14/05/20 GDPR Community Round-Up

Here’s a round-up of interesting reading we found online today*;

• Austrians’ personal data has been publicly accessible on the ministry of economy’s website since 2009. The liberal party NEOS and NGO epicenter.works call it the “biggest data protection scandal of the Second Republic.” NEOS is considering legal action and a GDPR expert told EURACTIV Germany it could be successful.

• Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is "personal data" as defined by the EU's GDPR and that this data is illegally processed. Claims state consent was neither informed, nor specific, nor free – but Google says it cannot identify a user from the ID.

• A report has highlighted problems with critical security systems in Amsterdam's Schiphol Airport. The cybersecurity of border controls carried out by the Dutch Royal Military Police at Schiphol is inadequate and not future-proof, according to a report.

• EP wants data protection guaranteed before allowing fingerprint exchange with the UK As long as guarantees on reciprocity and data protection are not in place, Council should not allow fingerprint data exchange between the UK and EU countries, say MEPs. MEPs rejected the Council draft implementing decision on the exchange of fingerprints with the UK with 329 votes for, 357 against, and 4 abstentions.

• New insight has calculated that a data breach could wipe as much as 7.2% off a company’s share price. It’s the equivalent of up to $8.8 million in cash terms for UK companies listed on the FTSE 100, or up to $32.3 million for listed US companies on the NASDAQ index. Calculated by iomart, the new figures also demonstrated the importance of finding data breaches quickly – on average it takes tech companies 187 days to identify a breach and 59 days to contain it. However, in other sectors, that number rises to 246 days to identify and contain.

• Criminal forum trading stolen data suffers ironic data breach. Someone on the dark web is touting for sale an unusual database a lot of people might pay handsomely to get their hands on.

• Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors who use personal data must receive consent from the data's owners and use it only for expressed purposes. A royal decree drafted to postpone the enforcement of most sections in the Personal Data Protection Act (PDPA) by a year will be tabled before the cabinet for approval next week, says the Digital Economy and Society (DES) Ministry.

• Proskauer international law firm blog “On April 30, 2020, the French data protection authority, the CNIL, published guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes” and provide their views.

• Freedom of Information Curbs Alarm Rights Activists in Hungary. By extending the deadline for answering FOI requests and suspending data protection regulations due to the COVID emergency, Hungary’s government is continuing its assault on important democratic rights.

• California’s New Privacy Laws Reach Beyond State Lines: European Businesses Must Prepare Now, Despite COVID-19. “European companies must get on top of how they are interacting with data, or risk leaving themselves exposed to punishment come 1st July.”

• New patient consent forms in Germany cover the use of patient care data and clinical and biomedical research. German Data Protection Commission DSK has approved a revised version of forms that the so-called Medical Informatics Initiative of the Federal Ministry of Education and Research had produced in order to comply with data protection laws

• Magellan Health, a Fortune 500 healthcare company, has begun notifying some employees that their personally identifiable information (PII) was compromised as the result of a phishing attack that also served as a prelude to a ransomware attack. The healthcare company has informed affected employees of a data breach on a single corporate server.

• Dathena (the leader in AI-powered data protection and privacy management for global enterprises) Raises $12M Series A Round to Drive Global Adoption of AI-Powered Data Privacy and Security Solution.

• Data Privacy Goes Mainstream: Life in the Era of GDPR, CCPA, LGPD Whitepaper

*These sites aren’t affiliated with GDPR Community and these aren’t an advertisement, they’re simply site’s we’ve thought the community might have an interest in reading.