Author: Editor

The draft ePrivacy Regulation: will it still be future proof?

by Herwin Roerdink

The intentions were admirable: a new ePrivacy Regulation that would apply from the same day as the newly introduced General Data Protection Regulation (GDPR). When the European Commission published its first proposal in January 2017, this still seemed to be the idea. But things turned out very differently. There was great division in the European Parliament, and the negotiations in the Council were stuck. The Council did publish a compromise text in late September for discussion, but so far there is no final text. The bottlenecks are mainly in the area of cookies (Article 8 of the proposal) and direct marketing (Article 16 of the proposal). A final proposal is still a long way off. With a possible transition period of 1 to 2 years, the new ePrivacy Regulation will probably come into force in 2023 or 2024 at the earliest. This is unfortunate on several points,...

Bad bots are getting worse – the complicated world of bot attacks and account takeover fraud

By Mélisande Mual – The Paypers

The global push for digitisation has created the perfect environment for fraudsters to operate on a large scale, in three ways. Firstly, with data breaches happening on a daily basis, there is no shortage of stolen credentials available for purchase. Secondly, the number of digital transactions is ever-increasing, so financial institutions process more and more transactions every day. Finally, technologies such as automation tools and bots have become cheaper and more widely available than ever before. Together, these phenomena make bot attacks increasingly cheap, scalable and dangerous.

Bot attacks (also known as botnet attacks or malicious bot attacks) happen when a cybercriminal uses a collection of devices over the internet to cause harm in various ways. These devices are often infected with a virus that gives the hacker complete access to and control over the device, which the hacker then integrates into a botnet....

How to keep track of privacy during corona?

By Lex Keukens and Sander Tempel

On April 7, Minister De Jonge announced that the government wanted to use tracking apps (‘the App’) to fight the COVID-19 virus. In addition to the tasks regularly carried out by the Dutch Municipal Health Services (GGD), the government wants the App to provide smart digital solutions for source and contact tracing.[1] This means that the App will need to process personal data, including data from which an individual’s health situation can be inferred.

Before focusing on the starting points which the App must meet according to the government, it must first be determined whether the General Data Protection Regulation (GDPR) applies to this form of data processing and, if so, whether there is a lawful basis for processing personal data.[2] After that we will focus on a number of critical comments in relation to data minimisation, protection and data storage. We conclude with some food for thought.

Starting points

In the...

SyRI legislation in violation of article 8 of the ECHR, but no exclusion of intrusive technology!

By Rob van den Hoven van Genderen

On 5 February 2020, the Court of The Hague ruled that the SyRI (System Risk Indication) legislation is contrary to the European Convention on Human Rights (ECHR).[1] The case was brought by a large number of civil society organizations against the use of SyRI by the State of the Netherlands to detect and combat fraud in a number of ‘risk areas’ with the help of data linking and analysis using algorithms. The court ruled that there was insufficient balance between the use of new technologies (such as AI, data analysis, algorithms, deep learning or self-learning systems) and respect for private life as set out in article 8 of the ECHR. According to the court, there is also a risk of discrimination. The law is insufficiently transparent and verifiable and therefore unlawful.

Tijmen Wisman of the Civil Protection Platform says about the verdict: “We have been proved right...

The privacy advocate for the dark side

By Roel van Rijsewijk

And then we had the lockdown, and her message started to resonate, loud and clear.

Inspiring conversations at my kitchen table with Lokke Moerel

It is the third of March as I am waiting for my next ‘kitchen-table conversation’ with Lokke Moerel, lawyer, professor and a very effective privacy advocate. There is no privacy without security, so we are two sides of the same coin. And I am particularly looking forward to this meeting of both sides, since Lokke is an influential person: when companies have a data breach, she is the one invited into the boardroom for advice. She is described by people who know her as someone with a strong opinion, which she will share with you in no uncertain terms. I get all that in the next hour. An intense and sometimes humbling experience.

At the time of our meeting I was still in denial about the spread of...

