Privacy Post #13

Georgia Wright Privacy

Every week we’ll be rounding up the latest news in privacy and other interesting articles.

Ransomware infections reported worldwide Friday 12th May

Cyber attacks have hit organisations around the globe, in up to 74 countries. Ransomware has locked computers, demanding $300 in Bitcoin to release them. Photos from social media and company statements have revealed that universities in Italy, Spanish firms and delivery company FedEx have been hit. NHS services across the UK, including hospitals and GP practices, have also been affected.

European Data Protection Supervisor addresses Data Protection Officers in Italy

Giovanni Buttarelli, European Data Protection Supervisor, has warned data protection officers of the upcoming General Data Protection Regulation (GDPR), hinting at further guidance to come. He also said that the European Union Article 29 Working Party will release guidance on certifications this year, encouraging businesses to develop solutions in this area too.

Federal Court to Rehear Case Exempting ISPs from Privacy Regulations

The Ninth Circuit Court of Appeals for the Northern District of California has said it will rehear a “landmark case” determining whether the Federal Trade Commission (FTC) has authority to regulate “common carriers”. The case protects the likes of Verizon and Google from the federal government’s privacy regulator. Read in-depth analysis here.

Business leaders warned over GDPR deadlines

At law firm Pinsent Masons’ data protection conference, attendees were warned that with a year to go until the GDPR comes into force, preparations must be started. The increase in maximum fines will give the Information Commissioner’s Office the authority to fine up to €20 million or 4% of global turnover – whichever is higher.

“GDPR has no transition or implementation phase and as such will be effective from Day 1, 25th May 2018.”
– Laura Gillespie, litigation and regulatory partner at Pinsent Masons.

After net neutrality comment system fails, senators demand answers

Federal lawmakers are demanding to know details of a cyber attack on the Federal Communications Commission (FCC) last weekend. It stopped the FCC from receiving feedback from Americans on the FCC Chairman’s deregulation plan for net neutrality. The senators have asked for information on the nature of the attacks, current protection and the numbers affected.

Like this post? Subscribe to our weekly newsletter here to be updated with all news privacy, Cognitiv+ and more.

Privacy Shield Developments: When, What and Why?

Georgia Wright Articles, Privacy

On the 6th April, a resolution passed in European court instigating a review of the EU-US data transfer agreement, Privacy Shield. MEPs are concerned about recent privacy developments in the US which do not reflect the EU’s attitudes towards data protection.

Source: European Commission

Background and purposes

The Privacy Shield arrangement was approved in July 2016, after a previous agreement, Safe Harbour Decision, was invalidated by a Court of Justice of the European Union ruling in October 2015. Since then, Privacy Shield has faced two legal challenges from privacy rights groups in Ireland and France.

The purpose of the deal is to allow the transfer of data between the EU and the US, bypassing the EU’s Data Protection Directive 95/46/EC, which prohibits personal data from being transferred from Europe to a third country, unless it “ensures an adequate level of protection”. By self-certifying under Privacy Shield, organisations can be said to provide adequate protection.

“We have to ensure the proper day-to-day implementation and robust follow-up of the Privacy Shield.”
– Věra Jourová, EU justice commissioner.

In particular, Privacy Shield requires organisations to commit to the protection of EU citizens’ personal data and renegotiate their contracts with parties involved with the transfer or processing of data. Those who provide privacy policies, contact details and demonstrate the relevant compliance are certified and listed here. Certification is intended to provide clarity for businesses on personal data transfer and to ensure the safety and standards of EU law.

Organisations must:

  • give notice to individuals of the type of data collected, their rights to access, recourse mechanisms available and third party transfers;
  • provide choice, allowing data subjects to opt out of third party processing and opt in for sensitive personal data processing;
  • ensure that third party data transfers meet the same standard, by imposing additional contractual provisions and eventually being liable for the third party’s breach;
  • sufficiently protect personal data;
  • only collect data “relevant for the purposes of processing” and commit to the arrangement even after certification has expired;
  • provide access to personal data and the ability to amend, correct or delete inaccurate/misused data.

