Watch out for your identity – if you live in Sweden

You should be hopping mad if you are a Swedish resident: visit http://www.ratsit.se and search for your name. This is against the Data Protection Directive, of which Personuppgiftslagen (PuL) is the Swedish legal enactment. I am so tired of asking to have my name removed, only for it to pop up again later, and now I see that it is impossible to remove your personally identifiable information (PII) at all (http://www.ratsit.se/Content/FaqSearch.aspx)… it is PUBLIC for all to see, forever! What a smorgasbord for identity thieves!

I can see how old you are, where you live and the first 6 of the 10 digits of your Swedish ID!

It seems that the Kreditupplysningslagen (KuL) takes priority over PuL. Under PuL you have a right to personal privacy: you should be informed who has had access to, or even viewed, your personal information. KuL does inform you when a request is made for your creditworthiness, but it does not tell you who has viewed your PII through www.ratsit.se, or who they share your PII with, for example. Your PII includes your date of birth, where you live, etc.

Identity Theft
I am going to make an official complaint to Datainspektionen. If you would like to add your name to a petition supporting me in this, please Like this post here on the blog directly, or on LinkedIn or FB, wherever you happen to pick this up.

Collection of your data is illegal!

At least that is what the Court of Justice of the European Union in Luxembourg declared yesterday concerning the Data Retention Directive. But what does this really mean for you in practice?

Firstly, this is about the collection of your traffic patterns, not the contents. From these, a traffic analysis can be done to ascertain your online habits from the data held by telephone and ISP providers, and this includes location data, i.e. where you are, as well as related data necessary to identify the subscriber or user.

Secondly, the directive was intended to ensure that the data collected could be used for the prevention, investigation, detection and prosecution of serious crime, in particular organised crime and terrorism.

However, the directive was flawed because:

1. The data was collected on ALL of us, not limited to what was needed for crime prevention;

2. Anyone could access the data collected on you; no court warrant was needed, unlike, for example, a search of your home;

3. There was nothing forcing the deletion of the data collected after the maximum retention period of 24 months;

4. There was nothing stopping the data collected from ending up outside of the EU.

So what next? I believe that, like a ‘bad penny’, this directive will pop up again later in a new set of clothes, this time with fewer holes 😉

More reading:
SvD – EU:s datalagringsdirektiv ogiltigt (2014-04-08)
ft.com – European Court of Justice rules EU data collection laws illegal (2014-04-08)
PCWorld – Germany Taken to Court for Failing to Implement Data Retention (2012-05-31)
PCWorld – German Lawmakers Say Data Retention Directive May Be Illegal (2011-04-27)

Simplified and stronger data protection rules in the EU

Some really interesting things are happening in the EU when it comes to revolutionising the EU Directive on Data Protection. Thanks to the Panopticon blog for the summary.

The Memo from the European Commission, which has been approved, sets out reforms that will make doing business simpler for EU companies, and they are significant! So here come the 4 pillars of reform, or at least a summary of them. If you want to read the full Monty, go here.

Pillar One: One continent one law…
The European Parliament agrees that the new data protection law for the private and public sector should be a Regulation, and no longer a Directive. The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28.

Pillar Two: Non-European companies will have to stick to European data protection law if they operate on the European market. What this means is that non-European companies will have to apply the same rules as their European counterparts. European regulators will be equipped with strong powers to enforce this.

Pillar Three: The Right to be Forgotten/ The Right to Erasure
The right to be forgotten builds on already existing rules to better cope with data protection risks online. If an individual no longer wants his or her personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.

The right to be forgotten is not an absolute right. For example, there are cases where there is a legitimate reason to keep data in a database, e.g. the archives of newspapers. In addition, the right to be forgotten includes an explicit provision that ensures it does not encroach on the freedom of expression and information.

Pillar Four: A “One-stop-shop” for businesses and citizens
The Regulation will establish a ‘one-stop-shop’ for businesses. What this means is that companies established and operating in several Member States will only have to deal with a single national data protection authority not 28, making it simpler and cheaper for companies to do business in the EU.

Update on revisions to EU directive on Data Protection

I missed this: progress on the new EU directive on data protection, and its implications for Safe Harbor, on the excellent Panopticon blog.

To summarize, it seems they need to scrap what has already been created and start again. Germany is in the driving seat now, I think, which means there should be some action. Nevertheless, expected completion is this year, 2014. There are concerns about the alignment of Safe Harbor with this directive, particularly considering the amount of personal data on EU citizens, e.g. from Facebook, that is held in the U.S.

UK Citizens! Does the Protection of Freedom Act 2012 really protect you?

Sorry I’ve been so verbose today, but there is just so much going on right now!

Here I am again, popping online to check, when this pops up on the Panopticon blog. This blog is cool because it is seriously legal. You know, real legal experts writing about threats to our personal privacy. I wish my legal expertise was more seriously legal 😉

Well, now they are talking about new legislation going through in the UK on CCTV and surveillance, amid all this Snowden excitement.

It is about the Protection of Freedoms Act 2012, which expressed the incoming Coalition Government’s commitment to keeping in check the state’s surveillance of ordinary citizens. By that Act (sections 29-36), the Home Secretary was to present to Parliament a Code of Practice governing the use of surveillance camera systems, including CCTV and Automatic Number Plate Recognition (ANPR). Now go and visit this site; they summarize this Act. I haven’t looked in detail yet, but from what I have read, it looks more like it is protecting the rights of the citizen rather than vice versa.

The Code sets out 12 guiding principles which systems operators should follow:

(1) Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
(2) The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
(3) There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
(4) There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
(5) Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
(6) No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
(7) Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
(8) Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
(9) Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
(10) There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
(11) When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
(12) Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

Ireland’s Data Protection Commissioner report 2012

Thanks to Robert Streeter (uk.linkedin.com/in/robertstreeter/) for sharing this. It gives some interesting reading on the number and nature of DPA breaches, along with some case studies. If you skip over the first couple of sections, the interesting stuff starts at the ‘Complaints and Investigations’ section on Page 7 😉

CISPA

The Cyber Intelligence Sharing and Protection Act (CISPA) is not aligned with the civil and privacy rights of the individual, according to privacy advocates such as the Electronic Frontier Foundation and Avaaz.org.

Neither Microsoft nor Facebook supports this bill. Imagine everything you post on FB being available to government authorities? Fine if you trust them, I suppose, but I don’t.

Why is crowdsourcing not used more in the fight against terrorism? Transparency and the power of the people, most of whom want a safe society, could provide an all-encompassing safety net. Crowdsourcing, for example, is starting to be used to locate missing persons and children, and it is very powerful. There are so many people out there who can make a positive difference to this broken world we live in.