Icelandic DPA fines InfoMentor

Icelandic DPA fines InfoMentor for a 2019 data breach affecting hundreds of children.


The Icelandic Data Protection Authority has fined the company InfoMentor EUR 23,100 for failing to ensure the security of the personal data of a number of data subjects, most of them children. According to this report from the EDPB, the incident, reported in February 2019, concerned Mentor, InfoMentor's information system for schools and other parties whose services involve working primarily with children. A vulnerability in the system caused the six-digit system number of each user to be visible in the URL of a particular page within Mentor; in effect, knowing a user's number was enough to reach that user's page. As a result, unauthorised parties gained access to the personal information of these students, including the national identification numbers and avatars of over 400 children.
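
The flaw described above, as an added illustration that is not InfoMentor's code and does not describe how the Mentor system was actually implemented: a per-user page keyed by a six-digit system number taken from the URL, first with no check on who is asking (the "before" case) and then with an authorisation rule that ties the caller's session to the record requested. The roles, school relationships, sample records and URL layout are assumptions made for the example; the EDPB report gives none of these details.

```python
"""
Illustrative example added by the editor. Not InfoMentor's code and not a
description of the Mentor system; it shows the class of flaw the report
describes (a per-user page addressed by a six-digit system number in the URL
that served data to whoever supplied the number) beside a version that checks
authorisation first. All names, roles and records below are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Profile:
    system_number: str  # six-digit identifier that appears in the page URL
    school: str
    national_id: str    # the kind of sensitive field exposed in the breach
    avatar: str


@dataclass(frozen=True)
class Session:
    system_number: str              # the logged-in user's own number
    role: str                       # "student", "guardian" or "teacher" (assumed roles)
    school: str
    wards: frozenset = frozenset()  # guardians: system numbers of their children


class Forbidden(Exception):
    """Raised by the fixed handler when the caller may not see the target."""


# Constructed sample records; the national IDs are placeholders, not real ones.
PROFILES = {
    "100001": Profile("100001", "school-a", "010101-0000", "cat.png"),
    "100002": Profile("100002", "school-a", "020202-0000", "dog.png"),
    "200001": Profile("200001", "school-b", "030303-0000", "owl.png"),
}


def parse_profile_url(path: str) -> str:
    """Extract the six-digit system number from a path such as '/profile/100002'."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "profile":
        raise ValueError(f"not a profile path: {path!r}")
    number = parts[1]
    if not (number.isdigit() and len(number) == 6):
        raise ValueError(f"system number must be six digits: {number!r}")
    return number


def profile_page_vulnerable(session: Session, path: str) -> Profile:
    """Before: the number in the URL is the only thing the page looks at.
    The session is accepted but never consulted, so any logged-in user who
    knows or guesses a number can read that user's record."""
    return PROFILES[parse_profile_url(path)]


def may_view(session: Session, target: Profile) -> bool:
    """Authorisation rule (assumed): the pupil themselves, a guardian of the
    pupil, or a teacher at the same school may view a profile."""
    if session.system_number == target.system_number:
        return True
    if session.role == "guardian" and target.system_number in session.wards:
        return True
    if session.role == "teacher" and session.school == target.school:
        return True
    return False


def profile_page_fixed(session: Session, path: str) -> Profile:
    """After: resolve the target, then check the caller's relationship to it.
    Unknown and forbidden numbers get the same response so the ID space
    cannot be mapped by watching which numbers exist."""
    target = PROFILES.get(parse_profile_url(path))
    if target is None or not may_view(session, target):
        raise Forbidden("you are not authorised to view this profile")
    return target


Handler = Callable[[Session, str], Profile]


def can_view(handler: Handler, session: Session, number: str) -> bool:
    """True if the handler returns a record for this session and number."""
    try:
        handler(session, f"/profile/{number}")
    except (KeyError, Forbidden):
        return False
    return True


def count_reachable(handler: Handler, session: Session, numbers: Iterable[str]) -> int:
    """How many records one session can pull by walking a range of numbers.
    Six-digit numbers give a space of only a million values, so the
    vulnerable handler exposes every existing record to any single account."""
    return sum(can_view(handler, session, n) for n in numbers)


if __name__ == "__main__":
    pupil = Session("100001", "student", "school-a")
    probe = [f"{n:06d}" for n in range(100000, 100005)] + ["200001"]
    print("vulnerable:", count_reachable(profile_page_vulnerable, pupil, probe))  # 3
    print("fixed:     ", count_reachable(profile_page_fixed, pupil, probe))       # 1
```

The count_reachable helper makes the enumeration risk concrete: with six-digit identifiers a single account can walk the whole number space in about a million requests, so the fix has to be the authorisation check on every request, not merely hiding the number from the URL. Returning the same refusal for unknown and forbidden numbers keeps the check itself from leaking which numbers are in use.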


At its core, the breach was caused primarily by human error, including a delay in fixing a vulnerability the company already knew about.


InfoMentor acknowledged that it had been aware of the vulnerability that led to the breach and that a fix had already been developed. Owing to human error, however, the fix was not fully deployed to the Mentor system until after the breach had occurred. The breach could have been avoided had the vulnerability been addressed as soon as the relevant staff were made aware of it. In addition, while handling the incident, InfoMentor mistakenly sent the national identification numbers of affected students to the wrong schools and data protection officers.

The Icelandic DPA fined InfoMentor based on the number of data subjects affected, and the fact that those affected were children.


The rights and freedoms of children were directly affected by this breach. The most significant factors the Icelandic DPA considered in setting the administrative fine were the number of data subjects directly and potentially affected, and the fact that they are children. The DPA also took into account that InfoMentor's main activity is the development and operation of an information system intended for schools and other entities working with children. In mitigation, there was no indication that the data subjects suffered harm as a result of the breach, and InfoMentor has since taken numerous steps to improve its security and address the vulnerabilities that caused it.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

COVID-19 travel certificates

COVID-19 travel certificates questioned by Italian DPA

COVID-19 travel certificates will launch in the EU soon; however, the Italian DPA has pointed out issues that need critical attention before the rollout.


This summer, COVID-19 travel certificates, or "vaccine passports", will be rolled out throughout the EU, with the official launch scheduled for the end of June. According to this article from Euractiv, the majority of EU countries should be technically prepared by the first week of June; the aim is to have the systems ready when the legislation is published, so as to avoid delays. The passes are expected to be legally valid and operational across Europe. The certificates, which we wrote about last month, will take the form of a QR code containing information about a person's status with regard to COVID-19: vaccination, a negative test result, or recovery (the presence of antibodies). Given the amount and nature of the data these QR codes will carry, data protection authorities around Europe are paying close attention to the rollout to ensure that the rights and freedoms of natural persons are protected. The Italian DPA has issued a statement pointing out key issues that will require special attention if those rights and freedoms are to remain protected.


Twenty countries, including Italy, are expected to be part of the first group to begin technical checks to interconnect the systems, from the second week of May. 


EU member states have been divided into three groups according to their readiness to begin system testing. The first group, which includes Italy, France, Spain and Germany, is expected to start testing the interconnected systems in the second week of May; the third and last group is expected to begin testing around the middle of June. An EU official explained that the technical testing covers the entire setup, confirming that each national system has been validated and changing the keys before the whole chain is checked, and that this is why member states are divided into groups and tested in phases.


While the technical work is being done to lay the groundwork for COVID-19 travel certificates, the EU is working on the legal basis of the initiative. 


On April 29th, European lawmakers adopted a negotiating position on the Commission's proposal for COVID-19 travel certificates, or digital green certificates. This set the stage for inter-institutional negotiations in which the Council represents the 27 member states, with the goal of having the certification system up and running for the summer in an effort to support the struggling European tourism sector. Although time is tight, data protection authorities appear to be keeping a watchful eye on the process.


The Italian DPA has released a statement pointing out some major critical issues for vaccination passes. 


The COVID-19 travel certificates have been criticised by the Italian DPA. The EDPB reported that the supervisory authority highlighted several data protection shortcomings in the rollout, including the lack of an assessment of the possible large-scale risks to the rights and freedoms of individuals. Contrary to GDPR requirements, the decree known as "Italy Reopens" does not provide a suitable legal basis for introducing and regulating a nationwide green pass. Among the issues cited, the decree does not specify the purposes for which health data is processed, and it paves the way for multifarious and unforeseeable future uses that could conflict with EU initiatives and with the GDPR. The Italian SA noted that the major critical issues it found could easily and quickly have been addressed beforehand, and it has offered the government its cooperation in resolving them.



SCCs and Privacy Shield

SCCs and Privacy Shield replacement updates, what can we expect?

New SCCs and a Privacy Shield replacement are both of paramount importance to trans-Atlantic data flows; right now, however, the focus may be more on the new SCCs.


Almost one year after the CJEU's "Schrems II" decision, a new EU-US Privacy Shield may still be far off. However, with Standard Contractual Clauses upheld and used frequently to facilitate cross-border data flows, new SCCs can be expected soon. According to this IAPP article, they may arrive within a matter of weeks. Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission, said: "We are about to, because it's a question of weeks, adopt modernized SCCs that do things that are aligned with the (EU General Data Protection Regulation) that are much better adapted to the reality of today's digital economy".


The new Standard Contractual Clauses are expected shortly, with the Commission having considered the feedback received on the draft.


Since the Schrems II decision, SCCs have been upheld, but with a few caveats. They have been used to facilitate data flows between the EU and the US, though not without incident. While privacy professionals wait for conclusive news on trans-Atlantic data flows, there have been some recent developments. Speaking at IAPP's Global Privacy Summit Online, Bruno Gencarelli said that the new Standard Contractual Clauses will soon be adopted. Based on the feedback the European Commission received, he called the draft SCCs an "enormous success", and said the Commission is taking that feedback very seriously. The ongoing process is intended to modernise the SCCs to suit the size and complexity of today's digital economy.


"This is a much awaited step forward which once in place will help to unify the dissimilar criteria that EU Supervisory Authorities have been applying since Schrems II when it comes to international data transfers, as we have recently seen with the Bavarian and French DPAs decisions", comments Cristina Contero Almagro, Aphaia's Partner.


Negotiations on a Privacy Shield replacement are intensifying, but a deal may still be far off.


While there is willingness on both sides to agree a replacement for Privacy Shield, striking a balance between privacy and national security makes this a delicate and complex matter. As we have seen since Schrems II, SCCs, while very useful, are not always enough. Both sides are seeking a durable replacement, one that can withstand legal challenge and political scrutiny, and talks are under way on a solution that meets both parties' needs on privacy and national security.


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

CNPD ordered Statistics Portugal to suspend all data transfers within 12 hours

CNPD ordered Statistics Portugal to suspend all data transfers to a US-based processor within 12 hours earlier this week.

The Portuguese DPA, the Comissão Nacional de Proteção de Dados (CNPD), ordered Statistics Portugal (INE) to suspend within 12 hours all data transfers connected with its census, because of an inadequate level of protection for the international transfers involved, IAPP reported. After receiving complaints about the conditions under which data was being collected over the internet, the Authority carried out a rapid investigation. The probe revealed that INE used Cloudflare Inc, a California-based web infrastructure and website security company, to handle census survey operations. Given the nature of the services Cloudflare provides, the company is directly subject to US surveillance legislation for national security purposes.

While the international transfers were based on SCCs, it was concluded that the data was still not adequately protected.

Even where transfers are based on Standard Contractual Clauses, data protection authorities are obliged to suspend or prohibit them where there is no guarantee that the clauses can or will be complied with in the recipient country. US surveillance legislation imposes on certain companies a legal obligation to give US authorities unrestricted access to the personal data in their possession, without being able to inform their clients. With Cloudflare Inc subject to this legislation and in possession of large amounts of personal data about Portuguese citizens, this posed a serious risk.

CNPD ordered INE to cease data transfers within 12 hours due to the sensitive nature of the information collected.

The census data collection run by INE began on April 19th and was due to be completed by May 3rd; however, about a week into the process, following the complaints received by the CNPD, INE was ordered to cease the transfers within 12 hours. The main reasons for the immediate order were the sheer volume of data being collected and processed and the sensitive nature of the data itself, which included religious and health information about the individuals in this large data pool.

Of late, similar issues have been dealt with by various data protection authorities across the EU.

Recently we have seen similar action taken by other EU DPAs, for example in Spain and Germany, concerning transfers made on the basis of Standard Contractual Clauses. Transfers to the US, or to any other third country not recognised as providing an adequate level of data protection, that rely on SCCs alone without supplementary measures are problematic, and the risk is particularly acute where the data is sensitive, as it was in this case. When making international transfers on the basis of Standard Contractual Clauses, it is essential that the data receives a level of protection essentially equivalent to that provided under EU law.
