Kuan0 - Half lawyer, half geek, mostly harmless
<p><b>Age assurance/verification technologies & privacy/data protection</b> - <a href="http://www.blogger.com/profile/00041429221345800464">Kuan</a>, 23 Aug 2023</p>
<p>Key ICO resources and UK info/standards on age checking/assurance & the Children's Code are below.</p>
<p><a name="OpenAt"></a>ICO work to date on children's privacy and age estimation/verification:</p>
<ul style="text-align: left;">
<li><a href="https://www.drcf.org.uk/publications/papers/measurement-of-age-assurance-technologies">Measurement of age assurance technologies</a>, jointly commissioned with Ofcom under the Digital Regulation Cooperation Forum (DRCF), Aug 23 (previous report <a href="https://ico.org.uk/media/about-the-ico/documents/4021822/measurement-of-age-assurance-technologies.pdf">pt.1</a>, Oct 22)</li>
<li>ICO-approved certifications under UK GDPR in 2021 include (<a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/">news release</a>)
<ul>
<li>Age Check Certification Scheme (ACCS) <a href="https://ico.org.uk/for-organisations/advice-and-services/certification-schemes/certification-scheme-register/age-check-certification-scheme-accs/">testing age assurance products work</a> (tech requirements <a href="https://ico.org.uk/media/for-organisations/documents/2620426/accs-2-2021-technical-requirements-aadc.pdf">ACCS 2:2021</a>)</li>
<li>Age Appropriate Design Certification Scheme (AADCS) <a href="https://ico.org.uk/for-organisations/advice-and-services/certification-schemes/certification-scheme-register/age-appropriate-design-certification-scheme-aadcs/">criteria for age appropriate design of information society services</a> (tech requirements <a href="https://ico.org.uk/media/for-organisations/documents/2620427/accs-3-2021-technical-requirements-aadc.pdf">ACCS 3:2021</a>)</li>
<li>(I mention this first as many people don't seem to know about them)</li>
</ul>
</li>
<li><a href="https://ico.org.uk/media/about-the-ico/documents/childrens-code/4025494/childrens-code-evaluation-report.pdf">Evaluation report</a> on Children's Code & <a href="https://ico.org.uk/media/about-the-ico/documents/childrens-code/4025495/childrens-code-summary-document.pdf">summary</a>, Mar 23</li>
<li><a href="https://ico.org.uk/media/about-the-ico/consultations/4023900/20230203-response-to-aa-cfe-and-roundtables-v1_1.pdf">Response to the Call for Evidence and roundtables on age assurance</a>, Feb 23</li>
<li><a href="https://ico.org.uk/media/about-the-ico/documents/4018659/age-assurance-opinion-202110.pdf">Age assurance opinion</a>, Oct 21</li>
<li>Seers <a href="https://ico.org.uk/media/for-organisations/documents/4018590/seers-regulatory-sandbox-final-report-final.pdf">Child Privacy Consent Management Platform (CPCMP) sandbox report</a>, Oct 21</li>
<li>Yubo <a href="https://ico.org.uk/media/action-weve-taken/audits-and-advisory-visits/4023906/yubo-exec-summary-20230210.pdf">Age Appropriate Design Code Audit Report</a>, Oct 22</li>
<li>Yoti <a href="https://ico.org.uk/media/for-organisations/documents/4020427/yoti-sandbox-exit_report_20220522.pdf">age estimation tech for younger children sandbox report</a>, Apr 22 & its <a href="https://ico.org.uk/media/action-weve-taken/audits-and-advisory-visits/4019830/age-appropriate-design-code-yoti-app-audit-report-executive-summary-v1_0.pdf">AADC audit</a>, Dec 21</li>
<li><a href="https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf">Age-Appropriate Design Code</a> itself</li>
</ul>
<p>Also relevant:</p>
<ul style="text-align: left;">
<li>UK's 2022 <a href="https://www.gov.uk/government/publications/age-verification-technology-in-alcohol-sales-regulatory-sandbox">trials of age verification technology in alcohol sales</a> - interestingly, several using Yoti's age estimation tech - mostly facial, some ID documents, one biometric finger vein</li>
<li><a href="https://knowledge.bsigroup.com/products/online-age-checking-provision-and-use-of-online-age-check-services-code-of-practice/standard">PAS 1296:2018 Online age checking. Provision and use of online age check services Code of Practice</a> and tech requirements <a href="https://www.accscheme.com/media/ppqeviaz/accs-4-2020-technical-requirements-for-age-check-systems.pdf">ACCS 4:2020</a> for checks based on that</li>
<li><a href="https://5rightsfoundation.com/static/ieee-2089-2021.pdf">IEEE Standard for an Age Appropriate Digital Services Framework Based on the 5Rights Principles for Children</a>, Nov 21</li>
</ul>
<p><b>Windows: try local LLMs easily</b> - <a href="http://www.blogger.com/profile/00041429221345800464">Kuan</a>, 23 Jul 2023</p>
<p>1. Download koboldcpp.exe from <a href="https://github.com/LostRuins/koboldcpp/releases">https://github.com/LostRuins/koboldcpp/releases</a> (I picked the latest version)</p>
<p>2. Download the GGML BIN file for the model(s) you want to use - you can get Llama2 models from <a href="https://huggingface.co/TheBloke/Llama-2-7B-Chat-GGML">https://huggingface.co/TheBloke/Llama-2-7B-Chat-GGML</a> - check which large language models/LLMs are compatible with Kobold, then go to the Files tab to find and download the one(s) you want.</p>
<p>3. For command line avoiders, just double-click koboldcpp.exe. A command line interface window and a GUI window open up.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgWiASugj39Fs8z4h0XGsqbcndF4ufP4wIAv1b4tPQFWPoReEgPG3yEPD6mB5PCWylyUe2MOhUVpmeI95BXaI_QoJuKA2fHmx_MChXONg22Itg9qzr-g0l78R9FLee9hOduw0FNLvGAAFDyBTaYgSBrRD4ljKzVRhG5f7h_WqFBwzYFC39BTq26x7QBUO8" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="658" data-original-width="652" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEgWiASugj39Fs8z4h0XGsqbcndF4ufP4wIAv1b4tPQFWPoReEgPG3yEPD6mB5PCWylyUe2MOhUVpmeI95BXaI_QoJuKA2fHmx_MChXONg22Itg9qzr-g0l78R9FLee9hOduw0FNLvGAAFDyBTaYgSBrRD4ljKzVRhG5f7h_WqFBwzYFC39BTq26x7QBUO8" width="238" /></a></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhD1yrDk4F0v8M9g5LBYlzUrfuzOeYXr2XB6KxsHiyiOYosCsDlXyZZDxzQtcZCCGm8ITUTBy4tWBFqGFZgXZpEsAs1WAxzrTprvapwHCRZZRRlUL0rOB5x5VjkLzNHYb1n4oqiXE3QVFmwdaF2JYgLEHoBmkagZM0B3jI0NHyFVxKX81T_tzvBUc0oRRw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="185" data-original-width="609" height="97" src="https://blogger.googleusercontent.com/img/a/AVvXsEhD1yrDk4F0v8M9g5LBYlzUrfuzOeYXr2XB6KxsHiyiOYosCsDlXyZZDxzQtcZCCGm8ITUTBy4tWBFqGFZgXZpEsAs1WAxzrTprvapwHCRZZRRlUL0rOB5x5VjkLzNHYb1n4oqiXE3QVFmwdaF2JYgLEHoBmkagZM0B3jI0NHyFVxKX81T_tzvBUc0oRRw" width="320" /></a></div>
<p>4. In the GUI window click Model, Browse, select one of the downloaded GGML BIN files, then click Launch.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEip0ctpb0eHwSEej8mj1V4CAjNGIn0Ka1XeGaxn04uo28uTNXSxFUPhq3_7Nhoh2_lUhKslARvr4x8xxxRDkkHAPfyRktZNL_GvBlHMt66lOdd2q4psvfntzEKsWJGKI8myJVmGVxVLvj-epO-YadginmSoHS6KCuFs5BUGdPIP6B1KmCY5MPNRKxnZQMQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="658" data-original-width="652" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEip0ctpb0eHwSEej8mj1V4CAjNGIn0Ka1XeGaxn04uo28uTNXSxFUPhq3_7Nhoh2_lUhKslARvr4x8xxxRDkkHAPfyRktZNL_GvBlHMt66lOdd2q4psvfntzEKsWJGKI8myJVmGVxVLvj-epO-YadginmSoHS6KCuFs5BUGdPIP6B1KmCY5MPNRKxnZQMQ" width="238" /></a></div>
<div class="separator" style="clear: both; text-align: left;">5. In your default browser a new tab should open; if not, just open a tab yourself and go to http://localhost:5001/ and prompt away!</div>
<div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj7deV4hGwxsZt6Fzg_kc1fg5w_2hVONSSlaYkjyKQe24xamAzc3CX0x3yyrtn25r5K7wkZ-oMeYxSRj8tDQvji7SOqnYQ6SF4xVbO8u4rEwJaJXHsOzbgFC3k2ERw2_Gaei4xZ10vcmfc7-0Z8ZUs4jbCdUQDtFhGc-ZmF35CLbu3AAZfwIstemb3yRnY" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="838" data-original-width="1235" height="271" src="https://blogger.googleusercontent.com/img/a/AVvXsEj7deV4hGwxsZt6Fzg_kc1fg5w_2hVONSSlaYkjyKQe24xamAzc3CX0x3yyrtn25r5K7wkZ-oMeYxSRj8tDQvji7SOqnYQ6SF4xVbO8u4rEwJaJXHsOzbgFC3k2ERw2_Gaei4xZ10vcmfc7-0Z8ZUs4jbCdUQDtFhGc-ZmF35CLbu3AAZfwIstemb3yRnY=w400-h271" width="400" /></a></div><br /><p style="clear: both; text-align: left;">6. The command line window stays open, with info on the input prompts, output, processing time etc. Just close it and the browser tab when done. 
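</p>
<p>Before the note that everything stays on your machine, here is an added example of my own (not from the original post or the koboldcpp project) with two PowerShell checks a careful user can run: that the GGML file downloaded in step 2 matches the SHA256 that Hugging Face shows for it on the Files tab, and, after Launch, which address port 5001 is bound to, since prompts only stay on your PC if the web UI listens on loopback rather than on every interface. The model path and expected hash in the script are placeholders.</p>

```powershell
# Added example (not from the original post or the koboldcpp project): two
# checks around steps 2 and 5. $ModelPath and $ExpectedSha256 are placeholders
# to replace with your own file and the SHA256 Hugging Face shows for it.
param(
    [string]$ModelPath      = 'C:\models\llama-2-7b-chat.ggmlv3.q4_0.bin',  # hypothetical path
    [string]$ExpectedSha256 = 'PASTE_SHA256_FROM_HUGGING_FACE_FILES_TAB',    # placeholder
    [int]$Port              = 5001                                           # web UI port from step 5
)

# Check 1 - integrity of the downloaded model. On the Hugging Face Files tab,
# clicking a file shows its SHA256; compare it with what is actually on disk
# so a corrupted or tampered download is caught before it is loaded.
function Test-ModelHash {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Model file not found: $Path"
        return $false
    }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ieq $Expected) {
        Write-Host "OK: $Path matches the published SHA256 ($actual)"
        return $true
    }
    Write-Warning "MISMATCH: expected $Expected but got $actual - do not load this file"
    return $false
}

# Check 2 - exposure of the web UI. "Data stays local" only holds if the port
# is bound to a loopback address. A listener on 0.0.0.0 / :: (or a LAN address)
# means other machines on the same network can reach the prompt UI too.
function Get-LlmListenerExposure {
    param([int]$Port)
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Host "Nothing is listening on port $Port yet - launch koboldcpp first (step 4)"
        return @()
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $loopbackOnly = $l.LocalAddress -in @('127.0.0.1', '::1')
        if ($loopbackOnly) {
            Write-Host "OK: port $Port bound to $($l.LocalAddress) by $name - reachable only from this PC"
        } else {
            Write-Warning "Port $Port bound to $($l.LocalAddress) by $name - reachable from your network, not just this PC"
        }
        [pscustomobject]@{
            Port         = $Port
            LocalAddress = $l.LocalAddress
            Process      = $name
            LoopbackOnly = $loopbackOnly
        }
    }
}

Test-ModelHash -Path $ModelPath -Expected $ExpectedSha256 | Out-Null
Get-LlmListenerExposure -Port $Port | Format-Table -AutoSize
```

Run the script once before Launch (only the hash check fires) and once after the browser tab opens (the listener check then reports the bound address).
<p style="clear: both; text-align: left;">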
All data stays local to your computer, inputs and outputs etc.</p><p style="clear: both; text-align: left;">NB: you need a lot of RAM, especially for the bigger models.</p><p style="clear: both; text-align: left;">Thanks to Autumn Skerritt's <a href="https://skerritt.blog/run-your-own-llm">helpful blog</a> (which also covers <b>Mac & Linux</b> and has other useful info) - I just added info on the GUI and other possible downloadable models I found.</p></div>
<p><b>Data Protection & Digital Information (No.2) Bill - key changes from 2022 Bill No.1; GDPR comparisons</b> - <a href="http://www.blogger.com/profile/00041429221345800464">Kuan</a>, 13 Mar 2023</p>
<p style="font-family: arial;"><span style="font-family: arial;">The UK <a href="https://bills.parliament.uk/bills/3430/">Data Protection & Digital Information (No.2) Bill</a>'s key changes from the <a href="https://bills.parliament.uk/bills/3322/">2022 Bill</a>, compared with the <a href="https://www.gdprinfo.info/">EU GDPR</a>, are summarised in the table below.</span></p><p style="font-family: arial;"><span style="font-family: arial;">After the table are some "But why didn't they do that?" questions, and "Will compliance with the EU GDPR really comply with the new Bill?"</span></p><h3 style="font-family: arial;">Table of Key Changes</h3><div style="font-family: arial;"><ul style="text-align: left;"><li>Only <u>changes from the 2022 version</u> are covered, and only those relating to <u>GDPR</u> (<u>not</u> law enforcement or intelligence services or the DVS trust framework).</li><li>Clarifications/typos/minor corrections and other minor textual changes are <u>not</u> covered.</li><li>The table below is also <u>not</u> a full comparison of the entire Bill against the EU GDPR.</li></ul></div>
<p style="font-family: arial;"><b><i>Abbreviations</i></b></p>
<table style="font-family: arial; font-size: 0.8em; width: 100%;">
<tbody><tr>
<td style="text-align: center; vertical-align: top;"><b>ADM</b><br />automated<br />decision-making</td>
<td style="text-align: center; vertical-align: top;"><b>C</b><br />controller</td>
<td style="text-align: center; vertical-align: top;"><b>ICO</b><br />UK Information<br />Commissioner's Office</td>
<td style="text-align: center; vertical-align: top;"><b>P</b><br />processor</td>
<td style="text-align: center; vertical-align: top;"><b>PD</b><br />personal data</td>
<td style="text-align: center; vertical-align: top;"><b>S</b><br />UK Secretary of State</td>
<td style="text-align: center; vertical-align: top;"><b>SRI</b><br />senior responsible individual</td>
</tr>
</tbody></table>
<br />
<table style="border-collapse: collapse; border: 1px solid black; font-family: arial; font-size: 0.8em; padding: 5px; width: 100%;">
<tbody><tr>
<th style="border-collapse: collapse; border: 1px solid black; width: 10%;"><span style="font-family: arial;">Issue</span></th>
<th style="border-collapse: collapse; border: 1px solid black; width: 25%;"><span style="font-family: arial;">Cf 2022 version</span></th>
<th style="border-collapse: collapse; border: 1px solid black;"><span style="font-family: arial;">Cf EU GDPR</span></th>
<th style="border-collapse: collapse; border: 1px solid black;"><span style="font-family: arial;">Comments/Queries</span></th>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;"><span style="font-family: arial; vertical-align: top;">Personal data</span></td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;"><span style="font-family: arial; vertical-align: top;">Tighter, as this specifically calls out the role of <u>access protection</u> measures. <br />It’s PD if C/P knows/ought reasonably to know another person obtains/is likely to obtain info as a result of C/P processing and the individual is identifiable/likely to be identifiable by that person at the time of processing, (added) <u>including</u> if an unauthorised person obtains info due to the C/P <u>not implementing appropriate measures</u> to mitigate the risk of their <u>obtaining</u> the info.<br /></span></td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;"><span style="font-family: arial;">Clarifies: identifiability is assessed at the <u>time of processing</u> by C/P.<br /><br />Focuses on whether info is PD <u>in the hands of</u> whoever processes it (similar to the position under <a href="https://www.legislation.gov.uk/ukpga/1998/29/contents">DPA 1998</a>).</span></td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;"><span style="font-family: arial;"><u>Time of processing</u> - time of whose processing, processing by C, P, either, the other person?<br /><br />If an individual is identifiable to <u>C but not P, or vice versa</u>, does that make them identifiable to both?<br /><br />Why not also mention measures to mitigate the risk of unauthorised persons <u>identifying</u> individuals (e.g. strong encryption), vs. their obtaining the info? Surely such measures are equally important: focus on either/or, not just “obtaining”?</span></td>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Legitimate interests</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;"><span style="font-family: arial;">New Art.6(9) gives examples of types of processing that may be necessary for LI: <br />- Necessary for direct marketing (defined in both versions as <u>communication (by whatever means) of advertising or marketing material which is directed</u> to particular individuals, and now also to be inserted into Art.4(1)(15A) UK GDPR), <br />- Intragroup transmission necessary for internal admin, or <br />- Necessary for security of network and info systems</span></td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Much has been made of this. But actually it’s just based on GDPR Recs.<a href="https://www.gdprinfo.info/#r47">47</a> last sentence, <a href="https://www.gdprinfo.info/#r48">48</a> & <a href="https://www.gdprinfo.info/#r49">49</a>, putting them into the operative text. Just without the “strictly necessary”, which in my view is very tight particularly in relation to ensuring security.<br /><br />However, "direct marketing" is defined more broadly than in say the European Commission and Council's approach in the <a href="https://data.consilium.europa.eu/doc/document/ST-7458-2022-INIT/x/pdf#page=29">draft ePrivacy Regulation</a> - could it include <u>targeted advertising</u> on websites or mobile apps here? </td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Pity that necessity for preventing <u>fraud</u> <a href="https://www.gdprinfo.info/#r47">Rec.47</a> wasn’t included, or necessity for the <u>security of PD</u> (not just systems).<br /><br />The scope of "direct marketing" would benefit from clarification, e.g. is "sent" intended or is displaying personalised ads on web/mobile enough to be "direct marketing"?<br /><br /><br /></td>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Scientific research</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;"><span style="font-family: arial;">Clarified:<br />- Even commercial activity can be scientific research<br />- But activities only qualify if they can be “reasonably described as scientific”</span></td>
<td style="border-collapse: collapse; border: 1px solid black;">GDPR doesn’t define scientific research. The Bill just provides helpful clarifications, e.g. drawing on <a href="https://www.gdprinfo.info/#r159">Rec.159</a> (GDPR doesn’t explicitly exclude commercial research and Art.89 of course requires safeguards there, which the Bill is changing).</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Processing PD for studies in the area of public health is “scientific” only if conducted in the “public interest” – clarify “public interest” here? But generally that phrase isn’t defined anywhere… and see queries after this table.</td>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Statistical purposes</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Includes processing for statistical surveys or production of statistical results resulting in aggregate non-personal data, but (added) only if controller doesn’t use personal data processed or resulting information to support measures/ decisions regarding a particular data subject to whom the personal data relates</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Just clarifications, reflecting <a href="https://www.gdprinfo.info/#r162">Rec.162</a></td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">-</td>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">ADM</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Art.22A(2) no longer states that decisions include profiling. I consider this to now reflect the <u>correct</u> interpretation, rather than a relaxation - see the next cell. <br /><br />Instead, when considering whether there's meaningful human involvement, the <u>extent to which the decision was reached by profiling</u> must be considered among other things. That's one way to interpret the profiling reference in Art.22 and it makes some sense.<br /><br />S may make <u>regulations</u> stipulating that certain cases do, or don't, have meaningful human involvement.</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Clarifies the debated issue of whether Art.22 only gives rights to data subjects to object to ADM, or positively prohibits ADM.<br /><br />Clarifies that decisions “based solely on automated processing” are those with “<u>no meaningful human involvement</u>”.<br /><br />Clarifies role of <u>profiling</u>, in the debate on whether Art.22 catches profiling <i>per se</i>, or <u>only</u> profiling that leads to ADM (I believe the latter). So, Art.22A(2) now reflects what I feel is the correct interpretation.<br /><br /></td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">A positive prohibition usefully clarifies the position. Similarly with the meaning of automated decisions. <br /><br />Data subjects aren't deprived of rights regarding ADM, because the new Art.22C safeguards must enable data subjects to obtain human intervention and to contest decisions, and individuals can no doubt claim compensation for breach of this explicit prohibition. <br /><br />However, it's unclear why Sch.4 will omit <a href="https://www.legislation.gov.uk/ukpga/2018/12/section/14">s.14 DPA2018</a> altogether. Removing the notification requirement may reduce burdens on Cs, but retaining a positive obligation on Cs to <u>consider</u> requests to reconsider decisions could further help to show that data subjects <u>do </u>retain their ADM rights. Perhaps S regulations are intended to address this and other ADM-related issues?<br /></td>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">ROPAs (records of processing activities)</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Needed only for processing which, taking into account its nature, scope, context and purposes, is <u>likely to result in a high risk</u> to the rights and freedoms of individuals - <u>instead of</u> the 2022 exemption for &lt;250 employees unless likely to result in high risk<br /><br />C records need only include <u>categories</u> of person with whom C shares PD, rather than named persons. However, "recipients" there has been changed to "<u>persons</u>" in third countries/international organisations.<br /><br />Amends Art.57(1)(k) to require the ICO to produce and publish a document containing examples of types of processing which it considers are <u>likely to result in a high risk</u> to the rights and freedoms of individuals (for the purposes of Articles 27A, 30A and 35) - i.e., <u>senior responsible individual</u>, <u>ROPAs</u> and <u>assessment of high-risk processing.</u> This helps ensure a consistent view of what is considered "high-risk" across these different areas.</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Required for all Cs and Ps with <u>exemption</u> for &lt;250 employees unless processing is likely to result in <u>a risk</u> to rights and freedoms of data subjects, is <u>not occasional</u>, or includes <u>special category or criminal-related data.</u><br /><br />Changing "recipients" to "persons" actually goes <u>broader than GDPR,</u> as under GDPR <a href="https://www.gdprinfo.info/#a4.9">Art.4(9)</a> certain public authorities (again it's not entirely clear which) <u>aren't</u> considered "recipients", so this should be positive for UK adequacy as any sharing with public authorities must definitely be recorded.</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;"><span style="font-family: arial;">Arguably, catching C/Ps even with &lt;250 employees for high-risk processing would catch non-occasional processing of special category or criminal-related data. <br /><br />While it's "high-risk" vs. "<u>a</u> risk", the latter catches most C/Ps; some might say it's too strict given realistic risks, especially under EDPB's <a href="https://ec.europa.eu/newsroom/article29/redirection/document/51422">broad interpretation</a> of <a href="https://edpb.europa.eu/our-work-tools/our-documents/guidelines/position-paper-derogations-obligation-maintain-records_en">Art.30.5</a>'s "or". So the Bill is less strict than GDPR, but hopefully that's not significant enough to prejudice UK adequacy.<br /><br />It's odd that the "categories" issue relates to C records (Cs will surely know those they share PD with), rather than DSARs/privacy notices - could the change have been intended for the latter, but inadvertently got inserted here instead?<br /></span></td>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">DPIAs (assessment of high-risk processing)</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Deleted ICO's Art.35(4)-(5) obligation to publish list of operations requiring DPIA and power to publish list of operations <u>not</u> requiring assessment.<br /><br />But, see above on the amended Art.57(1)(k) which effectively does the same thing, <u>except</u> that there's no longer power to publish lists of operations <u>not</u> requiring assessment.</td><td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">No explicit requirement to consult DPO. However, arguably this is implicit in new Art.27B(2)(c), informing/advising of data protection obligations.<br /><br />No <a href="https://www.gdprinfo.info/#a35.3">Art.35(3)</a> criteria deeming certain types of processing always to be high risk (ADM, large-scale processing of special category/criminal-related data and large-scale systematic monitoring of publicly accessible areas!)<br /><br />The related <a href="https://www.gdprinfo.info/#a36">Art.36</a> makes <u>prior consultation</u> with ICO optional, but see <a href="https://www.linkedin.com/posts/wkhon_gdpr-uk-reform-activity-7039996727331811328-NZRT">LinkedIn discussion in comments</a> on whether this makes much difference in practice.<br /><br /></td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">The legislative aim to require assessments for high-risk processing remains, in substance. <br /><br />I suspect the ICO's list of high-risk processing will include the Art.35(3) types! In which case, little difference in practice, but more flexibility.<br /><br />Oddly, there's no explicit power for the ICO to publish lists of activities that are <u>not</u> considered to require assessment as high-risk.<br /><br /></td></tr><tr><td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Senior responsible individual</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">To be designated by public bodies, or where processing is likely to be high-risk; but note the amended Art.57(1)(k) regarding an <u>ICO list </u>to be published of what's high-risk processing for this purpose. <br /><br />(The ICO's "high-risk" lists could theoretically be different for SRI, high-risk assessment and ROPA purposes, but they may not be - consistency will be helpful here.)</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">No more <a href="https://www.gdprinfo.info/#a37.1">Art.37(1)</a>(b)-(c) criteria deeming certain types of processing <u>always</u> to require a DPO (core activities involving large-scale regular and systematic monitoring, or processing special category/criminal-related data). <br /><br />The individual must be part of the organisation’s <u>senior management</u>, which arguably goes beyond GDPR. Allowing job-sharing here is enlightened. SRI details must be notified to the ICO.<br /><br />However, there's no longer any "sharing" allowed of the SRI across different public authorities or a related group. </td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Given the SRI must be designated in high-risk processing situations, and issues like resourcing and conflicts are clearly covered, is there much difference in practice?<br /><br />Again, I suspect the ICO's list of high-risk processing here will include the Art.37(1)(a) and (b) types! In which case, again, little difference in practice, but more flexibility.<br /><br />No SRI sharing could cause practical problems given the difficulties with recruiting people with data protection expertise!<br /><br />"Outsourcing" of SRI functions might perhaps still be possible as the SRI can alternatively "secure" that certain tasks are performed by another, taking into account expertise etc. Probably SRIs without sufficient privacy expertise (yet!) will have to secure another person (which doesn't seem limited to internal staff) to perform at least some tasks.</td>
</tr>
<tr>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Transfers (data exports)</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">New transitional provisions to "grandfather" valid transfer mechanisms in place before the relevant Bill provisions take effect.</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Comparing the transfers provisions generally, e.g. "not materially lower" vs "essentially equivalent", merits a note in itself, and will not be discussed here!</td>
<td style="border-collapse: collapse; border: 1px solid black; vertical-align: top;">Not discussed here. And it will be up to the European Commission to assess the extent to which these and other changes may affect UK adequacy!</td>
</tr>
</tbody></table>
<h3 style="font-family: arial; text-align: left;"><br /></h3><h3 style="font-family: arial; text-align: left;">But why didn't they do that?</h3><p style="font-family: arial;">While the following are points where the 2022 and 2023 versions of the Bill <u>don't</u> differ, some queries spring to mind:</p><p style="font-family: arial;"></p><ol style="text-align: left;"><li style="font-family: arial;"><b>Research processing of special category/criminal-related data</b> - under <a href="https://www.legislation.gov.uk/ukpga/2018/12/schedule/1">DPA2018 Sch.1</a> para.4, such processing is permitted if it's necessary for archiving purposes, <u>scientific</u> or historical research purposes or statistical purposes, is carried out in accordance with Article 89(1) [to be the new Art.84B i.e. safeguards], <u>and</u> is in the public interest. Here, the UK went <u>beyond</u> GDPR, because the "public interest" requirement doesn't appear in <a href="https://www.gdprinfo.info/#a9.2.j">Art.9(2)(j)</a>. National law permitting such processing just has to be "proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject". Presumably it's a UK policy decision to require the "public interest" condition in addition? 
If so, giving examples or defining "public interest" here would be helpful as it's such a vague and broad term.<br /><br /></li><li><b style="font-family: arial;">AI bias and anti-discrimination </b><span style="font-family: arial;">- the </span><a href="https://www.gov.uk/government/news/new-data-laws-to-boost-british-business-protect-consumers-and-seize-the-benefits-of-brexit" style="font-family: arial;">June 2022 consultation response</a><span style="font-family: arial;"> intended to expand the <a href="https://www.legislation.gov.uk/ukpga/2018/12/schedule/1">DPA2018 sch.1</a> para.8 exemption, allowing processing of special category data and criminal offence-related data for equality of opportunity or treatment, to permit bias monitoring, detection and correction in AI systems. Surely this is a laudable aim that no one should object to, so it's not clear why this update didn't make it into the Bill?</span><br /><br /></li><li style="font-family: arial;"><b>PECR/cookies</b></li><ol style="font-family: arial;"><li><i>Security</i> - the Bill will allow storage/access to ensure security of the terminal equipment, but why not <u>security of networks/data more broadly</u> given the critical importance of security generally?</li><li><i>Analytics</i> - the Bill would allow first party analytics, but it seems not the use of a third party analytics service, as sharing with third parties is allowed only to enable them to "assist with making improvements to the service or website" - why not also to enable them to assist with <u>collecting</u> that information? SMEs in particular won't have technical expertise to install their own on-prem inhouse analytics solutions, so not including "or collecting that information" there may undermine the legislative objective of easing web/mobile analytics for organisations. 
</li></ol></ol><p></p><p style="font-family: arial;">BTW, on DSARs' change from "manifestly unfounded or excessive" to "vexatious or excessive" - the latter phrase has been much discussed (including at regulatory and judicial level), and therefore is well understood in the UK, in the FOI (freedom of information) context. See also the <a href="https://www.linkedin.com/posts/wkhon_gdpr-uk-reform-activity-7039996727331811328-NZRT">discussion on this in LinkedIn, in the comments section</a>. </p><p style="font-family: arial;">Interestingly, the <a href="http://web.archive.org/web/20230308003416/https://www.gov.uk/government/news/british-businesses-to-save-billions-under-new-uk-version-of-gdpr">first version of the press release</a> said "Ministers have co-designed the Bill with key industry and privacy partners - including Which? and TechUK..." but the <a href="https://www.gov.uk/government/news/british-businesses-to-save-billions-under-new-uk-version-of-gdpr">current press release</a> no longer mentions Which?. Input from consumer organisations is obviously important in this context.</p><h3 style="font-family: arial; text-align: left;">Will compliance with the EU GDPR really comply with the new Bill?</h3><p style="font-family: arial;">I spotted one minor example where strictly, it won't.</p><p style="font-family: arial;">Privacy notices will have to include info about the right to complain to the controller, under the Bill. GDPR privacy notices needn't.</p><p style="font-family: arial;">But, as per statements at the IAPP UK Intensive on 8 Mar 23, it's very unlikely that the ICO would fine or enforce against Cs lacking that one line (it'll just say, add that in)! And obviously including that extra info won't cause any issues under the EU GDPR.<br /></p>
<p><b>Key points: EDPB transfers & territorial scope final guidance</b> (Kuan, 24 Feb 2023)</p><p>We now have the final version of the EDPB's <a href="https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052021-interplay-between-application-article-3_en">Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR</a></p><p>1. Generally, it makes useful clarifications to the draft guidance, rather than substantive changes. There are 5 extra examples and a new Annex with diagrams for all examples. New Exec Summary. Maria and George remain the same (not Alice or Bob!), but specific third-country names were removed.</p><p>2. Most clarifications aren’t surprising, e.g. remote viewing/access of/to EEA-hosted personal data from outside the EEA, whether for support/admin etc., is a “transfer”, including by a processor; an EEA platform passing personal data to a non-EEA controller is making a “transfer” (“controller” seems a misnomer if the non-EEA entity isn’t subject to GDPR, but the platform is making a transfer whether it is or isn’t)</p><p>3. Helpful: controller disclosing personal data to EEA-incorporated processor (with non-EEA parent) – <i>not</i> a “transfer”. If the processor discloses to a third-country authority, it does so as <i>independent controller</i>. So controllers must assess circumstances for sufficient guarantees before engaging such processors.</p><p>4. 
Also helpful: </p><p></p><ul style="text-align: left;"><li>when data subjects directly provide personal data to third country controller <i>not</i> subject to GDPR, that’s <i>not</i> a transfer</li><li>when data subjects directly provide personal data to third country controller that IS subject to GDPR under Art.3(2) offering/monitoring (added: “specifically targets the EU market”), that’s <i>not</i> a transfer but the controller must comply with GDPR (practical enforceability against it is a different issue of course)</li><li>when data subjects directly provide personal data to third country processor for third country controller, they don’t make transfers, but the <i>controller</i> “transfers” to the processor</li></ul><p></p><p>5. Note: still not a transfer if EEA company employee travels to third country with laptop or remotely accesses EEA-hosted data – it’s within the same entity. New: if the employee in his capacity as such sends or makes available data to another entity in the third country, then that’s a transfer by the company.</p><p>6. Non-“transfers”:</p><p></p><ul style="text-align: left;"><li>New section on safeguards when processing personal data outside the EEA even if technically there’s no “transfer”. Pay “particular attention” to the third country’s legal framework, as there may still be “increased risks” because “it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in a third country”. These risks must be considered for compliance e.g. 
Art.5 principles, 24 controller responsibility, 32 security, 35 DPIA, 48 transfers not authorised under EU law: “a controller may very well conclude that extensive security measures are needed – or even that it would not be lawful – to conduct or proceed with a specific processing operation in a third country although there is no transfer situation.”</li><li><i>Privacy notices</i> for non-transfers outside EEA!: “when a controller intends to process personal data outside the EU (although no transfer takes place), this information should as a rule be provided to individuals as part of the controller’s transparency obligations, e.g. to ensure compliance with the principle of transparency and fairness, which also requires controllers to inform individuals of the risks in relation to the processing”. Non-binding, strictly…</li></ul><p></p><p>7. Still unaddressed:</p><p></p><ul style="text-align: left;"><li>Not a “transfer” if it’s within the same legal entity, so e.g. an EEA branch of a US corp sending personal data to HQ <i>isn't </i>making a transfer, but an EEA subsidiary sending to its US parent IS. Obviously the EEA branch would be subject to GDPR, with easy enforceability due to its EEA presence.</li><li>Art.3(1) can apply directly to non-EEA “established” entities, e.g. in the Costeja case, but the EDPB focuses mainly on 3(2), mentioning 3(1) only in relation to processors used by EEA-established controllers. Presumably direct provision of personal data by data subjects to Art.3(1) non-EEA controllers would also not be “transfers”, but the controller is caught by GDPR? (practical enforceability…?)</li><li>EEA subprocessor to non-EEA processor – by analogy with processor-to-controller transmissions, this must be a “transfer”, but no SCCs exist to allow this… (workaround – adapt P2C SCCs, hey we tried our best!) 
</li><li>The <a href="https://blog.kuan0.com/2020/07/schrems-ii-data-localization-encryption.html">“conflicting laws” issue applies equally to EEA-established organizations</a> that expand to third countries. Remember SWIFT, where using its own US data center was a “transfer”? Presumably now that use alone is not a “transfer”, but disclosure to third-country entities would be.</li></ul><p></p><p>8. My speculations about possible new options for non-EEA controllers: </p><p></p><ul style="text-align: left;"><li>will some non-EEA controllers just directly collect personal data from EEA data subjects now? They may still be subject to GDPR under Art.3(2) or even 3(1), but practical enforceability…</li><li>will some non-EEA groups set up non-EEA subsidiaries to operate branches in the EEA, that can send data “back” outside the EEA without making “transfers”? Of course, those subsidiaries are subject to GDPR, and their disclosure to non-EEA parents will be “onward transfers” that need SCCs etc, but that might be easier for some…</li></ul><p></p><p>9. Puzzling: most of us share common views on what “made available” involves, but I didn’t follow “embedding a hard drive or submitting a password to a file” – what does that mean, how do they involve “making available” data?</p><p><b>Automated Decision Making (ADM) & GDPR - Flowchart</b> (Kuan, 16 Oct 2022)</p><p>ADM under GDPR - I produced this flowchart after noticing that my Imperial AI MSc students were struggling to parse <a href="https://www.gdprinfo.info/#a22">Art.22</a>. Admittedly it's been termed the worst-drafted of all GDPR provisions, rightly, by someone I used to work with, who knows who she is :) I hope it will be useful, and as always all comments are welcome!</p>
<iframe allow="autoplay" height="480" src="https://drive.google.com/file/d/1T0MqH60n3odFSnMW3ss1IVisSusqwsPB/preview" width="640"></iframe><p><b>UK NIS Regulations: enforcement, & future</b> (Kuan, 9 Jul 2022)</p><p>For both OESs and DSPs the <a href="https://www.legislation.gov.uk/uksi/2018/506">UK NIS Regulations</a> have barely been enforced, but change is coming, including to bring <b>MSPs </b>within scope. (<b>OESs</b> are operators of essential services, basically critical infrastructure service providers, while <b>DSPs</b> are "digital service providers": cloud computing service providers, online marketplaces or online search engines <i>only,</i> <i>not</i> other providers of digital services in the broad sense). </p><p>The <a href="https://www.gov.uk/government/publications/second-post-implementation-review-of-the-network-and-information-systems-regulations-2018/second-post-implementation-review-of-the-network-and-information-systems-regulations-2018#is-the-existing-form-of-government-regulation-still-the-most-appropriate-approach">Second Post-Implementation Review of the Network and Information Systems Regulations 2018</a> (<a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1087719/Second_Post_Implementation_Review_of_the_Network_and_Information_Systems_Regulations_2018.pdf">PDF</a>), 4 July 2022, revealed this and other interesting information:</p><p></p><ol style="text-align: left;"><li><u>NIS incident reporting</u> hasn't actually been happening: “…the system <i>does not appear to be working</i>. 
As of this review, <i>competent authorities have received little-to-no reports</i>, despite other sources of information, such as the Breaches Survey, indicating a prevalence of incidents within the wider economy and society.”<br /><br /></li><li><u>NIS enforcement</u> has been minimal; <i>no NIS fines</i> (penalty notices) have been imposed so far: </li><ol><li>Only <i>2 competent authorities</i> have enforced to date, "which raises the question of "is the enforcement regime appropriate?" But, “NCSC has also been informed of one very successful instance of a competent authority carrying out enforcement, which had very positive outcomes, suggesting that the enforcement regime may be appropriate." </li><ol><li>Note: it's unclear if the UK ICO, which regulates DSPs under the NIS Regulations, was one of those two authorities.</li></ol><li>“…there is evidence from competent authorities to suggest that there are cases where enforcement activities were <i>merited </i>but <i>no action was taken. </i>The use of enforcement tools overall, is <i>much lower than the reported need</i> and so far competent authorities appear to have been <i>less inclined to make use of their regulatory powers</i>." Why, and why not? The reasons are not stated.</li><li>"There is also a reported concern from regulators that the <i>grounds for enforcement</i> (either via enforcement notices or penalty notices) is <i>not clear enough</i>”…</li><li>“NIS competent authorities... 
have additionally reported <i>being very restrictive with their regulatory powers</i>, relying more on regular engagements, inspections, and information notices rather than any binding provisions of the regulations, such as enforcement notices, civil proceedings, or penalty notices.”</li><li>"Of those who felt the enforcement regime wasn't proportionate, 44% gave other reasons including there is no clear link between the fine levied and the actions that operator of essential services took prior to the incident and the fact that fines result in <i>double jeopardy </i>as there is already a cost relating to a cyber breach."</li><ol><li>Note: it's interesting that the double jeopardy cited was not the possibility of fines under both GDPR and NIS, which is the key double jeopardy risk in my view (to be addressed in the EU's <a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2985">NIS 2 Directive</a>). The breach costs point is, of course, also relevant to GDPR fines too, but cited only sometimes (in conjunction with remediation costs) in GDPR supervisory authority decisions.</li></ol><li>The only relevant DSPs who indicated the enforcement regime was <i>not</i> proportionate to the risk of disruption reported feeling that the <i>Regulations were incorrectly applied to DSP organisations</i> in general. (This I agree with, see later below.)<br /></li><li>DCMS will aim to collect annual data from the competent authorities e.g. 
the number of incidents per year, the number of independent audits of the Cyber Assessment Framework, the number of improvement plans as a result of the Cyber Assessment Framework, the number of information notices issued by the competent authorities, the number and nature of enforcement notices issued by competent authorities, and the number of organisations regulated by sector and also the number of SMEs regulated by sector.</li><br /></ol><li><u>NIS Regs' Cyber Assessment Framework</u>: this has allowed experts in competent authorities to review organisations' cyber security arrangements and ensure improvements are made. <i>67 known operators have received improvement plans</i> (including <i>updating legacy systems and software</i> to reduce vulnerabilities), highlighting Regulations' role in improving cyber security. </li><ol><li>Note: the reference was only to "operators". This suggests no DSPs were asked to make any improvements to their cybersecurity under NIS.<br /><br /></li></ol><li><u>NIS Regs generally</u>: effective to drive good cyber security behaviours; "...strong indication that without NIS, cyber security improvements across essential services in the UK would proceed at a much slower pace. ...added benefit of covering a large number of sectors, which is expected to address some of the inconsistencies of managing risks to networks and information systems across sectors...". 
But, areas of improvement remain, thought to be most appropriately tackled through <i>regulatory intervention</i>, to strengthen and future-proof the regulatory framework.</li><ol><li>Other regulations or standards mentioned as drivers for improvements in cyber security included: UK General Data Protection Regulations (GDPR) (13 or 86% of relevant digital service providers, 68 or 78% of operators of essential services); ISO27001 (28% of operators of essential services); Cyber Essentials and Cyber Essentials Plus (11% of operators of essential services); as well as other industry standards (33% of operators of essential services).<br /><br /></li></ol><li><u>Areas needing improvement, and future plans</u>: Then-Minister Lopez's associated <a href="https://questions-statements.parliament.uk/written-statements/detail/2022-07-04/hcws173">statement to Parliament</a> on 4 July noted that recommended changes to the NIS Regs were included in the Department for Digital, Culture, Media & Sport's Jan 2022 consultation, <a href="https://www.gov.uk/government/consultations/proposal-for-legislation-to-improve-the-uks-cyber-resilience/proposal-for-legislation-to-improve-the-uks-cyber-resilience#pillar-i-proposals-to-amend-provisions-relating-to-digital-service-providers">Proposal for legislation to improve the UK’s cyber resilience</a> (summarised in <a href="https://www.linkedin.com/posts/wkhon_data-centre-security-activity-6918571534798204928-Pb6e/">my Linkedin post</a>). The outcome of that consultation is to be published "later this year", i.e. <u>later in 2022</u>. Recent UK political events, including <a href="https://twitter.com/JuliaLopezMP/status/1544673757725343744">her resignation on 6 July</a>, may of course result in delays to the initially-planned timescale. 
The key areas are:<br /><br /></li><ol><li><u>DSP registration and guidance</u>: 54% of responding DSPs stated it was <i>not easy to identify</i> that their organisations are in scope (this deters registration, and ICO won't be aware of their activities to advise them!).</li><ol><li>"Further work is required to ensure that the guidance makes it easy to identify whether firms are in or out of scope of the Regulations and to ensure that organisations that need to be included in the regulations are designated."</li><li>"Registration of digital service providers cannot be left to digital service providers alone... The Government will continue to support the ICO in the work it is already carrying out to identify firms that should be under the Regulations and support them in notifying those organisations of their responsibilities. Both the government and the Information Commissioner, should consider ways to increase awareness of the NIS Regulations with all potential digital service providers." The government should consider <i>options to provide the Information Commissioner with increased information-seeking powers</i> (similar to existing ones available to competent authorities of operators of essential services) to ascertain whether an organisation qualifies as a relevant DSP under the NIS Regulations.<br /><br /></li></ol><li><u>Ensuring the right sectors are caught</u>: <i><b>managed service providers (MSPs)</b></i> are <i>not</i> caught currently, but under the Jan 22 consultation <i>they will be</i>. (For other subsectors discussed e.g. 
<i>BPO, SIEM, analytics & AI</i>, see <a href="https://www.linkedin.com/posts/wkhon_data-centre-security-activity-6918571534798204928-Pb6e/">my Linkedin post</a>, but it seems "While this Post-Implementation Review <i>has not identified any other sectors that need to be included</i> at this time, it has underlined a need for the government to maintain the <i>powers to make such additions in the future</i>.")<br /><br /></li><li><u>Supply chain security</u>: OESs can't monitor supply chains due to <i>lack of supplier cooperation</i> and <i>lack of resources</i>. Action is needed to increase operators’ ability to manage security risks arising from supply chains, particularly suppliers <i>critical</i> to provision of essential services.</li><ol><li>Proposed <i>power to designate critical dependencies</i> to identify, impose duties, and then <i>regulate certain supply chain organisations</i> that present systemic risks to OESs, due to their market concentration, reliance on those services, or other factors.</li><ol><li>Comment: could IaaS/PaaS, perhaps even some SaaS providers, be caught both as DSP and as critical dependency? - highest common denominator of compliance required there. Also, could IaaS/PaaS providers that are critical enough, simply be designated as OESs themselves (legislative rules permitting)?</li></ol><li>DCMS will consider options such as <i>amending guidance</i> to tackle supply chain security concerns, including using <i>standards and certification</i>, such as Cyber Essentials and Cyber Essentials +, to address this issue. 
But cross-government consultation is needed.</li><li>Note: see also the <a href="https://www.gov.uk/government/publications/government-response-on-supply-chain-cyber-security/government-response-to-the-call-for-views-on-supply-chain-cyber-security">Government response to the call for views on supply chain cyber security</a>, Nov 2021.<br /><br /></li></ol><li><u>Capability & capacity of OESs, DSPs, competent authorities</u>: lack of finance/funding or of general resources; this is more variable among authorities, particularly a lack of cyber-regulator-specific training or centralised NIS training (as opposed to GDPR training). Competent authorities also need more resources for effective enforcement. On authorities' resources:</li><ol><li>DCMS will "commit to persuading those departments to ensure that they <i>meet their legal obligations to fund</i> their NIS oversight. For these, plus those regulators that are not central government departments, DCMS aims to ensure that competent authorities are able to <i>recover the costs of regulation from those being regulated</i>, in line with government policy."</li><li>Additional ways to improve resource-efficiency will be considered, e.g. promoting <i>collaboration across authorities and with non-NIS authorities such as banking and financial services regulators</i> (for designation of critical dependencies), exploring existing frameworks like CBEST and TBEST to test assumptions and highlight areas for further development.<br /><br /></li></ol><li><u>Incident reporting</u>: thresholds (in statutory guidance) are too high, and the base criterion for a reportable incident is too narrow (disruption to the service, cf. impact on NIS) to capture the highest-risk incidents. 
To ensure that the right incidents are captured:</li><ol><li>Authorities should review reporting thresholds and lower if necessary.</li><li>OESs and DSPs will be required to report all incidents that have a <i>material impact on the confidentiality, integrity, and availability of NIS </i>[note: the well known CIA triad], <i>and</i> [note: I think "or" is intended here?] that have a potential impact on service continuity.<br /><br /></li></ol><li><u>Enforcement</u>: DCMS needs to conduct work to assess why the enforcement regime is not being utilised where it is merited.<br /><br /></li><li><u>Consistency and more robust oversight</u>: greater consistency in regulatory implementation across sectors is required, alongside creation of performance metrics to better measure the impact and effectiveness of the Regulations.</li><ol><li>DCMS should issue <i>revised and updated guidance</i> to competent authorities, setting out the requirement for a <i>common approach to assessment and performance indicators</i>; explore ways to make such guidance more binding on authorities; and establish a <i>process by which competent authorities report against performance indicators and are held accountable</i> for their performance (indicators could be linked to the delivery of the <a href="https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022">National Cyber Strategy</a> and its performance framework). 
</li></ol></ol></ol><div>Note also the related consultation on <a href="https://www.gov.uk/government/publications/data-storage-and-processing-infrastructure-security-and-resilience-call-for-views/data-storage-and-processing-infrastructure-security-and-resilience-call-for-views">Data storage and processing infrastructure security and resilience - call for views</a> (<a href="https://www.gov.uk/government/news/views-sought-to-boost-the-security-of-uk-data-centres-and-cloud-services">press release</a>), including data centre infrastructure, <i>cloud platform</i> infrastructure and <i>MSP </i>infrastructure, which expires at the end of <i>Sunday 24 July 2022</i>.</div><div><br /></div><div>The next UK NIS Regulations review isn't due for another 5 years.</div><div><br /></div><h3 style="text-align: left;">Comments</h3><div>Below are my personal views only, but they're based on my practical experience of advising clients on the UK NIS Regulations and <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016L1148">EU NIS Directive</a>: both their legal and technical/security teams.</div><div><ul style="text-align: left;"><li><u>Incident reporting</u>:</li><ul><li>"There is a lot of uncertainty around the incident response, and <i>which incidents</i> need to be reported...". In my view, this uncertainty is a contributing factor, and <i>guidance </i>is sorely needed, alongside the planned steps mentioned above regarding lowering reporting thresholds and requiring reporting of incidents materially affecting NIS CIA even if not affecting the service.</li><li>However, there's a risk of a tsunami of reports that regulators may not be able to cope with, if <i>every</i> incident "materially" impacting C, I or A has to be notified. It's important to bear this factor in mind <i>when setting the reporting test/thresholds</i>. 
Again, <i>guidance on "materiality"</i> will be vital.<br /></li></ul><li><u><span id="SaaS">Awareness, scope, DSPs and non-registration</span></u>: I hope the government will take the opportunity, post-Brexit, to reconsider the scope of the NIS Regulations <i>beyond </i>just bringing MSPs into scope. In particular, please consider whether and to what extent <i>SaaS providers</i> should be caught by the NIS Regulations.</li><ul><li>The NIS Regulations were binding from 10 May 2018. Guess what else there was in May 2018? Yep, the GDPR. No surprises then that most organisations focused their resources on GDPR rather than NIS compliance, especially with the huge publicity about GDPR fines and hardly anything being said about NIS.</li><li>It's understandable that IaaS/PaaS providers should be subject to the Regulations as DSPs, because many organisations build their own technology infrastructure or customer-facing services on top of those cloud services. I.e., many organisations create <i>their own SaaS services</i> based on third party IaaS/PaaS services, which do constitute <i>technology infrastructure-type services</i>.</li><li>However, automatically and unthinkingly copying out the <a href="https://csrc.nist.gov/publications/detail/sp/800-145/final">NIST definition of cloud computing</a> is not the right approach here. Applying NIS laws to SaaS is like applying certain laws to "all websites" when they should actually apply to "website hosting platforms/services". SaaS involves the provision of <i>specific applications or services</i> to end users (like a word processing application online, instead of via an application installed on a local computer). Those applications/services can vary hugely in their scope and purpose. The applicability of NIS requirements ought to depend on the <i>specific type</i> of application/service and its importance to the economy or society (e.g. is the service critical to the provision of an OES's essential service?) 
- and not just because of its <i>general nature</i> as SaaS. Currently, <i>all </i>SaaS services are technically caught, whether they're used for bill payments or as a forum for pet lovers to discuss their animals. To me, that doesn't seem to make sense.</li><li>As I've previously <a href="https://web.archive.org/web/20210410195307/https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/offering-cloud-services-online-marketplaces-in-the-uk-nis-representative-registration-and-fines">pointed out</a>, SaaS providers don't always register with the ICO for various reasons.</li><ul><li>Registering puts their heads firmly above the parapet for possible enforcement. Especially as, since Jan 2021, the top £17m tier of fines could be imposed based on serious service outages alone, whereas previously the top tier only applied if the service was important to the economy. If I provided a SaaS service for pet lovers' discussions, which no one could think would harm the economy or society if it went down, I wouldn't want to register and make my service known to the ICO either.</li><li><a href="https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/">Saying</a> that SaaS services are caught "only to the extent that they provide a scalable and elastic pool of resources to the customer" just parrots the definition without providing any useful guidance. <i>All </i>cloud services are, by definition, meant to be scalable and elastic. They're not <i>infinitely</i> scalable or elastic, of course; even IaaS/PaaS services impose practical commercial limits on customers' usage, so SaaS services' lack of infinite scalability/elasticity should be a non-point too. But some SaaS providers do argue they're not caught because their service doesn't enable access to a "scalable" and "flexible" pool of shareable computing resources. 
I have some sympathy here, not because the services really aren't scalable/flexible, but because (as above), given the legislative objective of NIS laws, I feel that it's simply not sensible to try to catch all SaaS services just because they're SaaS, regardless of the exact nature of their services or customers served. Business models are increasingly moving to SaaS, away from software licensing: but there's no legal requirement to have security measures or report vulnerabilities or security issues affecting all software applications regardless of their nature (although many might think that would be sensible). And I've always thought it odd that flexible/scalable services are subject to NIS, when inflexible, non-scalable "classic" hosting platforms are not, even though with the latter their customers are more at risk from availability issues (due to their inflexibility and non-scalability!). Surely it should be the other way round?</li><li>And making all SaaS services register is akin to making all software application manufacturers/distributors register their software. The ICO receives fees from controllers who register for data protection purposes, so there's a benefit to the ICO from that registration. But is the benefit of finding out about all online software applications of whatever type or importance worth the administration and other costs?</li><li>Would introducing a fine for non-registration help? I don't think so, because of the underlying issue I've emphasised regarding the inappropriateness and disproportionality of bringing <i>all </i>SaaS services within scope regardless of their importance to society or the economy (and see later below).</li><li>In my experience, SaaS providers may register if they provide important services to operators. Otherwise, they tend to keep their heads down, and I don't blame them.</li><li>The lack of publicly-reported enforcement of the Regulations is another reason for relative lack of awareness of NIS. 
<br /></li></ul></ul><li><u>Capability and enforcement</u>: </li><ul><li>Certainly as regards DSPs, I've found that many ICO staff aren't familiar with NIS and need NIS training as well as more resources for NIS, e.g. those staffing the helpline number given on the <a href="https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/#dsp-7">ICO's NIS webpage</a>. As flagged above, some DSPs consider the Regulations were incorrectly applied to DSPs in general, and I agree, possibly because of awareness and/or knowledge issues.</li><li>The reluctance of many SaaS providers to register, never mind report incidents, is fuelled by the factors I've outlined above, and fear of being subject to the maximum possible fine even though their service may be of minor importance to society or the economy. If they have to bear the costs of ICO investigations too, as is planned, that may drive even more SaaS providers to decide not to register. </li><li>The bigger risks for non-registering DSPs are monetary penalties for not reporting incidents when they should have, and/or not having the appropriate security measures in place. If they haven't registered and haven't notified incidents, that of course reduces those risks, because the ICO won't know about them! The main risk then is if they report a personal data breach under GDPR and the ICO says, "Aha! We will fine you under NIS too, because you should have reported the incident under NIS!". But this depends on the ICO's NIS and GDPR enforcement divisions being sufficiently joined up and also trained up (again, the skills/knowledge issue flagged earlier).<br /></li></ul><li><u>Summary</u>: personally, I would recommend:</li><ul><li>Reconsidering the <i>extent to which SaaS providers should be in scope</i> under NIS, if at all. 
For example, consider introducing specific thresholds or criteria for SaaS providers to be in scope. (Obviously if they are critical suppliers to OESs, or OESs themselves, they should be caught under those proposed changes and be exposed to possible designation as OESs, but that's a separate matter.)</li><li>Reconsidering the extent to which SaaS providers should be subject to the different tiers of <i>NIS monetary penalties or other enforcement</i>, if at all (with the same caveat). Again, consider if different types/tiers of fines or other enforcement should be applicable to SaaS providers or indeed DSPs that aren't OESs or critical suppliers.</li><li>These would help save the ICO's resources too, so they can be directed towards IaaS/PaaS and truly important SaaS providers.</li><li>If less radical changes are to be made, provide <i>much clearer guidance</i> on if/when SaaS providers will be caught by the Regulations and therefore need to register with the ICO.</li><li><i>Making publicly available</i> the annual data DCMS aims to collect from regulators, particularly enforcement information and levels of fines imposed. This would help to raise awareness and incentivise compliance.</li><li>Requiring the ICO and other regulators to <i>publish the full text of their NIS enforcement and monetary penalty etc. notices</i>, but redacted as necessary (including as to OES/DSP names), ideally also listing and linking to them on a centrally-maintained webpage of NIS enforcement action. That would also help raise awareness and incentivise compliance.</li></ul></ul></div><div><br /></div><p></p>Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-49054299976408755732022-06-25T11:45:00.010+01:002022-06-25T11:57:46.413+01:00"Old fingers": digital exclusion, accessibility<div>Song with a serious message: tablets, smartphones & other touchscreens have built-in accessibility & usability issues. 
This is a real problem as we'll all get old eventually (& it's not just the elderly who may suffer from "zombie fingers"): see <a href="https://www.noisolation.com/research/digital-exclusion-report">research</a>; some user <a href="https://www.consumerreports.org/cro/news/2015/06/zombie-finger-and-touchscreens/index.htm">solutions</a> are possible, but designing for lower skin conductivity would be ideal.</div><div><br /></div><div>The lyrics below are original to me, but I don't provide any video of them being sung or indeed any backing music, to avoid any copyright issues (despite the parody exception). <a href="https://www.youtube.com/watch?v=5JG-J1ZTGgw">This seems to be the official YouTube video</a>, so James Bond/Shirley Bassey fans please feel free to sing along!</div><div><br /><div style="text-align: center;"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/5JG-J1ZTGgw" title="YouTube video player" width="560"></iframe></div>
</div><div><br /></div>Old fingers
<br />Touchscreens weren’t designed for skin that’s dry
<br />I want to cry!
<br />Why?! my old fingers
<br />Can’t control the same touchscreen anymore
<br />Like once before?
<br />And I press and I swipe all in vain
<br />And I curse and I try it again
<br />But a thousand times, won’t make a difference
<br />It’s their **** design, conceived for
<br />Young fingers
<br />Supple skin, conducting the signals in
<br />With no chagrin
<br />You can press, you can swipe all in vain
<br />You can curse and just try it again
<br />Try a thousand times, won’t make a difference
<br />It’s their **** design that beats my
<br />Old fingers
<br />Gaming gloves, or wet them, is what I’m told
<br />Too bad you’re old
<br />Can’t stop getting old
<br />Getting old
<br />We’ll be old
<br />Who cares ‘bout the old
<br />You'll be old
<br />Just be old!Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-31066338742943196122022-06-17T13:27:00.030+01:002022-06-20T09:55:46.224+01:00UK data protection reform post-Brexit: key points summary<p>The UK government’s <a href="https://www.gov.uk/government/news/new-data-laws-to-boost-british-business-protect-consumers-and-seize-the-benefits-of-brexit">response to its data protection reform consultation</a> is out (<a href="https://www.gov.uk/government/news/new-data-laws-to-boost-british-business-protect-consumers-and-seize-the-benefits-of-brexit">press release</a> 17 June 2022).</p><p>Certain proposals will proceed under the Data Reform Bill announced in the <a href="https://www.gov.uk/government/speeches/queens-speech-2022">10 May 2022 Queen’s Speech</a> (<a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1074113/Lobby_Pack_10_May_2022.pdf#page=57">more info</a>). Others won’t, while still others are to be considered further. The devil’s always in the detail, of course, so when the Bill’s text is available the proposed changes will be clearer – it's still unknown exactly when it’s to be published (updated: TechUK <a href="https://www.techuk.org/resource/plans-to-reform-the-uk-s-data-protection-regime-represent-an-important-evolution-for-the-uk-gdpr.html">says</a> the Bill will be laid "<u>this summer</u> to undergo several rounds of amendments before it is formally passed into legislation". 
So, presumably June/July before the August summer holidays).</p><p>Some highlights below.</p><h4 id="anon" style="text-align: left;">Anonymisation </h4><p></p><ol style="text-align: left;"><li>To use the <a href="https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1#page=18">Convention 108+</a> test, para 19: “Data is to be considered as anonymous only as long as it is impossible to re-identify the data subject or if such re-identification would require unreasonable time, effort or resources, taking into consideration the available technology at the time of the processing and technological developments. Data that appears to be anonymous because it is not accompanied by any obvious identifying element may, nevertheless in particular cases (not requiring unreasonable time, effort or resources), permit the identification of an individual. This is the case, for example, where it is possible for the controller or any person to identify the individual through the combination of different types of data, such as physical, physiological, genetic, economic, or social data (combination of data on the age, sex, occupation, geolocation, family status, etc.). Where this is the case, the data may not be considered anonymous and is covered by the provisions of the Convention”. </li><li>The test for anonymisation will be <u>relative</u>, i.e. will the individual remain identifiable <i>by that controller</i>, cf. 
a third party?</li></ol><p></p><h4 style="text-align: left;">Artificial intelligence (AI) & machine learning (ML), and ADM</h4><p></p><ol style="text-align: left;"><li>Anti-discrimination - the <a href="https://www.legislation.gov.uk/ukpga/2018/12/schedule/1#schedule-1-paragraph-8">UK DPA sch1 para8</a> exemption allowing processing of <u>special category data and criminal offence-related data</u> for <u>equality of opportunity or treatment</u> will be expanded to allow bias monitoring, detection and correction in AI systems.</li><li>Fairness - the government will consider the role of UK GDPR “fairness” in wider AI governance in its forthcoming AI White Paper, but will not legislate here.</li><li><a href="https://www.gdprinfo.info/#a22">Art.22 automated decision-making (ADM)</a> - will be retained, but with clarified limits & scope, including ADM as a <u>right to specific safeguards</u>, rather than a general prohibition on solely automated decision-making. The approach to ADM will be aligned with the broader approach to governing AI-powered ADM, which will be addressed as part of the upcoming UK White Paper on AI governance.</li><li>Explainability and intelligibility of AI-powered ADM, including the role of DP legislation in that context, will be considered in the White Paper on AI governance.</li><li>See also above on purpose limitation.</li></ol><p></p><h4 id="accountability" style="text-align: left;">Accountability</h4><p></p><ol style="text-align: left;"><li>Organisations must have a <u>privacy management programme</u>.</li><li><u>No</u> need for DPO, but must designate a suitable individual to oversee data protection compliance</li><li>No more data protection impact assessments (DPIAs), or requirement for records of processing activities (ROPAs) as such. 
</li><li>Controllers must have simple, transparent <u>complaint-handling processes</u> for data subjects (but retaining clear pathway to complain to the ICO).</li></ol><p></p><h4>Legal basis - legitimate interests</h4><p></p><ol><li><u>No balancing test</u> will be needed for a limited number of carefully-defined processing activities in the clear public interest based on legitimate interests, likely to include processing activities undertaken by controllers to <u>prevent crime, report safeguarding concerns or that are necessary for other important reasons of public interest</u> (the government will consider if any additional safeguards are needed for children’s data). Hopefully this should “encourage organisations to make the authorities aware of individuals who are at risk without delay”, including children and other vulnerable groups with protected characteristics. However, core principles like lawfulness, fairness & transparency, and further conditions for processing special category data, etc., would of course continue to apply.</li><li>Power to update the list of activities, subject to Parliamentary scrutiny.</li></ol><p></p><h4>Special category data, criminal offence-related data</h4><p>The <a href="https://www.legislation.gov.uk/ukpga/2018/12/schedule/1#schedule-1-part-2">UK DPA 2018 sch1 part 2</a> exemptions for processing in the <u>substantial public interest</u> could be expanded to add certain activities, but “substantial public interest” will not be defined specifically.</p><h4>Purpose limitation</h4><p></p><ol><li>Further processing or reuse by the same controller for <u>incompatible purposes will be permitted </u>“when based on a law that <u>safeguards important public interest</u>”, with “greater clarification on the rules and permissions of data re-use and the need for greater transparency”. 
</li><li>On <u>consent-based processing</u>, “further processing cannot take place when the original legal basis is consent <u>other than in very limited circumstances</u>”. We’ll have to wait to see what those new circumstances will be.</li><li>Distinctions between further processing and <u>new processing by a different controller</u> to be clarified.</li></ol><p></p><h4 id="transfers">Transfers</h4><p></p><ol><li>Adequacy decisions - a risk-based approach will be taken; judicial or administrative redress are both acceptable. There will be ongoing review, cf. 4-yr review of adequacy decisions.</li><li>The Secretary of State can recognise alternative transfer mechanisms (ATMs). </li><li>(But no repetitive derogations or reverse transfers etc.)</li></ol><p></p><h4>DSARs</h4><p></p><ol><li>No nominal fee to be introduced.</li><li>No cost ceiling, but controllers can refuse to deal with DSARs that are “<u>vexatious or excessive</u>” (cf. the current “manifestly unfounded or excessive”).</li></ol><p></p><h4>Research</h4><p></p><ol><li>No new lawful basis for research, but various changes will be made to assist and promote research.</li><li>E.g. 
a “scientific research” definition (hopefully making crystal clear the position on <u>commercial</u> scientific research, and what's research in the "public interest"?); and clarifying that <u>broad consent</u> is possible and can be relied on.</li><li>Privacy notices – the UK GDPR's <a href="https://www.gdprinfo.info/#a14.5.b">Article 14(5)(b)</a> “disproportionate effort” exemption will be replicated, but <u>only</u> for research purposes, to allow personal data being used for a research purpose differing from the original purpose to be <u>exempt</u> from re-providing information under <a href="https://www.gdprinfo.info/#a13.1">Article 13(3)</a> - but without exempting controllers who obtain personal data directly from data subjects from providing the required <a href="https://www.gdprinfo.info/#a13">Article 13</a>(1) & (2) information to them on collection. “Disproportionate effort” to be clarified by bringing in the GDPR's <a href="https://www.gdprinfo.info/#r62">Rec.62</a> language into the operative text.</li></ol><p></p><h4 style="text-align: left;">ePrivacy under <a href="https://www.legislation.gov.uk/uksi/2003/2426/contents">PECR</a></h4><p></p><ol style="text-align: left;"><li>Fines - to be increased to <u>GDPR levels</u>.</li><li>ICO powers - to include assessment notices etc.</li><li><u><span id="cookies"></span>Cookies and similar technologies (i.e. mobile apps, smart devices too)</u></li><ol><li><u>Analytics</u> will be considered “strictly necessary”.</li><li>Consent to be unnecessary in more situations: "a small number of other non-intrusive purposes" (e.g. 
website fault detection?), "where the controller can demonstrate legitimate interest for processing the data".</li><li>Websites must respect users’ browser preferences; the UK will move to <u>no cookie banners </u>for UK residents and an <u>opt-out model</u> for cookies once preferences management technology is widely available.</li></ol><li><u>Direct marketing</u></li><ol><li><u>Soft opt-in</u> to be extended to political parties and non-commercial organisations like NGOs/charities. </li></ol><li><u>Nuisance phone calls</u> e.g. automated telephone marketing </li><ol><li>The ICO will be able to take enforcement action against organisations based on the number of calls <u>generated</u> (cf. only the number that are connected, currently)</li><li>Communications service providers must report to the ICO “suspicious levels of traffic on their networks”.</li></ol></ol><p></p><h4 id="transfers" style="text-align: left;">ICO</h4><p></p><ol style="text-align: left;"><li>New <u>duties</u> (e.g. to uphold data rights and to encourage trustworthy and responsible data use, have regard to economic growth and innovation, competition issues and public safety, to consult with relevant regulators and any other relevant bodies).</li><li>Structural changes e.g. independent Board and Chief Executive.</li><li>New powers for the DCMS Secretary of State, e.g. to prepare a statement of strategic priorities which the ICO must respond to; to approve statutory codes of practice and statutory guidance ahead of laying them in Parliament.</li><li>Legislative criteria for a more risk-based proportionate approach to <u>complaints</u> - ICO discretion to decide when/how to investigate complaints, including discretion not to investigate vexatious complaints, and complaints where the complainant has not first attempted to resolve the issue with the relevant data controller. 
"This will empower the ICO to exercise its discretion with confidence."</li><li>New ICO powers</li><ol><li>To issue <u>technical report notices</u> where fair and reasonable, having regard to alternative investigatory tools, relevant knowledge and expertise available to the controller or processor and the impact of the cost of producing the report.</li><li>To <u>compel witness interviews</u>, without interfering with the right not to self-incriminate, rights to legal professional privilege and various procedural mechanisms to ensure proportionality & fairness of interview.</li></ol><li>Must provide organisations with the <u>expected timeline</u> at the start of all investigations.</li></ol><p></p><p>Note: on <u>ICO resources and funding</u>, the ICO <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2022/06/ico-funding-update-fine-income-retention-agreement/">announced</a>, on 14 June 2022, its agreement with its sponsor department the Department for Digital, Culture, Media & Sport (DCMS) and with the Treasury (HMT) that the ICO will now be able to <u>retain some of the funds paid as a result of its civil monetary penalties i.e. fines</u> to cover pre-agreed, specific and externally audited litigation costs. (Previously, all fines money went to the UK government’s central Consolidated Fund.)</p>Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-44501869771830966512022-04-10T15:38:00.003+01:002022-04-10T16:59:15.831+01:00Security training - review of Security Innovation's Cmd+Ctrl Shred cyber range & security training<p>GDPR supervisory authorities (SAs) emphasise data protection training (e.g. 
the UK Information Commissioner's <a href="https://ico.org.uk/media/report-a-concern/forms/4019685/report-a-personal-data-breach-form.doc">personal data breach notification form</a> asks, "Had the staff member involved in this breach received data protection training in the last two years?", and "Please describe the data protection training you provide, including an outline of training content and frequency").</p><p>What about security? Security of personal data is of course important under GDPR, and organisations can be fined for not having appropriate security measures in place. While security training for <i>developers </i>is not specifically mentioned in GDPR as such, developers do also need training on application security issues
that can lead to breaches of websites, online services and any databases or
other data storage behind them (including personal data in systems). Most IT
staff, developers and otherwise, are <i>not</i> necessarily cyber security (or even security) experts, and
must be educated on what to look for and how to address, at least, the most
common key security issues.</p><p style="text-align: center;"></p><div class="separator" style="clear: both;">Many online training courses on cybersecurity
for developers are now available. There are also "cyber ranges" offering
users deliberately vulnerable systems, websites or online applications that
users can attack and seek to exploit, to learn how hackers think and the kinds
of actions they take, and therefore be able to defend against them better. </div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTofh5vqOwJfaUcu8MsofJmrS2VCoqlEyNWES7fuahBWrSYdEfwOLuiF_Z8fCG6XeOG8v77K_aYXtHpP-ZoCtEJYY3BPe1r5-9JNQQ9s_HclJq8e0eDrDL48VH69k5BtJ59s79Cw5_eW2qg7Ekxsfkyw_mqdNCcbFA_PHDDV4pZnf9IwNLoF6s4ZA8/s382/clip_image002.jpg" style="clear: left; display: inline; float: left; margin-bottom: 1em; margin-right: 1em; padding: 1em 0px; text-align: left;"><img alt="" border="0" data-original-height="382" data-original-width="230" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTofh5vqOwJfaUcu8MsofJmrS2VCoqlEyNWES7fuahBWrSYdEfwOLuiF_Z8fCG6XeOG8v77K_aYXtHpP-ZoCtEJYY3BPe1r5-9JNQQ9s_HclJq8e0eDrDL48VH69k5BtJ59s79Cw5_eW2qg7Ekxsfkyw_mqdNCcbFA_PHDDV4pZnf9IwNLoF6s4ZA8/s320/clip_image002.jpg" /></a>As part of <a href="https://www.meetup.com/OWASP-London/events/281856079/">OWASP London CTF
2021</a>, in Nov 2021 <a href="https://www.securityinnovation.com/">Security Innovation</a> generously offered participants free
access for a month to a fake e-commerce website "Shred Skateboards" on
its <a href="https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/">CMD+Ctrl
CTF (Capture the Flag) web application cyber range</a>, and for 6 weeks to its Bootcamp
Learning Path, a self-paced online training course incorporating 32 selected courses
from its <a href="https://www.securityinnovation.com/print-catalog/">full catalog</a>
of <a href="https://www.securityinnovation.com/training/software-application-security-courses/">training
courses</a>.</div><p class="MsoNormal">This blog reviews the Shred range, then
the online training courses. These cover some of the issues referenced in the
recently-finalised European Data Protection Board (EDPB) <a href="https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf">Guidelines
01/2021</a> on Examples regarding Personal Data Breach Notification, as those
Guidelines include some recommended security measures as well as breach
notification, and also mention OWASP for secure web application development. </p><p class="MsoNormal"><br /></p><p class="MsoNormal"><b><span lang="EN-GB">Cmd+Ctrl Ranges and Shred</span></b></p>
<p class="MsoNormal">Cmd+Ctrl's ranges are generally available
only to paying organisations to train their staff (but not to paying
individuals, sadly. Missed trick there, as I think individuals wanting to
improve their ethical hacking skills would pay a reasonable fee or sub for access).
People who signed up for the event were however given free access to Shred for
a month. Shred is meant to be one of the easy ranges.</p>
<p class="MsoNormal">The Cmd+Ctrl <a href="https://cmdnctrl.net/welcome">login page</a> provides some sensible
disclaimers and warnings: </p>
<p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJxAyOzYEmnI8avAzUfWVqg5e2fQ1DsG8x4MD9DQEZ3mZSpvlvZnO_m1ISq0VUfM4vPubIb6M9IP3qCeHT6jhEDuyUnwDdeKMd6zpXNS7YPPmo9lypnvJhyvsRbK1KbLLLn4Lum5MXdg2q6RZKiSq1zYUTJNmevdxjNKtvO3p8KNamYX92F_pQ1NmW/s440/clip_image004.jpg" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="382" data-original-width="440" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJxAyOzYEmnI8avAzUfWVqg5e2fQ1DsG8x4MD9DQEZ3mZSpvlvZnO_m1ISq0VUfM4vPubIb6M9IP3qCeHT6jhEDuyUnwDdeKMd6zpXNS7YPPmo9lypnvJhyvsRbK1KbLLLn4Lum5MXdg2q6RZKiSq1zYUTJNmevdxjNKtvO3p8KNamYX92F_pQ1NmW/w400-h348/clip_image004.jpg" width="400" /></a></p>
<p class="MsoNormal"><span lang="EN-GB">After logging in, you need to click on the
relevant range's name and wait a few minutes for it to start up (each user gets
their own virtual machines, I suspect on Amazon Web Services), as a real website
available on the Internet with its own URL (hence the exhortation not to enter
sensitive information on the website - I would expand that to real names, real
email addresses and basically any real personal data, because real hackers can
also access that website as much as you can!).</span></p>
<p class="MsoNormal"><span lang="EN-GB">Then, basically explore the website and try
different things to find vulnerabilities e.g. click the links, register user
accounts, try different URLs, enter different things into the search or login
forms, etc. I won't share screenshots of Shred so as not to give anything away,
but it emulates an online shop for skateboards and related accessories and
pages, with user accounts that can store user details including payment cards,
the ability to purchase gift cards, etc. Each machine is up for, I believe, 48
hours, and each time you start it, it may have a different URL and IP address. If
things go badly wrong you may have to reset the database (which loses your
changes e.g. a fake user you registered) or even do a full reset, but you're
not penalised for that; the system retains the record of scores you achieved
for previous exploits.</span> </p>
<p class="MsoNormal"><span lang="EN-GB">When you successfully exploit a
vulnerability, a banner slides in from the top of the webpage indicating what
challenge was solved and how many points you gained for it. You can also see what
broad types of other challenges remain unsolved.</span> </p>
<p align="center" class="MsoNormal" style="tab-stops: 212.65pt; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbLfQjV8YqojKXvDqxnZ9anCwslXmiEJA_MzO2KSKS66fJvD13hn8WnoCXPrs2fJV1rYQP-MFrvtBje_ngDqjygMjDjddoU5iLc53BOsyOZQHANqYgQQS-2mj6j8bpCjJ5udLSs_GOiZvOWE-ps-8vwpIpiI5U82OsVMEs8EUKVMWR6lrMykK2xrt7/s785/clip_image005.png" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="313" data-original-width="785" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbLfQjV8YqojKXvDqxnZ9anCwslXmiEJA_MzO2KSKS66fJvD13hn8WnoCXPrs2fJV1rYQP-MFrvtBje_ngDqjygMjDjddoU5iLc53BOsyOZQHANqYgQQS-2mj6j8bpCjJ5udLSs_GOiZvOWE-ps-8vwpIpiI5U82OsVMEs8EUKVMWR6lrMykK2xrt7/w640-h256/clip_image005.png" width="640" /></a></p>
<p class="MsoNormal">Via the My Stats link, you can see a Challenges
page, which also gives similar broad information about the types of challenges
remaining unsolved. Unfortunately, only Category information was provided regarding
unsolved challenges (see the Category column of the Solved table shown below
for examples). </p><p class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIuyUcWUPZlq0z1JP-rmlWxBHMmlhRe4u0U6deXYd1El8tsDLr_f3H3s4KzDPlySf7S6sUa1tlSHJX_N8RRBxg995NP_TyjneuYw6bgUSG9HIGZNQpOe4grOkTL_dnz8KmhyeZL3RKUJrEvLfgt4ikIRLlGNL-t10rQ6veYMVFsK7DYkwYS1qpdKiI/s1274/clip_image007.png" style="display: inline; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="692" data-original-width="1274" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIuyUcWUPZlq0z1JP-rmlWxBHMmlhRe4u0U6deXYd1El8tsDLr_f3H3s4KzDPlySf7S6sUa1tlSHJX_N8RRBxg995NP_TyjneuYw6bgUSG9HIGZNQpOe4grOkTL_dnz8KmhyeZL3RKUJrEvLfgt4ikIRLlGNL-t10rQ6veYMVFsK7DYkwYS1qpdKiI/w640-h348/clip_image007.png" width="640" /></a></p>
<p class="MsoNormal">No
detailed information about the exact nature of any challenge (i.e. the info
under the Challenge column, such as "Unsafe File Upload" in the table
above) was provided. It appeared only after you actually solved the challenge, whereupon
it was listed in the Solved table (as well as the banner appearing). The
"Get Hints" link was disabled for this event - but presumably hints
are available in the paid versions of the ranges. However, Security Innovation
provided a live online introduction on the first day of the CTF event, access
to a one-page basic cheat sheet tutorial, with a guide to Burp Proxy for
intercepting HTTP traffic, and weekly emails with some hints and links to
helpful videos. A chat icon at the bottom right of every webpage allowed the
user to ask questions of support staff. I tried to confine my range attempts to
the afternoon/evening given that Cmd+Ctrl is US-based, but I was very impressed
with how quickly responses were given to my chat queries, even though I was
using the range as an unpaid user. The support staff did not give away any
answers, but instead provided some hints, often very cryptic - I suspect similar
to the tips that users for whom the "Get Hints" link is enabled would
receive. </p>
<p class="MsoNormal"><span lang="EN-GB">Under My Stats there was also a Report Card
link giving detailed information about your performance, also in comparison to
others who had attempted the range, including the maximum score reached.
Challenges were again shown here, broken down by category and percentage
solved.</span> </p>
<p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAS1mNDt71bhFitYIr_lYSLrnC1PBW72kPvwX5VEY4gcUbphoIIsbH4779It4Ue2ZDtrG4ZLidN9KR94iZAHSmet0qSTdxna8Eg2q2NC98U5hb6EwdMwx1diN3tx6T8lBQ2z_a6aLZJCLqWLSSGrfIXri30n_3HUfJxFKv5gUqCllNkzZ96PJUhs7v/s656/clip_image010.jpg" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="472" data-original-width="656" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAS1mNDt71bhFitYIr_lYSLrnC1PBW72kPvwX5VEY4gcUbphoIIsbH4779It4Ue2ZDtrG4ZLidN9KR94iZAHSmet0qSTdxna8Eg2q2NC98U5hb6EwdMwx1diN3tx6T8lBQ2z_a6aLZJCLqWLSSGrfIXri30n_3HUfJxFKv5gUqCllNkzZ96PJUhs7v/w640-h460/clip_image010.jpg" width="640" /></a></p>
<p class="MsoNormal">As well as repeating the solved challenges
table further down on this page, there's also a time-based view of the user's stats.
As you'll see, I had a go over the first weekend, solving a few basic and easy
challenges, then left it until I realised that I would lose access to Shred
soon, so I made a concerted effort over the last few days though I ran out of
energy with an hour or two to spare!</p>
<p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguInh-c1DepMiQUH6sGXop13_p189DABeFGM7z36oDguGX19HSLR_NNb36KCGi_yEw4VJcraxt6dmtSExHjNvrjvhVyf_rJPEMLU4QssRJzOaw20bt3IYPHLi7UJDbLWH_MiwmA_YZIcZmcQ1OXnJZAzqPF9QwgOvWm49zGPTXwsCzrLd4lMBmRcY5/s543/clip_image011.png" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="208" data-original-width="543" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguInh-c1DepMiQUH6sGXop13_p189DABeFGM7z36oDguGX19HSLR_NNb36KCGi_yEw4VJcraxt6dmtSExHjNvrjvhVyf_rJPEMLU4QssRJzOaw20bt3IYPHLi7UJDbLWH_MiwmA_YZIcZmcQ1OXnJZAzqPF9QwgOvWm49zGPTXwsCzrLd4lMBmRcY5/w640-h246/clip_image011.png" width="640" /></a></p>
<p class="MsoNormal">I was rather chuffed that, as a mere lawyer
and not a cybersecurity professional, I managed to complete 25 out of the 35
challenges and reach the rank of 7, out of 54 people who at least attempted
Shred (in the screenshots below I've redacted names and handles other than
common ones like Mark or David). I admit I have attended some pen testing
training, one excellent 2-day course with renowned web security expert <a href="https://en.wikipedia.org/wiki/Troy_Hunt">Troy Hunt</a> (yes, I was very
lucky), and one terrible week-long course with someone whose name should never
be mentioned again (but at least the food was great). However, those courses were several years ago, and this is the first time that I've
attempted a range or CTF event. (I've signed up for other services with some similarities,
<a href="https://hackthebox.eu/">Hack the Box</a> and <a href="https://go.rangeforce.com/community-edition-registration">RangeForce
Community Edition</a>, but I haven't had time to try them properly yet.)</p>
<p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge7-yM8avCEuP7d69138xqx126Gnn-txAFCOS6narDoCJBc9UOxrZXDdr_3zMtzj51ufne-eB3XPAcgiqxe3OaQZVfeFFxGF6ARBB5dSw7rw77ydEcaetPPmH814ELtx2TbuHTwM7KHfyW3dB0EetIOGCiESB9wntGZmNWLB5aJtczdPs6dUqsKsKK/s869/clip_image013.png" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="605" data-original-width="869" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge7-yM8avCEuP7d69138xqx126Gnn-txAFCOS6narDoCJBc9UOxrZXDdr_3zMtzj51ufne-eB3XPAcgiqxe3OaQZVfeFFxGF6ARBB5dSw7rw77ydEcaetPPmH814ELtx2TbuHTwM7KHfyW3dB0EetIOGCiESB9wntGZmNWLB5aJtczdPs6dUqsKsKK/w640-h446/clip_image013.png" width="640" /></a></p>
<p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSA5l1khcvdJw3PWjkNhodIOKg1_q855K8OtMDjcHnOfma3U4qfk4vERAjvYZeZwPqXQgiBVBIP7t5wtprB45M9THdyH_3Px-fzuYNLs912BoWZ8ZucGlvk7pCEPGLtLxHr_X61sMoVLl5XLm0Ot1xaE7BFHQw4WLvKjMMC6ofADI72ny_zXc-E79v/s1073/clip_image015.png" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="775" data-original-width="1073" height="462" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSA5l1khcvdJw3PWjkNhodIOKg1_q855K8OtMDjcHnOfma3U4qfk4vERAjvYZeZwPqXQgiBVBIP7t5wtprB45M9THdyH_3Px-fzuYNLs912BoWZ8ZucGlvk7pCEPGLtLxHr_X61sMoVLl5XLm0Ot1xaE7BFHQw4WLvKjMMC6ofADI72ny_zXc-E79v/w640-h462/clip_image015.png" width="640" /></a></p>
<h4 style="text-align: left;">Prerequisites for trying these ranges</h4><p class="MsoNormal">You do
need some prior knowledge, particularly about HTML and how URLs, query
parameters and web forms work, HTTP, cookies, databases and SQL etc, and
concepts like base64 encoding and hashes. You also have to know how to use tools
like the developer tools built into Chrome to edit Shred webpages'
HTML. I'd not used those developer tools before tackling Shred, but searched
for how to (I didn't resort to Burp for Shred, myself). I probably have a better
foundation than most tech lawyers as I have computing science degrees as well
as the pen testing training, coupled with a deep and abiding interest in
computing and security since my childhood days. So I'd strongly recommend that
those without such a foundation should take the courses before attempting any
ranges (the courses are covered in more detail below).</p>
<h4 style="text-align: left;">Positives</h4><p class="MsoNormal">The range provided an excellent
assortment of different vulnerabilities to try to exploit, most of the type
that exist in real life (indeed, recently I spotted a common one on one site I
shop from, when I mistyped my order number into its order tracking form!). The
chat support staff were very prompt, although I couldn't figure out some of
their hints.</p>
<h4 style="text-align: left;">Negatives</h4><p class="MsoNormal">Shred included 3 challenges
(maybe more?) that involved the solving of certain puzzles (at least one of
which scored quite a few points). However, I think the range would have been
better if they had not been included, as you wouldn't find them on actual websites
- they were simply puzzles to solve, not realistic website vulnerabilities. OK
perhaps for some fun factor, not so much for learning about web
vulnerabilities, particularly as access to the range is time-limited.</p>
<p class="MsoNormal">The biggest negative in my view is that no
model answers are given at the end. If you haven't managed to solve some of the
challenges, tough luck, they won't tell you how. A support person said they
felt that these ranges could be devalued by "giving away too much",
because customers pay to access its ranges. However, I think that view is
misconceived.</p>
<p class="MsoNormal">It depends on how customers use these
ranges internally. I believe they would be best used as hands-on training for tech
staff (developers, security), but I can't see why previous users would give
away the answers to colleagues or indeed people in other organisations, as it
defeats the object of trying these ranges. If organisations required staff to
achieve a minimum score on these ranges, then yes, that might incentivise
"cheating" and disclosure of solutions. But it's not uncommon, and in
fact often a good thing, to form teams to solve challenges together and share
knowledge. For this and many other reasons, such a requirement would not make
sense. And it would make no sense for one customer of Security Innovation to
give the answers away to other customers, what would be the purpose of that?</p>
<p class="MsoNormal">Conversely, it would be very frustrating
for someone who had paid to use the range to find out that they would not be
told any outstanding answers at the end. If you haven't managed to teach
yourself the solutions, you don't know what you don't know, how will you learn
if they refuse to fill in the gaps? Security Innovation already impose a
condition on the login page that users cannot post public write-ups or answer
guides, which they could expand if they wish (though I don't think that's
necessary or desirable).</p>
<p class="MsoNormal">In similar vein, I think they should at
least give hints about the detailed challenges (e.g. "Unsafe file
upload" as one challenge), not just categories of challenges. The cheat
sheet mentioned a few types of vulnerabilities that I spent too many hours trying
to find, and it was only on the last day or two before expiry that I asked on
the chat, only to be told Shred didn't actually have those types of
vulnerabilities! I appreciate Cmd+Ctrl doesn't want to give too much away, but
knowing there's an unsafe file upload issue to try to exploit still doesn't
tell you <i>how</i> to exploit it, and it would have saved me so much time
particularly given that access to Shred was time-limited. Again, I think paying
customers would appreciate more detailed hints so that they can be more
targeted and productive in tackling the challenges during the limited time
available (and perhaps "Get hints" would have done that, but access
was disabled for this event).</p>
<p class="MsoNormal">Also, I'm not sure how time-limited access
would be for the paid version, but organisations wanting to subscribe should of
course check the details and ensure the time period is sufficient for their
purposes, as staff also have to do their jobs! (I tried the range during my
annual leave).</p>
<h4 style="text-align: left;">Final comments</h4><p class="MsoNormal">I think it's definitely worth
it for organisations to pay for their developers to try these ranges, subject
to the negatives mentioned above (and see below for my review of the training
courses). These ranges can be more interesting and fun for users, and certainly
involve more active learning (looking into various issues in context as part of
attempting to exploit those types of vulnerabilities), which research has shown
improves understanding, absorption and retention. And of course, gamification
is known to increase engagement. Attempting these ranges would help to
consolidate knowledge gained during the security training. </p>
<p class="MsoNormal"><span lang="EN-GB">But, as mentioned above, I believe the best
way would be to give staff enough time to tackle the ranges, over a reasonable
period over which the relevant range is open. Don't make staff do this exercise
during their weekends or leave, or require each person to reach a minimum
score; instead, hold a debrief at the end of the period, for staff to discuss
the exercise and share their thoughts (and hopefully receive the answers to
challenges none of them could solve, so that they can learn what they didn't
know). I appreciate that leaderboards and rankings can bring out the
competitive streak and make some people try harder, but I believe team members
need to cooperate with each other, and staff shouldn't be appraised based on
their leaderboard ranking (or be required to reach a minimum score) - the joint
debrief and "howto" at the end is, I feel, the most critical aspect to
getting developer teams to work together better in future to reduce or
hopefully eliminate vulnerabilities in their online applications.</span></p>
<p class="MsoNormal">Cmd+Ctrl offers <a href="https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cmd-ctrl-cyber-range-features-benefits/">a
good variety of ranges</a> with the stats and other features covered above,
which seem very up to date in their scope: banking (two), HR portal, social
media, mobile/IoT (Android fitness tracker), cryptocurrency exchange, products
marketplace, and cloud. I wish I'd had the chance to try the cloud ones! In
fact, there now seem to be 3 separate cloud-focused ranges: cloud
infrastructure, cloud file storage, and what seems to be a cloud mailing list
management app, i.e. both IaaS and SaaS. </p><p class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuRiVyNh6iNKsX98K_d-aV5nrE7nYN4-ldX9_6pPzxq-fVrQylF4vFktnGWHxDb1IlLpjx_n92dZeSiaywmcPhxv7VfVaskkMDYrwpZVM0Fn96xzEGlk-qCSPPgs1ZZlE7qEvHBEIa6bZV51-i1_hHFjaSO2-n0FM8Kur_ivcHPb5FJzMUK0qhQWgJ/s915/clip_image017.png" style="clear: left; display: inline; float: left; margin-bottom: 1em; margin-right: 1em; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="510" data-original-width="915" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuRiVyNh6iNKsX98K_d-aV5nrE7nYN4-ldX9_6pPzxq-fVrQylF4vFktnGWHxDb1IlLpjx_n92dZeSiaywmcPhxv7VfVaskkMDYrwpZVM0Fn96xzEGlk-qCSPPgs1ZZlE7qEvHBEIa6bZV51-i1_hHFjaSO2-n0FM8Kur_ivcHPb5FJzMUK0qhQWgJ/w400-h223/clip_image017.png" width="400" /></a></p>
<h4 style="text-align: left;"><span lang="EN-GB">Wishlist</span></h4><p class="MsoNormal"><span lang="EN-GB">A range that actually allows the
user to edit the application code to try to address each vulnerability, then
test again for the vulnerability, would be great for developers!</span></p><h3 style="text-align: left;"><u><span lang="EN-GB">Online training courses</span></u></h3>
<p class="MsoNormal">Alongside access to Shred, for those who
signed up to the Nov 2021 bootcamp, Security Innovation kindly offered access
for 6 weeks to 32 online courses from its <a href="https://www.securityinnovation.com/print-catalog/">full catalog</a> of <a href="https://www.securityinnovation.com/training/software-application-security-courses/">training
courses</a>. I provide some comments on format and functionality first, then end
with thoughts on the content.</p>
<p class="MsoNormal">I took the bootcamp courses, but the vast
majority of them only after I'd finished the Shred range. The information in
some of those courses would help with the Shred challenges, but not all of
them, and they are aimed at developers, so to follow those courses you would
also still need some prior computing and coding knowledge.</p>
<p class="MsoNormal">It was great that many courses were based
on the <a href="https://cwe.mitre.org/">Mitre CWE (common weakness enumeration)</a>
classifications often used in the security industry, e.g. incorrect
authorization (CWE-863) and on the <a href="https://owasp.org/www-project-top-ten/2017/Top_10">OWASP 2017 top 10
security risks</a>, but I won't list them all here. The topics covered by the
bootcamp: fundamentals of application security, secure software development,
fundamentals of security testing, testing for execution with unnecessary
privileges, testing for incorrect authorization, broken access control, broken
authentication, database security fundamentals, testing for injection vulnerabilities,
injection and SQL injection, testing for reliance on untrusted inputs in a
security decision, testing for open redirect, security misconfiguration, cross
site scripting (XSS), essential session management security, sensitive data
exposure (e.g. encrypting), deserialization, use of components with known
vulnerabilities, logging and monitoring and XML external entities.</p>
<p class="MsoNormal"><span lang="EN-GB">Several courses were split logically into
one course on the problem, and the next on mitigating it, or testing for it.
Personally, I learn best by being told the point, then seeing practical concrete
worked examples, and I would have liked to see more concrete examples of e.g.
XSS attacks or SQL injection attacks. A couple were given occasionally, but not
enough in my view. (I appreciate some examples can be found by searching
online.)</span> </p><p class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgONECyv17qqAXRCXIN1Qlkyg6bRJ6VGC9Zidux42XMK8DVlwlgYa6lBVG8hORiSjuSoKB9Xkp6IJQPnfdlIN_Vg5oX7i8WnIG4llugYItO-lwes1u-NfKsd7eYZADcWTPViSa665mb3zMuQPb15moAfIc6_ZdOrdlFQ_N1Lbgd9uuhCIfsnDvSGKex/s1052/clip_image019.png" style="display: inline; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="676" data-original-width="1052" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgONECyv17qqAXRCXIN1Qlkyg6bRJ6VGC9Zidux42XMK8DVlwlgYa6lBVG8hORiSjuSoKB9Xkp6IJQPnfdlIN_Vg5oX7i8WnIG4llugYItO-lwes1u-NfKsd7eYZADcWTPViSa665mb3zMuQPb15moAfIc6_ZdOrdlFQ_N1Lbgd9uuhCIfsnDvSGKex/w640-h412/clip_image019.png" width="640" /></a></p>
<p class="MsoNormal">The above shows Completed but a course's status
could also be displayed as being in progress. You need to click against a
particular course (where it shows Completed above) to enrol in the first place,
an extra step whose purpose I couldn't fathom (why not just
"Start"?). The 3 dots "action menu" enables you to copy the
direct link to a particular course for sharing, or pin individual courses.</p>
<p class="MsoNormal">Clicking on a course name takes you to a
launch page, from where you can also open a PDF of the text transcription of
the audio.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0hxJw3uhatyOxjlQFb8KaEyAdS4FbZaZ5AQFtAK775YHPnR44Ep2ZvfleVDCuC_AM8z1zgbZNXEDGk-cJI7YtA_Hm8vZ1AE784eOScegC0CuRfuXpdEPhJhtdCLvXBr_-7gvocfg7_BH0oHq_XJehdT67B-5PM8Fygshyt7nTOAB00p_8zyJ-NLOk/s1259/secTrg.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="715" data-original-width="1259" height="365" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0hxJw3uhatyOxjlQFb8KaEyAdS4FbZaZ5AQFtAK775YHPnR44Ep2ZvfleVDCuC_AM8z1zgbZNXEDGk-cJI7YtA_Hm8vZ1AE784eOScegC0CuRfuXpdEPhJhtdCLvXBr_-7gvocfg7_BH0oHq_XJehdT67B-5PM8Fygshyt7nTOAB00p_8zyJ-NLOk/w640-h365/secTrg.png" width="640" /></a></div><p style="text-align: center;"><span style="text-align: left;">You can leave a course part-completed, and
resume later: </span></p>
<p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDmObDF9ohZbNVaZ7z7mkpFzD8JGb8135M08f2_dJBzJRiMppidAhrxa13Lh7SYH92B93qJFFyqRbpbDQPcGM-EqBi5ZqSq90TfLR4zJUuIIjLWkrYCh4JPo7isKbLbv4a61AIs4k_Z163MB8LI9SLMhjdH3SABXAJxci3WANH8AR5VvZ3Es2i5B8X/s1038/clip_image023.png" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="694" data-original-width="1038" height="429" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDmObDF9ohZbNVaZ7z7mkpFzD8JGb8135M08f2_dJBzJRiMppidAhrxa13Lh7SYH92B93qJFFyqRbpbDQPcGM-EqBi5ZqSq90TfLR4zJUuIIjLWkrYCh4JPo7isKbLbv4a61AIs4k_Z163MB8LI9SLMhjdH3SABXAJxci3WANH8AR5VvZ3Es2i5B8X/w640-h429/clip_image023.png" width="640" /></a></p>
<p class="MsoNormal"><span lang="EN-GB">When you launch or resume a course, a video
appears for playing. There are 3 icons on the top right, above the video, for a
glossary (the book), help regarding how to use the video (the question mark),
and the text version of the course (printer icon).</span> </p>
<h4 style="text-align: left;"><span lang="EN-GB">Positives</span></h4><p class="MsoNormal"><span lang="EN-GB">These courses cater for people
with different learning styles, by providing both videos and PDF transcriptions.
Personally, I scan text a zillion times faster than if I had to watch a video linearly at the slower pace at which people speak, so for learning I much prefer text over
video (plus the ability to ask questions, but I didn't see a chat icon - I
don't know if that's possible with the paid version?). So, I always clicked the
printer icon to read the PDF (opens in another tab) rather than watch the
video.</span></p><p class="MsoNormal">A TOC button on the bottom right brings up a table of contents on the left, where you can click to go straight to a particular section of the video. It also shows progress, with a tick against the sections that you've watched. </p><p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu7dGXhy8BVTKyjgDsgM_s8OnW-sHLh9Do3C-60jtevQp3bHaY6XB0kEfsAjfR26xQpUOhL61yIDRHXjjxt9WGEYzF_O3v40MMPeSGqSSpplHBHZ_YGFwRa1yl2pNCqqIcIDo1RnudleDrltPTTD-0ENjVbGPDewdatdRUKty6usj8t4yTI2aqbri5/s1195/clip_image027.png" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="693" data-original-width="1195" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu7dGXhy8BVTKyjgDsgM_s8OnW-sHLh9Do3C-60jtevQp3bHaY6XB0kEfsAjfR26xQpUOhL61yIDRHXjjxt9WGEYzF_O3v40MMPeSGqSSpplHBHZ_YGFwRa1yl2pNCqqIcIDo1RnudleDrltPTTD-0ENjVbGPDewdatdRUKty6usj8t4yTI2aqbri5/w640-h372/clip_image027.png" width="640" /></a></p><p class="MsoNormal">Another positive, from an accessibility perspective: the CC (closed captions) button at the bottom right brings up the text transcript for the current part of the video, synchronised to the audio. 
</p><p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj5K8sKb6KcgQ23Xuc_S9TF-PZBDBSXb2KVxtUD750Y1TJ-JEFPKc6SrNkJuWWlDGrFVjT4pF8NguZD3qRx65_Gvtd3zAWD6jKc48q4_07U1EcsT6IZ4hj_yMfSPeoEL0l_htEzMIBm6V5A0In15FEmbWPYKUsRXn7JC2unQuNgSG6rstBy7_uEWPp/s1219/clip_image029.jpg" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="692" data-original-width="1219" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj5K8sKb6KcgQ23Xuc_S9TF-PZBDBSXb2KVxtUD750Y1TJ-JEFPKc6SrNkJuWWlDGrFVjT4pF8NguZD3qRx65_Gvtd3zAWD6jKc48q4_07U1EcsT6IZ4hj_yMfSPeoEL0l_htEzMIBm6V5A0In15FEmbWPYKUsRXn7JC2unQuNgSG6rstBy7_uEWPp/w640-h364/clip_image029.jpg" width="640" /></a></p>
<h4 style="text-align: left;">Negatives</h4><p class="MsoNormal">The PDF didn't always show all
the slides from the video, especially in the first few courses - not all the
slides contained substantive content, but some slides with example URLs or code
were missing from the PDF version. So, personally, I only played the videos to
check for any useful slides missing from the PDFs. </p><p class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfnDhrJddp6fNu0m-BCQziYQvbepZV8JpxEC-MWttQRHm2yGN6Z8ygkiRIQS2pXsp_CteTFrWrqpS1sHhNyWE1BvrL5TY4_5KZjXvPsmPAd21l4Zu7eubC0ZAO12rSCfgABWHqpM_R3b5VdJYDuRKzKZJJKjzgpUG-qsgl2CA_pP8KkN1b0Sax5551/s1175/clip_image025.png" style="display: inline; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="693" data-original-width="1175" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfnDhrJddp6fNu0m-BCQziYQvbepZV8JpxEC-MWttQRHm2yGN6Z8ygkiRIQS2pXsp_CteTFrWrqpS1sHhNyWE1BvrL5TY4_5KZjXvPsmPAd21l4Zu7eubC0ZAO12rSCfgABWHqpM_R3b5VdJYDuRKzKZJJKjzgpUG-qsgl2CA_pP8KkN1b0Sax5551/w640-h378/clip_image025.png" width="640" /></a></p>
<p class="MsoNormal">If you play a video, it stops occasionally
and you have to click the play button again to start the next section, which
may not be obvious. Sometimes it stops to provide interactivity, i.e. the user
has to click on one part of the slide to learn about that issue, click on
another part to learn about another issue etc. I hate these types of features,
myself. I would prefer videos to just play continuously, moving on from section
and part to section and part, unless and until the user pauses it. Stopping a
video to force the user to click on something just to get to the next portion
seems popular, particularly with the periodic online staff training that many
are compelled to undergo for regulatory compliance reasons, but really it's not
the same as active learning, in my view! Forced stops like these just break the
train of thought and get in the way, when the user wants to get a move on. But
perhaps this is a matter of personal preference, so allow me my rant about
"interactive" online training courses!</p><h4 style="text-align: left;">Exam</h4>
<p class="MsoNormal"><span lang="EN-GB">At the end of a video, you can take an exam
(and there are also Knowledge Check quizzes to answer throughout the video). As
I had scanned the PDFs rather than watch the videos, I generally went straight
to the exam via the TOC or by dragging the position arrow.</span> </p>
<p class="MsoNormal"><span lang="EN-GB">If you pass an exam, you get a certificate of
completion that you can download under the Transcripts section of the site,
which also allows printing of the list of courses and marks (niggle: all
certificate PDFs had the same filename, it would be great if certificate
filenames followed the course name, and if you could download a single zipped
file of all certificates in one go).</span> </p>
<p class="MsoNormal"><span lang="EN-GB">You're allowed to take the exam multiple
times until you pass. Most exams comprise about 4-5 questions, although one had
3, a few 6-8, and another 12 questions. They estimate it takes about 5 mins per
exam (10 mins sometimes), which I found was about right.</span> </p>
<p class="MsoNormal"><span lang="EN-GB">It doesn't seem possible to go back and
amend your answer if you change your mind about a previous question - when I
tried to do that in one exam, it threw a fit and I ended up having to
retake the exam (with the same answers) twice before it would register as
completed.</span></p><p class="MsoNormal"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj70eUsPGqMYl6ss3O0c3RmiVjTLppbi5v_E1eEZIsZ1YQ_WsO94HqNNU3Fui46oiDDzEqcRfQpZ73XXNwmQiSpZekAGRPpe_wQnbBsdmWoN3Q4XRwvZh744DXDLn0YdDss5EzY6Zi2TDbTWqBBuDdn80_tFRrnKm1wJl-ATWH-7B41pBAo-S61ISp/s1347/clip_image031.png" style="display: inline; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="811" data-original-width="1347" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj70eUsPGqMYl6ss3O0c3RmiVjTLppbi5v_E1eEZIsZ1YQ_WsO94HqNNU3Fui46oiDDzEqcRfQpZ73XXNwmQiSpZekAGRPpe_wQnbBsdmWoN3Q4XRwvZh744DXDLn0YdDss5EzY6Zi2TDbTWqBBuDdn80_tFRrnKm1wJl-ATWH-7B41pBAo-S61ISp/w640-h386/clip_image031.png" width="640" /></a></p>
<p class="MsoNormal">At the end of the exam, your full results
are shown (it doesn't show results per question as you go through):</p>
<p align="center" class="MsoNormal" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk5kqOZHfbRK9Pu6jzPJZTLT4AvjTDqahw7j62xYjebjlXymwc2ebQYqUFFvr-oXDSKTi-ZHYclNJ0W-8JpK47SKShmPodE60pXg-3Pjw5otmeFj5r0KaBfKOk451xqK8qjQ3ybuFDV7K26VV8sPFvvNwA2ERADCXe0aLvY5Hbqcc3L4O1Xab7LvS1/s1035/clip_image033.png" style="display: block; padding: 1em 0px;"><img alt="" border="0" data-original-height="595" data-original-width="1035" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk5kqOZHfbRK9Pu6jzPJZTLT4AvjTDqahw7j62xYjebjlXymwc2ebQYqUFFvr-oXDSKTi-ZHYclNJ0W-8JpK47SKShmPodE60pXg-3Pjw5otmeFj5r0KaBfKOk451xqK8qjQ3ybuFDV7K26VV8sPFvvNwA2ERADCXe0aLvY5Hbqcc3L4O1Xab7LvS1/w400-h230/clip_image033.png" width="400" /></a></p>
<h4 style="text-align: left;">Tips</h4><p class="MsoNormal">The obvious answer is usually the
right one, and if you think "Yes, but only if..", then the answer is
probably "No"! I felt a few of the questions or multiple choice
answers were unclearly or ambiguously phrased. I did think some of the answers
were more about categorising vulnerabilities by type, e.g. broken
authentication, or more about vulnerabilities than about how to mitigate them.</p>
<p class="MsoNormal">If you didn't pass, you can click Review
Exam to see where you went wrong, which is helpful. I only had to retake one to
pass (because of the No answer above when I had answered Yes!), but didn't
bother to retake a few others where I'd passed with less than 100%.</p>
<p class="MsoNormal">I discovered that I actually knew more than
I thought I did, so the courses didn't actually help me with Shred (although
the support staff tips did). But I still learned some useful things that I
didn't already know, and I strongly recommend that those without the necessary foundation
should take these courses before trying the ranges.</p><h3 style="text-align: left;">Final thoughts</h3>
<p class="MsoNormal">Overall, I would recommend the Cmd+Ctrl
ranges as an excellent way for developers and security staff to learn about
online application vulnerabilities, subject to taking the courses first for those
without the prior knowledge. They really are aimed at developers/programmers,
so most lawyers may struggle, even tech lawyers. I do think it's helpful for
lawyers to have a basic knowledge of the common vulnerabilities and how they
are exploited and mitigated when discussing cybersecurity measures and breaches
with clients that have suffered incidents, but you probably don't need to
tackle the courses or ranges to gain that knowledge.</p>
<p class="MsoNormal">Thanks very much again to <a href="https://www.securityinnovation.com/">SecurityInnovation</a> for making Shred and the courses available for the OWASP London CTF
2021 event!</p><p class="MsoNormal">(I wrote this back in Dec 2021 but for various reasons couldn't publish it till now.)</p>Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-33884609986487969922021-12-06T21:15:00.001+00:002021-12-06T21:15:44.655+00:00Covid-19 tool: risks in different situations<p>This interesting and useful interactive graphic tool brings to life, visually, different levels of Covid19 risks arising with varying:<div><ul style="text-align: left;"><li>transmission routes</li><li>activities, e.g. singing vs. talking vs. loud talking</li><li>room size / outdoor location</li><li>distance from infected person</li><li>ventilation</li><li>physical contact</li><li>surface type</li><li>protections used by infected & uninfected people: mask and type, visor, perspex screen; and also the impact on infection risks of respiratory hygiene, surface cleaning, hand hygiene & gloves.</li></ul></p>
<p>I've posted about this on LinkedIn but as the authors kindly provided the embed code, I'm posting the tool here too.</p>
<div style="height: 0px; overflow: hidden; padding-bottom: 105%; position: relative; text-align: center;"><iframe scrolling="no" src="https://sandpit.bmj.com/graphics/2021/transEmbed/index.html" style="border: none; height: 105%; left: 0; margin: 0px; max-width: 750px; position: absolute; top: 0; width: 100%;">This infographic will display on browsers that support iframes.</iframe></div></div></div>
Sources: <a href="https://www.gov.uk/government/news/dstl-supports-new-covid-19-decision-making-tool">press release</a>, <a href="https://bmjopen.bmj.com/content/11/12/e050869">BMJ article</a> and the <a href="https://www.bmj.com/content/375/bmj-2021-065312">tool</a> itselfKuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-31637197892277122472021-06-28T09:00:00.030+01:002021-06-28T10:31:05.591+01:00Bias – AI vs. name fields in databases / formsAI discrimination, due to past biases built into training data, is touted as a massive problem, notably when it reflects bias based on racial or ethnic origin. This is Art.9 special category data, as all GDPR practitioners know. A <a href="https://www.newstatesman.com/politics/uk/2018/01/higher-insurance-if-you-re-called-mohammed-s-just-start-institutionalised">famous example</a> is car insurance quotes being about £900 higher for people named Mohammed, compared with quotes for those named John, even when the other details were identical (although it's unclear whether any artificial intelligence was involved there).<div><br /><h3>What's in a name?</h3><div><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal">However, there's an even <b><i>more</i></b> <b><i>basic</i></b> concern about names. This arises, not from emerging technologies like machine learning, but just from everyday life progressively going digital and online, no doubt accelerated by the Covid-19 pandemic.<o:p></o:p></p><p class="MsoNormal">People and, crucially, the organisations they have to interact with, must increasingly rely on electronic records or digital databases to store personal data and other information.<o:p></o:p></p><p class="MsoNormal">More and more, we are forced to fill in online (or other electronic) registration forms to obtain services or goods. 
Those form fields are often completed by someone <b><i>other</i></b> than the individual seeking to obtain services or goods, e.g. an organisation's staff member may input details of new clients or customers.<o:p></o:p></p><p class="MsoNormal">People, and those organisations, rely on these records and databases to be accurate especially as, more and more, online transactions rely on correct identification and authentication. Art.5(1)(c), to drop in another GDPR provision.<o:p></o:p></p><p class="MsoNormal">However, too many electronic forms for the input of people's data are coded based on unconscious biases: namely, that people's names are <b><i>always</i></b> Western in format, typically Anglo-Saxon, with a single one-word first name and single one-word surname, and maybe sometimes a one-word middle name.<o:p></o:p></p><p class="MsoNormal">This isn't a new problem. A <a href="https://www.w3.org/International/questions/qa-personal-names">W3C document</a> from a <b><i>decade</i></b> ago, 2011, urged an internationalised approach to names when designing forms, databases, ontologies, etc. for the Web – but, I'd now say, a global approach must be taken much more generally, towards the design of <b><i>all</i></b> databases and forms - not just those used "for the Web".<o:p></o:p></p><p class="MsoNormal">It's not simply a technical issue of "forms validation" (where an electronic system refuses to accept the name you're trying to enter, the computer says No, even though it actually <b><i>is</i></b> your real name!). It's an organisational issue: database/forms design, staff awareness and training are vital too. All staff must be conscious of this issue when taking down and entering customers' names into systems.<o:p></o:p></p><h3>What triggered this blog?</h3><p class="MsoNormal">I have a Chinese first name. <b><i>I don't have a middle name</i></b>. I have a <b><i>two-word</i></b> <b><i>first</i></b> name, "Wai Kuan". 
I go by "Kuan" for ease, as that's the short form of my first name – it's like going by "Liz", when your name is "Elizabeth". Also, going by "Wai Kuan" risks "witty" quips like "Why not Kuan?", so I don't!</p><p class="MsoNormal">Some organisations have entered my "first name" on their systems as "Wai", others as "Kuan". All this <b><i>without asking me how</i></b> my "first name" should appear on their systems, or on my payment cards, etc etc – although, to be fair, I think one bank did actually ask me once. (And btw, with Chinese names the "first" name is the surname, the personal name usually appears <b><i>second</i></b>, not first – but I've just given up and anglicised the order of my real name for ease.) If someone's name was Philip, would you automatically enter his first name on your system as "lip" without asking him, or query his identity if one source said he was "Phil" and another source said he was "Philip"? I don't think so.<o:p></o:p></p><p class="MsoNormal">I spend far too much of my life trying to sort out problems arising from organisational mismatches in my name, or mis-spellings of my name. Recently, I received a rejection because one organisation's receipt had my first name down as "Wai", whereas the other had noted my name as "Kuan". You might think an explanation of the reason for the rejection would have been merited but, no, the standard message they sent me just implied that I hadn't filled in all the (<b><i>other</i></b>) details correctly – whereas in fact the problem was due to the first name mismatch, even though my surname was clearly the same! I had to waste my time, and theirs, calling to find out the real reason, i.e. the "first name" mismatch.<o:p></o:p></p><p class="MsoNormal">Now, if one organisation had put my name down as Liz and the other as Beth, do you think they'd have automatically rejected my request - or let it go through? 
Or do you think they might have, at least, sent me a message properly explaining that it was the first name discrepancy that was of concern? If that isn't indirect ethnic discrimination, I don't know what is. I keep, continually, having to ask for receipts to be issued just to "W K", yet some organisations still get it wrong, or are huffy when I ask them to reissue their receipts, or both.<o:p></o:p></p><h3>First name, middle name, surname, hyphens, apostrophes...</h3><p class="MsoNormal">Even people of Western origin can be affected by this problem, particularly those from Southern USA. The actor <a href="https://en.wikipedia.org/wiki/Billy_Bob_Thornton">Billy Bob Thornton</a> has a two-word first name. His first name is "Billy Bob". It's not "Billy", and "Bob" is not his middle name. Same with actor John David Washington, <a href="https://www.esquire.com/entertainment/movies/a35421403/john-david-washington-malcolm-marie-netflix-interview/">whose first name is "John David"</a>. As female examples, there's tennis player <a href="https://en.wikipedia.org/wiki/Billie_Jean_King">Billie Jean King</a>, and singer <a href="https://www.sarahjanemorris.co.uk/sweet-little-mystery-project">Sarah Jane Morris</a>. I've also seen two-word first names with no space or hyphen in between, just a capitalisation of the second name, like MaryAnn. Other people may have more than one <b><i>middle</i></b> name.<o:p></o:p></p><p class="MsoNormal">So, please don't always assume the first word is a "first name" and the second word is a "<b><i>middle</i></b> name"! (yes, I get "Kuan" entered as my middle name, even though I constantly stress that I have a two-word first name). I also know English people with double-barrelled surnames. Some with hyphens, some without. Name fields must also allow two-word surnames! (and hyphens in first names, as some people have hyphenated first names - e.g. actor <a href="https://en.wikipedia.org/wiki/Mary-Louise_Parker">Mary-Louise Parker</a>). 
Allowing apostrophes in names would also help people of e.g. Irish descent, and yes please preserve the way people capitalise their names and don’t "auto correct" to perdition. If someone spells their name without a hyphen, please train staff not to hyphenate it when entering it on your systems. I don't know how many times I've had to say it's not "Wai-kuan" or even "Wai-Kuan", when someone has unthinkingly added the hyphen without my actually using the word "hyphen", and always without asking me. If I spell it as "space", that means there's a space between the two words, <b><i>not</i></b> a "hyphen" – there's a difference between a space and a hyphen, you know! (At least no one has ever tried to call me "Wai Space Kuan" - yet.)<o:p></o:p></p><h3>Minimum and maximum lengths for name fields</h3><p align="left" class="MsoNormal">Finally, don't assume that names must always have a certain minimum or maximum length. It's tough enough for me, having a 3-letter surname (on spelling my surname out over the phone, I once got asked, "Is that all?!"). Take pity on people like politician <a href="https://en.wikipedia.org/wiki/C%C3%A9dric_O">Cédric O</a>, and actors <a href="https://en.wikipedia.org/wiki/Maggie_Q">Maggie Q</a> and <a href="https://en.wikipedia.org/wiki/Jet_Li">Jet Li</a>. Or <a href="https://www.bangkokpost.com/life/social-and-lifestyle/1568990/whats-in-a-thai-name-">Thanita Phuvanatnaranubala or Bhadajarabhakinai Dhanarpitivongsavadhadhana (from Thailand)</a>, and Dr Tedros Adhanom Ghebreyesus (<a href="https://www.who.int/director-general/biography">WHO's current Director-General</a>). A well known data protection-related website, that I won't name, rejects attempts to register for its events if you enter a single letter in either first name or surname - that's not considered valid, so pity Mr O if he tries <a name="OpenAt"></a>to attend one of their events! 
(At least they accept 2 letters so Mr Li will be just fine, luckily for him.)<o:p></o:p></p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOQlngD2N_9oJfMOb3IbdYgkjl1ZhwoOGQi3YwyFahrQsvtyGcPGercC3il_jawp0uMFS7Ws9IA3Csi9vtOHZso-WEwJq3S3oZ5q-RejSqCQcM09zmC1R8Kr8DnQltH5zj_iOvirkvPXI/s602/namefield-redacted.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="368" data-original-width="602" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4eg1e84q-7bOaW_XnpQP6mu-MmHX-sZTwpTCpbeI3e7EZAMuddd322DgmQrbTHtjbG9XZ0k96_o74n2dptor_wOsmsDnbWqXNrDBCLxuLzdoXBRgrobv4vaW9v-gLifg4m4klczbwXTs/w640-h392/namefield-redacted.png" width="640" /></a><br /><h3><br /></h3><h3>"The computer says no"</h3><p align="left" class="MsoNormal">There also seems to be a mentality of "the computer is always right", "what's on the system is always right", which completely ignores the possibility that the staff member who first input someone's details onto the system might have misheard or misspelled the name, unilaterally added a hyphen for no reason, etc. etc. etc. I won't give details of the hoops organisations have made me jump through to get them to correct my name on their systems.</p><p align="left" class="MsoNormal">Again, they always assume that the staff member who first entered my name must always be correct, more correct than the person whose name it actually is! Even when they first got my name from a third party source, and not from me. Or even when their staff made errors when inputting it, although my name was perfectly correct on the paper form I had sent in. 
(I'll mention just one hoop – sometimes I have had to make them go check against the name on the paper form, or the name my bank has recorded for me, before they're willing to correct my name on their systems.)<o:p></o:p></p><h3>GDPR to the rescue?</h3><p align="left" class="MsoNormal">I've had to resort to sending DSARs, more specifically <a href="https://www.gdprinfo.info/#a16">Art.16</a> data subject rectification requests, to the data protection contact details set out in privacy notices, in order to get organisations to correct my name on their systems. Often, that's after repeated fruitless calls to customer "service" "help" lines - who haven't been of much service, or any help. I don't want to waste the time of DPOs or privacy teams, who I feel have much better things to do with their limited time and resources, but I haven't had any other choice. Thank goodness for GDPR!<o:p></o:p></p><p align="left" class="MsoNormal">Obviously, there is an <a href="https://www.gdprinfo.info/#a5.1.d">Art.5(1)(d)</a> accuracy issue in relation to wrongly-input names. There's also an issue regarding <a href="https://www.gdprinfo.info/#a25">Art.25</a> data protection by design and by default, particularly in relation to database and web form fields, as controllers are supposed to take account of "risks of varying likelihood and severity for rights and freedoms of natural persons" - not just data protection rights, but also the right not to be discriminated against or "singled out" based on racial or ethnic reasons. And a broader <a href="https://www.gdprinfo.info/#a5.2">Art.5(2)</a> and <a href="https://www.gdprinfo.info/#a24">Art.24</a> accountability issue, including in relation to staff training. 
(It could involve <a href="https://www.gdprinfo.info/#a22">Art.22</a> automated decision-making too, if someone can't access certain services, online or otherwise, because their name is "too short" or "too long" for the system (as designed) to accept it, or it "doesn't match the system" because staff entered their name wrongly!)</p><h3>What to do?</h3><p align="left" class="MsoNormal">The <a href="https://www.w3.org/International/questions/qa-personal-names">W3C document</a> says it all – in real life, ethnic or racial discrimination doesn't arise only from AI bias. I wish all organisations would read that document, train staff on those issues, and apply its guidance fully when designing name fields for databases and web forms, <b><i>and</i></b> when their staff enter data into name fields. That's the only solution.</p><p align="left" class="MsoNormal">Otherwise, we'll risk facing a very Kafkaesque future, where what services or goods we can obtain, and with what degree of difficulty, will depend entirely on how organisations (often wrongly) first decided to enter our names on their systems.</p><p align="left" class="MsoNormal">From my experiences, we're already halfway there. Although my name is correctly spelled within the email address from which I send emails to organisations, or indeed is correct on organisational systems, I still keep receiving email replies or other correspondence addressed to me with a Q or a Kw, etc. I'm often called "Kuon". Even "Juan", although I'm not actually of Spanish origin – my photo might provide a bit of a clue about that.</p><p class="MsoNormal"><o:p></o:p></p><p>I also feel sorry for <a href="https://www.bbc.com/future/article/20160325-the-names-that-break-computer-systems">people with names like "Null"</a>, given that we no longer have any choice about the computerisation of our names. 
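To make the W3C advice above concrete, here is an added example of a name-field validator and a record-comparison helper, written for this page rather than taken from the post or from the W3C document. The regular expressions, the 200 code point storage cap, the function names validateName and explainMismatch and the sample names are my own assumptions; the samples are constructed from the cases discussed above (two-word first names, hyphens, apostrophes, single-letter names, "Null"). The point is that a form can be permissive about letters, spaces and punctuation that real names use while still refusing syntax characters, and that a mismatch between two organisations' records should be reported as exactly that.

```javascript
// Added example, not code from the blog post. It shows a name-field validator
// and a record-comparison helper that follow the W3C "Personal names around the
// world" advice the post links to; the regexes and limits are my assumptions.

// A typical over-restrictive rule, constructed here for contrast: ASCII letters
// only, 2 to 30 characters, no spaces, hyphens or apostrophes. It rejects
// "Wai Kuan", "Mary-Louise", "Cédric", "O" and "O'Brien".
const RESTRICTIVE_NAME = /^[A-Za-z]{2,30}$/;

// Permissive rule: must start with a letter; thereafter any Unicode letter or
// combining mark plus the separators real names use (space, hyphen, ASCII or
// typographic apostrophe, full stop). One character is a valid name. The only
// cap is a generous storage limit (assumed: 200 code points). Syntax characters
// such as < > ; ( ) are still rejected, but protection against injection
// belongs to parameterised queries and output encoding, not to this check.
const MAX_NAME_CODEPOINTS = 200;
const PERMISSIVE_NAME = /^\p{L}[\p{L}\p{M}\s'’.-]*$/u;

// Validate one name field. Returns { ok: true, value } with the value trimmed and
// internal runs of whitespace collapsed, or { ok: false, reason }.
// Capitalisation and hyphenation are preserved exactly as entered: "Wai Kuan"
// is never turned into "Wai-Kuan", and "MaryAnn" is never "corrected".
function validateName(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  const value = input.trim().replace(/\s+/g, ' ');
  if (value.length === 0) return { ok: false, reason: 'empty' };
  if ([...value].length > MAX_NAME_CODEPOINTS) return { ok: false, reason: 'too long' };
  if (!PERMISSIVE_NAME.test(value)) return { ok: false, reason: 'unexpected characters' };
  return { ok: true, value };
}

// Compare two records of the same person held by two organisations and report
// exactly which field differs, so the person gets "first name mismatch" rather
// than a generic "details incorrect" message. Comparison is case-sensitive by
// design: the stored spelling is the person's own, not the system's.
function explainMismatch(recordA, recordB) {
  const fields = ['firstName', 'surname'];
  const mismatches = fields
    .filter((f) => recordA[f] !== recordB[f])
    .map((f) => `${f}: "${recordA[f]}" vs "${recordB[f]}"`);
  if (mismatches.length === 0) return { match: true, message: 'records match' };
  return { match: false, message: `mismatch in ${mismatches.join('; ')}` };
}

// Constructed sample input modelled on the post's examples, plus one string of
// SQL-looking text to show that syntax characters are still refused.
const SAMPLES = ['Wai Kuan', 'Mary-Louise', 'Cédric', 'O', "O'Brien", 'MaryAnn', 'Null', 'Robert; DROP TABLE'];

// Run both rules over the samples; each row shows what the restrictive rule
// would reject that the permissive rule accepts.
function runSamples() {
  return SAMPLES.map((name) => ({
    name,
    restrictive: RESTRICTIVE_NAME.test(name),
    permissive: validateName(name).ok,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runSamples());
  console.log(explainMismatch({ firstName: 'Wai', surname: 'Kim' }, { firstName: 'Kuan', surname: 'Kim' }).message);
}
```

Run with node and the table shows every sample except the injection-style string passing the permissive rule, while the restrictive rule fails five of the seven real names. The surname "Kim" in the demonstration call is constructed, not the author's.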
But, that's a different problem…</p></div></div>Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-37429784811432042582021-05-11T11:00:00.089+01:002021-05-11T11:00:00.186+01:00Make EDPB webpages readable again - howtoThe recent <a href="https://edpb.europa.eu/">EDPB website</a> redesign kills usability and ergonomics for those with widescreen monitor. Maybe they were trying to make the site user-friendly for mobiles/tablets, but the result is that it's user-<i><b>un</b></i>friendly for desktop PCs/laptops.<div><br /></div><div>Viewed on a computer with widescreen monitor, the left sidebar or margin's <a href="https://en.wikipedia.org/wiki/Dead_Parrot_sketch">passed on, it's no more, it has ceased to be... it's an ex-margin</a>! (hi <a href="https://en.wikipedia.org/wiki/Monty_Python">Monty Python</a> fans).</div><div><br /></div><div>This means that the main webpage text is <b><i>no longer centered</i></b> onscreen.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheSOTOvoS6CDjzjY8zAMfMz4V4kYwPrJ0t6XYbW-3XGSXA1ggWN9dUPBLjnTvp0qnNNsURZazE2m9PwBSGBViWzGqVMJbrhR1eJUeqax6XtTy4O_XaSPhj1GZKjbveMpPz-yHuuCnjzn8/s1917/edpb-noleftmargin.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="838" data-original-width="1917" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheSOTOvoS6CDjzjY8zAMfMz4V4kYwPrJ0t6XYbW-3XGSXA1ggWN9dUPBLjnTvp0qnNNsURZazE2m9PwBSGBViWzGqVMJbrhR1eJUeqax6XtTy4O_XaSPhj1GZKjbveMpPz-yHuuCnjzn8/w640-h280/edpb-noleftmargin.png" width="640" /></a></div><br /><div>Cue neckache or crick from having to twist or turn the head too far to the left (and hold it there) just to read the main webpage text! 
What to say, that's certainly one way to deter desktop/laptop website users.</div><div><br /></div><div>This seems to be an EDPB website matter, as the general Europa website is still fine. But it can be a pain in the neck for EDPB website visitors, literally!</div><div><br /></div><div>To center EDPB webpages on your widescreen monitor again and save your neck, three options to try:</div><div><br /><div>1. Un-maximise ("restore") your browser window, move the window (or drag the left edge) to the right till the main text is centered onscreen, and read EDPB webpages only from the restored window. </div><div><br /></div><div>2. Use the <a href="https://alexschreyer.net/web-programming/liquid-page-a-bookmarklet-to-rearrange-webpages/">Liquid Page bookmarklet</a> (instructions are on that webpage), if you prefer to keep your browser window maximised. Then, you can drag the "Latest news" column on the right (and beige box behind it, and the flag thing) even further to the right, out of the way. Then drag the main text column to the right, and scroll down as usual. (Links won't work till you refresh the page, but you can rightclick the link and open in new tab). More troublesome maybe than 1., but I do like outside the box creative solutions - have fun dragging stuff around!</div></div><br /><div>3. Simplest solution (tested in Chrome and Edge on a Windows 10 PC) - use my bookmarklet or favelet: <a href="javascript:(function(){document.body.style.marginLeft = '500px';})();">/Fix EDPB</a>. Instructions: ensure your browser bookmarks or favourites toolbar is visible, drag that link to the toolbar e.g. between other bookmarks then, when you're on a no-margin EDPB webpage, just click that bookmark. 
Or, if you prefer, follow the <a href="https://blog.kuan0.com/2020/08/chrome-highlights-text-on-webpages-how.html">bookmarklet creation instructions</a> under Solutions but, in step 4, name the bookmark whatever name you wish and, in step 6, instead of pasting the code shown there, paste the following code:<a></a></div><div>javascript:(function(){document.body.style.marginLeft = "500px";})();</div><div>All fixed, main text is centered on screen! This also narrows the text column so it's easier to read scrolling down.</div><div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqZOOJDtvNk-lH_Cjvxgna6sWpxHnmSNyqiwNawQMqVxaW63OioiVyFjw5NinDQP-wOd8sMBiC2TeziYESbOMnbFjhWHt6HlSheY5uskF4Ag9nCq4lctj-6JmKapZ8CKXcESGmGwjRO1A/s1911/edpb-fixed.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="828" data-original-width="1911" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqZOOJDtvNk-lH_Cjvxgna6sWpxHnmSNyqiwNawQMqVxaW63OioiVyFjw5NinDQP-wOd8sMBiC2TeziYESbOMnbFjhWHt6HlSheY5uskF4Ag9nCq4lctj-6JmKapZ8CKXcESGmGwjRO1A/w640-h278/edpb-fixed.png" width="640" /></a></div></div><div><ul style="text-align: left;"><li><u>Keyboard shortcut fans</u>: hotkeys to run this in Chrome are Alt-e, b, then type the 1st letter of the bookmarklet name (I made that the / symbol here so as not to clash with other bookmarklets, but feel free to edit the bookmarklet's name yourself), then Enter if necessary.</li><li><u>Per webpage only</u>: if you navigate to another EDPB webpage, you'll need to click the bookmarklet or use the hotkey <i><b>again</b></i>. It's a per page rather than permanent fix, as it adds a margin to the current page after it's been downloaded to your browser. Unfortunately it can't modify the original pages on the EDPB website, only the EDPB can do that.</li><li><u>Margin width</u>:- a 500 pixel left margin works for me. 
If it's too narrow/wide for you, rightclick the bookmarklet in the toolbar, Edit, under URL just change 500 to 400 or 600 as you wish (but obviously don't change the rest of the code) and Save. </li></ul></div><div>My neck feels better already! (and this works on <a href="https://www.bailii.org/">BAILII</a> too, BTW).</div><div><br /></div><div>I hope this helps other EDPB website visitors too.</div>Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-23643942401820419322021-04-10T16:25:00.010+01:002021-04-10T16:34:56.059+01:00Security / identity theft risks - reporting Covid-19 home test results<p class="MsoNormal">It's laudable that free Covid19 lateral flow home test kits
<a href="https://www.gov.uk/government/news/new-campaign-urges-public-to-get-tested-twice-a-week">became</a> available in England yesterday, e.g. from pharmacies.<o:p></o:p></p>
<p class="MsoNormal">You're meant to <a href="https://www.gov.uk/report-covid19-result">report results</a> even if negative (though that could be made clearer), by phone/online. But - then
you get an email from <a href="https://www.notifications.service.gov.uk/">Gov.uk Notify</a> with your result, advocating continued social distancing etc -
with your name, date of birth and NHS number, right at the top of the email! Full marks for promptness, but - for security/privacy...?<o:p></o:p></p>
<p class="MsoNormal">As is well known, email is <b><i>insecure</i></b>. If your email or the
NHS's gets hacked, or intercepted, or shoulder surfed, bad guys can use your
name, DoB and NHS no. for fraud and/or identity theft. I guard my DoB
jealously, not just because some women don't like revealing their age (yes, I
<i>am</i> over 30!), but because of this risk of crime. I only ever give my real DoB
to government, health and financial organisations (perturbation anyone? 😁).<o:p></o:p></p>
<p class="MsoNormal">Too many organisations use just name and DoB to identify
customers who contact them, sometimes combined with address/postcode, which
usually aren't difficult for criminals to discover. (Recall that in Germany,
for using just name and DoB for authentication, 1&1 got <a href="https://edpb.europa.eu/news/national-news/2019/bfdi-imposes-fines-telecommunications-service-providers_en">fined</a>
€9.55m, <a href="https://www.lg-bonn.nrw.de/behoerde/presse/zt_archiv_060/Archiv-2020/Pressemitteilung27-2020-vom-11_11_2020-Bussgeld-gegen-Telekommunikationsd___.pdf">reduced</a>
by the court to €0.9m – which is still substantial.)<o:p></o:p></p>
<p class="MsoNormal">I'm OK with the UK <a href="https://www.gov.uk/government/organisations/department-of-health-and-social-care">DHSC</a> requesting my DoB and NHS number (as long
as they store it securely and share it securely and only on a need to know basis).
But, I <b><i>already</i></b> know my own DoB and NHS no., wouldja believe it, and, with this type
of home test kit, I do actually already know my result! There's absolutely <b><i>no</i></b> need to email
<b><i>any</i></b> of that info to me.</p><p class="MsoNormal">Even if they'd adapted a previous standard form of email
designed to go to people who didn't already know their results, again there's
<b><i>no</i></b> need to include DoB or NHS number. (It's not just the DHSC - other organisations are guilty of emailing
people with their DoB too, including an optician I was unfortunate enough to
try using.)<o:p></o:p></p>
<p class="MsoNormal">I suspect that if I didn't give my DoB/NHS no. they wouldn't take
my report, or if I asked for that info <b><i>not</i></b> to be automatically included in
their followup email, they'd reply "The computer says no, the system
hasn't been designed that way, we can't tell it to omit that info!"<o:p></o:p></p>
<p class="MsoNormal">Let's count the <a href="https://www.legislation.gov.uk/ukpga/2018/12/contents">UK GDPR</a> issues here:</p><p class="MsoNormal"></p><ul style="text-align: left;"><li><a href="https://gdpr.kuan0.com/#a5">Art.5</a>(1)(f) integrity and confidentiality, and the related <a href="https://gdpr.kuan0.com#a32">Art.32</a> security.</li><li><a href="https://gdpr.kuan0.com/#a5">Art.5</a>(1)(c) data minimisation, most definitely. </li><li>(Not to forget <a href="https://gdpr.kuan0.com/#a25">Art.25</a> data protection by design & by default of
course. And <a href="https://gdpr.kuan0.com/#a35">Art.35</a> on data protection impact assessments aka DPIAs.) </li></ul>Also, the <a href="https://www.legislation.gov.uk/uksi/2018/506">UK NIS Regulations</a>
under the <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L1148">EU NIS Directive</a> require operators of essential services or OESs (critical
infrastructure, including the healthcare sector) to take appropriate and proportionate
technical and organisational measures to manage risks to the security of their
network and information systems. (Ironically, the DHSC doesn't seem to be caught under
those Regs, although <a href="https://www.nhs.uk/">NHS</a> Trusts are.)<o:p></o:p><p></p>
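The data minimisation and privacy-by-design points above can be turned into a check that runs before any template goes live. The following is an added example written for this page, not the DHSC's or Gov.uk Notify's code: a risky template of the kind the post describes beside a minimised one, and a guard that lists which identifiers a template echoes back. The record shape, the field names, the reference format and every sample value (name, date of birth, NHS number) are constructed for illustration.

```javascript
// Added example (not from the post): a result-notification template that
// applies data minimisation, with a guard that can run as a unit test to make
// sure the template never echoes identifiers the recipient already knows.
// Field names and the record shape are assumed for illustration.

// Constructed sample report record, as a reporting service might hold it.
const sampleReport = {
  fullName: 'Jane Example',        // constructed
  dateOfBirth: '1980-01-01',       // constructed
  nhsNumber: '999 999 9999',       // constructed placeholder, not a real NHS number
  email: 'jane@example.invalid',   // constructed
  result: 'negative',
  reportedAt: '2021-04-10T10:00:00Z',
};

// Risky template, as the post describes: name, DoB and NHS number at the top,
// all sent over email to a person who already knows every one of them.
function riskyEmailBody(r) {
  return [
    `Name: ${r.fullName}`,
    `Date of birth: ${r.dateOfBirth}`,
    `NHS number: ${r.nhsNumber}`,
    `Your test result: ${r.result}`,
    'Please continue to follow social distancing guidance.',
  ].join('\n');
}

// Minimised template: the reporter knows who they are and, with a home kit,
// what the result was, so the email only confirms receipt and gives guidance.
// A short reference that is not derived from any identifier lets the person
// quote something on the phone without reading out DoB or NHS number.
function minimisedEmailBody(r, reference) {
  return [
    `Thank you. Your test report submitted at ${r.reportedAt} has been recorded (ref ${reference}).`,
    'Please continue to follow social distancing guidance.',
    'If you did not submit a report, contact the service using the number on the reporting page.',
  ].join('\n');
}

// Guard: returns the identifier fields found in the body. The NHS number is
// compared digits-only so that "999 999 9999" and "9999999999" both count.
function leakedIdentifiers(body, r) {
  const digits = (s) => s.replace(/\D/g, '');
  const checks = {
    fullName: body.includes(r.fullName),
    dateOfBirth: body.includes(r.dateOfBirth),
    nhsNumber: digits(body).includes(digits(r.nhsNumber)),
  };
  return Object.keys(checks).filter((k) => checks[k]);
}

// Compare both templates against the same record.
function compareTemplates(r) {
  return {
    risky: leakedIdentifiers(riskyEmailBody(r), r),
    minimised: leakedIdentifiers(minimisedEmailBody(r, 'R7Q2-K9'), r), // reference constructed
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareTemplates(sampleReport));
}
```

The guard is deliberately crude (substring and digit matching) so that it errs on the side of flagging; a template that trips it should be changed rather than the check loosened.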
<p class="MsoNormal">The worst consequence of the DHSC's approach is that it might cause privacy/security-conscious people (like data protection professionals!) to decide <b><i>not</i></b> to report their test results (at least if negative) while it's not
legally-required, in order to avoid the risk of fraud and identity theft. Meaning
that the NHS may not receive fully comprehensive data...<o:p></o:p></p>
<p class="MsoNormal">Because, in connection with Covid-19, it handles sensitive, special category data like health
data, the DHSC might be expected to be more careful about security and privacy than most. Our NHS heroes of course deserve our greatest respect and gratitude. But real security and privacy risks to individuals can be created
unless everything is thought through carefully when conducting the DPIA (I hope
there <b><i>was</i></b> one?) - even supposedly minor process issues like the content of
standard followup emails after home test reports.</p><p class="MsoNormal">I've emailed the
DHSC's data protection officer (at the email address in the <a href="https://www.gov.uk/government/publications/coronavirus-covid-19-testing-privacy-information/testing-for-coronavirus-privacy-information--2 ">privacy notice</a> linked to from the test results reporting webpage), and I really hope the DHSC will change this risky
practice ASAP.</p>Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-84348874051204801212021-04-01T11:43:00.001+01:002021-04-01T11:43:18.262+01:00BEST cookie consent tool ever!Try the<a href="https://blog.kuan0.com/p/cookie-consent.html"> best ever cookie consent tool here</a> - you'll never need anything else! Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-66289741182371390352021-02-11T20:42:00.002+00:002021-02-11T20:42:53.485+00:00Digital Services Act infographic summary<p>Here's my infographic summarising the key liability and due diligence rules under the EU Digital Services Act, proposed in December 2020.</p>
<iframe height="480" src="https://drive.google.com/file/d/1OMMgrZlO5GticFxJjacXZIZy1apG9_EO/preview" width="640"></iframe>Kuanhttp://www.blogger.com/profile/00041429221345800464noreply@blogger.comtag:blogger.com,1999:blog-1955794330678593771.post-23756123007565045802020-08-23T10:30:00.002+01:002020-09-18T17:36:13.852+01:00Chrome highlights text on webpages: how to disable<p>This blog explains how to stop Chrome's highlighting of text on some webpages you visit after clicking on Google search results snippets. </p><p>The problem: Chrome now scrolls directly to the highlighted text ("text fragments", meant to reflect your search terms) on the webpage in question. It also mangles the URL in the browser so that the web address has, appended to it:<br />#:~:text=whateverTextFragmentIsToBeHighlightedWhichCanBeVeryLong</p><p>For anyone who's managed to escape this new feature, <a href="http://blog.kuan0.com/2020/07/schrems-ii-data-localization-encryption.html#:~:text=But%20-%20are%20you%20sure%20data%20insularization%20(yes%20I%20made%20that%20up)%20is%20a%20good%20thing?">here's a direct example</a>. (Apparently it also does this in Apple's Safari.) Not everyone wants that behaviour in their browser and can even find it annoying and unhelpful. This new <a href="https://chromestatus.com/feature/4733392803332096">Chrome feature</a> was <a href="https://searchengineland.com/google-launches-featured-snippet-to-web-page-content-highlight-feature-335511">introduced</a> by Google in early June 2020. 
<a href="https://support.google.com/webmasters/answer/6229325">Websites can opt out</a>, but it's much more difficult for Chrome end users to disable it.</p><p>To prevent this happening via <a href="https://www.reddit.com/r/chrome/comments/gyz09c/guide_disable_chrome_automatically_highlighting/">Chrome flags</a> is <a href="https://support.google.com/chrome/thread/52117247?hl=en&msgid=62697315">no longer</a> <a href="https://www.reddit.com/r/chrome/comments/hz1mds/how_do_you_disable_search_text_highlighting_text/">possible</a>. Most people may not be able (or want) to <a href="https://www.reddit.com/r/chrome/comments/hucpkh/can_scroll_to_text_fragment_be_disabled/">set</a> <a href="https://www.reddit.com/r/chrome/comments/gyz09c/guide_disable_chrome_automatically_highlighting/fte3hxp/">enterprise policies</a> or <a href="https://support.google.com/chrome/a/answer/9131254?hl=en">mess with</a> <a href="https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ScrollToTextFragmentEnabled">their registry</a> (which even stopped Chrome working <a href="https://www.reddit.com/r/chrome/comments/hucpkh/can_scroll_to_text_fragment_be_disabled/#CommentTopMeta--Created--t1_fypo71q">for one person</a>), or <a href="https://www.reddit.com/r/chrome/comments/gyz09c/guide_disable_chrome_automatically_highlighting/fte3hxp/">install the Redirector</a> extension with more fiddling.</p><p>So, here's my own relatively easy fix, which you can use to change the webpage back to what it should be, rather than preventing or getting rid of the new feature. 
My solution to this issue:</p><ul style="text-align: left;"><li>"Reverts" you to the webpage you were trying to view, <u>without</u> highlighting the text fragment or scrolling to it.</li><li>Cleans up the URL in the address bar too, removing the # and all the stuff after it.</li><li>(Optional - even copies the "clean" URL to your clipboard for easy sharing.)</li></ul><div>It involves setting up a new bookmarklet or favelet with some JavaScript, that you can just click (or use a hotkey to access), to sort out the issue quickly. If that description fazes non-coders, not to worry, here's a very simple step by step:</div><h1 style="text-align: left;">Solution to remove unwanted text highlighting</h1><div><ol style="text-align: left;"><li>Make your bookmarks bar visible in Chrome if it's not already (click top right up arrow > Bookmarks > Show Bookmarks, or press Ctrl-Shift-b).</li><li><a href="https://support.google.com/chrome/answer/188842?hl=en">Bookmark</a> any webpage you like (e.g. Ctrl-d and Enter), but drag it so it's visible in the bar.</li><li>Right-click the new bookmark in the bar, select Edit.</li><li>In the <u>Name box</u>, change it to e.g. 
Cleanup, or even just 1 (I'll explain the latter later), ideally starting with a letter which your existing bookmarks don't start with.</li><li>In the <u>URL box</u>, clear what's there, and copy and paste the following text in there instead, exactly as is (don't add spaces etc.), then click Save:<br />javascript:var url=window.location.href; var cleanurl=url.split('#')[0]; window.location.replace(cleanurl); </li><li>In future, if you find yourself on a webpage with highlighted text fragments and the long URL after clicking on Google search results, to clean it up just:</li><ol><li>Click that new bookmark in the bookmarks bar, or</li><li>(For those who like keyboard shortcuts) Press Alt-e then b then 1 (or whatever was the first letter of the new bookmark's name) then, if necessary, Enter - which has the same effect as clicking it.</li></ol><li>Optional: if you also want to be able to <u>copy the clean URL automatically to your clipboard</u> for pasting into an email etc. then, in step 5 above, <u>instead of</u> pasting what was shown there just paste the following exactly as is:<br />javascript:var url=window.location.href; var cleanurl=url.split('#')[0]; var input=document.body.appendChild(document.createElement("input")); input.value=cleanurl; input.focus(); input.select(); document.execCommand('copy'); input.parentNode.removeChild(input); window.location.replace(cleanurl); </li></ol>I hope that's helpful.</div>
Kuan (http://www.blogger.com/profile/00041429221345800464, noreply@blogger.com)
tag:blogger.com,1999:blog-1955794330678593771.post-7462872329208520284 (published 2020-08-17T13:44:00.010+01:00, updated 2020-10-10T17:58:28.675+01:00)
Schrems II additional safeguards: confidential computing
<p>The highest EU court (CJEU) in the <a href="http://curia.europa.eu/juris/liste.jsf?num=C-311/18"><i>Schrems II</i></a> ruling said that standard contractual clauses (SCCs) <i>can</i>, in principle, be used to legitimise transfers of personal data outside the EU/EEA, <i><u>provided</u></i> "additional 
safeguards" are implemented where appropriate (or "supplementary measures", as the European Data Protection Board or EDPB <a href="https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf">has called them</a>).</p><p>I previously <a href="http://blog.kuan0.com/2020/07/schrems-ii-data-localization-encryption.html">blogged</a> about providing additional safeguards through encryption. And indeed Amazon, regarding its AWS cloud service and Privacy Shield's invalidation, <a href="https://aws.amazon.com/blogs/security/customer-update-aws-and-the-eu-us-privacy-shield/">emphasised</a> its "technical and physical controls designed to prevent unauthorized access or disclosure of customer and partner content", and "advanced encryption and key management service".</p><p>I also noted that data could be encrypted in storage and in transmission ("at rest" and "in transit"), but there were difficulties with operating on encrypted data, although work was proceeding on areas such as homomorphic encryption.</p><p>I just wanted to expand on that to point out that, in fact, it is a reality <i>today </i>that secure operations on data are possible in practice - <i>without</i> the third party cloud provider or other service provider being able to "spy" on the computing operations or access intelligible data that they could then give to third country intelligence or security agencies.</p><p>The main development here is "<a href="https://spectrum.ieee.org/computing/hardware/what-is-confidential-computing">confidential computing</a>", as it has become known. This involves protecting data <i>in use</i>, within a "trusted execution environment" (TEE) which safeguards the data from outside viewing or interference. TEEs, or enclaves as they're also termed, can be implemented via hardware, e.g. 
<a href="https://www.intel.co.uk/content/www/uk/en/architecture-and-technology/software-guard-extensions.html">Intel's SGX (Software Guard Extensions)</a> which seeks to protect areas of <i>memory</i> running the relevant application code on the relevant data, or via software. Edited: to clarify, yes, this isn't really working on encrypted data, it's working on unencrypted or decrypted data, but only when (effectively) it's within a secure hardware "box" that the cloud or other service provider can't peek into. This means they can't see what the data in the box is, or what operations are being conducted on that data, so they can't spy on the data or processing or tell any authorities what it is.</p><p>What's exciting is that the Confidential Computing Consortium, spearheaded by the <a href="https://www.linuxfoundation.org/press-release/2019/10/confidential-computing-foundation-founding-member-comments/">Linux Foundation</a>, was formed <a href="https://confidentialcomputing.io/2019/10/17/92/">just last year</a>, in Oct 2019, with members including <a href="https://www.alibabacloud.com/blog/alibaba-clouds-next-generation-security-makes-gartners-report_595367">Alibaba Cloud</a>, Arm, Google, Huawei, <a href="https://www.intel.com/content/www/us/en/security/confidential-computing.html">Intel</a>, Microsoft and Red Hat and also Baidu, Bytedance, Fortanix, Oasis Labs, Oracle, Swisscom, Tencent and VMware. 
By the end of June 2020, it had been <a href="https://confidentialcomputing.io/2020/06/29/confidential-computing-membership-grows-60-percent-within-nine-months-of-formation/">joined</a> by companies such as Accenture, AMD, Facebook, NVIDIA, and R3 (see <a href="https://confidentialcomputing.io/members/">Members list</a> and <a href="https://confidentialcomputing.io/faq/">FAQ</a>, <a href="https://confidentialcomputing.io/wp-content/uploads/sites/85/2019/12/CCC_Overview.pdf">CCC overview</a> and <a href="https://confidentialcomputing.io/wp-content/uploads/sites/85/2020/06/ConfidentialComputing_OSSNA2020.pdf">White Paper</a>).</p><p><a href="https://confidentialcomputing.io/projects/">Open source projects</a> under the CCC's umbrella include an SGX SDK for Linux, an Open Enclave SDK to build TEE apps that can run across multiple TEE architectures (Microsoft) and Enarx, a platform for TEEs to create and run “private, fungible, serverless” applications (Red Hat). </p><p>In addition, Microsoft <i>already </i>offers confidential computing <a href="https://docs.microsoft.com/en-gb/azure/confidential-computing/overview">on Azure</a>, i.e. <a href="https://azure.microsoft.com/en-us/solutions/confidential-compute/">in the cloud</a> using SGX, while Google offers (although not under CCC) <a href="https://cloud.google.com/blog/products/gcp/introducing-asylo-an-open-source-framework-for-confidential-computing">Asylo</a>, an open source framework for confidential computing. AliCloud <a href="https://www.alibabacloud.com/blog/alibaba-clouds-next-generation-security-makes-gartners-report_595367">uses Fortanix</a>, also mentioning SGX. As we're talking cloud, what about Amazon's AWS, you may ask? 
Well, interestingly AWS is absent from the CCC membership list, but it too, in Dec 2019, <a href="https://press.aboutamazon.com/news-releases/news-release-details/aws-announces-three-new-security-offerings">had</a> <a href="https://aws.amazon.com/blogs/aws/aws-launches-previews-at-reinvent-2019-tuesday-december-3rd/">launched</a> "<a href="https://aws.amazon.com/ec2/nitro/nitro-enclaves/">Nitro enclaves</a>" for customers to create "isolated compute environments" to process "highly sensitive data", initially in preview phase.</p><p>UPDATE: after I posted this blog, I found further articles on confidential computing so I want to add the links here: about <a href="https://www.itwire.com/cloud/confidential-computing-is-part-of-ibm-s-cloud-vision.html">IBM's offering</a> of confidential computing in its public cloud and its launch of fully homomorphic encryption toolkits, and about the <a href="https://www.techrepublic.com/article/bank-of-america-daimler-and-apple-partnering-with-ibm-for-confidential-computing-services/">use of its confidential computing services</a> (<a href="https://www.eweek.com/innovation/how-ibm-is-bringing-confidential-computing-to-the-mainstream">another article</a>), again in the public cloud, by the likes of Bank of America, Daimler and (for healthcare data) Apple.</p><p>Use of technologies like confidential computing should stymie or at least deter third party vendors' and/or third country authorities' attempted monitoring or surveillance of data <u>in use</u> - <i>regardless</i> <i>of where</i> the servers conducting the processing are geographically located, i.e. there's no need for data localization in order to protect personal data (or other sensitive data) properly! Couple the use of confidential computing with strong encryption of data at rest and strong encryption of data in transit, and Roberta's your auntie.</p><p>What's the catch? This is all relatively new still, so there might well be teething issues. 
And no doubt confidential computing will be more expensive than "normal" computing, but costs should come down in future as is common with new technologies. I wonder if the CCC will go for a certification for confidential computing under the GDPR's Arts.<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e4075-1-1">42</a>-<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e4120-1-1">43</a> in future? Or even Art.<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e4319-1-1">46</a>(2)(e) or (f), codes or certifications enabling transfers? (as I've <a href="http://blog.kuan0.com/2020/07/schrems-ii-data-localization-encryption.html">argued before</a>, there <i>shouldn't</i> be a need for "binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards"<span> if they can't even access the data in question. But Art.46 says what it says...).</span></p><p>(Another area worth considering is secure multiparty computation or MPC, but I didn't want to hold up this blog post while awaiting more info on that. There seems to be an industry consortium there too, the <a href="https://www.mpcalliance.org/">Multi-party Computation Alliance</a>.)</p>
Kuan (http://www.blogger.com/profile/00041429221345800464, noreply@blogger.com)
tag:blogger.com,1999:blog-1955794330678593771.post-1441579996247305099 (published 2020-07-25T10:31:00.003+01:00, updated 2022-02-13T14:48:52.342+00:00)
Schrems II: data localization, encryption & the bigger picture
The <a href="http://curia.europa.eu/juris/liste.jsf?num=C-311/18"><i>Schrems II</i></a> decision by the EU's highest court (CJEU) invalidated the EU-US <a href="https://www.privacyshield.gov/">Privacy Shield</a>. 
It declared valid, just about, <a href="https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en">SCCs</a> (standard contractual clauses between data sender and recipient) for transfers or data exports outside the EU - but <i>only</i> if there are enough practical checks and controls for "adequate protection" of personal data. The 64 million Euro question being, exactly <i>what</i> checks/controls will be considered good enough?<br />
<br />
All that's well known and well discussed. We're eagerly awaiting the <a href="https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en">promised collective regulatory guidance</a> from the European Data Protection Board (EDPB) on what these additional safeguards or additional measures, which the EDPB <a href="https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf">calls</a> "supplementary measures", might consist of. Hopefully their guidance will help to avoid fragmentation among national data protection supervisory authorities (SAs).<br />
<br />
But let's dissect another proposed "solution": "data localization" (vs. "transfers").<br />
<br />
Germany's Berlin SA in particular has taken a very strict approach, <a href="https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2020/20200717-PM-Nach_SchremsII_Digitale_Eigenstaendigkeit.pdf">stating</a> that:<br />
<ul>
<li>If a "third country" receiving transferred personal data has laws permitting governmental access to the data that goes <i>beyond</i> what EU law permits, then</li>
<ul>
<li>SCCs can't be used for that export, and </li>
<li>Personal data <i>already</i> transferred to that country must be "retrieved" or recovered - i.e. onshoring / reshoring or "repatriation" of that data, if you like; and</li>
</ul>
<li>Controllers who transfer personal data to the United States of America, especially when using <b>cloud services</b>, are now "required" to switch "immediately" to service providers "in the EU" or "in" a country with an adequate level of data protection.</li>
</ul>
<div>
The first point is pretty much what Austria's SA <a href="http://web.archive.org/web/20160508033524/https://www.dsb.gv.at/site/6218/default.aspx">said</a> after the CJEU's 2015 <a href="http://curia.europa.eu/juris/liste.jsf?num=C-362/14">invalidation</a> of Privacy Shield's predecessor, the EU-US Safe Harbour scheme. In fact, the Austrian SA specifically referred to using a company-owned server, a server in an EU member state or another country with an adequate level of data protection. In other words, <i>data localization</i> - storing data only in servers physically located within the territory of an EU or other "adequate" country.</div>
<div>
<br /></div>
<div>
There are actually two separate aspects to the Berlin SA's statements above. They're related but they're definitely not the same thing:</div>
<div>
<ul>
<li>Localization of personal data, in terms of the geographical location of physical storage / hosting, i.e. local location of servers and other <i>equipment</i> used to process personal data; and</li>
<li>Using only <i>providers</i> "in" the EU or another "adequate" country to host or process personal data. (We'll assume that "in" means "incorporated in", i.e. registered under the laws of an EU Member State or other "adequate" country.)</li>
</ul>
<div>
Let's consider both of these in detail now, by way of a two-way mental debate...</div>
</div>
<div>
<br /></div>
<div>
<span style="color: #073763;">We must store personal data only in <i>servers physically located in the EU</i> or other "adequate" territory. That's the best way to protect it against over-intrusive third countries! And also let's retrieve any data already stored in those third countries, data is a-comin' home!</span></div>
<div>
<span style="color: red;"><br /></span></div>
<div>
<span style="color: red;">But - this is the 21st century. There's this thing called the Internet. Organisations physically located in geographic location A can <i>remotely </i>access data stored in geographic location B. In fact, we'd have been in an even worse fix during the Covid-19 crisis if they couldn't. And errr, digital data is actually quite easily copiable. If the third country's <i>already</i> grabbed it (strictly, made a copy of it), then deleting it from your third country storage afterwards or "repatriating" it afterwards isn't actually going to magically delete <i>their</i> copy. Though you clearly think it might stop them from getting their hands on it subsequently, if they haven't already.</span></div>
<div>
<br /></div>
<div>
<span style="color: #073763;">OK, so we insist that personal data can <i>only</i> be stored or processed, within EU borders, by <i>EU-incorporated or -registered service providers</i>. And not by processors from over-intrusive third countries, who could be forced by their national laws to access that data remotely from EU servers for disclosure to the third country's authorities. Avoid those risky US providers, away, away with them!</span></div>
<div>
<br /></div>
<span style="color: red;">But - even EU-incorporated service providers might want to expand outside the EU. In fact, the EU would quite like them to be successful enough to be able to sell their goods and services abroad, and make money from non-EU countries. Go EU businesses! And some third countries <a href="https://iccwbo.org/content/uploads/sites/3/2016/10/Cross-border-law-enforcement-access-to-company-data-current-issues-under-data-protection-and-privacy-law.pdf">may say</a>: if you want to do business in our country, then you have to comply with our laws. Including remotely accessing personal data physically located in the EU, and giving it to us if we require that. If not, we'll issue criminal proceedings against your directors in our country. They have <i>effective jurisdiction</i> over those EU providers. As does the provider's EU Member State.</span><br />
<div>
<br /></div>
<span style="color: #073763;">OK, so let's tell EU-incorporated businesses not to leave the EU then. Indeed, why not stay within the borders of just Germany? It's a big bad world out there. It's so much safer to shrink down and withdraw, just retreat home.</span><br />
<div>
<br />
<span style="color: red;">But - are you sure data insularization (yes I made that up) is a good thing? Digital isolation, cutting ourselves off from the rest of the world? Are you advocating the deglobalization that some have touted since the pandemic? And is that even possible? The way the Internet works, personal data travelling from one EU Member State to another, or even within the same EU Member State, might well transit somewhere outside the EU.</span><br />
<span style="color: red;"><br /></span>
<span style="color: #073763;">Yes, telecommunications networks' cables carrying Internet traffic in transit could be tapped by over-intrusive countries to intercept data. But if the <a href="https://webarchive.nla.gov.au/awa/20170816070900/http://www.pm.gov.au/media/2017-07-14/press-conference-attorney-general-senator-hon-george-brandis-qc-and-acting">law of Australia can trump the laws of mathematics</a>, however "commendable" the latter may be, surely the laws of Europe can trump Internet routing, so let's just ban Internet data from transiting outside the EU! Even better, hey, let's just build a <a href="https://tech.newstatesman.com/policy/europe-china-style-internet-firewall">Great Firewall of Europe</a> like a recent <a href="https://www.europarl.europa.eu/RegData/etudes/STUD/2020/648784/IPOL_STU(2020)648784_EN.pdf">report for a European Parliament committee</a> recommended, eat local stay local. Like the report says, if we do that: "It would drive competition and set standards, similar to what has happened in China in the past 20 years. The foundations of such a European cloud are democratic values, transparency, competition and data protection." That's what we want, and that's how we want it!</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">So you really really think that would protect personal data best? And that, umm, this would actually work to stop third countries' intelligence agencies from getting hold of intelligible EU data?</span><br />
<span style="color: red;"><br /></span>
<span style="color: #073763;">Of course. Data is safest on EU soil, in EU hands. Because third country nation states and cybercriminals would never be able to hack into or otherwise access EU-located data hosted by EU organisations. And EU intelligence agencies would never seek to access EU data so broadly. Or if they did, surely they'd never share any of it with US or other third country authorities. Nuh huh.</span><br />
<br />
<span style="color: red;">Errr.....</span><br />
<br />
<br />
Sure, the above is a bit tongue in cheek. And it's certainly not trying to support over-broad US surveillance laws.<br />
<br />
But we mustn't lose sight of what should be the first, and ultimate, goal of data protection laws: protection of personal data and privacy/security, particularly confidentiality.<br />
<br />
Is the best way to do this really to have the highest EU court tell another (sovereign) country to, effectively, change its own national laws because they're not good enough by another region/country's standards, and put EU (and non-EU) organisations with international or cross-border operations in the impossible position of having to choose which country's laws to break?<br />
<br />
The core issue should be, not the adequacy of a third country's <i>laws</i>, but the adequacy of <i>protection </i>for personal data there. Again, those two concepts <i>aren't </i>actually the same thing, even though the first can affect the second.<br />
<br />
The GDPR's predecessor, the <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:01995L0046-20031120">Data Protection Directive</a>, also restricted "transfers" except to third countries that ensured an "adequate level of protection".<br />
<br />
Now, under the UK implementation of the Directive, the UK Information Commissioner's Office (ICO) had previously <a href="https://ico.org.uk/media/1529/assessing_adequacy_international_data_transfers.pdf">allowed</a> controllers to conduct their <i>own assessment</i> of the adequacy of protection in a third country:<br />
<blockquote class="tr_bq">
"Organisations exporting data may be able to ensure that the personal data are protected <i>by means of technical measures</i> (such as <i>encryption</i> or the adoption of information security management practices such as those in ISO27001/ISO27002)".</blockquote>
Art.25(2) of the Directive listed particular factors to be considered when assessing the adequacy of protection. It explicitly mentioned "security measures which are complied with in that country". So inadequate laws did not necessarily mean inadequate protection - adequate <i>security</i> measures like encryption, perhaps along with other practical measures, might be enough to overcome inadequate laws in a third country.<br />
<br />
In particular, if a third country authority can't access intelligible personal data because it's been encrypted and the authority can't decrypt it, then the risk to data subjects' rights from third country governmental access has surely been mitigated, if not eliminated. The data has been adequately protected against access by those third country authorities. Data subjects don't need rights against third country authorities if their data can't even be read by those authorities. If authorities can't even read intelligible data, then they can't use it or do anything with it against the interests of the data subjects.<br />
<br />
In <i>Schrems II</i> the CJEU said:<br />
<blockquote class="tr_bq">
"It is therefore, above all, for that <i>controller or processor</i> to <i>verify</i>, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the <i>law</i> of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, <i>by providing, where necessary, additional safeguards</i> to those offered by those clauses" (<a href="http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&doclang=EN#point134">para.134</a>).</blockquote>
So, it's gone full circle. We're back to each transferring entity that wants to use SCCs (or Art.47 binding corporate rules i.e. BCRs, <a href="https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf">according to</a> the EDPB) to send or transmit personal data to, or make it accessible from, a third country, effectively having to make its <i>own </i>adequacy assessment or <i>adequate protection assessment</i> ("APA", to coin an acronym, as "AA" may be a bit ambiguous).<br />
<br />
Now, that vital sentence could have been a lot more clearly phrased (can other language versions assist?). How can a transferor "verify" "whether" third country law ensures adequate protection "<i>by</i> providing, where necessary, additional safeguards"? You can't verify <i>laws'</i> <i>adequacy </i>by implementing additional safeguards. But, you <i>can </i>sometimes counteract "inadequate" laws by providing additional safeguards or measures, whether technical or organisational - i.e. by using suitable technologies, policies and/or processes and practices. Like encryption. Surely that must be what the CJEU meant.<br />
<br />
When assessing the "appropriate safeguards" under <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e4319-1-1">Art.46</a> GDPR (including use of SCCs) needed to provide <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e4244-1-1">Art.45</a>(1) "adequate protection", the CJEU in <i>Schrems II</i> also stated:<br />
<blockquote class="tr_bq">
"The assessment required for that purpose in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the <i>relevant aspects of the legal system of that third country</i>. As regards the latter, the factors to be taken into consideration in the context of Article 46 of that regulation <i>correspond to those set out, in a non-exhaustive manner, in Article 45(2)</i> of that regulation." (<a href="http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&doclang=EN#point104">para.104</a>).</blockquote>
Guess what? GDPR <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e4244-1-1">Art.45</a>(2)(a), on factors that the European Commission must consider when assessing the adequacy of the level of protection in a third country, <i>also</i> mentions "security measures... which are complied with in that country". Just as in the Directive's Art.25(2).<br />
<br />
This means that the door is potentially open for the EDPB to allow encryption as a "security measure" that could ensure adequate protection in a third country with otherwise "inadequate" laws. I reiterate, the goal isn't adequacy of laws, it's adequacy of <i>protection</i> for personal data.<br />
<br />
So it's heartening that the EDPB in its <a href="https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf">FAQs</a> on <i>Schrems II</i> stated:<br />
<blockquote class="tr_bq">
"The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, <i>technical or organisational</i> measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.<br />
The EDPB is looking further into what these supplementary measures could<br />
consist of and will provide more guidance."</blockquote>
I'm not saying encryption is a panacea. Not at all. Some intelligence agencies undoubtedly have the capability to decrypt certain encrypted data. Or the encryption applied could be weak: a cracked or badly chosen algorithm, too short a key. Even with strong encryption, the service provider might have the key because it needs it in order to process the data as expected by the customer. Most data operations can't be performed on encrypted data, not yet anyway, or if they can it would be unfeasibly slow currently, so the data has to be decrypted first before those operations can be performed. At which point the provider has access to intelligible data. Which can then be disclosed to authorities. And obviously the proper implementation of encryption in practice in concrete situations is very important, along with other security measures like access controls. [Added: however, <a href="https://blog.kuan0.com/2020/08/schrems-ii-additional-safeguards.html">confidential computing</a> is now available with many cloud providers, which allows encryption "in use", i.e. for computation operations.]<br />
<br />
But, if everyone everywhere strongly encrypts data as much as possible, including in transmission as well as in storage, that would make it a lot more difficult for intelligence agencies - admittedly EU as well as third country - to obtain intelligible, usable data. Indeed, in its <a href="https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf">cloud computing guidance</a>, the Article 29 Working Party (the EDPB's predecessor) recommended that "Encryption of personal data should be used in all cases when “in transit” and when available to data “at rest”". Not just when using non-EU cloud service providers.<br />
<br />
To curb excessive state surveillance in practice, those who are against such surveillance should be promoting encryption or other strong forms of pseudonymisation, rather than forcing transferors to analyse and assess the "adequacy" of third country <i>laws</i>. As others have noted, many transferors who use US or other non-EEA service providers are SMEs. Most of them aren't lawyers and can't afford lawyers, let alone expensive lawyers expert in the surveillance laws of all relevant third countries. And what if regulators or courts then disagree with their good faith assessments?<br />
<br />
This highlights one problem with the GDPR's drafting, and some lawmakers/regulators' approach to it. To paraphrase <a href="https://en.wikipedia.org/wiki/Law_of_the_instrument">Maslow</a>, if all you're used to is nails, then you'll tend to think that a hammer must be the only, or at least the best, tool to use. But, for screws, wouldn't you want to use a screwdriver?<br />
<br />
Lawmakers, regulators and judges are used to the tools of law: legislation, regulation, contract, legal obligations and liabilities. Many, dare I say most, of them aren't as familiar or comfortable with the tools of <i>technology</i>, and may not be inclined to trust the efficacy of tools that aren't tools of law.<br />
<br />
But my point is that, to protect transferred personal data adequately, we ought to use <i>all</i> the tools available. We can't just rely on third country laws alone (or dismiss their laws as inadequate, so that transfers there are prohibited absolutely).<br />
<br />
We need to use <i>technical and organisational measures</i> too to protect personal data, whether the data's physically located in the EU <i>or transferred outside it</i>. Saying that only the tools of law are good enough for transfers, and that technical tools like encryption don't count, would be like trying to protect transferred personal data with one arm tied behind your back, to use yet another analogy.<br />
<br />
For transfers, the GDPR should be encouraging, and interpreted as encouraging, the use of technical and organisational safeguards - not just the tools of law. If technical and/or organisational measures can provide adequate protection in a third country, enough to provide "essentially equivalent" guarantees of protection for the relevant personal data and data subjects, then it shouldn't be necessary to make transferors analyse the <i>laws </i>of the third country too!</div>
<div>
<br /></div>
<div>
Read literally, <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e4319-1-1">Art.46</a> states that appropriate safeguards "may" be provided for by SCCs or the other safeguards listed in Art.46(2)(a)-(f). It doesn't actually say that Art.46(2) is exhaustive; it doesn't say that the safeguards listed there are the <i>only </i>possible safeguards.<br />
<br />
However, Art.46(1) requires all safeguards to be "on condition that enforceable data subject rights and effective legal remedies for data subjects are available" - even though, logically, data subjects wouldn't <i>need </i>rights or remedies against authorities <i>who can't access intelligible data</i>. That condition isn't necessary to protect data subjects from those who can't access usable data, but it reflects the hammer/nail issue above.<br />
<br />
Similarly, if codes of conduct or certification mechanisms get approved for transfers under Art.46(2), "binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights" are still required. Even if the personal data has been encrypted or otherwise pseudonymised in such a way that the third country recipient itself can't access intelligible data, e.g. for pure hosting or storage only. If they want the business, they'll just have to suck it up and agree to those "binding and enforceable commitments", so third country recipients who offer such codes or certifications may still have to sign something like SCCs. (And, to be fair, those commitments could cover other security measures such as backups for integrity, not just confidentiality.)<br />
<br />
Let's hope that when the GDPR is updated, I fear probably in another 20 years, Art.46 is amended to delete "and on condition that enforceable data subject rights and effective legal remedies for data subjects are available" and "together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights".<br />
<br />
To be technologically neutral, which the GDPR was intended to be, data protection laws should simply require adequate protection of personal data and data subjects' rights by <i>whatever</i> <i>means</i>, <i>wherever</i> the data are physically located. In some situations (not all, but some), technical and organisational measures may well provide sufficient protection <i>in practice</i>, so in those situations tools of law like contractual or other obligations on the recipient should <i>not</i> be mandatory as well. Especially if homomorphic encryption, conducting useful operations on encrypted data without needing to decrypt it, ever <a href="https://www.forbes.com/sites/bernardmarr/2019/11/15/what-is-homomorphic-encryption-and-why-is-it-so-transformative/">becomes</a> <a href="https://pureai.com/articles/2020/07/13/homomorphic-encryption.aspx?m=1">feasible</a> and fast enough to be workable.<br />
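As an added illustration of what "strong" pseudonymisation means in the passages above (this is example code written for this page, not from the original post or from any regulator's guidance): the recipient in the third country receives only keyed pseudonyms plus the non-identifying fields, while the secret key and the re-identification table stay with the EU controller. The record fields, the guess list and the key handling are constructed assumptions for the demo. It also shows why an unkeyed hash of an email address is <i>not</i> strong pseudonymisation: anyone holding a list of candidate addresses, including an authority that has compelled the recipient, can reverse it by precomputation.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data): an EU controller wants a
# third-country provider to host them for pure storage, but the provider
# must not be able to tell who the individuals are.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "spend_eur": 120},
    {"email": "bob@example.org", "country": "FR", "spend_eur": 75},
]

# Hypothetical guess list an adversary, or a compelled recipient, might hold.
GUESS_LIST = ["alice@example.com", "bob@example.org", "carol@example.net"]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic and secret-free,
    so anyone with a list of candidate identifiers can reverse it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def strong_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that stays with the EU controller.
    Without the key the output cannot be linked back to the identifier,
    even by someone who knows every possible identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_for_export(records, key):
    """Split each record into what leaves the EU and what stays behind.

    Returns (export, lookup): `export` is what the third-country host
    receives (pseudonym plus non-identifying fields); `lookup` maps
    pseudonym -> identifier and is retained by the controller only."""
    export, lookup = [], {}
    for rec in records:
        pseudonym = strong_pseudonym(rec["email"], key)
        lookup[pseudonym] = rec["email"]
        export.append({"pseudonym": pseudonym,
                       **{k: v for k, v in rec.items() if k != "email"}})
    return export, lookup


def reidentify(exported_row, lookup):
    """Controller-side re-identification using the retained lookup table."""
    return lookup[exported_row["pseudonym"]]


def dictionary_attack(pseudonyms, guesses, pseudonym_fn):
    """Reverse pseudonyms by precomputing pseudonym_fn over a guess list.
    Works against unkeyed hashing; against keyed pseudonyms it only works
    if the attacker also has the key."""
    table = {pseudonym_fn(g): g for g in guesses}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """End-to-end run: export, attack the export, then re-identify at home.
    Returns a summary dict so the outcome can be checked programmatically."""
    key = secrets.token_bytes(32)  # generated and kept in the EU; never exported
    export, lookup = pseudonymise_for_export(RECORDS, key)
    exported_pseudonyms = [row["pseudonym"] for row in export]

    # Recipient-side view: no key, so the best it can do is hash its guess
    # list without one, which never matches a keyed pseudonym.
    recovered_by_recipient = dictionary_attack(
        exported_pseudonyms, GUESS_LIST, weak_pseudonym)

    # Contrast: had the controller used unkeyed hashing instead, the same
    # guess list would have recovered every address in the export.
    weak_export = [weak_pseudonym(r["email"]) for r in RECORDS]
    recovered_if_weak = dictionary_attack(weak_export, GUESS_LIST, weak_pseudonym)

    return {
        "fields_leaving_eu": sorted(export[0].keys()),
        "recovered_by_recipient": len(recovered_by_recipient),
        "recovered_if_weak_hash": len(recovered_if_weak),
        "controller_reidentified": reidentify(export[0], lookup),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is who holds the key. Provider-managed encryption at rest, where the host also holds the key, does not put the recipient in the position the text describes, because it can still produce intelligible data on demand. The same goes for encrypting data for pure hosting or storage: the key must be generated and kept on the controller's side, and the recipient must have no business need for the plaintext.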
<br />
As I hope the above has illustrated, in the absence of "adequate protection" in a third country, even data localization ("Data should not only be stored but also administered elsewhere than in the U.S." as the EDPB <a href="https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf">put it</a>) will not necessarily be enough to protect personal data without appropriate technical and organisational measures too. We need a multidisciplinary, cross-disciplinary approach to data protection. Don't tie organisations' hands on this. Tools of law are <i>not</i> the <i>only</i> effective tools. Don't make organisations spend more and more money on lawyers and documentation; share the love and make them spend money on technical security too, which often might actually protect personal data better!<br />
<br />
<div>
<div style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;">
<a href="http://www.kuan0.com/publications.html"><img alt="Kuan Hon, Data Localization Laws and Policy" height="200" src="https://www.kuan0.com/img/Hon-bookcover.jpg" width="130" /></a></div>
Most of the above and more, is discussed in my book on <a href="http://www.kuan0.com/publications.html">Data localization laws and policy - the EU data protection international transfers restriction through a cloud computing lens</a>. It predated <i>Schrems II,</i> but discusses the aftermath of the Safe Harbour invalidation in greater detail than above (e.g. German fines for controllers who relied on Safe Harbour for US transfers, but decided to wait and see and didn't implement SCCs immediately).<br />
<br />
More importantly, the basic themes, concepts and arguments in the book <i>still </i>remain the same. The EU's approach to international transfers of personal data dates from the <i>1970s</i>. It needs to be modernised to take account of tech, not just laws. (And, by the way, the transfers restriction was in fact initially intended to prevent controllers from <i>circumventing</i> EU data protection laws by using third country processors. But it's taken on a life of its own to become a Frankenrule, it's been and is being repurposed far beyond its original legislative objective to take potshots at all sorts of things like "inadequate" third country surveillance laws.)<br />
<br />
Long story short - dear EDPB, please please don't say that data localization alone is the answer (the Commission itself <a href="https://www.linkedin.com/pulse/action-after-gdpr-2-yr-report-dr-w-kuan-hon">no longer</a> equates data localization with data protection, quite the contrary). And please please explicitly recognise strong encryption or other forms of strong pseudonymisation as a potential technical supplementary safeguard allowing the use of SCCs (and BCRs) for transfers, even to "inadequate" third countries!</div>
</div>
Posted by Kuan.<br />
<br />
<b>The technical challenges of recording socially-distanced music videos during lockdown!</b> (posted 2020-07-11)<br />
<br />
Now I know why movies / TV shows need large film crews - respect!
<br />
<br />
Click on the cartoon for a bigger one.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH0SGQgepqr_-0wSwzw2j4kvN3m9vTC05smI4SRXmsLKps9oYKd3T5HkVvGA7o5GIHwq-q-M2fpqSdavuLahkzbMcgCRSG0jM1yUG6U3DD0-3LMQLdnTUB1sZUOaTtTiDCbM20XAeiGu0/s1600/VideoTechChallenges.png"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH0SGQgepqr_-0wSwzw2j4kvN3m9vTC05smI4SRXmsLKps9oYKd3T5HkVvGA7o5GIHwq-q-M2fpqSdavuLahkzbMcgCRSG0jM1yUG6U3DD0-3LMQLdnTUB1sZUOaTtTiDCbM20XAeiGu0/s400/VideoTechChallenges.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
With many thanks to the talented artist who drew this cartoon for me, as I am artistically challenged myself!</div>
<br />Posted by Kuan.<br />
<br />
<b>Children’s consent GDPR Art.8 - Member State differences</b> (posted 2020-06-29)<br />
<div class="MsoNormal">
Table showing the age below which parental consent is needed
(and above which the child’s consent is acceptable) for the <u>offer of information
society services</u> (i.e. online services) directly to a child, where the <u>legal
basis is consent</u>:<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0cm 5.4pt 0cm 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr style="mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 35.2pt;" valign="top" width="47"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="mso-fareast-language: EN-GB;">Age<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 415.6pt;" valign="top" width="554"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="mso-fareast-language: EN-GB;">Member State<o:p></o:p></span></b></div>
</td>
</tr>
<tr style="mso-yfti-irow: 1;">
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 35.2pt;" valign="top" width="47"><div align="center" class="MsoNormal" style="text-align: center;">
<span style="mso-fareast-language: EN-GB;">13<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 415.6pt;" valign="top" width="554"><div align="left" class="MsoNormal" style="text-align: left;">
<img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB0AAAATCAYAAABsmQZ/AAAASElEQVRIDWNgYGD4Twx+d8H2/5+7jnjxr932/79omBPEDMRYCFIzailykI8GL3riGk1IGHl3NMuMZhn0bILMH80yo1lm6FbiAF7JkbTMajUTAAAAAElFTkSuQmCC" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Belgium, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAVCAYAAAC+NTVfAAAAuElEQVRIDWOwtrY+z8DA8J/eGGovw/8vGuZY8Wcprf/fU/L+I4PfK9b9/yyujlU9LnOwiUM9O2o5ZtCPBjtNExwo9WLDnzgk/3+LSEa2+//vhSv+f2IVw6oemxm4xOCp/Ud9x3+suKzh/69FK1As/3v6/P8fJXXY1eMyB4s43HIU0+nEGbUcd/zRI85xpUi6pHZsBT9IbLSEQ859o1UqrnRCrDi8kMGlgeYJTlBQ8D3UFXRtx4HsBQDic3MDhREOEQAAAABJRU5ErkJggg==" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Denmark, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAVCAYAAAC+NTVfAAAAr0lEQVRIDe2UvQ7CIBRGv1qwoDWGkRfpwuPobmJceUGXJr6Ia7fP1AB16XoZLMkJCSGc+0MuQggjAEqTvKC9j+KkZDe5bOmXsj9etMIUubk9KU2RN8OFzXAVpcix04Q+EW23shtC94QyhDoSyhLq8EM+64k23V19qyP25zxX5AdMynoO4J/l3ntKUz5cjJHSFPk0TZSmyFlhbfIKRecy4WrYvz13zr1T83M0Ivvs/QCjK7WUSpplwAAAAABJRU5ErkJggg==" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Estonia, </span><img alt="" src="data:image/png;base64,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" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Finland, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAVCAYAAAC+NTVfAAAAZElEQVRIDWOwtrY+z8DA8J/eGGovw//FBhZ0x1DPjlpO36AfDfb/cxQ06I7hwX6iueM/vTHc8v8DAEYtp3t8g9IXPNgHNLWPViz0DAF4nNPTUphdI9xyQUHB99AggOU9utAgewH8tpZuBS9V8QAAAABJRU5ErkJggg==" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Latvia, </span><img alt="" 
src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAVCAYAAAC+NTVfAAABC0lEQVRIDe2WQUvDMBiG8xcKXvwN+wn9hd538exlNyfoBvOiaxVchQ4v2xhMi6AT1k1ZFRebPLKxsEvpVlbrpYGPkHwhT96XjyTCtm1fCEHRseYKTFuEM96HIzPc2r8eVfHEIf5BJXOsxQrQGhaSSX+Af93m4zEApYqBy3DK2PPp1Otc1Wp0zy8IH3rE8yj1ALkoj0YB965L4+yUk+MqrWYDz3H5ehn/PVzHMd/RJ8ObW5zLFk8dDykleov1uShfyVOKt96AO8dhHjynKjbJ/OCAjhU/K8Xa7J/a5wpPJSUkS/h+l0yCpbtMlbaXtmdxYPOq7VJdCWvKgstit1n7/7ZbljUr+v+25C25v9Vx0tjnS7OtAAAAAElFTkSuQmCC" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Malta, </span><img alt="" src="data:image/png;base64,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" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Portugal and </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB0AAAATCAYAAABsmQZ/AAAAw0lEQVRIDe1VsQrCMBS8f/EjHBzaSdTRyUXcOggu4qqLP1AQVETo6lD8B1c7SMX6OZ4Eqy73wKWKkOEIHJd7Sd4lAboLSnS2bE6GZA4yA1mA602DaCdab/koXhZ0Ql/UH68KjMWhlVAi3LE+Gr/TewXjZUgEqdZbPoqP5j1KzPqMVwF5Kq9MDh72NUbTgdZbPoIHL6BEAfIM3rISRzwW4Hhrzoc8XqZP8y+Mv9mp7KfrQ5U9lcl1iasyvf7t9b/M337idwfjrEdXst8DAAAAAElFTkSuQmCC" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Sweden </span>(and <img alt="" src="data:image/png;base64,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" /> UK, but we don’t count anymore <span style="font-family: "segoe ui emoji" , sans-serif;">☹</span>)</div>
</td>
</tr>
<tr style="mso-yfti-irow: 2;">
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 35.2pt;" valign="top" width="47"><div align="center" class="MsoNormal" style="text-align: center;">
<span style="mso-fareast-language: EN-GB;">14<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 415.6pt;" valign="top" width="554"><div align="left" class="MsoNormal" style="margin-left: 36.0pt; text-align: left; text-indent: -36.0pt;">
<a href="about:invalid#zClosurez" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAAcElEQVRIDWOwtrY+z8DA8J+eGGonw/+3mpZ0xVBPjlpM+2BHBLW6+f+3dMQIi1VM/7+lI4Zb/Pvqjf/0xHCL/9MZjFpMtwAf+KD+XFL3n54Y7uM3klr/6YnhFo/WTrQOgREa1IKCgu+hXqdbuwtkJwCqZkm54hGJSgAAAABJRU5ErkJggg==" style="color: black;" /></a><span style="mso-fareast-language: EN-GB; mso-no-proof: yes;"><!--[if gte vml 1]><v:shape id="Picture_x0020_1" o:spid="_x0000_i1042"
type="#_x0000_t75" alt="AUSTRIA" style='width:21pt;height:14.4pt;
visibility:visible;mso-wrap-style:square' o:bordertopcolor="yellow pure"
o:borderleftcolor="yellow pure" o:borderbottomcolor="yellow pure"
o:borderrightcolor="yellow pure">
<v:imagedata src="file:///C:/Users/FPC/AppData/Local/Temp/msohtmlclip1/01/clip_image016.png"
o:title="AUSTRIA"/>
<w:bordertop type="single" width="6"/>
<w:borderleft type="single" width="6"/>
<w:borderbottom type="single" width="6"/>
<w:borderright type="single" width="6"/>
</v:shape><![endif]--><!--[if !vml]--><!--[endif]--></span><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Austria, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAAc0lEQVRIDWOwtrY+z8DA8J+eGGonw396A6gnRy2mfcCP4KA2Wt31n54YHtQME9P/0xVDyg2G/wzT8uiLR7DF80r/M9ATw4K629foPz0xPFU/k+P+T08Mt/iamtB/euJRi+kW3AMb1IKCgu+hLqBbuwtkJwD9xO9SmPb8/wAAAABJRU5ErkJggg==" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Bulgaria, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAABPklEQVRIDWOwtrY+z8DA8J+eGGonw396A6gnRy2mTsD/+/ERp0E0CWqQhR9mW+G0FCRBVYtBFn5aGvT/87ZivJZSZPHndUn/3zYw/H8/UQXsuzeVDP9B+OetHQQtJctikIXfz8z8/65bHmwxyHIYBlmML16RXUR0UP96fPz/xwWuYEtAFsAsA9Fgfhs/2DEgNcQAoi0GGYZuIbLlPy6tIMY+uBqSLAYFMcyHIEeA4heUmEChQSogyWKY4X+/vv7/7VAbjEsWTbLFaYun/+/esR6rZacf3P4/8+BOrHLogiRbDDIYZEHigslgGmTgo7evwPwjd67/BzmMGECyxSBD91+/DPY1yAFff/wA81edOvy/aPV8YuwEqyHLYpBOkIUgn8LYID4pgGyLSbEEm9oRarGgoOB7qNdh1RXNaZCdAAL0YIYQ0syvAAAAAElFTkSuQmCC" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Cyprus, </span></div>
<div align="left" class="MsoNormal" style="margin-left: 36.0pt; text-align: left; text-indent: -36.0pt;">
<img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABwAAAATCAYAAACDW21BAAAAZElEQVRIDWP4u1P4Pz0xAz0tA9k1Aiz8v0v4Pz0xw//dQv/piRmMKq3+0xMzMKS5/acrZshy+U9XTFfLQJ6jv4X5bv8Z6Ilr7Uz/0xMznFfS/k9PzHBQXfc/PfGohVQPbroHKQANVohF6lznyAAAAABJRU5ErkJggg==" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Lithuania, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAAaElEQVRIDWOwtrY+z8DA8J+eGGonw3+GSW74cbfl/1W3Dv4nBF7v2PN/v6zm/8Pa5ngx1JOjFmMJ9tGgxpHKRhMXrmw1mp1wl16j2Wk0O0FDYLQAGS1AYCEALjIFBQXf07O9BbILZCcAkf3jpbbt1t0AAAAASUVORK5CYII=" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Italy and </span><img alt="" src="data:image/png;base64,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" />Spain</div>
</td>
</tr>
<tr style="mso-yfti-irow: 3;">
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 35.2pt;" valign="top" width="47"><div align="center" class="MsoNormal" style="text-align: center;">
<span style="mso-fareast-language: EN-GB;">15<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 415.6pt;" valign="top" width="554"><div align="left" class="MsoNormal" style="text-align: left;">
<img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAB8klEQVRIDWOwtrY+z8DA8J+eGGonw//UttX/3378+p9eAOpJhv+MlqX/dSJ7/m86fJUudsMtFnSt+89mU/Gfw67yf07Pepr7HsVikOW8zjX/GcxL/hvE9f/ffuwGzXyPYTHIchBmtan4z+1Q/b9k8pb/7z9/p7oDcFosBPK9E8T3ZomT/u89fZuqluO0GOZzEM1iXf6fz6nmf+3MHf8/ff1BFQcQZTHI9zyO1eC4t06b+v/opfsUW06Uxci+Z7Yq+y/gUvu/ed6e/+9+k28/yRaDfM/uVPufwabmf1FK6/93HV3/33R2/3/d2UMSJtliNo+W/wJu9f8LdP3+n+QR/X+NgfX/FQZ2kjHRFvO6Nfxn8mj9b2KT83+FgtH/p4LC/+8IS/y/LiJFFibKYjaP5v8gi7P0A/9fEpX9/0RQ+P8NMi2EORSvxXxgX7b917fL/79I0RRs4V0hcbJ8CLMQRuO0mN29+T+3W+P/ZIOQ/+fE5MBBe0NEkiqWgizHsJjPrf4/k2frf037ov9zlcz/PxYU+X+PSr6E+RbDYg735v+c7k3/Y43C/58SV6C6L7FazOLR8l/VoeT/dBWr/48ERf/fExKjWrAiWwhjw4M61CTm/xlx+f9PBYT/36RiXMIsQqfBFgsKCr6HugAW6TSnQXYCAP9d/qlhajD1AAAAAElFTkSuQmCC" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Czech
Republic, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAAaElEQVRIDWOwtrY+z8DA8J+eGGonw3+G0CX4see8/6uOPfxPCPzav/v/OxP1/+8dTfFiqCdHLcYS7KNBjSOVjSYuXNlqNDvhLr1Gs9NodoKGwGgBMlqAwEIAXGQKCgq+p2d7C2QXyE4AcJwnZGpme1IAAAAASUVORK5CYII=" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> France </span>and </span><img alt="" src="data:image/png;base64,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" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Greece<o:p></o:p></span></div>
</td>
</tr>
<tr style="mso-yfti-irow: 4; mso-yfti-lastrow: yes;">
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 35.2pt;" valign="top" width="47"><div align="center" class="MsoNormal" style="text-align: center;">
<span style="mso-fareast-language: EN-GB;">16<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 415.6pt;" valign="top" width="554"><div align="left" class="MsoNormal" style="text-align: left;">
<img alt="" src="data:image/png;base64,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" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> Croatia</span>, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABwAAAATCAYAAACDW21BAAAAQElEQVRIDe2SsQ3AMAzDeG2u7U8MckEXQUPigasJEQawzAjjBeIH/36iLBRscuaNMFrghaQLLYIfNhlhPPf9STfb7A3FSvCU/gAAAABJRU5ErkJggg==" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span></span>Germany<span style="mso-fareast-language: EN-GB;">, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAAd0lEQVRIDWOwtrY+z8DA8J+eGGonw/9zgmp0xVBPjlpM+2BHBDW/yv9zdMRwi8/yKP6nJ4Zb/PXC1f/0xHCL/9MZjFpMtwAf+KCO3Nj3n54Y7mOGOpf/dMWQ2pDhP0N7IH3xqMV0C/IBDWpBQcH30ORNt3YXyE4A4GPB7v60/cUAAAAASUVORK5CYII=" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Hungary, </span></div>
<div align="left" class="MsoNormal" style="text-align: left;">
<img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAAaUlEQVRIDWOwtrY+z8DA8J+eGGonw3+pHn+8mLvN9f+2m0f/EwL/Luz5/ydb5f+fYgO8GOrJUYsxg300qHElstHEhStbjWYnnKXXaHYazU6wEBgtQEYLEFgIgItMQUHB9/Rsb4HsAtkJAOY6TPKftnonAAAAAElFTkSuQmCC" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Ireland, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAA9UlEQVRIDeXVP2oCQRTH8Z+oKRQiCwEVBhRyA5E0e61N6Z9KLUyqXMPCMsLOHkE26hEEU6VeMPzkrevoBd4gOPBlys+8t8UiDMM1APqsMMGk16c1htZ0lDO5VQwJ2pcmY8BLYl3htinQCmNoBtq2uQe4dZm4zBiagbZ1M/Gq/sxvwEtiuW+8Xy55WCy8JJaD/+nviOXgLMu8yWI9MEweva1aLLfqr2TPuf3lh3JiiOXgxjAlopR4Vy5KmVvnvyHYnW75NNqxNtZNDLHcxI8Hm8mWpcGO1aFuYojlVv32+cPudMPXmW5iiJXDQRD8FS+4vET9FvMEXVUAqVZP4wcAAAAASUVORK5CYII=" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Luxembourg, </span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAA5klEQVRIDeXVsQqCUBQG4ENbg4OLcW8vYZOEs0iztPdEjr2CQZvgAxQ4JGlPEdgQzQ7xx7mp9QL3EHTh544f579HpDAML0QEyfQmofR9lFrLxPeHIQml56EkkonnfcE8rRSs9S/ASslNrNRn4qPj4EAkErb6L4hwKwrc81wkbI3wE3KHrRHuuk5MZuuPYUD2lceqt/sr0qxFurOcrAVbIzyNT6CgAi0tJ6hgrPffkDBf16C4wWRlN2wY63/hWVKDosbUzXVYS9TAWEPVi80ZOqlN//wGtsIGW2arXdd99Os9rLn1m80XiMbWwCNg4VYAAAAASUVORK5CYII=" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>the Netherlands,</span><img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAVCAYAAABR915hAAAAY0lEQVRIDWOwtrY+z8DA8J+eGGonw/+XL57TFUM9OWox7YN9NKjplrIHPqhf//z6n54Y7uN7LRP/0xPDLb4koP+fnhhu8RVF2//0xKMW0y24R4N6hAS1oKDge2hk063dBbITAAm5hhly9soTAAAAAElFTkSuQmCC" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Poland, </span><img alt="" 
src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABwAAAATCAYAAACDW21BAAAAWElEQVRIDWNg0K7/jxcrtP1fMdPy//+7fP//XBTDiv/fF/3/dqL0/9Ms6v/PCarhxQx4LQM5ZtTCi2L/R4MUOSGNJprRbAEueUazxWi2QK2uRmuLwV5bAAAEgIuLp3eMxwAAAABJRU5ErkJggg==" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Romania and </span><img alt="" src="data:image/png;base64,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" /><span style="mso-fareast-language: EN-GB;"><span style="mso-spacerun: yes;"> </span>Slovakia<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
These differences <i><u>are</u></i> allowed by the GDPR, but
the Commission’s <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2020:115:FIN&from=EN">Staff Working Document</a>, accompanying its <a href="https://ec.europa.eu/info/sites/info/files/1_en_act_part1_v6_1.pdf">2-year evaluation of the GDPR</a>, comments that “Such differences lead to situations where the Member
State in which the controller is established provides for another age limit
than the Member States where the data subjects are residing.” You can say that
again!</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Note: the table above is based on the helpful info provided
in the SWD, p.17, and hasn’t been independently confirmed. No info on Iceland,
Liechtenstein and Norway was provided in the SWD – presumably because <a href="https://www.blogger.com/null" name="OpenAt"></a>they’re EEA, not EU.</div>
Posted by Kuan.<br />
<br />
<b>Countries influenced by GDPR</b> (posted 2020-06-29, updated 2021-06-02)<br />
<br />
According to the Commission's <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2020:115:FIN&from=EN">Staff Working Document</a> accompanying its <a href="https://ec.europa.eu/info/sites/info/files/1_en_act_part1_v6_1.pdf">2-year report on the GDPR</a>, the GDPR has acted as "a catalyst" for many third countries around the world to consider introducing modern privacy rules:<br />
Brazil, California, Chile, India, Indonesia, Japan, Kenya, South Korea, Taiwan, Tunisia<br />
<br />
A map of those countries is below. Click on Larger for the larger version.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<img border="0" data-original-height="536" data-original-width="1003" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQrtzjrjFhgngNn2eBSLGim9HoQWlnWrV2wmfvqDOSQMXmq36Ni5-t1bs9MCIZak2XA66YCCjUAsRWmctWVs1C_mVgEwLNv683U71P1eqXr_m4GMouIZNLHmZyQc4w1sy2mIiLRO7s12c/s400/GDPR-influencedCountries.png" width="400" /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQrtzjrjFhgngNn2eBSLGim9HoQWlnWrV2wmfvqDOSQMXmq36Ni5-t1bs9MCIZak2XA66YCCjUAsRWmctWVs1C_mVgEwLNv683U71P1eqXr_m4GMouIZNLHmZyQc4w1sy2mIiLRO7s12c/s1600/GDPR-influencedCountries.png">Larger</a></div>
<br />
Also mentioned in the SWD for "promising developments" regarding privacy legislation, and therefore "third countries" that are possible candidates for future "adequacy" discussions with the Commission:<br />
Malaysia, Sri Lanka, Thailand; Africa (e.g. Ethiopia, Kenya) and the European Eastern and Southern neighbourhood (e.g. Georgia).<br />
<br />
Posted by Kuan.<br />
<br />
<b>I-CO I-CO! - a GDPR song</b> (posted 2018-05-25, updated 2020-08-01)<br />
<div style="text-align: center;">
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="240" src="https://www.youtube.com/embed/OuC519ni1aE" width="426"></iframe></div>
<br />
<div class="MsoNormal">
My data and your data? Oh don't you take a flyer!<br />
Heed the GDPR now, or you could draw the I-CO's ire!<br />
Talkin' bout fines now (fines now!), fines now (fines now!)<br />
I-CO I-CO one day! (woah!)<br />
Personal data, keep it safe, personal data, hey!<br />
<br />
Check out the data, why and how? I-CO has more power!<br />
So make sure your processing's all allowed, personal data, ow!<br />
Talkin' bout data (data!), data (data!)<br />
I-CO I-CO one day! (woah!)<br />
Personal data, keep it safe, personal data, hey!<br />
<br />
Think accountability, document it all<br />
Keep your compliance evidence, in case the I-CO comes to call!<br />
Talkin' bout dawn raid (dawn raid!), dawn raid (dawn raid!)<br />
I-CO I-CO one day! (woah!)<br />
Personal data, keep it safe, personal data, hey!<br />
<br />
<i>[Chorus to repeat and fade as I couldn't face doing more verses]</i><br />
Talkin' bout data (data!), data (data!)<br />
I-CO I-CO one day! (woah!)<br />
Data protection's here to stay, data protection, hey!<br />
<div>
<br />
<div style="text-align: center;">
<span style="font-size: x-small;">Lyrics © Kuan Hon licensed under <a href="https://creativecommons.org/licenses/by/2.0/uk/">Creative Commons CC-BY</a></span></div>
</div>
</div>
<b>Cloud - tight UK incident notification deadline; use by critical infrastructure</b> (posted 2018-04-22)<br />
<br />
<b>Summary</b>:<br />
<br />
<ul>
<li>Not much time left for cloud providers/critical infrastructure operators to respond - <b>29 April </b>deadline!</li>
<li>UK cloud providers face <b>mandatory registration</b>, <b>72-hour</b> incident notification period and <b>up to £17m fines,</b> etc - see further below.</li>
<li><b>Critical infrastructure operators</b> relying on cloud services may be in an impossible position, and should <b>update their contracts</b> before 9 May 2018.</li>
</ul>
<br />
You have till <b><u><span style="color: red;">29 April 2018</span></u></b> to respond to the UK's proposed implementation of the <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC">NIS Directive</a> (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union - supplemented so far by one <a href="http://data.europa.eu/eli/reg_impl/2018/151/oj/eng">implementing Regulation</a>).<br />
<br />
It has to be implemented nationally by <b><u>9 May 2018</u></b>. That's right, even earlier than the GDPR (General Data Protection Regulation, which from 25 May 2018 applies directly in all EU Member States including the UK, and has nabbed most of the attention in the media and tech community).<br />
<br />
The UK <a href="https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive">conducted</a> a <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/636207/NIS_Directive_-_Public_Consultation__1_.pdf">consultation</a> in Aug 2017 (with <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/636065/Pre-consultation_Impact_Assessment_-_Security_of_Network_Information_Systems.pdf">impact assessment</a>), and in Jan 2018 published an <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677066/NIS_Consultation_Response_-_Analysis_of_Responses.pdf">analysis of consultation responses</a> and its own <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf">policy response</a>.<br />
<br />
But in March 2018 it then launched a <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/694290/DSP_Targeted_Consultation__Final_.pdf">separate targeted consultation just on digital service providers (DSPs)</a>, or "relevant DSPs" (RDSPs) as the UK calls them - with a closing date for responses 29 April 2018.<br />
<br />
<b>Cloud providers with EU HQs in the UK</b> may want to respond - whether <b>IaaS, PaaS or SaaS</b>. So may other RDSPs (basically, <b>online marketplaces</b> and search engines). This is because under the UK proposals, among other things:<br />
<br />
<h4>
<u>Registration</u> </h4>
RDSPs may have to <b>register with the UK Information Commissioner (ICO)</b>, and possibly pay an <b>annual fee</b>.<br /><ul>
<li><a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/694290/DSP_Targeted_Consultation__Final_.pdf">UK proposal</a>: "We are considering making registration mandatory" (p.5)... "it is expected that the ICO... will levy an annual fee on DSPs, in addition to recovering direct costs involved in any regulatory investigations" (p.12)</li>
</ul>
<h4>
<u><br /></u></h4>
<h4>
<u>Security</u></h4>
<div>
RDSPs have obligations under the NISD regarding the "<b>security of network and information systems"</b> and their physical environment:<br /><ul>
<li>This means the ability of "network and information systems" to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems</li>
<li>"Network & information systems" means electronic communications networks; any device or <b>group of interconnected or related devices</b>, if one or more "pursuant to a program" perform automatic processing of digital data; or <b>digital data</b> stored, processed, retrieved or transmitted by the above for their operation, use, protection and maintenance.</li>
<ul>
<li>Note: this means <b><u>any digital data and systems</u> </b>- even if <i><b>not</b></i> personal data (unlike under the GDPR)</li>
</ul>
<li>See the <a href="http://eur-lex.europa.eu/eli/reg_impl/2018/151/oj/eng">implementing Regulation</a> for mandatory security elements (including <b>security of supplies</b>, not just access controls etc.); and ENISA's technical guidelines for DSPs' implementation of <a href="https://www.enisa.europa.eu/publications/minimum-security-measures-for-digital-service-providers/at_download/fullReport">minimum security measures</a>.</li>
</ul>
<h4>
<u><br /></u></h4>
<h4>
<u>Incident notification</u></h4>
</div>
<div>
RDSPs must notify the ICO "as soon as possible <b>and in any event <u><span style="color: red;">no later than 72 hours</span></u></b> after the service provider is aware that a security incident has occurred", in cases where the incident has a "<b>substantial impact</b>" on the provision of any of its "digital services" (cloud, online marketplace etc.).</div>
<div>
<ul>
<li>This <b style="text-decoration-line: underline;">absolute 72-hour max. deadline</b> for security breach notification is:</li>
<ul>
<li><b><u>tougher than under the GDPR</u></b>, which only requires "without undue delay and, where feasible, not later than 72 hours after having become aware of it" for controllers to report personal data breaches to regulators</li>
<li><b><u>tougher than the deadline for operators</u></b> of essential services (basically, critical infrastructure providers), where the UK government <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf">said</a> (p.12-13) that it would follow the GDPR's deadline.</li>
</ul>
<li>An "incident" is any event having an <b>actual adverse effect</b> on the "security of network and information systems" (see above)</li>
<ul>
<li>This includes incidents affecting <b>non-personal data</b></li>
</ul>
<li>"Substantial" impact (see <a href="http://eur-lex.europa.eu/eli/reg_impl/2018/151/oj/eng">implementing Regulation</a>) - factors include: no. of users affected (RDSPs need to implement a way to work that out - contracts or past traffic data), duration, geographical area, extent of service disruption, extent of impact on economic and societal activities, including:</li>
<ul>
<li>service unavailable for more than <b>5m user-hours</b> (a "user-hour" being one affected EU user for a duration of 60 minutes, so affected EU users multiplied by hours of unavailability)</li>
<li>loss of integrity, authenticity or confidentiality of stored, transmitted or processed data or the related services offered by or accessible via a network and information system of the DSP, affecting more than <b>100k EU users</b></li>
<li>incident created risk to public safety, public security or of loss of life, or</li>
<li>incident caused material damage of <b>over €1m</b> to <b>at least one EU user</b></li>
</ul>
<li>See further ENISA guidelines on <a href="https://www.enisa.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive/at_download/fullReport">incident notification for DSPs</a>.</li>
</ul>
<h4>
<u><br /></u></h4>
<h4>
<u>Penalty for breach</u></h4>
</div>
<div>
Up to <b><u>£17m</u></b> under the <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf">UK policy response</a> (p.16), with the additional risk of also being fined for the same incident under separate laws</div>
<div>
<ul>
<li>"The Government does not believe that ‘double jeopardy’ can be completely removed, without undermining either the NIS Regulations or other UK legislation" - including the GDPR</li>
<li>A breach includes "failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority, failure to implement appropriate and proportionate security measures".</li>
</ul>
<h4>
<u><br /></u></h4>
<h4>
<u>Critical infrastructure services, and contracts</u></h4>
</div>
<div>
The UK proposes that, if an <b>operator of essential services</b> relies on any RDSP for providing an essential service (which is critical for economic and societal functions - <b>utilities, healthcare, transport</b>, IXPs, DNS service providers, TLD name registries), the operator must notify its competent authority (the authority varies with sector) of any <b>significant impact</b> to the provision of that service caused by a security incident [<i>presumably, at the RDSP</i>] "<b>as soon as the incident occurs</b>".<br /><ul>
<li>This is on top of the requirement for RDSPs to notify the ICO.</li>
<li>Much headscratching. How can an operator notify "as soon as" an incident at its RDSP occurs, when any "significant impact" may take a while to materialise? Cart and horse problem - surely an incident pre-dates its impact, not vice versa? Operators may wish to invest in time machines...</li>
<li>Also, how will an operator know about incidents at an RDSP that it relies on for providing its essential service?</li>
<ul>
<li>There's no statutory obligation on RDSPs to notify their <i>customers</i> such as operators - a gap I pointed out some time ago.</li>
</ul>
<li>So, operators will have to, by 9 May (!):</li>
<ul>
<li>Work out if their essential services rely on any RDSP services</li>
<li><b>Update their contracts</b> with the "relied on" RDSPs to require RDSPs to notify operators of security incidents at the RDSP "as soon as the incident occurs". (Yes, many false positives are possible)</li>
<li>Implement mechanisms (which many operators may already have in place) to work out how "significant" an incident's impact is. (Note: the factors for operators to determine impact are similar to, but <i>not </i>the same as, those for DSPs)</li>
</ul>
</ul>
If you're a UK cloud services provider or UK critical infrastructure provider that relies on a cloud service, you may want to <a href="https://dcms.eu.qualtrics.com/jfe/form/SV_7Qx0aNdeXmcEQm1">respond online</a> or <a href="mailto:niscallforviews@culture.gov.uk">by email</a> before 21 April.</div>
<h4>A GDPR Carol (2017-12-25)</h4>
They've wished us a GDPR, they've wished us a GDPR<br />
They've wished us a GDPR – and a very long year<br />
Good guidance we need, but what will we see?<br />
They've wished us a GDPR – and a very long year!<br />
And we won't sleep until we've got some, we won't sleep until we've got some -<br />
We're weeping because we've got some (!) – and a very long year<br />
<i>[Repeat ad nauseam:]</i><br />
They've wished us a GDPR, they've wished us a GDPR<br />
They've wished us a GDPR – and a very long year…<br /><br />
<i>© Kuan Hon licensed under Creative Commons <a href='https://creativecommons.org/licenses/by/2.0/'>CC BY 2.0</a> so share if you wish! <a href="https://creativecommons.org/licenses/by/2.0/">https://creativecommons.org/licenses/by/2.0/</a>
</i>
<h4>GDPR - processor to "immediately inform" - indentation matters! (2017-10-06)</h4>
The diagram below encapsulates a brief history of the legislative progress of <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG">GDPR</a> Art.28(3)(h) and the final subparagraph of Art.28(3), and a processor's obligation to "immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions". Click on the image to enlarge it.<br />
<br />
From a separate sub-paragraph, to indented at the same level, to joined into the same paragraph, to separated out again... and each of those changes can alter the meaning!<br />
<br />
For the links to these travaux préparatoires documents, and discussion of this and other controller/processor contract and liability issues in response to the <a href="https://ico.org.uk/about-the-ico/consultations/consultation-on-gdpr-guidance-on-contracts-and-liabilities-between-controllers-and-processors/">UK ICO's recent consultation</a>, please see my <a href="https://www.scl.org/articles/10017-data-protection-controllers-processors-contracts-liability-the-ico-draft-guidance">SCL article</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF-OpHy2eY2gMYFhNj4NLbYtx4JmvgK4RIv2wCn_eF7X_eRnGsAoIn4lfVgELTxB8DXZaUw0Ji_61HQ_UIDb4zsFjxLv_JCUBj5mHHDNb_PVuSo7tXFOahEjUJy-YGu8Jqy4IrieVQN26L/s1600/immediatelyInform-h.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF-OpHy2eY2gMYFhNj4NLbYtx4JmvgK4RIv2wCn_eF7X_eRnGsAoIn4lfVgELTxB8DXZaUw0Ji_61HQ_UIDb4zsFjxLv_JCUBj5mHHDNb_PVuSo7tXFOahEjUJy-YGu8Jqy4IrieVQN26L/s400/immediatelyInform-h.png" /></a></div>