
Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates

LONDON — When Europe enacted the world’s toughest online privacy law nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world’s largest technology companies.

Now, the law is struggling to fulfill its promise.

Europe’s rules have been a victim of a lack of enforcement, poor funding, limited staff resources and stalling tactics by the tech companies, according to budget and staffing figures and interviews with government officials. Even some of the law’s biggest supporters are frustrated with how it has worked.

In addition, the response to Covid-19 is raising new questions about the role of privacy safeguards, as digital tools for tracking health and location information, once viewed warily by the European authorities, are now crucial parts of containment strategies.

The law, known as the General Data Protection Regulation, or G.D.P.R., created new limits on how companies can collect and share data without user consent. It gave governments broad authority to impose fines of up to 4 percent of a company’s global revenue, or to force changes to its data-collection practices. The policy served as a model for new privacy rules in Brazil, Japan, India and elsewhere.

But since the law was enacted, in May 2018, Google has been the only giant tech company to be penalized — a fine of 50 million euros, worth roughly $54 million today, or about one-tenth of what Google generates in sales each day. No major fines or penalties have been announced against Facebook, Amazon or Twitter.

The inaction is creating tension within European governments, as some leaders call for speedier enforcement and broader changes. Privacy groups and smaller tech companies complain that companies like Facebook and Google are avoiding tough oversight. At the same time, the public’s experience with the G.D.P.R. has been a frustrating number of pop-up consent windows to click through when visiting a website.

Europe’s challenges risk undermining efforts elsewhere in the world to create tougher privacy rules, said Johnny Ryan, a leading campaigner for privacy regulation. He said American officials had told him that Europe’s problems with putting G.D.P.R. into effect were a reason not to create federal standards in the United States.

“If you don’t have strong, robust enforcement and investment, this law is a fantasy,” said Mr. Ryan, the chief policy officer at Brave, which makes an internet browser with privacy protections to limit data tracking and advertising. “We have failed to realize the potential of G.D.P.R. thus far.”

Supporters acknowledge that the law has had growing pains and that cases have taken longer as new procedures are put in place. But they say it is too early to draw sweeping conclusions. The law has increased awareness about privacy and forced many companies, including Facebook and Google, to adopt new policies to comply. California and New York have adopted similar privacy laws.

The biggest test of the G.D.P.R. thus far will come in the months ahead, supporters argue, when a batch of rulings involving big technology companies are expected. Twitter is expected to be one of the first to be penalized, in an Irish case related to data breaches. WhatsApp, the Facebook-owned messaging service, faces possible penalties for sharing data with other Facebook services.

“The G.D.P.R. is a long-term project,” said Eduardo Ustaran, who leads the privacy practice at Hogan Lovells International, a London law firm that represents many large companies. “The past couple of years barely give us a glimpse of whether this project will be successful.”

Facebook said in a statement that it was committed to the principles of the G.D.P.R., which have resulted in making “our policies clearer, our privacy settings easier to find, and introduced better tools for people to access, download and delete their information.”

Amazon said that as a result of the law, it had introduced a new privacy help page where customers can see more information about data the company collects. Google and Twitter declined to comment.

Many critics said that even if the companies were penalized, the actions had taken too long, leaving regulators at risk of fighting yesterday’s battles. The cases could drag for several more years as a result of court appeals. And with limited financial resources, critics argue, the authorities are inclined to be overly cautious and avoid more complex cases.

Adding to the challenges is the coronavirus pandemic, which has altered the debate about how to build mobile apps and other technologies. Techniques that were once seen as intrusive in Europe, like collecting location and health data, are part of government plans to contain the virus.

The G.D.P.R. provides “legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent” of individuals, the European Data Protection Board, which helps coordinate enforcement of the law, said in a recent statement. The European Commission delayed until June the release of a full review of the G.D.P.R. as a result of the virus.

Frustrated by the lack of progress, Mr. Ryan spent several weeks examining budget and staffing data from 28 European countries. Mr. Ryan, who lives in Ireland and filed a complaint with regulators there against Google over its ad-targeting practices, found that all but three — Germany, Britain and Italy — had data protection agencies with annual budgets of less than €25 million.

In his report, to be published this week, Mr. Ryan found that most countries had only a handful of investigators with industrial expertise dedicated to reviewing technology industry cases. He is filing a complaint with the European Union asking it to penalize countries that do not give data protection agencies enough resources.

[Chart: Shifts at Irish Data Protection Commission, change from previous year, showing complaints received, staff (requested and total) and budget (requested), with the start of G.D.P.R. marked.]

Source: Brave

By The New York Times

Regulators acknowledge the problem and have called for more money. In a February survey of privacy regulators in 30 European countries, 21 responded that “resources are not enough” to fulfill their responsibilities. Luxembourg, which is responsible for regulating Amazon, had a budget of roughly €5.7 million last year, worth about $6.2 million, or roughly Amazon’s sales over 10 minutes.

“We have a lack of enforcement,” said Ulrich Kelber, the chairman of Germany’s data protection authority, which has the highest budget in the European Union, at roughly €85 million when including regional agencies. “Most of the European governments don’t give enough resources to the data protection authorities.”

He called for a more centralized approach, in which countries pool resources and share responsibilities for investigating the biggest companies. Currently, each country is responsible for regulating companies that have their European headquarters within its borders.

At the center of the dispute is Ireland, which has outsize influence over the law’s enforcement because Apple, Facebook, Google, LinkedIn and Twitter are all based there. The country is responsible for leading more investigations, 127, than any other country in Europe, according to Brave. Yet in nearly two years, it has not issued a single G.D.P.R. penalty.

Ireland’s budget of €16.9 million ranks sixth among data protection agencies in Europe. Last year, Ireland’s data protection regulator sought a budget increase of €5.9 million. It got a third of that amount.

Helen Dixon, the chair of Ireland’s data protection agency, said she was frustrated by the budget restrictions but defended the work of her office. More than 140 people work in her office, compared with 27 in 2017. She graded Ireland’s performance an “A for effort” but a “C-plus/B-minus in terms of output.”

Ms. Dixon said rulings involving Twitter, Facebook and others were coming. But she said her office had been overwhelmed by complaints filed by advocates like Mr. Ryan that called for sweeping, resource-intensive investigations of entire industries like digital advertising. Under the law, regulators must respond to every complaint filed — more than 12,000 in Ireland since 2018.

Companies like Facebook asked a slew of procedural legal questions that must be responded to before cases can advance, Ms. Dixon said. Google stalled regulators by not immediately declaring where its European headquarters would be.

Ms. Dixon said many people wrongly assumed that the G.D.P.R. would result in a swift and wholesale shake-up of data-collection practices of the largest tech companies.

“There will be fines, there is no doubt about that,” she said, but the law “doesn’t allow for taking on an entire sector.”

Regulators have other leverage beyond investigations, Ms. Dixon said. Facebook delayed the release of its dating app, she explained, after the Irish authorities raised questions about its data collection.

“There are lots of different ways to go about creating a positive effect,” she said. “Not all of them cater around fines and the superficial commentary we sometimes see.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

What’s the Price of Getting Your Data? More Data


The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”
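The tiered approach described above (a lightweight access request needs little proof, a deletion request or sensitive data needs more, tokens go to a phone or email, and the account holder gets a heads-up regardless) can be written down as an explicit policy. The following is an added illustration, not code from OneTrust, Berbix or any company named in the article; the account fields, factor names and the specific combinations it accepts are assumptions chosen for the example. One design choice worth noting: a verification token is always sent to the contact details already on file, never to the address the request arrived from, which is what defeats the look-alike email address described in the Pavur research.

```python
"""Tiered verification for data subject requests (hypothetical design).

Constructed example: the proof demanded scales with what the request could
expose or destroy, tokens are sent only to contact details already on file,
and the account holder is always notified out of band that a request was made.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
import hmac
import secrets


class RequestType(Enum):
    ACCESS = "access"      # hand over a copy of the data
    DELETE = "delete"      # erase the data (irreversible, so stricter)


class Factor(Enum):
    SESSION = "logged_in_session"   # authenticated to the existing account
    EMAIL = "email_token"           # proved control of the email on file
    PHONE = "phone_token"           # proved control of the phone on file
    KNOWLEDGE = "knowledge"         # something only the customer knows, e.g. a recent invoice number


@dataclass
class Account:
    email: str                      # contact details on file (assumed schema)
    phone: str
    recent_invoice: str
    holds_sensitive_data: bool      # e.g. payment details or government ID


@dataclass
class Request:
    kind: RequestType
    from_email: str                 # where the request came from; never trusted on its own
    proven: set = field(default_factory=set)


@dataclass
class Decision:
    approved: bool
    reason: str
    notify: str                     # address on file that gets a heads-up either way


def acceptable_combinations(req: Request, acct: Account) -> list[set[Factor]]:
    """Factor sets that satisfy policy for this request; any one of them suffices."""
    # Lightweight: a copy of non-sensitive data needs a single factor.
    if req.kind is RequestType.ACCESS and not acct.holds_sensitive_data:
        return [{Factor.SESSION}, {Factor.EMAIL}]
    # Sensitive data, or any deletion: two independent factors.
    return [
        {Factor.SESSION, Factor.EMAIL},
        {Factor.SESSION, Factor.PHONE},
        {Factor.SESSION, Factor.KNOWLEDGE},
        {Factor.EMAIL, Factor.PHONE},
        {Factor.EMAIL, Factor.KNOWLEDGE},
    ]


def issue_email_token(acct: Account) -> tuple[str, str]:
    """Mint a one-time token. The destination is the address on file, so a
    look-alike address in the request never receives the proof."""
    return acct.email, secrets.token_urlsafe(16)


def check_knowledge(acct: Account, answer: str) -> bool:
    """Constant-time comparison of the knowledge-factor answer."""
    return hmac.compare_digest(acct.recent_invoice.encode(), answer.encode())


def evaluate(req: Request, acct: Account) -> Decision:
    """Approve only if the proven factors cover one acceptable combination.
    The notification target is filled in whether or not the request is approved."""
    for combo in acceptable_combinations(req, acct):
        if combo <= req.proven:
            names = "+".join(sorted(f.value for f in combo))
            return Decision(True, "satisfied " + names, acct.email)
    return Decision(False, "insufficient verification", acct.email)


if __name__ == "__main__":
    # Constructed sample account and requests.
    acct = Account("alice@example.com", "+1-555-0100", "INV-2019-0042", holds_sensitive_data=True)
    # A request from a look-alike address with nothing proven is refused, and the owner is notified.
    print(evaluate(Request(RequestType.ACCESS, "a1ice@example.com"), acct))
    # The token goes to the address on file, not to the requester's address.
    print(issue_email_token(acct)[0])
    # After completing the email-on-file token and the invoice check, the request is approved.
    done = {Factor.EMAIL} | ({Factor.KNOWLEDGE} if check_knowledge(acct, "INV-2019-0042") else set())
    print(evaluate(Request(RequestType.ACCESS, "a1ice@example.com", done), acct))
```

The policy table is deliberately small; a real deployment would also rate-limit attempts per account, expire tokens, and log every decision so that refused requests against an account can be reviewed.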

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

Want Your Personal Data? Hand Over More

Westlake Legal Group 00datarequests2-facebookJumbo Want Your Personal Data? Hand Over More Science and Technology Privacy Law and Legislation General Data Protection Regulation (GDPR) Data Storage California

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

Want Your Personal Data? Hand Over More

Westlake Legal Group 00datarequests2-facebookJumbo Want Your Personal Data? Hand Over More Science and Technology Privacy Law and Legislation General Data Protection Regulation (GDPR) Data Storage California

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, has varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”
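The tiered approach the researchers and vendors describe above, written out as an added example that is not any company's or vendor's code: a request on an existing account is verified by login, every request triggers a heads-up to the address on file, account-less requesters prove ownership of the on-file email with a single-use token and answer a knowledge check such as a recent invoice number, and deletion or sensitive-data requests need all of it. The records, key and invoice number are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of what the company already holds for a data subject.
# Only these on-file values are used as channels and knowledge checks;
# nothing the requester types (name, lookalike email) is trusted.
RECORDS = {
    "c-1001": {"email": "subject@example.com", "last_invoice": "INV-2024-0042",
               "has_account": True},
}
TOKEN_TTL = 900  # seconds an emailed token stays valid

def required_proofs(request_type: str, sensitive: bool, has_account: bool) -> frozenset:
    """Tier the checks by what is requested: a deletion, or access to
    sensitive data, demands more proof than a lightweight access request."""
    proofs = {"login"} if has_account else {"email_token"}
    if sensitive:
        proofs.add("knowledge")                   # e.g. invoice number on a recent bill
    if request_type == "delete":
        proofs |= {"email_token", "knowledge"}    # strongest tier
    return frozenset(proofs)

@dataclass
class Request:
    request_id: str
    subject_id: str
    request_type: str
    sensitive: bool
    proofs_done: set = field(default_factory=set)
    token_digest: Optional[bytes] = None
    token_expires: float = 0.0

class Verifier:
    def __init__(self, key: bytes):
        self.key = key                            # server-side secret for token digests
        self.requests: dict = {}
        self.outbox: list = []                    # (to, message) stand-in for outbound email

    def open_request(self, request_id, subject_id, request_type, sensitive, requester_email):
        req = Request(request_id, subject_id, request_type, sensitive)
        self.requests[request_id] = req
        # Heads-up goes to the address on file, never to the one the requester supplied,
        # so the real subject learns of a request filed from a lookalike address.
        self.outbox.append((RECORDS[subject_id]["email"],
                            f"A {request_type} request {request_id} was filed for your data"))
        return req

    def issue_email_token(self, request_id) -> str:
        req = self.requests[request_id]
        token = secrets.token_urlsafe(24)
        req.token_digest = hmac.new(self.key, token.encode(), hashlib.sha256).digest()
        req.token_expires = time.time() + TOKEN_TTL
        self.outbox.append((RECORDS[req.subject_id]["email"], f"Your verification code: {token}"))
        return token  # returned only so a caller can simulate reading the mailbox

    def confirm_email_token(self, request_id, presented: str) -> bool:
        req = self.requests[request_id]
        if req.token_digest is None or time.time() > req.token_expires:
            return False
        digest = hmac.new(self.key, presented.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(digest, req.token_digest):
            return False
        req.token_digest = None                   # single use
        req.proofs_done.add("email_token")
        return True

    def confirm_knowledge(self, request_id, answer: str) -> bool:
        req = self.requests[request_id]
        ok = hmac.compare_digest(answer.strip().upper(), RECORDS[req.subject_id]["last_invoice"])
        if ok:
            req.proofs_done.add("knowledge")
        return ok

    def record_login(self, request_id) -> None:
        self.requests[request_id].proofs_done.add("login")   # set by the session layer

    def decision(self, request_id) -> str:
        req = self.requests[request_id]
        need = required_proofs(req.request_type, req.sensitive, RECORDS[req.subject_id]["has_account"])
        missing = need - req.proofs_done
        return "fulfil" if not missing else "pending:" + ",".join(sorted(missing))
```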

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

Facebook Dodged a Bullet From the F.T.C. It Faces Many More.


LONDON — Facebook escaped largely unscathed from the Federal Trade Commission’s decision on Friday to fine it around $5 billion for privacy violations: The settlement neither bruised its bottom line nor severely restricted its ability to collect people’s data.

Yet even as the Silicon Valley company dodged that bullet, its pain was just beginning.

Regulators and lawmakers in Washington, Europe and in countries including Canada have already begun multiple investigations and are proposing new restrictions against Facebook that will probably embroil it in policy debates and legal wrangling for years to come. And in some of these places, the authorities are increasingly coordinating to form a more united front against the company.

In the United States, the potential for a federal antitrust investigation looms, several state attorneys general have initiated investigations of the company, and members of Congress are considering a federal privacy law and other restrictions. Not to mention that President Trump has turned up the heat on Facebook and other tech behemoths, including on Friday when he said that the platforms were “dishonest” and “crooked” and that “something is going to be done.”

That momentum will be on display this coming week on Capitol Hill. On Tuesday, the House Judiciary subcommittee on antitrust plans to hold a hearing featuring executives from Facebook, Apple, Amazon and Google about the power of the firms. That same day, the Senate Banking Committee is scheduled to hear from David Marcus, a top Facebook executive, on the company’s new Libra cryptocurrency project, which lawmakers have criticized and questioned.

In Europe, Facebook faces sanctions for breaking the region’s strict privacy laws, and the European Commission is in the early stages of an antitrust investigation against the company. In Britain, where a parliamentary report this year labeled Facebook “digital gangsters,” officials are writing new competition and social media laws, and regulators have started a broad antitrust inquiry targeted at Facebook and Google. France is also considering new penalties against the social network if hate speech and other harmful content is not removed within 24 hours.

And Australia, Japan, India, New Zealand and Singapore are either considering or have passed new rules against big internet platforms. Since 2016, at least 43 countries have passed or introduced regulations targeting social media and the spread of misinformation, according to Oxford University researchers.

“The debate has shifted,” said Tommaso Valletti, a professor at Imperial College Business School and the chief economist for the European Commission’s antitrust division. “The right question is not whether to intervene, but what kind of intervention do we need.”

For Facebook, these global fights could sting more than the F.T.C. decision and its $5 billion fine. While that amount would be a record penalty by the federal government against a technology company, it represents just a fraction of Facebook’s $56 billion in annual revenue. And while the F.T.C. also moved to increase oversight of how Facebook handles user data, none of the conditions in the settlement would impose strict limits on the company’s ability to collect and share data with third parties.

Yet governments and regulators can still potentially force the social media company to change how it conducts business through new laws and restrictions — a damaging outcome that Microsoft and other large companies have faced in the past. Already, Facebook has put huge amounts of time and resources into pushing back against tougher privacy, antitrust and hate speech rules, even as it has publicly expressed openness toward more regulation.

Facebook said in a statement on Saturday that, “by updating the rules for the internet, we can preserve what’s best about it.” The company added, “We want to work with governments and policymakers to design the sort of smart regulation that fosters competition, encourages innovation and protects consumers.”

Facebook is the centerpiece of a broader reckoning facing the tech industry, with governments beginning to collaborate in their response. The European Commission has shared information with the F.T.C. and the Justice Department about its past investigations into Google. And this spring, Ireland’s top privacy regulator, who has been investigating Facebook and Google, met with officials in Washington.

In May, an annual meeting of antitrust regulators from around the world turned into a four-day strategy session focused on the tech industry. Joseph Simons, the head of the F.T.C., and Makan Delrahim, the assistant attorney general overseeing antitrust at the Justice Department, were among those who attended the event in Colombia.

“It’s good news that the U.S. agencies are diving into this discussion,” said Andreas Mundt, Germany’s top antitrust enforcer, who helped organize the meeting and in February issued one of the first antitrust rulings against Facebook. “It’s clear these are companies that are active worldwide and thus a worldwide approach is not a bad idea.”

Mr. Mundt and other regulators believe that actions against Facebook and its industry peers must go beyond fines. Instead, many authorities want to force structural changes to how the businesses operate — like their collection of data and sale of digital advertising.

After the F.T.C. decision, Facebook’s next sanctions are expected to come from Europe, where the authorities have traditionally been more assertive against the tech industry than American regulators.

Ireland’s data-protection office has 11 investigations underway against Facebook for violations of European privacy law, the General Data Protection Regulation, or G.D.P.R. (Ireland has jurisdiction over Facebook under the privacy law because the company’s European headquarters is in Dublin.) At least two verdicts against the company are likely in the coming months.

“Facebook has powers that were previously poorly understood,” Helen Dixon, head of the Irish data commission, said in an interview. She declined to comment on specific Facebook cases, but said, “It’s up to us as regulators to enforce where we see accountability hasn’t been demonstrated.”

France is debating a sweeping new law that would require Facebook and other large internet platforms to prevent the spread of hate speech and other harmful content or risk fines. Germany has already enacted a similar law. In Britain, a similar measure is under consideration, as well as tougher competition rules that would create a new digital regulator and potentially require Facebook to make some of its data available to competitors.

Some academics and free speech advocates have raised concerns that in a rush to limit Facebook’s power, governments are drafting policies with unintended consequences. Human rights groups were alarmed by proposals in Singapore and India to give the government new powers to censor content on social media.

“They are all very reactionary,” said Samantha Bradshaw, a doctoral student and researcher at the Oxford Internet Institute who has been tracking government actions against Facebook and others. “I haven’t seen any proposals that really get to these systemic-level challenges about the algorithms, the data collection, and the privacy.”

What specific policies Facebook will accept remains unclear. In many places, the company has fought back against the regulatory and legal onslaught.

Ms. Dixon of the Irish data commission said Facebook has tried to stall her investigations by raising questions and challenges. The social network is “asking constantly for extensions,” she said. “There have been quite a few testy exchanges. Once you have a law with a very big stick” that can be used “against a very big company, they are going to seek to protect their interests at every turn.”

In Germany, Facebook is appealing an antitrust ruling that would prevent it from sharing data with its other apps, such as Instagram and WhatsApp, as well as websites that use the “like” and “share” buttons. It is simultaneously fighting elements of the French and British proposals regarding hate speech, saying they place too much responsibility on the company to judge what is acceptable online content.

Facebook and other tech giants also oppose a European Union proposal to toughen privacy rules for communications platforms like WhatsApp and Messenger.

In Australia, lobbyists were dispatched to battle antitrust proposals intended to limit Facebook and Google’s market power. And Canadian authorities are taking Facebook to court after the company refused to change its data-collection practices.

“They have softened their message toward the public, but ultimately they are trying to avoid as much binding regulation on them as possible,” said Margarida Silva, a researcher with Corporate Europe Observatory, a group that tracks lobbying in Europe.
