Month: October 2021

https://www.dlapiperdataprotection.com/

A minimum security baseline for enterprise-ready products and services.
https://mvsp.dev/

(Introduced by Google and others, see https://www.scmagazine.com/news/devops/google-tech-industry-proposes-minimum-viable-secure-product-baseline-for-b2b-software)

https://iapp.org/news/a/multiparty-computation-as-supplementary-measure-and-potential-data-anonymization-tool/

includes some interesting links, such as

• https://www.cs.tau.ac.il/~iftachh/Courses/Seminars/MPC/Intro.pdf
• https://www.gartner.com/en/newsroom/press-releases/2020-10-19-gartner-identifies-the-top-strategic-technology-trends-for-2021
• distributed signatures
  https://new.ingwb.com/en/insights/distributed-ledger-technology/ing-releases-multiparty-threshold-signing-library-to-improve-customer-security
• key management
  https://sepior.com/blog/secure-multiparty-computation-mpc-for-agile-enterprise-key-management
• privacy-preserving machine learning
  https://ppml-workshop.github.io/
• blockchain
  https://eternacapital.medium.com/secure-multi-party-computation-applications-within-blockchain-technology-e07c727281e1
• financial fraud detection
  https://cacm.acm.org/news/255395-mining-financial-data-without-actually-seeing-it-can-detect-fraud/fulltext
• digital advertising
  https://www.neowin.net/news/facebook-explains-how-it-will-preserve-your-privacy-while-serving-you-ads/
• medical research https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7952236/
• Basic Constructions of Secure Multiparty Computation https://ebooks.iospress.nl/volumearticle/40025
• Links related to the legal point of view that MPC leads to anonymization of personal data
  • https://www.jmir.org/2021/2/e25120/PDF
  • https://www.jipitec.eu/issues/jipitec-7-2-2016/4440
  • https://core.ac.uk/download/pdf/301662056.pdf
  • https://medium.com/applied-mpc/simplified-gdpr-compliance-using-mpc-cryptography-un-and-ec-studies-explain-b2c21ecd0d7b

On June 3, 2021, the CNIL approved the first European code of conduct, carried by Cloud Infrastructure Service Providers Europe (CISPE), dedicated to cloud infrastructure service providers (Iaas).

This code of conduct identifies several bodies in charge of monitoring its correct application by members, including the National Metrology and Testing Laboratory (LNE) and Bureau Veritas Italia Spa. – After an instruction and discussion phase, the CNIL decided to issue these two this approval for a period of 5 years from September 23, 2021 for the first and October 7, 2021 for the second. The CNIL will ensure that these approved organizations comply with the standards it has established.
The verifications carried out by approved organizations such as LNE and Bureau Veritas Italia Spa are completely separate from the verification missions carried out by the CNIL in application of the Data Protection Act.

Each code of conduct provides for penalties in the event of non-compliance noted, for example it may be a public exclusion of the member concerned.

https://www.cnil.fr/fr/code-de-conduite-la-cnil-delivre-deux-nouveaux-agrements-des-organismes-de-controle

https://forum.kuketz-blog.de/viewtopic.php?t=8196
(in context of its use by the RKI – www.rki.de )

With link to an action by the Data Protection Authority in Portugal (CNPD – Deliberação/2021/533) from 27.4.2021:
https://gdprhub.eu/index.php?title=CNPD_-_Delibera%C3%A7%C3%A3o/2021/533&mtc=today

The RKI has adjusted their privacy notice:

Content Delivery Network
Zur Einbindung von Skripten und Bibliotheken auf dieser Webseite setzen wir ein sogenanntes Content Delivery Network (CDN) der Firma Cloudflare, Inc., 101 Townsend Street, San Francisco, California 94107, USA (“Cloudflare”) ein. Content Delivery Networks haben den Zweck, Ihnen die Inhalte dieser Website schnell und optimiert zur Verfügung zu stellen und Angriffe, wie z.B. DDos-Attacken, besser abzuwehren. Zu diesen Zwecken werden die zuvor genannten Zugriffsdaten bei jeder Nutzung dieser Website an den nächstgelegenen Server von Cloudflare weitergeleitet. Sofern der Server-Standort, von dem die Inhalte zur Verfügung gestellt werden, in einem Drittland liegt, kommt es insoweit zu einer Übermittlung der zuvorgenannten pseudonymisierten Zugriffsdaten in dieses Drittland.

Die Datenverarbeitung ist erforderlich, um den Besuch der Website zu ermöglichen und um die dauerhafte Funktionsfähigkeit und Sicherheit unserer Systeme zu gewährleisten. Rechtsgrundlage ist Art. 6 Abs. 1 S. 1 lit. b DSGVO. Weitere Informationen zur Datenverarbeitung finden Sie in der „Cloudflare Privacy Policy“.

https://www.activemind.de/magazin/aufgedraengte-daten/

Amazon AWS “Hébergeur de Données de Santé” (HDS) overview at https://aws.amazon.com/compliance/hds/

“To be HDS certified, an IT provider must be ISO 27001 certified. This means that the services covered by our ISO 27001 certification are included in the scope of HDS. The AWS services that are in scope for the ISO/IEC 27001:2013 certification can be found on the ISO Certified webpage. ”

“As per the Shared Responsibility Model, AWS’ HDS certification demonstrates the “Security of the Cloud,” enabling customers to focus their resources on items related to “Security in the Cloud” in connection with their HDS certification process.”

HDS details at ANS: https://esante.gouv.fr/labels-certifications/hebergement-des-donnees-de-sante

https://edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf

SchremsII approach by Google, Microsoft and Salesforce

https://datenrecht.ch/wie-google-microsoft-und-salesforce-die-neuen-scc-umsetzen-und-was-dies-fuer-verantwortliche-im-ewr-und-in-der-schweiz-bedeutet/

https://www.cnil.fr/sites/default/files/atoms/files/cnil_livre_blanc_2-paiement.pdf

https://www.cnil.fr/fr/la-cnil-publie-un-nouveau-livre-blanc-sur-les-donnees-et-moyens-de-paiement