The Legal Look – A spinning approach towards encryption

By Victor de Pous

If it is up to Justice and Security Minister Ferd Grapperhaus, technology companies must hand over a decryption key to law enforcement agencies if an investigating criminal judge orders so, for example in a case about transmitting child pornography via WhatsApp or Telegram, which use end-to-end encryption. The fierce discussions about government access to encrypted private communication versus privacy protection are old (originally called the “crypto wars”), but have now taken the Netherlands by surprise, because the government, until recently, held on to its firmly settled encryption policy with the Leitmotiv: “Cryptography plays a key role in technical security in the digital domain.” Suddenly the wind blows from the opposite direction.

Regulating encryption with special legislation – or rather not – is a fine example of divided interests and opinions in the digital society, and a lasting legal trend at the same time, just as changing fundamental...

If you’re relying on consent, you’re doing it wrong under the GDPR

By Arnoud Engelfriet

Ever since the GDPR went into effect, companies have worked hard to achieve compliance. However, one key mistake keeps popping up: asking consent as the legal basis for some processing of personal data. It is strange that companies would rely on this ground, because it has the strictest legal requirements and is the most difficult to work with. Yet the myth persists that you should seek consent. Please stop.

Consent is of course one of the ways to acquire a so-called ‘ground for processing’, a legal basis required by the GDPR. Without such a ground, any processing is unlawful. There are other grounds, notably the performance of an agreement and the legitimate interest, but those grounds have scary-sounding requirements like necessity or a balance of interests. Asking consent thus seems logical: you explain what you are going to do and you get a clear and voluntary “yes please”. Right?

Wrong....

PSD2: A Crucial Link in Building the New Digital Europe

View PDF: https://www.dcsp.nl/wp-content/uploads/2019/08/Delex-8949-DCSP-Magazine-01-2018-Edwin-van-Gorp-Chris-Barbiers.pdf

By Edwin van Gorp and Chris Barbiers

A lot of hard work is being done to launch the Payment Services Directive 2 (PSD2). But why do we actually need PSD2? And what does it mean for the financial services market? Time to let go of the daily worries and details of PSD2 and to reflect on the larger context: the objectives of the European Commission (EC) and the emergence of the new financial Europe. PSD2, together with the GDPR, is a great piece of European politics. PSD2 is one of the pieces in the European Commission’s puzzle for the construction of a strong internal European market. The idea behind this plan is simple: if we remove barriers within Europe as far as possible, we create a strong internal trade market. As a result, Europe remains a strong player on the world stage, compared...

Technical and Organizational Controls in a Processor Agreement

View PDF: https://www.dcsp.nl/wp-content/uploads/2019/08/Delex-8949-DCSP-Magazine-01-2018-Marianne-Korpershoek.pdf

Technical and Organizational Controls in a Processor Agreement: How do you make them work?

By Marianne Korpershoek

When an organization outsources its processing of personal data, the GDPR requires it to use only processors that can provide adequate guarantees for their level of security. In itself, laying down the security requirements in a data processing agreement was a rule already covered by the old law, but the ‘guarantee’ requirement that an organization now has to meet is a big step further in assuring that sufficient technical and organizational controls are actually implemented by the processor. Especially now that there are more and more providers of handy apps and cloud applications in which tasks are taken care of.

Consider, for example, an app for pre-employment checks, for video job applications, and so on. Can you still rely on the Guidelines on...

Talking with Jaya Baloo – Chief Information Security Officer KPN

View PDF: https://dcsp.nl/wp-content/uploads/2019/07/Delex-8949-DCSP-Magazine-01-2018-Jaya-Baloo.pdf

By Claudia Zuidema

Two months ago a Mr. Mao Zhang sent me an email. “This is your bad luck. I hacked your password ***** and I know all your secrets.” If I didn’t transfer 3000 bitcoins to Mr. Zhang within a week, he threatened to send all kinds of files and photos to my business relations.

When Jaya Baloo (https://jobs.kpn.com/vakgebied/security/jaya-baloo-en-de-eredivisie-van-cybersecurity/), KPN’s Chief Information Security Officer (CISO), states that cybersecurity is a daily issue, she’s right. I met with KPN’s leading lady of cybersecurity at the Security Operations Center (SOC) in Hilversum while she was in the middle of a Red Team meeting.

My first, slightly corny question: you are a well-known CISO, on the World’s Top 100 Chief Information Security Officers list. What’s your biggest professional challenge? ‘KPN is a very large company and that means that there are many challenges. We have to be...
