Do you know what is your child’s age requirement to sign up online?

As the Internet permeates every aspect of the economy and society, it is also becoming an essential element of our children’s lives. While it can bring considerable benefits for their education and development, it also exposes them to online risks such as access to inappropriate content, harmful interactions with other children or with adults, and exposure to aggressive marketing practices.

Children online can also put their computer systems at risk and disseminate their personal data without understanding the potential long-term privacy consequences.

In addition, there are other risks for children using online environments, such as:

–Privacy risks

-cyber-bullying

-cyber-stalking

-age-inappropriate content

-online grooming

-identity theft

-emotional implications.

Beside support and guidance from parents when using the online environment, an appropriate mental development and understanding is important for a child when using an online platform. For these reasons, in both the United States and the European Union, a minimum age requirements for accessing the “online world” was set as a legal requirement.

E-Crime Expert thinks that the minimum age requirements a child should meet when signing up for an email account, Facebook, etc., should be a topic of interest for parents. For these reasons, we researched the minimum age requirements on some of the most popular online sites and platforms.

The Children’s Online Privacy Protection Act (COPPA) in United States applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children’s privacy and safety online including restrictions on the marketing to those under 13. While children under 13 can legally give out personal information with their parents’ permission, many websites altogether disallow underage children from using their services due to the amount of work involved.

In the European Union, the European Commission released in January 2012, a Proposal on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

This Proposal has specific requirements with regards to Children. They deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.

“Article 8
Processing of personal data of a child

For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. The controller (i.e. the person in charge with the collection, use and disclosure of personal data) shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology”.

Following, are the minimum age requirements for children using different Internet websites or Social Networking Services and other online platforms:

 1.      Facebook:

How old do you have to be to sign up for Facebook?

In order to be eligible to sign up for Facebook, you must be at least 13 years old.

The minimum age requirement on Facebook is more or less enforceable. Simply lying about your birthdate easily circumvents the policy.

The Children’s Online Privacy Protection Act (COPPA) mandates that websites that collect information about users aren’t allowed to sign on anyone under the age of 13. As a result, Facebook’s Statement of Rights and Responsibilities require users of the social network to be at least 13 years old (and even older, in some jurisdictions).

According to MinorMonitor, over 38 percent of children with Facebook accounts are 12-years-old and under. Even more worryingly, 4 percent of children on Facebook are reported to be 6-years-old or younger, which translates to some 800,000 kindergarteners on Facebook.

These results come from a survey of 1,000 parents of children under 18-years-old who use Facebook. The company provides a free, web-based parental tool that gives parents a quick view into their child’s Facebook use, including potential dangerous activities such as the friending of online predators, cyberbullying, violence, drug and alcohol use, as well as sexual references.

2.      Google:

Age requirements on Google Accounts:

•  United States: 13 or older
•  Spain: 14 or older
•  South Korea: 14 or older
•  Netherlands: 16 or older
•  All other countries: 13 or older

Some Google products have specific age requirements. Here are a few examples:

• YouTube: When a YouTube video has been age-restricted, a warning screen is displayed and only users who are 18 or older can watch it. Learn more about age-restricted videos.
• Google Wallet: 18+
•  AdSense: 18+
•  AdWords: 18+

3.      Yahoo

When a child under age 13 attempts to register with Yahoo!, they ask the child to have a parent or guardian create a Yahoo! Family Account to obtain parental permission.

Yahoo! does not contact children under age 13 about special offers or for marketing purposes without a parent’s permission.

Yahoo! does not ask a child under age 13 for more personal information, as a condition of participation, than is reasonably necessary to participate in a given activity or promotion.

Yahoo! is concerned about the safety and privacy of all its users, particularly children. For this reason, parents of children under the age of 13 who wish to allow their children access to the Yahoo! Services must create a Yahoo! Family Account. When you create a Yahoo! Family Account and add your child to the account, you certify that you are at least 18 years old and that you are the legal guardian of the child/children listed on the Yahoo! Family Account. By adding a child to your Yahoo! Family Account, you also give your child permission to access many areas of the Yahoo! Services, including, email, message boards and instant messaging (among others). Please remember that the Yahoo! Services is designed to appeal to a broad audience. Accordingly, as the legal guardian, it is your responsibility to determine whether any of the Yahoo! Services areas and/or Content are appropriate for your child.

