GDPR

Vestager from DPC: Regulators’ enforcement powers key for GDPR

Taking the keynote stage at the IAPP Data Protection Congress in Brussels, Belgium, Thursday morning, European Commission Executive Vice President-Designate Margrethe Vestager challenged the many privacy professionals in the room to work together in deciding the kind of world we want to live in and promised to contribute to that under the next European Commission. Vestager touched upon the lack of control individuals have over their data and why that makes her job so important. Vestager also called upon data protection authorities to have the proper power to enforce privacy rules such as the EU General Data Protection Regulation. IAPP Editor Angelique Carson, CIPP/US, was there and has the details in this piece for The Privacy Advisor.
Full Story

Takeaways from the Polish DPA’s decision on personal data processing

On Sept. 10, Poland’s data protection authority, the Personal Data Protection Office, issued its highest fine of 660,000 euros to retail company Morele.net for infringing on the principle of integrity and confidentiality, Article 5(1)(f), and the rules on security of processing, Article 32(1)(b)(d) and (2), of the EU General Data Protection Regulation.

Key takeaways from this decision relate to the UODO’s interpretation of “the state of the art,” which, under the GDPR, needs to be considered when implementing technical and organizational measures appropriate to the risk of processing.

Background

In 2018, Morele suffered a data breach that affected approximately 2.2 million clients. Data accessed included client names, phone numbers, email and delivery addresses. A subset of 35,000 users also had loan applications exposed. Morele only learned of the breach after some of its clients reported phishing SMSes that were allegedly sent by Morele.net and contained a link to a fake payment gateway. Hackers blackmailed the company for ransom and, when Morele refused, the stolen personal data was sold online. In response to the breach, the company eliminated technical vulnerabilities, helped the affected data subjects and cooperated fully with the UODO and the police.

The UODO acknowledged satisfactory post-breach cooperation but found the infringement of the GDPR’s principle of integrity and confidentiality and the rules on security of processing contributed to the data breach, all of which posed a high risk to the rights and freedoms of Morele’s clients.

How to interpret ‘the state of the art’

The UODO recognized the GDPR does not require technical and organizational measures to eliminate processing risks (which would be impossible), but it does require those measures to be appropriate to the risks, taking into account the “state of the art” and the cost of implementation.

The GDPR demands security of personal data processing is brought up to the “state of the art” level but does not specify in any detail what that requires. In this decision, the UODO provides some assistance in determining the meaning of the “state of the art” within the GDPR. It states that, in constantly changing market conditions, controllers and processors should treat the ISO standards as a reliable benchmark for IT security (including those ISO standards that have not been published in Polish). Further elements of the framework, which should be consulted when determining the current “state of the art,” include recommendations and guidelines from organizations specializing in information security, with the European Union Agency for Cybersecurity, National Institute of Standards and Technology, and Open Web Application Security Project referred to as examples.

Authentication and access control

The UODO stressed that appropriate authentication and access control are essential security measures, as indicated in the standard PN-EN ISO/IEC 27001:2017-06. In determining the “state of the art” in that respect, the UODO referred to ENISA’s “Guidelines for SMEs on the security of personal data processing” and OWASP’s “Top 10 Application Security Risks – 2017,” which strongly recommend two-factor authentication for accessing systems that process personal data.

In Morele’s case, two-factor authentication was introduced only as part of the breach response. The UODO saw it as a failure to provide appropriate technical safeguards in Morele’s IT systems that contributed to the successful hacking attack.

Appropriate monitoring

The UODO reinforced the point that, to satisfy the requirements of Article 32 of the GDPR, the access control mechanism should always be chosen following a thorough risk assessment, and its ongoing appropriateness should be regularly tested and evaluated (as also recommended in ISO/IEC 29115:2017/07, NIST 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management,” and OWASP “Top 10 Application Security Risks – 2017”).

In the UODO’s opinion, Morele fulfilled that requirement only partially: it monitored the measures implemented to protect against known vulnerabilities but failed to assess whether, overall, the implemented technical measures were appropriate to the risks posed by the processing. The UODO noted that the company was processing personal data on a large scale that involved a high level of risk to the rights and freedoms of data subjects and meant that the level of monitoring had to be increased to the level appropriate to such risks. The UODO found that, despite carrying out some forms of security monitoring, the company failed to react in a timely manner to unusual patterns in the network traffic: it remained unaware of increased network activity for a period of four months. The UODO saw this as falling short of the security level appropriate to the risk, considering the “state of the art” security standards recommended, e.g., in ENISA’s guidelines on monitoring traffic to and from the IT system. The UODO concluded that, had the monitoring of Morele’s IT systems been appropriate to the risks, it should have detected the vulnerabilities of its one-factor access control, as well as the unusual network traffic.
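A four-month rise in outbound traffic is exactly the kind of deviation a per-host egress baseline is meant to surface. As an added example (not code from the decision, from Morele.net, or from ENISA), the Python below parses constructed daily egress totals for one host, builds a robust baseline (median and median absolute deviation) from the first fortnight, and flags later days whose volume sits more than a chosen number of robust deviations above it. The log format, host name and byte counts are all invented for the example.

```python
from statistics import median
from typing import Dict, List, Tuple

# Constructed daily egress totals (MB) for one host: a fortnight of ordinary traffic,
# then a sustained rise of the kind that exfiltration of a customer database produces.
DAILY_MB = [1000, 1100, 1050, 980, 1020, 1150, 1080, 1010, 990, 1120, 1060, 1030, 1100, 1040,
            1060, 1900, 2100, 2300, 2250, 2400]
CONSTRUCTED_LOG = "\n".join(
    f"2018-07-{day:02d} host=shop-web-01 out_bytes={mb * 1_000_000}"
    for day, mb in enumerate(DAILY_MB, start=1)
)


def parse_log(text: str) -> List[Tuple[str, str, int]]:
    """Parse 'DATE host=NAME out_bytes=N' lines into (date, host, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        rows.append((date, kv["host"], int(kv["out_bytes"])))
    return rows


def robust_baseline(values: List[int]) -> Tuple[float, float]:
    """Median and scaled MAD of the training window; a few odd days do not skew it."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # 1.4826 * MAD approximates one standard deviation for normal data; the floor
    # keeps a run of identical days from producing a zero divisor.
    scale = 1.4826 * mad if mad > 0 else max(1.0, 0.01 * med)
    return med, scale


def detect_egress_spikes(rows: List[Tuple[str, str, int]], train_days: int = 14,
                         threshold: float = 3.0) -> List[Tuple[str, str, int, float]]:
    """Return (date, host, bytes, z) for days after the training window whose egress
    exceeds the host's baseline by more than `threshold` robust deviations."""
    by_host: Dict[str, List[Tuple[str, int]]] = {}
    for date, host, nbytes in rows:
        by_host.setdefault(host, []).append((date, nbytes))
    alerts = []
    for host, series in by_host.items():
        series.sort()  # ISO dates sort chronologically as strings
        med, scale = robust_baseline([b for _, b in series[:train_days]])
        for date, nbytes in series[train_days:]:
            z = (nbytes - med) / scale
            if z > threshold:
                alerts.append((date, host, nbytes, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_spikes(parse_log(CONSTRUCTED_LOG)):
        print("egress above baseline:", alert)
```

In practice the baseline would be recomputed on a rolling window and the alert routed to whoever can inspect the host; the point of the example is that the check is cheap to run daily, so a rise of this size does not go unnoticed for months.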

Conclusions

The determination of the “state of the art” in security of personal data processing is an ongoing technical, organizational and legal task for businesses subject to the GDPR. This decision may provide some support in identifying the required level of IT security. The references to security frameworks and guidelines indicate a general approach to a risk-based interpretation of the “appropriate technical and organisational measures,” and we may well see further references to information security guidelines made by DPAs in other jurisdictions. The NIST Cybersecurity Framework and NIST Privacy Framework (once completed), as well as country-specific documents, provide some possible examples of useful points of reference for organizations considering how to comply with the GDPR’s rules on confidentiality, integrity and security of personal data processing.


Breaking down the Polish DPA’s personal data processing decision

On Sept. 10, Poland’s data protection authority, the Personal Data Protection Office, issued its highest fine of 660,000 euros to retail company Morele.net for infringing on the principle of integrity and confidentiality and the rules on security of processing under the EU General Data Protection Regulation. In this piece for Privacy Tracker, Womble Bond Dickinson Associate Anna Rawlinson, CIPP/E, looks at the key takeaways from the decision, including the UODO’s interpretation of “the state of the art,” which, under the GDPR, needs to be considered when implementing technical and organizational measures appropriate to the risk of processing.
Full Story

You’re about to gouda major change in Microsoft cloud security after Redmond agrees to go Dutch on data

Will take the GDPR hit for all cloud biz so you don’t have to

Microsoft says it will be making a data protection deal it struck with the Dutch Ministry of Justice and Security into a global policy for its cloud services.

Under the new outline for its Online Services Terms (OST) agreement for enterprise customers, Microsoft says it will take the responsibility as the legal data processor for all of its commercial cloud services including Azure, Office 365, Dynamics, and Intune.

By designating itself as the data processor, Microsoft will agree to handle all data privacy and storage requirements.

“At a basic level, this means Microsoft collects and uses personal data from its enterprise services to provide the online services requested by our customers and for the purposes instructed by our customers,” Julie Brill, Microsoft chief privacy officer and corporate VP for global privacy and regulatory affairs, explained.

“As a processor, Microsoft ensures the integrity and safety of customer data, but that data itself is owned, managed and controlled by the customer.”

While the new terms will be rolled out in early 2020 for all commercial cloud customers worldwide, they will largely be of interest to those operating within the EU under the GDPR.

With the new terms in effect, businesses can rest assured that any GDPR concerns for those Azure, Office 365, and other cloud services will be handled by Microsoft, rather than falling on their shoulders.

This designation was the reason for a conflict that arose between Microsoft and the Netherlands’ Ministry of Justice earlier this year. Worried that some of the data-handling procedures in Office 365 and Office mobile apps were not in compliance with GDPR guidelines, the ministry went so far as to warn other European governments not to use the Microsoft services.

The warning caught the attention of Microsoft, who then sat down with the MoJ and worked out a new set of policies and agreements that addressed all of the ministry’s concerns.

“As noted above, the updated OST reflects the contractual changes we developed with the Dutch MOJ,” said Brill.

“The only substantive differences in the updated terms relate to customer-specific changes requested by the Dutch MOJ, which had to be adapted for the broader global customer base.” ®

Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?

You didn’t ask for it, we didn’t tell you about it, but hey, it clears GDPR so what you gonna do?

Ubiquiti Networks is fending off customer complaints after emitting a firmware update that caused its UniFi wireless routers to quietly phone HQ with telemetry.

It all kicked off when the US-based manufacturer confirmed that a software update released this month programmed the devices to establish secure connections back to Ubiquiti servers and report information on Wi-Fi router performance and crashes.

Ubiquiti told customers all of the information is being handled securely, and has been cleared to comply with GDPR, Europe’s data privacy rules. Punters are upset they weren’t warned of the change.

“We have started to gather crashes and other critical events strictly for the purpose of improving our products,” the hardware maker said. “Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. The collection of this data does not and should not ever impact performance of devices.”

The assurance was of little consolation to UniFi owners who bristled at the idea of any of their data being collected, particularly without any notification nor permission. In particular, enterprise customers were less than thrilled to learn diagnostic data was being exfiltrated off their network.

“Undisclosed backdooring of my network is completely unacceptable and will result in no longer recommending, using, or selling of Ubiquiti gear,” remarked one netizen using the alias Private_.

“I realize that UBNT is too big to care about the few tens of $K per year that I generate for them, but I want to formally and clearly disclose my privacy policy/EULA, so that we understand each other. This is a stealth network intrusion and I don’t/won’t accept it.”

Ubiquiti has offered an olive branch of sorts to its upset customers, as the biz said there are plans in place to release another firmware update that will allow customers to opt out of the data collection. No release date has been given, and Ubiquiti did not respond to a request for comment on the matter.

In the meantime, however, punters are going to have to deal with knowing that Ubiquiti will be slurping some of their data, and that is not going over particularly well. One mitigation is to use DNS or IP address filtering to block connections from the devices to Ubiquiti’s servers, though this may interfere with the equipment’s operation.
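Before filtering anything, an operator needs to know which destinations the devices are actually contacting and which of those are expected. As an added example (not code from Ubiquiti or from the article), the Python below takes constructed flow records from managed access points, compares each destination against an allow-list of the endpoints the devices legitimately need (local controller, NTP, DNS), groups the rest per device, and emits dnsmasq `address=` sinkhole lines for the unexpected hostnames. The hostnames, device names and the assumption that the site resolver is dnsmasq are all this example’s own; the real telemetry endpoints are not named in the article.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source device, destination host, destination port)

# Constructed flow records as a collector might export them; the vendor hostname is a placeholder.
CONSTRUCTED_FLOWS: List[Flow] = [
    ("ap-lobby", "controller.lan", 8080),
    ("ap-lobby", "controller.lan", 8080),
    ("ap-lobby", "ntp.lan", 123),
    ("ap-lobby", "telemetry.vendor-placeholder.invalid", 443),
    ("ap-office", "controller.lan", 8080),
    ("ap-office", "telemetry.vendor-placeholder.invalid", 443),
    ("ap-office", "telemetry.vendor-placeholder.invalid", 443),
    ("ap-office", "resolver.lan", 53),
]

# Destinations the devices are expected to reach; anything else is reviewed before it is allowed.
EXPECTED: Set[Tuple[str, int]] = {("controller.lan", 8080), ("ntp.lan", 123), ("resolver.lan", 53)}


def unexpected_egress(flows: Iterable[Flow], expected: Set[Tuple[str, int]]) -> Dict[Tuple[str, int], Counter]:
    """Group flows to destinations outside the allow-list by (host, port), counting per source device."""
    result: Dict[Tuple[str, int], Counter] = {}
    for device, host, port in flows:
        if (host, port) in expected:
            continue
        result.setdefault((host, port), Counter())[device] += 1
    return result


def sinkhole_hosts(flows: Iterable[Flow], expected: Set[Tuple[str, int]]) -> List[str]:
    """Unexpected destination hostnames, sorted so the generated config is stable across runs."""
    return sorted({host for (host, _port) in unexpected_egress(flows, expected)})


def dnsmasq_sinkhole_lines(hosts: Iterable[str]) -> List[str]:
    """dnsmasq 'address=/host/0.0.0.0' entries, which answer the name with an unroutable address."""
    return [f"address=/{host}/0.0.0.0" for host in hosts]


if __name__ == "__main__":
    for (host, port), per_device in unexpected_egress(CONSTRUCTED_FLOWS, EXPECTED).items():
        print(f"{host}:{port} contacted by {dict(per_device)}")
    print("\n".join(dnsmasq_sinkhole_lines(sinkhole_hosts(CONSTRUCTED_FLOWS, EXPECTED))))
```

The per-device counts are what make the caveat above concrete: if a flagged hostname is also the one the devices use for controller or update traffic, sinkholing it breaks that function, so the review step belongs before the rule is deployed.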

“Despite our good experiences with the hardware and our clients’ satisfaction, this is absolutely a step too far,” said user sillyrat. “We’re through buying Ubiquiti products unless and until they go back to doing only what we set them up to do.” ®

Thanks to Reg reader Kevin Campbell for the tip.

Dough! Jobs microsite for UK’s data watchdog set hundreds of cookies without visitors’ consent

Information Commissioner’s Office is very knowledgeable about why that’s bad

A strong grasp of data privacy is key for anyone wanting a job at the UK’s Information Commissioner’s Office (ICO), according to the blurb on its microsite. Just one catch: the site itself enables hundreds of cookies – seemingly without consent.

The gaffe was first spotted by a Reg reader who told us he’d never seen so much cookie tracking on a single site, never mind one that pertains to an organisation that holds poor data practitioners to account.

“I have just discovered that the Information Commissioner’s Office jobs microsite, which talks about the importance of GDPR and Data Privacy, and which is currently advertising the new Director of Regulatory Strategy role, sets approximately 204 advertising and tracking cookies, all without consent.”

The site (visit at your own risk) is: https://microsites.hays.co.uk/jobs/ico/.

Under the EU’s General Data Protection Regulation (GDPR), tracking cookies may only be set once the user has given their consent. This means that tracking cookies are not allowed to operate, collect and process user data without the user agreeing to it.
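A site operator can check this rule mechanically by comparing what a response sets against what the visitor has agreed to. As an added example (not code from the ICO, Hays or the article), the Python below reads the consent categories recorded in a `cookie_consent` request cookie, parses each `Set-Cookie` header by name, and reports every cookie that is neither strictly necessary nor in a consented category; cookies it cannot classify are treated as non-essential rather than waved through. The header values, the consent-cookie format and the name-to-category table are all constructed for the example (the names `_ga`, `_gid`, `_fbp` and `IDE` are used as familiar analytics and advertising cookie names, not as findings about the microsite).

```python
from typing import Dict, List, Set

# Constructed classification for the example; a real audit uses the site's own cookie inventory.
STRICTLY_NECESSARY: Set[str] = {"session_id", "csrf_token", "cookie_consent"}
CATEGORY: Dict[str, str] = {
    "_ga": "analytics",
    "_gid": "analytics",
    "_fbp": "advertising",
    "IDE": "advertising",
}

# Constructed Set-Cookie headers from one response, as a browser would receive them.
CONSTRUCTED_SET_COOKIES: List[str] = [
    "session_id=3f9c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.111; Domain=.jobs.example.invalid; Path=/",
    "_fbp=fb.1.222; Path=/",
    "IDE=333; Domain=.ads.example.invalid; Secure; SameSite=None",
    "promo_tracker=1; Path=/",  # not in the inventory: treated as non-essential
]


def parse_request_cookies(cookie_header: str) -> Dict[str, str]:
    """Split a request 'Cookie:' header value into a name -> value dict."""
    out: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def consented_categories(request_cookies: Dict[str, str]) -> Set[str]:
    """Consent is assumed to be recorded as a comma-separated list, e.g. 'analytics,advertising'."""
    raw = request_cookies.get("cookie_consent", "")
    return {c.strip() for c in raw.split(",") if c.strip()}


def cookie_name(set_cookie_value: str) -> str:
    """Name of the cookie a Set-Cookie header creates (text before the first '=' of the first pair)."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def audit_response(cookie_header: str, set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies set by the response that are neither strictly necessary
    nor covered by a category the visitor has consented to."""
    consented = consented_categories(parse_request_cookies(cookie_header))
    violations: List[str] = []
    for header in set_cookie_headers:
        name = cookie_name(header)
        if name in STRICTLY_NECESSARY:
            continue
        category = CATEGORY.get(name, "unclassified")
        if category not in consented:
            violations.append(name)
    return violations


if __name__ == "__main__":
    print(audit_response("", CONSTRUCTED_SET_COOKIES))
    print(audit_response("session_id=3f9c; cookie_consent=analytics", CONSTRUCTED_SET_COOKIES))
```

Run against a first visit (no consent cookie at all), the check should return nothing but strictly necessary cookies; anything else in the list is a cookie the site is setting before the visitor has agreed to it.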

That is something the ICO is well aware of, with an introductory blurb on the microsite from its head, Elizabeth Denham, stating: “The arrival of a new EU General Data Protection Regulation (GDPR) and UK Data Protection Act in May last year means real change for the rights of UK citizens and for the accountability of organisations processing personal information. It also means huge change for the regulator.”

The microsite itself is subcontracted to recruitment firm Hays.

An ICO spokesperson said: “While the Hays microsite does have a privacy policy and cookies policy and explains the cookies in use, we will discuss compliance issues with them and ask for clarification.”

A spokeswoman for Hays said: “We recently removed a large number of advertising cookies from across our sites, retaining only a core group, but due to the overlap with a switchover project for our web platform, some of these tags were left live on sites still on the legacy infrastructure, including this microsite. Now that this has been brought to our attention, we have applied the same reduction in cookie usage to the microsite.

“As our privacy policy states, we are currently using browser settings to determine cookie acceptance. We recognise that this approach is no longer recommended in the most recent ICO guidance on cookies.

“In response to the release of this guidance, we initiated an internal project to upgrade our cookie consent mechanisms across our digital estate. We expect to deploy a new solution in the coming weeks which will address your concerns and update our approach to meet the most recent clarifications by the ICO.” ®

Process management may be challenging, but it’s also necessary

The EU General Data Protection Regulation provides a number of rights to data subjects and obligations to companies using the data. It has an impact on technology solutions and requires state-of-the-art security and mechanisms to ensure privacy. What is less often highlighted is that management is of huge importance, and the most profound impact lies within how you manage your operations. In this piece for The Privacy Advisor, Piotr Foitzik, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, explains how process management can help businesses comply with the GDPR and why examining business processes is still useful, even when it is not easy to do.
Full Story

Tech and mobile companies want to monetise your data … but are scared of GDPR

Poor things! Data, data everywhere but not a drop to drink

The vast majority of technology, media and telecom (TMT) companies want to monetise customer data, but are concerned about regulations such as Europe’s GDPR, according to research from law firm Simmons & Simmons.

The outfit surveyed 350 global business leaders in the TMT sector to understand their approach to data commercialisation. It found that 78 per cent of companies have some form of data commercialisation in place but only 20 per cent have an overarching plan for its use.

Alex Brown, global head of TMT Sector at Simmons & Simmons, observed that the firm’s clients are increasingly seeking advice on the legal ways they can monetise data. He said that can either be for internal use, how to use insights into customer behaviour to improve services, or ways to sell anonymised data to third parties.

One example of data monetisation within the sector is Telefónica’s Smart Steps business, which uses “fully anonymised and aggregated mobile network data to measure and compare the number of people visiting an area at any time”.

That information is then sold on to businesses to provide insight into their customer base.

Brown said: “All mobile network operators know your location because the phone is talking to the network, so through that they know a lot about people’s movement. That aggregated data could be used by town planners, transport networks, retailers work out best place to site new store.”

However, he added: “There is a bit of a data paralysis at the moment. GDPR and what we’ve seen recently in terms of enforcement – albeit related to breaches – and the Google fine in France… has definitely dampened some innovation.”

Earlier this year France’s data protection watchdog fined Google €50m for breaching European Union online privacy rules, the biggest penalty levied against a US tech giant. It said Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalised ads.

But Brown pointed out that as long as privacy policies are properly laid out and the data is fully anonymised, companies wanting to make money off data should not fall foul of GDPR.

Simmons & Simmons’ survey also revealed that 53 per cent of TMT companies think they need to improve their understanding of data privacy regulation. Meanwhile, just 31 per cent of respondents said they had updated their communication to customers on data collection and use in the last two years – despite a number offering financial incentives and offering a more personalised service to incentivise data sharing.

Brown noted that lawyers will have rewritten the privacy policies to align with regulatory changes. “But what they are perhaps telling us is they are not talking to customers in different ways. And that comes down to the value exchange: your data for what?

“The survey indicates there is still focus on data being used in ways that are of benefit to the company, like personalised marketing. That is largely about the benefit to the company, rather than the user.”

“But if you don’t engage customers and deliver value, why would they sign up [and allow their data to be used]?”

Why indeed. ®
