Four Singapore organisations found to be in breach of obligation to protect personal data

On 13 December 2018, the Singapore data protection commission issued four separate decisions against the following organisations, for breaches of the protection obligation under section 24 of the Personal Data Protection Act 2012 (PDPA):

  • Funding Societies Pte Ltd
  • WTS Automotive Services Pte Ltd
  • Institute of Singapore Chartered Accountants
  • SLF Green Maid Agency

Funding Societies

The facts of this case were as follows:

  • The organisation operates an online financing platform for investors and borrowers.
  • There was a vulnerability on the organisation’s website, such that when a user logged in, they could access the personal details of other users of the site simply by changing a unique identifier without such identifier in both their authentication and authorisation tokens needing to match. The vulnerability lasted for 37 days and enabled the customer’s name, national registration identity card number and residential address to be accessed without authorisation.
  • The commission found that an authorised user would have been able to pretend to be another user and perform functions such as using an investor’s account to contact prospective borrowers, updating a user’s personal details and even altering the auto-investment settings of an investor’s account.

The commission determined that:

  • The organisation failed to put in place adequate security arrangements on its website, which led to the unauthorised access of users’ personal information and potential misuse of the accounts by unauthorized users.
  • What is particularly noteworthy is the commission’s comment that it “did not consider being a young organisation to be a mitigating factor”.
  • A financial penalty of $30,000 was imposed for the breach.

Continue Reading

Rise of AI poses new regulatory challenges

Companies that employ algorithms, machine learning and artificial intelligence (AI) in their day-to-day business may face increased attention from federal antitrust and consumer protection regulators in the future. On November 13–14,  the Federal Trade Commission (FTC) addressed this topic in their hearings on “Competition and Consumer Protection in the 21st Century.” The panelists, an assembly of industry leaders, academics and enforcers, proposed methods for AI companies to improve data security and to promote industry self-regulation. To learn more, read our client alert at reedsmith.com.

Joint Committee on Human Rights launches inquiry into Article 8 and the digital revolution

The Joint Committee on Human Rights has launched an inquiry into the right to privacy under Article 8 of the European Convention on Human Rights (ECHR) and the “Digital Revolution”. The inquiry will examine whether further safeguards to regulate the collection, use, tracking, retention and disclosure of personal data by private companies are required to protect human rights in the new digital age.

The key human right considered to be at risk is the right to private and family life under Article 8.

The Committee has also stated that freedom of expression (Article 10), freedom of assembly and association (Article 11) and prohibition of discrimination (Article 14) are also deemed to be at risk.

The Committee are now in the process of collecting written evidence of the threats posed to human rights by the processing of personal data by companies, and instances where those rights have been breached. The Committee have raised the following five questions and requested responses to be submitted online by 31 January 2019:

Continue Reading

European Data Protection Board – Fifth plenary session: EU-Japan draft adequacy decision, DPIA lists and guidelines on accreditation

The European Data Protection Board (EDPB) met for its fifth plenary session on 4 and 5 December 2018.

The EDPB published a press release, highlighting the three main areas of discussion:

  1. EU-Japan draft adequacy decision. The EDPB adopted an opinion on the European Commission’s draft adequacy decision. In adopting its opinion, the EDPB focused on the sufficiency of guarantees for an adequate level of data protection, emphasising that the Japanese framework need not necessarily replicate that of the European Union (EU). The EDPB welcomed the increased convergence of both frameworks, but expressed a number of concerns, in particular with regard to the continuing protection of personal data transferred from the EU to Japan. The EDPB recommends the European Commission to also address the requests for clarification to provide further evidence and explanations regarding the issues raised and to closely monitor the effective application. As the first adequacy decision to be made since the General Data Protection Regulation (GDPR) entered into force, this will no doubt set a precedent for adequacy decisions going forward.
  2. DPIA lists. The EDPB adopted opinions on the Data Protection Impact Assessment (DPIA) lists, submitted by the supervisory authorities of Denmark, Croatia, Luxembourg and Slovenia. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. The lists set out the types of processing activities which require a DPIA. The EDPB has now adopted 26 opinions. The opinions will help to develop a common view and the consistent application of the GDPR in this area.
  3. Guidelines on accreditation of certification bodies. The aim of the guidelines is to provide guidance on how to interpret and implement the provisions of Article 43 of the GDPR. They seek to create a consistent view for the accreditation of bodies that issue certification in accordance with the GDPR. The Article 29 Working Party previously adopted draft guidelines and opened them up for public consultation. The EDPB has now adopted a final version of the guidelines. In doing so, the EDPB added an annex, which provides guidance on additional requirements for supervisory authorities to consider. The annex will be subject to public consultation.

For further insight into the other areas of discussion, see the session’s agenda.

Does GDPR require non-EU companies to nominate EU representatives? EDPB issues guidance

On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).

