Privacy GDPR Russia
On privacy, with soul and with taste. Supported by RPPA.pro, under the supervision of Kris, @krakozubla. We create content, we don't copy it🩵

RPPA.pro | PPCP.pro | EDPC.network
29_09_22_День_открытых_дверей_РКН_by_Kris.pdf
#materials #ркн

Notes from the seminar, passed through the perceptual filter of the person taking them.

Please point out shortcomings / missed points in the comments.
#PrivacyNews

💬Source: Oleg Blinov

More news from the world of privacy!

🔸 EU-US data transfers: Light at the end of the tunnel! (https://www.politico.eu/article/us-expected-to-publish-privacy-shield-executive-order-next-week/): an EU-US agreement on data flows is expected by March 2023.

🔸 Brands Review Data Privacy Policies After $1.2 Million Sephora Settlement (https://www.wsj.com/articles/brands-review-data-privacy-policies-after-1-2-million-sephora-settlement-11664272801, https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement): Much-needed clarity on whether ad targeting constitutes a “sale” of data under CCPA. Turns out it does, at least until 2023, when “sharing” and “selling” will entail different obligations. I was not aware that CCPA requires honoring Global Privacy Control as an opt-out, as if the user had pressed the “Do not sell” button.

🔸 Conflicting news from Germany on use of MS in schools:
🔸🔸 Baden-Württemberg: LfDI Baden-Württemberg dismisses investigation into schools on use of MS 365, issues recommendations (https://www.baden-wuerttemberg.datenschutz.de/schulen-auf-dem-weg-zu-datenschutzfreundlichen-loesungen/): according to the Baden-Württemberg regulator, they received convincing documents from the schools and closed the investigations;
🔸🔸 Germany Forces a Microsoft 365 Ban Due to Privacy Concerns (https://techgenix.com/microsoft-365-ban-in-germany): but in Hesse, the regulator banned MS 365 citing violation of privacy following termination of agreement to use only German servers.

🔸 UK: ICO issues reprimands to seven organisations for failing to respond to access requests (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/09/action-taken-against-seven-organisations-who-failed-in-their-duty-to-respond-to-information-access-requests): Pretty surreal backlogs in public authorities, such as the Ministry of Defense which has 9,000 SAR requests yet to be responded to. 7 public bodies and companies were only issued reprimands.

🔸 UK: ICO issues provisional fine of £27M to TikTok for failing to protect children’s privacy (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/09/ico-could-impose-multi-million-pound-fine-on-tiktok-for-failing-to-protect-children-s-privacy/): No clear details available on this one.
#ЯрмаркаВакансий

Lawyer in personal data processing and protection at VK, only on RPPA.ru
#events

An interesting hackathon on Privacy Enhancing Technology is launching here.

To register, you need to put together a team. Teams are being assembled in the closed RPPA.ru chat.

💬Source: Ekaterina Kalugina
#ЯрмаркаВакансий

A Friday gift for everyone on the hunt: Head of Personal Data Protection at АО «ИНТЕКО».

Only on RPPA.ru
#EDPC

🌟Meanwhile, we are not losing heart and are sticking to the schedule🌟

The programme with our star speakers for 20 October has now been published.

Don't forget to mark the largest privacy event of 2022 in your calendars: EDPC.network.
#materials #privacy

How Aeroflot challenged Roskomnadzor's established practice and what it means for business, here

Available to community members

💬Authors: Marina Yufa, Vladislav Simonenko
#PrivacyNews

A roundup of the last 2 weeks😍

💬Author: Oleg Blinov

🔸 Biden Administration Issues Executive Order for Privacy Shield Replacement (https://noyb.eu/sites/default/files/2022-10/Biden%20EO%20on%20Surveillance%2C%20Structured.pdf). It is likely that a new data transfer framework between the US and the EU will come into effect around March 2023. The EO adds legal guarantees of proportionality re bulk “signal” intelligence by US surveillance authorities. It also adds a redress mechanism previously lacking as highlighted by the CJEU. Complaints will be ultimately addressed by the Data Protection Review Court (“DPRC”) which will be part of the executive, but will consist of six or more judges appointed by the US Attorney General. NOYB has already criticized the EO as essentially window dressing (https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law). Additional commentary is also available at Lexology (https://www.lexology.com/library/detail.aspx?g=23fcd874-8e46-40a8-90ec-eb4100c71bfb). In my opinion, the EO and the transfer framework are likely to stand for 2-3 years, after which they can be struck down by the CJEU again, bringing us to square 1 with operational risks and endless TIAs.

