First GDPR fine in Poland (~220,000 EUR) for failure to meet information obligation

  • The company obtained data subjects’ data from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes.
  • Company did not meet the information obligation in relation to over 6 million people.
  • Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.
  • Some additional comments by Piotr Foitzik (IAPP forum on LinkedIn): The company also processed data of millions of people who were sole traders in the past and are not anymore. When it sends postal letters to postal addresses which are not correct and are outdated, this will result in a data breach. The fact that a legal basis has not been analyzed, and were it to be a legitimate interest a balancing test would need to be conducted, does not mean that processing was legitimate but that unfortunately the authority did not discuss some of the core issues here. All in all, publicly available information, including that of entrepreneurs, is also subject to the GDPR and in this instance the data became public not as their free choice, but as it is a legal requirement in Poland, but this requirement also serves for specific purposes and the processing should be in line with these purposes.

https://edpb.europa.eu/news/national-news/2019/first-fine-imposed-president-personal-data-protection-office_en

ICO: Grove – ICO fines company GBP 40,000 for sending nearly two million direct marketing emails without consent

Grove, a Kent pensions company which relied on ‘misleading’ professional advice, has been fined £40,000 by the Information Commissioner’s Office for being responsible for sending nearly two million direct marketing emails without consent. Grove utilised the service of a third-party marketing agent to carry out a range of marketing functions on their behalf, including lead generation.

Grove, by extension through this marketing agent, would work with “email providers”, who essentially provided a hosted marketing service by sending out “pre-approved emails” to opted-in subscribers contained within data sets which they themselves supplied.

Mitigating factors (that helped reduce the penalty):

1) “extensive consultation” with a recognized specialist data protection consultancy (even though this advice was obviously not quite right), as it demonstrated awareness of obligations and a generally positive and proactive approach to data protection

2) Number of complaints received was minimal.

3) No evidence that activity continued beyond period set out within the Notice

4) Cooperation with ICO investigation

https://ico.org.uk/media/action-weve-taken/mpns/2614585/grove-pensions-mpn-20190326.pdf