4.      Hotmail

As on Hotmail’s Terms of Use is no reference to the age requirements to join the service, we did our own registration and it appears that 13 is the age requirement for joining Hotmail, as shown below:

I.                   Attempt indicating the user is 6 years old

Step 1   

Step 2                        

Step 3

 

II.                Second attempt, indicating the user is 13 years old.

Step 1

Step 2

 

5.        MySpace 

• You must be at least 13 years old to have a Myspace profile
• If you’re under 16 years old, you’re not allowed to list your age as over 16 and make your profile public (your profile must be set to private)
• If you’re under 18, you’re not allowed to list your age as over 18
• Users under 18 are not able to make changes to their listed age

Notes & Tips

• If you break any of the above rules, MySpace will be forced to delete your profile for safety and security reasons (it’s all in their Terms of Use)

6.      Skype

Skype not directly sets up an age restriction within their Terms of Use.

“Jurisdiction’s Restrictions: If the law of Your country prohibits You from downloading or using Skype Software because You are under the age limit or because the Skype Software is not allowed in Your country, please don’t use it”.

According to this, for US the minimum age requirement is 13 + (COPPA).

7.      LinkedIn

PRIVACY POLICY, 18!

In terms of LinkedIn’s Privacy Policy:

 ”Children are not eligible to use our service and we ask that minors (under the age of 18) do not submit any personal information to us or use the service.”

8.      Twitter

Age screening on Twitter

Age screening is a way for brands and others to determine online whether a follower meets a minimum age requirement, in a way that is consistent with relevant industry or legal guidelines. This makes it easier for advertisers and others with content not suitable for minors (e.g. alcohol advertisers) to advertise on Twitter.

There apparently, is now age restriction for setting up an account on Twitter (as we set it up without being asked about our age). See below:

Step 1

Step 2: Done!

For more advice on how children could stay safe online (you could also share this with your child), click here to visit the material E-Crime Expert specially created for this purpose.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

What to do in case of credit/payment card fraud: real life example!

This weekend E-Crime Expert encountered a financial fraud which happened to us in real life. Money was fraudulently withdrawn from our (Dan’s) account. Luckily, we immediately identified the fraud which enables us to cancel the card and report the fraud in order to be reimbursed.

1.      How it could be detected:

i. Go log into your online banking account (Fig. 1)

(I am using a mobile platform for my online banking)

Fig. 1.

ii. Type your user name or card number and password (Fig. 2)

 Fig. 2

iii. Select one of your accounts and then go through your transaction records carefully and see if there is any transaction you do not recognize (this is how I identified the fraud in my VISA account).Fig. 3.

Fig. 3

iv. Most likely the fraudulent transaction will be from a service provider or vendor that you had nothing to do with it (as it happened in my case) Fig. 4.

 Fig. 4

2. What to do if you suspect fraudulent activity:

 Despite your best efforts, there is still a chance that you will become a victim of payment card fraud. You will save yourself time and worry by following the steps below:

• Call your financial institution immediately. You can find the phone number easily on the back of your card (Fig. 5).

Fig. 5 

 It may want to cancel your current card and mail you a new one. Check to verify that your mailing address has not been changed.   

• If you still have your card, but fraudulent purchases have been made on the account, call your financial institution, and ask them to issue you a new one.   
• Contact the national credit bureaus to let them know you are a victim of fraud. They will place a “Fraud Alert” on your file. You can also request copies of your credit report, which you should review carefully. For North America:                                   Equifax: 1-800-465-7166 or www.equifax.ca
                                                                              TransUnion: 1-866-525-0262 or www.tuc.ca
• Diligently check your statements in the following months to make sure the problem has been completely resolved.
• Report the fraudulent activity to the proper authorities, including the police or to the Internet Crime Complaint Center:
  

i. Mastercard:

To successfully fulfill your mission of how to contact MasterCard fraud,

• you can call 800-627-8372.
• If you’re not in the United States, contact MasterCard fraud by calling 636-722-7111.
• If it’s an emergency related to possible fraud, MasterCard will accept international collect calls.

ii. Visa:

• Call the bank or other organisation that issued your card, if you know the telephone number. They will immediately block your card and organise a replacement
• If you do not have your card issuer’s telephone number, use the menu on the Global Card Assistance Directory page for help. 

To use the Global Card Assitance Service Directory Click here.

From the pull-down menu choose the country you are in now. Call the telephone number that appears in the right-hand box. Calls might be free but may carry local telecom fees if one dials using a mobile phone or calls from within a hotel.

If outside the US please make a reverse-charge call to +1 303 967 1096, if within the US, simply dial +1 800 847 2911.

3.  What you need to be prepare to provide when calling:

• The name of your card issuer
• The type of card — for example, Visa Electron, Visa Classic, Visa Gold
• The country where the card was issued

It will help if you can also tell them:

• Your 16-digit Visa/MasterCard account number
• If you have your own card account or a partner card
• Your name as it is printed on the card
• The address where your statement is sent
• Your home telephone number
• How the card went missing or what transaction you find illegitimate
• Other personal details that will be used as a security check to confirm your identity
• The identity of the primary cardholder, if you are the secondary cardholder.

