Weekly Newsletter: 26 April – 30 April 2021
GDPR EU Representative

May 3, 2021

Irony Alert: US Could Block Personal Data Transfers To Ireland, European Home Of Digital Giants, Because GDPR Is Not Being Enforced Properly 

[#USdatatransfers #IrishDPC] 

“The absence of a simple procedure for sending EU personal data to the US is bad news for companies that need to do this on a regular basis. […]

“Officials from the EU and U.S. are “intensifying negotiations” on a new pact for transatlantic data transfers, trying to solve the messy issue of personal information that is transferred between the two regions.”

[…] Most digital giants have their European headquarters in Ireland. Under the GDPR, it is Ireland’s Data Protection Commission (DPC) that must investigate and ultimately fine these companies for their GDPR infringements anywhere in the EU. The DPC has opened many data privacy inquiries (pdf), but has so far failed to impose serious fines. Without strict enforcement by the Irish authorities, there is a growing feeling that the GDPR could be fatally undermined. Hence the risk that the US might not allow personal data to be transferred to Ireland, if the new “Protecting Americans’ Data From Foreign Surveillance Act” becomes law. Given the long-standing concerns over the protection of personal data flows from the EU to the US, that would be a rather ironic turn of events.”


Joint Committee on Justice to discuss General Data Protection Regulation (GDPR) 

[#GDPR #Ireland] 

“The Joint Committee on Justice will meet with stakeholders […] Tuesday, 27 April, to discuss the General Data Protection Regulation (GDPR). The meeting at 6.30pm will be broadcast from Committee Room 3 of Leinster House and will be split into two sessions each lasting 60 minutes.

– Session 1 will hear from Max Schrems, Director of noyb.eu, and Fred Logue of Fred Logue Solicitors.
– Session 2 will hear from representatives of the Irish Council for Civil Liberties and the Data Protection Commission.

Committee Cathaoirleach Deputy James Lawless said: “The Committee agreed last December to include an examination of the GDPR as part of our 2021 Work Programme. Members have indicated they have a number of issues they wish to seek clarity on and we look forward to discussing these matters with Mr Schrems, Mr Logue, and the representatives from the ICCL and the DPC.””


A Clubhouse bug let people lurk in rooms invisibly

[#Clubhouse #Cybersecurity] 

““Basically, I’m going to keep talking to you, but I’m going to disappear,” longtime security researcher Katie Moussouris told me in a private Clubhouse room in February. “We’ll still be talking, but I’ll be gone.” And then her avatar vanished. I was alone, or at least that’s how it seemed. “That’s it,” she said from the digital beyond. “That’s the bug. I am a fucking ghost.” […]

Not knowing who’s listening in on a conversation, or having to shut down a room because you can’t stop an invisible person from saying whatever they want, are nightmare situations for an audio chat app.

After Moussouris submitted her findings to the company in early March, she says Clubhouse was not immediately responsive, and it took a few weeks to fully resolve the issue. […]

Whitney Merrill, a privacy and data protection lawyer and former Federal Trade Commission attorney, says […] “I don’t think there are the right incentives for startups to care about privacy and security issues, so you end up fighting the exact same battles that were already fought with other organizations 10 years ago””


Irish DPC “handles” 99,93% of GDPR complaints, without decision? 

[#Schrems #GDPRCompliant #Dataprotection] 

“Irish DPC openly acknowledges: It does not decide about GDPR complaints. At least 99.93% see no decision, despite €19.1 million funding.

In a rather astonishing hearing before the Joint Committee on Justice of the Irish Parliament, the Irish Data Protection Commissioner (DPC), Helen Dixon, acknowledged for the first time publicly what many suspected […]. She also accused other Data Protection Authorities of political reasons to criticize her office. […]

The long-standing miracle of “self-resolving” GDPR complaints was then lifted by Helen Dixon: The DPC simply interprets the word “handle” to mean that the DPC can also simply dispose of complaints on the fundamental right to privacy. She openly argued “In fact, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint.”

Max Schrems, Chair of noyb: “If you were to tell your boss that you interpreted ‘to handle’ as letting you dump work in the trash, you would probably get fired. Instead, the DPC asked for an increase to its existing € 19.1 million budget.”


Google and Apple are the world’s biggest privacy regulators

[#Apple #Watchdog #Google] 

“Move over, privacy watchdogs. Apple and Google are policing the internet. It’s a claim that might make many howl.

But by rolling out privacy-focused updates to their dominant mobile software, these two tech giants are doing more to change online tracking practices in a few weeks than years of regulation have done on either side of the Atlantic.

Take Apple. On Monday, the iPhone maker released a long-awaited upgrade that will force outside developers to ask users if they want their data collected. If people don’t, these third-party groups are straight out of luck. […]

Are Google and Apple simply amassing more power by boxing out competitors for data? Rivals and critics certainly think so. […]

“Even though Apple now is making these moves to become more strict, I still think that they’re still heavily profiting from creating an ecosystem that is just overall really privacy invasive,” said Joris van Hoboken, an academic at Vrije Universiteit Brussel.”


Census 2021: Portuguese DPA (CNPD) suspended data flows to the USA 

[#DataProtectionAuthority #StandardContractualClauses #DataTransfers]

“The Portuguese Data Protection Authority (CNPD) ordered INE (National Institute for Statistics) to suspend the sending of personal data from the Census 2021 to the United States.

CNPD has issued a decision addressed to INE for the suspension within 12 hours of any international transfer of personal data to the United States or other third countries without an adequate level of protection in the context of Census 2021 questionnaire. […]

Given that the data in question are personal data from an almost total universe of citizens residing on national territory, including sensitive data such as health and religion data, the CNPD took the view that the transfer of data to the United States or to any other third country without adequate protection should be suspended with almost immediate effect.”