Developments, criticisms and changing political horizons

Privacy Shield is due for its annual review in September 2017, as Věra Jourová, EU justice commissioner, confirmed at the end of March. Following this, the European Parliament resolution expressing “alarm” over privacy changes passed with 306 votes to 240 with 40 abstentions.

MEPs have cited news of surveillance activities by US electronic communications service providers and new rules which allow the US National Security Agency to share data with other US agencies without permission from courts as particular concerns. The “insufficient independence” of the US’ Ombudsperson mechanism, which is meant to provide effective judicial redress rights for EU individuals, also came under fire. Also mentioned was the lack of a person fulfilling the role of Ombudsperson since July 2016.

“There are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement”,
– Claude Moraes, Civil Liberties Committee Chair.

Privacy advocate Nigel Hawthorn of Skyhigh Networks told Infosecurity: “In order to mitigate the uncertainty that seemingly isn’t going anywhere any time soon, organisations in Europe may have to vote with their wallets and reduce the amount of data going to the US, or invest in technologies that encrypt data before it is transferred.”

Given this detailed resolution, there is significant work cut out for those reviewing Privacy Shield in September. President Trump has demonstrated that his interest in privacy rights of citizens is limited, certainly when it comes to national security. His failure to fill the post of Privacy Shield Ombudsperson and vacancies on the Privacy and Civil Liberties Oversight Board and the Federal Trade Commission (which enforces Privacy Shield) isn’t promising for European citizens’ privacy rights. The repeal of Obama-era broadband rules at the beginning of April adds to concern that the review might face further political pressure from the US.


The Privacy Post #12

Georgia Wright Uncategorised

Every week we’ll be rounding up the latest news in privacy and other interesting articles.

FCC to dump Obama-era net neutrality rules

Ajit Pai, chairman of the Federal Communications Commission (FCC), has announced that “light touch regulation” would replace the US’ net neutrality protections. The FCC’s Open Internet Order prevented internet service providers (ISPs) from abusing their position as the only internet provider available to certain areas. The removal of this rule will allow ISPs to discriminate against websites as they see fit, as Verizon has in the past – it banned content about net neutrality itself. Read more criticism here.

Privacy issues help end NSA spying programme

The US National Security Agency (NSA) has revealed that an internal review has found problems with its spying programme. The 2008 Foreign Intelligence Surveillance Act (Fisa) allows the NSA to surveil US citizens without a warrant if messages or calls involved foreign people of interest. The NSA cited privacy issues and technical limits for stopping the regime. It will delete the “vast majority” of the data collected.

Uber adds privacy info and easy account deletion

Uber has unveiled a new account deletion system. The new plans, having undergone a year of development, will allow users to delete their accounts without contacting support. Their data will be held for 30 days before deletion. This move marks the company’s renewed efforts to be transparent about privacy issues.

Amazon adds eyes to AI ears with Echo Look smart home camera

Alexa, Amazon’s voice assistant tool, has been equipped with a video camera for its next version. Echo Look will be able to give style advice to users and share images to social media. This new functionality has become a controversial topic due to the privacy concerns it raises. Alexa will now be able to collect biometric data, for example employing voice and facial recognition, points out Lee Tien of the Electronic Frontier Foundation.

“Adding the camera is even more of a hit to privacy,”

– Lee Tien, attorney at the Electronic Frontier Foundation.


Cognitiv+ featured on TechCrunch!

Georgia Wright Features

Last month our CEO and co-founder, Vasilis Tsolis, was interviewed by TechCrunch. The article features how Cognitiv+ can help businesses navigate the tricky regulatory environment of Brexit and an overview of planned product releases up until 2018… Want to know how our CEO views disruption in the legal sector? Read on here…

So what problems can Cognitiv+ help with? For a start, Vasilis points out the European Union’s incoming GDPR (May 2018) and the recent developments in the Slavery Act and MiFID II and other compliance rules are causing complications for businesses. Cognitiv+ offers an automated method for keeping ahead of obligations, legal risks and changing regulatory landscapes. By “monitoring [these regulations] in a structured fashion” paired with constant tracking and analysis of company contracts, compliance risks and requirements can be flagged.