Last week we published a blog on these guidelines, focusing on when the GDPR applies to non-European Union (EU) controllers and processors. This week, we focus on when non-EU controllers and processors who come within the scope of the GDPR must appoint an EU representative.

GDPR requires that non-EU controllers or processors of personal data of individuals located in the EU appoint EU-based representatives (EU representative), unless they are exempt. The guidelines divide this requirement into four distinct sections.

Continue Reading

UK government introduces Data Retention and Acquisition Regulations 2018

The Data Retention and Acquisition Regulations 2018 (the regulations) entered into force on 31 October 2018. The regulations concern the retention of communications data by telecommunications and postal operators and the acquisition of communications data by public authorities.

“Communications data” means data concerning a communication transmission, but not the content of the communication. For example, it includes the method of communication, and the sender and receiver of the communication, but excludes what was said or written.

Tele2 and Watson

The regulations were introduced following the Court of Justice of the European Union’s (CJEU) ruling on the Tele2 and Watson case in 2016, which found that the scope of the UK’s data retention regime was too wide to be compatible with European Union (EU) law.

The CJEU found that the retention and acquisition of communications data can only be justified where: (1) the objective is fighting serious crime, (2) only data that is “strictly necessary” is retained, and (3) the retained data is kept within the EU. There should also be independent administrative or judicial authorisation for the retention and acquisition of communications data. The CJEU therefore required the UK to limit the scope of its data retention regime.

Continue Reading

ICO warns that the Washington Post offers invalid cookie consent under the GDPR

It has been reported that the Information Commissioner’s Office (ICO) has issued the US-based Washington Post newspaper with a warning about how it obtains consent for cookies from website visitors.

According to a report in The Register, the ICO stated that the Washington Post’s online subscription options do not allow users to opt out of cookies and other trackers free of charge. Such functionality is only possible as part of the newspaper’s premium paid subscription service. The browsing options offered by the Washington Post are:

(i) free access to a limited number of articles dependent on consent to the use of cookies and tracking for personalised advertisements;

(ii) a basic subscription that provides paid access to an unlimited number of articles but which also requires consent to the use of cookies and other tracking; and

(iii) a more expensive premium subscription option that gives users access to an unlimited number of articles, free of advertising and ad tracking.

The ICO views this as a contravention of the EU’s General Data Protection Regulation (GDPR). Article 7(4) GDPR states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. In failing to provide a free alternative to accepting cookies, the ICO appears to have determined that consent cannot be freely given by users, and is therefore invalid.

Continue Reading

Get caught in the crossfire! E-Discovery debates

Tuesday, December 4, is officially “E-Discovery Day” and Reed Smith is doing its part to participate. Join us as we host a free onehour webinar: “Discovery crossfire: Debating the controversial issues in E-Discovery.”

The program, scheduled for 12-1 p.m. ET, will feature debates on five controversial e-discovery issues:

  • Obligations of employers to search employee personal devices for relevant information;
  • Defensible data disposal when litigation is pending;
  • Responsibility for discovery problems with data stored in the cloud;
  • Technology assisted review transparency and cooperation requirements and protocols; and
  • Whether requesting parties should be entitled to strong remedies when prejudiced by spoliation of relevant information, where the spoliation resulted from negligence rather than intentional misconduct.

Each issue will be debated by Reed Smith litigators Therese Craparo and Anthony Diana, with the debates moderated by David Cohen, leader of Reed Smith’s Records & E-Discovery (RED) Practice Group. After each issue is debated, participants will have an opportunity to vote on each issue and see the results of the voting of other participants.

To join in on the debate, please click here to register.

 

 

Federal Court deals SEC a setback in Blockvest ICO litigation

On November 28, 2018, the U.S. Securities and Exchange Commission’s (SEC) request for a preliminary injunction against Defendants Blockvest, LLC (Blockvest) and Blockvest’s founder and chairman Reginald Buddy Ringgold, III (Ringgold) was denied by United States District Court for the Southern District of California.

Blockvest and Ringgold were offering and selling unregistered securities in the form of digital assets called BLV tokens, per allegations by the SEC. Blockvest sold the tokens in an initial coin offering that, according to the SEC’s complaint, began with pre-sales starting in March 2018.

To review the full report on our FinTech Update blog, click here.

Regulating the tech giants

“2018 was the year that people have woken up to the importance of privacy and have begun to bite back at big tech”.

This was the view expressed by James Dipple-Johnstone, Deputy Commissioner (Operations) at the UK Information Commissioner’s Officer (ICO), during his recent speech at the Institute of Directors in London.

The speech focused on the ICO’s regulation of tech giants in the digital age. It highlighted the many benefits of big tech and big data, indicating that their influence and importance is only likely to grow. However, his speech also stressed that there are deep public concerns about the business models of some tech giants and their increasingly opaque uses of personal data.

Continue Reading

LexBlog