<?xml version="1.0" encoding="UTF-8"?><feed
	xmlns="http://www.w3.org/2005/Atom"
	xmlns:thr="http://purl.org/syndication/thread/1.0"
	xml:lang="en-US"
	xml:base="https://www.gdprregister.eu/wp-atom.php"
	>
	<title type="text">News &#8211; GDPR Register | Compliance tool for privacy experts</title>
	<subtitle type="text">GDPR Register ✅- Cost-effective solution for complying with the GDPR. Regulator Ready reporting available in all EU languages. Sign up for 14-day trial!</subtitle>

	<updated>2020-12-18T09:00:54Z</updated>

	<link rel="alternate" type="text/html" href="https://www.gdprregister.eu" />
	<id>https://www.gdprregister.eu/feed/atom/</id>
	<link rel="self" type="application/atom+xml" href="https://www.gdprregister.eu/news/feed/atom/" />

	<generator uri="https://wordpress.org/" version="5.2.3">WordPress</generator>
<icon>https://www.gdprregister.eu/wp-content/uploads/2018/04/favicon-96x96.png</icon>
	<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[SolarWinds hackers breach US nuclear weapons agency]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/solarwinds-nuclear-breach/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=11189</id>
		<updated>2020-12-18T09:00:54Z</updated>
		<published>2020-12-18T09:00:54Z</published>
				<summary type="html"><![CDATA[<p>Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile. The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies, [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/solarwinds-nuclear-breach/">SolarWinds hackers breach US nuclear weapons agency</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/solarwinds-nuclear-breach/"><![CDATA[<h1>Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.</h1>
<p>The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies, officials directly familiar with the matter said.</p>
<p>On Thursday, DOE and NNSA officials began coordinating notifications about the breach to their congressional oversight bodies after being briefed by Rocky Campione, the chief information officer at DOE.</p>
<p>They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE.</p>
<p>The hackers have been able to do more damage at FERC than the other agencies, and officials there have evidence of highly malicious activity, the officials said, but did not elaborate.</p>
<p>The officials said that the Cybersecurity and Infrastructure Security Agency, which has been helping to manage the federal response to the broad hacking campaign, indicated to FERC this week that CISA was overwhelmed and might not be able to allocate the necessary resources to respond. DOE will therefore be allocating extra resources to FERC to help investigate the hack, even though FERC is a semi-autonomous agency, the officials said.</p>
<p>Several top officials from CISA, including its former director Christopher Krebs, have either been pushed out by the Trump administration or resigned in recent weeks.</p>
<p>Federal investigators have been combing through networks in recent days to determine what hackers had been able to access and/or steal, and officials at DOE still don’t know whether the attackers were able to access anything, the people said, noting that the investigation is ongoing and they may not know the full extent of the damage “for weeks.”</p>
<p>Shaylyn Hynes, a DOE spokesperson, said that an ongoing investigation into the hack has found that the perpetrators did not get into critical defense systems.</p>
<p>&#8220;At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration,&#8221; Hynes said in a statement. &#8220;When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.&#8221;</p>
<p>The attack on DOE is the clearest sign yet that the hackers were able to access the networks belonging to a core part of the U.S. national security enterprise. The hackers are believed to have gained access to the federal agencies’ networks by compromising the software company SolarWinds, which sells IT management products to hundreds of government and private-sector clients.</p>
<p>Read more: <a href="https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855">Politico</a></p>
<p>Photo by Markus Spiske on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/solarwinds-nuclear-breach/">SolarWinds hackers breach US nuclear weapons agency</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/solarwinds-nuclear-breach/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/solarwinds-nuclear-breach/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[Irish Data Protection Commission to announce Twitter fine on December 17th]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/twitter-fine-ireland/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=11156</id>
		<updated>2020-12-14T10:11:37Z</updated>
		<published>2020-12-14T10:11:37Z</published>
				<summary type="html"><![CDATA[<p>Commissioner Helen Dixon will have an active week with her office’s first potential big tech fine under GDPR and a showdown against Facebook in the High Court. Ireland’s data protection regulator is set to announce this week whether Twitter will receive a hefty fine for making some users’ private tweets public. The result of its [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/twitter-fine-ireland/">Irish Data Protection Commission to announce Twitter fine on December 17th</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/twitter-fine-ireland/"><![CDATA[<h1>Commissioner Helen Dixon will have an active week with her office’s first potential big tech fine under GDPR and a showdown against Facebook in the High Court.</h1>
<p><a href="https://www.dataprotection.ie/">Ireland’s data protection regulator</a> is set to announce this week whether Twitter will receive a hefty fine for making some users’ private tweets public.</p>
<p>The result of its investigation into the data breach, which happened two years ago, is to be unveiled by Wednesday, December 17th at the latest.</p>
<p>It comes a week after Facebook said that it has put aside €302m for potential regulatory fines in Europe, arising mostly from investigations by Helen Dixon’s office.</p>
<p>Under <a href="https://www.gdprregister.eu/gdpr/gdpr-fines/">GDPR rules</a>, European data regulators can fine companies up to 4% of their annual turnover which, for large tech firms, extends to billions of euros.</p>
