Privacy and politics: CNIL releases a report
Today is the deadline for comments on COPPA Rule
Hong Kong PCPD on the TransUnion data breach incident
Our Hong Kong member Tanner De Witt contributes to the news today, reporting that this investigation report from the Hong Kong Privacy Commissioner relates to an incident in which a local newspaper in Hong Kong was able to pass through the online authentication procedures of a credit reference agency and obtain the credit reports of a number of public figures. Unsurprisingly, the Privacy Commissioner found that the credit reference agency had poor controls on online authentication. The Privacy Commissioner also observed that credit reference checking forms a valuable service within financial services, with broader policy implications than personal data protection alone. The Privacy Commissioner, for instance, sees merit in requiring credit reference agencies to be under the direct supervision of a regulator, and in there being competition in the marketplace to lower the cost of obtaining credit check reports. The issues are deeper and broader than personal data, though sensitive financial personal data is at the core.
UK patient health data traded to US firms
Euractiv reports that health data belonging to millions of UK National Health Service (NHS) patients has been sold under license to US companies and global pharmaceutical firms, in a move that is likely to inflame tensions between the UK government and privacy campaigners in the run-up to the December 12 election.
BfDI imposes €9.55M fine on telecommunications service provider for GDPR violations
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined the telecommunications service provider 1 & 1 Telecom GmbH 9,550,000 euros. The BfDI had become aware that callers could obtain extensive further personal data about another customer through the customer care service just by giving that customer's name and date of birth. The BfDI sees this authentication procedure as a violation of Art. 32 of the GDPR, since the company did not take appropriate technical and organisational measures to systematically protect the processing of customers' personal data.