ULD advisory letter on typical problems with websites (Hinweisschreiben des ULD zu typischen Problemen bei Websites)
at “Datenschutz-Guru”:
https://www.datenschutz-guru.de/hinweisschreiben-des-uld-zu-typischen-problemen-bei-websites/
[protecting people by good design, solid security, efficient processes and trusted services]
Expert Opinion on the Current State of U.S. Surveillance Law and Authorities
by Prof. Stephen I. Vladeck,
University of Texas School of Law,
dated 15 November 2021
https://www.datenschutzkonferenz-online.de/weitere_dokumente.html
in English
https://www.datenschutzkonferenz-online.de/media/weitere_dokumente/Vladek_Rechtsgutachten_DSK_en.pdf
—
Also DLA Piper summary:
https://blogs.dlapiper.com/privacymatters/3606-2/
The CIS Controls Privacy Guide provides best practices and guidance for implementing the CIS Critical Security Controls (CIS Controls) while considering the privacy impacts on the workforce, customers, and third-party organizations such as contractors.
https://www.cisecurity.org/blog/protecting-privacy-using-the-cis-controls-privacy-guide/
https://github.com/EU-EDPS/website-evidence-collector
FAQ at https://github.com/EU-EDPS/website-evidence-collector/blob/master/FAQ.md – also make sure that your Node.js is at version 14!
with a good intro at https://medium.com/rincon-security/getting-started-with-the-edps-website-evidence-collector-tool-7be921a49e9e
with add-ons
https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final
Abstract
“This publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided with guidance on analyzing assessment results.”
https://www.enisa.europa.eu/publications/data-protection-engineering
Table of contents:
1. INTRODUCTION
1.1 DATA PROTECTION BY DESIGN
1.2 SCOPE AND OBJECTIVES
1.3 STRUCTURE OF THE DOCUMENT
2. ENGINEERING DATA PROTECTION
2.1 FROM DATA PROTECTION BY DESIGN TO DATA PROTECTION ENGINEERING
2.2 CONNECTION WITH DPIA
2.3 PRIVACY ENHANCING TECHNOLOGIES
3. ANONYMISATION AND PSEUDONYMISATION
3.1 ANONYMISATION
3.2 k-ANONYMITY
3.3 DIFFERENTIAL PRIVACY
3.4 SELECTING THE ANONYMISATION SCHEME
4. DATA MASKING AND PRIVACY-PRESERVING COMPUTATIONS
4.1 HOMOMORPHIC ENCRYPTION
4.2 SECURE MULTIPARTY COMPUTATION
4.3 TRUSTED EXECUTION ENVIRONMENTS
4.4 PRIVATE INFORMATION RETRIEVAL
4.5 SYNTHETIC DATA
5. ACCESS, COMMUNICATION AND STORAGE
5.1 COMMUNICATION CHANNELS
5.1.1 End to End Encryption
5.1.2 Proxy & Onion Routing
5.2 PRIVACY PRESERVING STORAGE
5.3 PRIVACY-ENHANCING ACCESS CONTROL, AUTHORIZATION AND AUTHENTICATION
5.3.1 Privacy-enhancing attribute-based credentials
5.3.2 Zero Knowledge Proof
6. TRANSPARENCY, INTERVENABILITY AND USER CONTROL TOOLS
6.1 PRIVACY POLICIES
6.2 PRIVACY ICONS
6.3 STICKY POLICIES
6.4 PRIVACY PREFERENCE SIGNALS
6.5 PRIVACY DASHBOARDS
6.5.1 Services-side privacy dashboards
6.5.2 User-side privacy dashboards
6.6 CONSENT MANAGEMENT
6.7 CONSENT GATHERING
6.8 CONSENT MANAGEMENT SYSTEMS
6.9 EXERCISING RIGHT OF ACCESS
6.9.1 Delegation of Access Rights Requests
6.10 EXERCISING RIGHT TO ERASURE, RIGHT TO RECTIFICATION
7. CONCLUSIONS
7.1 DEFINING THE MOST APPLICABLE TECHNIQUE
7.2 ESTABLISHING THE STATE-OF-THE-ART
7.3 DEMONSTRATE COMPLIANCE AND PROVIDE ASSURANCE
8. REFERENCES
(This is the first of the 101 cookie complaints by NOYB.)
The Austrian DPA held that the use of Google Analytics by an Austrian website provider led to transfers of personal data to Google LLC in the U.S. in violation of Chapter V. of the GDPR.
– including that the technical tracking parameters (“_gads, _ga and _gid”) are personal data and may be transferred to the USA
... by the European Parliament’s research service:
Understanding EU data protection policy
https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/698898/EPRS_BRI(2022)698898_EN.pdf
LG München I, final judgment of 20 January 2022 – 3 O 17493/20, GRUR-RS 2022, 612, awards non-material damages of €100 because the dynamic IP address was transmitted to Google (specifically: Google Fonts) in the USA!
https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/
includes