24 January Weekly podcast: Google GDPR fine, EU-US Privacy Shield and US DNS hijacking attacks

This week, we discuss Google’s €50 million GDPR fine, GDPR complaints against eight streaming services, Facebook’s Supreme Court appeal and its potential effects on the EU-US Privacy Shield, and an Emergency Directive from the US Department of Homeland Security.

Hello and welcome to the IT Governance podcast for Thursday, 24 January 2019. Here are this week’s stories.

France’s data protection regulator, the CNIL, has fined Google a record €50 million (approximately £44 million or US$57 million) for breaching the GDPR (General Data Protection Regulation).

Following complaints from the privacy rights groups noyb (None Of Your Business) and LQDN (La Quadrature du Net), the regulator found that Google violated the GDPR in two ways:

  • First, by “excessively” disseminating essential information – including data processing purposes, data storage periods and the categories of personal data used for ad personalisation – across several documents that require users to take several steps to access, and by describing its data processing activities in “too generic and vague” a manner, in breach of the GDPR’s requirement for transparency; and
  • Second, by failing to obtain a valid legal basis for processing personal data for ad personalisation: the consent Google relied on was neither sufficiently informed (because of the dispersed information described above) nor “specific” and “unambiguous”, since the ad personalisation option was pre-ticked and users agreed to every processing purpose at once, whereas the GDPR requires consent to be given by a clear affirmative act for each purpose.

According to the CNIL, “the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement”.

Max Schrems, the co-founder and director of noyb, commented:

“We are very pleased that for the first time a European data protection authority is using the possibilities of [the] GDPR to punish clear violations of the law. Following the introduction of [the] GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

This isn’t the only complaint noyb has made under the GDPR. Last Friday, the group filed complaints with the Austrian Data Protection Authority against eight streaming services, including Amazon, Apple, Netflix, YouTube and Spotify, for violating Article 15 of the Regulation by failing to honour users’ right of access: the right to obtain a copy of their personal data together with information about how it is processed.

Schrems is no slouch when it comes to privacy campaigning: you’ll probably remember that it was his complaint against Facebook that prompted the collapse of the US Safe Harbor agreement in 2015 and the creation of its replacement, the EU-US Privacy Shield – although that could also be invalidated for the same reasons.

Yesterday saw the end of the Irish Supreme Court hearing of Facebook’s appeal against the High Court’s October 2017 judgement, which referred questions about the validity of EU-US data transfers to the Court of Justice of the European Union.

According to The Irish Times, the Chief Justice, Mr Justice Frank Clarke, “said the court would consider what to do next and inform the parties in that regard”. Watch this space.

Talking of the Privacy Shield, The Register reports that “the US may have finally complied with the European Commission’s repeated requests to name a permanent Privacy Shield ombudsperson”, which the Commission had asked it to do by 28 February this year.

Last week, President Trump announced his intent to nominate DocuSign’s former CEO Keith Krach as Under Secretary of State for Economic Growth, Energy, and the Environment – a role that The Register’s Rebecca Hill points out “has consistently come with the position of public advocate for the Privacy Shield agreement on transatlantic data flows”.

Owing to the government shutdown, however, no one was available to offer an official comment.

And while we’re talking about the shutdown, you’ll remember that last week I said that numerous federal websites had been rendered insecure or inaccessible because there was no one at work to renew their expired TLS certificates.

Well, this week the Department of Homeland Security issued an Emergency Directive (ED 19-01) setting out a series of “Required Actions” for all federal agencies to help mitigate DNS (Domain Name System) hijacking: attacks in which an adversary alters a domain’s DNS records, typically after compromising the registrar, DNS hosting or administrator credentials that control them, so that web, email and other traffic for that domain is routed to infrastructure the attacker controls, where it can be intercepted and then passed on to the legitimate service.

According to the Directive, the Department’s Cybersecurity and Infrastructure Security Agency “is aware of multiple executive branch agency domains that were impacted by [a DNS infrastructure tampering] campaign and has notified the agencies that maintain them”.

Within ten business days, every agency with a .gov domain must audit its public DNS records to confirm they resolve to the intended locations, change the passwords on the accounts that can modify those records, add multi-factor authentication to those accounts, and monitor certificate transparency logs for certificates issued for agency domains that the agency did not request. Given that so many staff have been furloughed, however, this could be something of a stretch.

According to researchers from FireEye, there has been a wave of large-scale DNS hijacking attacks affecting “dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America” since January 2017. “Preliminary technical evidence,” FireEye states, allows it “to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests.”
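The two checks the Directive asks for, auditing DNS records against what they should be and watching certificate transparency for certificates nobody requested, are the detection side of the record-tampering FireEye describes. The script below is an added example written for this page, not code from DHS, CISA or FireEye. It assumes the agency already holds a documented baseline of its records; the baseline, the “current” snapshot and the CT entries are all constructed sample data (in practice the current snapshot would come from querying the authoritative name servers and the CT entries from a log monitor), and the issuer names and domains are hypothetical.

```python
"""Detect DNS record tampering and unrequested certificates.

Added example, not part of the Emergency Directive or FireEye's report.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed known-good snapshot: record type -> owner name -> set of values.
BASELINE = {
    "A":  {"www.agency.example": {"203.0.113.10"},
           "mail.agency.example": {"203.0.113.25"}},
    "MX": {"agency.example": {"10 mail.agency.example."}},
    "NS": {"agency.example": {"ns1.agency.example.", "ns2.agency.example."}},
}

# Constructed "current" snapshot. An attacker with control of the DNS
# account has pointed the mail host at their own server and replaced one
# name server with one they run, the two patterns seen in the campaign.
CURRENT = {
    "A":  {"www.agency.example": {"203.0.113.10"},
           "mail.agency.example": {"198.51.100.7"}},
    "MX": {"agency.example": {"10 mail.agency.example."}},
    "NS": {"agency.example": {"ns1.agency.example.", "ns1.attacker.example."}},
}


def diff_records(baseline, current):
    """Return (rtype, name, missing_values, unexpected_values) for every
    record set whose values differ from the baseline. A record set that has
    vanished is reported with all of its values missing; a brand-new one
    with all of its values unexpected."""
    findings = []
    for rtype in sorted(set(baseline) | set(current)):
        names = set(baseline.get(rtype, {})) | set(current.get(rtype, {}))
        for name in sorted(names):
            want = baseline.get(rtype, {}).get(name, set())
            have = current.get(rtype, {}).get(name, set())
            if want != have:
                findings.append((rtype, name, sorted(want - have), sorted(have - want)))
    return findings


@dataclass(frozen=True)
class CTEntry:
    """One certificate as seen in a certificate transparency log."""
    domain: str
    issuer: str
    not_before: datetime
    serial: str


# CAs the agency actually buys certificates from (hypothetical names).
EXPECTED_ISSUERS = {"Example Gov CA"}

# Constructed CT entries. Whoever controls a domain's DNS can pass domain
# validation at any public CA, so a hijacker can obtain a perfectly valid
# certificate for the intercepted host; CT is where that becomes visible.
CT_ENTRIES = [
    CTEntry("www.agency.example", "Example Gov CA",
            datetime(2018, 6, 1, tzinfo=timezone.utc), "0a1b"),
    CTEntry("mail.agency.example", "Some Public CA",
            datetime(2019, 1, 12, tzinfo=timezone.utc), "7f3e"),
]


def unexpected_certs(entries, expected_issuers, since, suffix):
    """Certificates for names under `suffix`, issued on or after `since`,
    by a CA the agency does not use. Issuer is a crude filter: the real
    question is whether the agency requested the certificate, so every hit
    is a lead to check against the change record, not a verdict."""
    return [e for e in entries
            if e.not_before >= since
            and (e.domain == suffix or e.domain.endswith("." + suffix))
            and e.issuer not in expected_issuers]


def audit(baseline=BASELINE, current=CURRENT, ct_entries=CT_ENTRIES,
          since=datetime(2019, 1, 1, tzinfo=timezone.utc)):
    """Run both checks and return the findings in one structure."""
    return {
        "dns_changes": diff_records(baseline, current),
        "suspect_certs": unexpected_certs(ct_entries, EXPECTED_ISSUERS,
                                          since, "agency.example"),
    }


if __name__ == "__main__":
    result = audit()
    for rtype, name, missing, extra in result["dns_changes"]:
        print(f"{rtype} {name}: missing {missing}, unexpected {extra}")
    for cert in result["suspect_certs"]:
        print(f"certificate {cert.serial} for {cert.domain} from {cert.issuer}")
```

Two findings come out of the sample data: the A record for the mail host and the NS delegation have both changed, and a certificate for the mail host was issued by a CA the agency does not use eleven days before the audit. Either alone is worth investigating; together they are the signature of the campaign the Directive responds to.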

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.