Entries submitted

D1: New Audit Mechanism for Effective Enforcement (Israel, PPA)
D2: Memorandum of Understanding (MoU) between CNDP and Abu Dhabi Global Market (ADGM) during the celebration of the International Data Day 2018 (Morocco, CNDP)
D3: An investigative cooperation has been provided to the ICO in order to identify a company making marketing calls (Morocco, CNDP)
D4: Inquiry into Ministry of Social Development’s Collection of Client-Level Data from NGOs (New Zealand, Office of the Privacy Commissioner)
D5: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)
D6: Resolution on the Protection of Personal Data in Counter Services (Turkey DPA)
D7: Resolution on Protection of Personal Data on the Web Sites Providing Guidance Service / Applications (Turkey DPA)
D8: Comprehensive and dynamic Guide to GDPR and Law Enforcement Processing (United Kingdom, ICO)
D9: The ICO’s investigation into use of data analytics and micro targeting for political purposes (United Kingdom, ICO)
D10: FTC’s Expanded Uber Settlement (United States of America, FTC)


D1: New Audit Mechanism for Effective Enforcement (Israel, PPA)

Entry by: Israeli Privacy Protection Authority (PPA)

Description of the initiative:

An innovative auditing mechanism that will identify and narrow the gaps between data protection legislation/regulations and their application by organizations across the economy. The audits will create awareness and incentivize organizations to comply.

The audits will be carried out amongst pre-identified sectors across the economy.

Audits will be based on questionnaires distributed to hundreds of organizations and will be carried out by IT audit and data security experts.

Why the initiative deserves to be recognised by an award?

The new audit mechanism will enable the PPA to significantly increase compliance and awareness across the economy.

The mechanism is unique due to its effectiveness. It is designed to reach a huge number of organizations across the economy and to create an in-depth gap analysis between legislation and its implementation, maximizing compliance and other regulatory benefits on the one hand while using minimum resources on the other.

The mechanism is a significant tool to promote and implement the PPA’s policies amongst data controllers and processors, and to reduce gaps between privacy regulation and its implementation in the economy by identifying them through the audits, correcting deficiencies through guidelines, and enforcing guidelines and corrections through follow-up and repeat audits.

The audits will increase awareness through broad exposure of the findings to the public (aggregated results by sector) via the media.

The findings of the audits will enable regulatory adjustments and guidance, and may lead to the initiation of administrative or criminal investigations (when required). In addition, the findings will make it possible to produce sectoral privacy compliance key performance indicators.


D2: Memorandum of Understanding (MoU) between CNDP and Abu Dhabi Global Market (ADGM) during the celebration of the International Data Day 2018 (Morocco, CNDP)

Entry by: CNDP Morocco

Description of the initiative:

The National Commission for the Protection of Personal Data (CNDP) and the Abu Dhabi Global Market Registration Authority (ADGM) have signed a Memorandum of Understanding establishing a cooperation framework in the field of Data Protection and Privacy.

This memorandum was signed to celebrate the International Data Protection Day. Under this convention, CNDP and the ADGM DPA pledge to share expertise and organize common activities to promote a culture of Data Protection and Privacy in the MENA region.

Why the initiative deserves to be recognised by an award?

This convention is one of the first of its kind in the MENA region.

The cooperation between CNDP and ADGM aims to:

  • Promote privacy and data protection in the MENA region, where only a few countries have adopted privacy legislation;
  • Establish a cooperation framework between DPAs, based on ICDPPC cooperation resolutions, in order to share experiences and best practices and to co-host privacy events.


D3: An investigative cooperation has been provided to the ICO in order to identify a company making marketing calls (Morocco, CNDP)

Entry by: CNDP Morocco

Description of the initiative:

CNDP has provided investigative cooperation to the ICO in relation to a subscriber the ICO was looking into under the Privacy and Electronic Communications Regulations (PECR).

The case was related to marketing calls targeting British citizens.

The ICO requested cooperation from CNDP after receiving confirmation from the British network provider that the calling numbers were allocated to a Moroccan subscriber.

CNDP contacted the company and was able to identify the third parties to which these numbers were allocated.

Why the initiative deserves to be recognised by an award?

We do think that this kind of cooperation among countries will improve DPAs’ investigation efficiency, since it represents a way of sharing insights and expertise.

This could also enhance the safety and security of a broader community.


D4: Inquiry into Ministry of Social Development’s Collection of Client-Level Data from NGOs (New Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The Privacy Commissioner conducted an inquiry into the Ministry of Social Development’s collection practices around client-level data from NGOs. The proposal was that funding for the NGOs would be dependent upon providing the client-level data.

Why the initiative deserves to be recognised by an award?

The initiative was a highly effective one. It involved wide consultation with stakeholders, primarily NGOs. No similar work was being carried out by any other agency. The Office saw a real need to challenge the legal and ethical basis upon which the proposal was based, particularly given that it affected some of the most vulnerable members of our society.

The effect of the report was to raise awareness of the proposal, which was being implemented across the social sector as part of the Government’s social investment focus.