<p>However, experts say it is unlikely that this Twitter decision will result in a massive fine, given its nature and the company&#8217;s voluntary admission of its fault.</p>
<p>Nevertheless, if a fine is announced, it will be the first from the Irish regulator against a big tech company under European GDPR rules.</p>
<p>The Irish Commissioner, Helen Dixon, is Twitter’s lead supervisory authority in the EU. Her office circulated a draft decision to other European data protection authorities in May, but some countries weren’t happy with it. The issue was referred as a “dispute resolution procedure” to the European Data Protection Board. On November 10th, that body said it had made its own determination and that the Irish DPC had a month to finalise and announce the decision.</p>
<p>The move comes ahead of the DPC’s legal showdown against Facebook in the High Court next week. In August, the social media giant took judicial review proceedings against the regulator. Facebook is hoping to quash both an inquiry and a preliminary decision from Helen Dixon’s office on the issue of personal data transfers from the EU to the US. The preliminary decision would put a halt to Facebook’s transfers of the personal data of millions of EU users to the US.</p>
<p>Source: <a href="https://www.independent.ie/news/dpc-to-announce-twitter-fine-as-facebook-high-court-data-case-looms-39858253.html">Independent.ie</a></p>
<p>Photo by Brett Jordan on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/twitter-fine-ireland/">Irish Data Protection Commission to announce Twitter fine on December 17th</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/twitter-fine-ireland/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/twitter-fine-ireland/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[EU Commission proposes new Data Governance Act]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/eu-proposes-data-governance-act/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=11108</id>
		<updated>2020-11-30T08:18:09Z</updated>
		<published>2020-11-30T08:18:09Z</published>
				<summary type="html"><![CDATA[<p>Commission proposes measures to boost data sharing and support European data spaces To better exploit the potential of ever-growing data in a trustworthy European framework, the Commission today proposes new rules on data governance &#8211; a new Data Governance Act. The Regulation will facilitate data sharing across the EU and between sectors to create wealth for [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/eu-proposes-data-governance-act/">EU Commission proposes new Data Governance Act</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/eu-proposes-data-governance-act/"><![CDATA[<h1 class="ecl-heading ecl-heading--h1 ecl-u-color-white">Commission proposes measures to boost data sharing and support European data spaces</h1>
<p>To better exploit the potential of ever-growing data in a trustworthy European framework, the Commission today <a href="https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-european-data-governance-data-governance-act">proposes new rules on data governance</a> &#8211; a new Data Governance Act. The Regulation will facilitate data sharing across the EU and between sectors to create wealth for society, increase control and trust of both citizens and companies regarding their data, and offer an alternative European model to data handling practice of major tech platforms.</p>
<p>The amount of data generated by public bodies, businesses and citizens is constantly growing. It is expected to multiply by five between 2018 and 2025. These new rules will allow this data to be harnessed and will pave the way for sectoral European data spaces to benefit society, citizens and companies. In the Commission&#8217;s <a href="https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy">data strategy</a> of February this year, nine such data spaces have been proposed, ranging from industry to energy, and from health to the European Green Deal. They will, for example, contribute to the green transition by improving the management of energy consumption, make delivery of personalised medicine a reality, and facilitate access to public services.</p>
<p>Delivering on the announcement in the <a href="https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy">data strategy</a>, the Regulation will create the basis for a new European way of data governance that is in line with EU values and principles, such as personal data protection (GDPR), consumer protection and competition rules. It offers an alternative model to the data-handling practices of the big tech platforms, which can acquire a high degree of market power because of business models that imply control of large amounts of data. This new approach proposes a model based on the neutrality and transparency of data intermediaries, which are organisers of data sharing or pooling, to increase trust. To ensure this neutrality, the data-sharing intermediary cannot deal in the data on its own account (e.g. by selling it to another company or using it to develop its own product based on this data) and will have to comply with strict requirements.</p>
<p>The Data Governance Act includes:</p>
<ul>
<li>A number of measures to <strong>increase trust in data sharing</strong>, as the lack of trust is currently a major obstacle and results in high costs.</li>
<li>New <strong>EU rules on neutrality</strong> to allow novel data intermediaries to function as trustworthy organisers of data sharing.</li>
<li>Measures to <strong>facilitate the reuse of certain data held by the public sector</strong>. For example, the reuse of health data could advance research to find cures for rare or chronic diseases.</li>
<li>Means to <strong>give Europeans control</strong> over the use of the data they generate, by making it easier and safer for companies and individuals to voluntarily make their data available for the wider common good under clear conditions.</li>
</ul>
<p>Source: <a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2102">European Commission</a></p>