Cognitiv+ will extract key information from contracts, for example parties involved, the limit of liability, renewal and termination information and jurisdiction.

Reports, dashboards and notifications using this information will aid in-house lawyers, commercial staff, procurement, financial and compliance departments.

“Cognitiv+ performs the contract analysis at near real-time speeds, leaning on open source algorithms for the core tech.

[Vasilis] describes the IP as “the process and all the stages we take for analyzing a contract, the training” — so, in other words, the legal expertise needed to get a proper handle on compliance.”

– TechCrunch on Cognitiv+

And what about the future for Cognitiv+? Look out for V2 in September 2017, which will offer specific tools for financial and procurement teams. In March 2018, V3 will provide tailored solutions for the insurance, real estate and engineering industries.

“We use machine learning, we use NLP [natural language processing], we use neural networks.

We aim to be a risk management tool; we identify as much as possible that the machine can do…”

– Vasilis Tsolis, Cognitiv+ CEO

Caught your attention? Read the rest of the article ‘Cognitiv+ is using AI for contract analysis and tracking’

Thanks to TechCrunch for originally publishing parts of this article. 


The Privacy Post #11

Georgia Wright Privacy, Privacy roundup

Every week we’ll be rounding up the latest news in privacy and other interesting articles.

Why one Republican voted to kill privacy rules: “Nobody has to use the Internet”

One Wisconsin congressman’s response to a civilian has sparked outcry on social media. The townhall meeting attendee asked Rep. Jim Sensenbrenner (R-Wis.), who voted to remove Obama’s privacy rules, about his decision to allow internet service providers (ISPs) access to data. He cited the lack of consumer choice in ISPs as his concern.

E-privacy: MEPs look at new rules to safeguard your personal details online

During a hearing on 11 April 2017, the European Parliament’s civil liberties committee discussed proposed changes to privacy rules. The proposed changes are meant to tackle the challenge of technological developments. This means that EU privacy rules should also apply to “new providers of communication services” i.e. WhatsApp, Facebook Messenger and Gmail instead of solely traditional telecoms companies. This would mean that users would gain better control of their privacy settings, for example cookies.

Uber adds cross street pickups and drop-offs for more user privacy

Controversy arising from Uber’s tracking of users has driven a new feature in the app. Users in America will now be able to specify an intersection as an origin or destination. Uber can suggest intersections based on road addresses and users will not have to enter a specific address. The cross section identification will make protecting riders’ personal data hassle-free.

Uber ‘tracked iPhones to stop fraud’

According to the New York Times, Apple nearly banned the Uber app from its app store in 2015, citing breach of privacy rules. The practice of identifying devices attached to accounts, “fingerprinting”, is banned by Apple. Uber claimed this code was to stop digital fraud and deter criminals from using stolen credit cards. However, it also came to light that Uber had “geofenced” Apple’s headquarters in California so they wouldn’t be tracked – allowing Uber to escape Apple’s notice for a short time. Travis Kalanick, Uber’s CEO, was warned in person by Tim Cook, CEO of Apple.

Bloomberg Law Identifies The 10 Countries With The Highest Data Breach Notification Compliance Risk

Bloomberg Law’s Compliance Risk Benchmarks data has revealed that South Korea has the highest risk for data breach notification compliance. It takes the lead over 50 countries. This is due to the combination of strict regulations, rigorous enforcement and potential for civil, criminal and financial risks. Also in the top five are Colombia, Mexico, France and Japan. The report includes analysis on higher risk countries as well as an in-depth look at the top 5. The report can be found here.


Cognitiv+ exhibits at ‘Unlocking the Power of Data: the Future of Smarter Payments’

Georgia Wright Events

On Wednesday 22 March 2017 Payments UK and techUK hosted an inaugural member-only event looking at the opportunities and risks of harnessing the potential of data within the payments industry.

Cognitiv+ were delighted to exhibit at the event, showcasing its contract analytics tools.

“We really enjoyed hearing the opportunities on open banking initiative and how open data could change the relationship between consumers and banks.”

