Data Regulators Reflect On the First Months Of GDPR*:

  • Speaking at the IAPP Data Protection Intensive 2019 conference in London, a panel discussion on the first year of GDPR and “What Actions Have Been Taken?” explored how over €55m has been handed out in fines, although the majority of that was the €50m levied at Google.
  • The last year has also seen data protection authorities more than double their head counts.
  • Moderator Vivienne Artz, chief policy officer of Refinitiv, reflected on data relating to investigations, reports and financial penalties since GDPR came into force.
  • She said that in the UK, 206,326 total cases had been reported, of which 94,000 were complaints and 64,000 were data breach notifications. Of these, 52% had been concluded.
  • Stephen Eckersley, director of investigations at the UK Information Commissioner’s Office, said that the ICO had increased staff numbers from 380 to 700, while Jay Fedorak, information commissioner of the Jersey Channel Islands, added that staff had increased from four to nine people.
  • Eckersley explained that teams were added to deal with “the cyber problem” of breaches and state-sponsored attacks, while other teams were investigating “criminal breaches of the Data Protection Act and Freedom of Information Act” and regulating the NIS Directive.
  • Fedorak, who was formerly an assistant to current UK information commissioner Elizabeth Denham, said that there were ambitions of growing beyond 60 people for the 110,000+ population of the Channel Islands.
  • Eckersley said that a lot of the work since May 25 2018 had been on “legacy cases” and he acknowledged that issuing fines was “not the only way to regulate,” but that the work also involved investigating: gathering evidence, reacting quickly and dealing with reports from data controllers and from the media.
  • Explaining how an investigation comes together, he said that an investigating team finds evidence and speaks to the data controller, looks for policy and procedures and it “all ends up in the same place – enforcement action.”
  • This team then pulls the case together, which goes to the delegated authority, and a regulatory panel determines the size of the fine.
  • He said: “There were five bands under the 1998 DPA, and we are considering our options of continuing that approach or working with our colleagues in The Netherlands and Norway, and harmonizing the calculation of fines.”
  • Appearing via video link, Mathias Moulin, director of rights protection and sanctions directorate at the Commission nationale de l’informatique et des libertés, said that prioritization with colleagues was important, and regulation was pushing that as it was a “natural” expectation of GDPR to prioritize European cooperation for complaints “as we have a limited time limit to handle complaints.”
  • Commenting on the shift from data loss to other types of privacy breach (94,000 to 64,000), Moulin said that there is “still room to improve the processes of contact.”
  • Asked by an audience member if there is a problem of over-reporting, Eckersley said that the ICO recognized that it needed a dedicated team; in the first month of GDPR, 1,700 breaches were reported, and while this has levelled off to 380-400 a month, “it more and more clarifies what GDPR is saying.”

*Source: Infosecurity Magazine, March 14, 2019


Netherlands Premieres First Fining Policy in The EU*:

  • The Dutch Data Protection Authority just released its GDPR fining policy, being the first country to do so.
  • GDPR allows for a maximum fine of 4 percent of global revenue or €20 million, whichever is higher, but little has been said about how to determine the exact fine amount and what the scale is.
  • The new GDPR fining policy sheds light on this as it introduces a four category system, giving various examples depending on company size and maximum fine.
  • For example, if a company’s maximum fine is €10 million, it might face the following fines for less severe violations:
    • Category I: €0 to €200,000
    • Category II: €120,000 to €500,000
    • Category III: €300,000 to €750,000
    • Category IV: €450,000 to €1 million
  • While the Dutch Data Protection Authority doesn’t explicitly state how it’ll categorize GDPR violations, it does share a list of “relevant factors” for determining the severity of a violation.
  • Factors include the duration of the infringement, the number of data subjects (people) affected, how quickly the company reacts, and what type of personal data is involved.
  • Arnoud Engelfriet, IT lawyer and partner at Dutch firm Legal ICT, says the policy brings some much needed clarity to GDPR enforcement.
  • While the GDPR doesn’t strictly require a detailed policy, it does require a fine to be evaluated according to many criteria, so issuing a clear policy like this helps in Engelfriet’s opinion.
  • Introducing categories does, however, make it easier for companies and the general public to understand how GDPR will be enforced.
  • Engelfriet is happy with the introduction of the new policy and says the fine system is set up so that ‘simple’ offenses can be managed with a relatively light fine, thus reducing the number of appeals and making the whole process smoother.
  • But if something big happens, they can bring down the full GDPR hammer and fine €10 or €20 million, or 4 percent of worldwide turnover.
  • And this is definitely so for the general rules of GDPR: transparency, easily available rights, and above all, clear documentation on every step you took to become compliant.
  • Because if you’re GDPR compliant but you have no documentation, you’re not GDPR compliant.
  • And that’s a €20 million fine for you then.
  • Many have been waiting for GDPR’s ‘real’ impact, as there wasn’t much enforcement in 2018.
  • Experts predict that this will change in 2019, with various investigations coming to a close in the following months, accompanied by the first GDPR fines.

*Source: TheNextWeb, March 15, 2019


Australian Man Arrested For Selling $200K Worth Of Stolen Spotify and Netflix Passwords*:

  • A 21-year-old man living in Sydney, Australia was reportedly arrested on Tuesday for having over one million stolen Netflix, Spotify, and Hulu passwords on his website com.
  • Australian police estimate that he made approximately $211,000 over the course of the two-year scam.
  • The FBI initially informed the Australian Federal Police (AFP) of Wicked Gen in 2018, given the 120,000 paid members the site reportedly had.
  • The two entities then collaborated in a joint international cybercrime investigation to pinpoint the man responsible.
  • Although the perpetrator was based out of Australia, the users who subscribed to the site were based across the globe, including the U.S.
  • After obtaining a search warrant and arriving at the premises, the AFP seized “electronic materials and various amounts of cryptocurrencies.”
  • According to the AFP, the man accessed the account information by “credential stuffing,” which involves the attacker compiling a list of previously compromised usernames and passwords, usually obtained from a breach, and then selling them for profit.
  • As most people reuse the same password again and again, once account information for one service has been obtained, it will likely provide the details needed to access other accounts.
  • The AFP confirmed that they are working with Netflix, Spotify, Hulu and all other companies implicated to address the issue.
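The defender's view of the credential-stuffing pattern described above, as an added example that is not from the article, the AFP or any of the companies named: leaked username/password pairs are replayed against a service, so the detectable signature is one source trying many distinct usernames in a short window, most of them failing. The script below runs that check over constructed login-log lines; the log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
"""
Added example: flag credential-stuffing style login bursts in an
authentication log. Not from the article or the AFP; the log format and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log lines in an assumed format:
# <ISO timestamp> <source IP> <username> <OK|FAIL>
# 203.0.113.9 replays many different accounts in a few seconds (stuffing);
# 198.51.100.7 is one user mistyping their own password (benign).
SAMPLE_LOG = """\
2019-03-12T10:00:01Z 203.0.113.9 alice FAIL
2019-03-12T10:00:02Z 203.0.113.9 bob FAIL
2019-03-12T10:00:02Z 203.0.113.9 carol FAIL
2019-03-12T10:00:03Z 203.0.113.9 dave OK
2019-03-12T10:00:03Z 203.0.113.9 erin FAIL
2019-03-12T10:00:04Z 203.0.113.9 frank FAIL
2019-03-12T10:00:05Z 203.0.113.9 grace FAIL
2019-03-12T10:00:05Z 203.0.113.9 heidi FAIL
2019-03-12T10:00:06Z 203.0.113.9 ivan FAIL
2019-03-12T10:00:07Z 203.0.113.9 judy FAIL
2019-03-12T10:01:00Z 198.51.100.7 alice FAIL
2019-03-12T10:01:20Z 198.51.100.7 alice FAIL
2019-03-12T10:01:45Z 198.51.100.7 alice OK
2019-03-12T10:30:00Z 192.0.2.44 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "OK"


def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_users=8, min_fail_ratio=0.7):
    """
    Return {ip: {"users": n, "attempts": n, "failures": n}} for every source
    IP that, within some sliding `window`, tried at least `min_users` distinct
    usernames with a failure ratio of at least `min_fail_ratio`. For a flagged
    IP the window with the most distinct usernames is reported.
    Counting *distinct* usernames is what separates stuffing from a single
    user retrying their own password, which never exceeds one username.
    """
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            users = {u for _, u, _ in current}
            failures = sum(1 for _, _, ok in current if not ok)
            if len(users) >= min_users and failures / len(current) >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["users"]:
                    flagged[ip] = {"users": len(users), "attempts": len(current),
                                   "failures": failures}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {stats['users']} distinct users, "
              f"{stats['failures']}/{stats['attempts']} failed -> possible credential stuffing")
```

Run as-is, the script flags only 203.0.113.9 (ten usernames, nine failures in six seconds) and leaves the user retrying their own password alone. A successful login inside such a burst, like `dave` here, is the one most worth following up, since it is exactly the reused credential the article's final bullet warns about.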