Tag: GDPR

  • TikTok slammed €345m privacy fine

    TikTok has been fined 345 million euros (368 million U.S. dollars) by Irish data protection authorities following an investigation into the handling of user data from minors.

    The agency said on Friday that the investigation, which ran from the end of July 2020 to the end of December 2020, focused on some of the video app’s settings as well as the age check during registration.

    Posts such as videos by users between the ages of 13 and 17 could be published for all to see, according to a default setting.

    The commenting function in the profiles was also accessible to all other users by default.

    TikTok said the investigation’s findings primarily referred to settings that were valid three years ago.

    “Most of those results are no longer relevant due to measures we put in place before the investigation began.

    “These included setting all accounts for users under the age of 16 to private by default,” he said.

    In addition to the fine, TikTok was ordered to bring its data processing in line with the European General Data Protection Regulation (GDPR) within three months.

    In May, Ireland’s Data Protection Commission slapped Meta with a record fine of 1.2 billion euros.

    TikTok is in the process of moving European users’ data to new data centres in Ireland and Norway.

    By the end of 2024, European user data would be transferred and stored at these centres by default.

    TikTok is trying to gain trust in Europe with the plan under the name “Project Clover.”

    The video app has a difficult political standing in the West because it belongs to the Chinese corporation Bytedance.

    The European Commission and several European governments have banned the use of the app on the mobile phones of their employees.

    With “Project Clover,” TikTok says it wants to guarantee that access to personal data of European users is strictly regulated and transparent.

  • Consumer groups can take legal action against Facebook – EU court

    Consumer advocacy groups are allowed to file lawsuits over alleged data protection violations against internet giants, such as Facebook, even without a specific mandate from affected individuals, the European Court of Justice (ECJ), the EU’s highest court, ruled in Luxembourg on Thursday.

    The ECJ clarified with its ruling that the European General Data Protection Regulation (GDPR) does not stand in the way of consumer protection associations seeking to take legal action.

    Thursday’s ruling is linked to a case before Germany’s Federal Court of Justice.

    The German Federal Union of Consumer Organisations and Associations had sued Facebook’s owner, Meta Platforms, for alleged data protection violations in connection with free third-party games that can be accessed via Facebook.

    In May 2020, the German court referred the case to the EU Court of Justice to determine whether a German regulation, according to which not only data protection commissioners may sue, but also consumer advocates, still applies under the GDPR.

  • Privacy: NITDA searches for local alternatives to WhatsApp, Twitter, Facebook

    The National Information Technology Development Agency (NITDA) has said it will organize a hackathon for Nigerians to pitch solutions that can provide services that will provide functional alternatives to existing global social media platforms such as WhatsApp, Facebook and Twitter.

    TheNewsGuru.com (TNG) reports this is contained in a public advisory issued by NITDA and released on Tuesday by its Head of Corporate Affairs and External Relations, Mrs. Hadiza Umar, to address WhatsApp’s recent privacy policy changes and the implications for Nigerian users.

    According to the public advisory, to understand the issues bordering on WhatsApp’s recent privacy policy changes, NITDA in collaboration with the African Network of Data Protection Authorities had engaged Facebook Incorporated, the owners of Whatsapp platform, specifically, its global Policy officials on 9th April, 2021.

    “Nigeria’s engagement with Facebook continues. We have given them our opinion on areas to improve compliance with the NDPR. We have also raised concerns as to the marked difference between the privacy standard applicable in Europe, under the GDPR and the rest of the world.

    “Given the foregoing and other emerging issues around international technology companies, NITDA, with stakeholders, is exploring all options to ensure Nigerians do not become victims of digital colonialism. Our national security, dignity and individual privacy are cherished considerations we must not lose.

    “Because of this, we shall work with the Federal Ministry of Communications and Digital Economy to organize a hackathon for Nigerians to pitch solutions that can provide services that will provide functional alternatives to existing global social platforms,” the public advisory reads.

    Read public advisory in full below:

    PUBLIC ADVISORY

    WHATSAPP PRIVACY POLICY CHANGES: IMPLICATION FOR NIGERIAN USERS

    The National Information Technology Development Agency (NITDA) under Section 6 (f) of the NITDA Act 2007 wishes to provide this advisory to Nigerians to address Nigerian concerns on changes to Whatsapp Terms of Service and Privacy Policy which took effect on 15th May, 2021. Millions of Nigerians use Whatsapp platform for business, social, educational, and other purposes. The platform is the social media platform of choice for many Nigerians.

