Further to the Facebook and Tesco scandals, and the apparent statistic increase of enforcement fines issued, the Polish Data Protection Authority has issued a landmark fine of €645,000 against online retail company morele.net for insufficient security and organisational measures violating data confidentiality and integrity principles prescribed in the EU’s General Data Protection Regulation.Read More
We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.
Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a Report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that it was due to system updates. A spokesperson for Stock-X later disclosed to TechCruch that Stock-X was alerted to “suspicious activity”. TechCrunch reports; however, an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.Read More
Russian hackers are accused of penetrating up to 400 Australian businesses in 2017 as part of an alleged state-sponsored cyber-espionage campaign, targeting millions of computers across the world.
The Australian government made the announcement in light of an extraordinary joint statement from the US and UK governments pointing a stern finger at Russia for sponsoring cyber-attacks on government, private organisations, critical infrastructure providers and internet services providers.
Over the last few weeks we’ve been blogging about the data “sharing” scandal that has rocked Facebook, and has lead to a boycott of the popular social media site, and sent CEO Mark Zuckerberg to face the music on Capitol Hill.
In case you’d missed the story (which you can read about here, here and here), Facebook estimated 87 million people globally, including 300,000 Australians, had their data shared with Cambridge Analytica, a political consultancy firm used by US President Donald Trump in his 2016 election campaign.
By Cameron Abbott and Allison Wallace
With the EU heading full throttle towards the implementation of new data protection regulations in May 2018, there has been a lot of buzz around the impact the regulations will have, not only on day-to-day life, but other existing regulations.
One of these regulations is the Directive 2002/58/EC aka the ePrivacy Directive, which has been urgently reviewed ahead of the data protection regulations being implemented.
SAP has expressed concerns over the implications of the landmark EU data privacy regulations, saying the penalties that will be imposed are too high, and could impede the development of Europe’s start-up culture.
The data privacy regulation will be implemented in May 2018, and includes fines for EU companies up to 4 per cent of their global revenues if they commit a significant breach of data privacy.
In an interview with the Financial Times, SAP’s head of products and innovation, Bernd Leukert said he believes the penalties are too high, and put companies at risk of losing their entire revenue if they commit multiple breaches.
Mr Leukert said he also fears that the EU regulations were not properly aligned with laws in other jurisdictions, such as the US.
The US and the European Union reportedly reached an agreement on the language of a key data transfer pact, including clearer limits on U.S. surveillance and stricter rules for companies holding information of Europeans. The updated EU-US Privacy Shield was sent to EU member states, who are expected to vote on the proposal in July. The revised data transfer pact is said to include stricter cross-border data-handling rules for companies using Europeans’ information for targeted online advertising, and also has detailed the specific condition under which U.S. government intelligence services would collect data in bulk and the safeguards on how the data is used.
Meanwhile, U.S. Chamber of Commerce Executive Vice President and Head of International Affairs Myron Brilliant urged the EU’s member states to quickly sign off on the updated version, saying that the new framework for trans-Atlantic data transfer is critical for companies on both sides of the pond.
Further information regarding the report by Reuters can be read here.
The European Commission has now officially released the EU-U.S. Privacy Shield, which sets out the key requirements and principles for trans-Atlantic data flow between Europe to the US.
Read our colleague’s article on the announcement here.
Alternatively, access the European Commission’s Press Release here.
On 26 October 2015, European Commissioner Vera Jourová, announced that the European Union had agreed in principle with the US on a new trans-Atlantic data-transfer agreement. Commissioner Jourová made the announcement in a speech, before the Committee on Civil Liberties, Justice and Home Affairs, which addressed the recent judgment of the European Court of Justice that invalidated the safe harbour scheme between the two countries (Schemes decision). Commissioner Jourvá said, “there is agreement…in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She also added that she expected both sides to make progress on the remaining technical points of discussion by mid-November, when she is scheduled to visit the US. The European Commission is also planning on issuing an explanatory Communication on the consequences of the Schemes decision so that businesses and industry have ‘clear explanations and a uniform interpretation of the ruling.’ The European Commission are also working towards a pending deadline set by European data protection authorities who have said that if, by the end of January 2016, no appropriate solution is found with the U.S. authorities, they will take all necessary and appropriate steps (including enforcement action) to enable data transfers to the U.S. that respect fundamental rights.
The European Commission’s press release can be found here.
The Business Software Alliance, European Union cybersecurity dashboard: A path to a Secure European Cyberspace published by the BSA. The report aims to allow government officials in each of the EU Member States with an opportunity to evaluate their country’s policies against these metrics, as well as their European neighbours. The report is an interesting read for Australian companies holding, or considering holding, data in Europe.
See the report here.