Tag:privacy

1
SURVEY ON THE ECONOMICS ON PERSONAL DATA ON MOBILE APPS LAUNCHED BY FRANCE’S PRIVACY WATCHDOG
2
New Privacy Enforcement Act commences in Australia
3
Australia passes Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
4
Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws
5
UK Data Protection: Beware of the consequences of unsolicited marketing emails!
6
Privacy and cybersecurity laws expected to undergo a significant overhaul in the wake of Optus data breach
7
UK Government publishes new proposed data protection law
8
Attorney-General Mark Dreyfus pledges sweeping data privacy reforms
9
The Importance of Managing DSARs
10
New concerns over China’s ability to access user data on WeChat

SURVEY ON THE ECONOMICS ON PERSONAL DATA ON MOBILE APPS LAUNCHED BY FRANCE’S PRIVACY WATCHDOG

Jan 23 2023
Browse archives for January 23, 2023
Posted in

Government Regulation, Legislation & Enforcement, Legal & Regulatory Risk, Privacy, Data Protection & Information Management

Tagged with , , , ,
Share

By Claude-Étienne Armingaud, Camille Scarparo and Alexandra Séguis

This survey follows the CNIL’s announcement on 24 November 2022 that it aims at “better understanding the economic challenges associated with the collection and processing of personal data in mobile applications” as part of its 2022-2024 strategic plan.

The CNIL considered data collection via mobile applications greatly lacks transparency as opposed to cookies collection on websites.

The expected inputs are to be used for the purpose of drafting recommendations to be submitted to public consultation during the second semester of this year.

Concurrently to its ever-active enforcement of website cookie framework, the CNIL also recently started going after mobile applications for their use of personal data, often leverage as a primary source of revenue for free-to-play mobile games. The most recent example being the French mobile game publisher Voodoo SAS, with a fine of EUR3 million for breach of user consent for targeted ads on 29 December 2022. Indeed, the CNIL considered that even when users did not consent to the tracking for advertising purposes, Voodoo still accessed the IDFV (Apple’s “IDentifier For Vendors” (“IDFV”) – an identifier assigned to app operators, which facilitates targeted advertising) and processed browsing information for advertising purposes, constituting a violation of French privacy law and the GDPR.

The CNIL now calls for economic contributions from experts, interest groups, regulatory entities and experienced private individuals in the field. The call for contributions closes on 10 February 2023. Contributions can be submitted by completing a questionnaire and/or a written statement at the following email address: ecodesapplis@cnil.fr.

All contributions will be covered by professional secrecy and will be published in the form of a synthetic and aggregated report.

New Privacy Enforcement Act commences in Australia

Dec 14 2022
Browse archives for December 14, 2022
Posted in

Breaches, Legal & Regulatory Risk, Litigation of Data Breaches, New Developments, Privacy, Data Protection & Information Management, Uncategorized

Tagged with , , , , , , , , ,
Share

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

Read More

Australia passes Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

Dec 02 2022
Browse archives for December 02, 2022
Posted in

Government Regulation, Legislation & Enforcement, Legal & Regulatory Risk, Privacy, Data Protection & Information Management

Tagged with , , , , , ,
Share

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Earlier this week (on 29 November), the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which was introduced to Parliament on 26 October 2022.

The Bill amends the following:

  • Privacy Act 1988 to expand the Australian Information Commissioner’s enforcement and information sharing powers and increase penalties for serious or repeated interferences with privacy;
  • Australian Communications and Media Authority Act 2005 to enable the Australian Communications and Media Authority to disclose information to a non-corporate Commonwealth entity that is responsible for enforcing one or more laws of the Commonwealth; and
  • Australian Information Commissioner Act 2010 to allow the Australian Information Commissioner to delegate certain functions or powers.
Read More

Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws

Nov 25 2022
Browse archives for November 25, 2022
Posted in

Government Regulation, Legislation & Enforcement, Legal & Regulatory Risk, Litigation of Data Breaches, New Developments, Privacy, Data Protection & Information Management

Tagged with , , , , ,
Share

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

We’ve just returned from the annual iapp Australia/New Zealand privacy conference held in Sydney this week, and it was a whirlwind. Even if you’re not one of around half of Australians affected by two of the biggest data breaches in our recent history, you’ll be aware a lot is changing – and a lot more is poised to change – in this space.