<p>Photo by Guillaume Périgois on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/eu-proposes-data-governance-act/">EU Commission proposes new Data Governance Act</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/eu-proposes-data-governance-act/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/eu-proposes-data-governance-act/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[EU consumers will soon be able to defend their rights collectively]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/eu-consumers-will-defend-rights-collectively/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=11100</id>
		<updated>2020-11-30T08:09:46Z</updated>
		<published>2020-11-30T08:01:02Z</published>
				<summary type="html"><![CDATA[<p>EU Parliament today endorsed a new law that will allow groups of consumers to join forces and launch collective action in the EU. The new rules introduce a harmonised model for representative action in all member states that guarantees consumers are well protected against mass harm, while ensuring appropriate safeguards to avoid abusive lawsuits. All [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/eu-consumers-will-defend-rights-collectively/">EU consumers will soon be able to defend their rights collectively</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/eu-consumers-will-defend-rights-collectively/"><![CDATA[<div class="ep_gridcolumn ep-m_product" data-view1200="6" data-view1020="6" data-view750="10" data-view640="6" data-view480="8" data-view320="4">
<div class="ep_gridcolumn-content">
<div class="ep-a_text ep-layout_chapo">
<h1>EU Parliament today endorsed a new law that will allow groups of consumers to join forces and launch collective action in the EU.</h1>
</div>
</div>
</div>
<div class="ep_gridcolumn ep-m_product" data-view1200="6" data-view1020="6" data-view750="10" data-view640="6" data-view480="8" data-view320="4">
<div class="ep_gridcolumn-content">
<div class="ep-a_text">
<p class="ep-wysiwig_paragraph">The new rules introduce a harmonised model for representative action in all member states that guarantees consumers are well protected against mass harm, while ensuring appropriate safeguards to avoid abusive lawsuits.</p>
<p class="ep-wysiwig_paragraph">All member states must put in place at least one effective procedural mechanism that allows qualified entities (e.g. consumer organisations or public bodies) to bring lawsuits to court for the purpose of injunction (ceasing or prohibiting) or redress (compensation). This legislation aims to improve the functioning of the internal market by stopping illegal practices and facilitating access to justice for consumers.</p>
<p class="ep-wysiwig_paragraph"><strong>More rights for consumers and safeguards for traders</strong></p>
<p class="ep-wysiwig_paragraph">The European class action model will allow only qualified entities, such as consumer organisations, to represent groups of consumers and bring lawsuits to court, instead of law firms.</p>
<p class="ep-wysiwig_paragraph">In order to bring cross-border actions to court, qualified entities will have to comply with the same criteria across the EU. They will have to prove that they have a certain degree of stability and be able to demonstrate their public activity, and that they are a non-profit organisation. For domestic actions, entities will have to fulfil the criteria set out in national laws.</p>
<p class="ep-wysiwig_paragraph">The rules also introduce strong safeguards against abusive lawsuits by using the “loser pays principle”, which ensures that the defeated party pays the costs of the proceedings of the successful party.</p>
<p class="ep-wysiwig_paragraph">To further prevent representative actions from being misused, punitive damages should be avoided. Qualified entities should also establish procedures to avoid conflict of interest and external influence, namely if they are funded by a third party.</p>
<p class="ep-wysiwig_paragraph">Collective actions can be brought against traders if they have allegedly violated EU law in a broad range of areas such as data protection, travel and tourism, financial services, energy and telecommunication.</p>
<p class="ep-wysiwig_paragraph">Finally, the directive also covers infringements that have stopped before the representative action is brought or concluded, since the practice might still need to be banned to prevent it from recurring.</p>
<p class="ep-wysiwig_paragraph"><strong>Quote</strong></p>
<p class="ep-wysiwig_paragraph">The rapporteur <a href="https://www.europarl.europa.eu/meps/en/190774/GEOFFROY_DIDIER/home" target="_blank" rel="noopener noreferrer">Geoffroy Didier (EPP, FR)</a> said: “With this new directive, we found a balance between more consumer protection and giving businesses the legal certainty that they need. At a time when Europe is being severely tested, the EU has demonstrated that it can deliver and adapt to new realities, better protect its citizens and offer them new concrete rights in response to globalisation and its excesses”.</p>
<p class="ep-wysiwig_paragraph"><strong>Next steps</strong></p>
<p class="ep-wysiwig_paragraph">The directive will enter into force 20 days following its publication in the Official Journal of the EU. Member states will then have 24 months to transpose the directive into their national laws, and an additional six months to apply it. The new rules will apply to representative actions brought on or after its date of application.</p>
<p class="ep-wysiwig_paragraph"><strong>Background</strong></p>
<p class="ep-wysiwig_paragraph">The Representative Action Directive, <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52018PC0184" target="_blank" rel="noopener noreferrer">presented in April 2018</a> by the European Commission, was <a href="https://www.europarl.europa.eu/news/en/press-room/20200619IPR81613/" target="_blank" rel="noopener noreferrer">agreed</a> by EP negotiators and EU ministers in June 2020. The bill, which is part of the <a href="https://ec.europa.eu/commission/presscorner/detail/en/IP_18_3041" target="_blank" rel="noopener noreferrer">New Deal for Consumers</a>, comes as a response to a recent series of scandals related to breaches of consumers’ rights by multinational companies. In some member states, consumers can already launch collective action in courts, but now this option will be available in all EU countries.</p>
