GDPR

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

You might think that the day after the General Data Protection Regulation goes into effect in EU member states is a bit late in the game to launch a page on the topic, but there seems to be so much last-minute panic and uncertainty around that I thought I might at least put up some relevant links while the dust settles.

Here’s a sensible article by Mirko Zorz for Help Net Security – GDPR: Today is the day – echoing a point I’ve been making to anyone who insisted on getting my opinion. “The other big misconception is that GDPR is forcing companies to think about something new. Legislation in the EU and UK to protect data has been around years before GDPR. What’s new in GDPR is the potential size of the fine and the fact that it can affect non-EU companies. Getting companies to think seriously about how they protect data has been an ongoing effort for many years.” The point I’ve been trying to make (though not previously in any sort of article) is that if you’ve been compliant with the Data Protection Directive that GDPR supersedes, and with harmonized legislation like the UK’s Data Protection Act (updated for 2018 in order to conform with GDPR), then GDPR shouldn’t be such a big deal. Yes, many organizations have needed to tweak their policies and practices, but the broad focus of the legislation, in the words of the Data Protection Act, is still this:

The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—

(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,

(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and

(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

Even organizations outside the European Union but engaged in transactions with member states should not be strangers to the need to address these issues: EU directives and legislation have dealt with data transfers to external states for decades. Remember Safe Harbour? Of course, not all organizations have shown equal enthusiasm and prompt action. Microsoft, for instance, has announced that:

…we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else. Our privacy dashboard gives users the tools they need to take control of their data.

(This is also a neat summary from Microsoft: In case you missed it: 10 of your questions from our GDPR webinars.)

Help Net also notes that “Apple has set up a Data and Privacy portal where users can make a request to download all the data Apple has on them, correct their personal information, deactivate or delete their account.”

Sounds good to me, in principle at least. No doubt we’ll have lots of fun seeing what happens in practice.

Facebook has been more equivocal, while claiming to be singing from the same hymnsheet. ICANN, meanwhile, has been noticeably wrong-footed in its belated attempts to tweak DNS and WHOIS in order to achieve conformance. And there is no need for me to even try to name and shame all the services that are currently suspended while the providers try to sort themselves out.

Meanwhile, ESET offers to tell us Why GDPR affects companies around the world (video) and also provides a free guide and compliance check here. And here’s more advice from Jon Fielding of Apricorn for Help Net: It’s time to embrace GDPR.

Gizmodo: Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law – “So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.”

And, from the Guardian:

Most GDPR emails unnecessary and some illegal, say experts “Many firms have the required consent already; others don’t have consent to send a request”

18th November 2018

Tomáš Foltýn for ESET: Attackers exploit flaw in GDPR-themed WordPress plugin to hijack websites – “The campaign’s goals aren’t immediately clear, as the malefactors don’t appear to be leveraging the hijacked websites for further nefarious purposes”
ThreatPost: GDPR’s First 150 Days Impact on the U.S. – “So, roughly 150 days after the passage of one of the most significant data privacy laws ever, how has it impacted U.S. companies’ privacy efforts? The reality is, not so much.”

19th October 2018

ZDNet: Apple to US users: Here’s how you can now see what personal data we hold on you – “Apple’s privacy tools now go beyond Europe, so more now get to download the personal data it has collected… The move brings the four countries in line with Europe, where Apple began offering a simpler way to download a copy of user data in May, just before the EU’s strict GDPR privacy legislation came into effect.”

10th October 2018

Amber Welch for Security Boulevard: Phishing the GDPR Data Subject Rights – “Companies across the globe are now working toward compliance with the EU GDPR, while phishers may be preparing to exploit their new compliance processes. Airbnb first fell prey to a GDPR-related scam, with more surely to come. Unfortunately, many GDPR security efforts have focused primarily on Article 32 while overlooking new ancillary compliance program risks.”