We’ll be blogging over the coming weeks about some of the key themes and changes your organisation will need to prepare for, including:

– new regulatory enforcement tools

– higher expectations of the way personal information is collected and secured, and when it needs to be destroyed

– potential removal of key exemptions such as the employee records exemption that your business may currently rely on,

– and of course the major penalty increases that seek to deter privacy breaches being viewed as ‘the cost of doing business’,

as Australia tightens the protections around the collection and use of Australians’ personal information.

Stay tuned!

UK Data Protection: Beware of the consequences of unsolicited marketing emails!

Oct 11 2022
Browse archives for October 11, 2022
Posted in

Government Regulation, Legislation & Enforcement, Privacy, Data Protection & Information Management

Tagged with , , , , , , ,
Share

By Claude-Étienne Armingaud and Keisha Phippen

Sending unsolicited marketing emails could prove costly to UK organisations, as bike and car accessory retailer Halfords have recently discovered.

Last month, Halfords were handed a fine of £30,000 by the Information Commissioner’s Office (ICO) for sending around half a million unsolicited marketing email messages to customers who had not previously opted-in to marketing (see here).

The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which gives people specific privacy rights in relation to electronic communications and restricts how unsolicited direct marketing is carried out.

An investigation carried out by the ICO found that the retailer broke the laws governing electronic communications by sending out emails relating to a government voucher scheme that gave people £50 off the cost of repairing a bike at any participating store or mechanic in England. The email not only pointed customers to the government website, it also invited them to book a bike assessment and to redeem their voucher at their chosen Halfords store. The ICO concluded that the insinuation of Halfords having a direct connection with the government scheme encouraged its customers to redeem the voucher in its stores and that Halfords was therefore advertising its own services.

PECR prevents organisations from sending emails or messages to people unless they have consented to it or they are an existing customer who has bought similar products or services in the past (known as the “soft opt-in” rule).

Halfords argued that the email constituted a service message and should not be categorised as direct marketing, but the ICO maintained that the email did constitute direct marketing because it satisfied the definition of such under Paragraph 35 of the ICO’s Direct Marketing Guidance (see here).  In addition, the ICO concluded that the soft opt-in rule could not apply because the targeted customers had already opted out. 

Andy Curry, Head of Investigations at the ICO said: “This [decision] sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”

Privacy and cybersecurity laws expected to undergo a significant overhaul in the wake of Optus data breach

Sep 29 2022
Browse archives for September 29, 2022
Posted in

Breaches, Government Regulation, Legislation & Enforcement, Managing Threats & Attacks, Privacy, Data Protection & Information Management

Tagged with , , , , , , ,
Share

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Over the past two years, the Privacy Act has been the subject of long-awaited reform in Australia however, it seems the Optus data breach may have given it some much needed momentum.

The Optus attack is understood to have affected the details of 11.2m Optus customers, and of that 2.8m individuals have had their driver’s licence and/or passport numbers compromised. The hacker claims to have extracted the data from an API – software that allows two different systems to talk to each other. Therefore, if the claim is true the hacker didn’t need to provide authentication (e.g. a username and password) to retrieve the data.

In the wake of the attack, the Government has shared its plans to pursue substantial reforms that will include increased penalties under the Privacy Act (currently capped at $2.22m per offence) as well as changes to data breach notification laws to allow companies to rapidly inform financial institutions of affected individuals in an effort to minimise fraud.

The data breach also highlights the risks involved in collecting large amounts of personal information and storing this for excessive time periods. While the Privacy Act promotes the collection of a minimum amount of personal information, i.e. only that information that is necessary for a particular purpose and which the entity intends to use or disclose – individuals generally have limited control over how long their information is retained for.

During the initial stages of the Privacy Act review, the Attorney General’s Department sought submissions from entities on their views as to whether individuals should be given the right to have their personal information erased. Optus in submissions to the review argued against such a change stating that the right to erase personal data would involve significant technical hurdles and compliance costs that would outweigh the benefits. Of course this incident has happened just as stores are gearing up for Halloween – a fitting time for those public submissions to come back to haunt them.

