This sounds more like a data sheet than the usual El Reg fayre... No critique of its capabilities, Chris...?
13 posts • joined 7 Jun 2018
Where Google says, "...it had "worked hard" to create a transparent and straightforward GDPR consent process for its ads personalisation settings"
For the first part, they're trying to reduce the fine by arguing against Article 83.2(c):
"[Regarding] the general conditions for imposing administrative fines... the intentional or negligent character of the infringement..."
Ditto the second part regarding their concerns, which relates to Article 83.2(k):
"...mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement..."
CNIL's final decision will likely be based on the perceived "m.o." of Google.
But if you look more closely, it looks like their lawyers are positioning themselves using GDPR article 82(3):
"A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage."
And in doing so, lay the grounds for a potential counter claim to their processors, if that falls through:
"... [controllers] shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage"
Hmm... Singapore doesn't seem to be on the GDPR list of third countries with an adequacy decision, but they seem to have some kind of data protection under the Personal Data Protection Act 2012 (PDPA).
"The data protection provisions in the PDPA (parts III to VI) generally do not apply to:
"Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes..."
Penalties seem to be a bit weak (1 GBP = 1.72 Singapore dollars); I'm personally not convinced about the prison term below:
"...A fine up to SGD10,000. In the case of a continuing offence, the guilty person is liable to a further fine not exceeding SGD1,000 for every day or part of the day during which the offence continues after conviction.
Imprisonment for a term not exceeding three years."
That's a pretty broad set of exclusions IMHO, plus it's anyone's guess whether their equivalent to the ICO will act to enforce...
Not sure whether this answers the US-centric view of "burden of proof". I'm assuming that you mean demonstrable losses, which, obviously in this case, will be hard to prove, since ID theft isn't enacted until potentially years later... but perhaps the following might help.
The following section 168 of the UK Data Protection Act 2018 (which references GDPR) stipulates that, if you've suffered distress, then you have a right to claim compensation.
"168 Compensation for contravention of the GDPR
(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress."
Compensation mechanisms are referenced in Articles 77-83. Since the hotel isn't a public authority, none of the state-level derogations will apply, and therefore it's fair game for any punishments.
Apologies for the brevity, not intended to be blunt...
Assuming I've not misunderstood:
"ICO stands for 'Interesting Coat Outfitters'; they've done nothing other than flash a couple of windcheaters..."
Would you count fines & prison sentence in one case as "nothing"?
"requirement to "promote the awareness of controllers and processors of their obligations under this Regulation" - both of which are apparently not happening."
Do YouTube, LinkedIn, Facebook & Twitter count?
Might be useful:
Art. 82 GDPR Right to compensation and liability:
"...Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
Data Protection Act 2018:
Compensation for contravention of the GDPR
(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress.
Not sure I agree.
"...At the time that the General Data Protection Regulation became applicable, the third countries which ensure an adequate level of protection were: Andorra, Argentina, Canada (only commercial organisations),"
It suggests that the "Supervisory Authority" in Canada is obliged to assist to the extent that the existing (Canadian) laws that govern data protection require.
Article 45 may also apply:
"Transfers on the basis of an adequacy decision"
If so, then article 47 applies regarding "Binding corporate rules", which commit those entities to ensuring "Data Protection" principles that make them "their legally binding [..in..] nature, both internally and externally;"
Here - https://gdpr-info.eu/art-47-gdpr/
I see a lot of remarks here which regard the ICO as toothless. Perhaps before May 25th 2018, but after that date, less so.
Article 58 covers the powers bestowed upon the "Supervisory Authority" (ICO), which can now:
"obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law."
"...to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;"
(ref: https://gdpr-info.eu/art-58-gdpr )
The second of the points above is a bigger deal as the ICO can "order" them to comply. Related is Article 32 which is a key provision, as it covers "Security of Processing" which carries the burden of providing assurance of the CIA triad. I'm sure it'd be a major hassle if the regulator is breathing down your neck and publishing at the same time any (lack of) progress.
I can almost hear the people in the back row saying "yeah, yeah, but it's never been tested in court, blah blah". True. Equally, the ICO will be keen to be seen as being able to flex its muscles after its relatively weak fine on FB.
That said, there's a lot of unjustified glee about the potential fines.
Whilst it's true that it can be 2% or 4% etc, it also needs to be "effective, proportionate and dissuasive."
The operative word here is proportionate since it needs to take into account "the intentional or negligent character of the infringement" (Article 83).
If BA can show that they've had an ongoing programme of security audits, risk assessments and/or pen tests, then I can see them arguing the toss and getting away without a "total b*tchslap". At the same time, there's still sufficient scope for it to hurt.
Biting the hand that feeds IT © 1998–2019