#SypherPrivacyTalks - May 2023 - Week 20

by Sypher - May 18, 2023

Welcome to #SypherPrivacyTalks — Your news and article roundup. Bringing you the top privacy & compliance stories of the week.

European Court finds pseudonymised data is NOT personal data in the hands of recipient that can’t re-identify it

goodwinprivacyblog.com • 3 min read

🙈 This EU General Court ruling adds an interesting layer of complexity to the ongoing discussion around personal data, pseudonymised data, and anonymous data. 👇

The ruling suggests that it's crucial for supervisory authorities to assess whether data can be considered personal or not — opening the door for pseudonymised data to potentially be regarded as non-personal data.

The ruling came in response to a case involving the Single Resolution Board (SRB) and the European Data Protection Supervisor (EDPS). The crux of the matter was the alleged lack of information on data sharing by the SRB to third parties, which was done after a pseudonymization process. The General Court annulled the EDPS's decision that deemed the pseudonymised data as personal data, emphasising the importance of evaluating the recipient's ability to reidentify the individuals behind the pseudonymised data.

This judgement may potentially alter the playing field by indicating that whether certain data is personal or non-personal could depend on the specific circumstances and each party's capacity to identify the data subject. It may also encourage companies to carry out reidentification tests to prove that certain data is anonymous under specific factual and legal conditions.

☝️ In any case, caution is advised as this ruling can still be appealed to the European Court of Justice. It's also worth noting that the court has not expressly specified the conditions under which data can be considered anonymous… read more

Google accused of breaking the GDPR by hoarding personal data of potential job candidates for years

finance.yahoo.com • 7 min read

🥽 Google may face investigations over potential GDPR violations, as reported in a recent Fortune article. 👇

Last year, London-based contractor Mohamed Maslouh discovered thousands of people's personal data in Google's internal gHire recruitment system, dating back to 2011. Maslouh filed whistleblower complaints with the UK Information Commissioner's Office and the Irish Data Protection Commission, and Google is now under scrutiny.

Google claims it deployed a global automatic deletion tool in 2021 to protect the privacy of job applicants and candidates in gHire. However, the timeline indicates over four years of noncompliance with the GDPR, which could lead to fines as high as 4% of global annual revenues… read more

Microsoft is scanning the inside of password-protected zip files for malware

arstechnica.com • 3 min read

🔬 Microsoft is scanning the insides of password-protected zip files for malware, even within their cloud services. 👇

This tactic aims to outsmart cybercriminals who often hide malware within zipped files, but it's not without controversy. Security researcher Andrew Brandt, for instance, has expressed concern over the implications this could have for malware researchers like him who routinely need to send password-protected malicious files for analysis. The unannounced scanning and flagging of such files may hinder their vital work.

The situation underscores the delicate balancing act tech companies must undertake - shielding users from cyber threats, yet also respecting their privacy. Microsoft's move likely protects many from falling victim to social engineering attacks, but it's important to note that it also feels invasive to some users… read more

75% of Irish data privacy decisions since 2018 overruled - report

irishtimes.com • 2 min read

🫤 A report from the Irish Council for Civil Liberties highlights that 75% of the DPC's decisions in EU-wide cases have been overturned in favour of tougher enforcement. 👇

This is particularly significant, as major tech companies such as Google, Meta, Apple, TikTok, and Microsoft have their European headquarters in Ireland. 🌐

Interestingly, about 87% of cross-border GDPR complaints to Ireland’s DPC are related to the same eight companies: Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple, and Tinder. These findings suggest that there's still a lot of work to be done to ensure data privacy regulations are robustly enforced in the digital age. 

The report also indicates a trend towards “amicable resolution” rather than enforcement measures… read more

Are the fines fine? A tale of disharmony and opacity of GDPR enforcement

eulawlive.com • 7 min read

🔨 “Are the fines fine?” Naomi Lintvedt dared to ask it in this insightful op-ed. Are the fines issued under the GDPR actually effective in ensuring compliance and protecting our right to data protection? 👇

Key takeaways:
✅ The effectiveness of fines as a deterrent is questionable, with no concrete evidence that higher fines lead to better compliance.
✅ The fine structure of the GDPR and its influence from competition law may not necessarily be the best model.
✅ The size of the fines, although seemingly large, often represents a small percentage of a company's annual turnover, questioning their true deterrent effect.
✅ The enforcement actions lack transparency and harmonisation across different jurisdictions, making it difficult to understand the full picture.
✅ Other corrective measures, such as orders to erase personal data or a limitation or ban on processing, could potentially be more impactful in certain situations.

This piece not only questions the existing GDPR enforcement mechanisms but also opens up an important discussion on how we can better protect data protection rights. It is a must-read for anyone working in the privacy, tech, legal, or policy sector… read more

Stay tuned for more by 📌 connecting with us on LinkedIn or, better yet, by subscribing to our weekly newsletter. We do our best to select the most interesting and relevant content in our field and deliver it to you in a bite-sized format, so you can stay up to date on topics such as Privacy Management & Compliance.

Photo by Markus Winkler on Unsplash