    To understand the issues and give an opportunity to explain its views, NITDA in collaboration with the African Network of Data Protection Authorities engaged Facebook Incorporated, the owners of Whatsapp platform, specifically, its global Policy officials on 9th April, 2021. After the engagement, NITDA, as Nigeria’s data privacy regulator, wishes to advise Nigerians on how Facebook’s business decision affects their privacy rights.

    What Has Changed?

    Facebook acquired Whatsapp in February 2014. Facebook currently has over 2.5 billion users globally, while Whatsapp has over 2 billion users. Whatsapp shared a reviewed Privacy Policy on 4th January 2021, informing its users outside the European Union that it would now share their information with Facebook and its sister companies.

    Datasets collected by Whatsapp

    Whatsapp collects the following information on users:

    • account information;
    • messages (including undelivered messages, media forwarding);
    • connections;
    • status information;
    • transactions and payments data;
    • usage and log information;
    • device and connection information;
    • location information;
    • cookies etc.

    Other information collected by Whatsapp include:

    • battery level;
    • signal strength;
    • app version;
    • browser information;
    • mobile network;
    • connection information (including phone number, mobile operator or ISP), language and time zone;
    • Internet Protocol address;
    • device operations information;
    • social media identifiers.

    The new policy best renders the platform’s information sharing practices with Facebook and its companies-

    “As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the other Facebook Companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings, including the Facebook Company Products…”

    Whatsapp shares the above listed information and the following with the Facebook company:

    • account registration information;
    • details on how users interact with others;
    • mobile device information;
    • Internet Protocol address;
    • Location data etc.

    The Facebook Team confirmed that private messages shared on WhatsApp consumer version are encrypted and not seen by the company. But the metadata (data about the usage of the service) which is also personal information is shared with other members of the Facebook Group.

    Whatsapp users are at liberty to decide on giving consent to the processing of their data based on the new privacy policy. The Nigeria Data Protection Regulation (NDPR) recognizes consent (a clear, unambiguous expression of privacy terms communicated by the controller and accepted by the Data Subject) as one of the lawful bases for data processing. Acceptance of the new privacy policy and terms of use implies that user data would now be shared with Facebook and other third parties. Users will now be subject to the terms and policies of Facebook and other receiving entities with or without being direct subscribers to such services.

    Advice

    As a result of the foregoing, NITDA advises as follows:

    • Nigerians may wish to note that there are other available platforms with similar functionalities which they may wish to explore. Choice of platform should consider data sharing practices, privacy, ease of use among others; and
    • Limit the sharing of sensitive personal information on private messaging and social media platforms as the initial promise of privacy and security is now being overridden on the basis of business exigency.

    Nigeria’s engagement with Facebook continues. We have given them our opinion on areas to improve compliance with the NDPR. We have also raised concerns as to the marked difference between the privacy standard applicable in Europe, under the GDPR and the rest of the world.

    Given the foregoing and other emerging issues around international technology companies, NITDA, with stakeholders, is exploring all options to ensure Nigerians do not become victims of digital colonialism. Our national security, dignity and individual privacy are cherished considerations we must not lose. Because of this, we shall work with the Federal Ministry of Communications and Digital Economy to organize a hackathon for Nigerians to pitch solutions that can provide services that will provide functional alternatives to existing global social platforms.

