The latest news and articles regarding data privacy and related topics from around the web.

Be careful what your employees are browsing
Posted on 11/06/2019 Be careful what your employees are browsing

When there is a personal data breach, the Morrisons Supermarket case has set the precedent (subject to appeal) that the employer, Morrisons, is vicariously liable for the actions of the employee.

This makes sense.

The obligations of the controller are to ensure that risks to data subjects whose personal data they process have been assessed and appropriate safeguarding measures have been put in place.  So, if an employee, for example, accesses personal data they are unauthorised to access, then the employer is liable for not putting in place adequate measures.

In the Manchester case (see "Read More" link at end of article), the employee has themselves become a controller, and taken it upon themselves to access personal data they were not entitled to access.  This breach of confidentiality under GDPR could attract a fine of up to 4% of the employee's turnover, which, assuming a salary of, say, £15,000, would equate to £600 OR up to €20,000,000, whichever is greater.  With a £300 fine, £364 costs and £30 victim surcharge, the employee appears to have got off lightly (but that was pre-GDPR, of course).

Despite this case being brought by the ICO in a Magistrates Court, the victim might also seek damages in the County Court, both against the employee and the employer (potentially for vicarious liabiliities).

So what do employers have to do to avoid the charge of vicarious liability or other such claims for damages in such a case?

In this case, Stockport Homes quotes an employee code of conduct that presumably all employees are obliged to follow as part of their employment contract.  But is that enough?  To start with, it appears that the personal data was available for the employee, and therefore the employer is liable for their failure to ensure adequate identity and access management protocols werre in place.   So, no, an employee code of conduct is not enough.

Organisations like CybSafe provide excellent training as well to ensure that employers are not subject to the 'human factor'.  This might be another measure Stockport Homes could have put in place.  The list is endless.

#StockportHomes #PersonalDataBreach #ConfidentialityBreach #ICO #fine #StockportMagistratesCourt #DataProtection #Privacy #priviness #privinews #GDPR #training #CodeOfConduct

Read More
Privacy - US journalists don't get it either
Posted on 10/06/2019 Privacy - US journalists don't get it either

The New York Times article in the "read me" is written by journalists who, like so many organisations, do not get what data protection is all about.

"Companies are free today to monitor Americans' behaviour and collect information about them from across the web and the real world to do everything from sell them cars to influence their votes to set their life insurance rates," writes the Editorial Board. "Although Americans cannot legally avail themselves of specific rights under GDPR, the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans' digital privacy rights that their own Congress."

The bit about Brussels doing more than Congress is true. The rest is wayward.

Americans absolutely can avail themselves legally of specific rights under GDPR. Professor David Carroll, a US citizen, has taken up the opportunity to do exactly that when he discovered SCL Elections were processing his personal data in the EU and he complained to the UK watch dog.

It is laughable to also suggest it is a fact that the biggest global tech companies are complying everywhere with GDPR. It is more accurate to hint that these organisations are relying on a defensible position that (a) few individuals understand the legislation well enough to know what to complain about; (b) those individuals are unlikely to know what evidence to present to make their case; and (c) the individuals will need deep pockets and resilience to fight a battle being defended by an army of lawyers using delaying tactics to keep their corporate client out of the docks.

The problem with articles like this is they spread the wrong myths.

The article goes on, "GDPR requires companies to take adequate security measures to protect data." The focus on GDPR is actually to ensure and demonstrate a high level of protection of human rights and fundamental freedoms of natural persons with regard to the processing of their personal data. A not-so-subtle and important difference: it's not about security of data, but protection of rights and freedoms.

When journalists understand the reality, perhaps the articles will improve. An otherwise good article though, dispite being riddled with flaws, that draws awareness to issues such as consent, it redeems itself a little in the final paragraph, "any regulation must evolve alongside technology to safeguard fundamental freedoms."

#NewYorkTimes #DataProtection #Congress #CaliforniaConsumerPrivacyAct #GDPR #privacy #privinews #priviness

Read More
e-Privacy: gone with the wind
Posted on 09/06/2019 e-Privacy: gone with the wind

Frankly, my dear, I don't give a damn.

One wonders if an update on the e-Privacy Regulation is warranted with the three party negotiations still a long way off between the European Parliament, Commission and the Council - the latter yet to find a common position. It's bad news that definitions around machine learning, artificial intelligence and internet-of-things are not yet agreed. Worse still is EU member states want more flexibility around data retention and wish to retain independence.

On Friday there were some more meetings and in early July there's some more still. The whole e-Privacy initiative has gone with the wind, and the gusts don't seem to be likely to settle in 2019.

The reason why e-Privacy is so important is that it deals with, for example, technologies that invade your personal life - for example, fridges and vacuum cleaners that collect personal data about you in your home, or cars that process personal data about you whilst you are driving - just like cookies share personal data about you when they are downloaded onto your device, or Apps have inherent mechanisms to track your location and transfer the personal data back to HQ. Of course, whatever is collected is then further processed: analysed, share, re-analysed, re-shared, automatically across a network of machines through countless organisations.

All our personal data - gone with the wind.

Undue delays are not appreciated.  Frankly, my dear, we do give a damn.

#e-Privacy #GDPR #EUParliament #EUCommission #EUCouncil #DataProtection #privacy #priviness #privinews #PECR

Read More
SCL ignores ICO
Posted on 08/06/2019 SCL ignores ICO

Will Professor David Carroll bring a representative action against Facebook, Cambridge and SCL Elections for the unlawful processing of their personal data?  He has already complained to the UK regulator, the Information Commissioner's Office (the ICO), who it appears have not had much luck receiving details as per their order.