<p>Source: <a href="https://www.europarl.europa.eu/news/en/press-room/20201120IPR92116/eu-consumers-will-soon-be-able-to-defend-their-rights-collectively">European Parliament</a></p>
<p>Photo by Frederic Köberl on Unsplash</p>
</div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/eu-consumers-will-defend-rights-collectively/">EU consumers will soon be able to defend their rights collectively</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/eu-consumers-will-defend-rights-collectively/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/eu-consumers-will-defend-rights-collectively/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[Open Rights Group is taking the ICO to court over the regulator’s failure to stop unlawful practices by the AdTech industry]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/ico-adtech-failure/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=11056</id>
		<updated>2020-11-11T11:24:09Z</updated>
		<published>2020-11-11T11:24:09Z</published>
				<summary type="html"><![CDATA[<p>In an unprecedented move, the Privacy Campaigners at the Open Rights Group (ORG) have today announced that they are taking the UK’s privacy regulator, the Information Commissioner’s Office (ICO) to court over the regulator’s failure to stop unlawful practices by the Digital Advertising Technology (AdTech) industry. A complaint was made in September 2018 by Jim [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/ico-adtech-failure/">Open Rights Group is taking the ICO to court over the regulator’s failure to stop unlawful practices by the AdTech industry</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/ico-adtech-failure/"><![CDATA[<p>In an unprecedented move, the Privacy Campaigners at the <a href="https://www.openrightsgroup.org/">Open Rights Group (ORG)</a> have today announced that they are taking the UK’s privacy regulator, the <a href="https://ico.org.uk/">Information Commissioner’s Office (ICO)</a> to court over the regulator’s failure to stop unlawful practices by the <a href="https://www.gdprregister.eu/gdpr/data-rules-for-adtech/">Digital Advertising Technology (AdTech)</a> industry.</p>
<p>A complaint was made in September 2018 by Jim Killock and Dr Michael Veale to the ICO about the systemic breaches of the GDPR by the AdTech industry, focusing on the role of the <a href="https://www.iab.com/">IAB (Interactive Advertising Bureau)</a>, a trade industry body, as the rule setter.</p>
<p>The ICO’s <a href="https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf">investigation</a>, which was concluded in June 2019, found the AdTech industry to be in breach of the GDPR, with widespread and systemic problems in industry practices such as collecting and sharing people’s browsing history without any control over who ends up accessing such personal information.</p>
<p>However, despite finding unlawful practices, the ICO decided to close the investigation in September 2020 without taking any substantive action. The ICO had also <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/05/ico-statement-on-adtech-work/">‘paused’ enforcement</a> during the first COVID lockdown.</p>
<p>The co-complainants (Jim Killock and Dr Michael Veale) are now taking the regulator to court over its refusal to take substantive action against what their own investigation concluded were very serious and extensive unlawful practices.</p>
<p><strong>Jim Killock, Executive Director of the Open Rights Group and one of the two complainants, said:</strong></p>
<p>“The AdTech industry has driven a coach and horses through the GDPR and the ICO’s own investigation has highlighted widespread systemic abuses in the AdTech industry practices. But instead of taking action against, it has decided to close the investigation. We are determined to ensure that the law is enforced even when the regulator can’t be bothered to protect our rights and liberties.”</p>
<p><strong>Dr Michael Veale, an academic at the University College London (UCL) who sits on the Advisory Council of the Open Rights Group and is a co-complainant against the AdTech industry to the ICO, said:</strong></p>
<p>“The ICO is expected to protect individuals against complex misuses of their sensitive data by entire industries acting outside the law, not just the simple, low-hanging fruit it can easily enforce against. This lawsuit is about stopping the ICO sweeping the most difficult cases under the carpet. Adtech isn’t simple — but dealing with illegal adtech is the ICO’s job.”</p>
<p><strong>Ravi Naik, Legal Director of the data rights agency AWO, who is instructed to act on behalf of the complainants, said:</strong></p>
<p>“Our clients simply want the ICO to act to prevent widespread and systemic abuses of human rights; abuses that the ICO has acknowledged occur. Rather than take steps to address those problems, the ICO have acted against our clients and closed their complaints because our clients asked them to take action. This appalling state of affairs has left our clients with little option than to take the Commissioner to the Tribunal. That the Commissioner is being taken to the Tribunal because of a refusal to act to protect our rights speaks volumes of the Commissioner’s record.</p>
<p>“Our clients seek no more than the protection of our rights. Why the Commissioner is refusing to act to protect us all is a matter they will have to justify to the Tribunal.”</p>
<p>Source: <a href="https://www.openrightsgroup.org/press-releases/privacy-organisation-open-rights-group-taking-the-privacy-regulator-ico-to-court-in-a-landmark-case/">ORG</a></p>
<p>Photo by Andre Hunter on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/ico-adtech-failure/">Open Rights Group is taking the ICO to court over the regulator’s failure to stop unlawful practices by the AdTech industry</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/ico-adtech-failure/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/ico-adtech-failure/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[Survey result: 45% of businesses faced a data breach in last 12 months]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/data-breach-2020/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=11024</id>