  • Data protection: NITDA extends deadline for initial data audit report filing

    The National Information Technology Development Agency (NITDA) has granted a three-month extension period that will elapse on Friday 25th October 2019 for the filing of initial audit report for every data controller and processor.
    TheNewsGuru (TNG) reports Dr Isa Ali Ibrahim Pantami, Director General/Chief Executive Officer (CEO) of the NITDA and Chief Information Technology Officer of Nigeria made this known in a statement in Abuja.
    This is following a series of consultations held by the agency with various industry and government stakeholders on the implementation of the Nigeria Data Protection Regulation (NDPR).
    According to the statement, the overwhelming consensus of all stakeholder groups is that the NDPR is an appropriate regulation that would help provide clarity for data controllers and processors on the rights of data subjects, basis of processing personal data and transfer of data outside Nigeria among others.
    “NITDA is pleased to note that stakeholders including other Sector Regulators, Government, Banks, Industry groups, Private Sector players among many others, have shown tremendous willingness towards compliance with the NDPR.
    “Consequently, Article 4.1(5) of the NDPR requires Data Controllers to submit an initial audit report within six months of issuance of the Regulation (which lapsed on 25th July, 2019).
    “Several Data Controllers have appealed for an extension of time to meet this obligation. Therefore, NITDA is hereby granting a three-month extension for the conduct of the initial audit report for every data Controller and Processor. This extension period would elapse on Friday 25th October 2019.
    “This extension of time for the purpose of audit filing does not limit NITDA’s right to investigate and enforce other allegations of breach made against any Data Controller or Processor pursuant to the NDPR and the NITDA Act 2007,” the statement read.
    TNG reports NITDA is a Federal Government Agency established in 2001 to implement the Nigerian Information Technology Policy as well as coordinate general IT development and regulation in the country.
    Specifically, Section 6(a,c) of the Act mandates the NITDA to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices, activities and systems in Nigeria.
    The Act also mandates the NITDA to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour, and other fields.

  • Expert calls for sensitisation on data privacy

    There is an urgent need to sensitise Nigerians on data privacy and security, says John Odumesi, a cyber security expert.

    Speaking during the 2019 Data Privacy Day, Odumesi said that people needed to know how the issue of data privacy affected them.

    January 28 is Data Privacy Day which was set aside to raise awareness and promote privacy and data protection best practices.

    The Cybersecurity Analyst said that the purpose of Data Privacy Day was to raise awareness about the rights to personal data protection and privacy.

    He said that data was becoming more valuable than ever, as people continually share more data on their connected devices, while businesses and government are collecting and using the personal information more than ever before.

    “Data privacy is basically the necessity to protect personal information collected by any organisation and from unauthorised access. Such data types include: online privacy, medical privacy, financial privacy, among others.

    “The challenge with data privacy is that most people are not aware enough about data privacy and protection,” Odumesi said in a statement.

    He said that government should review all policies related to surveillance, interception and collection of personal data in line with international human rights standards on privacy protection.

    According to him, there is the need for speedy passage of the personal information and data protection bill as well as the digital rights and freedom bill.

    “Nigerian organisations should review their current privacy policy and processes in compliance with the General Data Protection Regulation (GDPR).

    “The European Union (EU) GDPR regulates how the personal data of EU citizens are collected and processed.

    “The regulation is relevant to Nigerian business environment. It applies to Nigerian organisations that handle personal data of EU citizens. Non-compliance with the regulation can result in severe fines,” he said.

  • Consumer groups criticize Google location data collection

    European consumer groups on Tuesday criticized Google for breaching personal data protection rules, citing how the location of smartphone users was continuously tracked.

    Google collected location data of people, who use Google’s services or accounts on their smartphones and features like “location history” and “web & app activity,” according to the Brussels-based European Consumer Organisation.

    This was in breach of the General Data Protection Regulation (GDPR) that entered into force in May, the groups said, saying they planned to file complaints with national data protection authorities.

    The information was used for services such as targeted advertising.

    Location data can be sensitive as it can also reveal personal information, ranging from religious beliefs to health conditions or sexual orientation, the groups said.

    The findings were highlighted in a report by the Norwegian Consumer Council, one of the European consumer groups planning a complaint.

    The consumer groups criticised Google for not being open about the features or how consumers can choose not to share their location data.

    “Thanks to the GDPR, users should be in control of their personal data. Google’s deceptive practices are in breach of the spirit and the letter of this regulation,” Monique Goyens, Head of the European Consumer Organisation said in a statement.

    Google Norway spokeswoman, Helle Skjervold, said in a written statement to public broadcaster NRK that Google was “constantly working to improve our settings, and we will carefully read this report to see if there are things we can change.”

    Complaints were due in the Czech Republic, Denmark, Greece, the Netherlands, Poland, Slovenia and Sweden.

