Included in this issue: Watchdog finds companies selling personal data to potential scammers; Rudy Giuliani appointed as head of new US cyber security team; EU Commission to monitor US data privacy developments.
Watchdog finds companies selling personal data to potential scammers
UK consumer watchdog Which? recently carried out an undercover investigation into 14 different data "list" brokers to discover how they conduct their data business and whether they were taking appropriate steps to protect personal data.
The Which? team pretended to represent a pension advice company which was seeking to get people to access their pensions early. The investigation found that of the 14 companies investigated, ten did not carry out proper checks into the registration of their fake company. Which? found a high lack of due diligence prevalent amongst the list brokers reviewed. All in all Which? managed to gain access to the personal data of more than 500,000 people aged 50 or over. It was found that data was being freely traded with no thought given to the rights of the data subjects and whether they had consented to this data sharing.
Harry Rose, the money editor at Which?, commented:
"Our investigation highlights that sensitive personal and financial data is being traded on a huge scale, with unscrupulous companies selling to anyone who comes calling. Millions are already pestered by nuisance callers and targeted by scammers. To avoid ending up on a list, never give permission for your data to be shared by third parties and if you are called out of the blue about a financial opportunity, hang up and report it."
The ICO has confirmed that it is looking into the claims. We will issue a further report where further developments arise.
Rudy Giuliani appointed as head of new US cyber security team
Newly inaugurated US President, Donald Trump has announced the appointment of former New York City Mayor, Rudy Giuliani, as head of his private sector cybersecurity team.
Giuliani, who founded cybersecurity consulting firm Giuliani Partners LLC (a 16 year old firm), will put together a team of private sector tech company experts, who will regularly meet with President Trump to discuss ways of minimising the risk of cyber-attacks.
This is one of the President's first steps towards establishing a strong cybersecurity defence, and he is looking to have a plan in place within 90 days.
The Trump transition team released the following statement on the appointment:
"This is a rapidly evolving field both as to intrusions and solutions and it is critically important to get timely information from all sources, Mr. Giuliani was asked to initiate this process because of his long and very successful government career in law enforcement and his now sixteen years of work providing security solutions in the private sector."
In the wake of the alleged Russian cyber security attacks on the US, President Trump has made clear that the US is, and will, take pro-active measures to bolster America's cyber security and defence capabilities. We expect to see developments in the next few days in relation to the cyber security executive order which is due to be signed by the President.
EU Commission to monitor US data privacy developments
President Trump has issued the Executive Order on Enhancing Public Safety in the Interior of the U.S. (the Order).
On first glance, the Order appears, due to the wording contained at section 14, to contradict a central aim of the EU-US Privacy Shield agreement, being the safeguarding of EU citizens' data in the US.
The Order makes reference only to the Privacy Act of 1974, which has never conferred any rights of protection upon non-US citizens. The Privacy Act also only covers "Agencies" which in terms of the US would mean the FBI and the NSA. It does not include language to cover "private organisations" such as those signed up to the Privacy Shield.
On review, the Order appears to be primarily focused on the protection of national security rather than privacy. There is a risk that this approach, in the long term, might create a disconnect between the standard of data protection in the EU and the US, and it will be interesting to see what impact the forthcoming General Data Protection Regulation (GDPR) will have.
Although it has been reported that the EU Commission released an official statement in reaction to the Order, this is not correct, instead it sent out an email to journalists who requested a comment. However, the response provided by the EU Commission makes the valid point that the US Judicial Redress Act 2015 is coming into force on 1 February 2017, and will amend the Privacy Act so that the remedies contained within it, such as access to US courts are available to European citizens. The impact that this Act will have remains to be seen.
In terms of data sharing going forwards companies are advised to use EU Model Clauses, especially in light of recent developments and the uncertainty that currently surrounds the future status of the Privacy Shield. The Privacy Shield is due to be reviewed later this year by EU Regulators.