Privacy

EU's New Data Protection Rules Come Into Effect

The European Union's new data protection laws came into effect on Friday, with Brussels saying the changes will protect consumers from being like "people naked in an aquarium". The EU's so-called General Data Protection Regulation (GDPR) has been blamed for a flood of spam emails and messages in recent weeks as firms rush to request the explicit consent of users to contact them. Even though the rules were officially adopted two years ago, with a grace period until now to adapt to them, companies have been slow to act, resulting in a last-minute scramble this week.

Britain's data protection watchdog, the Information Commissioner's Office (ICO), said that its site had experienced "a few interruptions" as the deadline loomed, but said that "everything is working now". Brussels insists that the laws will become a global benchmark for the protection of people's online information, particularly in the wake of the Facebook data harvesting scandal. "The new rules will put the Europeans back in control of their data," said EU Justice Commissioner Vera Jourova.

"When it comes to personal data today, people are naked in an aquarium." Companies can be fined up to 20 million euros (£24 million) or four percent of annual global turnover for breaching the strict new data rules for the EU, a market of 500 million people.

- Explicit consent -

The law establishes the key principle that individuals must explicitly grant permission for their data to be used. The new EU law also establishes consumers' "right to know" who is processing their information and what it will be used for. People will be able to block the processing of their data for commercial reasons and even have data deleted under the "right to be forgotten".

Parents will decide for children until they reach the age of consent, which member states will set anywhere between 13 and 16 years old. The case for the new rules has been boosted by the recent scandal over the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election. The breach affected 87 million users, but Facebook said Wednesday it has found no evidence that any data from Europeans were sold to Cambridge Analytica.

Facebook chief Mark Zuckerberg said in a hearing at the European Parliament on Tuesday that his firm will not only be "fully compliant" with the EU law, but will also make huge investments to protect users. Zuckerberg said he was "sorry" for the Cambridge Analytica breaches, but also for its failure to crack down on election interference, "fake news" and other data misuses.

- 'Global standard' -

Big platforms like Facebook, WhatsApp and Twitter seem well prepared for the new laws, while smaller businesses have voiced concern. But EU officials say they are initially focusing on the big firms, whose business models use a goldmine of personal information for advertising, while offering smaller firms more time to adapt. Meanwhile Brussels has expressed impatience with the eight countries -- out of the EU's 28 -- that say they will not have updated their laws by Friday.

EU Commissioner Jourova said the new rules are setting "a global standard of privacy". Many Americans who once criticised Europe as too quick to regulate the new driver of the global economy now see the need for the GDPR, EU officials insist. "I see some version of GDPR getting quickly adopted at least in the United States," Param Vir Singh, a business professor at Carnegie Mellon University, told AFP in an email.

Japan, South Korea, India and Thailand are also drawing "some inspiration" from Brussels as they debate or adopt similar laws, another EU official said.

Senator Asks DoD to Secure Its Websites

Senator Ron Wyden (D-Ore.) on Tuesday asked the chief information officer at the U.S. Department of Defense (DoD) to take immediate action to ensure that the organization's websites use HTTPS. The senator noted that some of the DoD's websites, such as the ones belonging to the NSA, the Army and the Air Force, do use HTTPS by default and certificates trusted by major web browsers, but many other sites either don't use HTTPS at all or they rely on digital certificates issued by the DoD Root Certificate Authority.

Certificates issued by the DoD itself trigger security warnings in browsers. The list of websites that do not use HTTPS includes the ones of the Navy, Marines, and even the CIO's official website hosted at dodcio.defense.gov.

Sen. Wyden believes the security warnings displayed for HTTP sites will "erode the public's trust in the Department and its ability to defend against sophisticated cyber threats" and "actively degrade the public's security by teaching users to treat security warnings as irrelevant." The lawmaker has pointed out that memo M-15-13 issued by the Office of Management and Budget (OMB) in 2015 requires all federal agencies to secure their websites by enabling HTTPS and enforcing HSTS. Furthermore, a Binding Operational Directive issued last year by the Department of Homeland Security (DHS) requires all agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS.

The senator also noted in his letter that Google's Chrome web browser will soon start marking HTTP pages with a red "Not Secure" warning. The CIO of the DoD, Dana Deasy, has been instructed to direct all agencies to enable HTTPS with HSTS on all public web services, obtain and deploy certificates trusted by major browsers, and evaluate the use of shorter-lived certificates such as the ones offered by Let's Encrypt. An action plan and progress report must be provided by the DoD by July 20.
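The requirements the letter cites (redirect HTTP to HTTPS, serve HSTS, use a browser-trusted certificate) can be checked against captured responses. The following is an added example, not code from the article or from the DoD; the sample captures, the `example.mil` host and the one-year `MIN_MAX_AGE` threshold are constructed assumptions rather than values taken from the memo.

```python
# Added example, not from the article: check captured HTTP/HTTPS responses against the
# letter's requirements (HTTPS redirect, HSTS, browser-trusted certificate). Sample captures
# are constructed; MIN_MAX_AGE is an assumed threshold (one year), not a value from the memo.
import re
from dataclasses import dataclass
MIN_MAX_AGE = 31536000  # assumed: one year in seconds

@dataclass
class Response:
    status: int
    headers: dict
    cert_trusted: bool = True  # does the chain validate against a browser root store?

def header(resp, name):  # case-insensitive header lookup; None when absent
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), None)

def parse_hsts(value):  # -> (max_age, include_subdomains) from a Strict-Transport-Security value
    max_age, include_sub = None, False
    for d in (p.strip().lower() for p in value.split(";")):
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_site(http_resp, https_resp):
    """Return a list of findings; an empty list means the host meets the requirements."""
    findings = []
    location = header(http_resp, "Location") or ""
    if not (300 <= http_resp.status < 400 and location.lower().startswith("https://")):
        findings.append("http: does not redirect to https")
    if not https_resp.cert_trusted:
        findings.append("https: certificate not trusted by major browsers")
    hsts_value = header(https_resp, "Strict-Transport-Security")  # only meaningful over HTTPS
    if hsts_value is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        max_age, include_sub = parse_hsts(hsts_value)
        if max_age is None or max_age < MIN_MAX_AGE:
            findings.append(f"hsts: max-age {max_age} below {MIN_MAX_AGE}")
        if not include_sub:
            findings.append("hsts: includeSubDomains missing")
    return findings

# Constructed sample captures (example.mil is a placeholder, not a real host).
COMPLIANT = check_site(Response(301, {"Location": "https://example.mil/"}),
                       Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
NONCOMPLIANT = check_site(Response(200, {"Content-Type": "text/html"}),
                          Response(200, {"strict-transport-security": "max-age=300"}, cert_trusted=False))
```

The `cert_trusted` flag stands in for a real chain validation against a public root store; a certificate from the DoD Root CA would set it to False and be reported.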

The senator is well regarded by many in the cybersecurity industry for his initiatives. One of his advisers is privacy researcher and activist Christopher Soghoian, formerly principal technologist at the American Civil Liberties Union.

Related: Security of U.S. Government Sites Improved Only Slightly

Related: DMARC Not Implemented on Most White House Email Domains