4. Tips to stay safe:

i.                    How to prevent identity theft

Identity theft involves acquiring another person’s identification information (such as a social insurance number or any unique identifier) without a person’s knowledge for the purpose of impersonating him or her to commit fraud. The best defense against identity theft is to prevent thieves from getting the information in the first place.

Here are guidelines to follow:

• Never leave your purse or wallet unattended – keep your personal data and information guarded at all times.   
• Sign your credit and debit cards in permanent ink as soon as you receive them.   
• Call your card issuer if a new or reissued card does not arrive when expected.   
• Don’t carry your social insurance card, birth certificate, or passport in your wallet or purse unless it’s absolutely necessary. Cancel any inactive payment card accounts.   
• Never throw away receipts in a public trash container. When disposing of receipts or old statements, be sure to destroy the areas where the account number is visible. In general, you should keep all your receipts in a safe place to refer to if you suspect suspicious activity.
• Check your statements frequently and carefully. Be sure you are familiar with all account activity on the statement. If you find an unauthorized or questionable transaction, call the appropriate organizations immediately.
• Do not write your credit or debit card account number on a cheque, or use it for identification when paying by other means.
• If your social insurance card or driver’s license is missing, contact the appropriate agency immediately.
• Never give any payment card, bank, or social insurance information to anyone by telephone, even if you made the call, unless you can positively verify that the call is legitimate and there is a true need for the information.
• Keep a list of all your credit accounts and bank accounts in a secure place so you can quickly call the issuers to inform them about missing or stolen cards. Include account numbers, expiration dates, and telephone numbers of customer service and fraud departments.
• Make a note of when your financial statements arrive each month. If your statements stop arriving, contact your bank immediately.
• Obtain a copy of your credit report once a year from one of the national credit bureaus. You are entitled to a free copy of your report if you are denied credit. Otherwise, most credit bureaus will charge a small fee. If the report data is incorrect, write the credit bureau immediately and keep a copy of your letter.

 ii.                  How to prevent fraud while using your payment card

Payment cards are used everyday by billions of people throughout the world. By following the steps below, you will significantly reduce the chances of fraudulent activity occurring on your account:

• When making a purchase, keep your card in view at all times. Retrieve the card as soon as the transaction is complete and make sure it is yours.
• Memorize your passwords and personal identification numbers (PINs) so you do not have to write them down. Be aware of your surroundings; make sure no one is watching you input your PIN.
• Never sign a blank receipt slip. Draw a line through any blank amount lines that appear above the total amount line.
• Save all of your receipts so you can refer to them at a later time. Never discard your receipt in a public trash container.
• Do not provide your account number over the phone unless you are positive the call is legitimate and there is a legitimate purpose to disclose your account number. Never provide your number over the phone if you didn’t initiate the call.
• Avoid saying your account number aloud at a merchant location or over the phone if others can hear.

iii.                How to prevent fraud while shopping online

Shopping online opens up a world of choices and convenience – as well as some risks that require extra vigilance. Here are some tips to ensure that your online shopping experience remains safe and enjoyable:

• Make sure you are doing business with a reputable Internet merchant. Check with the Better Business Bureau or provincial and local consumer agencies to find out about past complaints or experiences from other customers. You can also look for the following information on the website to check if a merchant is reputable:
  • Privacy policy – A reputable website often has a clearly stated privacy policy in an accessible place. Read the privacy policy so you know exactly how the merchant intends to use your information.
  • Information about the offer – make sure you learn all you can about the offer, including the delivery date, terms of warranty, cancellation policies, how to contact the company if you have questions, etc.
  • Information about the merchant – make sure to find the company’s physical address and telephone number.
  • Security – Reputable websites often provide information about how they protect your financial information when it is transmitted and stored.
• Guard your personal information. Don’t provide information that you are uncomfortable giving. Never give anyone the password that you use to log on to your Internet Service Provider or online bank account.   
• Keep records. Print out all information about your online transaction and keep it in a safe place to refer to at a later time.   
• Pay with a payment card – as this is often the safest way to pay online. In North America, the cardholder has the right to dispute charges if the goods or services were misrepresented or never delivered. Also, you are not responsible for fraudulent purchases made on your account.   
• Make sure the merchant that you are dealing with has proper security measures in place. Your computer browser can tell you if the place where you are about to send the information is secure. Look for an unbroken key or closed lock at the bottom of the browser window. If you cannot determine this, do not put your credit or debit card information over the Internet.
• Hover the weblink on the browser you are using to see if there is no hidden link from a fake or illegitimate cloned website.

iv.                 Setting up your best security for your Visa Card:

Visa has developed several layers of fraud prevention and detection systems and programs, giving you multiple checkpoints for security to protect your business and make transactions more secure. Visa’s Layers of Security complement each other and work together, so by implementing multiple services you can help reduce your risk of fraud.