		<updated>2020-11-11T10:56:52Z</updated>
		<published>2020-11-11T08:03:01Z</published>
				<summary type="html"><![CDATA[<p>The data breach report is based on a survey conducted by Kaspersky and B2B International on September 30, 2020. Researchers interviewed 4,179 businesses globally, with 50 and up to 4,999 employees. Surveyed companies are from the following 5 industries: financial services, government, manufacturing, IT and telecommunications, retail and wholesale. Analysis reveals that out of the [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/data-breach-2020/">Survey result: 45% of businesses faced a data breach in last 12 months</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/data-breach-2020/"><![CDATA[<p>The data breach report is based on a survey conducted by Kaspersky and B2B International on September 30, 2020. Researchers interviewed 4,179 businesses globally with between 50 and 4,999 employees. The surveyed companies come from five industries: financial services, government, manufacturing, IT and telecommunications, and retail and wholesale.</p>
<p>Analysis reveals that out of the 4,179 businesses, 45% lost data to hackers in the past 12 months. IT and telecommunication companies saw breaches most often, with 53% of companies losing data. IT and telecommunication businesses often have customers&#8217; financial information, in addition to other sensitive data, such as private conversations, social security numbers, and addresses.</p>
<p>Next up is the retail and wholesale industry, in which 52% of businesses experienced a data breach in the last year. Such cybersecurity incidents in retail businesses can damage the brand’s reputation, which leads to losing numerous customers, especially those who are privacy-conscious.</p>
<p>Third on the list is financial services, where exactly half of the respondents stated that their business lost sensitive data to fraudsters. Breaches in the financial industry are a huge concern since an unnoticed leak allows cybercriminals to drain the victims&#8217; bank accounts.</p>
<p>Companies in the government sector are no exception, as 46% of them had a data leak in the last 12 months. Attacks on government bodies are frequently attributed to foreign states seeking political and military information.</p>
<p>Finally, manufacturing and industrial companies experienced data breaches least often, but still at a significant rate of 43%. Here the primary risk is industrial espionage: theft of proprietary data, whether by competitors or on their behalf, that erodes the competitive advantage the victim company had.</p>
<h2>Most common threats overall</h2>
<p>Strikingly, as many as 78% of surveyed businesses reported some kind of cyber threat in their systems last year. On average, a cyber incident caused $312,117 in damages.</p>
<p>After data breaches, <strong>viruses and malware</strong> are the most commonly detected threats. Over 43% of companies experienced viruses or malware in their internal network in the last 12 months.</p>
<p>Malware comes in many forms, but the overwhelming majority of it is built to make money illegally.</p>
<p>39% of companies also reported malware infections on <strong>bring-your-own devices (BYOD)</strong>. Some companies provide all the equipment needed for work, while others require employees to bring their own computers and mobile devices. Company-owned equipment usually has at least some security measures in place by the time the employee receives the device. That is not the case with BYOD equipment: unless the company enforces controls on personal devices, there is no guarantee that employees keep their software updated, which leaves unpatched vulnerabilities that attackers can exploit.</p>
<p>The fourth most common cyber threat for businesses globally is <strong>crypto-malware and <a href="https://www.gdprregister.eu/gdpr/ransomware-gdpr/">ransomware</a></strong>. Crypto-malware is a type of ransomware that encrypts a user&#8217;s files and demands a ransom. Attackers may also steal the data, delete it from the company’s systems, and demand a ransom (usually in Bitcoin) to return it. Unfortunately, companies often choose to pay the ransom to avoid damaging their public reputation, which further encourages such attacks; payment also gives no guarantee that the data is returned or that copies were not kept.</p>
<p><strong>DDoS attacks</strong> are among the best-known types of cyberattack and affected 34% of companies globally in the last 12 months. DDoS is short for Distributed Denial of Service: an attack that floods a service or website with traffic from many sources so that it becomes temporarily inaccessible to its users. Although individuals can be targeted, cybercriminals typically aim DDoS attacks at services. High-profile services such as banks and credit card payment gateways are frequent targets. Revenge, extortion, and activism are the most common motives behind these attacks.</p>
<p>Source: <a href="https://atlasvpn.com/blog/45-of-businesses-faced-a-data-breach-in-last-12-months">atlasvpn</a></p>
<p>Photo by Kevin Ku on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/data-breach-2020/">Survey result: 45% of businesses faced a data breach in last 12 months</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/data-breach-2020/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/data-breach-2020/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=10954</id>
		<updated>2020-11-05T08:44:12Z</updated>
		<published>2020-11-05T08:44:12Z</published>
				<summary type="html"><![CDATA[<p>Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility The Data Protection Commission (DPC) has handed down a €65,000 fine to Cork University Maternity Hospital (CUMH) after the personal data of 78 of its patients was discovered disposed of in a public recycling facility elsewhere in the county. The complaint was [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/">Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/"><![CDATA[<h1>Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility</h1>
