
Greek PDPA Fines Ministry of Interior and MEP Asimakopoulou in ‘Email-Gate’ Scandal

By: Alan J
28 May 2024 at 05:08


The Greek Personal Data Protection Authority (PDPA) has imposed significant fines on the Greek Ministry of Interior and on New Democracy MEP Anna-Michelle Asimakopoulou for their roles in the 'email-gate' scandal. The fines follow an investigation into allegations that Asimakopoulou sent unsolicited campaign emails to Greeks living abroad ahead of the European Parliament elections in June 2024.

Ministry of Interior Violations and Consequences

The authority found that a file of 25,000 voters registered for the June 2023 elections had been leaked between June 8 and 23, 2023. The list, which included voter email addresses, was sent to New Democracy's then Secretary for Diaspora Affairs, Nikos Theodoropoulos, by an unknown individual. Theodoropoulos forwarded the file to MEP Asimakopoulou, who used it to send mass campaign emails in violation of data protection law and the basic principle of lawful processing.

[Image: MEP Anna-Michelle Asimakopoulou. Source: Shutterstock]

On receiving the unsolicited emails in their private accounts, several diaspora voters expressed their surprise on social media and accused the New Democracy MEP of violating the European Union's General Data Protection Regulation (GDPR). The expats questioned how the MEP had obtained their addresses for use in the campaign. Asimakopoulou had earlier attempted to refute the allegations, but the authority found that she gave contradictory explanations of where the addresses used in the mass email campaign came from.

As a result, the Ministry of Interior faces a 400,000-euro fine, while Asimakopoulou faces a 40,000-euro fine. The authority postponed its verdict on Theodoropoulos and on the New Democracy party in order to examine new claims related to the investigation. The PDPA stated that the use of the emails "was in violation of the basic principle of legality, objectivity and transparency of processing, as it was in violation of a series of provisions of the electoral legislation and furthermore could not reasonably be expected." The ministry said it will "thoroughly study" the authority's decision before considering further legal action.
The "email-gate" scandal has led to significant consequences, including the resignation of the general secretary of the Interior Ministry, Michalis Stavrianoudakis, and the dismissal of Theodoropoulos by New Democracy. Asimakopoulou has announced she will not run in the European Parliament elections. Asimakopoulou is also facing 75 lawsuits by citizens and over 200 lawsuits from the Interior Ministry, over the scandal.

Reaction of Opposition Parties to the Investigation Results

Opposition parties are now demanding the resignation of Interior Minister Niki Kerameos following the outcome of the investigation into the unsolicited emails.

[Image: Interior Minister Niki Kerameos. Source: Shutterstock]

The main opposition party, SYRIZA, released a statement asserting that "private data were being passed around for months among the Interior Ministry, ND, and at least one election candidate," and questioned whether the Interior Ministry had leaked the email list to other New Democracy candidates as well. While the Interior Minister might not have been directly involved, SYRIZA claimed that "Kerameos did not have the guts to show up at the Committee on Institutions and Transparency." The socialist PASOK party also demanded Kerameos' resignation, adding that the violation shows the government to be "incapable of fulfilling the self-evident, as proven by the high fines."

Hiring Kit: GDPR Data Protection Compliance Officer – Source: www.techrepublic.com


Source: www.techrepublic.com – Author: The European Union’s General Data Protection Regulation requires every business enterprise and public authority that collects personal data from EU customers and clients to protect that data from unauthorized access. Finding ideal candidates for the GDPR data protection compliance officer position will require thorough vetting, and potential candidates may be difficult […]

The entry Hiring Kit: GDPR Data Protection Compliance Officer – Source: www.techrepublic.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Dan Solove on Privacy Regulation

24 April 2024 at 07:05

Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract:

In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction to fact, the better approach is to lean into the fictions. The law can’t stop privacy consent from being a fairy tale, but the law can ensure that the story ends well. I argue that privacy consent should confer less legitimacy and power and that it be backstopped by a set of duties on organizations that process personal data based on consent.

Full abstract:

Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic”—it transforms things that would be illegal and immoral into lawful and legitimate activities. As to privacy, consent authorizes and legitimizes a wide range of data collection and processing.

There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates; organizations post a notice of their privacy practices and people are deemed to consent if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems: people are ill-equipped to decide about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

In this Article, I contend that most of the time, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary—an on/off switch—but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Rather than provide extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. Murky consent should be subject to extensive regulatory oversight with an ever-present risk that it could be deemed invalid. Murky consent should rest on shaky ground. Because the law pretends people are consenting, the law’s goal should be to ensure that what people are consenting to is good. Doing so promotes the integrity of the fictions of consent. I propose four duties to achieve this end: (1) duty to obtain consent appropriately; (2) duty to avoid thwarting reasonable expectations; (3) duty of loyalty; and (4) duty to avoid unreasonable risk. The law can’t make the tale of privacy consent less fictional, but with these duties, the law can ensure the story ends well.

ICANN Launches Service to Help With WHOIS Lookups

6 December 2023 at 10:51

More than five years after domain name registrars started redacting personal data from all public domain registration records, the non-profit organization overseeing the domain industry has introduced a centralized online service designed to make it easier for researchers, law enforcement and others to request the information directly from registrars.

In May 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — instructed all registrars to redact the customer’s name, address, phone number and email from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges.

ICANN made the policy change in response to the General Data Protection Regulation (GDPR), a law enacted by the European Parliament that requires organizations to have a lawful basis, such as the person's affirmative consent, for collecting and processing personal data of people within the European Union. In the meantime, registrars were to continue collecting the data but not publish it, and ICANN promised it would develop a system that facilitates access to this information.

At the end of November 2023, ICANN launched the Registration Data Request Service (RDRS), which is designed as a one-stop shop to submit registration data requests to participating registrars. This video from ICANN walks through how the system works.

Accredited registrars don’t have to participate, but ICANN is asking all registrars to join and says participants can opt out or stop using it at any time. ICANN contends that the use of a standardized request form makes it easier for the correct information and supporting documents to be provided to evaluate a request.

ICANN says the RDRS doesn’t guarantee access to requested registration data, and that all communication and data disclosure between the registrars and requestors takes place outside of the system. The service can’t be used to request WHOIS data tied to country-code top level domains (CCTLDs), such as those ending in .de (Germany) or .nz (New Zealand), for example.
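Before filing an RDRS request it is worth knowing what a post-2018 record actually withholds and whether the domain is one the service covers at all. The following Python is an added example, not code from the original article or from ICANN: it parses a WHOIS response, flags the registrant contact fields that carry a redaction placeholder (as opposed to fields the registry never publishes), keeps the registrar abuse contact that is still public, and notes whether the TLD is a ccTLD, which the RDRS cannot be used for. Both records are constructed samples; the redaction phrases and the two-letter ccTLD heuristic are assumptions rather than anything the article or ICANN specifies.

```python
"""Added example: spot redacted fields in a WHOIS record and check whether the
domain is one the RDRS could even be asked about."""
from __future__ import annotations

from dataclasses import dataclass, field

# Contact fields ICANN instructed registrars to redact from public WHOIS in 2018.
CONTACT_FIELDS = (
    "Registrant Name", "Registrant Street", "Registrant City",
    "Registrant Phone", "Registrant Email",
)

# Placeholder phrases registrars substitute for a redacted value (assumption:
# the first two are common in gTLD output; "data redacted" is an assumed variant).
REDACTION_MARKERS = (
    "redacted for privacy",
    "please query the rdds service",
    "data redacted",
)

# Constructed gTLD record (not real registration data) in "Key: Value" layout.
SAMPLE_COM = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2019-03-01T00:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
>>> Last update of whois database: 2023-12-01T00:00:00Z <<<
"""

# Constructed ccTLD record; ccTLD registries use their own layouts and the RDRS
# does not cover them regardless.
SAMPLE_DE = """\
% Restricted rights.
Domain: example.de
Nserver: ns1.example.de
Nserver: ns2.example.de
Status: connect
Changed: 2021-06-01T12:00:00+02:00
"""


@dataclass
class WhoisSummary:
    domain: str
    tld: str
    is_cctld: bool
    rdrs_eligible: bool
    registrar: str | None
    abuse_email: str | None
    redacted_fields: list[str] = field(default_factory=list)
    missing_fields: list[str] = field(default_factory=list)


def parse_whois(text: str) -> dict[str, list[str]]:
    """Map lower-cased 'Key' -> list of values; keys such as Name Server repeat."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue  # banners, comments and terms-of-use text
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def is_redacted(value: str) -> bool:
    """True for an empty value or one carrying a known redaction placeholder."""
    lowered = value.lower()
    return not lowered or any(marker in lowered for marker in REDACTION_MARKERS)


def summarize(text: str) -> WhoisSummary:
    """Summarize one WHOIS response the way an abuse investigator reads it."""
    f = parse_whois(text)
    domain = (f.get("domain name") or f.get("domain") or [""])[0].lower()
    tld = domain.rsplit(".", 1)[-1] if "." in domain else ""
    # Heuristic (assumption): ccTLDs are the two-letter ISO 3166 codes.
    is_cctld = len(tld) == 2 and tld.isalpha()
    present = {n: f[n.lower()][0] for n in CONTACT_FIELDS if n.lower() in f}
    return WhoisSummary(
        domain=domain,
        tld=tld,
        is_cctld=is_cctld,
        rdrs_eligible=bool(tld) and not is_cctld,
        registrar=(f.get("registrar") or [None])[0],
        abuse_email=(f.get("registrar abuse contact email") or [None])[0],
        redacted_fields=[n for n, v in present.items() if is_redacted(v)],
        missing_fields=[n for n in CONTACT_FIELDS if n not in present],
    )


if __name__ == "__main__":
    for record in (SAMPLE_COM, SAMPLE_DE):
        print(summarize(record))
```

The distinction between redacted and missing fields matters in practice: a redacted registrant field on a gTLD is exactly what an RDRS request can ask a participating registrar to disclose, whereas a ccTLD record with no registrant fields has to be pursued with that registry's own procedure. The registrar abuse contact is left in the summary because it is the one contact that the 2018 redaction did not remove and is usually the fastest route for a compromised-domain cleanup.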

The RDRS portal.

As Catalin Cimpanu writes for Risky Business News, currently investigators can file legal requests or abuse reports with each individual registrar, but the idea behind the RDRS is to create a place where requests from “verified” parties can be honored faster and with a higher degree of trust.

The registrar community generally views public WHOIS data as a nuisance issue for their domain customers and an unwelcome cost-center. Privacy advocates maintain that cybercriminals don’t provide their real information in registration records anyway, and that requiring WHOIS data to be public simply causes domain registrants to be pestered by spammers, scammers and stalkers.

Meanwhile, security experts argue that even in cases where online abusers provide intentionally misleading or false information in WHOIS records, that information is still extremely useful in mapping the extent of their malware, phishing and scamming operations. What’s more, the overwhelming majority of phishing is performed with the help of compromised domains, and the primary method for cleaning up those compromises is using WHOIS data to contact the victim and/or their hosting provider.

Anyone looking for copious examples of both need only to search this Web site for the term “WHOIS,” which yields dozens of stories and investigations that simply would not have been possible without the data available in the global WHOIS records.

KrebsOnSecurity remains doubtful that participating registrars will be any more likely to share WHOIS data with researchers just because the request comes through ICANN. But I look forward to being wrong on this one, and will certainly mention it in my reporting if the RDRS proves useful.

Regardless of whether the RDRS succeeds or fails, there is another European law that takes effect in 2024 which is likely to place additional pressure on registrars to respond to legitimate WHOIS data requests. The new Network and Information Security Directive (NIS2), which EU member states have until October 2024 to implement, requires registrars to keep much more accurate WHOIS records, and to respond within as little as 24 hours to WHOIS data requests tied to everything from phishing, malware and spam to copyright and brand enforcement.
