Security News

Stop tracking me, Google: Austrian citizen files GDPR legal complaint over Android Advertising ID
2020-05-13 18:15

Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is "personal data" as defined by the EU's GDPR and that this data is illegally processed. The complaint against Google, which was filed with the Austrian Data Protection Authority, is based on the claim that Google's Android operating system generates the advertising ID without the user choice required by GDPR. "In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device," said Noyb lawyer Stefano Rossetti.

ProtonMail-run website boasting 'complete guide' to GDPR left credential-baring .git repo exposed online
2020-04-29 09:00

An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone its Git repository and extract a MySQL database username and password. "The irony of an EU-funded website about GDPR having security issues isn't lost on us," mused the security consultancy.

GDPR Compliance Site Leaks Git Data, Passwords
2020-04-27 21:15

The website, GDPR.EU, is an advice site for organizations that are struggling to comply with the General Data Protection Regulation, which the EU brought into force in 2018. "However, the irony of an EU-funded website about GDPR having security issues isn't lost on us."

GDPR, CCPA and beyond: How synthetic data can reduce the scope of stringent regulations
2020-04-14 05:00

Synthetic data is helping highly regulated companies use customer data safely to increase efficiencies or reduce operational costs, without falling under the scope of stringent regulations. The GDPR does not expressly reference synthetic data, but it expressly says that it does not apply to anonymous information: according to UCL, "Information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable." Synthetic data is considered personal data which has been rendered anonymous and therefore falls outside the material scope of the GDPR. Essentially, these important global regulatory mandates do not apply to the collection, storage and use of synthesized data.

Pan-European group plans cross-border contact-tracing app – and promises GDPR compliance
2020-04-06 00:24

A European consortium based in Switzerland plans to launch this week an opt-in proximity-detecting app to speed up contact tracing of those who have encountered coronavirus carriers. The new group, named Pan-European Privacy-Preserving Proximity Tracing, promises a GDPR-compliant app that sounds a lot like Singapore's TraceTogether service, but also offers considerable detail on how the service is designed to preserve privacy.

Zoom's Security and Privacy Woes Violated GDPR, Expert Says
2020-04-02 20:53

Concerns over privacy and security raise important questions: is Zoom safe, and is it even GDPR compliant? In our current example, we do not know whether the host asked for a copy to be kept by Zoom for future reference, or whether Zoom kept a copy by default.

Irish Privacy Report Gives Glimpse Into GDPR Investigations
2020-02-24 19:03

A newly released report offers a glimpse into how European Union authorities are applying the General Data Protection Regulation to some of the biggest U.S. technology firms, including social media giants Facebook and Twitter. What makes Ireland a bellwether for GDPR is that many U.S. technology firms, including Apple, Facebook and Google, have designated Ireland as their "main establishment" in the EU. Under GDPR, that enables them to qualify for the one-stop-shop mechanism, which ensures that the data protection authority in that country takes the lead on any EU privacy investigations.

GDPR Compliance: Should CISO Serve as DPO?
2020-02-14 14:18

A joint report by the International Association of Privacy Professionals and Ernst & Young, published last year, revealed inconsistencies in how companies are implementing the DPO role, including whether the CISO also serves as DPO. When is a DPO required? While some say it's appropriate for CISOs to serve as DPOs because the roles complement each other, others argue the DPO position should be separate.

UK's Brexit Transition Period: Keep Complying With GDPR
2020-02-07 16:18

During the Brexit transition period, "it will be business as usual for data protection," which means mandatory compliance with the EU's General Data Protection Regulation remains in effect, the U.K. Information Commissioner's Office said in a Jan. 29 blog post. What happens after the transition period is over? From a privacy standpoint, that remains the million-dollar - or rather, pounds-sterling - question, and "depends on negotiations during the transition period," as noted in a Brexit FAQ issued by the ICO. Odds are good that after 2020, U.K. organizations will have to continue to comply with GDPR. Otherwise, they could be shut out of easy trading with the EU, leaving Britain at a competitive disadvantage.

GDPR: $126 Million in Fines and Counting
2020-01-21 13:03

From when GDPR went into full effect on May 25, 2018, until Friday, EU data protection authorities imposed €114 million in fines under the privacy regulation for a wide variety of infringements, not all involving data breaches. The report doesn't count the U.K. Information Commissioner's Office stating that it intends to fine Marriott International $130 million and to fine British Airways $239.5 million for data breaches that occurred after GDPR went into full effect, since those penalties have yet to be finalized.