Digital online rights for children

Sweden is ahead of the rest of the world when it comes to children’s rights, even in the digital/online world. Read more here.

To say I felt an excitement deep in me is an understatement. It was children’s safety online which brought me into privacy. My master thesis for my MSc Information Security was on protecting children online, which led to the publication of my first book “Virtual Shadows” in 2009. This was 8 months before the birth of my daughter.

But what triggered me, was long before this, was my son who was 18 by the time I had published my first book. I often had computers at home, normally open as I was twiddling with them, and so was he since he was 10 years old.

I saw his fascination in Sim City and other highly educational games which transported him into worlds of logistics and consequences. The theme of conversation amongst the boys was which level they are reached, e.g. how a famine had broken out, bad decisions on arming, etc. Gaming was not multi-player, it was single player, and installed on a PC in those days.

What Sweden has triggered is awesome. Beyond what any country has done when it comes to human rights, not surprising considering they were the first country globally to give equal rights to children in 1971. Now in 2020, it has reached the digital world.

H&M have invaded employee privacy

So hot of the press is that H&M (a Swedish business), although the fine of €41,4m was due to practices in one of their German outlets which were not compliant with GDPR.

Clearly as an employer it is difficult to avoid the collection of sensitive data from employees, i.e. when they are sick, just the notification is in itself sensitive and a DPIA must be conducted on how the notification and following process is done in order to any identify privacy risks, and remediations necessary in order to minimise the risk of harm to the rights and freedoms of each employee.

It seems that H&M were in conducting a “welcome back to work” after sick/vacation interview, recording the contents of the conversation, and storing it somewhere, which badly for them became exposed, which meant they got found out because they were reported to the German DPA.

It seems a bit of a pity, as the purpose of the interview seems to be positive, and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside of the specific purpose of the conversation, and indications -from what I read- are that this personal data was in fact used beyond purely storage, in that 50 managers had access.

Bad news for H&M. Great news for privacy and GDPR. Great work Germany, as per usual at the front of data protection and privacy of each and every data subject!

BCRs and Tetra Pak has just got them approved in Sweden

An extremely interesting development considering the recent Schrems II decision and that Tetra Pak has US operations.

This is a first for the Swedish Data Protection Authority with BCRs. OneTrust has a good summary of the decision, etc., in English. Here is the decision in Swedish.

Now, there is much discussions on the legality of Binding Corporate Rules since Schrems II, after all surveillance in the U.S. is omnipresent, over which we have no control over here in the E.U., but in reality what this decision means is that the we need to be realistic, business must go on.

My take on the transfer of data is to dive into the potential risks to rights and freedoms of the natural person. If there are none, e.g. you are only transferring email address and name of the individual, and maybe they are adding business activities into a log, e.g. financial records. I find it difficult to really force myself to change an established business practice, especially now with coronavirus times, and many businesses are in survival mode, and many close to bankruptcy. If HR data is being transferred then this must change clearly.

I am, even as a privacy professional sceptical of all the fuss and hype there is on blocking all personal data transfers out of the EU to a country such as the U.S. (lacking adequacy decision now with Privacy Shield gone), because of Schrems II.

I guess if I wasn’t a small startup myself, serving small-medium businesses, I would think differently. But if this is all too complex, the SMB will do nothing, they have too much to lose, and when it happens it can go quick, money spent must be prioritised. For the SMB Schrems II is like double-dutch, all this legal speak, it’s out of their boundaries of business operations, and and the Data Protection Authorities get this, and are not normally targeting the small actors selling consulting, car repairs, chickens, or a pair of shoes, they are after the biggies.

Cookie consent banner for the SMB

There’s been quite some cookie talk lately on this blog and one reason why is that I have as CEO of my little startup been looking for a cookie consent banner which costs nothing for my website.

So why only now. Well, I did only have essential cookies on my website until recently which didn’t require cookie consent. I had inserted a banner and notice. However, I started adding YouTube videos and Chat, which came packaged with an analytics engine, Zoho SalesIQ.

So when one of my Linkedin Connections was kind enough to point this out, I responded without thinking, that only essential cookies are used…… I was feeling just a bit little stupid when I realised that I’d been so deep in getting my business out to market, that I’d actually missed the privacy thing, which is not good, after all my business is about GDPR compliance!

So I was on a mission, install a cookie consent banner with a preference centre on my website, catch was that I had not budget for this. I am after all a small business, and all these small costs add up to something more. And not all small business have funding for extra overheads. I wanted to find something which I could recommend to my customers/partners, many are SMBs, so they have (1) a free option, and (2) paying option.

Criteria for SMB as I see it is:

  1. There must be a free option
  2. It must work on all websites, e.g. even OneSpace, Wix,
  3. It must be easy to setup without too much technical know-how.

Most cookie banner solutions cost money, and you can expect to pay circa €9 per month. However, there are some free ones out there, with restrictions such as a single domain. But this is good enough for most of my customers.

On a technical level it needs to work on all types of websites, e.g. mine is hosted on, and some which I came across and tested didn’t work because they required that I install code in the Header html, and I don’t have access to this. I can only insert code within the page/footer).

