Tsaaro Weekly Privacy Newsletter
3rd June, 2022

The Right to Data Portability under GDPR

The General Data Protection Regulation (GDPR) enforces a total of eight rights, and the right to data portability is one of them. It is described under Article 20 of the GDPR. The right to data portability gives data subjects the power to request and obtain their data from the data controller or the organisation holding it, which also enables them to use this data for personal purposes. Individuals can either keep the collected data for their own use or forward it to a different data controller.

What kind of data does this apply to?

The right to data portability applies to the following:

  • Personal data provided by the data subject to a data controller. 
  • The data which is processed using automated means. 
  • When the processed data is based on an individual’s consent. 
  • When the processed data is for the execution of a contract. 

There is some ambiguity around what data is provided to or collected by a data controller. This right does not apply only to the names and addresses collected; it also applies to an individual’s activities that are tracked by an organisation. These activities include:

  • Browsing history. 
  • Location and traffic routing data. 
  • Data collected from smart devices such as wearables or other meters.

What kind of data is exempted from this right?

This right cannot compel a company to provide any information other than the raw data it has collected. For example, if a company collects raw data and later, after a certain amount of time, converts all of the collected data into various user profiles, this profile data cannot be demanded by a data subject.

Another important case where this right does not apply is when an organisation is collecting data in the public interest or for reasonable actions.

In what format is this data provided?

This data must be in a usable format and should be structured for ease of access. The organisation must also provide this data in a machine-readable format.

Data portability is becoming more significant as a growing number of organisations store larger amounts of information in the cloud. The requirement to move information in a portable format is not restricted to cloud computing; it also applies to more and more kinds of IT companies these days, and the right to data portability helps keep them in check, since companies have to be careful about the kind of data they are collecting.

Major Privacy Updates of the Week

CPRA Draft Regulations Issued

On Friday, May 27, 2022, the California Privacy Protection Agency (CPPA or Agency) issued a first set of draft regulations that contain a number of notable provisions but do not address all of the CPRA’s rulemaking topics. The Agency issued the draft regulations in connection with a Board meeting scheduled for June 8, 2022. The draft addressed only 22 regulatory topics, which were meant to give stakeholders a brief overview of the law.

Multiple companies affected by Okta hack

The enforcement of Thailand’s Data Protection Law started from 1st June.

After a two-year postponement, Thailand’s Personal Data Protection Act (PDPA) will come into force on June 1st, according to Deputy Government Spokesperson Rachada Dhnadirek. The law will provide assurance to members of the public that their personal data will be protected and will not be used by unauthorised people. Under the law, people or entities responsible for controlling or processing personal data must receive consent from the data’s owner for the collection, use or disclosure of their personal data. They must also inform the data’s owner about the reason for using their personal data and the purposes to which it will be put. Additionally, the law recognises the right of data owners to access their personal data, the right to rectification (if the data contains errors) and the right to object to, withdraw or erase the data if it is against the principles of personal data protection or related laws.

SpiceJet airline passengers stranded after ransomware attack

Indian budget airline SpiceJet attributed delayed flights to a ransomware attack. SpiceJet said the attack was quickly contained and rectified, with flights again operating normally. SpiceJet is the second-largest airline in India measured by domestic passengers, and in pre-COVID 2019 claimed 13.6 percent market share. The company was later forced to clarify that its definition of “normally” meant flights delayed by ransomware had a cascading effect on its schedule, so while it whacked the ransomware, passengers could still expect disruptions.

Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

A critical security flaw has been uncovered in UNISOC’s smartphone chipset that could potentially be weaponized to disrupt a smartphone’s radio communications through a malformed packet. UNISOC, a semiconductor company based in Shanghai, is the world’s fourth-largest mobile processor manufacturer after MediaTek, Qualcomm, and Apple, accounting for 10% of all SoC shipments in Q3 2021.

The now-patched issue has been assigned the identifier CVE-2022-20210 and is rated 9.4 out of 10 for severity on the CVSS vulnerability scoring system. In a nutshell, the vulnerability, discovered following a reverse-engineering of UNISOC’s LTE protocol stack implementation, is a buffer overflow in the component that handles Non-Access Stratum (NAS) messages in the modem firmware, resulting in denial-of-service.

Microsoft Office Zero-Day Vulnerability Exploited

A serious vulnerability has been found in Microsoft Windows, the most-used operating system for computers around the world, which could be exploited by a simple MS Word document. The vulnerability, which affects 32 versions of Windows, was officially acknowledged by Microsoft on Tuesday, while the Indian Computer Emergency Response Team (CERT-In), too, has assigned it a ‘high’ severity rating. Worryingly, there are also preliminary indications that the vulnerability has already been used to target Indian users. 

Follina falls under the category of ‘Zero Day vulnerabilities’, meaning vulnerabilities discovered only when malicious hackers exploit them. The term ‘Zero Day’ is used because there are zero days between their discovery and exploitation.
