What went wrong? Foodora hacked!

Swedish newspapers are reporting that the data of half a million customers was stolen by hackers. Foodora, a Swedish company, is owned by a German business, Delivery Hero. As one can guess from the combination of both names: 1) it's about food, and 2) yes, customers order online from their favourite restaurant and get it delivered.

From what I can gather, the data was stolen from their test environment. This means that live data was stored in a test environment that was not appropriately protected, as required by Art. 32 GDPR. Moreover, it seems that the purpose limitation (Art. 5.1b) and data minimisation (Art. 5.1c) principles were not respected. There is probably more, but this is what I have based on a couple of newspaper articles.

So the affected data subjects include customers from 2016 onwards. The only data stolen in clear text was data which is in the main public in Sweden (except if you have a protected identity), so it seems low risk, but read on…

What is not public is the fact that an individual is a customer of Foodora, and that makes it easy to craft a phishing attack that appears to come from Foodora to these customers.

On the plus side, it looks as though Foodora have mobilised their communications function and sent a message to all customers warning them about what has happened and telling them not to click on any links in emails from them. Their quick action is impressive, very transparent, and a good example of how to act when this kind of incident occurs.

Nevertheless, I see that there will be an investigation of Foodora by the Swedish Data Protection Authority, which is scheduled to finish before December 2021.

Image taken from https://www.missethoreca.nl/ restaurant guide.

On a crucial importance of TOMs under GDPR Article 32

The DPA of Baden-Württemberg (Germany) fined a health insurance company EUR 1,240,000 for insufficient implementation of TOMs (technical and organisational measures), which resulted in the personal data of approx. 500 individuals being accidentally processed for advertising purposes without due consent.

The fine is quite high, especially given that there have been some mitigating factors in this case:

  • relatively few data subjects concerned
  • cooperation with the DPA
  • TOMs were not absent; their level of implementation was just insufficient

Besides, no data breaches or other factors posing a (high) risk to data subjects were identified.

The investigation resulted in one of the highest fines issued under Article 32 (if not the highest). This can be explained, in particular, by the adoption of the German model for calculating fines under the GDPR.

Anyway, this is another reminder for controllers and processors of the importance of putting in place TOMs appropriate to the risk, as ‘somewhat good’ TOMs are unlikely to be enough.

More to read – see below.

https://digital.freshfields.com/post/102garn/1-2m-fine-in-germany-for-failure-to-implement-appropriate-toms

At the Nexus of Privacy and Antitrust

The IAPP Privacy Advisor published an excellent article on 23 June entitled “The thin line between privacy and antitrust.” In particular, the three scenarios presented by the authors are concise introductions to the important ways that privacy issues may arise in antitrust matters and investigations, and to how the areas of privacy and antitrust will become more closely linked going forward.

As someone who has worked at the nexus of antitrust and privacy for the past couple of years, and who has been involved in 10 such U.S. matters (involving the U.S. Federal Trade Commission and the U.S. Department of Justice), I have the following general observations to share:

  1. It is important to be extremely careful in internal corporate communications when it comes to privacy issues as discussed by those “in the know.” That may sound like an obvious piece of common sense, but I have been shocked by how corporate leaders (from the CEO on down) are inappropriate and sloppy when it comes to privacy discussions in antitrust matters. Email is an easy way to fire off one’s thoughts, but discipline of thought and tact are incredibly important.
  2. I have been pleased by the awareness of company personnel when it comes to personal sensitive information, PHI – PII, etc. Very impressed.
  3. I have seen little discussion of privacy as a basic human right. Much more work needs to be done in the U.S. in terms of cultural change. As privacy pros know, they are excellent ambassadors for that point of view.
  4. In some situations, discussions of privacy issues were subtly couched in ways to restrain competition in the industry. As everyone here knows, never say that. As well-versed antitrust lawyers also know, sometimes corporate leaders and counsel cease writing emails on a topic and continue the discussion on the phone.
  5. Some of the situations I have been involved with involved mergers where getting the data from the acquired company is one proposed benefit of the merger. The discussion by the authors in their section entitled “Sharing data raises privacy concerns” is spot on and bears multiple readings. Once again, if you view data protection and privacy as a basic human right, there should be no question that a more rigorous conception of those topics is necessary from Day One. Privacy should be baked into the company’s DNA, and a newly merged entity is an excellent opportunity to make that a reality.

The section in the IAPP article focusing on nascent competition is especially pertinent for the future, though now, with the pandemic in full force, it remains to be seen what the final damage inflicted upon the U.S. economy will be, and how that will ultimately change corporate leadership in the future, especially with regard to the privacy / antitrust relationship.

My TikTok – My Observations

Well, apart from the fact that my 10-year-old daughter has been an avid user of TikTok for 2 years, my interest would nonetheless have been sparked by the torrent of privacy issues which have been popping up left, right and centre. I thought it could be good to give you an idea of what TikTok actually is if you haven’t tried it (yet), and what it means to kids, because I’ve actually spent some time there.

To summarise the list of issues I see:

  • TikTok is a Chinese business and hence privacy is not something they feel strongly about, so I just don’t trust them. I guess this is a British understatement 😉
  • They are not following any of the GDPR principles, e.g. data minimisation on content created by EU data subjects, incl. minors.
  • Privacy is not built into the design of the app; you only need to Google to find what I mean here.
  • Kids are being stalked by sexual predators; there are no ‘safe gardens’ for kids.
  • Kids are being cyber-bullied, aggressively, and not only by peers but also by older users, the trolls.