  • Facebook’s lead EU regulator opens probe into data breach

    Facebook’s lead regulator in the European Union, the Irish Data Protection Commissioner (DPC), continued on Thursday an investigation into a massive cyberattack on the social networking site that the company disclosed last week.
    Facebook said on Friday that hackers had stolen login codes that allowed them to access nearly 50 million Facebook accounts.
    This is its worst-ever security breach given the unprecedented level of potential access.
    “In particular, the investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organizational measures.
    Such measures will ensure the security and safeguarding of the personal data it processes,” the DPC said in a statement.
    Under the new GDPR European privacy regulations which came into effect in May, breaking privacy laws can result in fines of up to 4 per cent of global revenue or 20 million euros, whichever is higher.
    That compares with a few hundred thousand euros previously.
    The DPC said that Facebook informed it that their own internal investigation is continuing and that the company continued to take remedial actions to mitigate the potential risk to users.
    The DPC regulates a number of U.S. multinationals with European headquarters in Dublin.
    Facebook said on Tuesday that investigators had determined that the hackers did not access other sites that use the social networking site’s single sign-on.
    Some security experts, including a former Facebook executive, said the company may have painted a worst-case scenario when it disclosed the attack on Friday to ensure compliance with the strict new European Union privacy rules.
    GDPR imposes steep penalties if companies fail to follow rules that include a requirement that they disclose breaches within 72 hours of discovery.
    That is a tight window that security experts say does not give investigators adequate time to determine the impact of the breach.
    Facebook’s latest vulnerability had existed since July 2017, but the company first identified it on Tuesday of last week.

  • Google’s delay creates compliance mess

    Google’s delayed entry into the consortium of advertising technology companies has spoiled the members’ push to comply with a new European Privacy Law, leaving some firms exposed to fines, media officials said today.

    Most at risk are unwitting owners of ad-funded websites and apps, which Google has said, have the responsibility of getting consent to serve targeted ads to European consumers.

    The experience shows how Google policy decisions cascade through the $200 billion global online advertising industry, which is dominated in most facets, by the Alphabet Inc unit.

    Data about a website visitor’s identity can pass through a dozen ad tech firms before an ad is loaded.

    Each one must have user consent or another legal basis to access it under Europe’s General Data Protection Regulation (GDPR).

    Hundreds of ad tech firms launched software together a month before GDPR kicked in on May 25 to verify consent before displaying ads.

    Google announced on May 22 that it would not join the industry programme until August.

    It devised a temporary solution that people said has been imperfect.

    As a result, some of Google’s advertising clients are targeting ads to users, who have not given consent to personalised marketing.

    Google declined to comment on possible policy violations, instead reiterating that GDPR “is a big change for everyone” and that it is working with partners on compliance.

    GDPR fines can reach as high as 4 per cent of a firm’s annual revenue.

    Four ad tech executives said they are counting on deference from regulators until Google supports the consortium technology.

    “Once Google adopts the consent framework, much of the confusion will start to settle down a bit,” said Walter Knapp, Chief Executive of ad software company, Sovrn Holdings Inc.

    Authorities in France and Germany said they have yet to investigate consent issues related to online ads.

    Financial and legal analysts said it is a matter of time.

    A crucial issue has involved Google’s DoubleClick Bid Manager (DBM), which large advertisers use to purchase ad space from ad exchanges.

    Many websites now present European visitors with pop-ups, asking for consent to send identity data to exchanges and DBM as ad space with user information is far more valuable.

    The issue is that DBM cannot yet accept users’ selections because it does not support the consortium standard.

    Big exchanges such as AppNexus Inc and Rubicon Project Inc have worked around this by guaranteeing that they will only offer ad space on DBM when users have consented.

    AppNexus and Rubicon Project declined to specify how they are ensuring compliance.

    They told websites it was up to them to block DBM if they cannot meet the guarantee, according to emailed notices seen by Reuters.

    It is unclear how many websites have taken the precaution.

    “The responsibility lies squarely on the publishers,” said Erin Yasgar, a team lead at online advertising advisory firm, Prohaska Consulting.

    DBM data last month showed that AppNexus and Rubicon Project did not offer significantly less ad space on DBM after making the consent-only guarantee, according to official sources.

    Yet, at least 10 per cent of European users are not giving consent, the executives said.

    Google operates a rival exchange, which has spotty enforcement of publishers, according to a Reuters review last week of several websites that displayed personalised ads before obtaining permission.

