At a glance.
- "China's GDPR."
- Northwestern Memorial HealthCare breach.
- Privacy risks involving supervision of remote work.
- EU establishes a child-protection exception to privacy law.
A look at China’s upcoming data privacy law.
JDSupra is presenting a fifteen-article series focused on the recently released second draft of China’s future privacy regulation, the Personal Information Protection Law (PIPL), which many are fondly calling “China’s GDPR.” The latest installment focuses on the appointment of a “person in charge of personal information protection,” or the rough equivalent of the GDPR’s data protection officer (DPO). Under PIPL, the DPO’s duties include determining compliance measures and data breach response regulations. As for which organizations will be required to install a DPO, the draft states that a DPO is necessary if the entity processes an amount of personal data beyond a particular threshold, but it’s unclear exactly what that threshold will be, as it will likely depend on various factors like the number of employees and the amount of data being handled. JDSupra also outlines the DPO’s personal legal liability and how the position might interact or overlap with other roles.
NMHC suffers vendor breach.
Patient data from Northwestern Memorial HealthCare (NMHC), based in the US state of Illinois, were potentially exposed by a data breach at third-party vendor Elekta, provider of a cloud-based cancer data reporting platform. The Daily Swig reports that the intruders accessed and copied sensitive data including patient names, dates of birth, Social Security numbers, health insurance information, and medical record numbers. No financial data was compromised, but patients of at least nine Chicago-area hospitals have been advised to review their insurance statements for any suspicious activity, and NMHC has stated that it is “re-evaluating its relationship with Elekta.”
Demi Ben-Ari, CTO and Co-Founder of Panorays, commented:
"There’s something truly appalling about a cyber incident that involves stealing the private medical information of oncology patients, who are now at risk of being victims of identity theft, blackmail or even worse. In this case, a third-party provider that handled legally-required cancer reporting to the state of Illinois exposed the patients’ data, which was then copied by cybercriminals. This is not the first time we’ve seen private medical information compromised by a third party—nor will it be the last. To help prevent such incidents, it’s crucial for every organization to implement robust automated processes in order to thoroughly assess and continuously monitor all of their third parties."
Privacy risks of remote work surveillance tech.
As the pandemic saw many workers trading their business suits for sweatsuits, some employers have contemplated turning to digital monitoring to keep an eye on their employees’ activities while at home and on the clock. But this technology raises serious questions about employee privacy, especially when it utilizes artificial intelligence analysis. As Security Boulevard reports, under the General Data Protection Regulation, employees have the right to protect themselves against employment decisions based on automated monitoring. Elizabeth Crooks, privacy consultant at cybersecurity advisor Coalfire, explains, “Explicit consent should also be obtained from employees to process sensitive personal information, as these systems may include audio or video surveillance.” Threat intelligence advisor John Bambenek of Netenrich went as far as to compare this tech to spyware, pointing out that AI-based surveillance systems can have programmatic biases that might penalize certain employees unfairly. Given that such monitoring often motivates employees to either trick the system or even quit, before acquiring such tech a company should consider whether the inherent privacy risks are worth it.
EU carves out a child-protection exception to privacy regulations.
The European Parliament has passed a law that would allow Internet companies to scan users' messages for evidence of child abuse. Forbes reports that the measure is intended to address perceived shortcomings of the European Electronic Communications Code, in effect since this past December.
As has been the case on the American front of the Crypto Wars, child protection has in Europe been one of the more compelling arguments the crypto-skeptical side has offered. Daniel Markuson, digital privacy expert at NordVPN, makes the pro-crypto case:
“What is important to note here is that end-to-end encryption allows users to maintain privacy and secrecy while also safeguarding information from third-party access. Removing this privacy would make it easier for hackers to steal users’ private data by exploiting loopholes in encryption. It could also make it easier for companies to attain access to information that can be exploited. This could ultimately lead to a significant decrease in trust in companies offering messaging and communication services.”
“If the main argument for removing encryption and allowing companies to access sensitive data is for the betterment and safety of society, the government is better off leaving encryption as it is. Because as it stands now, law enforcement already has legally based ways of acquiring necessary information without needing to impede upon the rights of non-involved people. If officials can provide enough evidence, they are granted permits to surveil suspects.”
“In the case of this proposal, millions of innocent people would have their privacy infringed upon without knowing what is happening with the data being collected. This possibility of decryption and subsequent surveillance should be alarming for anyone who values digital privacy. Not to mention, this plan of action sets a dark tone for the digital privacy of those who use communications platforms. Digital crime should in no way be tolerated, but surveillance without an appropriate legal basis is not only a scary concept but should be discouraged at every turn.”