Nonetheless, TikTok is in fact fun! I created an account 2 years ago to try and understand why kids were there. All good material for my next book! One TikTok post (below) that I made with the help of my daughter got 67.8k views, 3,630 likes and circa 100 comments, so I had something perfect to use for my analysis.

Fun observations:

  • It’s addictive, and getting involved as a parent has removed barriers we had concerning the use of TikTok or other social media apps.
  • The inbuilt templates provide kids with opportunities to test their creative abilities beyond what I ever thought was possible. Working with my daughter to create this and other TikToks has given me an insight into what the world could look like when they enter the workplace!
  • Watching kids collaborate on TikTok and other social apps is mind-blowing beyond what we ever did ourselves as kids. We have a generation of kids growing up socially connected and collaborating; these kids won’t understand why our generation had to learn how to work as a team.
  • I was amazed at how my daughter, on seeing some rather nasty comments, just deleted them, and then how she advised me to ignore them.
  • Accounts set up (at least 2 years ago) were not set to ‘Only Friends’ by default.

Worrying observations:

  • I saw kids being aggressively cyber-bullied on TikTok: one poor girl who couldn’t have been older than 9 was being attacked as ugly… the comments were damning. There was a ‘report abuse’ button which I used, but there was no follow-up.
  • The template we used, “100% DNA, Swedish”, was damned as racist. Although not racist, such templates are triggers for trolls.
  • Kids can be easily lured into creating ‘duets’ or more, and I’ve seen kids kissing through a virtual wall with older teenage boys when singing a love song together. This makes online grooming very easy.
  • It is likely that many kids have multiple accounts, for reasons such as having lost their password and being unable to fix it, or being harassed by cyberstalkers and needing to move.

This is the TikTok I made together with my daughter which went viral a couple of years ago. Btw, something going viral doesn’t mean it’s good… so you’ve been warned 🙂

Contract Negotiation Best Practices

If you are interested in contract negotiation best practices, check out my discussion in the latest installment of NCURA YouTube Tuesday (National Council of University Research Administrators). Not exactly concerned with privacy per se, but I would consider the topic to be within the larger universe of privacy issues.

https://www.youtube.com/watch?v=XY33603mlPk

The ethics of privacy

Privacy is a fundamental human right recognised in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and many other international and regional treaties. Privacy underpins human dignity and other key values such as freedom of association and freedom of speech. It has become one of the most important human rights issues of the modern age. And yet, for many, the GDPR is the beginning of privacy law as we know it, the most remarkable difference being the introduction of some really sizeable fines. So how does this affect the ethics of privacy?

Privacy is, by its nature, an element of compliance. Compliance with privacy laws, and with the “intention” of privacy laws, is how we show optimal data protection. When talking of compliance, I always say that “Compliance is not about just doing the right thing, but showing we are doing the right thing”. Compliance is only possible with accountability. No one ever challenges the concept that compliance is about doing the right thing. We should remodel our approach to privacy away from compliance with the law and towards the behaviour of doing the right thing. The GDPR helps us to show we are doing the right thing; it helps us to show our accountability, but it is not the reason privacy exists.

Why is this important for companies? Privacy is now a central element of business ethics. It forms part of the corporate approach to mitigating controversial subjects in order to gain public trust and support. No matter what the industry, data is essential to the functioning of business. Without an ethical approach to handling data, it will not be entrusted to those who need it most to make the business turn. An ethical approach also, of course, maintains reputation, helps avoid significant financial and legal issues, and thus ultimately benefits everyone involved.

Tiktok moves under control of Irish DPC

From 29 July 2020 onwards, Tiktok Ireland will control the data of all users in the EEA and Switzerland.

Nothing specific, just another smart move by a non-EEA company (the parent company, TikTok Inc, is incorporated in the US) in an attempt to use the one-stop-shop mechanism via its EEA subsidiaries.

Except for one thing. The recent French scenario, where the CNIL issued an administrative fine directly to Google LLC (US) instead of its EU subsidiary (and this was upheld by the Conseil D’Etat), may become a real problem even with the support of the Irish authorities.

The decision of the Conseil D’Etat has probably ended the era of so-called ‘delegated controllership’. If supported by other DPAs, this will affect all non-EU ‘factual’ controllers wishing to use the one-stop-shop mechanism. Think about it, TikTok.

The ex-employee & data subject rights

This is an interesting case, and not only for the reasons mentioned in the press. It doesn’t give us much to work with but…

What strikes me, and what is often overlooked by organisations, is that employees and ex-employees (as is the case here) have rights under GDPR. Every employee is a data subject… although of course you knew that 😉

What seems to be common with dissatisfied customers also applies to unhappy ex-employees (as in this case): they exercise their rights under GDPR. This guy wanted to be forgotten and to have access (to whatever couldn’t be deleted, one can assume). This means that even if your organisation acts as a processor in the delivery of services to your customers, who are the controller, you are still the controller with respect to your employees.

Contractual clauses were used for the transfer of employee data to China. However, the fine, a meagre €5k, was awarded for not responding to the ex-employee’s exercise of his rights, not for the use of contractual clauses… it would be interesting to know more about this.