Thursday, February 7, 2019

privacy

When can an employer read an employee’s e-mails or texts, or track her use of the Internet? It’s an important question for both employers and employees. A judgment this week in Barbulescu v Romania addressed the issue, but unfortunately has been greeted by press headlines such as ‘EU court allows employers to read all employee e-mails’. This is wrong on two counts: it’s not a judgment of an EU court, but of the separate European Court of Human Rights; and the ruling does not allow employers to read all employee e-mails without limitation.

data access by government authorities

Police and intelligence agencies are to be given expedited access to electronic communications sent by terrorists, serious crime gangs and white-collar criminals, under a new agreement between the UK and the US. This deal — the first-ever bilateral data access agreement — was signed on Thursday by Priti Patel, UK home secretary, and William Barr, US attorney-general. It will compel US technology companies including Facebook, Google and Twitter to hand over the content of emails, texts and direct messages to British law enforcement bodies, and require the same of UK companies holding information sought by US investigators. It takes police and security services from six months to two years to request and access electronic data, under a cumbersome “mutual legal assistance” treaty between the US and UK governments. Officials believe that the new agreement will reduce this process to “weeks or even days”. Facebook received just over 7,000 such requests from British authorities in the second half of last year, data from the company shows. The difficulties for investigators have worsened as digital communications are increasingly stored in networks of virtual servers run by third-party providers and scattered across the world.

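- Google, the US tech giant repeatedly accused of late of infringing the public's privacy, has stirred up a fresh controversy. Google confirmed that third-party apps are entitled to access users' Gmail emails, and that developers can even share the information they obtain with others free of charge. Under questioning from the US Congress, Google vice president Susan Molinari sent a letter to senators in July explaining the company's privacy policy. The letter, made public on Thursday, disclosed that developers of third-party apps can view Gmail inboxes and, as long as they disclose to Google how the information is used, can share the information they obtain free of charge. This permission was originally created to improve ad targeting, but although that feature was cancelled last year, apps can still view users' emails. On the Apple and Android platforms, at least 379 apps have permission to view Gmail users' emails. When asked in Congress whether an app's permission would be suspended if it broke the rules, Google did not respond.
- US technology company Google has been caught up in one privacy controversy after another. On Monday (11th) it was alleged to have secretly launched "Project Nightingale" with the health system Ascension last year and, since this summer, to have accelerated the sharing of detailed data and health information on tens of millions of people in 21 US states. People familiar with the matter said at least 150 Google employees obtained large amounts of patient data without the patients and doctors concerned being notified. Google and Ascension said the project complies with federal law and stressed that patients' personal data is properly protected.
- US tech giant Google is accused of secretly recording users' locations when they had turned off the location function. The Arizona attorney general filed suit in Maricopa County court the day before yesterday, accusing Google of violating the state's consumer fraud act and asking the judge to order Google to hand over the related profits and compensate users in the state. A Google spokesperson responded that the attorney general and his lawyers had mischaracterised its services.
- The law firm Boies Schiller & Flexner, representing Google users, filed suit the day before yesterday in federal court in San Jose, California, alleging that whether or not users click on the ads Google displays, the company can secretly collect users' data through Google Analytics, Ad Manager and other applications and website plug-ins in order to learn users' locations, friends, hobbies, favourite foods, shopping habits and other information, and even the details of their online searches on all kinds of private matters.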


- Capital One, a major US card-issuing bank, was earlier breached by a hacker, and the personal data of 100 million customers in the US and 6 million in Canada was stolen, including names, addresses and identity numbers; the clean-up is estimated to cost US$100 million to US$150 million (about HK$780 million to HK$1.17 billion). The Federal Bureau of Investigation (FBI) searched a residence in Seattle on Monday (29th) and seized electronic equipment, and a hacker involved in the case was arrested.
- US companies are struggling to digest and implement privacy rules that will come into force in California from January 1. Initially passed last year, the California Consumer Privacy Act, or CCPA, gives Californian consumers the right to see all the personal information a business holds about them and ask for that data to be deleted or not sold on to third parties. Designed mainly to curb the data practices of deep-pocketed tech giants such as Google and Facebook, whose business models rely on wielding user information to target advertising, the rules will actually impact an estimated 500,000 companies operating across the US, from financial and professional services groups to smaller online retailers. After fierce lobbying to water it down, and a slew of amendments, the bill reached a final draft this month, leaving companies little time to plan for when it takes effect. Many have complained that the bill is both confusing and likely to hit them with hefty compliance costs.
- US media reported that the College Board, which runs the SAT exam, sells test-takers' personal data to universities for as little as 47 US cents (about HK$3.7) per record, helping them cast a wide net to recruit students, push up application numbers and raise their rejection rates, thereby boosting their rankings.
- economist 23feb19 "watching: the detectives" how the police track what people say and do online
- economist 2mar19 "the cambridge analytica bill" congress is trying to create a federal privacy law for 4th time in 45 years



  • approved in apr2016
  • new requirements such as privacy by design, as well as new rights for data subjects, including data portability, and the right to be forgotten.  It imposes certain obligations and prohibitions on data controllers and processors that are currently absent in local data protection policies
  • requires organisations to notify authorities, and in certain cases, affected individuals of an accidental or unlawful loss, theft, access or disclosure of European personal data without undue delay -- at times 72 hours after having become aware of it. Prevention of social/physical harm to an individual is included.
  • facial recognition
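  • British media reported on Thursday that the EU is considering banning the use of facial recognition technology in public places, allowing up to five years to work out how to prevent abuse. The European Commission explained that the strict new rules, which may yet be introduced, would strengthen the existing regulations protecting Europeans' personal privacy and data.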
  • cases
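  • British Airways' security systems were hacked last year, leading to the leak of a large amount of passenger data and affecting about 380,000 ticket booking transactions. On Monday it was fined £183 million (about HK$1.78 billion) by the Information Commissioner's Office (ICO). BA expressed surprise and disappointment at the decision; the company may appeal within 28 days.
- Internet privacy is drawing concern. It has been reported that nearly 80 health websites in the UK passed sensitive personal data, without users' knowledge, to companies including internet giants Google and Facebook (Fb) and online retail giant Amazon. Google stressed that it does not use sensitive data to build profiles for marketing, and said the company has strict rules preventing advertisers from using such data.
- British officials earlier mistakenly published online the home addresses of more than a thousand recipients of the Queen's New Year Honours, including singers, senior police officers, diplomats and defence officials. The UK Cabinet Office issued a statement of apology last Saturday and promised to investigate the incident. Separately, former House of Commons Speaker John Bercow is suspected to have been denied an honour because of favouring the Remain camp during his term.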

The Commission nationale de l'informatique et des libertés (CNIL; French pronunciation: [knil]; English: National Commission on Informatics and Liberty) is an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data. Its existence was established by the French loi n° 78-17 on Information Technology, Data Files and Civil Liberty of 6 January 1978, and it is the national data protection authority for France. Since September 2011, the CNIL has been chaired by Isabelle Falque-Pierrotin. The CNIL was created partially in response to public outrage against the SAFARI program, which was an attempt by the French government to create a centralized database allowing French citizens to be personally identified by different government services. On March 21, 1974, an article in the newspaper Le Monde, "SAFARI ou la chasse aux Français" (SAFARI; or, Hunting Frenchmen) brought public attention to the project. Interior Minister Jacques Chirac, freshly appointed following the events of May 1968, had to face the public uproar. Chirac was the successor to Raymond Marcellin, who had been forced to resign in the end of February 1974 after having attempted to place wiretaps in the offices of the weekly newspaper Le Canard enchaîné. The massive popular rejection of the government's activities in this domain prompted the creation of the CNIL. At the beginning of 1980, when the CNIL began its main activities, news anchorman Patrick Poivre d'Arvor announced that the CNIL had registered 125,000 files. By the end of 1980, Poivre d'Arvor counted 250,000 files (public and private).
- As the yellow vest protests continue in France, President Macron's government announced the compulsory launch next month of an identity app named "Alicem", making France the first EU country to verify citizens' identity through facial recognition technology. The government described the app as making the state more efficient, but opponents question whether the move will infringe privacy, and the opposition also worries that the government will use it to track violent protesters.
- India's Supreme Court has ruled that the country's controversial biometric identity scheme is constitutional and does not violate the right to privacy. However the court limited the scope of the Aadhaar scheme, saying it could not be compulsory for bank accounts, mobile connections or school admissions. The world's largest biometric ID database covers welfare and tax payments and access to social services. More than a billion Indians have already been enrolled. Many don't have other forms of identification - only 65 million own a passport and 200 million have a driving licence. Those who enrolled in Aadhaar received a unique 12-digit identification number after submitting their fingerprints and retina scans. About 30 petitioners went to court to argue that the scheme infringed Indians' privacy.

- ft 30sep19 privacy advocates sound alarm on india's facial recognition plans

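- US media reported the day before yesterday that Nur-Sultan, the capital of Kazakhstan, recently introduced a facial recognition payment system from China's Hikvision into its bus fare system, sparking controversy. Some members of the public worry that it infringes personal privacy, but officials said the data will be added to a bank's database and that the bank will protect all of it, stressing that it is not used to monitor the public.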

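- A committee of the Australian parliament on Friday examined the encryption bill introduced last year, which would give security agencies new powers to require internet giants such as Facebook and Google to help decrypt data. The chair of a lawyers' organisation pointed out that forcing internet companies to help police crack the encrypted messages of extremists or other criminals would seriously infringe personal privacy and freedom.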
- The director of privacy at the agency behind My Health Record has quit amid claims the organisation and Health Minister Greg Hunt's office have not been taking the concerns of internal privacy experts seriously enough. 

new zealand
- scmp 3oct18 nz customs can now demand passwords

- personal data protection act (to be enforced as of may 2020)

- ft 27sep19 singapore backed app for students in second data breach

hk
- regulation

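  • Secretary for Constitutional and Mainland Affairs Patrick Nip Tak-kuen said in a radio interview yesterday that the plan is to finalise concrete measures for amending the Personal Data (Privacy) Ordinance in the first half of this year. The broad directions include whether to make it mandatory for companies to report personal data breaches, heavier penalties, and a shorter period for which companies may retain customer data, and the authorities are open to the range of proposals.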

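- Cathay Pacific and Cathay Dragon, which leaked the personal data of 9.4 million customers, delayed nearly half a year before announcing the incident, leaving large numbers of customers unable to take immediate remedial action. But it turns out the chief culprit is the Hong Kong government's rejection eleven years ago of amendment proposals submitted by the Office of the Privacy Commissioner, which lets companies off any mandatory notification even when they leak customers' personal data. In addition, Cathay did not specify how long it retains customers' personal data, raising worries that the risk of customer data leaks will increase. At the end of 2007 the Office of the Privacy Commissioner submitted to the Hong Kong government and the Mainland Affairs Bureau 56 proposals for amending the Privacy Ordinance, including a requirement that data users notify the Privacy Commissioner and the affected persons when personal data is leaked. At the time, however, the government considered that this would place a heavy burden on data users, rejected the proposal, and counter-proposed a voluntary notification mechanism.
- section 33 of personal data ordinance (has yet to come into force) prohibits the transfer of personal data to places outside hk unless certain conditions are met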
- breach notification not mandatory under hk law
- A trial of electronic safety bands has divided parents at a Canadian school in Hong Kong, with some voicing concerns over potential threats to data privacy. Introduced on May 9 for a six-week trial on 200 Grade Four and Grade Eight pupils, the bands provide real-time information about when students and staff enter and exit the 14-storey Aberdeen campus of the Canadian International School of Hong Kong (CDNIS), or board and exit a bus under contract with the school. The devices can also count their wearer’s steps or monitor their heart rate.
They came in after consultation with international audit firm PwC and Tencent, the Shenzhen-based tech giant behind social media and mobile payment app WeChat. The devices have no e-payment facility for the trial period, though the school said that was an option in the future.

- legislation

  • CAC released draft measures on security assessment of the cross border transfer of personal information on 13jun2019
  • Chinese regulators have published new rules designed to prevent illegal collection and use of the personal information of app users, signalling the government’s determination to clean up unauthorised data collection by internet players. The document, published jointly by China’s Cyberspace Administration, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation, provides a standard for identifying illegal collection and use of personal data by app developers. The prohibited behaviours include the absence of published service regulations, failure to clarify the purpose and methods of data collection, collection and sharing of personal information without users’ consent and collection of user information not related to the service provided.
- China has cracked down on another large batch of apps in order to strengthen protection of personal data amid rising consumer anxiety in the country over the potential for online privacy breaches. The China Cybersecurity Center said 100 apps, across a range of industries including e-commerce and banking, have been penalised since November, for incorrect collection of personal data, lack of privacy agreements or ambiguous rules, according to a statement on its WeChat official account last week. It added that 27 of the apps received rectification orders and 63 received written warnings. Meanwhile, 10 were issued with fines while another two were under criminal investigation. “In total, 683 apps have been punished this year,” said the report. “China’s public security authorities will continue to crack down on violations of personal information.” The blacklisted apps include offerings from China Everbright Bank, Bank of Tianjin, e-commerce services providers Weidian and Kaola, online housing rental platform as well as vehicle information provider, although the specific punishments for each app were not disclosed.
- facial recognition

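  • The Ministry of Industry and Information Technology announced a number of measures in September this year to enforce real-name registration of mobile phone users, including a requirement that telecom companies' retail outlets use facial recognition systems across the board, so that members of the public can sign up for internet access only after passing the face comparison. The measures formally took effect on Sunday (1st). But some netizens worry that facial recognition data will be leaked and that personal privacy will vanish entirely.
  • Cities across China have been trialing face recognition payment systems for their subway networks. Now Zhengzhou, the capital of northeast Henan province, has become the first to roll out the technology on a wide scale. Starting Tuesday, local commuters can board and exit any of Zhengzhou’s subway stops using an optional face scan, according to a report in the Henan Daily. The roll out comes as China is pushing the AI-enabled technology into all walks of life, from catching wanted criminal suspects and preventing ticket scalpers to saving public toilet paper and checking on class attendance. Since the service began trials in September, nearly 200,000 commuters in Zhengzhou have elected to authorise face-scan payments using a local metro service app, according to the report. While Zhengzhou is among dozens of Chinese cities to introduce such trials, it is the first to deploy the service across its entire subway network. Last week, Beijing started a trial of fast track security checking by face scan at one of its subway stations.
  • British media recently reported that Megvii, the Chinese artificial intelligence start-up blacklisted by the US, had earlier applied for a loan of 100 million yuan (about HK$110 million) to develop technologies such as improving the accuracy of facial recognition for crowds wearing masks, prompting outside concerns that the technology could strengthen China's surveillance capabilities and even infringe personal privacy. Megvii responded that the technology is used to locate the positions of faces in a crowd, not to identify individuals, and that it can detect body temperature to help fight the epidemic.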

- identity theft

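- The Railway Bureau of Taiwan's Ministry of Transportation and Communications earlier announced an "intelligent video surveillance system project" at Fengyuan Station in Taichung, using a facial recognition system to strengthen monitoring and maintain station security. But outside observers worried it would infringe public privacy and voiced opposition, and the bureau then halted implementation. Taiwanese media reported yesterday that the surveillance equipment is from a mainland-funded brand, but because the system was developed by a Taiwanese vendor, the preliminary assessment is that there are no information security concerns.
- Taiwan's Far EasTone Telecommunications was alleged to have had a security flaw when it recently sent contract-renewal offer text messages to users, which could leak users' names, addresses, identity card numbers and other data. Far EasTone confirmed the incident yesterday, admitted that there had indeed been negligence, and has since shut down the services related to the renewal text messages. Users can still complete renewal by registering on the official website, and the company will cooperate with the police investigation.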


companies providing related services
