matter of life and death” in some cases.
Twitter, Square CEO Jack Dorsey criticizes data collection in draft cryptocurrency law
Twitter and Square CEO Jack Dorsey has come out against proposed U.S. cryptocurrency regulation and its data collection requirement, The Verge reports. The regulation, introduced by the Financial Crimes Enforcement Network, asks financial institutions to obtain the personal information of parties involved in cryptocurrency transactions. In comments submitted to FinCEN, Dorsey said the regulation would cause “unnecessary friction” while requiring Square to “collect unreliable data about people who have not opted into our service or signed up as our customers.”
Brookings dives into tactics used for employee surveillance
The Brookings Institution highlights the prevalence of employee surveillance, particularly as the world has become more digital due to the COVID-19 pandemic. Brookings Governance Studies Vice President and Director Darrell West looks at the different methods employers use to track their staff, from keylogging software and video surveillance to email and social media monitoring. West also shares methods organizations can put in place to protect employee privacy, such as implementing clearer rules on internal data sharing and notifying staff of monitoring practices.
Singapore government: Law enforcement can access contact-tracing data
Local law enforcement has the ability to access Singapore’s contact-tracing data to assist with criminal investigations, ZDNet reports. Minister of State for Home Affairs Desmond Tan said law enforcement can invoke the Criminal Procedure Code to obtain data from the TraceTogether contact-tracing application, which has been used by more than 4.2 million citizens. TraceTogether has updated its privacy notice to reflect this proclamation.
Drone company says ID rule has ‘unintended negative privacy impacts’
Wing, Alphabet’s drone delivery unit, said U.S. Federal Aviation Administration rules mandating broadcast-based remote identification of drones “will have unintended negative privacy impacts for businesses and consumers,” Reuters reports. The rules require drones to broadcast remote ID messages via radio frequency broadcast, which Wing said enables an observer tracking a drone to “infer sensitive information about specific users, including where they visit, spend time, and live and where customers receive packages from and when.”
Austrian court sides with Facebook in explicit consent case
The Higher Regional Court of Vienna in Austria ruled Facebook can lawfully use personal data without obtaining explicit consent from users, Telecompaper reports. The court said Facebook is permitted to process user data based on its user contracts, a practice that abides by Article 6 of the EU General Data Protection Regulation. However, the court will allow an appeal to the Austrian Supreme Court on the grounds that Facebook uses its terms and services agreement as a contract.
Privacy pros expect GDPR enforcement hurdles to continue
BankInfoSecurity reports EU-based privacy professionals don’t expect outstanding issues with EU General Data Protection Regulation enforcement to clear up in the foreseeable future. IAPP Country Leader for Italy Rocco Panetta, CIPP/E, said it could take at least two more years for data protection authorities to harmonize GDPR approaches since the law provides “a range of values without imposing any standardization.”