As a US citizen whose personal data was being processed in the EU, he has the right to bring his case through the Courts whilst at the same time complaining to the regulator.

There seems to be plenty of evidence for concern in this article, including a former Facebook employee's quote, "things like deepfakes, the ability to create on-demand content that's completely fabricated but looks real... things like artificial intelligence which can predict user actions before those actions are actually done."  No wonder Professor Carroll and the rest of us are stressed.

The risk for the prof is quite simple. How much will it cost him? Max Schrems knows the price for taking on Facebook over the past two decades. Can the prof anticipate the outcome? Richard Lloyd, the ex-director fo Which? found it was difficult to prove damage in his case against Google.

Organisations understand this risk. This is why they continue to process personal data, purely building 'a defensible position': if it's hard to prove damage and it's hard to prove unlawful processing, we're pretty safe.

That's the challenge facing individuals or the regulators who take up their complaints.

On the other hand, the challenge for organisations is to build their defensible position. With all of the organisations that they share personal data with, for example, with cookies, this is a real challenge. And how does an organisation demonstrate they have a trustworthy brand?

THe answer is a data protection seal, a certificate that they have passed an audit... but more about this next week.

#SCL #Facebook #CambridgeAnalytica #priviness #privinews #privacy #GDPR #ProfessorDavidCarroll #ICO #DataProtection

Read More
Privacy matters, Neymar
Posted on 07/06/2019 Privacy matters, Neymar

So what did Neymar do wrong?

When it comes to privacy, the law is simple. It appears that Neymar has become a controller of the personal data relating to Najila Trindade. Seemingly this personal data breach of Ms Trindade's extensively breaches GDPR.

Allegedly there was an incident on 15 May in a Paris hotel room. GDPR scope covers both data subjects in the EU as well as controllers with a presence in the EU. The assumption is that the texts from Ms Trindade to Neymar where captured by him whilst she was in the EU. As a controller of such texts from Ms Trindade (personal data concerning her), Neymar, who plays for Paris-St.Germaine, is likely to be defined as being an EU-based controller when he stored such personal data.

So the scope of GDPR certainly covers this infringement of privacy.

What controllers must do is put in place appropriate technical and organisational measures to safeguard personal data of those individuals that they are responsible for. In this case, Neymar would need to ensure that unauthorised access and unlawful processing of Ms Trindade did not take place.

Neymar may have felt he had a legitimate purpose and legal grounds for sharing her texts - for example, to defend himself. Did he undertake a risk assessment as required by Article 35? Did he build in data protection by design? So many questions.

What was certainly a private matter has come under the auspices of GDPR. In the UK, the torte of mis-use of personal data might also apply. The damages for Ms Trindade may be extensive in a Court. If CNIL investigate, the maximum fine Neymar could receive as a controller is 4% of his annual turnover - i.e. from a salary of £200,000 per week, that works out at £400,000 fine - or €20,000,000, whichever is higher: er, it looks like €20,000,000 then.  #JustSaying

Perhaps Neymar or his management team should attend next week's Privacy Matters summit on Guernsey or Jersey.

#Neymar #GuernseyPress #JerseyEveningPost #privacy #TorteOfMisuseOfPersonalInformation #GDPR #DataProtection #privinews #priviness #fines #CNIL

Read More
Privacy matters in Jersey too
Posted on 06/06/2019 Privacy matters in Jersey too

Tim Cook, Apple's CEO, said this week, "you can imagine an environment where everyone begins to think there's no privacy, and if there's no privacy, your freedom of expression just plummets because now you're going to be thinking about that everybody's going to know every single thing that you're doing... this is not good for democracy."

I couldn't have put it better myself - Mr Cook has been briefed well vis-a-vis the meaning of 'rights and freedoms'.

Of course, he is appealing to consumers. To a certain extent his proposed technical and organisational safeguarding measures ("TOMs") will be of equal use to App providers as well as other organisations with sign-in facilities on their webpages. But just because there may great encryption, for example, this only addresses one of the many TOMs required as per Article 32 of GDPR, not to mention the other 98 Articles organisations have to comply with.

It is interesting that the word "security" is only used 23 times in all the GDPR Articles, which for those of you entirely focused on selling your 'security-wares' out there should put the priority of security in the minds of potential customers into perspective.

Where providers do rely on Apple's great new features, it is likely that Apple will become a joint controller with each of those organisations. Article 26 kicks in. It is as yet unclear what Apple's written arrangements with said organisations are going to be, and whether those written arrangements are going to be adequate and acceptable.

Articles 13 and 14, of course, require organisations to inform affected data subjects who the controller is. This ties in nicely with Article 26, which requires that the essence of the written arrangement be made available to the data subject, as well as the option for designating a single point of contact.

So much to consider from such a great intention by Apple.

Finally, what is really good is that local Press like the Jersey Evening Post are covering items like this. It all helps in raising the awareness of data protection and privacy challenges. Next week on Friday 14 June is the free-to-attend lunchtime Privacy Matters summit on Jersey for organisations that may wish to hear what their Information Commissioner has to say and ask questions about how to be compliant from the wider panel of experts - more information on the conference is available on EventBrite.

#Apple #security #DataProtection #JointController #privacy #PrivacyMattersConferenceJersey #privinews #priviness

Read More