Your roundup of what’s been happening in the Global Data Protection & Privacy Industry over the past four weeks.
EU Data Protection News
Ireland’s Data Protection Commissioner asked to halt EU-US data transfers
Max Schrems, the Austrian lawyer behind the massive legal case involving Facebook, the US Government, the European Court of Justice and the Irish Data Commissioner, has asked the High Court in Dublin to put a hold on transfers of data that originates in the European Union and makes its way to the US.
The case has far-reaching consequences on both sides of the Atlantic and brings into focus the capability of the existing EU-US Privacy Shield agreement to protect the rights of hundreds of millions of EU citizens when their personal data is transferred to US jurisdictions.
Facebook says Irish challenge to U.S. data transfers ‘deeply flawed’
Facebook said on Thursday a legal challenge against the way it transfers EU user data to the United States was “deeply flawed” and should not be referred to the EU’s top court because ample privacy protections were already in place.
The challenge by the Irish data regulator is the latest to question whether methods used by large tech firms such as Google and Apple to transfer data give EU consumers sufficient protection from U.S. surveillance.
German parents told to destroy doll that can spy on children
German watchdog classifies My Friend Cayla doll as ‘illegal espionage apparatus’ and says shops and owners could face fines. The watchdog has ordered parents to destroy or disable a “smart doll” because the toy can be used to illegally spy on children.
The My Friend Cayla doll, which is manufactured by the US company Genesis Toys and distributed in Europe by Guildford-based Vivid Toy Group, allows children to access the internet via speech recognition software, and to control the toy via an app.
Credit broker sends more than five million unlawful text messages, fined £120,000
Credit broker Digitonomy Ltd has been fined £120,000 by the Information Commissioner’s Office (ICO) for being responsible for millions of marketing texts sent without proper consent.
Between April 2015 and February 2016 there were 1,464 complaints about the spam messages which encouraged people to apply for loans and directed them to company websites.
Polish DPA Releases Data Privacy Inspection Plans
The Polish Data Protection Authority (GIODO) has just released its inspection plans for 2017.
This year, the GIODO has decided to target its review of compliance with data protection laws on the health services and consumer sectors, with particular attention to certain profiling activities taking place in stores and shopping malls.
Ireland’s Health Service Executive refuses to explain why ‘clerical error’ wasn’t reported as data breach
The HSE will not explain why the “clerical error” at the centre of the false Tusla sex abuse claims against whistleblower Maurice McCabe failed to be registered as a data protection breach.
A HSE spokesperson refused to comment, despite saying last weekend the “administrative error” was referred to its data protection section when uncovered — meaning it should have automatically been identified as a data protection breach.
Cloud industry body sets up new data protection code
A number of cloud infrastructure providers operating in Europe have signed up to a new data protection code of conduct.
The code, established by Cloud Infrastructure Services Providers in Europe (CISPE), places restrictions on the processing of personal data that cloud customers store with providers, defines responsibilities for data security, and requires providers to offer customers the option to process and store personal data entirely within the European Economic Area (EEA). It also, among other things, details protocols for handling requests for data from government authorities and law enforcement agencies, as well as for the notification of data breaches.
Data Breach News
Yahoo data breaches net Verizon $250m discount
Verizon Communications Inc. is close to a renegotiated deal for Yahoo! Inc.’s internet properties that would reduce the price of the $4.8 billion agreement by about $250 million after the revelation of security breaches at the web company.
Yahoo said in December that cyberthieves in 2013 siphoned information including users’ e-mail addresses, scrambled account passwords and dates of birth. The stolen data may allow criminals to go after more sensitive personal information elsewhere online. The announcement followed news in September of a 2014 breach that affected at least 500 million customer accounts.
Australia passes data breach legislation
The Australian senate has given the go-ahead on a bill that requires companies to report security breaches, while the New Zealand equivalent remains in beta.
The Australian law will come into effect some time in the next 12 months, requiring breaches that cause “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm” to be reported to Australia’s Privacy Commissioner within 30 days of the breach.
Fast Food Chain Arby’s hit with Data Breach
Hackers have stolen customer credit card information from an unknown number of Arby’s restaurants, according to a report on Thursday.
The fast food chain discovered in mid-January that it suffered a data breach that affected a number of Arby’s corporate restaurants.
The data breach only affected some of Arby’s roughly 1,000 corporate restaurants, and none of its franchise restaurants operated by third parties, the report said. Over 350,000 credit and debit card accounts may have been impacted by the hack, according to the credit union service PSCU. Krebs’s report said PSCU contacted various banks after it noticed a breach that affected a “large fast food restaurant chain.”
Non-EU Data Protection News
Changes announced to Japanese Data Protection Law
The data protection regime in Japan is likely to change shortly as a number of provisions to the Act on Protection of Personal Information (APPI) will come into force on 30 May 2017.
International businesses will note changes to data transfer restrictions, the definition of personal data itself, exemption limits, etc. once the provisions take effect in May 2017.
Russia Ups Fines for Data Protection Violations
New fines adopted by Russian authorities for violations of personal data protection requirements could mean less protection for businesses, privacy professionals told Bloomberg BNA.
President Vladimir Putin signed into law Federal Law No. 13-FZ to amend Article 13.11 of the Code of Administrative Offenses and set forth new financial penalties for failure by businesses and individuals to comply with data protection requirements, the presidential press-service said in a statement. The law, adopted Jan. 27 by the lower house of Parliament and Feb. 1 by the upper house, takes effect July 1, 2017.