– Vasilis Tsolis, CEO Cognitiv+

The brief of the event set out to discuss several key issues:

  • The way in which data should be understood and defined, and how its full potential within the payments ecosystem could be ‘unlocked’.
  • The role of technology in using data to make informed decisions to deliver competitive opportunities, increase efficiencies and drive innovation.
  • The importance of bringing customers on the data journey, data privacy and security concerns, and how best to communicate the user benefits.
  • The potential collaborative space to assist in meeting regulatory and legislative requirements.

Learn more about the event here.

No mercy: ICO confirms that there will be no grace period for GDPR

Georgia Wright Articles

Steve Wood, Head of International Strategy & Intelligence for the Information Commissioner’s Office (ICO), confirmed that there will be no grace period for the enforcement of the General Data Protection Regulation (GDPR). His keynote for the International Association of Privacy Professionals’ (IAPP) Data Protection Intensive on 15 March 2017 summarised the ICO’s approach to enforcing the new regulation, due to come into force in May 2018.

“Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy… What you will see is a common-sense, pragmatic approach to regulatory principles.”

– Steve Wood, ICO

The ICO’s stated approach will be to tackle risk, accountability and transparency. In moving forward with this idea, the ICO held a public consultation on consent guidance during March. Obtaining consent from data subjects is an important change brought by the GDPR, and transparency around consent will become a key focus for the ICO. Methods for collecting consent will need to be put in place by organisations ahead of May 2018.

Wood clarified that when the ICO is pushed to investigate firms further, he expects to find a comprehensive accountability program in place in order to demonstrate the steps taken to address compliance issues. Guidance published on the ICO’s website is an important resource for understanding standard practice.

“The key thing to do is invest now, convince people in your organisation why data protection is important for trust.”


The Privacy Post #10

Georgia Wright Uncategorised

Every week we’ll be rounding up the latest news in privacy and other interesting articles.

Data Privacy Shield: MEPs alarmed at undermining of privacy safeguards in the US

A resolution has passed in European court for a review of the EU-US data transfer agreement, Privacy Shield. The MEPs are concerned about recent privacy developments in the US which do not reflect the EU’s attitudes towards data protection. They have cited in particular news of surveillance activities by US electronic communications service providers and new rules which allow the US National Security Agency to share data with other US agencies without permission from courts.

Rise in hospital cyber attack reports

NHS hospital trusts reported 55 cyber attacks last year, compared to 15 in 2015. NHS Digital claimed that the increase reflected a “rise in reporting, not necessarily a rise in cyber attacks”. Ransomware attacks, which lock a computer system then demand a ransom, are apparently on the rise.

China’s new draft cyber law proposes ban on export of all data deemed as posing security threat

On 11th April, China released a drafted cybersecurity law which will require businesses transferring data affecting over 500,000 subjects or over 1,000 GB to submit to an annual assessment. The law, said to come into effect this June, will also allow China to ban any export of data if it is deemed a threat to national security. For more advice, see here.

UK charities fined for data law breaches

11 UK charities, including Oxfam, Cancer Research UK and Battersea Dogs’ and Cats’, have been fined by the Information Commissioner’s Office (ICO) for misusing personal data. The ICO limited fines to a maximum of £18,000 due to their charitable status but warned it was investigating further action. So-called “wealth screening” processes designed to analyse the wealth of donors and sharing data between charities came under fire.

Daily Mail, Mirror and Times publishers fail in European law bid to avoid millions in libel and privacy costs

The UK Supreme Court has released its judgement after hearing publishers’ pleas to reform costly no win, no fee rules. The Conditional Fee Arrangements used for defamation and privacy cases can hugely inflate the cost of cases for the newspaper groups, sometimes by millions. Read the full judgement here.

Yahoo’s EU Watchdog Set to Show Teeth as Privacy Probe Wraps Up

Ireland’s Data Protection Commissioner, Helen Dixon, has hinted that her office has found fault with Yahoo’s European counterpart in one of the biggest data breaches in history. She has stated that she intends to impose remedial action. The investigation of Facebook’s plans to use data from WhatsApp is set to conclude in the summer.

