* Posts by I_am_not_a_number

13 posts • joined 7 Jun 2018

Dell stamps on the gas for backup devices with speed and cloud boost

I_am_not_a_number

Really..?

This sounds more like a data sheet than the usual El Reg fare... No critique of its capabilities Chris...?

Colour us shocked: Google in €50m GDPR fine appeal bombshell

I_am_not_a_number

Re: Google takes small onion from pocket, then says it's …

Where Google says, "...it had "worked hard" to create a transparent and straightforward GDPR consent process for its ads personalisation settings"

For the first part, they're trying to reduce the fine by arguing against Article 83.2(c):

"[Regarding] (the general conditions for imposing administrative fines)...the intentional or negligent character of the infringement..."

Ditto the second part regarding their concerns, which relates to Article 83.2(k):

"..mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement..."

CNIL's final decision will likely be based on the perceived "m.o" of Google.

2018 ain't done yet... Amazon sent Alexa recordings of man and girlfriend to stranger

I_am_not_a_number

Re: Future analysis anyone?

@Cynical Pie,

Not sure what your point is, my friend. Mind clarifying?

It sounds promising, but maybe I'm just a bit dumb to be able to follow the dots you're drawing...

EU politely asks if China could stop snaffling IP as precondition for doing business

I_am_not_a_number

Questionable quality...

Even if they can't restrict the IP theft, the phrase "cheap Chinese knock-off" is not for nothing.

They put great value on image, but f* all on quality.

People aren't stupid and will vote with their wallets.

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage

I_am_not_a_number

Re: Their Site

True.

But if you look more closely, it looks like their lawyers are positioning themselves using GDPR article 82(3):

"A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage."

And in doing so, lay the grounds for a potential counter claim to their processors, if that falls through:

"... [controllers] shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage"

Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked

I_am_not_a_number

Re: GDPR?

Hmm.. Singapore doesn't seem to be on the GDPR/Third countries with adequacy decision but they seem to have some kind of data protection under the Personal Data Protection Act 2012 (PDPA).

However:

"The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

"Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes..."

Penalties seem to be a bit weak (1 GBP = 1.72 Singapore Dollars), I'm personally not convinced about the prison term below:

"...A fine up to SGD10,000. In the case of a continuing offence, the guilty person is liable to a further fine not exceeding SGD1,000 for every day or part of the day during which the offence continues after conviction.

Imprisonment for a term not exceeding three years."

That's a pretty broad set of exclusions IMHO + anyone's guess whether their equivalent to the ICO will act to enforce...

Identity stolen because of the Marriott breach? Come and claim your new passport

I_am_not_a_number

Re: Burden of Proof

Not sure whether this answers the US-centric view of "burden of proof" - I'm assuming that you mean by demonstrable losses, which obviously in this case, will be hard to prove, since ID theft isn't enacted until potentially years later...but perhaps the following might help..

The following section 168 of the UK Data Protection Act 2018 (which references GDPR) stipulates that, if you've suffered distress, then you have a right to claim compensation.

Here:

"168 Compensation for contravention of the GDPR

(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress."

Compensation mechanisms are referenced in articles 77-83. Since the hotel isn't a public authority, then none of the state level derogations will apply and therefore, fair game for any punishments..

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

I_am_not_a_number

Re: No foresight

Apologies for the brevity, not intended to be blunt...

Assuming I've not misunderstood:

"ICO stands for "Interesting Coat Outfitters" they've done nothing other than flash a couple of windcheaters..."

Would you count fines & prison sentence in one case as "nothing"?

https://ico.org.uk/action-weve-taken/enforcement/

"requirement to "promote the awareness of controllers and processors of their obligations under this Regulation" - both of which are apparently not happening."

Do Youtube, LinkedIn, Facebook & Twitter count?

https://www.youtube.com/user/icocomms

https://www.linkedin.com/company/information-commissioner's-office/

https://twitter.com/ICOnews?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor

https://www.facebook.com/ICOnews

Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

I_am_not_a_number

Amazon can't just brush it under the carpet now...

Might be useful:

Art. 82 GDPR Right to compensation and liability:

"...Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

Data Protection Act 2018:

Section 168:

Compensation for contravention of the GDPR

(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress.

Brexit campaigner AggregateIQ challenges UK's first GDPR notice

I_am_not_a_number

Re: "how are the ICO going to enforce the GDPR against a Canadian company?"

Not sure I agree.

--> https://gdpr-info.eu/issues/third-countries/

"...At the time that the General Data Protection Regulation became applicable, the third countries which ensure an adequate level of protection were: Andorra, Argentina, Canada (only commercial organisations),"

It suggests that the "Supervisory Authority" in Canada are obliged to assist to the extent that the existing (Canadian) laws that govern data protection require.

Article 45 may also apply:

https://gdpr-info.eu/art-45-gdpr/

"Transfers on the basis of an adequacy decision"

If so, then article 47 applies regarding "Binding corporate rules", which commit those entities to ensuring "Data Protection" principles that make them "their legally binding [..in..] nature, both internally and externally;"

Here - https://gdpr-info.eu/art-47-gdpr/

Law firm seeking leak victims to launch £500m suit at British Airways

I_am_not_a_number

Re: And So It Begins - Payback is a bitch

I see a lot of remarks here who regard the ICO as toothless. Perhaps before May 25th 2018 but after that date, less so.

Article 58 covers the powers bestowed upon the "Supervisory Authority" (ICO) and now can:

"obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law."

"...to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;"

(ref: https://gdpr-info.eu/art-58-gdpr )

The second of the points above is a bigger deal as the ICO can "order" them to comply. Related is Article 32 which is a key provision, as it covers "Security of Processing" which carries the burden of providing assurance of the CIA triad. I'm sure it'd be a major hassle if the regulator is breathing down your neck and publishing at the same time any (lack of) progress.

I can almost hear the people in the back row saying "yeah, yeah but it's never been tested in court, blah blah". True. Equally, the ICO will be keen to be seen as being able to flex its muscles after its relatively weak fine on FB.

That said, there's a lot of unjustified glee about the potential fines.

Whilst it's true that it can be 2% or 4% etc, it also needs to be "effective, proportionate and dissuasive."

The operative word here is proportionate since it needs to take into account "the intentional or negligent character of the infringement" (Article 83).

If BA can show that they've had an ongoing programme of security audits, risk assessments and/or pen tests, then, I can see them arguing the toss and getting away without a "total b*tchslap". At the same time, there's still sufficient scope for it to hurt.

Japanese fashion puts the oo-er into trousers

I_am_not_a_number

Double-shirting?

https://www.telegraph.co.uk/men/the-filter/steve-two-shirts-bannon-strangest-style-politics/

Perhaps they figured Steve Bannon might be on to something...
