Series of injunctions issued by CNIL

A series of injunctions has been issued by the CNIL of France over the mismanagement of a database containing fingerprints.

 

The CNIL of France has recently issued a series of injunctions to a government ministry – the Ministry of the Interior, for the alleged illegal storage of data, poor file management, and a lack of information given to persons whose data is stored on their system. The Automated Fingerprints File, initiated in 1987, containing the fingerprints and handprints of various people implicated in investigations, had accumulated a sizable database of the prints of over 6.2 million people. Many of these files should have been deleted for various reasons.

 

CNIL has accused the Ministry of the Interior of storing data unlawfully, as well as keeping data stored well beyond its lawful retention period.

 

According to a Euractiv report, CNIL criticized the Ministry of the Interior last month, for storing data that was not provided for under the legislation. Depending on the gravity and the nature of an offense, this data may be stored for either 10, 15 or 25 years. In the event of an acquittal or dismissal of a case however, all fingerprints and data must be deleted. In 2019, at the time of the CNIL investigation into this government ministry, over 2 million records were being kept past their retention periods. In addition, several million manual files were being kept without a legal basis, despite digitization efforts over several years. The CNIL has asked that about 7 million manual files be deleted in spite of the fact that they had not surpassed their retention period.

 

The injunctions issued by CNIL also concerned matters of security and information dissemination.

 

One of the issues raised by the CNIL was that police were able to access the files containing the aforementioned biometric information, as well as other personal information, with a password of only 8 characters. The privacy authority therefore deemed this data insufficiently secured. In addition, under French law, individuals whose information is being processed must be informed of the purposes of the processing and of the party or parties responsible for it. This information must be provided to the individuals either at the time of collection or at the time of the decision.

 

CNIL has given the Ministry of the Interior a timeframe to take corrective action for the series of injunctions issued.

 

As of July 2021, the State had notified CNIL that more than three million cards had been deleted in compliance with the rules on retention periods. With regard to the manual files, however, CNIL rejected the suggested 4 year period for their destruction, stating that the age of the cards concerned, the duration of the breach and the nature of the data concerned did not allow for it. CNIL asked that the physical files be disposed of by 31st December, 2022. For all other matters of compliance, the CNIL has given a deadline of 31st December 2021. According to the law, a fine cannot be imposed on the State.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Post-Brexit UK to overhaul privacy rules

Post-Brexit UK to overhaul privacy rules in an attempt to increase effectiveness while maintaining adequacy with the EU and other nations.

The British government is looking forward to creating new privacy rules based on “common sense, not box-ticking”. The new privacy rules might move the UK away from the EU data protection regime, including the GDPR in force since 2018, which still underpins the framework of the UK’s post-Brexit UK GDPR privacy rules. According to the culture secretary, this may put an end to the irritating cookie popups and consent requests online. However, the new regime has to qualify for the EU’s adequacy requirement; otherwise continued data transfers between the UK and the EU may be affected.

After October, a new Information Commissioner will be appointed to replace Elizabeth Denham.

The culture secretary aims to develop a globally leading data policy that will help businesses and individuals across the UK. The government plans to give the daunting task of overseeing this transformation to John Edwards, who is to be appointed as the new Information Commissioner. He is currently the Privacy Commissioner of New Zealand and the UK’s preferred choice to replace the current Information Commissioner, Elizabeth Denham, when her tenure ends on October 31st.

Will the new rules help small businesses or result in more trade and investment barriers?

Whereas cookie consent rules have been widely criticised by the industry and the users, they represent a tiny portion of the current (UK) GDPR framework, and are unlikely to be decisive when it comes to mutual adequacy between nations. The bigger picture is the current freedom to transfer data between the UK and the EU/EEA based on the current European Commission adequacy decision, which still gives UK-based tech companies an edge. “Putting that in jeopardy would likely offset any benefits for tech startups in terms of compliance regime simplification,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner. “We must also be aware that the UK consumers have gotten accustomed to a high degree of privacy protection, and they hardly see the current UK GDPR as an unnecessary bureaucratic burden.”

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Guidance on cookie consent requirements from Malta DPA

The guidance on cookie consent requirements from the Malta DPA gives insight on the applicable legal framework for their use.

 

The Data Protection Authority of Malta has just published guidance on cookie consent requirements to aid businesses and organizations in setting cookies up correctly on their web pages and apps. Cookies are alphanumeric files which are stored on a user’s device for later use. These later uses may include memorising preferences, storing session information or identifying a data subject through a unique identifier. Some cookies, known as tracking cookies, are used for the purpose of behavioural advertising.

 

The guidance on cookie consent requirements from the Malta DPA heavily emphasizes the notion of consent. 

 

The use of cookies on a website or app is allowed under the applicable laws once certain requirements are met. The guidance from the Malta DPA focuses on tracking cookies, understood as those used for commercial purposes to deliver behavioural advertising. According to the guidance, for tracking cookies to be lawfully installed on a user’s device, a valid consent mechanism must be implemented which allows users to take affirmative action giving prior informed consent to the cookies. Originally under the ePrivacy Directive, and now also under the GDPR, the notion of consent is central to lawfully obtaining and storing information on data subjects.

 

The notion of consent in the ePrivacy Directive is linked to that of the GDPR. As a result, in order for stakeholders to obtain valid consent within the scope of the ePrivacy Directive provisions, the elements of valid consent as upheld by Article 4(11) GDPR are applicable in a cumulative manner. This means that consent must be freely given, specific, informed, and must result from an “unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action”, which signifies agreement to the processing of personal data relating to them. This consent must also be withdrawable.

 

According to Regulation 5(1) of the “Processing of Personal Data (Electronic Communications Sector) Regulations” (Subsidiary Legislation 586.01), which transposes article 5(3) of the ePrivacy Directive, the “storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his consent”.

 

Transparency is necessary in all matters to ensure that the rights and freedoms of data subjects remain protected. 

 

The GDPR maintains that data subjects must be informed, and have at the very least, a basic understanding of the state of play, allowing them to decide whether or not to give consent and how to exercise the right to withdraw consent. Pursuant to article 7(3) of the GDPR, data subjects should be able to withdraw their consent at any time and it should be as easy to withdraw their consent as it is to give it. With regards to cookies, transparency refers to the provision of adequate information regarding the processing operation, including how data subjects can exercise their rights. Accordingly, the GDPR stipulates that individuals must also be informed on how to withdraw their consent before it is given. The failure to provide data subjects with a permanent withdrawal option, including the relevant information on withdrawal, infringes several articles of the GDPR.

 

According to the guidance on cookie consent, cookie walls, pre-ticked boxes and scrolling infringe on the regulations governing cookie consent. 

 

In order to fairly and transparently obtain informed consent from users, there are some features which must be avoided as they compromise the rights and freedoms of users. The Malta DPA, in their non-exhaustive list of practices deemed non-compliant, makes mention of cookie walls, pre-ticked boxes and necessary scrolling. 

 

Cookie Walls

 

Cookie walls are banners linked with a website or a mobile app which only allow users to access the site or app after the user grants consent to the use of all cookies and to the purposes for which they are processed. In these cases, access to the website or mobile app is not possible by other means. Indiscriminately collecting personal data through this approach essentially denies users a genuine choice, falls foul of the consent requirements as set out in the applicable laws, and is considered an unlawful practice. In these cases, consent is in fact not “freely given”. For consent to be freely given, access to services and functionalities should not be made conditional upon the user’s consent for storing information, or gaining access to information already stored, in the device.

 

Pre-ticked Boxes

In some cases, users’ consent for installing exempt cookies on their devices is sought by using pre-ticked opt-in boxes. According to recital 32 of the GDPR, “silence, pre-ticked boxes or inactivity should not […] constitute consent”. As a result, pre-ticked boxes are not a valid tool to obtain consent under the GDPR, specifically with regard to cookies. The approach of using pre-ticked boxes is considered unlawful.

 

Scrolling

 

The practice of obtaining consent through a user’s action such as scrolling or swiping through a web page or pages does not count as “clear and affirmative” in terms of the requirements of article 7 of the GDPR as well as recital 32. As a result, this approach does not satisfy one of the core requirements of valid consent. In addition, this practice makes it extremely difficult to inform users, and to let them withdraw their consent as easily as it was initially obtained.
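The consent requirements above (affirmative action, no pre-ticked defaults, no cookie wall, withdrawal as easy as giving consent) as an added JavaScript example; this is not code from the Malta DPA guidance or from Aphaia, and the cookie names, the banner button names and the in-memory cookie jar are assumptions standing in for a real banner and document.cookie:

```javascript
// Added example (not Malta DPA or Aphaia code): a minimal consent gate for
// tracking cookies; the cookie jar is a plain object standing in for document.cookie.

// Hypothetical names of the tracking cookies that need prior consent.
const TRACKING_COOKIES = ["_adid", "_campaign"];

// Every purpose starts unchecked: pre-ticked boxes are not valid consent.
function defaultChoices() {
  return { behaviouralAdvertising: false, analytics: false };
}

// Only a click on "accept-selected" or "reject-all" is a clear affirmative act;
// scrolling, swiping, closing the banner or inactivity never yields consent.
// Rejecting is one click like accepting; content stays reachable (no cookie wall).
function consentFromInteraction(interaction, choices, noticeShown) {
  if (!noticeShown) {
    throw new Error("consent cannot be informed: cookie notice was not shown");
  }
  if (interaction.type !== "click") return null;
  if (interaction.target === "reject-all") {
    return { givenAt: interaction.at, purposes: defaultChoices(), withdrawnAt: null };
  }
  if (interaction.target !== "accept-selected") return null;
  return {
    givenAt: interaction.at,
    purposes: { ...defaultChoices(), ...choices },
    withdrawnAt: null,
  };
}

// Set tracking cookies only while a live (not withdrawn) consent covers
// behavioural advertising; otherwise make sure they are removed.
function applyConsent(cookieJar, record) {
  const allowed = Boolean(record) && record.withdrawnAt === null
    && record.purposes.behaviouralAdvertising === true;
  for (const name of TRACKING_COOKIES) {
    if (allowed) cookieJar[name] = "set-after-consent";
    else delete cookieJar[name];
  }
  return allowed;
}

// Withdrawal is one call, available at any time (article 7(3) GDPR): it marks
// the record withdrawn and drops the tracking cookies immediately.
function withdrawConsent(cookieJar, record, at) {
  const withdrawn = { ...record, withdrawnAt: at };
  applyConsent(cookieJar, withdrawn);
  return withdrawn;
}
```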

 

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Exposed records caused by misconfigured Power Apps

Millions of exposed records caused by misconfigured Power Apps from Microsoft include health related data. 

 

Over a thousand misconfigured web apps have resulted in millions of exposed records. An estimated 38 million records were reportedly exposed online. While there is no evidence that the exposed records were accessed by anyone, investigative research uncovered the fact that these records, which included lots of sensitive personal data, were readily accessible online.  

 

Researchers discovered that the default settings for Power Apps were making data publicly accessible. 

 

Researchers at an organization known as Upguard found one misconfigured app while enabling APIs, and noticed that the settings defaulted to making the data publicly accessible. Upon further inspection, they discovered that thousands more apps were similarly misconfigured, leaving the personal records of millions of data subjects available online. These records included phone numbers, home addresses, social security numbers and even COVID-19 vaccination status. This misconfiguration has affected several large companies and organizations, a testament to the far-reaching consequences of this kind of incident. Although there is no evidence that these records were accessed by unauthorized persons, this situation underscores the importance of ensuring privacy settings are as they should be, particularly with regard to cloud storage apps.

 

Misconfiguration is a common issue with cloud based platforms, and many major companies have taken steps to secure privacy. 

 

The exposed data was all stored in Microsoft’s PowerApps portal service, a cloud based development platform that makes it easy to create web or mobile apps for external use. When it comes to cloud based platforms, misconfiguration is a common issue. Many major cloud companies like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to ensure that customers’ data is stored privately by default, and to flag potential misconfigurations, but until fairly recently, the industry as a whole didn’t necessarily prioritize this issue.  

 

Once Microsoft was informed of the issue of misconfiguration on their platform, they took immediate steps to correct it, and to alter their default settings. 

 

Researchers at Upguard, the organization which discovered the misconfigured settings, immediately took action. Upguard observed the extent of the exposures and notified as many affected organizations as possible. Due to the sheer reach of the damage, the researchers could not get to every entity. They then also disclosed the findings to Microsoft. After being informed of the issue in this instance, Microsoft immediately took steps to correct it. Earlier this month, Microsoft announced that Power Apps portals will now default to storing API data and other information privately. The company has also released a tool that customers can use to check their portal settings on their end.

 

Does your company utilize or offer cloud based storage? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.