3rd October 2018

ESET: Facebook: No evidence attackers used stolen access tokens on third-party sites – “The social networking behemoth is expected to face a formal investigation by Ireland’s Data Protection Commission in what could be the ‘acid test’ of GDPR since the law became effective in May”

18th September 2018

Veronika Gallisova for ESET: 100 days of GDPR – “What impact has the new data protection directive had on businesses so far?”

29th August 2018

Recorded Future: 90 Days of GDPR: Minimal Impact on Spam and Domain Registration – “While it has only been three months since the GDPR went into effect, based on our research, not only has there not been an increase in spam, but the volume of spam and new registrations in spam-heavy generic top-level domains (gTLDs) has been on the decline.”

Commentary by The Register (30th August): Fear mongers forced to eat shorts over spam swamping claims – “GDPR and no Whois hasn’t caused catastrophe…Researchers at Recorded Future have been tracking spam through Cisco’s Talos reporting system and have concluded that GDPR has had zero impact on online problems.”

24th August 2018

Rebecca Hill for The Register: Chap asks Facebook for data on his web activity, Facebook says no, now watchdog’s on the case – “Info collected on folk outside the social network ‘not readily accessible’ … Facebook’s refusal … is to be probed by the Irish Data Protection Commissioner … Under the General Data Protection Regulation … people can demand that organisations hand over the data they hold on them.”

21st August 2018

Catalin Cimpanu for Bleeping Computer: Number of Third-Party Cookies on EU News Sites Dropped by 22% Post-GDPR – “Researchers looked at 200 news sites in total, from seven countries — Finland, France, Germany, Italy, Poland, Spain, and the UK.” Sadly, there seem to be an awful lot of sites outside the EU that regard GDPR as avoidable simply by saying “We use cookies: live with it or live without us.” Sigh…

The Register takes a slightly broader view: That’s the way the cookies crumble: Consent banners up 16% since GDPR – “While news sites cut cookies by 22% – but Google retains omnipresence”

2nd August 2018

The Register: India mulls ban on probes into anonymized data use – with GDPR-style privacy laws – “Thought having your call center in India was a good idea? Maybe not so much now”

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost

11th July 2018

John Leyden for The Register: Thomas Cook website spills personal info – and it’s fine with that – “Decides not to report code blunder despite Europe’s new GDPR privacy rules”. Commentary from Graham Cluley here.

(I thought it was Nelson who turned a blind eye, not Captain Cook…)

5th July 2018

The Register: United States, you have 2 months to sort Privacy Shield … or data deal is for the bin – Eurocrats – “MEPs call for urgent fix”

22nd June 2018

Threatpost: Sneaky Web Tracking Technique Under Heavy Scrutiny by GDPR

15th June 2018

8th June 2018

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected ‘sync browser tabs’ in Safari. This internet history does not disappear from their servers when you click ‘Clear internet history’ on Safari … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance.”

1st June 2018

For Tech Beacon, Richi Jennings curates some blog-y thoughts on GDPR and what comes next from the EU: Think GDPR was a disaster? EU’s ePrivacy Regulation is worse

Milena Dimitrova for Security Boulevard: GDPR Is Affecting the Way WHOIS Works, Security Researchers Worry – as indeed it is, and indeed they should…

Graham Cluley: An advert against online privacy “NO, YOU CAN TAKE ANYTHING… JUST DON’T TAKE MY APPS!” – “The advertising industry … has its knickers in a twist so tightly about European privacy regulations that it made videos like this to try to sway public opinion”

For Help Net, Arcserve’s Oussama El-Hilali discusses The emergence and impact of the Data Protection Officer. Not a bad article, but extraordinarily US-centric in its assertion that “… one of the lesser known mandates of the regulation is the creation of a completely new role: The Data Protection Officer (DPO).” That role, if not necessarily that job title, has long been known in Europe and the UK as a direct result of the Data Protection Directive 95/46/EC (which GDPR supersedes) and the UK’s Data Protection Act(s).

Sophos:  European Commission “doesn’t plan to comply with GDPR” – well, sort of

28th May 2018

Sophos: Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!

30th May 2018

The Register: Businesses brace themselves for a kicking as GDPR blows in – “Securing company data just got even harder”