30 April 2011

Sony PSN: Clueless And Breaching


Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Playstation 3: Sixaxis Wireless Controllerphoto © 2008 włodi | more info (via: Wylio)

Not that I wish to blog so often on data protection, but some technology giants would not give me a break.

Last week I covered the (very likely) unlawful data collection practice of Apple’s iPhone and this week I decided to spend some words on the fact that

Sony Leaked Personal Data

particularly credit card data from its Play Station Network.

Ars Technica have been reporting during the last few days, here is the most current update as of the writing of this article.
According to Sony, “It is possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.”

What is this if not a

Personal Data Breach?

Some of you will remember that at the end of 2009 the European Union updated its Telecoms Package and, as a part thereof, the ePrivacy Directive. The European lawmakers sharpened the provisions on privacy and introduced a data breach notification requirement in order to prevent data loss debacles.

The updated ePrivacy Directive mandates that in the event of a personal data breach, providers of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority in charge for data protection.

Now read the italic type again. What providers does it cover? Only telcos, right? One could ask:

Must Sony Notify Its Breach?

Well, seemingly not under the ePrivacy Directive since Sony should not be defined as a telco.
Funnily, during the negotiations of the Directive’s final version, the European Parliament demanded that all providers of “information society services” be subjected to the data breach notification duty. Sony is, inter alia, a provider of information society services – check the definitions of the E-Commerce Directive (2000/31/EC). Hence, that demand would have covered Sony, had it only been implemented.

However, European Union Directives normally set only minimum requirements and leave member states with a certain amount of leeway as to the exact rules to be transposed.

Member states such as Germany, Spain, Austria and Ireland did not limit the data breach notification duty to only telcos. They rather chose to oblige the so-called data controller under the Data Protection Directive (95/46/EC). Thus, they have achieved a much broader scope of applicability.
Data controller’s definition clearly puts

Sony Under An Obligation

to notify the respective data protection authorities of above member states.
To the best of my knowledge, Sony has not yet undertaken such a notification – it has been dangerously clueless for more than two weeks instead.

What Is The Moral Of The Story?

The data breach notification was introduced as a consequence of recent years’ high-profile incidents of personal data loss across Europe.
Who forgot the T-Mobile data loss or the UK privacy debacles?
Now, it seems, Sony has joined the data breach elite.
See, what the consequence therefor will be.

 

24 November 2009

The US cares for data protection


Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

IMG_1458photo © 2011 John Taylor | more info (via: Wylio)

 

Well, I agree the title of this post reads somewhat provocative. Nevertheless, it is driven by the criticism that European data protection practitioners usually express towards their US colleagues’ approach when dealing with privacy and protection of personal data.

This should not surprise as the right to privacy is a highly developed area of law in Europe. Accordingly, the European Union has long had a privacy framework for the processing of personal information that is different – and more restrictive — than privacy practices in the US. By contrast, the United States prefers what is called a “sectoral” approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation, rather than overarching governmental regulations (see “A Framework for Global Electronic Commerce“. To date, the US has no single, overarching privacy law comparable to the EU Directive.

The EU Data Protection Directive requires EU member states to provide for legislation that prohibits the transfer of personal data outside the EU. However, there are some exemptions from that rule, one of which applies where the EU has determined that the laws of the country of destination provide “adequate” protection for personal data. Among others, Switzerland and Argentina were determined to be such countries. In the late 1990s, the EU determined that the laws of the United States did not meet its adequacy standard.

However and in order not to totally prohibit the personal data transfer between the largest economies, the US Department of Commerce in consultation with the European Commission developed the “Safe Harbor Arrangement”. As a consequence, US companies that are under the jurisdiction of the Federal Trade Commission or the US Department of Transportation may enrol to that arrangement and process personal data submitted by European partners (subsidiaries) of theirs.

A company under the FTC’s jurisdiction that self-certifies its compliance with the Safe Harbor Arrangement, but fails to observe them may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices.

After a decade without any enforcement actions, the FTC recently proceeded against seven companies and obtained consent orders against them.

While these actions by the FTC are said not to represent substantive enforcement within the Safe Harbor Arrangement, they do signify that companies need to be even more vigilant about the content of their privacy policies and marketing assertions.

6 May 2009

Consumer Rights: EU Commission wants consumers to surf the web without borders


Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

Warning: Illegal string offset 'status_txt' in /home/reguligc/public_html/reguligence.biz/wp-content/plugins/share-and-follow/share-and-follow.php on line 1243

The European Commission launched the eYouGuide, a new online tool giving practical advice on the “digital rights” consumers have under EU law.

This guide, which responds to a call from the European Parliament in 2007, addresses consumer issues like the rights towards your broadband provider, shopping on the web, downloading music and protecting your personal data online and on social networking sites.

Even though 48.5% of EU households have a broadband internet connection, a new Eurobarometer survey shows that a lack of confidence still holds many consumers back from online transactions.
Only 12% of EU web users feel safe making transactions on the internet, while 39% of EU internet users have major doubts about safety, and 42% do not dare carry out financial transactions online. 65% of internet users in the EU do not know where to get information and advice about cross-border shopping in the EU.

A third of consumers would consider buying online from another country because it is cheaper or better, but only 7% actually do so. Giving consumers clear information about their rights will increase trust and help unlock the full economic potential of Europe’s single online market, worth EUR 106 billion in revenues.