At a glance.
- Swiss court exempts Proton AG from some surveillance requirements.
- Standard Contractual Clauses under GDPR.
- Creator data compromised in Italian data breach.
- Biometrics in the investigation of the US Capitol riot.
Swiss court grants Proton appeal regarding data surveillance.
Swiss tech company Proton AG has won an appeal against the Swiss Post and Telecommunications Surveillance Service (PTSS) regarding the company’s traffic monitoring policies, Reuters reports. The creator of ProtonMail and ProtonVPN, Proton AG refers to itself as the world’s largest secure email provider. PTSS decided last year that Proton, like Swiss telecommunications providers, must store necessary surveillance data and be available to answer to PTSS at all times. The Swiss Federal Administrative Court last week overturned that ruling, confirming that email services are not considered telecommunications providers in Switzerland, and are therefore not required to adhere to telecommunications data retention requirements. A Proton spokesperson said that the decision is a big win for privacy, as it excludes Swiss tech startups “from onerous telco regulations and handing over certain user information in response to Swiss legal orders.”
What you need to know about the European Commission's new SCCs.
As part of a webinar series commemorating the third anniversary of the General Data Protection Regulation (GDPR), Cooley offers commentary on the use of standard contractual clauses (SCCs), which under the GDPR are used to allow the transfer of data from the EU and the European Economic Area (EEA) to other parts of the world. In June, the European Commission released two new sets of SCCs, and Cooley highlights some of the most important aspects of the new clauses. The first set of SCCs provides a template contract regarding controller and processor obligations to be used when the data is not transferred outside the EEA, while the second focuses on data exported to other countries. These new clauses impact new contracts concluded on or after September 27, 2021, and follow a modular approach for various transfer scenarios, including processor-to-processor and processor-to-controller, which were not covered by the old clauses.
Italian copyright agency breach compromises creator data.
A ransomware attack aimed at Italy’s Società Italiana degli Autori ed Editori (SIAE) potentially exposed the data of the country’s actors, musicians, artists, authors, and other copyright holders, Bleeping Computer reports. The SIAE is a government agency responsible for safeguarding the intellectual property rights of creative works and is the country’s sole royalties collector. The Everest ransomware gang has leaked 60GB of registered member and employee data, including national ID and driver’s license scans, from SIAE contract agreements. The gang is selling the data for $500,000 after SIAE allegedly refused to meet their ransom demands. The Italian data protection authority Garante per la Protezione dei Dati Personali is investigating the breach.
Biometric data used in US Capitol riot investigation.
Forbes reports that, in an investigation connected to the January 6 riot at the US Capitol building, the US Federal Bureau of Investigation has been granted a warrant to open a defendant’s devices using the owner’s fingerprint. It’s a controversial move, as several state judges have denied government warrants involving the use of a suspect’s biometrics in an investigation, claiming it violates the Fourth and Fifth Amendments’ protection of suspects from unnecessary searches and self-incrimination. The warrant states, “Pursuant to the language in the warrant authorizing use of biometrics to unlock digital devices on premises, FBI agents used Schwartz’s fingerprint to unlock the Samsung Galaxy S10 cellular telephone.”