Life in China… and..

Not many of us know each other personally as human beings with a life outside of what we do in the real world. We are connected on LinkedIn and are a sect of professionals. But behind each individual is a private life. In this private life we make decisions about how we live with our ‘right to a private life’ concerning ourself and our family.

I have had 2 children, a son in the UK when I was 17 years old, and a daughter at 46 years old in Sweden. This is about my son, who has no right to a private life. Some of the details are modified in order to protect him and his family.

Funnily enough there is no way to connect me with my son, due to the fact that the name on his passport is not the same as mine, or even the name he was born with. The name on his passport is not his legal name. How this is possible is another interesting story. What this means is that, through some fluke, my son and I are, from a paper-trail angle, unconnected. This means I can speak openly about his life in China as the father of a half-Chinese child living with his Chinese wife, without risk to him or his family. He has lived in China for 20 years.

The situation in China has always been difficult. As a foreigner he is monitored 24/7. There is a threshold on how much money he is allowed to have, and he doesn’t get much. He is used to receiving visits from the Chinese police. He did use Tor, but even the fact that he is using Tor, so that his data cannot be read by the Chinese nannies (police), is suspicious behaviour and warrants a home visit. He loves his wife, but she is under the influence of Chinese propaganda. She does not see a better life for her family outside of China.

Since the Russian invasion of Ukraine life has become increasingly difficult for my son and my grandchild, because they are not Chinese, or only half Chinese. My grandchild is treated differently at school. My son has occasionally been stopped in the street and asked if he is Russian; when he replied “no”, the reaction was not agreeable.

My son suspects that he is one of very few Europeans/British/Americans left in the city where he lives. They have all left. The good news is that finally his wife is coming round; even her close friends are advising that she and her family leave China, for the sake of her family. Although this is also bad news, because if Chinese people are advising it, it’s time to leave… My son is deeply concerned that they will be segregated, and worse. Time is running out.

I have so many stories, shared by my son with me over the years about life in China and how it is changing. So if you are interested, have questions, etc., just add in Comments, and I will write more when I feel in the mood.

Sensitive employee data made public in Finland

Okay, there were only 7 employees, and this personal data breach, which was investigated by the Finnish DPA, concerned a single employee who was on sick leave.

What is super interesting about this case is that the employer (a family business) put the fact that the employee was on sick leave on the company website. It seems that because the employee was sending an automated email response saying that he/she was on sick leave, the employer got the idea that this data was now public data.

The decision then digs into the Employment Act and secrecy concerning employee data, and the outcome was that sanctions would be placed on this business, i.e. it was a personal data breach which has an impact on ‘rights and freedoms’.

Clearly I’ve cut out a load of details here… but what is important is that even the small family businesses are not immune to GDPR sanctions.

A US update on the TikTok saga

As you know Trump tried to ban TikTok from the US, and a compromise was reached with TikTok that US user data would only be stored in US data-centers. Sounds a bit similar to the Irish ruling in 2020. What I am thinking is that US intelligence have the power/mandate to access data of EU data subjects under FISA 702, so what if China have something similar?

Anyhow, despite my speculations, there is a new development. It seems that biometric data may or will be collected by TikTok; as it stands now this applies only to US TikTok users, and consent will be required. Apparently all US states now require consent for the collection of biometric data!

But what about all the underage users? There is a law in the US which mandates parental consent for minors. A significant number of TikTok users are minors, and the mind boggles when it comes to the collection of biometric data of minors… how aware are the parents? More and more I am coming to the view that TikTok should be banned… even though my daughter is a user, and the fun and benefits are boundless.

Mailchimp is out, even if…

I am pretty creative when it comes to taking the GDPR legal stuff and working out how to make it work in practice. No business/organisation should hit a wall of what I call ‘GDPR paralysis’ because of something legal which prevents a business from functioning. Our livelihood depends upon a working economy and a healthy GNP. In fact, if we didn’t have this, human rights start to become problematic, because if we as private people do not have access to jobs we lose something which is, IMHO, the most important word, and that is CHOICE.