  • WhatsApp raises minimum age in Europe to 16

    WhatsApp, the popular messaging service owned by Facebook Inc, is raising its minimum age from 13 to 16 in Europe to help it comply with new data privacy rules coming into force in May.

    WhatsApp will ask European users to confirm they are at least 16 years old when they are prompted to agree new terms of service and a privacy policy provided by a new WhatsApp Ireland Ltd entity in the next few weeks.

    It is not clear how or if the age limit will be checked given the limited data requested and held by the service.

    Facebook, which has a separate data policy, is taking a different approach to teens aged between 13 and 15 in order to comply with the European General Data Protection Regulation (GDPR) law.

    It is asking them to nominate a parent or guardian to give permission for them to share information on the platform, otherwise they will not see a fully personalised version of the social media platform.

    But WhatsApp, which had more than 1.5 billion users in January according to Facebook, said in a blog post it was not asking for any new rights to collect personal information in the agreement it has created for the EU.

    “Our goal is simply to explain how we use and protect the limited information we have about you,” it said.

    WhatsApp, founded in 2009, has come under pressure from some European governments in recent years because of its end-to-end encrypted messaging system and its plan to share more data with its parent, Facebook.

    Facebook itself is under scrutiny from regulators and lawmakers around the world since disclosing in March that the personal information of millions of users wrongly ended up in the hands of political consultancy Cambridge Analytica, setting off wider concerns about how it handles user data.

    WhatsApp’s minimum age of use will remain 13 years in the rest of the world, in line with its parent.
    GDPR is the biggest overhaul of online privacy since the birth of the internet, giving Europeans the right to know what data is stored on them and the right to have it deleted.

    Apple Inc and some other tech firms have said they plan to give people in the U.S. and elsewhere the same protections and rights that Europeans will gain.

    European regulators have already disrupted a move by WhatsApp to change its policies to allow it to share users’ phone numbers and other information with Facebook to help improve the product and more effectively target ads.

    WhatsApp suspended the change in Europe after widespread regulatory scrutiny.

    It said on Tuesday it still wanted to share the data at some point.

    “As we have said in the past, we want to work closer with other Facebook companies in the future and we will keep you updated as we develop our plans,” it said.

    Other changes announced by WhatsApp on Tuesday include allowing users to download a report detailing the data it holds on them, such as the make and model of the device they used, their contacts and groups and any blocked numbers.

    “This feature will be rolling out to all users around the world on the newest version of the app,” it said.

    The blog post also points to safety tips on the service, such as the ability to block unwanted users, and delete and report spam.

  • Facebook CEO, EU official discuss privacy protection

    Chief executive officer and founder of Facebook, Mark Zuckerberg, and European Commission Vice President for the digital single market Andrus Ansip on Wednesday met and discussed issues bordering on privacy protection.

    The European Commission Vice President made this known on Wednesday tweeting about the meeting which also entails how to counter disinformation on the Internet, especially on social media.

    “Discussed with Mark Zuckerberg and Sheryl Sandberg the steps that Facebook has taken and plans to take to protect users privacy and tackle disinformation. There is a wider need to rebuild trust. GDPR (General Data Protection Regulation) shows the way forward,” Ansip’s tweet read.

    Facebook has been under fire for allowing UK-based data analytic firm, Cambridge Analytica, to harvest personal details of more than 87 million users without their permission to target them during the 2015 Nigeria presidential election, the 2016 US presidential election and the Brexit referendum.

    Zuckerberg accepted responsibility for the whole brouhaha when he appeared before US Congress last week, especially for not preventing the social media platform from being used for harm, including fake news, foreign interference in elections and hate speech.

    However, the Facebook CEO pledged to limit the amount of users’ information that apps on the platform can get access to, and said such apps must get users’ approval.

    European Parliament on Wednesday renewed its call to Zuckerberg to come before the Parliament to answer questions on the misuse of European citizens’ personal data.

    Members of the European Parliament (MEPs) emphasized that the General Data Protection Regulation that will apply as of May 26 will give citizens control over their personal data and set global standards.

    However, some MEPs pointed out that the new data protection rules will not prevent future scandals and called on the Council to proceed with the e-privacy regulation.