The Layers of Security:

Layer # 1 – Chip & PIN

Many Visa cards now contain a micro-computer chip that securely stores encrypted information to complete transactions. As well, Personal Identification Numbers (PINs) are used for cardholder authentication when chip cards are used in Canada. This helps make counterfeiting virtually impossible.

Layer # 2 – Verified by Visa

The Verified by Visa (VbV) program is a worldwide service that confirms a cardholder’s authenticity in real time. This helps protect merchants from fraudulent transactions and chargebacks, while protecting cardholders from unauthorized use of their Visa cards.

Layer # 3 – Three-digit Code (CVV2)

The CVV2 is a three-digit security code on all Visa cards that helps ensure a customer making an online or phone purchase has a genuine Visa card in hand.

Layer # 4 – Address Verification Service (AVS)

When fraudsters try to order online, by mail or by phone, AVS can help stop them in their tracks. Account number information obtained from a receipt or a stolen card does not include an address or postal code. AVS checks a cardholder’s address and/or postal code against the card issuer’s records in real time, giving you the opportunity to stop a transaction if desired.

Layer # 5 – Visa Advanced Authorization (VAA)

Available through most card issuers, VAA lets you immediately identify and respond to emerging fraud patterns and trends. As transactions are processed through VisaNet^® Advanced Authorization, VAA evaluates an authorization request data in real time and assesses and assigns a risk rating – helping you better identify potential fraud.

5.      Additional contact numbers for Canada only:

MasterCard Issuer Security Phone Numbers in Canada:

ATB Financial:		1-800-661-2266
BMO Bank of Montreal:		1-800-361-3361
Bridgewater Bank:		1-866-398-4404
Canadian Tire Bank:		1-800-459-6415
Capital One Canada:		1-800-481-3239
CIBC:		1-800-663-4575
Citibank Canada:		1-800-305-7259
Credit Union Electronic Transaction Services:		1-800-567-8111
Direct Cash Bank:		1-888-466-4043
GE Money Canada:		1-800-243-2222
HSBC Bank Canada:		1-866-406-4722
MBNA Canada:		1-800-379-2744
National Bank of Canada:		1-888-622-2783
Peoples Trust:		1-866-452-1138
President’s Choice Bank:		1-866-246-7262
RBC Royal Bank:		1-800-361-0152
Sears Canada:		1-800-288-9965
Walmart Financial Services Canada:		1-888-925-6218
Wells Fargo Financial:		1-888-295-0050

 If you have any question you could contact: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

18 Blogs with Techniques for Preventing Identity Theft

Our concern for privacy and information security aims to cover most of our daily life areas from IT, Social Networking Services, Online Commerce, to children or why not nannies.

For this reason, E-Crime Expert is glad to have NannyWebsites.com as a guest today.  NannyWebsites.com is the most comprehensive guide for nannies seeking advice, support and information. It helps gaining resource for nannies, nanny employers and those interested in in-home childcare on the web. You can check out their website here.

The blog post bellow is provided by NannyWebsites.com.

“Identity theft has become an increasing problem as our world shifts to being more online and mobile.  Many people feel like there is no way to keep their information safe should someone want to steal it.  Is this the case, or are there things that you can do to make your information harder to steal?  These 18 blog entries touch on what you can do to protect your identity online, at work and when you are out and about living your life.  The press is doing an admirable job of bringing scams to light so that the public can be better informed and thus better able to protect sensitive information.  To learn what you need to know to keep your personal information safe, keep reading.

Online

With more and more people shopping and banking online, keeping your information safe from thieves becomes both more important and more difficult.  Avoid common or easy to guess passwords, as many times you are making the thief’s job easier.  For more online safety tips, take a look at these six blog posts.

• How to Prevent Identity Theft and Stay Safe Online (Infographic) Learn how to protect yourself online and what makes a password a good one.
• How You, and Google, Can Help Prevent Identity Theft Tips from Google on how to secure your personal information to prevent identity theft.
• Tips to be Safe Online and Prevent Identity Theft in 2013 Advice about online passwords and shopping online are shared by an expert in web design.
• How to Protect Your Online Security This blog post suggests that you avoid mobile banking and to be careful where you shop when you shop online.
• Tips to Prevent Identity Theft Steps to protect your information from dumpster divers is covered in this entry.
• Protecting Your New Smartphone Learn how to encrypt your data on your phone, as well as many other steps to protect yourself.