<p dir="ltr">The Data Protection Commission (DPC) has handed down a €65,000 fine to Cork University Maternity Hospital (CUMH) after the personal data of 78 of its patients was discovered disposed of in a public recycling facility elsewhere in the county.</p>
<p dir="ltr">The complaint was first raised with the DPC in June 2019 after a member of the public, who had discovered the documents, brought the matter to the HSE’s attention.</p>
<p dir="ltr">The executive then reported the data breach to the DPC.</p>
<p dir="ltr">The breach, which is understood to have involved a large number of documents, infringed the hospital’s obligations under the EU’s General Data Protection Regulation (GDPR) and exposed the personal data of 78 people, including the special category personal data of six of them.</p>
<p dir="ltr">Special category data under GDPR is the information of a particularly sensitive nature, the exposure of which could be expected to significantly impact the rights and freedoms of data subjects or could be potentially used against them in a discriminatory fashion.</p>
<p dir="ltr">It includes information regarding individuals’ race or ethnicity, religious beliefs, political opinions, biometric (identifiable) data, sexual orientation, and health data.</p>
<p dir="ltr">The breach at CUMH is believed to have comprised sensitive health data of patients, including medical histories and future planned programmes of care.</p>
<p dir="ltr">In its decision, handed down on August 18, the DPC said that the HSE had infringed Articles 5 and 32 of the GDPR (the integrity and confidentiality principle in Article 5(1)(f) and the security of processing obligation in Article 32) by failing to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data”.</p>
<p dir="ltr">It is unknown whether or not any individual or individuals were held accountable for the breach, or how the documents came to be disposed of in the manner in which they were.</p>
<p dir="ltr">Regardless of what individual disposed of the documents, the hospital, as data controller, would have been deemed responsible.</p>
<p dir="ltr">The DPC said it had applied an administrative fine of €65,000 on the HSE for its infringements. The ruling has not been appealed.</p>
<p dir="ltr">“Cork University Maternity Hospital accepts the findings of the report of the Data Protection Commission in full and are working to implement all recommendations in the report,” said a spokesperson for the hospital.</p>
<p dir="ltr">They said that all patients affected by the breach had been notified of it.</p>
<p dir="ltr">“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred and preventative measures are put in place to reduce the risk of such breaches happening again,” they said.</p>
<p dir="ltr">“This is in addition to a comprehensive training and development programme for staff in GDPR as well as a range of policies and procedures designed to protect personal data.”</p>
<p dir="ltr">The DPC also ordered the HSE to bring its systems for <a href="https://www.gdprregister.eu/gdpr/processing-activities-records/">processing</a> and disposing of patients’ information “into compliance” with GDPR standards and issued the executive with a formal reprimand on the same matter.</p>
<p dir="ltr">The decision is just the fifth fine handed down by the DPC since GDPR came into force in May 2018. The other four were delivered to child and family agency Tusla.</p>
<p>Source: <a href="https://www.irishexaminer.com/news/arid-40075673.html">Irish Examiner</a></p>
<p>Photo by Steve Johnson on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/">Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[Irish DPC to cover € 2.9M of legal bill of EU-US data transfer case]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/dpc-to-cover-legal-bill-of-schrems-case/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=10934</id>
		<updated>2020-11-02T12:40:29Z</updated>
		<published>2020-11-02T12:39:13Z</published>
				<summary type="html"><![CDATA[<p>DPC ordered to pick up most of the legal bill of EU-US data transfer case Today, the Irish High Court has ordered the DPC to cover the costs of Mr Schrems’ legal team in relation to this summer’s decision on EU-US data transfers before the Court of Justice of the European Union (CJEU). The DPC [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/dpc-to-cover-legal-bill-of-schrems-case/">Irish DPC to cover € 2.9M of legal bill of EU-US data transfer case</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/dpc-to-cover-legal-bill-of-schrems-case/"><![CDATA[<h2><strong><span lang="EN-US" xml:lang="EN-US">DPC ordered to pick up most of the legal bill of EU-US data transfer case</span></strong></h2>
<p><strong>Today, the Irish High Court has ordered the <a href="https://www.dataprotection.ie/">DPC</a> to cover the costs of Mr Schrems’ legal team in relation to this summer’s decision on EU-US data transfers before the Court of Justice of the European Union (CJEU). The DPC is not entitled to recover its own costs from Facebook, except for three court days, whose costs Facebook will have to bear.</strong></p>
<ul>
<li><a href="https://noyb.eu/sites/default/files/2020-10/DPC%20v.%20Facebook%20%26%20Maximillian%20Irl.%20Ltd.%20approved%2028.10.2020.pdf"><strong>Judgment as delivered</strong></a></li>
</ul>
<p><strong>Background.</strong> Mr Schrems filed a complaint against Facebook in 2013 in the wake of the disclosures by Edward Snowden on Facebook’s cooperation with the US Security Agencies, like the NSA.</p>
<p>After a first trip to the CJEU in 2015 on the “Safe Harbor” Decision, the Irish DPC filed another lawsuit against Mr Schrems and Facebook to “clarify” the interpretation of EU law.</p>
<p><strong>5 years, 6 weeks, 45.000 pages.</strong> The second case ran for more than five years before three courts in Ireland and on EU level. Up to 25 solicitors and barristers attended the hearings before the Irish High Court. More than 45.000 pages of documents were submitted by Facebook and more than six weeks of hearings were necessary to deal with the different arguments. In particular, Facebook took every option to expand and delay the procedure.</p>