Ease of setup, was not great. I spent 2 days looking/testing suitable cookie consent banner. Of those I found, I tested 8, and became extremely frustrated because IMHO this should be EASY, but it was most certainly not. I am not technophobia, and do have a decent level of competence to make this work. But it required javascript, and of all I tested only 2 came close, and only one met the technical criteria for the SMB and the cost criteria. That was Termly.

Now, I still say there is no excuse for how the Guardian’s banner was configured, they have money to pay techie to do this work, but for a small business, setting up a cookie consent banner is not reasonable. If 2 days work is required to find/test and install one. That is why I have written this blogpost. If you’re an SMB you don’t need to waste time looking. Carry on reading for an alternative to Termly later on….

It doesn’t stop here. I then checked this blog to look at cookies. This blog was originally setup by myself in 2007, and cookies weren’t a big thing then. Even since, I haven’t given a thought to my musings on this blog, and that a cookie consent banner is necessary, because I wanted to believe that Article 2 applied, household exception. However, now we are many Authors, and unfortunately WordPress downloads over 80 cookies! Even though this is a personal blog, now for many, we needed to fix this -now that I’m on a cookie kill drive, and starting to hate these little blighters!

Now if your business website is using WordPress you must upgrade to Business to get the Plugin for free, and this should be easy to install, although I haven’t tried yet, because this is a personal blog, and I don’t intend to upgrade at a monthly subscription of €35 just to get my hands on a cookie consent banner. I checked some other cookie banner options. I received a tip on Metomic from a privacy Connection, and I liked it, wish I’d found before. But when it scanned this virtualshadows blog it reported there were no cookies, which is a lie. It could be that it is a not on its own domain. But Metomic looks easy to use, is free, and could be worth testing as an alternative to Termly. I may even replace Termly with Metomic, but it does require some code in the website Header, not sure if this is required or optional.

As it looks now, unless I find a free cookie banner, this blog will be migrated to another platform. Criteria, it must be free of cost, and free of cookies.

My takeaway from the last 3 days…. is that the cookie consent banner has pulled me -a single-man resource in my business- from product development and from revenue generating activities. GDPR has in practice blocked innovation and growth. I became angry and frustrated, not only by the activity, but at the thought that every small business out there which requires a cookie consent banner will find it just too difficult to fix, and they don’t have budget to pay someone else to do this as the larger organisations have.

Let’s get creative with cookie banners! I’m sure it’s fine?

I am seeing more and more the new type cookie banner, which basically informs you of non-essential cookies, i.e. it is not required for the essential ones which is great, however…. there is some creative engineering active which is not compliant with GDPR. I am accepting non-essential cookies, for whatever the reason on my side, but this is because on the cookie side, opt-out is not set as a default. Let’s take a single example.

I was visiting the Guardian newspaper this morning and it got me thinking again about cookies. Privacy by design as a default is about ensuring that the user needs to do nothing to protect his/her privacy, data protection by default in the GDPR is based on this concept. However, what I found on the Guardian website, was most definitely not opt-in, it was opt-out, and the Guardian newspaper is British, still part of the EU?

What I observed was a very interesting technique to discourage the visitor to opt-out. When I first arrived on the Guardian newspaper website the following notice pops up on the Cookie Banner, which looks good.

We and our partners use your information – collected through cookies and similar technologies – to improve your experience on our site, analyse how you use it and show you personalised advertising.

But then it continues with the following. The default I’m OK with that is not what I would expect unless by default all cookies are in opt-out mode. But at this stage I really have no idea. My expectation as a privacy guy is that opt-out is the default setting.

However, when clicking on Options, the following message is displayed, and it still is not clear if cookies are loaded onto the visitors device as a default or not, the Off booleans are not selected, nothing is.

I went to the cookie notice and found that in fact the default was that cookies are downloaded as a default, and it is necessary to go through to another site to configure.

And this is what got me thinking. Non essential cookies as a default should be switched off, i.e. opt-out. And it should not be more difficult to opt-out than to opt-in.

An open letter to the CJEU from L

Read a view of the Schrems’ decisions from the other side of the great pond, in the U.S. I found this to be an informative, serious but fun read through the spectacles of Lydia F de la Torre, EU & US Counsel (Spain/California) and a lecturer of Privacy Law at Santa Clara University School of Law. Grab a coffee, it is long and its climax is an open letter to the CJEU which I’ve copied below 🙂

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it. I am a lecturer at Santa Clara Law. You can call me L.

The blogpost by Lydia covers the Schrems I and II saga. From reading this I gained some insight which I hadn’t really bothered to dig into earlier, but I am not alone in this. One example is Schrems I resulted in the fall of Safe Habor, we all know this, but what is not common knowledge, is that it seems that even Max himself was unaware that Facebook were using SCCs, if he’d known earlier there would have been no Schrems II because it would have been taken at the beginning.

