Final decision on ‘freedom of breach’ in Sweden

Okay, so the final decision is that a breach cannot be hidden. If an organisation reports a breach to the Swedish SA it is public data, although it seems more specific to the IT or security angle. I haven’t read the complete ruling yet…

Handbook on European data protection law

I came across this pub_FRA published by FRA (European Union Agency for Fundamental Rights). Its target audience is non-legal, but IMHO there is too much detail here to be of interest to a non-legal individual, which is the alleged target audience. Nevertheless, I think it is a great read, although I’ve not read it all yet.

I’ve made it available from this post, because getting a digital download/link was a little tricky.

Swedish journalists want breach transparency

There is an interesting court case going on in Sweden whereby the Swedish Press had made a case (5200_18 DI and journalist case_publicity vs privacy (1)) against the Datainspektion (Swedish SA) to publish all breaches submitted by Swedish companies. This is still in progress. Sweden, as you will know from my blog, has a very strong freedom of information culture, so it’s interesting that the Datainspektion seems to be taking a stance against the journalists. It has been really great to see the Swedish SA jumping on the power they now have, and using it.

I don’t completely agree with them on this specific point, though. I believe all breaches should be made public, but it is fun observing the action!

Wikiprivacy beta launch – WELCOME!

Finally it is ready for launch, at least in beta; we are still fixing the payments part. In the meantime you can take a look at a privacy community I’ve been working on for over a year now with a Swedish company called Haaartland. To be a member, it will cost only €9 per month as a privacy early-bird. We wanted to make it accessible to all who are interested in privacy, irrespective of how deep their pockets are!

It is a self-help privacy forum, although it is much much more! You need to visit to really get what it’s about. It is a focused forum on privacy, and the GDPR is in there in graphical form… as a member you can Post, Comment and build up your Tribe of favourite contributors. You can find out more and Join via the Privasee website or jump straight in here and request to Join.

By joining and getting active you will help Privasee (of which, if you didn’t know, I am founder ;)) make this a success, and meet our vision to “make privacy accessible to all”!

Data Protection vs Privacy

OMG, Forbes has got it (see article): you know, that information and security are NOT the same. Maybe the author of the article actually read my latest book. Filip (co-author) says that the use of ‘data protection’ over ‘Privacy’ compliance hadn’t helped at all in the EU. But I guess we do want to be different from Americans after all 😉

IP address is personal data

I saw this article in my LinkedIn feed, where Sebnem Erener voiced her opinion on it.

IP address IS personal data. Identification does not only mean the name, address, location of a person but also potential identifiability, linkability and inference. Any information that is useful in tandem with other data points to identify individuals is personal data. Account must be given to all the means likely reasonably to be used for identification, paying attention to the current state of technology. In other words, if it would not take disproportionate effort to (re)identify a person it is personal data and must be protected, including IP addresses. This is not only based on the interpretation of the GDPR but has been established by ISO, Article 29 WP and ECJ previously.

Just to give my 2-cents to Sebnem’s LinkedIn post. Outside of the technical side, given that 20 years of my career have been in IT and security, I understand why he thinks how he does, but he is nonetheless wrong!

Take just 2 of his arguments for why the IP address is not personal data in his ‘not-so-humble’ opinion 😉

According to the article: An IP address is not personal to an individual. It is a shared piece of data. Some might argue that you can use IP addresses for tracking and targeting, but the truth is, they really are only useful in tandem with other data points.

Sorry but personal data is any data linked directly or indirectly to a natural person. See the linkability mentioned in Sebnem’s post.

Then we move on to another argument:

According to the article: Article 17 of GDPR, the Right to Erasure (“right to be forgotten”), states that anyone in the EU can request that a website delete all of their personal data, including records that correspond to their IP address………Why would someone need an IP address “forgotten?” 

Clearly the author is oblivious to the fact that the data subject does not have an ‘absolute right’, and to the concept of ‘legitimate interest’.

Swedish utgivningsbevis is still in force

It has been interesting watching the action now being taken to claim the rights of the data subject as stipulated in the GDPR. For the larger businesses there seem to be around 10 SAR requests on average, although to say ‘on average’ is not correct, in that we are only one month into the aftermath of the GDPR 🙂

I was delighted to see Lucas Khan in action, claiming to have his personal data removed from public sources in Sweden, which is the product of something called an utgivningsbevis issued in the name of freedom of speech. I have written loads on this already, and it’s great to have some company 🙂

By the way, this will be fixed with the e-Privacy Regulation. I’ll dig out the quote later in another post.

Some of the posts:

Personal data is still PUBLIC in Sweden!

Personal data still public and for sale in Sweden!

Sweden is going to have fun with the new Data Protection Regulation

Ratsit is so kind as to remove sensitive data from public eyes

There is more. Just search 🙂

Personal data is still PUBLIC in Sweden!

It seems that the clash on freedom of information and the GDPR in Sweden has finally hit mainstream knowledge.

Sweden’s open society is clashing with EU privacy law, and regulators are frustrated

While the General Data Protection Regulation will this week come into effect across the European Union, some companies in Sweden have nothing to fear — for now at least — thanks to a peculiarity of Swedish free-expression law.

https://iapp.org/news/a/swedens-open-society-is-clashing-with-eu-privacy-law-and-regulators-are-frustrated/

If you want some background reading on the problem, here is some stuff I posted in 2014-2015.