<p>Mr Schrems ultimately succeeded with his arguments against the Irish Data Protection Commission (DPC) and Facebook before the CJEU. He is now entitled to at least have his legal costs from the plaintiff (the DPC) covered under the “loser pays” principle.</p>
<p>Max Schrems: “<em>I filed a short complaint and suddenly I was named as defendant in an extremely complicated case that was to a large part not necessary in my view. Our arguments ultimately succeeded at the European level. The DPC now has to pick up the legal bill for this case, other than three days that Facebook needs to pay</em>.”</p>
<p><strong>Costs Decision.</strong> The court decided today that the DPC has to cover all of Mr Schrems’ costs, but that Facebook has to cover the DPC&#8217;s and Mr Schrems’ costs for three days of the hearings, during which Facebook unsuccessfully tried to amend the High Court’s judgment. Today’s decision is a decision in principle; the exact amounts of legal costs will be determined at a later stage. No damages or other payments were sought by Mr Schrems. The recovery he sought is purely to cover the costs of his legal representation and necessary expenses.</p>
<p>About € 2.9 Mio have already gone to the DPC’s own lawyers in the EU-US data transfer litigation (<a href="https://www.rte.ie/news/business/2020/0526/1142756-dpc-legal-bill-for-schrems-case-tops-2-9m/">Link</a>). These costs will ultimately have to be covered by the Irish taxpayer, as the DPC was unsuccessful in the case and in the attempt to recover these costs from Facebook, other than three days of the more than six weeks of hearings. The <a href="https://www.gdprregister.eu/news/irish-data-protection-commission-budget-2021/">DPC’s 2021 budget was increased to €19.1 Mio</a>, tenfold within seven years. Nevertheless, the DPC’s lawyer bill for this case alone amounts to 15% of the DPC’s budget for 2021.</p>
<p>Max Schrems: “<em>I worked countless unpaid hours on this case. The costs that we now seek are the external costs for the necessary legal representation by solicitors and barristers in Ireland that had to deal with five years of court hearings and more than 45.000 pages of documents. Instead of making a decision already in 2015 the DPC has invested Millions into a case that has delayed the procedure for five years and that they have ultimately lost. The Irish taxpayer now has to pick up parts of the bill for this exercise.</em>”</p>
<p><strong>No decision by DPC after 7 years and 5 judgments.</strong> The second reference to the CJEU has apparently not brought the necessary “clarity” required by the DPC. Despite the enormous costs: The data protection watchdog has refused to determine Mr Schrems’ complaint, despite the CJEU judgment.</p>
<p>Instead of making a final determination after seven years, the DPC decided to start a second inquiry into Facebook. Facebook immediately obtained a Court Order restraining the DPC from proceeding with a new inquiry until the Court determines its legality. Mr Schrems, in turn, filed legal actions to finally get his case decided. The three parties will therefore see each other again in December and January to have the Court decide on the next steps.</p>
<p>Max Schrems: “<em>Kafka could not have made this procedure up. Five Courts have dealt with this complaint for over seven years. We have won at every stage, but the DPC had still not decided on a complaint from 2013. It is either total mismanagement of the procedures or simply unwillingness to do their job – either way the situation is highly problematic</em>.”</p>
<p>Source: <a href="https://noyb.eu/en/dpc-ordered-pick-most-legal-bill-eu-us-data-transfer-case">noyb</a></p>
<p>Photo by Robert Anasch on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/dpc-to-cover-legal-bill-of-schrems-case/">Irish DPC to cover € 2.9M of legal bill of EU-US data transfer case</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/dpc-to-cover-legal-bill-of-schrems-case/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/dpc-to-cover-legal-bill-of-schrems-case/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/ico-fine-marriot/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=10926</id>
		<updated>2020-11-02T09:24:33Z</updated>
		<published>2020-11-02T09:24:33Z</published>
				<summary type="html"><![CDATA[<p>The ICO has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure. Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/ico-fine-marriot/">ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/ico-fine-marriot/"><![CDATA[<h1>The ICO has <a title="Marriott International Inc" href="https://ico.org.uk/action-weve-taken/enforcement/marriott-international-inc/" data-id="44220">fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure</a>.</h1>
<p>Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.</p>
<p>The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.</p>
<p>The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.</p>
<p>The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).</p>
<p>Information Commissioner, Elizabeth Denham, said:</p>
<blockquote><p>“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.</p>
<p>“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”</p></blockquote>
<p>The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.</p>
<p>Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other <a href="https://www.gdprregister.eu/gdpr/dpa-gdpr/">EU DPAs</a> through the GDPR’s cooperation process.</p>
<p>In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.</p>
<h3>Details of the cyber attack</h3>
<p>In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system, giving them the ability to access and edit the contents of that device remotely.</p>
<p>This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.</p>
<p>Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.</p>
<p>The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.</p>
<p>Source: ICO</p>
<p>Photo by ActionVance on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/ico-fine-marriot/">ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/ico-fine-marriot/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/ico-fine-marriot/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
