Science & Technology

GDPR Clock is Ticking for the US Companies as Well: Top 7 Tips to Get Ready

The General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018. Its long-arm territorial reach imposes obligations not only on establishments in the EU but on US-based companies as well, and because business is conducted globally over the internet, that broad application will in practice affect many US businesses. One prerequisite for lawful transfers of data between the EU and the US is already in place: the EU-US Privacy Shield framework, which the European Commission has deemed to provide adequate safeguards for such transfers. Under the Privacy Shield, companies may self-certify and commit to the principles stated in it. Yet fewer than 3,000 US companies participate in the Privacy Shield, and even for those that do, the GDPR's own safeguards still have to be followed. Below we look at some of the most important aspects of GDPR compliance for US (and other non-EU) based companies.

Data protection officer

The GDPR makes the appointment of a data protection officer ('DPO') mandatory only in the cases listed in Article 37 (public authorities, and controllers or processors whose core activities involve regular and systematic large-scale monitoring of data subjects or large-scale processing of special categories of data); outside those cases it is still advisable to appoint a DPO or to assign the role to a specific position in the company. A DPO can also be appointed externally. There may be a single DPO for several companies, or several persons designated with the DPO role in one company. The position need not carry that title; it may be a privacy officer, compliance officer, etc. The person should possess expert knowledge of the GDPR and of data protection law and practice, and may have a legal, technical or similar background; beyond expert knowledge, the GDPR does not prescribe specific qualifications. The DPO's role is to inform and advise the controller, the processor and their employees, to monitor compliance, to cooperate with and act as the contact point for the supervisory authority, to provide staff training, and to assist with data protection impact assessments.

Data Protection Impact Assessment

The next step for companies affected by the GDPR, US companies included, is to perform a data protection impact assessment ('DPIA'). Article 35 makes a DPIA mandatory where processing is likely to result in a high risk to the rights and freedoms of natural persons, and it is good practice even where it is not. A DPIA is a systematic review of the company's processing activities and can be carried out with the help of the data protection officer. It may take the form of a template with a series of questions that have to be answered for each processing activity, and it has to be detailed enough to cover all processing operations in the company. Its function is to identify, before processing starts, where risks to data subjects arise, including the situations in which a data breach could occur. Pursuant to Article 35(7), a DPIA must contain at least: a systematic description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address those risks, including safeguards and security measures. A DPIA is a very useful way of demonstrating compliance, and it is first of all a tool that gives the company itself an overview of its processing activities and an indication of where a breach could happen.

EU representative

A US company (or any non-EU company) without an establishment in the EU has to designate a representative in the EU if its processing relates to offering goods or services to natural persons in the EU, even free of charge, or to monitoring the behaviour of data subjects in the EU (Article 27). Monitoring includes tracking individuals' internet activity in order to evaluate or predict their personal preferences, behaviours and attitudes. The obligation does not apply only where all of the following hold: the processing is occasional, it does not include large-scale processing of special categories of data (such as genetic data, biometric data, data concerning health, ethnic origin, political opinions, etc.) or of data relating to criminal convictions and offences, and it is unlikely to result in a risk to the rights and freedoms of natural persons. Since these conditions are cumulative and fairly vague, in most cases companies whose operations towards persons in the EU are not negligible will have to appoint a representative. The representative must be established in one of the EU Member States where the data subjects whose data is processed are located. The representative performs its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with the Regulation, and may be addressed by supervisory authorities and data subjects and be subject to enforcement proceedings in the event of non-compliance.

Consent matters

One word runs through the GDPR's approach to privacy: consent. Consent is, however, only one of the lawful bases for processing listed in Article 6 (alongside, for example, performance of a contract, compliance with a legal obligation and the controller's legitimate interests). Where a company relies on consent to process the data of natural persons in the EU, that consent must be obtained before processing starts, and it must be freely given, informed, specific and unambiguous.

Freely given consent presupposes that the data subject does not feel pressured or urged to consent, and is not confronted with non-negotiable terms. Consent is not freely given if the data subject has no genuine or free choice, or cannot refuse or withdraw consent without detriment. If the consent wording is pre-formulated by the controller, as is usually the case, it must be clear, plain and easily understandable for the data subject. Where data is processed for several purposes, consent must be given separately for each purpose: consent must be specific, not abstract or vague. Silence, pre-ticked boxes or inactivity do not constitute consent under the GDPR.

Informed consent means that the data subject must know what the consent is for. He or she must be told what the consent entails, with no unknown or undetermined elements. It is the controller's duty to inform the data subject of the scope and purpose of the consent, in clear and plain language. Controllers should bear in mind that, with the sheer number of consent requests a person faces in a short period of time, 'click fatigue' [1] sets in: people stop reading the information and click routinely without thinking. Controllers therefore have to design the consent mechanism so that the person actually reads and understands what is being consented to, for instance through a combination of yes/no questions, varying the position of tick boxes, or visually distinct text accompanying the consent request.

Consent must be unambiguous, that is, clearly given. There must be no room for interpretation as to whether consent was given for a certain purpose. As to its form, consent may be given by ticking a box, choosing technical settings and similar affirmative actions (Recital 32 GDPR).

The data subject consents to the processing of his or her personal data. Companies have to bear in mind that the concept of personal data in the EU is broad: it covers any information relating to an identified or identifiable natural person, from obvious data such as name and postal address to less obvious data that is nevertheless covered by the GDPR, such as IP addresses [2]. In the US, by contrast, IP addresses are not as clearly treated as personally identifiable information (PII). US companies processing data of persons in the EU must therefore apply the broader EU standard and treat such identifiers as personal data, even where US law would not require it.

Privacy by design implemented

Privacy by design is a concept that brings together legal requirements and technical measures; Article 25 of the GDPR frames it as data protection by design and by default. It is a way of building the law into the technical structure of the business, and if applied properly from the outset it goes a long way towards ensuring compliance with the GDPR. It gives effect to the principles of data minimisation, under which only the data necessary for the purpose is processed, and storage limitation, under which retention is reviewed periodically and data that is no longer necessary is automatically erased.

One way of demonstrating compliance through privacy by design is 'pseudonymisation'. The GDPR (Article 4(5)) defines pseudonymisation as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. That additional information must be kept separately and be subject to technical and organisational measures ensuring that the data is not attributed to an identified or identifiable natural person. Pseudonymisation is not anonymisation and should not be confused with it. Anonymisation is a technique that results in irreversible de-identification; because it rules out identification entirely, anonymised data falls outside the GDPR. Pseudonymisation only reduces the linkability of a dataset with the original identity of a data subject; the data remains personal data, and pseudonymisation is accordingly a useful security measure rather than an exemption [3].
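As an added illustration of the distinction drawn above (example code written for this page, not taken from the article or from any regulator's guidance), the following Python pseudonymises the IP addresses in a web log, since the article treats IP addresses as personal data, and sets this beside the naive approach of simply hashing them. The key, the addresses and the log lines are constructed for the example; the key stands for the 'additional information' of Article 4(5) and would in practice be stored separately from the pseudonymised data, under its own access controls.

```python
"""Keyed pseudonymisation of IP addresses versus naive hashing.

Added example, not taken from the article or from any GDPR guidance.
The key, the addresses and the log lines below are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed 32-byte key. This is the "additional information" of GDPR
# Article 4(5): it must live in a separate store (vault, KMS, HSM) with its
# own access controls, never alongside the pseudonymised dataset.
PSEUDONYMISATION_KEY = bytes.fromhex(
    "6f1d2c9a8b7e5f403122334455667788"
    "99aabbccddeeff001122334455667788"
)

# Constructed sample web log: (client IP, requested path). The addresses are
# from the documentation range 203.0.113.0/24 (RFC 5737).
SAMPLE_LOG = [
    ("203.0.113.17", "/login"),
    ("203.0.113.42", "/account"),
    ("203.0.113.17", "/logout"),
]


def generate_key() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG; rotate it per retention period."""
    return secrets.token_bytes(32)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over the canonical form of the IP.

    Canonicalising first means "2001:db8::1" and its zero-padded spelling map
    to the same token. Same IP, same token: records stay linkable inside the
    dataset (abuse analysis, rate limiting) but cannot be attributed to an
    address without the key.
    """
    canonical = str(ipaddress.ip_address(ip)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def naive_hash_ip(ip: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()


def pseudonymise_log(log, key: bytes):
    """Replace the IP column of a log with pseudonyms; paths are untouched."""
    return [(pseudonymise_ip(ip, key), path) for ip, path in log]


def candidate_hosts(network: str):
    """All addresses in a CIDR block, as strings (the re-identification space)."""
    return [str(addr) for addr in ipaddress.ip_network(network)]


def reidentify(token: str, candidates, key: bytes):
    """Whoever holds the key can re-attribute a token by recomputing it over
    candidate identifiers. This is exactly why pseudonymised data is still
    personal data under the GDPR: the controller can reverse it."""
    for ip in candidates:
        if hmac.compare_digest(pseudonymise_ip(ip, key), token):
            return ip
    return None


def brute_force_naive_hash(digest: str, network: str):
    """Reverse an unkeyed hash by enumerating the address space. IPv4 has only
    2**32 values, so the whole space is feasible offline; a /24 suffices here."""
    for addr in ipaddress.ip_network(network):
        if hashlib.sha256(addr.packed).hexdigest() == digest:
            return str(addr)
    return None


if __name__ == "__main__":
    pseudo = pseudonymise_log(SAMPLE_LOG, PSEUDONYMISATION_KEY)
    for (ip, _), (token, path) in zip(SAMPLE_LOG, pseudo):
        print(f"{ip:>14} -> {token}  {path}")

    token = pseudo[0][0]
    space = candidate_hosts("203.0.113.0/24")
    print("with key:   ", reidentify(token, space, PSEUDONYMISATION_KEY))
    print("without key:", reidentify(token, space, generate_key()))

    leaked = naive_hash_ip("203.0.113.42")
    print("naive hash reversed:", brute_force_naive_hash(leaked, "203.0.113.0/24"))
```

Running the block shows the point in miniature. The unkeyed SHA-256 of an address is reversed by enumerating the address space (IPv4 has only about 4.3 billion values, so a plain hash of an IP address is neither anonymisation nor meaningful pseudonymisation). The HMAC variant keeps records linkable (same address, same token) while attribution requires the key; because the controller holds that key, the output remains personal data under the GDPR, which is exactly why pseudonymisation is a security measure and not an exit from the Regulation.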

Binding corporate rules

Binding corporate rules ('BCR') are a set of principles, procedures and personal data protection policies, together with a binding clause, adopted by a group of undertakings and approved by the competent supervisory authority. Adopting BCR is not a simple process, but it puts a company on a safe track: it is one of the safeguards for international transfers expressly envisaged by the GDPR. According to Article 47, BCR should specify the structure and contact details of the group and each of its members; the categories of personal data, the type of processing and its purposes; the application of the general data protection principles (purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, processing of special categories of personal data, and so on); the rights of data subjects; the tasks of the data protection officer; complaint procedures; mechanisms for reporting to the competent supervisory authority; appropriate data protection training for personnel; and a statement that the BCR are legally binding. BCR should additionally be accompanied by privacy policies, guidelines for employees, a data protection audit plan, examples of the training programme, a description of the internal complaint system, the security policy, a certification process ensuring that all new IT applications processing data comply with the BCR, and the job description of the data protection officers or other persons in charge of data protection in the company.

Make your compliance visible

If your company has done all of the above, it has to make that visible. Companies covered by the GDPR not only have to comply; they have to be able to show that they comply. Article 5(2) places the burden on controllers to demonstrate their compliance (the accountability principle).

From the first contact with the controller, the website must give the impression of compliance. The BCR, privacy policies and the DPO's contact details must be visible so that a data subject can reach the DPO in case of a data risk or breach. The EU representative's name and contact details must be published so that they are accessible to supervisory authorities in the EU. A contact form for data subjects, with options for exercising the rights of access, objection, erasure, rectification and restriction, should be there. An organisational chart of the company and a data flow map showing how data is transferred complete the picture. These are only some of the most important features that have to be in place.

Non-compliance is a very costly adventure, and one that businesses will want to avoid. With systematic planning, a proper analysis of how the GDPR applies to them, and clearly defined processes, US companies can turn compliance into a business benefit and encourage data subjects in the EU to entrust their data to them freely. It is a thorough process, but one worth completing.

[1] Article 29 Working Party, Guidelines on consent under Regulation 2016/679, p. 17.

[2] Judgment of the Court of Justice of the EU of 19 October 2016 in case C-582/14 (Breyer).

[3] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014, p. 3.

Is your security compromised due to “Spy software” know how

Spy software, often referred to as spyware, is software that gives whoever controls it the ability to track or monitor someone else's devices (desktop, laptop or smartphone) remotely, from anywhere in the world.

Spyware is a threat to businesses and individual users alike, since it can steal sensitive information and give an attacker a foothold in a network. It is controversial because it routinely violates end users' privacy. Once on a device it can harvest sensitive data (such as bank account or credit card details, or identity information) or browsing data and pass it to data brokers, advertisers or other third parties.

Numerous spyware tools are available online at little or no cost, with the sole goal of tracking users and selling their data. Some spyware can install additional software and change settings on the user's device, which can make it difficult to detect.

Below are four main types of spyware, each with its own way of tracking and recording user activity:

Tracking cookies: the most common type of tracker. They monitor the user's internet activity, such as searches, downloads and browsing history, for advertising and resale purposes.

System monitors: these record everything on the device, from emails, keystrokes and visited websites to chat-room dialogues, and much more.

Adware: used for marketing, it tracks the user's downloads and browser history and displays the same or related products; it often slows the device down.

Trojans: the most malicious category. Disguised as legitimate software, they can be used to capture sensitive information such as banking details or identification numbers.

Spyware can target any operating system, whether Windows, Android, macOS or iOS. Windows systems have historically been the most frequent target, but in the past few years Apple's operating systems have increasingly been attacked as well.

A recent investigation by the Guardian and 16 other media organisations (the Pegasus Project) found widespread and continuing abuse of NSO Group's Pegasus spyware against government officials, human rights activists, lawyers and journalists worldwide, even though NSO says the tool is licensed only for use against terrorists and serious criminals.

The forensic analysis, conducted by the project's technical partner, Amnesty International's Security Lab, found traces of Pegasus activity on 37 of the 67 phones examined. Of the 34 iPhones among them, 23 showed signs of a successful Pegasus infection and 11 showed signs of attempted infection. Only three of the 15 Android phones showed evidence of targeting, a figure that says more about Android than about Pegasus: Android retains far fewer of the logs the analysis relies on, so the absence of traces there is not evidence of absence.

Attacks like Pegasus may have a short shelf life, since the exploits they rely on get patched, and they are aimed at specific individuals. But past campaigns show that attackers also target large groups of people, and are often successful.

Below are the most common ways devices become infected with spyware:

  • Downloading software or apps from unreliable sources or unofficial app stores
  • Accepting cookie prompts or pop-ups without reading them
  • Downloading or streaming pirated media
  • Opening attachments from unfamiliar senders

An infected device is a serious problem. The damage ranges from short-term device issues (a slow or crashing system, an overheating device) to long-term financial harm.

Here is what you can do to protect your devices from spyware:

Reliable security software: look for a reputable security solution (some are available for free) and keep it enabled. If a device is already infected, look for providers that offer spyware identification and removal.

- For instance, Amnesty International publishes the Mobile Verification Toolkit (MVT), which checks a device for known indicators of Pegasus compromise.

- MVT works on a backup of the device (or a full filesystem dump) rather than on the live system, looking for evidence of infection. It supports both iOS and Android, but its results are more conclusive on iOS, because iOS backups retain more of the forensic traces it looks for.

- You can also download and run Norton Power Eraser, a free malware removal tool.

Update your system regularly: turn on automatic updates. Updates close the security holes that spyware exploits to get onto a device, and they fix software errors as well.

Be vigilant about cookie consent: tracking cookies that record browsing habits and personally identifiable information (PII) are what feed adware. Accept cookies only from sites you trust, or install a cookie blocker.

Strong authentication: enable multi-factor authentication (MFA) wherever possible, and use a different password for every account so that one breach does not expose the others.

- Password breaches can still occur despite these precautions. In that case, change the affected password immediately, along with any other account where it was reused.

Be cautious with free software: read the terms and conditions of the licence before accepting. Free software may cost nothing up front, but your data could be what it collects in return.

Do not open files from unknown or suspicious accounts: do not open email attachments or text messages from a suspicious, unknown or untrustworthy source or number.

Conclusion:

Spyware can be extremely dangerous, but it can be prevented and removed by taking precautions and using a trustworthy security tool. Newer technologies can also help detect and remove malicious content: artificial intelligence, for instance, can help organisations identify malicious software and continually update the patterns it recognises in order to predict future malware attacks.

Implementation of virtual reality and the effects in cognitive warfare

With the increasing use of new technologies in warfare, virtual reality presents an opportunity for the domain of cognitive warfare. Cognitive skills are now treated as equal to their physical counterparts, and there is a push to standardise new training techniques. Virtual reality (VR) can be used as a tool to increase the cognitive capabilities of soldiers. As currently understood, VR acts on the brain directly: the eyes see one object or one surrounding area, but the brain perceives and reacts to it differently. VR has been used extensively in new teaching methods because of evidence that it improves students' memory and learning.

Besides its theoretical teaching approach and improvement of learning, VR can be used systematically to train practical skills. In medicine, for example, students can have a full anatomy lesson on a virtual human being, seeing the body projected in 3D, which is transforming medical education. If that works in medicine, it should in principle be possible to use it in combat training, projecting a specific battlefield in VR to increase the chances of a successful engagement and reduce the chance of casualties. Knowing your terrain is as important as knowing your adversary.

VR also opens new domains relating to physical health. It is argued that VR may offer an effective means of pain management. Since VR stimulates the visual senses, the approach may be effective in treating chronic pain, depression or even PTSD. The idea is that the brain itself is already powerful enough, yet when pain overwhelms us we tend to lose the use of some of our senses, such as vision. Agonising pain can blur our vision, something we cannot control, unless, in theory, we use VR. The process can consist of sounds and visual aids that trick the mind into thinking it is somewhere that is the polar opposite of where it is. Technically speaking, the mind can do this because it works like a powerful computer: the signals from our pain receptors can be overridden so that we do not perceive the pain as so terrible.

Although the benefits of VR could be useful for our health, we still need to deal with the health problems that arise when using a VR headset. The brain can be overloaded with new information and new virtual environments, and for some people the loss of the real environment causes nausea or severe headaches. As a result, cognitive psychologists have developed new techniques to address the problem. Headset software can now desaturate colours towards the edge of the display to limit visual confusion, and research shows that rendering a virtual nose in the headset's field of view can prevent motion sickness, much as our real nose serves as a fixed reference point in reality.

When it comes to deploying VR with soldiers, however, faster and more effective ways of eliminating this confusion of the brain may be needed, and specific pharmaceuticals might be the key. One example is modafinil, prescribed in the US since 1998 to treat sleep-related conditions. Researchers believe it can produce effects similar to caffeine. A University of Oxford review of 24 studies in which participants completed complex tasks after taking modafinil found that those who took the drug were more accurate, which suggests that it may affect higher cognitive functions.

Although some of its long-term effects are yet to be studied, modafinil is, on the available evidence, arguably the safest drug that could be used in such cognitive settings. In theory, if long exposure to VR causes headaches and an inability to concentrate, an appropriate dose of modafinil could counter those effects. Soldiers, whose cognitive skills are trained beyond those of civilians, would be the more suitable group in which to test the full effect of combining virtual technology and pharmaceuticals. VR can be a significant military component and a simulation training programme, providing new cognitive experiences of foreign and unknown terrains that would be difficult to approach in real life. New opportunities arise every day with these technologies, and for anyone seeking a significant advantage over adversaries in the cognitive warfare field, VR would provide a useful tool for military decision-making.

Vaccine Equity and Beyond: Intellectual Property Rights Face a Crucial Test

The debate over intellectual property rights (IPRs), particularly patents, and access to medicine is not new. IPRs are considered to drive innovation by protecting the results of investment-intensive R&D, yet they arguably also foster inequitable access to affordable medicines.

In a global public health emergency such as the COVID-19 pandemic, where countries face acute shortages of life-saving vaccines, should public health be prioritized over economic gain and the international trade rules designed to protect IPRs?

The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), to which all 164 member states of the World Trade Organization (WTO) are party, establishes minimum standards for protecting different forms of IPRs.

In October 2020, India and South Africa, countries with strong generic drug manufacturing infrastructure, invoked WTO rules to seek a temporary waiver of IPRs (patents, copyrights, trade secrets and industrial designs) on equipment, drugs and vaccines related to the "prevention, containment or treatment of COVID-19." A waiver would mean that countries could produce equipment and vaccines locally without permission from the holders of the IPRs. This would suspend the exclusive rights that IPRs confer on their holders and the licensing conditions those holders are able to impose.

Brazil, Japan, the European Union (EU) and the United States (US) initially rejected the waiver proposal. That stance changed with the rise of new COVID-19 variants and the associated increase in deaths, as several countries faced a public health crisis due to vaccine supply shortages. The position of many states began shifting in favour of the India-South Africa proposal, which now has the backing of 62 WTO members, with the US declaring support for the intent of the temporary waiver to secure "better access, more manufacturing capability, more shots in arms." Several international bodies, including the World Health Organization (WHO) and the UN Committee on Economic, Social and Cultural Rights, have voiced support.

Some countries disagree about the specific IPRs to be waived or the mechanisms by which IPRs should be made available. The EU submitted a proposal to use existing TRIPS flexibilities such as compulsory licensing, while others advocate voluntary licensing. The TRIPS Council is meeting to prepare an amended proposal for the General Council (the WTO's highest-level decision-making body in Geneva) by the end of July 2021.

The crisis in India illustrates the urgency of the situation. India produces and supplies Covishield, manufactured under licence from AstraZeneca, and Covaxin, which has yet to be included on the WHO's Emergency Use Listing (EUL). Because of its devastating domestic public health crisis, India halted vaccine exports, disrupting the global vaccine supply, including to the COVID-19 Vaccines Global Access (COVAX) programme. Meanwhile, the world's poorest nations lack sufficient supplies of critical vaccines.

International law recognises some flexibility in public health emergencies. One example is the 2001 Doha Declaration on TRIPS and Public Health, which, while maintaining members' commitments, stresses that TRIPS should be part of the wider national and international action to address public health problems. Consistent with that, the body of international human rights law, including the International Covenant on Economic, Social and Cultural Rights (ICESCR), protects the right to the highest attainable standard of health.

But as we race against time, the current IPR framework may not allow for the swift response required. The rigorous requirements a vaccine must meet before it is considered safe for use under emergency use authorisations, and the procedural delays involved, illustrate why IPR waivers on already approved vaccines are needed: building on the EUL-approved vaccines with proven efficacy and easing IPR restrictions would aid the timely supply of, and access to, vaccines.

A TRIPS waiver alone may not solve the global vaccine shortage. Some argue that the shortages are not an inherent flaw of the IP regime, pointing to other persistent supply chain disruptions, such as those affecting microchips, pipette tips and furniture. However, since a patent gives its holder exclusive control over commercialisation of the vaccine, other companies with manufacturing capacity cannot produce it to scale up production and meet demand.

Nor does a temporary waiver mean that pharmaceutical companies cannot monetise their work. States should work with pharmaceutical companies to set up compensation and insurance schemes that ensure adequate remuneration.

At the College of Law at Hamad Bin Khalifa University, our aim is to address today's legal challenges with a future-oriented view. We see COVID-19 as a case study in how we respond to imminent and existential threats. As global warming alters the balance of our ecosystem, threats will cascade in ways that are hard to predict. When unpredictable health emergencies emerge, it will be human ingenuity that helps us overcome them. Even the global IP regime, as a legal system that regulates ideas, is being tested, and it should be agile enough to respond in time, like the scientists who sprang into action and worked tirelessly to develop the vaccines that will soon bring back a semblance of normal life as we know it.