At Work

While your employer likely has their own security measures in place, you still need to make sure that you are keeping your personal information safe from hackers or other co-workers.  When you go to a meeting make sure that your desk and computer are locked.  Don’t get your personal e-mail on your work computer, as that information can stay in that computer, even if you delete it.  To learn more important safeguards, read these six blog articles.

• Tips to Avoid Identity Theft at Work The use of shredders and protected software are discussed in this blog post.
• Workplace Information Protection An extensive article about security measures that can and must be taken at the workplace.
• Identity Theft in the Workplace Sensitive information about employees is kept at the workplace, and many times thieves will have inside help at accessing that information.
• Preventing Identity Theft in the Workplace This post is full of tips regarding avoiding personal e-mail on your work computer, as well as many other ideas for keeping your information safe.
• Identity Theft in the Workplace: Protect Sensitive Customer Information Methods of collecting sensitive data are discussed in this post.
• Protect Yourself from Workplace Identity Theft Learn how to keep your information safe while you are at work by creating unique passwords and locking your computer when you are away from your desk.

Out and About

If you pay for your gas and other snacks with a credit card that you can tap and go, you may want to stop using it.  While it’s a convenient way to pay for things, it’s also an easy way for a thief to pick up the credit card number at the same time.  When you are out for dinner and you pay the bill by sending your credit card with the waiter, you may want to keep an eye on him.  Specialized equipment designed to steal credit card numbers in a hurry have been found in various restaurants.  Check out these six blog articles and learn more about identity theft scams going on today and how to avoid becoming a victim.

• Prevent Identity Theft When Using a Public Computer Tips about deleting your browser history and clearing any sensitive information when you are done are covered in this blog entry.
• Shredding will Help Prevent Identity Theft Be careful not to throw away any piece of mail or paperwork that may have sensitive information on it without shredding it.
• How to Avoid Identity Theft Keep your wallet safe and remember to avoid carrying your social security card in your wallet.
• How to Help Prevent Identity Theft—10 Easy Ways To keep your credit card safe at a restaurant make sure that you keep it visible at all times so that your credit card number is not stolen.
• Tips to Avoid Id Theft When Traveling Abroad Alert your credit card company that you will be traveling and make sure that you keep your electronics secured at all times.
• Identity Theft Scams and How to Avoid Them Many common scams and different techniques to stay safe are discussed on this blog post”.

To read the original Article click here.

If you have any question you could contact: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Privacy Impact Assessment (PIA)

Happy New Year!

We are back with a fresh Article on Privacy Impact Assesment.

What is a Privacy Impact Assessment (PIA)?

Privacy Impact Assessment is a process to determine the impacts of a program, system, service, scheme, initiative, application, information system, policy or administrative practice, or database, called for the purpose of this article as “project,” on an individual’s privacy and the ways to mitigate or avoid any adverse effects (risks).

Conducting a PIA is a good business practice that should be considered in a similar way to financial, legal, operational, and IT practices prior to proceeding with a new project development.

This Article was written by Dan Manolescu. If interested, you could read the full Article published by InfoSec Institute here.

If you would like to find out more about InfoSec, you could visit this page here.

Dan Manolescu is now a frequent contributer for InfoSec Institute.

If you have any questions please contact us at: dan@e-crimeexpert.com

Privacy versus Data Protection

Today, E-Crime Expert presents the main similarities and differences between privacy and data protection concepts mainly from two different legislative perspectives:  Canada and the European Union (EU), and briefly from the United States (US).

Also, this blog post provides the main privacy and data protection legislative acts from Canada and EU as a useful resource for those interested or working in this field.

Last but not least, you could find bellow the full EU Data protection revision 2012 package.

I.      US versus EU versus Canada

-The United States (US) and European Union (EU) have different concepts regarding personal information and private data, such as Privacy in the US versus Data Protection in the EU.

–US’s approach to privacy focuses on narrowly applicable legislation.

• sector-based,
• with a mix of legislation,
• regulation and self-regulation,
• focusing on the protection of personal information by specifically addressing a particular industry sector (i.e. medical information, online transactions, credit check, etc)
• regulating data collected by the federal government

– EU has a more comprehensive approach.

• set of rights and principles for personal data treatment (processing),
• without considering that the data is held in the public or private sector,
• protects just natural persons not legal entities
• the relation between data protection and the economic value as a proper balance between fundamental rights and free flow of information (which has economic value).
• by granting data protection as a fundamental right, the aim is to protect the individuals but also to encourage the free flow of information, giving data subjects legal certainty and encouraging them to not negatively affect the exchange of information and data

-Canada – similar level of protection to the EU one.