You really should read the complete Post from Lydia, it is actually entertaining 😉

To: The Court of Justice of the European Union (Grand Chamber)

In regards: Overdue homework

Dear Grand Chamber:

I have been waiting for years for you to give us a hint as to what is the essence of the european right to data protection.

I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart as you keep citing to them as if they were twins.

And that is a scary proposition, since the ECtHR is not going to steal your thunder because the European Convention of Human Rights (that the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.

Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?

And yes, I know you are not bound to follow preceding from the Constitutional Courts of Member States.

But let’s be honest.

You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter it is just a compilation of the rights granted on Europeans, initially, by Member State law.

So please, do your homework next time you rule on a GDPR case and hand down something that tells us what the core of the European right to data protection exactly is. Is data localization absent essential equivalence for a cross-border transfer part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning) trigger a violation of the fundamental right to data protection under Article 8.3of the Charter?

Looking forward hearing from you soon.



In the Privacy Shield storm -practical advice

I am and still attending a great session hosted by the IAPP on the Schrems II decision and Privacy Shield consequence, i.e. it is no longer a legal mechanism for data transfer from the EU to the US.

Miriam Wegmeister was a great panelist and gave some great insights, very practical and cool lady!

Practical steps as follows:

  • There were some revised SCCs drafted even before this decision which can be used.
  • Look at other mechanisms, e.g. transfers subject to appropriate safeguards (Article 46). What jumps out at me are (e) Code of Conduct, and (f) Certification.
  • Art 49 normally only to be used in exceptional circumstances, maybe the Commission can relax on this. Art 49 is derogations for international transfers, my favourite (not) legal subject. It makes sense, as it is similar to Art 6, with some variations.

The decision is that Privacy Shield is not legal anymore, stop, no grace period, however looking at the UK Information Commissioner website and voila, they are recommending to “continue using Privacy Shield until new guidance becomes available” but do not start using Privacy Shield.

Yes, I’m angry about the Schrems II decision!

Why the hell should a devote privacy and GDPR advocate be angry about this decision, after all it’s good for privacy is it not?

Yes decision is correct, but also no.

Clearly Facebook is a scapegoat, twice now with Schrems I and II. But now we are in limbo again! The fact is that even if the large businesses have heaps of money to bring in an army of legal professionals to replace all Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs), which may or may not work. The Small Medium Business (SMB) do not have this luxury.

Apart from the large businesses, I work with quite a lot of SMBs, and I can tell you exactly how they feel in a single word…. confused in two words confused and hopeless. Most have yet to do their work for GDPR compliance, and those which have, may have done an initial effort in 2018, but have since done nothing.

What makes me angry is that now in 2020, some of these are calling me in because I have created some low-cost tools which help them to help themselves. They are making the effort, but they are in main, using cloud providers from the U.S., and there was a simple remediation, to check that the business was Privacy Shield certified. I had a cheat list of all most common cloud services, if the business wasn’t listed, my recommendation was to move to another which was. And so it was cheap and easy for them to fix themselves, without paying me my expensive hourly consulting rate.

So now all these SMBs have nothing, again. And yes I’m angry, because I was starting to get some traction in the SMB market. My speciality is making this legal stuff doable for any businesses, it’s not rocket science, But now it’s quite ridiculous, there is no way I will instruct every SMB to stop using all U.S. cloud services, they will kick me out. In fact the low-cost GDPR tools I have created are based on U.S. services, and they can’t be moved. There is nothing equivalent in the EU. It feels unfair to the SMB, they are getting the GDPR thing, and how it is good for business. Together, my small business and my customers were starting to make great progress.

It is not only my opinion that the SMB is critical for a functioning society, although maybe it is just mine that it is the SMB which will suffer most from this judgement?

Okay, sorry for this rant. I’m feeling a bit like Ms Angry, but now I’m done 😉

Image taken from

What went wrong? Foodora hacked!

Half a million customer data was stolen by hackers is being reported by Swedish newspapers. Foodora a Swedish concern is owned by a German business, Delivery Hero. As one can guess by the combination of both names: 1) its about food, and 2) yes, customers book online from whichever is their favourite restaurant and get it delivered.

From what I can gather, the data was stolen from their test environment. This means that live data was stored in test which was not appropriately protected as is required by Art 32 (GDPR). Moreover it seems that the purpose limitation (Art 5.1b) and data minimisation (Art 5.1c) principles were not respected. There is probably more, but this is what I have based on a couple of newspaper articles.

So the affected data subjects are included as customer data was from 2016. The only data stolen in clear text was data which is in main public in Sweden (except if you have a protected identity), so it seems low risk, but read on…

What is not public data is the fact that the individual is a customer of Foodora, and this is a great way to social engineer a phishing attack that seems to come from Foodora to these customers.

On the plus side it looks as though Foodora have got out their communications function, sent a message to all customers warning them on what has happened, and not to click on any links in emails from them. Their quick action is impressive, very transparent, and a good example on how to act when this kind of incident occurs.

Nevertheless, I see that there will be an investigation of Foodora by the Swedish Data Protection Authority, which is scheduled to finish before December 2021.

Image taken from restaurant guide.