The Privacy Commissioner’s inquiry concluded that the ICLD policy, as implemented, was inconsistent with the principles of the Privacy Act and should therefore be amended.

The Office worked to ensure there was wide media coverage for the report, and that the central concerns raised in the report were made known publicly.

The effect of the report findings and the media coverage was to generate wider public debate and attention. Politically, the report generated a debate in Parliament and the proposal was disbanded a few weeks later.


D5: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)

Entry by: The Norwegian Data Protection Authority

Description of the initiative:

We have developed these guidelines to help organizations understand and comply with the requirement of data protection by design and by default in article 25 of the General Data Protection Regulation. We have cooperated with security professionals and software developers in the public and private sectors, among others. These guidelines are primarily intended for developers, software architects, project managers, testers, data protection officers and security advisors.

Why the initiative deserves to be recognised by an award?

The guidelines have to be specific and clear so that organisations that develop software, applications, services, systems, etc. can follow the guide and later on get their processing activities certified and obtain a privacy seal or mark according to article 25(3).

The framework is not meant to be a substitute for a company’s methodology for software development, but it is a supplement to ensure that privacy and security are included in the methodology.

There is abundant technical literature that focuses on security by design when developing software. Relatively little has, however, been written about data protection by design and by default when developing software. While working on this guide, we have used the Software Development Life Cycle (SDLC), the Microsoft Security Development Lifecycle (SDL) and ENISA’s Privacy and Data Protection by Design – from policy to engineering as a starting point, and explored how to incorporate privacy principles, data subject rights, and the requirements of the GDPR into every step of the process.

The guidelines have already become a gold standard for developers and have been adopted by three universities in Norway. We think this is because the guide is specific and clear and has checklists that can be used directly by the different developer professions.


D6: Resolution on the Protection of Personal Data in Counter Services (Turkey DPA)

Entry by: Turkish Data Protection Authority

Description of the initiative:

In accordance with Resolution No. 2017/62 of 21/12/2017 of the Personal Data Protection Board on violations of data security in areas that provide service in adjacent order with more than one employee, it has been decided that controllers must take the necessary technical and administrative measures to prevent the assignment of unauthorized persons to service areas such as counters, pay desks and tables, and to prevent the hearing, seeing and seizing of the personal data of those who receive service in close proximity to each other at the same time; and that legal action will be initiated against persons who do not abide by this Resolution.

Why the initiative deserves to be recognised by an award?

As it has been understood that personal data shared by citizens who receive service within the scope of transactions can be heard, viewed and thus made available to third parties without the data subjects’ consent when appropriate physical conditions have not been provided and the necessary measures have not been taken; and that it is common for controllers not to have taken measures to keep personal data at counters from being heard and seen by third parties, especially in the banking and health sectors, mail and cargo services, tourism agencies, customer service departments of chain stores that provide service in adjacent order with more than one employee, as well as organizations where various subscription transactions are made and public and private sector institutions that provide services such as municipal, tax and population transactions; our Authority has taken immediate action and adopted a Resolution requiring controllers to take the necessary technical and administrative measures to prevent the assignment of unauthorized persons to service areas such as counters, pay desks and tables, and to prevent the hearing, seeing and seizing of the personal data of those who receive service in close proximity to each other at the same time, and initiating legal action against persons who do not abide by this Resolution.

The Resolution, adopted to create awareness among the public and to inform our citizens about the mentioned services, has been announced on the official website of our Authority and published in the Official Gazette dated 2/01/2018 and numbered 30312. In this way, measures have been taken to prevent the seizure of our citizens’ personal data without their consent, thus preventing the victimization of many people.


D7: Resolution on Protection of Personal Data on the Web Sites Providing Guidance Service / Applications (Turkey DPA)

Entry by: Turkish Data Protection Authority

Description of the initiative:

As it has been understood that data processing activities without data subjects’ consent are widespread among guidance services, it has been decided by Resolution No. 2017/61 of 21/12/2017 of the Personal Data Protection Board to inform the public that the data processing activities of internet sites/mobile applications that share information without legal grounds shall be stopped immediately; that if information is obtained that the mentioned internet sites/applications have not ended their activities, the issue shall be notified to the authorized organizations in order to prevent access to the services, and to the Chief Public Prosecutor, taking into account that the personal data may have been obtained contrary to law; and that legal action shall be initiated against persons who do not abide by this Resolution.

Why the initiative deserves to be recognised by an award?

The number of web sites and mobile applications that provide phone number lookup from a name, or name lookup from a phone number, is increasing day by day, and these applications are widely used in society. Such applications often access the information stored on the phones of the persons who download the application and transfer that information to their databases, so that the phone numbers, together with the names of the persons registered in the phone book, can be queried by other people using the application. In this case, however, the persons registered in the phone book of the person who downloaded the application are not informed that their personal data, i.e. their telephone numbers, are shared with third parties in connection with their names, nor has their consent regarding the sharing been obtained. This sharing of phone numbers with people without their knowledge and consent creates social unrest, exposes people to unwanted calls and in this way harms personal rights in various ways.

Where a violation is found to be common, on the basis of a complaint or ex officio, the Board has the authority to adopt a Resolution in accordance with paragraph 6 of Article 15 of Personal Data Protection Law No. 6698. Within this framework, as it has been understood that there are many applications and websites that collect personal data via various applications or social media accounts without the explicit consent of data subjects and share these data, providing access to phone number information when a name is queried, to name information when a phone number is queried, and to how people are registered in the phone books of others; our Authority has taken immediate action and decided that the activities of internet sites/mobile applications that share information without legal grounds shall be stopped immediately; that if information is obtained that the mentioned internet sites/applications have not ended their activities, the issue shall be notified to the authorized organizations in order to prevent access to the services, and to the Chief Public Prosecutor, taking into account that the personal data may have been obtained contrary to law; and that legal action shall be initiated against persons who do not abide by this Resolution.

The Resolution, adopted to create awareness among the public and to inform our citizens about the mentioned services, has been announced on the official website of our Authority and published in the Official Gazette dated 2/01/2018 and numbered 30312. In this way, measures have been taken to prevent the seizure of our citizens’ personal data without their consent and its sharing with third parties, thus preventing the victimization of many people.


D8: Comprehensive and dynamic Guide to GDPR and Law Enforcement Processing (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (ICO), UK

Description of the initiative:

The ICO has developed a comprehensive and dynamic Guide to GDPR and Law Enforcement Processing. The Guide has been structured to provide a layered set of advice for data controllers and processors. It contains a range of information, from ‘at a glance’ overviews of the key concepts in the legislation right through to detailed technical guidance. It is fully web-based and is constantly evolving. The next phase will involve embedding detail relevant to the UK Data Protection Act 2018.

Why the initiative deserves to be recognised by an award?

We receive consistent feedback from stakeholders nationally and internationally about the value of our practical guidance, which is deliberately written in plain English and in a very accessible style.

It is particularly relevant to note the Law Enforcement Processing content, which we believe is a relatively unique source of support for those with an interest in this specific aspect of the new directive as part of the wider data protection regime.

The access figures clearly demonstrate the significant reach of these resources.

The Guide to the GDPR – published 21 November 2017 (figures correct as of 29 June 2018)
  • 2,714,751 unique visitors to the Guide front page
  • 11,264,949 unique visitors across the whole of the Guide
  • UK – 2,387,640 unique visitors to the Guide front page
  • 2nd – USA – 93,044
  • 3rd – Ireland – 19,983

Guide to Law Enforcement Processing – published 5 April 2018
  • 11,509 unique visitors to the Guide front page
  • 39,745 unique visitors across the whole of the Guide
  • UK – 10,157 unique visitors to the Guide front page
  • 2nd – USA – 370
  • 3rd – Netherlands – 108


D9: The ICO’s investigation into use of data analytics and micro targeting for political purposes (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (ICO), UK

Description of the initiative:

The investigation was commenced in May 2017 and was intensified in March 2018 when a whistle-blower made allegations that up to 87 million user profiles were harvested from Facebook, for use by the data analytics company, Cambridge Analytica. An ICO report will be published on July 11 2018, which we would like to be considered as part of the entry, once it is published. [Update August 10 2018: the report has now been published and is available here]

Why the initiative deserves to be recognised by an award?

The ICO is the first data protection authority to undertake such a comprehensive investigation into use of personal data for political purposes. The outputs of the investigation will inform a much broader debate, beyond the UK, about the use of personal data in elections and online manipulation, linked to wider debates about fake news.

It is ground-breaking in terms of scope and depth and in its use of digital forensics to examine data seized during the investigation. There are many wider learnings that the ICO will be able to share with the wider data protection community about conducting digital investigations of this nature.

The investigation has also shone a light on the importance of transparency of micro-targeting techniques in social media and how data from third-party sources is used to inform the targeting. It has also considered the application of new data analytics techniques that profile individuals for the purposes of political campaigning, placing them in categories and groups that then inform the use of micro-targeting on social media.

The investigation has also highlighted the importance of political parties being subject to data protection laws and being accountable for their use of personal data, whilst respecting the key roles that political parties play in democracy and the positive benefits of political campaigning.

We have also considered the risks from universities using social media data for research purposes and the need for stronger governance around the uses of the data.


D10: FTC’s Expanded Uber Settlement (USA, FTC)

Entry by: U.S. Federal Trade Commission (FTC)

Description of the initiative:

FTC’s Expanded Uber Settlement – The FTC reached an expanded settlement with Uber Technologies, Inc. over charges that the ride-sharing company deceived consumers about its privacy and data security practices. After the announcement of a proposed settlement with Uber in August 2017, the FTC learned that Uber had failed to disclose a significant breach of consumer data that occurred in the midst of the FTC’s investigation. Due to Uber’s misconduct related to this breach, Uber will be subject to additional requirements.

Why the initiative deserves to be recognised by an award?

This shows an example of an enforcement action and remedy effectively adapting to new revelations and covering new, significant misconduct. After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the FTC that it suffered another data breach in 2016 while the FTC was investigating the company’s strikingly similar 2014 breach. The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.
