Domino’s Pizza has suffered a security breach by a group of online professional hackers who accessed the online databases and servers of Domino’s Pizza customers in France and Belgium. The hackers claim to have downloaded over 600,000 customer records (592,000 relating to French customers and 58,000 relating to Belgian customers), which include names, addresses, phone numbers, passwords, delivery instructions and even favourite toppings.

In an unusual twist, the hackers demanded a payment of €30,000, to be paid directly to them in exchange for the stolen information, failing which they would publish the personal data online. The hackers posted further information and threats on a Twitter account that has since been suspended. Domino’s France released a statement on Twitter saying that although its data is encrypted, it has fallen victim to "professionals" who were able to "decode the cryptographic system for the passwords".

Following the recent Court of Justice decision in the Costeja case, Google launched a service last Friday that will allow European data subjects to request the removal of search results for queries that include their name where those results are "inadequate, irrelevant, or no longer relevant, or excessive in relation to the purpose for which they were processed". The request form is available online.

The EU’s Article 29 Working Party has adopted an Opinion on Anonymisation Techniques (Opinion 05/2014). The Opinion analyses the effectiveness and limits of existing anonymisation techniques, and provides recommendations for use of these techniques in light of the residual risk of identification inherent in each of them.

The Court of Justice of the European Union (CJEU) has ruled that the Data Retention Directive 2006/24/EC (Directive) is invalid.

The Irish High Court (in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors C-293/12) and the Austrian Constitutional Court (in Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, C-594/12) asked the CJEU to examine the validity of the Directive.

Election candidates in the upcoming May local and European Parliament Elections have all recently received correspondence from the Data Protection Commissioner reminding them of their obligations with regard to communicating with the electorate. Candidates were made aware that should any complaints be received by the office of the Data Protection Commissioner, they will be investigated, with appropriate action taken.

Candidates and political parties must adhere to the clear statutory guidelines as set out in the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, particularly in relation to the use of SMS, phone and e-mail in sending electoral messages.

The European Parliament has passed a resolution in response to the U.S. National Security Agency (NSA) surveillance scandal. The resolution calls for the immediate suspension of the U.S.-EU Safe Harbour Framework, unless the U.S. satisfies the concerns of the EU Parliament.

However, the Parliament’s resolution does not affect the validity of the Safe Harbour Framework. Only the Commission can renegotiate the Safe Harbour Framework. Last year, the Commission issued 13 recommendations to improve the functioning of the Safe Harbour scheme, and called upon U.S. authorities to remedy these issues by summer 2014 (see


On 12 March 2014, the European Parliament voted in favour of the revised draft EU Data Protection Regulation.  To become law the proposed Regulation must be adopted by the EU Council using the "ordinary legislative procedure".  The EU Council is due to meet in June 2014.

Background

The proposed Regulation was originally presented by the European Commission on 25 January 2012.  It has been the subject of voracious debate both in Brussels and across the EU, and has been subject to much re-drafting.   

The Advocate General of the Court of Justice of the European Union (CJEU) has delivered an Opinion that the Data Retention Directive 2006/24/EC (Directive) is incompatible with the Charter of Fundamental Rights. However, the Advocate General proposed that the effects of the finding of invalidity should be suspended in order to enable the EU legislature to adopt, within a reasonable period, the measure necessary to remedy the invalidity found to exist.

The European Commission has published Communications on Rebuilding Trust in EU-US Data Flows and on the Functioning of Safe Harbor. The Communications were released as a result of deepening concerns following the allegations of widespread access by U.S. intelligence agencies to personal data.

The European Commission has called for action in six areas, including:

  1. Adoption of the EU’s draft Data Protection Regulation by Spring 2013;
  2. Improvement of the functioning of the Safe Harbour scheme (which provides a legal basis for the transfers of personal data from the EU to companies in the U.S. for commercial purposes);
  3. Swift conclusion of the current negotiations on the "umbrella agreement" for transfers and processing of data in the context of police and judicial co-operation;
  4. Use by the U.S. administration of the existing Mutual Legal Assistance and Sectoral agreements, whenever transfers of data are required for law enforcement purposes;
  5. Extension of the legal safeguards available to U.S. citizens to EU citizens not resident in the U.S.; and
  6. Accession by the U.S. to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (as it acceded to the 2001 Convention on Cybercrime).
