The latest news and articles regarding data privacy and related topics from around the web.

FTC goes large on Facebook with $5bn fine
Posted on 12/07/2019 FTC goes large on Facebook with $5bn fine

Ludicrous as it sounds, but even though Facebook had a $5bn fine confirmed by the FTC, their share value went up!  Of course, they can still expect other actions against them by regulators in Europe and elsewhere, as well as Court cases and further Brand damage. With so many other new platforms appearing, it appears that Facebook cannot continue to rely on its powerful global grip it has established.

The company has recently made some efforts to market their caring position vis-a-vis privacy - the issue is that “data protection by design” requires ‘whole privacy’ thinking, so that the likes of Cambridge Analytica relationships should not be allowed to disrespect our privacy, by either Facebook or Cambridge Analytica... but Facebook’s statements appear to be more vacuous in terms of substance.

The wake up call from the world’s regulators this week has not gone unnoticed - does this mean we can rest a little more restfully?

Sadly not. More organisations are turning to machine learning and artificial intelligence. For sound legitimate and necessary reasons in a global competitive economy that is driving down costs. To stay ahead these technologies are required.

What therefore are organisations to do?

Look, data protection legislation is not designed to stop such advances. Au contraire, the object is to facilitate free flows of data, in particular personal data. With that in mind, establishments simply need to get data protection by design right, unlike Facebook and Cambridge Analytica.

Do you get it right? How would you know? How would individuals whose personal data you process know?

Easy. Check with priviness for free.

Read More
Risky business
Posted on 11/07/2019 Risky business

There has been a lot of fanfare in the Press this week regarding data protection - "and about time!" some might say.

One might feel particularly sorry for Sir Kim Darroch. Through no fault of his own, due to the lack of adequate measures to safeguard his emails that conveyed his opinions, the consequence on him is both social and financial disbenefit: we heard yesterday that he's lost his job. The fault would appear to lie at the feet of the Foreign and Commonwealth Office ("FCO"), who are obliged to self-report this personal data breach to the UK data protection watchdog, the Information Commissioner's Office ("ICO"). In order to establish if appropriate safeguarding measures had been considered in the light of potentially identified risks to Sir Kim and other FCO employees, t is likely that the ICO will request a data protection impact assessment ("DPIA") relating to the processing of emails under the control of the FCO - one hopes that such documentation is all in order.

Then there was the update from the ICO on Tuesday that the Marriott hotel chain is facing a £99 million fine relating to inadequate security measures that led to a confidentiality breach of 339 million guests' personal details, which we first heard about in November last year.

And the week started on with the staggering statement from the ICO that British Airways is in the dock for a £183 million fine for their confidentiality breach that came to light in early September last year. Interestingly, this may have been more than one episode, one of which occurring before GDPR came into force. It is not clear what the ICO have taken into account in their deliberations with BA and other EU regulators. One thing for sure, though, is that this fine is in addition to any Court actions and Brand damage that BA is likely to suffer from.

In summary, it appears that if organisations thought that the regulators were only focussing their attention on the likes of Google and Facebook, we all need to think again. The fine against BA is some 4 times the amount that CNIL fined Google - the largest yet.

Let's put some perspective around this. Organisations must self-report in the event of a personal data breach. Whereas the run-rate has on average been about 1,500 per month of such reports to the ICO, across the EU it's closer to 7,500 per month. The problem is that the regulator is starting to crack down on organisations where it is appears they have not put sufficient technical and organisational measures in place to safeguard our rights and freedoms.

The waiting game is over. It's time to be able to prove your organisation is compliant!

Read More
Be careful what your employees are browsing
Posted on 11/06/2019 Be careful what your employees are browsing

When there is a personal data breach, the Morrisons Supermarket case has set the precedent (subject to appeal) that the employer, Morrisons, is vicariously liable for the actions of the employee.

This makes sense.

The obligations of the controller are to ensure that risks to data subjects whose personal data they process have been assessed and appropriate safeguarding measures have been put in place.  So, if an employee, for example, accesses personal data they are unauthorised to access, then the employer is liable for not putting in place adequate measures.

In the Manchester case (see "Read More" link at end of article), the employee has themselves become a controller, and taken it upon themselves to access personal data they were not entitled to access.  This breach of confidentiality under GDPR could attract a fine of up to 4% of the employee's turnover, which, assuming a salary of, say, £15,000, would equate to £600 OR up to €20,000,000, whichever is greater.  With a £300 fine, £364 costs and £30 victim surcharge, the employee appears to have got off lightly (but that was pre-GDPR, of course).

Despite this case being brought by the ICO in a Magistrates Court, the victim might also seek damages in the County Court, both against the employee and the employer (potentially for vicarious liabiliities).

So what do employers have to do to avoid the charge of vicarious liability or other such claims for damages in such a case?

In this case, Stockport Homes quotes an employee code of conduct that presumably all employees are obliged to follow as part of their employment contract.  But is that enough?  To start with, it appears that the personal data was available for the employee, and therefore the employer is liable for their failure to ensure adequate identity and access management protocols werre in place.   So, no, an employee code of conduct is not enough.

Organisations like CybSafe provide excellent training as well to ensure that employers are not subject to the 'human factor'.  This might be another measure Stockport Homes could have put in place.  The list is endless.