• Privacy is regulated by the government at the federal and provincial level:
  • The Privacy Act (federal level for private information held by the gov),
  • PIPEDA (federal level for private sector),
  • PIPA (provincial level for private sector, Alberta for example),
  • FOIP (provincial level for public sector, Alberta for example),
  • HIPA (federal level for health information),
  • HIA (provincial level for health information, Alberta for example)
• The difference between Canada and EU
  • Canada’s legislation regulates both organizations and individuals privacy rights and access
  • EU’s legislation regulates the individuals’ rights (no organizations)
  • Canada gives to the individual the right to access their data or other individuals’ or organizations data along with their privacy protection right under the same Act (The Privacy Act, FOIP)
  • EU gives to the data subject the right to protection of their personal data under one single act (Directive 95) and to access data for public interest under the Transparency Regulation (1049)-no others personal data could be accessed in the private sector (just for law enforcement)
• Canada enacted different acts for different data categories (private-PIPA, public-FOIP, health-HIA, children-Child, Youth&family enhancement act, etc)
• EU has the same Legislative Act (e.g. Directive) but with different degrees of protection and limitations based on the data categories sensitivity (identification, medical, criminal, etc).
• Canada sets forth a minimum time for information retention when EU sets forth a maximum time for data retention
• in Canada information sharing is done based on Information Sharing Agreements (local, federal, international)
• in EU the data transfer has three layers of protection for exchange locally within the same institutions, bodies, organizations, between EU member states, or internationally (with third countries).

 II.      Privacy versus data protection

• The concept of privacy and data protection is not the same.
  • The protection of privacy is a fundamental right: “private and family life, his home and his correspondence” (Art. 8 European Convention of Human Rights),
  • the concept of data protection, which is also a fundamental right, sets forth the basic principles for data subjects’ protection: “Everyone has the right to the protection of personal data concerning him or her” (Art.8 Charter of Fundamental Rights of the European Union)
• Data protection has a privacy dimension, but it is narrower in scope than the privacy concept, “as the privacy encloses more than personal data” (i.e. private life, private home, private correspondence, etc.)
• From a different angle, it encloses a wider area, “since personal data are protected not only to enhance the privacy of the subject, but also to guarantee other fundamental rights, such as the right to freedom of expression, or the right to know what data is gathered about you,  to have access to your data, to ask for modification or deletion of your data, etc”
  • Furthermore, data protection gives individuals the right to know
• What personal data is collected,
• on what legal grounds,
• how it is used, for how long it used and kept,
• and by whom.
  • specifically grants data subjects with the rights to access, modify,   update or ask for deletion of such data

 III.      EU legislative framework

• Convention 108 of The Council of Europe
• Article 16 of the Treaty on the Functioning of the European Union clearly states that “Everyone has the right to the protection of personal data concerning him or her“
• European Convention for the Protection of Human Rights and Fundamental Freedoms (privacy)
• Charter of fundamental rights of the European Union (data protection)
• Regulation 45/2001/EC (Regulates the processing of personal data by the EU Institutions and bodies)
• Directive 95/46/EC (Transposed into national law of the MS for both private and public sectors)
• Directive 2002/58/EC (data protection obligations for information & communication service providers)
• Directive 2006/24/EC (data retention for law enforcement, security and criminal matters)
• Directive 2009/136/EC (Cookie directive, complements Directive 2002/58)
• Decisions (Council decisions or Commission decision on validating third countries for examples for data transfer)
• Case Law (European Court of Justice)

IV.      EU Data protection revision 2012 (to reflect the new technological developments and to provide a consistent legislative framework across EU):

Click here to access the new proposed EU Data Protection regulation

• It was proposed a Regulation versus the existing Directive. A Regulation is better, as it is immediately and more uniformly implemented into the Member States national law.
• Data subjects
  • increasing responsibility and accountability – companies would have to notify their clients of any theft or accidental release of personal data
  • clarifying that where someone’s consent is required before a company reuses their personal data, they need to give that consent explicitly – people would also have access to their own private data and be able to transfer it to another service provider more easily
  • reinforcing the ‘right to be forgotten’ – people will be able to have their personal data deleted if a business or other organization has no legitimate reasons for keeping it
  • applying EU rules when personal data is processed outside Europe – people would be able to involve the national data protection authority in their country, even when their data is processed by a company based outside the EU
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services
• Good for business
  • A single set of rules would encourage a more consistent application of the law across the EU. Businesses would have clear rules on how to treat personal data
  • Companies would only have to deal with a single national data protection authority in the EU country where they have their main operations (saving businesses an estimated €2.3bn a year)
  • The obligation of appointment of a data protection officer for organizations with 250 employees and over (private sector
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data
  • Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company
• Better enforcement
  • The new rules would give national data protection authorities powers to enforce the EU rules more rigorously
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data. For the new Directive click here.
• Next steps
  • The proposals is aimed to encourage more online commerce by improving consumer trust – contributing to economic growth and job creation. The new Data protection proposed legal framework (Regulation+Directive) must be approved by the European Parliament and Council before becoming law.
• Commission Proposals on the data protection reform: legislative texts
  • Communication
  • Regulation
  • Directive
  • Report and annex
  • Impact Assessment and Annexes , Annex 9
  • Impact assesment Executive summary
  • Public consultation

Source: Directorat General Justice of the European Commission

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

How Secure Is Your Child’s Social Security Number?