10 States Take Internet Privacy Matters Into Their Own Hands

10 American states are pushing forward with legislation to protect the data of their citizens. Connecticut, Illinois, Kansas, Maryland, Massachusetts, Minnesota, Montana, New York, Washington and Wisconsin all have plans in spite of the President’s plans for deregulation of privacy rules.


The Privacy Post #9

Georgia Wright Privacy, Privacy roundup

Every week we’ll be rounding up the latest news in privacy and other interesting articles.

President Trump delivers final blow to Web browsing privacy rules

Proposed Federal Communications Commission (FCC) rules have been overturned by President Trump in a Congressional resolution. Despite Democratic concern, the privacy rules will not come into effect at the end of the year. They allowed Internet Service Providers (ISPs) to use their customers’ data only once the subject had opted in. This move marks the slow progress of the President’s plans for heavy deregulation.

“President Trump has signed away the only rules that guarantee Americans a choice in whether or not their sensitive Internet information is sold or given away,”

– Chris Lewis, VP of consumer advocacy group Public Knowledge.

EU commissioner announces September review for EU-US Privacy Shield

The Privacy Shield, an EU-US data protection agreement, will be up for annual review in September, the European Commissioner for Justice, Consumers and Gender Equality announced. The agreement has been criticised by two separate legal challenges and privacy advocates, particularly concerning judicial remedies for misuse of data in America. This will be of high interest to those critical of the deal, as well as to the 2000 companies who have already signed up.

“In a world where cross-border data flows have become a central feature of global trade, strong data protection rules would be meaningless if the data can travel abroad without protections.”

– Věra Jourová, Commissioner for Justice, Consumers and Gender Equality

US privacy vote is foretaste of net neutrality battle

The President’s order to repeal FCC privacy rules is considered to symbolise the beginning of the net neutrality debate. Although only ISPs have been affected, the rules could have been extended to other companies in the industry – so companies involved in internet advertising also stand to benefit. This includes Google and Facebook, which hope to see their privacy positions strengthened by Trump’s efforts to put businesses first by deregulating.

Brexit and the future of data transfers to the UK

The President of the European Privacy Association, Paolo Balboni, has distilled the UK’s options for data transfers amidst Brexit to three scenarios. UK data protection could be recognised as adequate by the EU Commission, a data sharing agreement like the EU-US Privacy Shield could be constructed or the derogations of the General Data Protection Regulation could apply.

Garages, new homes and old offices: the records management mistakes that put health records at risk

The Information Commissioner’s Office (ICO) has released guidance on a more basic data protection measure, namely the transfer of physical data. This is especially relevant to the healthcare sector, as the ICO has seen recurring cases involving mismanaged data in garages, new homes and old offices. Leanne Doherty, Group Manager for the health sector within the ICO, recommends strong record management to prevent incidents.


We’re incubating with Winton Labs this winter!

Georgia Wright Events

We’re delighted to announce that we’ll be incubating with Winton Labs for three months from November to February. Winton Labs aims to be Europe’s premier startup accelerator for data science companies. The programme will culminate in a demo day on 10th February 2017. Read about Winton Labs in their own words:

What is Winton Labs?

W. L. is an accelerator for early-stage startups involved in the creation of data, or the application of data science. The Data Science Startups new programme will be run as a collaboration between investment management and data technology firm Winton, and VC firm Winton Ventures. Whilst the programme will leverage this expertise, it is not set to resemble a classic corporate accelerator, with much of the mentorship coming from an external network of startup experts, technologists and academics.

Who is behind Winton Labs?

Winton has a long history of successfully applying data science to disrupt the world of Investing, and wants to support companies that have the same data centric view of the world.

What are the details of the programme?

The 3 month programme will take place in the ‘The Lab’ co-working space at Winton’s London HQ. There will be three streams of mentors:

  • Business Unit: these are business leaders from within Winton, as well as large corporates and SMEs.
  • Data Science & Technology: these are drawn from Winton’s extensive pool of researchers and data experts, our deep network of academic partners, and leading data scientists from the startup ecosystem.
  • Entrepreneurship: these mentors are experienced founders, investors and advisors.