#StockportHomes #PersonalDataBreach #ConfidentialityBreach #ICO #fine #StockportMagistratesCourt #DataProtection #Privacy #priviness #privinews #GDPR #training #CodeOfConduct

Read More
Privacy - US journalists don't get it either
Posted on 10/06/2019 Privacy - US journalists don't get it either

The New York Times article in the "read me" is written by journalists who, like so many organisations, do not get what data protection is all about.

"Companies are free today to monitor Americans' behaviour and collect information about them from across the web and the real world to do everything from sell them cars to influence their votes to set their life insurance rates," writes the Editorial Board. "Although Americans cannot legally avail themselves of specific rights under GDPR, the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans' digital privacy rights that their own Congress."

The bit about Brussels doing more than Congress is true. The rest is wayward.

Americans absolutely can avail themselves legally of specific rights under GDPR. Professor David Carroll, a US citizen, has taken up the opportunity to do exactly that when he discovered SCL Elections were processing his personal data in the EU and he complained to the UK watch dog.

It is laughable to also suggest it is a fact that the biggest global tech companies are complying everywhere with GDPR. It is more accurate to hint that these organisations are relying on a defensible position that (a) few individuals understand the legislation well enough to know what to complain about; (b) those individuals are unlikely to know what evidence to present to make their case; and (c) the individuals will need deep pockets and resilience to fight a battle being defended by an army of lawyers using delaying tactics to keep their corporate client out of the docks.

The problem with articles like this is they spread the wrong myths.

The article goes on, "GDPR requires companies to take adequate security measures to protect data." The focus on GDPR is actually to ensure and demonstrate a high level of protection of human rights and fundamental freedoms of natural persons with regard to the processing of their personal data. A not-so-subtle and important difference: it's not about security of data, but protection of rights and freedoms.

When journalists understand the reality, perhaps the articles will improve. An otherwise good article though, dispite being riddled with flaws, that draws awareness to issues such as consent, it redeems itself a little in the final paragraph, "any regulation must evolve alongside technology to safeguard fundamental freedoms."

#NewYorkTimes #DataProtection #Congress #CaliforniaConsumerPrivacyAct #GDPR #privacy #privinews #priviness

Read More
e-Privacy: gone with the wind
Posted on 09/06/2019 e-Privacy: gone with the wind

Frankly, my dear, I don't give a damn.

One wonders if an update on the e-Privacy Regulation is warranted with the three party negotiations still a long way off between the European Parliament, Commission and the Council - the latter yet to find a common position. It's bad news that definitions around machine learning, artificial intelligence and internet-of-things are not yet agreed. Worse still is EU member states want more flexibility around data retention and wish to retain independence.

On Friday there were some more meetings and in early July there's some more still. The whole e-Privacy initiative has gone with the wind, and the gusts don't seem to be likely to settle in 2019.

The reason why e-Privacy is so important is that it deals with, for example, technologies that invade your personal life - for example, fridges and vacuum cleaners that collect personal data about you in your home, or cars that process personal data about you whilst you are driving - just like cookies share personal data about you when they are downloaded onto your device, or Apps have inherent mechanisms to track your location and transfer the personal data back to HQ. Of course, whatever is collected is then further processed: analysed, share, re-analysed, re-shared, automatically across a network of machines through countless organisations.

All our personal data - gone with the wind.

Undue delays are not appreciated.  Frankly, my dear, we do give a damn.

#e-Privacy #GDPR #EUParliament #EUCommission #EUCouncil #DataProtection #privacy #priviness #privinews #PECR

Read More
SCL ignores ICO
Posted on 08/06/2019 SCL ignores ICO

Will Professor David Carroll bring a representative action against Facebook, Cambridge and SCL Elections for the unlawful processing of their personal data?  He has already complained to the UK regulator, the Information Commissioner's Office (the ICO), who it appears have not had much luck receiving details as per their order.

As a US citizen whose personal data was being processed in the EU, he has the right to bring his case through the Courts whilst at the same time complaining to the regulator.

There seems to be plenty of evidence for concern in this article, including a former Facebook employee's quote, "things like deepfakes, the ability to create on-demand content that's completely fabricated but looks real... things like artificial intelligence which can predict user actions before those actions are actually done."  No wonder Professor Carroll and the rest of us are stressed.

The risk for the prof is quite simple. How much will it cost him? Max Schrems knows the price for taking on Facebook over the past two decades. Can the prof anticipate the outcome? Richard Lloyd, the ex-director fo Which? found it was difficult to prove damage in his case against Google.

Organisations understand this risk. This is why they continue to process personal data, purely building 'a defensible position': if it's hard to prove damage and it's hard to prove unlawful processing, we're pretty safe.

That's the challenge facing individuals or the regulators who take up their complaints.

On the other hand, the challenge for organisations is to build their defensible position. With all of the organisations that they share personal data with, for example, with cookies, this is a real challenge. And how does an organisation demonstrate they have a trustworthy brand?

THe answer is a data protection seal, a certificate that they have passed an audit... but more about this next week.

#SCL #Facebook #CambridgeAnalytica #priviness #privinews #privacy #GDPR #ProfessorDavidCarroll #ICO #DataProtection

Read More