E-Crime Expert brings you today an interesting Information Security web show on how Children are the most vulnerable for identity and financial information theft.

Concise Courses organized a web show titled: “How Secure Is Your Child’s Social Security Number?” with three expert speakers on the subject: Michelle Dennedy, Bo Holland and Andrew Serwin. Michelle serves as Chief Privacy Officer at McAfee and founded the iDennedy Project. Bo founded AllClear ID, and Andrew has handled child security matters before the Federal Trade Commission in information security and COPPA.

You can watch the recorded Information Security web show video including a short presentation of the special guests here.

Michelle mentioned that historically child identity theft was never considered to be a problem, however, statistics today show that 11% of kids have their Social Security Number stolen and used to obtain illegal credit. Think about that! In a classroom of 11, one child will have their identity being used to secure mortgages, purchase cars etc. When asked about victim impact for the child and parents, Michelle mentioned that of course it can be very traumatic – not least because, for example, access to education funds can be withheld and the cost to “clean” the credit can be very expensive.

One of the many excellent points that Bo mentioned was that victims keep getting younger because the likelihood of parents checking their child’s credit is minimal, especially if their children are under the age of ten.

Andrew spoke on various equally interesting topics and identified social media as particularly problematic since children can very easily volunteer personal information such as birth date, address and other details that can be used for fraudulent activity.

If you have question please contact us at: dan@e-crimeexpert.com

Case law: leak of personal data (information)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

T-259/03, Nikolaou v. Commission, 12.9.2007

Action for non-contractual liability based on acts and omissions of OLAF. OLAF had disclosed certain information about its investigation concerning the applicant: a leak of information to a journalist; its annual report with information about the investigation; and its press statement. Applicant had requested access to the file and the final case report.

Burden of proof for establishing non-contractual liability: Normal rule: The burden of proof is on the applicant to establish: i) Illegal action of an institution; ii) Damages; iii) Proof that damages were caused by the illegal action of the institution. However, burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was best placed to do so. Court concluded OLAF staff member leaked information (including PD) to a journalist, which were published, and OLAF’s press release confirmed the veracity of facts (including PD) that had been mentioned in several press articles. PD definition: The information published in the press release was PD, since the DS was easily identifiable, under the circumstances. The fact that the applicant was not named did not protect her anonymity. Processing definition: 1. Leak (unauthorised transmission of PD to a journalist by someone inside OLAF) and 2. publication of press release each constitute processing of PD.

Lawfulness:

• Leak constitutes unlawful processing in violation of Article 5 of Reg. 45/2001 because it was not authorized by the DS, not necessary under the other sub-paragraphs and it did not result from a decision by OLAF. Even though OLAF has a margin of discretion on transmissions, here it was not exercised because leak is unauthorised transmission. OLAF is best placed to prove how the leak occurred and that the Director of OLAF did not violate his obligations under Article 8(3) of Reg. 1073/99.

In the absence of such proof, OLAF (Commission) must be held responsible. No concrete showing of an internal system of control to prevent leaks or information in question had been treated in a manner that would guarantee its confidentiality.

• Publication of press release was not lawful under Article 5(a) and (b) because public did not need to know the information published in the press release at the time of its publication, before the competent authorities had decided whether to undertake judicial, disciplinary or financial follow-up.

Damages for violation of DP rules: violation of Reg. 45/2001 qualifies as an illegal act of an institution conferring rights on an individual. Objective of Reg. is to confer such rights on DSs.

• A leak of PD is necessarily a grave and manifest violation. Director has margin of appreciation on prevention, but made no showing.

• OLAF gravely and manifestly exceeded the limits of its discretion in the application of Article 5(a) and (e), which was sufficient to engage the responsibility of the Community.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

This was the last case law analyzes from this series.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: the time limit of right to access

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-553/07, College van burgemeester en wethouders van Rotterdam v. Rijkeboer, 7.5.2009

Reference for preliminary ruling. Dutch law on PD held by local authorities provides that on request, Board of Aldermen must notify a DS within 4 weeks whether his PD have been disclosed to a purchaser or 3rd party during the preceding year. Data held by authority include basic data (name, dob, personal id no., ssn, local authority or registration, etc.) and data on transfers. Mr. R requested to be informed of all instances where data relating to him were transferred in preceding 2 years, content and recipients.

