Collection of Personal Data – 4/2021
Originally published: newspaper “Estia” (in Greek)
Date: 25/02/2021
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
Cybersecurity – Safe browsing
On the occasion of World Safer Internet Day, the National Cyber Security Authority of the Ministry of Digital Government has published useful guidelines for enhancing cyber security and privacy in cyberspace. Regarding the use of passwords for online accounts, it is pointed out that they should be complex. The ideal password should contain a combination of numbers, symbols, uppercase and lowercase letters. Its length must be between 10 and 12 characters. The use of personal data, common words written backwards, as well as sequences of numbers and characters should be avoided. The use of 2-factor authentication is also recommended, when possible.
Cyprus – Coronavirus detection
The Office of the Commissioner for Personal Data Protection (Commissioner) warns against announcing aloud the personal data of persons who have undergone a rapid coronavirus test. As stated, this practice has been repeatedly observed among employees of some test centers at the time the results are received. According to the Commissioner, this behavior carries risks for the affected persons and violates the General Data Protection Regulation, known as the GDPR. This is another guideline from the supervisory authority addressing the new challenges that the pandemic poses in the field of personal data.
Estonia – “Deepfakes”
The Estonian Foreign Intelligence Service (EFIS) is sounding the alarm about “deepfakes” in its annual report on international security issues. It is recalled that “deepfake” technology uses artificial intelligence to create synthetic media, e.g. videos, in which real people appear to act in a realistic way, although the person shown is not actually them. “Deepfakes” can be used in particular to commit fraud and extortion, to circumvent security measures for authenticating users, and in the context of fake news. According to the report, the risk will become extremely high when technological advances allow the creation of “deepfakes” so convincing that it is impossible to detect the sham with the human eye.
Spain – Web conferencing
The Spanish Data Protection Authority has issued basic guidelines for protecting privacy and security when conducting web conferences. Recalling the incident last November, when a Dutch journalist managed to enter an online conference call of the European Union Defense Ministers, the supervisory authority stressed the importance of implementing basic protection measures. Among other things, it is pointed out that teleconferences should not be recorded unless necessary. Where recording is necessary, participants should be informed of the purpose of the recording, as well as of its starting and ending time. This information can be provided in an automated way.
Finland – School Photos
A Finnish school photography company had adopted the practice of incorporating reduced-size black-and-white photographs into its invoices. According to the company, this method ensured the correct matching of photos and invoices for its customers. In the case that was the subject of the complaint, the invoice was then forwarded to a debt recovery company to pursue its payment. Therefore, the content of the photos was also forwarded. The Finnish Data Protection Authority found in this case a violation of the GDPR's fundamental principle of data minimization, which requires the processing of personal data to be limited to what is necessary. Under that principle, the practice was unnecessary from the outset for achieving the purpose of correctly sending the photographs to customers. Therefore, it was unjustified.
INTERPOL – Southeast Asia
INTERPOL points out the main cyber threats in the region of the Association of Southeast Asian Nations (ASEAN) in a recent report. As it turns out, the increased use of the internet due to the pandemic has led to an increase in cybercrime. At the top of the list of cyber threats are, among others, Business E-mail Compromise, where the perpetrators interfere in the online communication between trading professionals, persuading them to deposit money in different bank accounts than originally agreed. Also on the list is phishing, where the perpetrators pretend via e-mail to represent an existing company, e.g. a bank, seeking to extract personal and financial data of the recipient.