Weekly Data Privacy Alert – 27 November
Resolutions of the 94th Conference of Data Protection Authorities
Under the chair of the Data Protection Officer of Niedersachsen, on November 8 and 9, 2017, the Conference of the Independent Data Protection Authorities of the Bund and the Länder held its autumn meeting to discuss current data protection issues.
In a resolution, the Data Protection Authorities took a stand against the unfounded retention of travel data. The German legislator should correct the retention of passenger name records in the light of the opinion of the European Court of Justice (Opinion 1/15 of 26 July 2017) on the passenger name record agreement between Canada and the EU.
In a further resolution, the Data Protection Authorities called for the General Data Protection Regulation to be implemented in media law as well. According to the Data Protection Authorities, both the state broadcasting treaties and press and media legislation need to be amended.
Bavarian Supervisory Authority Examines Encryption of Websites
Considering that cyberattacks have significantly increased in recent years, the Bavarian Supervisory Authority (Authority) has announced that it plans to pay closer attention to the cybersecurity of Bavarian companies. As a first step, the Authority plans to examine the encryption of websites of Bavarian providers.
According to the Authority, experience shows that many companies do not operate state-of-the-art webservers. They often lack certificates or a sufficient HTTPS configuration, which results in customer data being transmitted to the target server without proper encryption and thus being susceptible to interception.
The Authority plans to offer a new online service that gives companies and citizens the opportunity to report websites to the Authority for examination. Companies that want their own website to be examined can obtain written feedback with the results of the test. More details on this procedure can be found in the Authority’s press release.
US Congressional Subcommittees to Hold Hearing on Technology Company Data Privacy
Technology company data protection policies will be discussed at a House Communications and Consumer Protection joint subcommittee hearing on November 29 in Washington DC. The hearing, fulfilling a promise made by House Commerce Chairman Greg Walden, R-Ore., will examine how the use of algorithms affects consumer privacy and choice with online content. Witnesses include Jeremy Grant, managing director, Venable; Troy Hunt, information security author, Pluralsight; and Ed Mierzwinski, consumer program director, US Public Interest Research Group. According to the Subcommittee chairs, the “hearing will examine how actions taken by tech companies and online platforms affect consumer privacy and choice” and “members will have the opportunity to hear from research experts and academics about the impacts of online algorithms, advertising, privacy policies, consumer data flows, content regulation practices, and more.”
FCC Chair Formally Proposes to Return Oversight of Broadband Privacy Practices to Federal Trade Commission and Pre-empt Inconsistent State and Local Regulations
On November 22, the Chairman of the Federal Communications Commission released a proposed order that, among other things, would formally return authority to regulate broadband privacy and data security to the Federal Trade Commission. This proposal, which is highly likely to be adopted by the FCC on a partisan vote at its December 14 meeting, reflects the reclassification of retail broadband service as an information service, instead of a telecommunications service. It was the imposition of that latter classification by the Democratic-controlled FCC that divested the FTC of privacy oversight over such providers. The proposed order also pre-empts “any state and local measures that would effectively impose rules or requirements that we have repealed or decided to refrain from imposing or that would impose more stringent requirements for any aspect of broadband service that we address in this order.” Such pre-emption could apply to state efforts to impose privacy requirements on broadband providers, which had been proposed in some states, such as California.
ICO Fines Nursing Auxiliary for Unlawfully Accessing Patient Records
On 16 November 2017, the ICO announced that a nursing auxiliary has been fined for accessing a patient’s medical records without a valid legal reason.
The nursing auxiliary worked at the Royal Gwent Hospital in Newport when she unlawfully accessed the records of the patient, who was known to her, on six occasions between 2015 and 2016. This was done without a valid business reason and without the knowledge of the data controller. The nurse was fined £232 and was ordered to pay £150 costs, as well as a £30 victim surcharge.
ICO Grants Programme Supports Independent Research Into Four Privacy and Data Protection Challenges
In June 2017, the ICO launched innovative new research into children’s online privacy and also medical data sharing and consent. New digital tools protecting pseudonymised data and personal information rights in the financial services sector are also among the first independent research projects to be supported by the ICO Grants Programme.
The programme called for proposals for independent research into new, practical solutions for privacy challenges and issues affecting UK citizens, both now and in the future.
The ICO received 117 applications, which were assessed and filtered by two review panels, comprising both ICO experts and external peers. Further information about the successful bids will be published in the near future on the ICO Grants Programme page. The programme will open for a second round of funding in 2018.