Question referred: whether, pursuant to Article 12(a) (right of access) of Directive 95/46, a DS’s right of access to information on the recipients of PD regarding him and on the content of the data communicated may be limited to a period of one year preceding the request.

Time limit on right of access: Right of access is necessary to enable DS to exercise other rights (rectification, blocking, erasure, and notify recipients of same; object to processing or request damages). The right must of necessity relate to the past, otherwise DS would not be in a position effectively to exercise his right to have data presumed unlawful or incorrect rectified, erased or blocked or to bring legal proceedings and obtain compensation for damages. MSs have some freedom of action in implementing the Directive, but it is not unlimited. Setting of time limit on right of access must allow DS to exercise his rights. It is for MSs to fix a time limit for storage of information on the recipients and the content of data disclosed, and to provide access to that information which constitutes a fair balance between the interest of the DS in exercising his rights and the burden on the controller to store that information. In present case, limiting storage of information on recipients and content to one year, while the basic data is stored much longer, does not constitute a fair balance, unless it can be shown that longer storage would constitute an excessive burden.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: Commission v. Germany (independent DPA)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-518/07, Commission v. Germany, 9.3.2010

Infringement action against Germany which transposed 2nd para. of Article 28(1) of Directive 95/46 (requirement for an independent DPA) by making the authorities responsible for monitoring PD processing outside the public sector in the different Lander subject to State oversight.

Requirement of complete independence of DPA: Independence normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. There is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. The adjective “complete” implies a decision-making power independent of any direct or indirect external influence on the supervisory authority. The guarantee of independence of DPAs is intended to ensure the effectiveness and reliability of the supervision of compliance with DP provisions, to strengthen the protection of individuals and bodies affected by their decisions. DPAs must act impartially and must remain free from any external influence, including that of the State or Lander, and not of the influence only of the

supervised bodies. Independence precludes not only any influence exercised by supervised bodies, but also any directions or other external influence which could call into question performance of those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of PD.

State scrutiny in principle allows the government of the respective Land to influence the decision of the supervisory authority or cancel and replace those decisions. This is not consistent with principle of independence.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: data processing

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-73/07, Tietosuojavaltuutettu [Finnish DP ombudsman] v. Satakunnan

Markkinaporssi Oy and Satamedia Oy, 16.12.2008

Reference for preliminary ruling. Defendant 1 (a) collected public PD (name of persons whose income exceeds threshold, amount of earned and unearned income, wealth tax levied) from Finnish tax authorities and (b) published extracts in regional newspaper each year. Newspaper says PD can be removed on request without charge. Defendant 1 also (c) transferred the data on CD ROM to Defendant 2 (owned by same shareholders) which (d) disseminated them by text messaging system. Contracted with mobile telephony company to send text messages allowing users to receive information published in the newspaper; PD removed on request. Questions referred: (1) whether collection, publication, transfer of CD ROM and text messages constitutes processing of PD; (2) whether it is processing for solely journalistic purposes within Article 9 of Directive 95/46; (3) whether Article 17 and principles of Directive 95/46 preclude publication of data collected for journalistic purposes and its onward transfer for commercial purposes; (4) whether PD that has already been published in the media is

outside scope of Directive 95/46.

Processing: All 4 types of activities constitute processing.

Scope: Only two exceptions to scope, set forth in Article 3(2). First indent: security and criminal law=activities of the state. Second indent: processing by a natural person in course of a purely personal or household activity, concerns activities in course of private or family life of individuals. Activities (c) and (d) are activities of private companies, not within the scope of Article 3(2). A general derogation from application of directive in respect of published information would largely deprive directive of its effect. Thus activities (a) and (b) also not within scope of Article 3(2).

Processing for solely journalistic purposes: Article 1 of Directive indicates that objective is that MSs should, while permitting free flow of PD, protect the fundamental rights and freedoms of natural persons and, in particular, their right to privacy, with respect to processing of their PD. That objective can only be pursued by reconciling those fundamental rights with fundamental right to freedom of expression. Article 9’s objective is to reconcile the two rights. MSs required to provide derogations in relation to protection of PD, solely for journalistic purposes or artistic or literary expression, which fall within fundamental right to freedom of expression, insofar as necessary for reconciliation of the 2 rights. To take account of the importance of the right of freedom of expression in every democratic society, it is necessary to interpret notions of freedom, such as journalism, broadly. Derogations must apply only insofar as strictly necessary.

Fact that publication is done for profit making purposes does not preclude publication from being considered as “solely for journalistic purposes.” Medium used is not determinative of whether “solely for journalistic purposes.” Thus activities may be classified as “journalistic” if their sole object is the disclosure to the public of information, opinions or ideas, irrespective of the medium used to transmit them.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.