UK Government publishes new proposed data protection law

Jul 27 2022
Browse archives for July 27, 2022
Posted in

Government Regulation, Legislation & Enforcement, Legal & Regulatory Risk, Litigation of Data Breaches, Privacy, Data Protection & Information Management

Tagged with , , , , , ,
Share

By Claude-Étienne Armingaud, Nóirín McFadden and Keisha Phippen

The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

Attorney-General Mark Dreyfus pledges sweeping data privacy reforms

Jul 01 2022
Browse archives for July 01, 2022
Posted in

Uncategorized

Tagged with , ,
Share

By Cameron Abbott, Rob Pulham and Hugo Chow

Newly sworn-in Attorney-General Mark Dreyfus has announced that there is a range of “sweeping reforms” that are needed to be made to Australia’s privacy laws, and that he is committed to making these changes during the government’s first term in parliament.

Mr Dreyfus’ department is currently reviewing the feedback it has received from its discussion paper around the current review of the Privacy Act 1988 (Cth) (Privacy Act). Mr Dreyfus said that “Everyone agrees that the Commonwealth Privacy Act is out of date and in need of reform for the digital age”, and that he is hoping to bring a final report of reform proposals into the public domain in the coming months.

Privacy practitioners have for years been anticipating some level of reform as the winds of change have been blowing, but it has not been easy to predict what may change, or when. Proposed changes include strengthening individuals’ privacy rights, including creating a direct cause of action or statutory right for breaches of privacy laws; introducing specific codes for certain industries; and increasing maximum penalties which are significantly out of step with international jurisdictions and with other key Australian business laws.

However such changes are not likely to be welcomed by all, even if “everyone agrees” the Privacy Act is out of date and in need of reform, with business groups opposed to areas of proposed reform such as allowing individuals to bring claims directly against companies.

It is a fascinating precursor to what may become hotly contested reforms with significant impact on how businesses engage with their customers. It may be hard to tell but privacy nerds are on the edge of our seats as the reforms, much talked about, move a step closer to taking shape. There’s never been a better time to start paying attention.

The Importance of Managing DSARs

Jun 28 2022
Browse archives for June 28, 2022
Posted in

Breaches, Government Regulation, Legislation & Enforcement, Privacy, Data Protection & Information Management

Tagged with , , , ,
Share

By Claude-Étienne Armingaud and Inès Demmou

With its December 2021 fine imposed on French telephone operator Free Mobile, the French data protection authority (CNIL) reiterated the importance of responding to data subject access requests (DSARs) within the relevant timeline (usually 30 days), with all the relevant and required information (Article 13 and 14 GDPR) and ensuring the security of users’ personal data (Article 32 GDPR). 

Another sanction by the Dutch Supervisory Authority relating to the principle of data minimization confirmed that such DSARs could not be conditioned by overly complex mechanisms, such as a requirement to upload a full copy of an identity document.

These sanctions demonstrate that data subjects have acquired the awareness necessary to exercise their rights, and that data controllers must implement effective channels and internal processes to handle DSARs properly, effectively, in a timely manner, and in a way that would not, in turn, generate its own set of breaches of the GDPR. 

To find out more, see our full alert here.

New concerns over China’s ability to access user data on WeChat

Jun 21 2022
Browse archives for June 21, 2022
Posted in

Uncategorized

Tagged with , , , , ,
Share

By Cameron Abbott and Hugo Chow

A recent report by cybersecurity firm, Internet 2.0, has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of social media and payment application, WeChat.

WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.

One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. And the report argues that under Hong Kong’s new National Security Legislation, there is little difference between Hong Kong resident servers and servers in mainland China.

As a result, due to China’s National Intelligence Law which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data that goes to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, the version of the operating system of the device, but does not include information such as content of a conversation.

Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means that there is the potential for WeChat to access the data that is copied and pasted by users on WeChat, which is a risk to people using password managers that rely on the clipboard feature to copy and paste their passwords.

We expect to hear more about these sorts of concerns from a range of jurisdictions.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.