Statement on the end of the Brexit transition period
Adopted on 15 December 2020
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_20201215_brexit_en.pdf
New Microsoft DPA (9-Dec-20020)
New Microsoft Data Processing Agreement template
https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67
Article: Design and evaluation of a data anonymization pipeline to promote Open Science on COVID-19
https://www.nature.com/articles/s41597-020-00773-y
using ARX pipeline
Sweden: DPA fines Umeå University (~53,000 EUR)
Very interesting case involving sensitive personal data that
- was shared via unencrypted email (which was pointed out to the university, but was not reported as an incident)
- stored on box.com, protected only by username/password, despite the fact that the University’s risk assessment didn’t support this – and in violation to internal published policies
(I hope I read the documents correctly..)
Press release:
https://www.datainspektionen.se/nyheter/universitet-brast-i-skyddet-av-kansliga-personuppgifter/
France: CNIL fines Google (100 mio EUR) and Amazon (35 mio EUR) over cookies, trackers and privacy notices
On 7.12.2020 the CNIL fined total o 135 million Euro – Google LLC (60 Mio.), Google Ireland (40 Mio.) and Amazon (35 Mio.)
Press release in English:
- Sanctions on Google https://www.cnil.fr/en/cookies-financial-penalties-60-million-euros-against-company-google-llc-and-40-million-euros-google-ireland
- Sanctions on Amazon https://www.cnil.fr/en/cookies-financial-penalty-35-million-euros-imposed-company-amazon-europe-core
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635706
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635729
Germany: SDM Standarddatenschutzmodell / Standard Data Protection Model
https://www.datenschutzzentrum.de/sdm/
also – with somehow more material, incl. security control blocks at
https://www.datenschutz-mv.de/datenschutz/datenschutzmodell/
New Zealand: New Privacy Law overview (by FPF)
A Deep Dive into New Zealand’s New Privacy Law: Extraterritorial Effect, Cross-Border Data Transfers Restrictions and New Powers of the Privacy Commissioner
NIST links (Privacy Framework and Cybersecurity Framework)
NIST Privacy Framework
https://www.nist.gov/privacy-framework/privacy-framework
with PDF at
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf
NIST Cybersecurity Framework
https://www.nist.gov/cyberframework
with PDF at
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Article by TwoBirds on EDPB Guidelines on targeting social media users (draft)
includes summary of criteria proposed by EDPB in context of “Data manifestly made public by the data subject”.
Also distinction by EDPB between explicit and inferred/combined special categories of personal data.
Assumptions or inferences regarding special category data would also constitute special category data
SWeden: DPA audited eight healtcare providers, fines seven (up to 3 mio EUR)
The Data Inspectorate has now completed an inspection of eight care providers. What has above all been examined is whether the care providers have carried out the needs and risk analysis required to be able to give the staff the right access to personal data in the main medical record systems.
– Caregivers must make a careful analysis and assessment of what staff’s needs are for information in the medical record systems and what risks there are if staff have access to patient data. Without such an analysis, care providers cannot assign the staff the right qualifications, which in turn means that the operations cannot guarantee patients the privacy protection they are entitled to, says Magnus Bergström, who is the coordinator for the eight reviews.
The Data Inspectorate states that seven of the care providers have not carried out a needs and risk analysis, while one care provider has carried out an analysis which, however, has certain shortcomings.
The authority also states that seven of the care providers do not limit the users’ permissions for access to the respective medical record system to what is only needed for the user to be able to fulfill his or her duties.
This means that the seven care providers have not taken sufficient measures to be able to ensure and demonstrate an appropriate security for the personal data in the medical record systems.
https://www.datainspektionen.se/nyheter/brister-i-hur-vardgivare-styr-personalens-atkomst-till-journaluppgifter/ with links to details of the specific cases