Included in this Data Issues Round Up: European Court blocks plans to share passenger name record data with Canada; Singapore privacy watchdog proposes mandatory data breach notice; and UniCredit reveals data breach involving 400,000 loan applicants.


United Kingdom

European Court blocks plans to share passenger name record data with Canada

The Court of Justice of the European Union (EU) has blocked a planned EU agreement to share airline passenger details with Canada because "several of its provisions are incompatible with the fundamental rights recognised by the EU".

The 2014 agreement was designed to help in the fight against terrorism and international crime. However, the Court has ruled that the agreement would have meant individuals' personal data was held for five years, even if they were not involved in illegal activities.

Online privacy campaigners have said this ruling has considerable implications for any future agreement between the UK and EU. The same approach can be expected to be applied for any trade agreements following Brexit, making the prospects for a deal involving digital communications tenuous.

As reported by Open Rights Group, 26 July 2017.

Singapore privacy watchdog proposes mandatory data breach notice

On 27 July 2017, Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), launched a consultation on the review of the Personal Data Protection Act (PDPA).

The PDPC is proposing to introduce a mandatory breach notification regime, whereby companies doing business in Singapore must notify the regulator and affected individuals of data breaches that pose any risk of impact or harm to the affected individual or where the breach is significant.

The privacy office is also proposing to loosen consent rules for digital economy companies, due to the sheer volume of data transactions, in which it may not always be practical or possible to seek consent for data collection or use. Two circumstances have been put forward by the PDPC: necessity for a legal or business purpose, and where an individual has been notified of its purpose.

The public consultation will close on 21 September 2017.

As reported by the Personal Data Protection Commission, 27 July 2015.

UniCredit reveals data breach involving 400,000 loan applicants

Italian bank UniCredit has admitted that personal data and International Bank Account Numbers of 400,000 loan applicants might have been accessed during two separate data breaches that occurred in September and October 2016 and June and July 2017.

An unnamed third-party provider has been blamed by the bank for exposing the data during the breaches.

The bank said it had closed the breaches, which were discovered last week, and informed the relevant authorities whilst embarking on a security audit. It has pledged to upgrade its IT systems in a £2 billion project.

The General Data Protection Regulation (GDPR) of 2018 goes some way to making third parties accountable for security concerns such as this. UniCredit's delay in revealing the breach highlights the need for big businesses to know exactly where and how their data is managed.

As reported by The Register, 26 July 2017.

Key Contacts

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK
