
Pursuing The Right to be Left Alone

  • Posted on:November 16, 2017
  • Posted in:Compliance & Regulations, Security
  • Posted by:
    William "Bill" Malik (CISA VP Infrastructure Strategies)
GDPR will impact any business handing EU citizen data.

The three pillars of privacy, defined in “The Right to Privacy” (4 Harvard L.R. 193 (Dec 15, 1890)), are 1) the right to know what information is gathered about you, 2) the right to know how it will be used, and 3) the right to be left alone. The European Union has incorporated these principles into the European Data Protection Directive, about to be replaced by the General Data Protection Regulation (GDPR). How often is the right to be left alone invoked?

European citizens can use two channels to remove personal information. First, they can reach out to the specific company asking its data protection officer to remove the data. Second, they can reach out to the national data protection officer to pursue erasure. How often do people use them? For some organizations, quite frequently.

The national Data Protection Officers do not publish lists of requests. However, some companies do. One well-known company is Google. Google publishes statistics on removal requests, in the form of a Transparency Report, here: https://transparencyreport.google.com/eu-privacy/overview. From May 2014 through November 13, 2017, Google has removed 839,556 URLs – about 43% of those requested – from search results, and declined to remove 1,104,867 – nearly 57%. The reasons for not removing a URL include that the information may be strongly in the public interest, that it may reside in a government document, or that it may come from a reputable journalistic source.

European citizens can request information removal using this form: https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf. About 2,000 removal requests arrive at Google every week.

Organizations in the US may be subject to the GDPR through the Privacy Shield. This agreement (two actually, one with the EU and the other with the Swiss) permits US-based organizations that opt in to share personal information about EU and Swiss citizens. The Privacy Shield replaces the Safe Harbor legislation, which the EU has determined is inadequate. The European Commission deemed the Privacy Shield adequate for data transfer under EU law on July 12, 2016. The Swiss Government did so on January 12, 2017. Opting in requires self-certification with the US Department of Commerce at https://www.privacyshield.gov/PrivacyShield/ApplyNow. The Department of Commerce maintains a list of organizations that have opted in at https://www.privacyshield.gov/; as of this writing more than 2,500 companies are listed. The Federal Trade Commission prosecutes violators as described at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield.

Any organization that opts in must respond to requests to remove data under the GDPR. Those requests will go to the organization’s Data Protection Officer. The organization will use its Identity and Access Management (IAM) system to find and delete all relevant records concerning that individual. The national Data Protection Agency, or the FTC, can bring a legal action against an organization that fails to respond to such requests. (The FTC recently brought charges against three organizations that announced they were participating in the Privacy Shield when in fact they had not signed up. They are listed on the FTC’s web site.)

Are you working for a US-based firm that holds personal information about European Union or Swiss citizens? If so, you should do three things. First, opt in to the Privacy Shield. Second, put a Data Protection Officer in place. Finally, ensure your IAM solution is comprehensive and effective. Removal requests will come. Be prepared.

Please add your thoughts in the comments below or follow me on Twitter: @WilliamMalikTM.
