GDPR | Breaking Cybersecurity News | The Hacker News

Meta's decision to offer an ad-free subscription in the European Union (E.U.) has faced a new setback after regulators accused the social media behemoth of breaching the bloc's competition rules by forcing users to choose between seeing ads or paying to avoid them. The European Commission said the company's "pay or consent" advertising model is in contravention of the Digital Markets Act ( DMA ). "This binary choice forces users to consent to the combination of their personal data and fails to provide them a less personalized but equivalent version of Meta's social networks," the Commission said . It also noted that companies in gatekeeper roles must seek users' permission to combine their personal data between designated core platform services and other services (e.g., advertising), and that users who refuse to opt in should have access to a less personalized but equivalent alternative. On top of that, Meta's approach does not allow us

Meta on Friday said it's delaying its efforts to train the company's large language models ( LLMs ) using public content shared by adult users on Facebook and Instagram in the European Union following a request from the Irish Data Protection Commission (DPC). The company expressed disappointment at having to put its AI plans on pause, stating it had taken into account feedback from regulators and data protection authorities in the region. At issue is Meta's plan to use personal data to train its artificial intelligence (AI) models without seeking users' explicit consent, instead relying on the legal basis of ' Legitimate Interests ' for processing first and third-party data in the region. These changes were expected to come into effect on June 26, before when the company said users could opt out of having their data used by submitting a request "if they wish." Meta is already utilizing user-generated content to train its AI in other markets such

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

Google's plans to deprecate third-party tracking cookies in its Chrome web browser with Privacy Sandbox has run into fresh trouble after Austrian privacy non-profit noyb (none of your business) said the feature can still be used to track users. "While the so-called 'Privacy Sandbox' is advertised as an improvement over extremely invasive third-party tracking, the tracking is now simply done within the browser by Google itself," noyb said . "To do this, the company theoretically needs the same informed consent from users. Instead, Google is tricking people by pretending to 'Turn on an ad privacy feature.'" In other words, by making users agree to enable a privacy feature, they are still being tracked by consenting to Google's first-party ad tracking, the Vienna-based non-profit founded by activist Max Schrems alleged in a complaint filed with the Austrian data protection authority. Privacy Sandbox is a set of proposals put forth by the i

Google is urging third-party Android app developers to incorporate generative artificial intelligence (GenAI) features in a responsible manner. The new guidance from the search and advertising giant is an effort to combat problematic content, including sexual content and hate speech, created through such tools. To that end, apps that generate content using AI must ensure they don't create Restricted Content , have a mechanism for users to report or flag offensive information , and market them in a manner that accurately represents the app's capabilities. App developers are also being recommended to rigorously test their AI models to ensure they respect user safety and privacy. "Be sure to test your apps across various user scenarios and safeguard them against prompts that could manipulate your generative AI feature to create harmful or offensive content," Prabhat Sharma, director of trust and safety for Google Play, Android, and Chrome, said . The development com

How safe is your comments section? Discover how a seemingly innocent 'thank you' comment on a product page concealed a malicious vulnerability, underscoring the necessity of robust security measures. Read the full real-life case study  here .  When is a 'Thank you' not a 'Thank you'? When it's a sneaky bit of code that's been hidden inside a 'Thank You' image that somebody posted in the comments section of a product page! The guilty secret hidden inside this particular piece of code was designed to let hackers bypass security controls and steal the personal identifying information of online shoppers, which could have meant big trouble for them and the company. The page in question belongs to a global retailer. User communities are often a great source of unbiased advice from fellow enthusiasts, which was why a Nikon camera owner was posting there. They were looking for the ideal 50mm lens and asked for a recommendation. They offered thanks in advance to whoever might take th

In today's digital era, data privacy isn't just a concern; it's a consumer demand. Businesses are grappling with the dual challenge of leveraging customer data for personalized experiences while navigating a maze of privacy regulations. The answer? A privacy-compliant Customer Data Platform (CDP). Join us for a transformative webinar where we unveil Twilio Segment's state-of-the-art CDP. Discover how it champions compliant and consented data use, empowering you to craft a holistic customer view and revolutionize engagement strategies. What Will You Learn? Strategies for ethically democratizing data across your organization. The power of first-party data in unlocking profound customer insights. The pivotal role of a CDP in fostering compliant and consented data utilization. Proven customer engagement methodologies from industry leaders. Why Should You Attend? Twilio Segment's State of Personalization Report reveals a compelling truth: 63% of consumers wel

Italy's data protection authority (DPA) has notified ChatGPT-maker OpenAI of supposedly violating privacy laws in the region. "The available evidence pointed to the existence of breaches of the provisions contained in the E.U. GDPR [General Data Protection Regulation]," the Garante per la protezione dei dati personali (aka the Garante)  said  in a statement on Monday. It also said it will "take account of the work in progress within the ad-hoc  task force  set up by the European Data Protection Framework (EDPB) in its final determination on the case." The development comes nearly 10 months after the watchdog imposed a  temporary ban  on ChatGPT in the country, weeks after which OpenAI  announced  a number of privacy controls, including an  opt-out form  to remove one's personal data from being processed by the large language model (LLM). Access to the tool was subsequently reinstated in late April 2023. The Italian DPA said the latest findings, which h

