GDPR News Bytes 30th November 2018

Nov. 20

The primary cause of healthcare data breaches is internal neglect, not external hackers, report researchers from Johns Hopkins and the University of Michigan. Researchers reviewed over 1,000 data breach cases over the past seven years and discovered that internal factors such as “unauthorized access or disclosure” made up 53% of data breach causes, while external hackers made up 12%.

Nov. 21

The GDPR turns six months old, yet experts warn that many businesses are still struggling to get on the path to compliance. Issues cited include data sprawl and difficulties mapping and aggregating large volumes of information across many servers. Many businesses are still scratching their heads about legal topics such as data ownership and when to give certain rights (like deletion) to customers.

Nov. 25

A coalition of seven consumer groups across the EU seeks to fine Google over data misuse under the GDPR. In their claim brought to the Data Protection Authorities, the coalition asserts that Google violates the GDPR’s “freely given consent” principle through “deceptive practices” intended to make people turn on its tracking systems.

Nov. 27

The UK Information Commissioner’s Office (ICO) fined Uber £385,000 for failing to tell 35 million users and 3.7 million drivers that their data was compromised in 2016. Hackers obtained records such as full names, phone numbers, and email addresses from Uber’s cloud servers. Had the incident been accounted for prior to 2018, the maximum fine would have been £500,000. However, under the new DPA 2018, which accounts for the GDPR, the fine can be up to 4% of Uber’s global revenue.

Nov. 27

Facebook faces more fury from Europe after Mark Zuckerberg fails to attend a hearing on disinformation with representatives from Argentina, Belgium, Brazil, Canada, France, Ireland, Latvia, Singapore, and the United Kingdom. The summit focused heavily on potential anticompetitive practices by Facebook, as well as Facebook’s ability to curb disinformation campaigns through its platform, particularly during election cycles.

Nov. 29

The European Data Protection Board (EDPB) has published long-awaited draft guidelines on the territorial scope of the GDPR. The guidelines emphasize data processor responsibilities to comply with the GDPR even when controllers are outside the EU. They also outline the two main criteria for determining whether a business meets the territorial scope of the GDPR: “Establishment” (whether a business has an establishment in the EU) and “Targeting” (whether it offers goods to EU citizens or monitors their behaviour online).