Data disasters

Check out this interactive ‘balloon race’ data visualisation from Information Is Beautiful, of all the major data breaches from the last ten years. Billions of records.

You can choose to highlight the items by year or data sensitivity, and filter for different sectors like academic, governmental or the media.

World’s biggest data breaches & hacks

Our data problems could get a whole lot worse, and not because of hackers this time, but politicians.

A no-deal Brexit may trigger a data disaster, and UK companies don’t have a clue
In the event of a no-deal Brexit, the Data Protection Act will ensure that personal information processed in the UK will keep enjoying the same level of protection it does now. Still, under EU law, the UK will be automatically considered a third country not bound by GDPR rules, and able to diverge from the current strong standards if parliament so decides. Consequently, data from EU countries would not be able to flow freely to the UK.

“Things will remain the same for organisations residing in the UK, and who need to transfer data to the EU,” says Cillian Kieran, CEO of privacy start-up Ethyca. “But you won’t be able to gather data from the EU into the UK. This is an issue for any company that processes information at any level.”

Struggling with GDPR, or just ignoring it?

It’s been over a year now, but are we all still feeling our way with GDPR?

PwC’s data practices rejected in GDPR rebuke
With enforcement of the EU’s General Data Protection Regulation (GDPR) still in its infancy, companies may be floating trial balloons to see which arguments resonate with authorities. PricewaterhouseCoopers (PwC) recently tested the air currents in Greece, but was shot down by the Hellenic Data Protection Authority in a case involving the processing of employee data.

PwC will have to work to rebuild trust after shock GDPR fine
The Greek representative of PwC is the first of the “Big 4” to be fined under the GDPR. Moreover, it’s the first consultancy that has actually helped many of its clients with GDPR compliance over the last year. It seems astounding that a company of PwC’s size and reputation that’s making a lot of money on giving advice on the GDPR has been burned by the very fire they help clients to avoid on a daily basis.

Or perhaps we’re just ignoring it completely. Research just out has shown what we already know to be the case — most of those cookie notices everywhere aren’t following the EU privacy-first GDPR regulations. At all.

Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds
Their industry snapshot of cookie consent notices found that the majority are placed at the bottom of the screen (58%); not blocking the interaction with the website (93%); and offering no options other than a confirmation button that does not do anything (86%). So no choice at all then.

A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.

And while they found that nearly all cookie notices (92%) contained a link to the site’s privacy policy, only a third (39%) mention the specific purpose of the data collection or who can access the data (21%) …

This is an important finding because GDPR is unambiguous in stating that if an Internet service is relying on consent as a legal basis to process visitors’ personal data it must obtain consent before processing data (so before a tracking cookie is dropped) — and that consent must be specific, informed and freely given.

Yet, as the study confirms, it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.

In the way that those US academics highlighted the dark patterns used with shopping sites, there needs to be a way of reporting and highlighting these non-compliant cookie notices, or they’ll just get away with it.
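One practical way to check the point the study makes, that consent has to be obtained before a tracking cookie is dropped, is to capture the Set-Cookie headers a site returns on first load, before the visitor has clicked anything, and flag every cookie that is not strictly necessary and is either persistent or set for a third-party domain. The script below is an added example, not part of the article or the study; the site name, the cookie names, the response headers and the “essential” allowlist are all constructed for illustration, and the same-site test is a simplification that ignores the public suffix list.

```python
"""Audit Set-Cookie headers captured before any consent was given.

Added example with constructed data: the site, the cookie names and the
"essential" allowlist below are assumptions, not taken from any real site.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

SITE = "example.test"  # first-party site under audit (assumption)

# Cookies the service cannot work without: session, CSRF token and the
# record of the consent choice itself. Names are assumptions.
ESSENTIAL = {"sessionid", "csrftoken", "cookie_consent"}

# Constructed capture: (response URL, Set-Cookie value) seen on first page
# load, before the visitor clicked anything in the consent notice.
PRE_CONSENT_RESPONSES = [
    ("https://example.test/", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://example.test/", "csrftoken=tok; Path=/; SameSite=Strict"),
    ("https://example.test/", "_ga=GA1.2.1; Max-Age=63072000; Path=/; Domain=.example.test"),
    ("https://ads.tracker.test/pixel.gif",
     "uid=7f3a; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker.test; Secure"),
    ("https://example.test/", "theme=dark; Max-Age=0; Path=/"),  # deletion, not a set
]


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    persistent: bool
    attrs: dict


def parse_set_cookie(header, response_url):
    """Parse one Set-Cookie header into a Cookie.

    Domain defaults to the response host when no Domain attribute is given.
    Max-Age wins over Expires (RFC 6265); a cookie is persistent only if
    Max-Age is positive or Expires lies in the future.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    host = urlsplit(response_url).hostname or ""
    domain = attrs.get("domain", host).lstrip(".").lower()
    persistent = False
    if "max-age" in attrs:
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            persistent = False
    elif "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            persistent = exp > datetime.now(timezone.utc)
        except (TypeError, ValueError):
            persistent = False
    return Cookie(name.strip(), value, domain, persistent, attrs)


def is_third_party(cookie, site=SITE):
    """Simplified same-site test: the cookie domain must be the site itself
    or a subdomain of it. Public-suffix handling is out of scope here."""
    return not (cookie.domain == site or cookie.domain.endswith("." + site))


def audit_pre_consent(responses, site=SITE, essential=ESSENTIAL):
    """Return [(cookie name, reason)] for cookies that should not have been
    set before consent: anything off the allowlist that is persistent or
    belongs to a third-party domain. Session-only first-party cookies pass."""
    findings = []
    for url, header in responses:
        c = parse_set_cookie(header, url)
        if c.name in essential:
            continue
        reasons = []
        if is_third_party(c, site):
            reasons.append("third-party domain " + c.domain)
        if c.persistent:
            reasons.append("persistent")
        if reasons:
            findings.append((c.name, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in audit_pre_consent(PRE_CONSENT_RESPONSES):
        print(f"set before consent: {name} ({reason})")
```

Run against the constructed capture it reports `_ga` (a persistent first-party analytics cookie) and `uid` (a persistent third-party cookie); the session and CSRF cookies are allowed, and `theme` with `Max-Age=0` is a deletion rather than a set. The same audit can be repeated after the visitor clicks “reject” to confirm nothing new appears.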

More data breach fines

Flying off to a nice hotel somewhere?

British Airways gets hammered with a record £183m fine for data breach
The incident came to light last September, when British Airways revealed that a sophisticated hack had led to 380,000 customer accounts being compromised, although that initial figure turned out to be an underestimation, with some 500,000 people actually affected, the ICO reckons.

Those folks had the likes of names, addresses, emails, credit card numbers and expiry dates – as well as the security codes on the rear of cards – stolen over a two-week period beginning on August 21, we were told at the time. Although the ICO claims that the thefts began occurring as early as June 2018.

Marriott to face £99 million GDPR fine from ICO over November 2018 data breach
The breach revealed in November 2018 involved the leak of 500 million customer records from the guest reservation database of Marriott’s Starwood Hotels and Resorts division. The attackers – who are unknown but believed to have links with China’s Ministry of State Security – appear to have had access to the system since 2014.

The organisation only became aware of the compromise in September 2018 following an alert from an internal security tool over an attempt to gain access to the reservation system. The company claims that it “quickly engaged” a group of security experts to investigate the apparent attack and “learned during the investigation that there had been unauthorised access to the Starwood network since 2014”.

Update 15/07/2019

Meanwhile.

Facebook’s $5 billion FTC fine is an embarrassing joke
Facebook’s stock went up after news of a record-breaking $5 billion FTC fine for various privacy violations broke today.

That, as The New York Times’ Mike Isaac points out, is the real story here: the United States government spent months coming up with a punishment for Facebook’s long list of privacy-related bad behavior, and the best it could do was so weak that Facebook’s stock price went up …

From some other perspectives, that $5 billion fine is a big deal, of course: it’s the biggest fine in FTC history, far bigger than the $22 million fine levied against Google in 2012. And $5 billion is a lot of money, to be sure. It’s just that like everything else that comes into contact with Facebook’s scale, it’s still entirely too small: Facebook had $15 billion in revenue last quarter alone, and $22 billion in profit last year …

That’s actually the real problem here: fines and punishments are only effective when they provide negative consequences for bad behavior. But Facebook has done nothing but behave badly from inception, and it has only ever been slapped on the wrist by authority figures and rewarded by the market. After all, Facebook was already under a previous FTC consent decree for privacy violations imposed in 2011, and that didn’t seem to stop any of the company’s recent scandals from happening. As Kara Swisher has written, you have to add another zero to this fine to make it mean anything.

Don’t leave your computer unattended

Or this might happen.

Update faker
Update Faker allows you to “fake a system update”; it’s the perfect way to prank your friends, family members or colleagues. Especially when they’re working on something rather important.

Yes, it’s just a silly prank (reminds me a little of Hacker Typer), but you could see it as an important security/GDPR lesson.

Ever since the launch of updatefaker.com we’ve been flooded with positive feedback both online and in real life. And everyone who’s ever fallen victim to update faker will never leave their PC unattended again, which certainly is a good thing. You never know what bad things people are up to. This website is literally one of the least bad things that can happen to an unattended PC.

Google’s GDPR probe

A year on from GDPR Day, and Irish eyes are staring in Google’s direction.

Irish regulator opens first privacy probe into Google
Google’s lead regulator in the European Union, Ireland’s Data Protection Commissioner, opened its first investigation into the U.S. internet giant on Wednesday over how it handles personal data for the purpose of advertising.

The probe was the result of a number of submissions against the company, the Irish Data Protection Commissioner said, including from privacy-focused web browser Brave which complained last year that Google and other digital advertising firms were playing fast and loose with people’s data.

Ireland’s Data Protection Commissioner launches investigation into Google’s advertising and compliance with GDPR
Dr Ryan [Chief Policy Officer at Brave] said his evidence to the DPC “revealed a massive and ongoing data breach” in which Google’s DoubleClick/Authorized Buyers “leaks intimate data about the people visiting these websites to thousands of companies every day”.

I noted The Register’s footnote on this story, about that “privacy-focused web browser Brave”.

Irish data cops are shoving a probe right into Google’s ads
There is some irony in Brave being built on Chromium, the browser engine built and maintained by – who else? – Google. Ryan told us that Brave had “certainly not” seen any pushback from Googlers involved in the Chromium project.

It could be an extremely expensive problem for Google though, as all the reports are keen to point out, although I can’t imagine it would come to that.

Google is facing its first GDPR probe from Irish privacy regulators
If found guilty, the potential penalties for Google would be enormous. The GDPR authorizes fines as high as four percent of global annual revenue, which would total $5.4 billion in Google’s case. Even more damaging, the company would have to fundamentally reshape its ad system in order to avoid future fines.

There’s quite a lot of attention on Ireland’s Data Protection Commission already.

Ireland sits idly by as GDPR goes unenforced
Politico shares an investigation into why the GDPR’s lead regulator Ireland has failed to bring a single enforcement action against the big tech companies it is supposed to watchdog.

These are hugely complex cases that will be setting precedents that may redefine how these companies operate.

Irish data official defends tech investigation record: ‘They’re not overnight’
Helen Dixon said the reality is it will take time to produce results from the 18 major technology investigations her office is pursuing — 11 of which involve Facebook or its platforms WhatsApp and Instagram.

“These aren’t matters where we can take in a complaint today and tomorrow make a conclusion on it,” Dixon, Ireland’s data protection commissioner, said during an interview at POLITICO’s Washington-area headquarters. “They’re not overnight, and anyone who understands anything about the process understands it takes time.”

Others agree.

Is Ireland too soft with GDPR enforcement, or just being prudent?
Jules Polonetsky, CEO of the Future of Privacy Forum (FPF), comes down on the side of patience. In fact, he argues that while fines tend to get most of the headlines, they aren’t as important as the major precedents that regulators will be setting – precedents that will “redefine business models.” That, he said, takes time to be done right. …

Danny O’Brien, international director of the Electronic Frontier Foundation (EFF), an aggressive privacy advocacy group, also isn’t troubled – at least not yet – about GDPR enforcement taking some time to get in gear. “There’s a lot about how the whole system was going to be organized that was left unsaid in the GDPR, so I think it’s fair to say that no-one was expecting anything to happen very quickly,” he said. “It’s not necessarily the Irish DPC’s fault.”

Let’s wait and see, then.

GDPR is still a thing, right?

Some recent data protection stories that have caught my eye.

French data watchdog dishes out largest GDPR fine yet: Google ordered to hand over €50m
The French agency, CNIL, ruled today that the search giant had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalisation. […] The CNIL concluded that Google had breached the General Data Protection Regulation in two ways: by failing to meet transparency and information requirements, and failing to obtain a legal basis for processing.

Amazon, Apple and Google face data complaints
General Data Protection Regulation (GDPR) rules say EU customers have the right to access a copy of the personal data companies hold about them. However, privacy group noyb said it found that most of the big streaming companies did not fully comply. It has filed formal complaints, which if upheld could result in large fines.

Google accused of GDPR privacy violations by seven countries
Consumer groups across seven European countries have filed GDPR complaints against Google’s location tracking (via Reuters). The European Consumer Organisation (BEUC), of which each of the groups is a member, claims that Google’s “deceptive practices” around location tracking don’t give users a real choice about whether to enable it, and that Google doesn’t properly inform them about what this tracking entails. If upheld, the complaints could mean a hefty fine for the search giant.

The NOYB organisation gets mentioned a number of times there.

Max Schrems: The privacy bubble needs to start ‘getting sh*t done’
After years locked in numerous long, drawn-out and often bitter legal battles, Schrems decided to launch a nonprofit aiming to help people bring their own consumer privacy cases to court.

The plan is for NOYB (None Of Your Business) to take advantage of the incoming European Union General Data Protection Regulation, which offers more options for collective redress across the bloc, and harness the momentum Schrems has built up with various high-profile court cases.

Seems to be working. (Via)

Another day, another data protection issue

We’re generating data all the time, without realising, and without really knowing where it all goes.

Users told to ditch OneDrive and Office 365 to avoid ‘covert’ data harvesting
Microsoft Office and Windows 10 Enterprise use a telemetry data collection mechanism that breaches the EU’s General Data Protection Regulation (GDPR), according to a 91-page report commissioned by the Dutch government, and conducted by firm Privacy Company.

It’s not just Microsoft in the firing line, of course.

With GDPR now several months into play, data watchdogs across Europe are beginning to take their first steps in the new regulatory landscape. Microsoft is the latest in a line of major companies accused of breaching GDPR, with Oracle and Equifax among seven firms reported for violations by a data rights group last week.

And that story about Google’s AI company having access to NHS data is still rumbling on.

Google: Our DeepMind health slurp is completely kosher
DeepMind told The Reg: “It is false to say that Google is “absorbing” data. This data is not DeepMind’s or Google’s – it belongs to our partners, whether the NHS or internationally. We process it according to their instructions.”

That claim, echoed by DeepMind Health chief Dominic King, brought a swift correction from legal experts. “It doesn’t belong to DeepMind’s partners, it belongs to the individuals,” said Serena Tierney, partner at lawyers VWV. “Those ‘partners’ may have limited rights, but it doesn’t belong to them.”

I wonder if we’ll be seeing more of these issues, what with one thing and another.

What the potentially useless draft Brexit agreement means for tech
One of the big questions for Brexit is data protection, and the agreement seeks to hold onto the status quo. Scroll through to Article 71 for the text, which says that EU data protection law will continue to cover the UK before and after the transition period, which runs until the end of 2020. That means personal data can continue to flow between the UK and the EU.

“This issue is critical to the tech sector and to every other industry in a modern digitising economy,” says Tech UK CEO Julian David in a blog post. Data’s the oil that greases tech, and all that.

That doesn’t mean that GDPR will continue to apply in the UK post Brexit. Christopher Knight, privacy lawyer at 11KBW, notes that the UK will become a “third state”. That means the UK won’t be required to apply GDPR and other data laws to “wholly internal situations of processing”.

Update 20/11/2018

Well, here’s a thing. I’m still getting used to this new Android phone, with its Google news feed thing, and some time after first drafting this post I was browsing through it and came across the article below. How did it know to surface stories about DeepMind? I’m sure I hadn’t searched for it, but came across it in a newsletter. Is Google reading what I type into WordPress?

Inside DeepMind as the lines with Google blur
Last week, the line between the companies blurred significantly when DeepMind announced that it would transfer control of its health unit to a new Google Health division in California. […]

In March 2017, DeepMind also announced it would build a “data audit” system, as part of its public commitment to transparency. The technology would allow NHS partners to track its use of patient data in real time, with no possibility of falsification, DeepMind said. Google did not comment on whether it will finish the project.

Remember the hacking cough?

More hacking schadenfreude, but with an added GDPR element this time.

First, the hapless Tories.

Major security flaw in Tory conference app reveals users’ data
Commentators said the flaw raised questions over the ability of the government to harness technology to solve issues around the Irish border and customs checks. The app may also have breached data laws. Its privacy policy states that it “complies with … the European Union’s general data protection regulation (GDPR)”.

Boris Johnson’s profile immediately vandalised with hardcore pornography in Tory conference app security blunder
The highly serious blunder allowed anyone to access details of hundreds of MPs including Foreign Secretary Jeremy Hunt and Defence Secretary Gavin Williamson – who have police protection and warn regularly of the hacking threat from Russia. But it also gave pranksters an opportunity to have fun with the profiles of prominent Conservatives.

And then Facebook. Again.

Facebook says at least 50 million users affected by security breach
Facebook said the FBI is now investigating. Because users in Europe are also affected, the company said it has informed data protection authorities in Ireland — where the company’s European headquarters are located. The Irish Data Protection Commission has asked Facebook to clarify the breach “urgently.” If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.

Facebook hack: Here’s what you need to do to secure your account
Critically, for European users, Facebook has been in touch with the Data Protection Commissioner in Ireland – where it is registered – to inform it of the breach. This will be the first data protection incident from one of the major tech companies since the enforcement of Europe’s General Data Protection Regulation (GDPR) in May. GDPR gives regulators the power to issue huge fines but this is yet to be tested. In a statement the Irish Data Protection Commission said Facebook hasn’t given it many details yet. It is “concerned” that despite Facebook discovering the breach on Tuesday, it hasn’t been able to “clarify the nature of the breach and the risk for users at this point”.

Follow the data

I’m hearing more and more about data ethics. It wasn’t ‘a thing’ before, was it? But it certainly is now. Here’s a very interesting take on it: flow.

The ethics of data flow
In Privacy in Context, Helen Nissenbaum connects data’s mobility to privacy and ethics. For Nissenbaum, the important issue isn’t what data should be private or public, but how data and information flow: what happens to your data, and how it is used. Information flows are central to our expectations of privacy, and respecting those expectations is at the heart of data ethics.

It’s not what they’ve got, but what they do with it that matters.

The infamous Target case, in which Target outed a pregnant teenager by sending ad circulars to her home, is a great example. We all buy things, and when we buy things, we know that data is used—to send bills and to manage inventory, if nothing else. In this case, the surprise was that Target used this customer’s purchase history to identify her as pregnant, and send circulars advertising products for pregnant women and new mothers to her house. The problem isn’t the collection of data, or even its use; the problem is that the advertising comes from, and produces, a different and unexpected data flow. The data that’s flowing isn’t just the feed to the marketing contractor. That ad circular, pushed into a mailbox (and read by the girl’s father) is another data flow, and one that’s not expected.

[…]

Everyone who works with data knows that data becomes much more powerful when it is combined with data from other sources. Data that seems innocuous, like a grocery store purchase history, can be combined with geographic data, medical data, and other kinds of data to characterize users and their behavior with great precision. Knowing whether a person purchases cigarettes can be of great interest to an insurance company, as can knowing whether a cardiac patient is buying bacon.

The article is written by and for data developers, primarily, and poses more questions than it can answer, especially around the thorny concept of data deletion. It’s an interesting read, but it left me wondering if those GDPR data protection principles will ever be fully put into practice.

Facebook gets away with it

Facebook fined for data breaches in Cambridge Analytica scandal
Facebook is to be fined £500,000, the maximum amount possible, for its part in the Cambridge Analytica scandal, the information commissioner has announced.

But talk about good timing.

In the first quarter of 2018, Facebook took £500,000 in revenue every five and a half minutes. Because of the timing of the breaches, the ICO said it was unable to levy the penalties introduced by the European General Data Protection Regulation (GDPR), which caps fines at the higher level of €20m (£17m) or 4% of global turnover – in Facebook’s case, $1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.

Elizabeth Denham, the information commissioner, explains her real goal with this fine is to “effect change and restore trust and confidence in our democratic system.”

“Most of us have some understanding of the behavioural targeting that commercial entities have used for quite some time,” Denham said, “to sell us holidays, to sell us trainers, to be able to target us and follow us around the web.”

“But very few people have an awareness of how they can be micro-targeted, persuaded or nudged in a democratic campaign, in an election or a referendum.

“This is a time when people are sitting up and saying ‘we need a pause here, and we need to be sure we are comfortable with the way personal data is used in our democratic process’.”

I think we’re still some way off that; people just seem not to be bothered.

Facebook’s rise in profits, users shows resilience after scandals
Facebook Inc (FB.O) shares rose on Wednesday after the social network reported a surprisingly strong 63 percent rise in profit and an increase in users, with no sign that business was hurt by a scandal over the mishandling of personal data.

But maybe I shouldn’t be so pessimistic.

The digital privacy wins keep coming
Progress can be difficult to measure; it often comes in drips and drops, or not at all for long stretches of time. But in recent weeks, privacy advocates have seen torrential gains, at a rate perhaps not matched since Edward Snowden revealed how the National Security Agency spied on millions of US citizens in 2013. A confluence of factors—generational, judicial, societal—have created momentum where previously there was none. The trick now is to sustain it.

Let’s hope.

University data breach

With GDPR still getting attention, here’s news that the Information Commissioner has fined the University of Greenwich over a significant data breach that happened in 2016.

Greenwich University fined £120,000 for data breach
The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health problems. It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.

The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as “serious”.

[…]

In a statement, the university said it would not appeal against the decision.

It said it had carried out “an unprecedented overhaul” of its data protection and security systems since the discovery of the breach in 2016, and it had invested in both technology and staff.

So the personal data was added to a website in 2004 and left there for 12 years until the breach was discovered?

The University of Greenwich fined £120,000 by Information Commissioner for “serious” security breach
The investigation centred on a microsite developed by an academic and a student in the then devolved University’s Computing and Mathematics School, to facilitate a training conference in 2004.

After the event, the site was not subsequently closed down or secured and was compromised in 2013. In 2016 multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server.

A timely warning for others, I guess. Under GDPR, these fines could be significantly higher.

Happy GDPR Day!

Remember though, 25 May is just the beginning, not the deadline. Don’t panic.

US sites block users in Europe: Why are they ghosting EU? It’s not you, it’s GDPR
Visitors in the bloc trying to load articles from the Tribune, or stablemates the Los Angeles Times – the fifth-biggest daily – and the Orlando Sentinel are shown the same error message from publisher Tronc.

“Unfortunately, our website is currently unavailable in most European countries,” it reads. “We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”

The finger is pointed at the General Data Protection Regulation, which, although it is only just being enforced today, was adopted on 14 April 2016 – meaning organisations have had more than two years to prepare.

Help, my lightbulbs are dead! How GDPR became bigger than Beyonce
But the potential of huge fines hasn’t been the only reason for GDPR mania. There’s also a growing market of people working in data protection and offering dubious services related to GDPR. In the UK there are more than 100 registered companies with the GDPR acronym in their titles – and the vast majority of these were formed after the regulation was approved in 2016. Their purpose? To offer advice on how companies can get their data in order and create products that can help organise information.

[…]

In a post on LinkedIn, George Parapadakis who formerly worked at IBM, wrote that technology wouldn’t solve GDPR issues. “The nonsense that I read on a daily basis, defies belief,” Parapadakis wrote. Turner adds: “Don’t get me wrong, we’re all in it to pay the mortgage but I think as the panic has increased, there is something of a feeding frenzy of, ’Let’s see how much we can get before the momentum goes out of the market.’” This may have peaked when GDPR became more popular than Beyonce.

Another day, another GDPR e-mail

GDPR finally comes into force on Friday, and there seems to be no let up in the privacy notice update e-mails we’re all getting. This raised a smile though.

Most GDPR emails unnecessary and some illegal, say experts
What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

I wonder if we’ll still receive these e-mails after 25 May. If we do, are the companies that send them admitting they weren’t compliant initially? I’m sure the ICO won’t be too concerned, but it’ll be interesting to see what happens.

Last-minute frenzy of GDPR emails unleashes ‘torrent’ of spam – and memes
The whole process has inspired the internet to rope in everyone from Julian Assange to Donald Trump to Prince William in an attempt to illustrate their frustration at the electronic onslaught.

Photocopiers have long memories

They say elephants never forget, and it seems neither do photocopiers.

In light of all the attention currently on GDPR and data protection generally, here’s an interesting article from 2010 about the dangers hiding within our photocopiers. For some time now, digital copiers have contained hard drives that store an image of everything they copy, scan or e-mail. That’s potentially a lot of valuable personal data that can stay on the machine long after you’ve thrown it away.

Digital photocopiers loaded with secrets
It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan – downloading tens of thousands of documents in less than 12 hours.

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company – that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Something to add to our risk registers, perhaps?
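The “forensic software program available for free on the Internet” in the article is doing something that needs no file system at all: it scans the raw drive for file signatures and copies out whatever sits between a known header and footer, which is why images survive a routine “delete” and only a full overwrite removes them. The carver below is an added example, not the tool the article refers to; it knows only two formats, and the “disk image” it scans is a byte string constructed here with a small fake JPEG and a fake PDF embedded in filler.

```python
"""Minimal signature-based file carver for a raw disk image.

Added example; the image it scans is constructed in build_sample_image().
Real carvers know many more formats and validate structure, but the idea is
the same: no directory entries are needed, only the bytes still on the disk.
"""

# (label, header, footer). JPEG starts FF D8 FF and ends FF D9; a PDF starts
# with '%PDF-' and '%%EOF' marks its end. Both footers can also appear inside
# an object (EXIF thumbnails, incrementally updated PDFs), so a real carver
# parses the structure rather than stopping at the first match.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]
MAX_OBJECT = 16 * 1024 * 1024  # give up on a header with no footer within 16 MiB


def carve(image, signatures=SIGNATURES, max_object=MAX_OBJECT):
    """Return [(label, offset, data)] for every header/footer pair found,
    sorted by offset. Headers without a footer in range are skipped."""
    found = []
    for label, header, footer in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            window_end = min(len(image), start + max_object)
            end = image.find(footer, start + len(header), window_end)
            if end < 0:
                pos = start + 1  # orphan header: keep scanning
                continue
            end += len(footer)
            found.append((label, start, image[start:end]))
            pos = end  # resume after the object just recovered
    found.sort(key=lambda f: f[1])
    return found


def filler(n):
    """Deterministic non-zero filler. Consecutive bytes differ by 37 mod 256,
    so none of the signatures above can occur in it by accident."""
    return bytes((i * 37) % 256 for i in range(n))


# Constructed objects: a tiny JFIF-shaped JPEG and a minimal PDF skeleton.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF")


def build_sample_image():
    """Constructed 'disk image': no file system, just two objects in filler,
    as a drive looks after its directory entries have been deleted."""
    return filler(1000) + SAMPLE_JPEG + filler(500) + SAMPLE_PDF + b"\n" + filler(300)


SAMPLE_IMAGE = build_sample_image()


if __name__ == "__main__":
    for label, offset, data in carve(SAMPLE_IMAGE):
        print(f"{label} at offset {offset}, {len(data)} bytes")
    # After a full overwrite there is nothing left to recover.
    print("after zero-fill:", carve(bytes(len(SAMPLE_IMAGE))))
```

Both objects come back intact from the constructed image, at the offsets they were written to, while a zero-filled image of the same size yields nothing. That is the control that matters when a copier or any other device with a disk leaves the building: the data is only gone once every sector has been overwritten (or the drive encrypted and its key destroyed), not when the job list is empty.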

GDPR Day’s getting nearer

The EU’s Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was signed off on 27 April 2016, two years ago. It becomes enforceable from 25 May 2018. Have we been using these last two years to get ready?

This, from a year ago, sums it up, I think.

Concern that schools are not preparing for new rules on personal data
The General Data Protection Regulations are the ‘biggest change in 25 years’ to how organisations must manage personal data, but only a fifth of schools are aware of the May 2018 deadline.

Employers and schools are all certainly busy now, in these last few weeks, reviewing data asset registers and updating privacy notices. The news that the fines for noncompliance could be as high as £17 million is certainly a motivator, although here’s Elizabeth Denham, the Information Commissioner, suggesting they won’t be levying such large fines lightly.

What is GDPR? Data protection law is changing in 2018. Here’s what you need to know
But Denham says speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick”.

[…]

“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.” She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.

As well as some of us acting as data controllers or data processors, we’re all data subjects too. These are new rules designed to protect our data. I’m sure we’ve all been getting e-mails from companies like Twitter, Instagram and Fitbit and so on, about their revised data and privacy policies.

Here’s a great summary from Danny O’Brien of the Electronic Frontier Foundation, on what to look out for.

Why am I getting all these terms of service update emails?
The EU regulators are certainly paying attention to these email updates. A strongly-worded blog post this week by EU’s head enforcer, European Data Protection Supervisor (EDPS) Giovanni Buttarelli, warned the public and his fellow regulators to be “vigilant about attempts to game the system”, adding that some of these new terms of service emails could be “travest[ies] of the spirit of the new regulation”.

[…]

As Buttarelli says, such “legal cover” might well be against the spirit of the GDPR, but it’s going to take a while for companies, regulators, and privacy groups to establish what the law’s sometimes ambiguous statements really mean. One particularly knotty problem is whether the language that many of these emails use (“by using our service, you agree to these terms”) will be acceptable under the GDPR. The regulation is explicit that in many areas, you need to give informed, unambiguous consent by “a statement or clear affirmative action.” Even more significantly, if the data being collected by a company isn’t necessary for the service it is offering, under the GDPR the company should give covered users the option to decline that data collection, but still allow them to use the service.

GDPR and a Digital Protection Agency?

Ok, I know I said that I’ll stop reading articles about personal data abuses, but they just keep coming.

Silicon Valley has failed to protect our data. Here’s how to fix it
What’s been unfolding for a while now is a rolling catastrophe so obvious we forget it’s happening. Private data are spilling out of banks, credit-rating providers, email providers, and social networks and ending up everywhere. […]

Given that the federal government is currently one angry man with nuclear weapons and a Twitter account, and that it’s futile to expect reform or self-regulation from internet giants, I’d like to propose something that will seem impossible but I would argue isn’t: Let’s make a digital Environmental Protection Agency. Call it the Digital Protection Agency. Its job would be to clean up toxic data spills, educate the public, and calibrate and levy fines.

That sounds like a very sensible, pragmatic and effective approach, so it’s obviously going to be ignored. It was interesting reading that after hearing about another data breach yesterday, this time with a fitness app. It seems the company dealt with it appropriately though. This time.

The MyFitnessPal hack may affect 150 million people. It could’ve been even worse.
Under Armour and MyFitnessPal seem to have some good data practices in place: Payment information was kept separate from general user information, which was stored separately from user-uploaded app data. Under Armour also appears to have reacted swiftly once it learned of the breach and notified users and the public a few days later—a stark comparison to other companies, such as Uber, which hid its 2016 data breach by paying off the hackers. Still, it’s an important reminder that being hacked isn’t a matter of if—it’s when.

What will these companies make of the GDPR, I wonder.

WTF is GDPR?
Last year the company [Facebook] told us it had assembled “the largest cross functional team” in the history of its family of companies to support GDPR compliance — specifying this included “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”.

“Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. It also said it was in the process of hiring a “top quality data protection officer” — a position the company appears to still be taking applications for.

And this.

How Europe’s new privacy rule is reshaping the internet
Much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in two crucial ways. First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. By default, any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person. Users also need a way to revoke that consent, and they can request all the data a company has from them as a way to verify that consent. It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online.