As the deadly COVID-19 pandemic rages on, public and private entities alike rush to find a cure, a vaccine, and at the very least, methods for limiting the uncontrolled multiplication of the virus. But exploring every possibility must be balanced with the protection of data privacy – and that can be difficult. Take for example…
Quebec Updates Data Privacy Law
Amendments to Quebec’s Act respecting the protection of personal information in the private sector (the Act) begin taking effect in September 2022, and recent updates to the Act address biometric privacy. A summary of the Act published by the Commission d’accès à l’information (CAI) notes that businesses must notify the Commission before using biometric information to verify a person’s identity. The summary further notes that businesses must designate a person in charge of the protection of personal information, and that this person’s title and contact information must be published on the company’s website. Businesses must also notify the Commission of data breaches that “represent a risk of serious injury” and keep a registry of such incidents. The summary also recommends that businesses take an inventory of the personal information they hold and of the security measures they have in place to protect it.
NOYB Issues Open Letter on EU-US Data Transfers
Last week, privacy activist Max Schrems, through his organization My Privacy is None of Your Business (NOYB), issued an open letter regarding the proposed Trans-Atlantic Data Privacy Framework that is intended to replace the now-defunct Privacy Shield agreement. In the letter, Schrems writes, “We understand that the future deal ‘agreed in principle’ is mainly based on a political agreement between Commission President von der Leyen and US President Joe Biden, but is not the result of material changes to U.S. law in response to the CJEU’s judgment. This approach seems to repeat the ‘Privacy Shield’ agreement and is deeply concerning.” Schrems’s concerns center on two proposed aspects of the agreement: the use of executive orders, rather than legislative amendments, to regulate U.S. surveillance activities, and the U.S. plan to place the redress body for data transfers within the executive branch. Schrems deems both of these aspects of the Trans-Atlantic Data Privacy Framework noncompliant with GDPR. He also objects that no updates to the Privacy Shield Principles are planned, and that the European Commission appears ill-equipped to negotiate an adequate data transfer agreement. It should be noted that almost no detail about the Trans-Atlantic Data Privacy Framework has been released, so Schrems’s concerns are at this point based largely on speculation. But given that the Privacy Shield agreement was struck down as a result of the legal challenges brought by Schrems and NOYB, regulators would do well to take his concerns into account if they wish to produce an adequacy agreement that survives court review.
EU Reaches Agreement on The Digital Services Act
An expansive new EU law regulating online platforms is set to take effect in 2024. The Digital Services Act, designed to protect online users’ rights and curb harmful content, will ban targeted advertising aimed at children, as well as targeted advertising based on sensitive data such as ethnicity, political views, and sexual orientation. Tech companies will feel the brunt of the law’s effects, though the obligations that apply will depend on the size of the company. The law has yet to be formally approved by the European Parliament and EU member states. ADCG will release a guide to compliance when the law is passed.
Threat Actors Using Chatbots to Steal Data
According to research from Trustwave, chatbots convey a sense of legitimacy to internet users, and threat actors are exploiting that trust: fake customer-service chatbots claiming to hold package delivery information are used “to guide visitors through the process of handing over their login credentials to threat actors.” In this type of scheme, the chatbot directs the user to a PDF containing malicious links, which in turn lead to a site that prompts the user for personal information under the guise of scheduling a delivery. Information phished in this scheme usually includes account credentials and credit card details.
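The scheme above hinges on a PDF whose embedded links point somewhere other than the courier the lure impersonates. The following Python script is an added example (not from Trustwave or the original article) that pulls the link targets out of a PDF and flags any whose host does not belong to the domain the lure claims to represent. The PDF bytes are constructed inline for the example, the expected domain (`dhl.com`) is an assumption, and the parser only reads uncompressed link annotations; PDFs that pack their objects into FlateDecode object streams would need decompression first.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF with two /Link annotations. One points at
# the courier's real site, the other at a lookalike host (an invented name).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://dhl-parcel-reschedule.example/track?id=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://www.dhl.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF literal string may contain escaped parentheses and backslashes,
# so match '\\.' or any non-backslash, non-')' byte inside the parens.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
_ESCAPE_RE = re.compile(rb"\\(.)")


def _unescape(raw: bytes) -> str:
    """Undo the PDF string escapes that matter for a URL: \\( \\) and \\\\."""
    return _ESCAPE_RE.sub(lambda m: m.group(1), raw).decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in uncompressed PDF objects."""
    return [_unescape(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


def has_compressed_objects(pdf_bytes: bytes) -> bool:
    """True if the file uses object streams, which this parser does not open."""
    return b"/ObjStm" in pdf_bytes


def suspicious_links(pdf_bytes: bytes, expected_domain: str) -> list[str]:
    """Return links whose host is neither the expected domain nor a subdomain of it."""
    expected = expected_domain.lower().rstrip(".")
    flagged = []
    for url in extract_uris(pdf_bytes):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host != expected and not host.endswith("." + expected):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    if has_compressed_objects(SAMPLE_PDF):
        print("warning: object streams present, links may be missed")
    for link in suspicious_links(SAMPLE_PDF, "dhl.com"):
        print("suspicious link:", link)
```

The endswith check on a dotted suffix matters: a naive substring test would accept `dhl.com.example` or `notdhl.com`, which is exactly the kind of lookalike these lures use.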
Breach Reports
- East Tennessee Children’s Hospital
- Optoma Technology Incorporated
- General Motors
- Chicago Public Schools
- Val Verde Regional Medical Center
- Biolase, Inc.
- Pharma Co.
* * * * * * *
To read our in depth discussion on the need for a Data Protection Impact Assessment and how to conduct one, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Stay tuned for our newest episode as Jody Westby discusses the latest topics on our Privacy and Cybersecurity podcast this week. Our Podcasts are released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!