Whenever I am presented with a stop, i.e. “no, can’t do”, it is an opportunity to think anew. Schrems II is one such example. I did not see it as a stop on international transfers over to the US. It just meant we needed to increase diligence, document everything and do those Transfer Impact Assessments (TIAs) so we understand the risks to the rights and freedoms of the natural person. Identify supplementary measures. We need to be realistic.

However, I must admit that the latest decision on Mailchimp in Germany is a show-stopper. From what I’ve dug out, only email addresses used in a mailing campaign were in scope of the international transfer. The risk to the rights and freedoms of the natural person is zero/negligible. Yet the reasoning was that there were “indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.”

My take on this previously was to assess the risk to the rights and freedoms of the individual; however, now this approach has been kicked out, ignored. I wonder where the logic, the balance, is in this decision? Clearly if Mailchimp was being used to send out marketing communications from a sex shop, or from a specialist group around a health condition, I could understand this… but an email address used in a standard non-personal communication?

I am wondering which monkey was behind this decision, or am I missing something?

Data Breach or not Data Breach?

Here comes another piece of evidence of why consistent application of the GDPR across the EU is just a ‘shimmering dream’ thus far.

The Belgian DPA issued a decision in which it said that the unintentional (due to human error) sending of an e-mail containing personal data does not amount to a violation of Article 32 (security of processing), which prevents the incident from being classified as a data breach.

This appears to be in contradiction with the WP29 Guidelines on Personal data breach notification and with the recent EDPB Guidelines 01/2021 on Examples regarding Data Breach Notifications. Both documents, on the contrary, addressed examples of mistakenly sent e-mails, while the sufficiency or insufficiency of security measures was not named as a factor in whether the incident should be classified as a data breach.

Decisions like this clearly erode the idea and value of ‘consistency’ proclaimed by GDPR and promoted by EDPB.

Another non-obvious conclusion made by the Belgian DPA is that unlawfully obtained data cannot be further lawfully processed.


Consistent application of GDPR is just half of the problem

The other half is the contradictions between the GDPR and the national legislation of the Supervisory Authorities, and this is in no way easy to overcome.

Truly, it is difficult to expect that ALL member states will apply the GDPR consistently if an agreement within ONE member state seems very far from being reached.

Germany has recently become an example of how the Act on Regulatory Offences contradicts the GDPR, while the opinion of the District Court of Berlin (‘Court’) contradicts that of the Conference of German SAs (‘Conference’), the stumbling block being whether Article 83 GDPR lists all the requirements that SAs must address to fine a company, or whether national laws can impose additional requirements. Is it enough to establish that a breach of the GDPR has occurred for a company to be held responsible (as the GDPR says), or does there have to be evidence of a specific act by management or legal representatives that led to the offence (as the German Act says)?

The Court opined that the German Act on Regulatory Offences shall apply, and this is in clear contradiction with the GDPR and the position of the Conference. What is especially important here is that it is all about fines, which are often the strongest ‘motivation’ to comply (let’s be realistic).

Meanwhile, Austrian and French courts create their own case law on this issue. Overall… it is a beautiful mess 🙂

Watch those hands: shadows of “Schrems-II” in super-interesting French case that may indeed have far-reaching effect.

France’s highest administrative court (Conseil d’Etat) discussed the issue of personal data on a platform used to book COVID-19 vaccinations and hosted by the Luxembourg company AWS Sarl (a subsidiary of a company under U.S. law).

Unlike the classic “Schrems-II” setup, there is no data transfer to third countries, as the data was hosted in data centers located in the EU.

However, the court says that AWS Sarl (being a subsidiary of a company under U.S. law) may be subject to access requests by U.S. authorities based on Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. Hence, what the court did was to examine the legal, technical and other safeguards put in place, and it came to the conclusion that those were sufficient in this particular case.