Explore how an advanced exposure management solution saved a major retail industry client from ending up on the naughty step due to a misconfiguration in its cookie management policy. This wasn't anything malicious, but with modern web environments being so complex, mistakes can happen, and non-compliance fines can be just an oversight away. Download the full case study here . As a child, did you ever get caught with your hand in the cookie jar and earn yourself a telling-off? Well, even if you can still remember being outed as a cookie monster, the punishments for today's thieving beasts are worse. Millions of dollars worse. Cookies are an essential part of modern web analytics. A cookie is a small piece of text data that records website visitor preferences along with their behaviors, and its job is to help personalize their browsing experience. Just as you needed parental consent to access the cookie jar all those years ago, your business now needs to obtain user consent before i

The Irish Data Protection Commission (DPC) slapped TikTok with a €345 million (about $368 million) fine for violating the European Union's General Data Protection Regulation (GDPR) in relation to its handling of children's data. The investigation, initiated in September 2021,  examined  how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020. Some of the major findings include - The content posted by child users was set to public by default, thereby allowing any individual (with or without TikTok) to view the material and exposing them to additional risks A failure to provide transparency information to child users The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos A weakness in the Family Sharing setting that allowed any non-child user (someone who could not be

Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC). The development was  reported  by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point." Threads  is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow." It also enables users to follow the same accounts they already follow on Instagram. A listing for the app has already appeared in the  Apple App Store  and  Google Play Store , although it's yet to be available for download. The " App Privacy " section on the App Store indic

Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S. In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months. Additionally, Meta has been given five months to suspend any future transfer of Facebook users' data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order. "The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous," Andrea Jelinek, EDPB Chair,  said  in a statement. "Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizati

The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban of OpenAI's ChatGPT service in the country, citing data protection concerns. To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in violation of the E.U. General Data Protection Regulation ( GDPR ) laws. "No information is provided to users and data subjects whose data are collected by Open AI," the Garante  noted . "More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies." ChatGPT, which is estimated to have reached over 100 million monthly active users since its release late last year,  has not   disclosed   what it used  to train its latest large languag

The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta's WhatsApp for violating data protection laws when processing users' personal information. At the heart of the ruling is an update to the messaging platform's Terms of Service that was imposed in the days leading to the enforcement of the General Data Protection Regulation ( GDPR ) in May 2018, requiring that users agree to the revised terms in order to continue using the service or risk losing access. The complaint, filed by privacy non-profit NOYB, alleged that WhatsApp breached the regulation by compelling its users to "consent to the processing of their personal data for service improvement and security" by "making the accessibility of its services conditional on users accepting the updated Terms of Service." "WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security," th

France's privacy watchdog has imposed a €60 million ($63.88 million) fine against Microsoft's Ireland subsidiary for dropping advertising cookies in users' computers without their explicit consent in violation of data protection laws in the European Union. The Commission nationale de l'informatique et des libertés (CNIL)  noted  that users visiting the home page of its Bing search engine did not have a "mechanism to refuse cookies as easily as accepting them." The authority, which carried out an online audit between September 2020 and May 2021 following a complaint it received in February 2020,  stated  the tech giant deposited cookies with an aim to serve ads and fight advertising fraud without getting a user's permission beforehand, as is required by law. Along with the fines, Microsoft has also been ordered to alter its cookie practices within three months, or risk facing an additional penalty of €60,000 per day of non-compliance following the end

The Irish Data Protection Commission (DPC) on Tuesday slapped Facebook and WhatsApp owner Meta Platforms a fine of €17 million (~$18.6 million) for a series of security lapses that occurred in violation of the European Union's  GDPR laws  in the region. "The DPC found that Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the twelve personal data breaches," the watchdog  said  in a press release. The decision follows the regulator's investigation into 12  data   breach   notifications  it received over the course of a six-month period between June 7 and December 4, 2018. "This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people's information," Meta  said  in a statement shared with the Associated Press. "

French data protection regulators on Thursday found the use of Google Analytics a breach of the European Union's General Data Protection Regulation (GDPR) laws in the country, almost a month after a  similar decision  was reached in Austria. To that end, the National Commission on Informatics and Liberty (CNIL) ruled that the transatlantic movement of Google Analytics data to the U.S. is not "sufficiently regulated" citing a violation of  Articles 44 et seq.  of the data protection decree, which govern the transfers of personal data to third countries or international entities. Specifically the independent administrative regulatory body highlighted the lack of equivalent privacy protections and the risk that "American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated." "[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google An

A regional court in the German city of Munich has ordered a website operator to pay €100 in damages for transferring a user's personal data — i.e., IP address — to Google via the search giant's Fonts library without the individual's consent. The unauthorized disclosure of the plaintiff's IP address by the unnamed website to Google constitutes a contravention of the user's privacy rights, the court said, adding the website operator could theoretically combine the gathered information with other third-party data to identify the "persons behind the IP address." The violation amounts to the "plaintiff's loss of control over a personal data to Google," the ruling  issued by Landgericht München's third civil chamber in Munich read. Google Fonts is a  font embedding service  library from Google, allowing developers to add fonts to their Android apps and websites simply by referencing a stylesheet. As of January 2022, Google Fonts is a repos