🔸 CJEU AG opinion on individual’s non-material damages claim (https://curia.europa.eu/juris/document/document.jsf;jsessionid=79F0B703F7CD84C2DE01BF340FD03C29?text=&docid=266842&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=244110). Some may remember that the Austrian Post created political profiles on citizens without their consent. The incident resulted in a giant fine, but apart from that, a person claimed EUR 1,000 in civil litigation for “massive anger, loss of trust and a feeling of exposure”. The Austrian courts now referred several questions to the CJEU, most importantly, (1) can there be damages for just infringement of GDPR or does harm need to be suffered?; and (2) is there a de minimis threshold? As of now, there is only the opinion of the AG, which is very pro-business on both questions. I recommend reading NOYB’s commentary to it (https://noyb.eu/en/analysis-no-non-material-damages-gdpr), it is plainly a thing of art, highly enjoyable and interesting. The implications for GDPR (if the CJEU were to agree with the AG) would be massive. Current risk management approaches place subjective harm quite high up the ladder of importance, an opposite approach from the CJEU would clearly show that there is a high chance of overturning fines in court.

🔸UK Catalogue retailer Easylife fined £1.48 million for breaking data protection and electronic marketing laws (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/catalogue-retailer-easylife-fined-148-million/). Easylife created profiles of ~145k customers based on their purchases. For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches. 80 items were considered to be ‘trigger products’. Once these products were purchased, Easylife would profile the customer to target them with a health-related item. The fine comes for lack of legal basis of processing (the LIA concerned a different purpose), violation of rules of processing of special categories of data and for lack of DPIA. Very interesting case with a clear 1 customer = 10 pounds fine ratio.

🔸Italy: Garante fines Senseonics €45,000 over unauthorised disclosure of health data (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9809998). The controller accidentally added email recipients to cc and thereby disclosed their health status to each other. What is more interesting is that the fine comes not only for disclosure, but also for faulty consent collection mechanism - one checkbox was responsible for multiple processing purposes.
#events #EDPC

When: Thursday, 20 October
Where: online
Topic: 🌟Eurasian Data Protection Congress 2022🌟
Organiser: EDPC Partners
Cost: free, no registration required
Stream: YouTube

🌟PROGRAMME: https://edpc.network

Motto: Per aspera ad astra

🌟Friends, we simply cannot allow ourselves to lose heart; we have worked hard and prepared.

So on 20 October it's going to be hot!!!🌟
#EDPC

🌟The Congress returns at 13:30🌟 Up next with you:

🔅Sergey Sayganov
🔅Anastasia Petrova
🔅Marina Yufa
🔅Mikhail Emelyannikov
🔅Alexey Muntyan
🔅Nuria Kutnaeva
🔅Alexander Partin
🔅Ivan Begtin
🔅Alexey Lukatsky
🔅Zhanna Nikolaeva

Sections:

🔆On privacy in KZ
🔆On data leaks

STREAM | PROGRAMME
#EDPC

And so the Congress draws to a close.

But the most interesting part is still ahead:

🌟17:45 - Zhanna Nikolaeva, Head of the Monitoring and Analysis Department of the Centre for Legal Assistance to Citizens in the Digital Environment, will talk about the Centre's work to protect the rights and interests of personal data subjects in the digital environment

🌟18:00 - the Congress speakers will answer your questions from the stream chat

STREAM | PROGRAMME
Privacy GDPR Russia pinned «#EDPC 🌟Recording of the year's largest privacy conference - YouTube🌟 PRESENTATIONS»
#PrivacyNews

💬Author: Oleg Blinov

🔸 Bahn app: civil rights activists sue “DB Schnüffel-Navigator” (https://www.heise.de/news/Bahn-App-Buergerrechtler-klagen-gegen-DB-Schnueffel-Navigator-7314938.html): civil rights organization Digitalcourage filed a suit against DB for use of Adobe Marketing Cloud analytics; US-based Optimizely & Crashlytics. Impact: As I predicted, enforcement of consent for tracking via apps will come and so here it goes. This will hit marketing first (marketing attribution, fb&google integrations). I do not believe anyone on the market has a plan at the moment.

🔸 The European Data Protection Board has published its Guidelines 9/2022 on personal data breach notification under GDPR (https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-92022-personal-data-breach_en): The essential update is that non-EU companies do not benefit from the one-stop-shop mechanism and have to notify DPAs in each country where the affected users are located.

🔸 EU: CJEU interprets purpose and storage limitation principles under the GDPR (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0077): Much ado about nothing, the CJEU essentially reiterated the GDPR text. Only practical implication is that it is not prohibited by purpose limitation to copy data to a separate database from where it was initially collected.

🔸 France: CNIL fines Clearview AI €20 million over facial recognition technology (https://edpb.europa.eu/news/national-news/2022/french-sa-fines-clearview-ai-eur-20-million_en): just another fine against Clearview for its facial recognition software, nothing outstanding.