		<entry>
		<author>
			<name>Aleksander Uibo</name>
					</author>
		<title type="html"><![CDATA[Wizz Air: €1 for a flight, €35 for your GDPR right]]></title>
		<link rel="alternate" type="text/html" href="https://www.gdprregister.eu/news/wizz-air-failed-to-provide-right-to-rectification/" />
		<id>https://www.gdprregister.eu/?post_type=news&#038;p=10913</id>
		<updated>2020-10-26T09:52:32Z</updated>
		<published>2020-10-26T09:52:32Z</published>
				<summary type="html"><![CDATA[<p>Despite the free right to rectification under the GDPR, the airline charged € 35 in phone charges to update a surname. Updating name allegedly only possible in case of marriage. After changing her surname and consequently her email address, an Austrian passenger of Wizz Air needed to update her data stored with the company using [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/wizz-air-failed-to-provide-right-to-rectification/">Wizz Air: €1 for a flight, €35 for your GDPR right</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></summary>
				<content type="html" xml:base="https://www.gdprregister.eu/news/wizz-air-failed-to-provide-right-to-rectification/"><![CDATA[<h1><strong><span lang="EN-GB" xml:lang="EN-GB">Despite the free right to rectification under the GDPR, the airline charged € 35 in phone charges to update a surname.</span></strong></h1>
<h2><strong>Updating name allegedly only possible in case of marriage</strong>.</h2>
<p><span lang="EN-GB" xml:lang="EN-GB">After changing her surname and consequently her email address, an Austrian passenger of Wizz Air needed to update her data stored with the company using her right to rectification provided by GDPR. As the passenger couldn’t do this herself, she filed a “rectification request” for her surname and email address with Wizz Air’s Data Protection Officer (DPO).</span></p>
<p><span lang="EN-GB" xml:lang="EN-GB">Three months later, the data subject still had not received any response. She submitted a new request to change her surname using the company’s contact form. Customer Service told her that she could not change her surname online except in case of marriage. In her case, she would need to call the Wizz Air Call Center, which costs more than 1 Euro per minute.</span></p>
<h2><strong><span lang="EN-GB" xml:lang="EN-GB">35,67 Euros later – a partial success. </span></strong></h2>
<p><span lang="EN-GB" xml:lang="EN-GB">Only after about 32 minutes on the phone did Wizz Air change the passenger&#8217;s surname; </span>her email address, however, was still not updated. Even minor inaccuracies in stored data often have real-life consequences: the notification of a cancelled flight was sent to the passenger’s former email address, so she only learned of the cancellation by coincidence at the last minute.</p>
<p>&#8220;<em>Wizz Air requires passengers to</em> <em>keep their account data accurate. By law, updating your data must be free, so low costs airlines can’t make compliance with the GDPR another one of their hidden fees.” – </em>Ala Krinickytė, data protection lawyer at <a href="https://noyb.eu/"><em>noyb</em></a></p>
<p>The GDPR gives customers the right to have inaccurate information corrected (the right to rectification, Article 16 GDPR), and the controller must act on such a request free of charge (Article 12(5) GDPR). By forcing customers to call its expensive hotline for changes, Wizz Air fails to let customers exercise this right. The passenger’s case is not an isolated one: other Wizz Air customers have complained about similar issues (for example <a href="https://twitter.com/wizzair/status/1013792025022431232?lang=en">here</a>).</p>
<p><em>&#8220;The GDPR states <a href="https://www.gdprregister.eu/gdpr/gdpr-basics-controller-vs-processor/">controllers</a> should take ‘every reasonable step’ to ensure that data is accurate. In this case, it feels like Wizz Air failed to take any steps at all. The request for rectification is probably the least contentious data protection request a data subject can submit to the controller. Especially with airlines, it is of great importance that their passenger lists match the passports. They make things more complicated and costly than necessary.&#8221;</em> – Ala Krinickytė, data protection lawyer at <em>noyb</em></p>
<h2><strong>Complaint filed, with a potential fine of up to €97 million</strong>.</h2>
<p>Due to the fact that Wizz Air has shown a systematic failure to deal with the right to correct personal data without undue delay and free of charge, <em>noyb</em> has filed a complaint with the Austrian <a href="https://www.gdprregister.eu/gdpr/dpa-gdpr/">data protection authority</a>.</p>
<p><em>&#8220;According to Forbes, Wizz Air is now ‘</em><a href="https://www.forbes.com/sites/cathybuyck/2020/04/15/corona-pandemic-propels-hungarys-wizz-air-to-europes-largest-airline-oag-data-reveals/"><em>Europe’s largest airline</em></a><em>’, which makes it all the more important for them to adjust their practices and ensure their customers’ GDPR rights. Given that this is a larger problem at Wizz Air, the data protection authority should impose an effective and dissuasive fine. Companies need to understand that they can’t simply ignore their passengers’ data protection rights.&#8221;</em> &#8211; Ala Krinickytė, data protection lawyer at <em>noyb</em></p>
<p>Original article: <a href="https://noyb.eu/en/wizz-air-eu1-flight-eu35-your-gdpr-right">NOYB</a></p>
<p>Photo by Markus Winkler on Unsplash.</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/wizz-air-failed-to-provide-right-to-rectification/">Wizz Air: €1 for a flight, €35 for your GDPR right</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content>
						<link rel="replies" type="text/html" href="https://www.gdprregister.eu/news/wizz-air-failed-to-provide-right-to-rectification/#comments" thr:count="0"/>
		<link rel="replies" type="application/atom+xml" href="https://www.gdprregister.eu/news/wizz-air-failed-to-provide-right-to-rectification/feed/atom/" thr:count="0"/>
		<thr:total>0</thr:total>
			</entry>
	</feed>
