Weekly Newsletter: 22 March – 26 March 2021
GDPR EU Representative

March 29, 2021

Why You Shouldn’t Use Google Chrome After New Privacy Disclosure

[#GoogleChrome #Privacy #PersonalData] 

“Worse, a new Chrome revelation, one that hasn’t yet made headlines but which is detailed below, should serve as an even more serious warning.[…]

Just as with Gmail, Chrome collects your user ID and device ID in too many categories. Unlike Safari, Edge and Firefox, Chrome says it links all harvested data to devices and individuals. Safari collects but doesn’t link browsing history, usage data and locations to users. Neither Firefox nor Edge link usage data. But Chrome says it collects all those data fields and links all of them to user identities.[…]

This isn’t complicated. The fact is that Chrome collects more data than any of the other browsers, yet is the only one that doesn’t appear to collect any data that isn’t linked to user identities. This is a much more shocking illustration of the different philosophies at play.

Chrome hasn’t even attempted to protect its users’ privacy in this way. This isn’t about specific data fields, this is about an overarching attitude to privacy.”


Mistakenly sending an email is data processing, but not data breach? 

[#BelgiumDataProtectionAuthority #DataBreach #DataProcessing] 

“[…] the Belgian Data Protection Authority (“GBA”) issued a decision interesting for its contrast between a simple set of facts, on the one hand, and inclusion of bold statements about some fundamental data protection concepts, such as data breach and lawfulness, on the other hand.[…]

According to the decision, the accounting company sent the email to the complainant’s business partner by mistake.[…]

[…]the GBA pointed out that even unintentional processing is still processing in the meaning of the GDPR and can result in an infringement of the GDPR.[…]

The complainant argued that, by forwarding the email, the accounting company committed a data breach, and that the company was obliged to notify the GBA of the breach. The GBA took a stance that the incident did not amount to a data breach.”


US options to resolve Schrems II outcome spelt out

[#SchremsII #USAuthorities] 

“Authorities in the US have three ways of overcoming commercial data transfer difficulties created by the Schrems II ruling from the Court of Justice of the European Union (CJEU), according to the Congressional Research Service. […] the Congressional Research Service highlighted a series of actions open to the US:

– Executive Action – the President could issue an executive order which limits bulk intelligence collections and provides additional redress mechanisms […]

– Diplomacy – US and EU officials could negotiate a diplomatic solution, for example a new framework to replace Privacy Shield and a new adequacy determination by the European Commission.

– Legislation – Congress might legislate to amend the Foreign Intelligence Surveillance Act (FISA) to prohibit bulk intelligence collections and require court approval for each target of surveillance. […]”


Apple’s privacy problem

[#Apple #BigTech #iPhone] 

“French critique contradicts the iPhone maker’s privacy exceptionalism.[…]

An internal document from France’s data regulator seen by POLITICO revealed Tuesday that the iPhone maker’s targeted advertising practices may fall afoul of the European Union’s privacy laws.

The French watchdog’s analysis […] came as part of an investigation by the country’s competition authority into Apple’s new anti-tracking tool. Those changes, soon to be released, will give people more say over how their data is collected and used by third-party apps, raising hackles among Facebook and smaller app developers that the company is not playing fair.

But while both French regulators gave a thumbs-up to that feature, called Apple’s App Tracking Transparency, the privacy watchdog gave the iPhone maker’s own ad business a more damning assessment.[…]

“Even though Apple now is making these moves to become more strict on privacy, they’re still heavily profiting from creating an ecosystem that is just overall really privacy-invasive,” said Joris van Hoboken, of the Vrije Universiteit Brussels, who studies Big Tech.”


Getting lost in the crowd: the limits of privacy in location data

[#LocationData #DataPrivacy #DataSecurity] 

“Before the introduction of the EU General Data Protection Regulation and other modern privacy regulations, there was growing evidence that histories of human mobility containing detailed location data are vulnerable to simple reidentification attacks. This line of research may have eventually led to the GDPR specifically singling out location data that is pseudonymized (i.e., does not include obvious identifiers, such as a name or phone number) as not anonymous. However, given how useful this data can be, academics and industry practitioners have been asking whether there is a simple fix to privacy in these datasets. Namely, if the dataset was big enough, would individual records become anonymous by being “lost in the crowd”?

[…] This is the question we address in our recent article with the answer being no. We show that people remain unique in population-scale datasets, and thus that dataset size is not sufficient protection for individual privacy.”
