stefan – Page 46 – Privacy Design®

Quite a few interesting data sets published by CNIL as Opendata, incl. e.g.

Contact information for Data Protection Authorities around the world
Number of formal notices notified each year since 2014
Number and type of sanctions notified each year since 2014
Lists of declarative formalities completed with the CNIL (1979 – May 24, 2018)
List of notifications of personal data breaches received by the CNIL
List of formalities prior to the implementation of personal data processing sent to the CNIL since May 25, 2018
Number of complaints received annually by the CNIL since 1981
etc.

July 1, 2020July 1, 2020

Germany: Helpers on Register of Data Processing Activities

DSK: Muster Verarbeitungsverzeichnis Verantwortlicher
https://www.datenschutz-mv.de/datenschutz/DSGVO/Hilfsmittel-zur-Umsetzung/

Kurzpapier Nr. 1 (Verzeichnis von Verarbeitungstätigkeiten – Art. 30 DS-GVO)
https://www.datenschutzmv.de/static/DS/Dateien/Publikationen/Kurzpapiere/Kurzpapier_Nr_1.pdf

(Privacy register, Privacy registry)

July 1, 2020July 1, 2020

Blog post: What’s in a CNAME?

The perils of letting third party trackers use your CNAME / subdomain.
https://www.simoahava.com/web-development/whats-in-a-cname/

July 1, 2020July 2, 2020

Germany: SDM 2 – first three modules published

The German Data Protection Authorities are developing a Standard Data Protection Model (SDM), as a guideline for data controllers.
They just published the three first modules – on “Documentation”, “Logging” and “Data deletion”.
So “Data deletion” is obviously a priority to them.

https://www.datenschutz-mv.de/datenschutz/datenschutzmodell/

June 30, 2020June 30, 2020

Paper: Unacceptable, where is my privacy? Exploring Accidental Triggers of Smart Speakers

https://unacceptable-privacy.github.io/

June 30, 2020June 30, 2020

Study: The impact of the General Data Protection Regulation (GDPR) on artificial intelligence

“This study addresses the relation between the EU General Data Protection Regulation (GDPR) and artificial intelligence (AI). ”

https://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_STU(2020)641530

June 30, 2020June 30, 2020

Germany: DIGA digital health applications can’t use Standard Contractual Clauses

in German:
According to the external legal blog post below, DIGA does not allow for standard contractual clauses for transfer of data in countries without an EU adequacy decision. (Note: Not all health apps fall under DIGA).
– This leads to an impact to apps, if US Privacy Shield would not survive Schrems II in mid-July 2020 – in the context of US 3rd parties used (e.g. Google Firebase, etc).

https://www.reuschlaw.de/news/risiko-fuer-betreiber-von-gesundheits-apps-datenuebermittlung-in-die-usa-wegen-eugh-urteil-bald-unzul/

June 29, 2020June 29, 2020

Five Safes Framework

http://www.fivesafes.org/

The Five Safes is a framework for helping make decisions about making effective use of data which is confidential or sensitive. – The Five Safes proposes that data management decisions be considered as solving problems in five ‘dimensions’:

projects (Is this use of the data appropriate?),
people (Can the users be trusted to use it in an appropriate manner?),
settings (Does the access facility limit unauthorised use?),
data (Is there a disclosure risk in the data itself?) and
outputs (Are the statistical results non-disclosive?).

The combination of the controls leads to ‘safe use’.

June 29, 2020June 29, 2020

Germany BfDI: Position paper on Anonymization (with focus on telecoms)

https://www.bfdi.bund.de/DE/Infothek/Transparenz/Konsultationsverfahren/01_Konsulation-Anonymisierung-TK/Positionspapier-Anonymisierung-DSGVO-TKG.html?nn=5216976

My high-level reading (I’m not a lawyer..):

Anonymization is viewed as a processing activity and requires a legal basis. (The paper argues different approaches).
Transparency obligations must be met.
Anonymization can be used as an alternative to deletion.

June 29, 2020

CNIL: Cookies and other tracking devices: the Council of State issues its decision on the CNIL guidelines

In its decision of 19 June 2020, the Council of State (Conseil d’État) essentially validated the guidelines on cookies and tracking devices adopted by the CNIL on 4 July 2019…..
https://www.cnil.fr/en/cookies-and-other-tracking-devices-council-state-issues-its-decision-cnil-guidelines

Author: stefan

CNIL Open Data initiative

Germany: Helpers on Register of Data Processing Activities

Blog post: What’s in a CNAME?

Germany: SDM 2 – first three modules published

Paper: Unacceptable, where is my privacy? Exploring Accidental Triggers of Smart Speakers

Study: The impact of the General Data Protection Regulation (GDPR) on artificial intelligence

Germany: DIGA digital health applications can’t use Standard Contractual Clauses

Five Safes Framework

Germany BfDI: Position paper on Anonymization (with focus on telecoms)

CNIL: Cookies and other tracking devices: the Council of State issues its decision on the CNIL guidelines