So what does it all mean? The fact of a data transfer is not always a requirement to bring the discussion into the realm of “Schrems-II”; it is enough if the EU-based data importer (with EU-based data storage) is a subsidiary of a company incorporated under the law of a third country.

It was France. Now, should we expect the same approach to be taken by other member states? It seems the EDPB now has some new things to think over to avoid misinterpretations and misalignment between supervisory authorities in different member states.


Digital online rights for children

Sweden is ahead of the rest of the world when it comes to children’s rights, even in the digital/online world. Read more here.

To say I felt an excitement deep in me is an understatement. It was children’s safety online which brought me into privacy. My master thesis for my MSc Information Security was on protecting children online, which led to the publication of my first book “Virtual Shadows” in 2009. This was 8 months before the birth of my daughter.

But what triggered me was long before this: it was my son, who was 18 by the time I had published my first book. I often had computers at home, normally open as I was twiddling with them, and so was he from when he was 10 years old.

I saw his fascination with Sim City and other highly educational games which transported him into worlds of logistics and consequences. The theme of conversation amongst the boys was which level they had reached, e.g. how a famine had broken out, bad decisions on arming, etc. Gaming was not multi-player; it was single player, and installed on a PC in those days.

What Sweden has triggered is awesome. It goes beyond what any country has done when it comes to human rights, which is not surprising considering they were the first country globally to give equal rights to children in 1971. Now, in 2020, it has reached the digital world.

H&M have invaded employee privacy

So, hot off the press: H&M (a Swedish business) has been fined €41.4m, although the fine was due to practices in one of their German outlets which were not compliant with GDPR.

Clearly, as an employer it is difficult to avoid the collection of sensitive data from employees, i.e. when they are sick, just the notification is in itself sensitive, and a DPIA must be conducted on how the notification and the following process are done in order to identify any privacy risks, and the remediations necessary in order to minimise the risk of harm to the rights and freedoms of each employee.

It seems that H&M were conducting a “welcome back to work” interview after sick leave/vacation, recording the contents of the conversation and storing it somewhere, which, badly for them, became exposed; they were found out because they were reported to the German DPA.

It seems a bit of a pity, as the purpose of the interview seems to be positive, and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside of the specific purpose of the conversation, and indications, from what I read, are that this personal data was in fact used beyond purely storage, in that 50 managers had access.

Bad news for H&M. Great news for privacy and GDPR. Great work Germany, as per usual at the front of data protection and privacy of each and every data subject!

BCRs, and Tetra Pak has just got them approved in Sweden

An extremely interesting development considering the recent Schrems II decision and that Tetra Pak has US operations.

This is a first for the Swedish Data Protection Authority with BCRs. OneTrust has a good summary of the decision, etc., in English. Here is the decision in Swedish.

Now, there is much discussion on the legality of Binding Corporate Rules since Schrems II; after all, surveillance in the U.S. is omnipresent, and we have no control over it here in the E.U., but in reality what this decision means is that we need to be realistic: business must go on.

My take on the transfer of data is to dive into the potential risks to the rights and freedoms of the natural person. If there are none, e.g. you are only transferring the email address and name of the individual, and maybe they are adding business activities into a log, e.g. financial records, I find it difficult to really force myself to change an established business practice, especially now in coronavirus times, when many businesses are in survival mode and many close to bankruptcy. If HR data is being transferred then this clearly must change.

I am, even as a privacy professional, sceptical of all the fuss and hype there is about blocking all personal data transfers out of the EU to a country such as the U.S. (lacking an adequacy decision now that Privacy Shield is gone) because of Schrems II.

I guess if I wasn’t a small startup myself, serving small-medium businesses, I would think differently. But if this is all too complex, the SMB will do nothing; they have too much to lose, and when it happens it can go quick, so money spent must be prioritised. For the SMB Schrems II is like double Dutch, all this legal speak; it’s outside the boundaries of their business operations, and the Data Protection Authorities get this, and are not normally targeting the small actors selling consulting, car repairs, chickens, or a pair of shoes; they are after the biggies.