Author: Editor

Secure Software Development and OWASP

By Peter van Schelven

For years now, IT practice has shown that a great many software development contracts are troublesome on one main point: the specification of what is to be developed, delivered and implemented. These specifications often turn out to be vague, incomplete, inconsistent or incomprehensible. As a result, the features and capabilities of the delivered software can be disappointing, and the parties can easily end up arguing about what was actually agreed. We see this problem even more often with regard to the security of software: many software development contracts are silent on security-related specifications and security-specific terms and conditions.

When developing and implementing websites and web applications, software developers sometimes ignore the Open Web Application Security Project (OWASP). That is remarkable. After all, OWASP is a security platform on which software professionals, companies and other organizations share useful information and techniques on the security of web applications....


Six Questions on Data and Privacy to… VNO-NCW / MKB-Nederland

By Irvette Tempelman - VNO-NCW / MKB-Nederland

We spoke with Irvette Tempelman, Secretary of Policy, who deals with privacy, consumer policy and the regulation of artificial intelligence.

Question 1) VNO-NCW / MKB-Nederland is an association of entrepreneurs, with branch organisations and companies as members. You represent companies of all sectors and sizes and cooperate with several governments. What are currently the main policy topics regarding the protection of personal data?

One of the main topics is the fact that the GDPR is still the number 1 regulatory burden for companies, especially for SMEs. The GDPR is a complex piece of legislation. Companies in general are more than willing to implement the GDPR but still have many unsolved questions as to how to do it. Another important topic is the necessity of a more balanced interpretation of the GDPR. The Dutch DPA is known to interpret the GDPR more restrictively compared to other...


The vaccine inoculation passport, ticket to..?

By Rob van den Hoven van Genderen

On the initiative of Greece, European countries are discussing the enactment of a 'vaccination passport for Covid-19', in the first place to allow vaccinated persons to visit the starving European tourist destinations. Will this be the start of a societal partition within Europe and the Netherlands between 'free-travelling' vaccinated people and locked-down 'non-vaxxers'?

The new chapter in the fight against Covid-19 has started: vaccination, hopefully the beginning of the end, although not enough vaccines are being delivered by the producers because we wanted to have a bargain and are among the last to be delivered to. The over-organized Netherlands is the last in Europe to begin vaccination anyway. The Netherlands is so well organized that decision-making gets stranded in its segmented organization. Who determines the policy: the Minister, the security region, the laboratories, the State Health institution (RIVM), the OMT or...


The Dutch DPA on data brokering

Interview with Cecile Schut – Dutch DPA

"To keep a grip on your personal data and to know what others know about you is crucial" - Aleid Wolfsen

The Dutch DPA is the independent supervisor in the Netherlands that guards our constitutionally enshrined protection of personal data. One of the organisation's main tasks is to monitor, by means of investigations, whether companies and governments are complying with the applicable privacy legislation. In addition to supervision, the Dutch DPA advises on new laws and regulations and provides information. We spoke with Cecile Schut, Director of System Supervision, Security and Technology, about what data brokering means, the DPA's perspective on the subject, how to tackle illegal data trafficking, and more.

1. We're going to talk specifically about data brokering/trafficking, but first of all, I'm curious about your position within the Dutch DPA. You have been appointed Director of System Supervision, Security and...


On the misleading metaphors of the information age

By Hans Schnitzler

Perhaps the most apt definition of privacy comes from the Dutch artist and Internet critic Tijmen Schep: "privacy is the right to be imperfect," he argues. This view of privacy is at odds with an ideology known as computationalism: a philosophy of life that reduces the human mind to an information-generating machine, that sees a data problem in every social problem, and that has replaced the belief in higher values with a belief in mathematical values.

With this bits-and-bytes approach to reality, one chases absolute control over and predictability of everyday existence. In his book New Dark Age, James Bridle, a computer scientist, characterizes computationalism as a 'cognitive hack': decision-making processes and responsibility are transferred to machines, and automated thinking, i.e. computation, replaces conscious thought, with the ultimate result that we increasingly act like 'perfect' machines. At least, that is the suggestion.

According to Bridle, computational...


Six questions on Data and Privacy to… Unilever

By Simone Pelkmans and Iris Tasevski

We spoke with Simone Pelkmans, General Counsel of Unilever Benelux, and Iris Tasevski, Unilever's Data Protection Advisor.

Question 1) Unilever is a global corporation in fast-moving consumer goods. Can you describe how a company like Unilever interacts with personal data and privacy?

As a fast-moving consumer goods company, Unilever group companies collect and use personal data to enable them to provide goods and services to consumers, customers and other stakeholders and to collaborate with third parties. Furthermore, Unilever holds personal data of thousands of employees. Although Unilever does not (yet) interact with consumers on a large scale, we do interact with them, mainly for marketing purposes.

At Unilever, we respect the privacy of all individuals (consumers, employees, customers, suppliers). As such, our aim is to collect, use and protect personal data not only in accordance with applicable laws but in line with our own...


Privacy management at Royal Schiphol Group: Mind your step!

By Robyn Post and Danaï Giannouli

A different perspective

When thinking of Royal Schiphol Group (hereafter: Schiphol), the image that comes to mind is of an impressive, innovative international hub where (up to the moment the Covid pandemic started) millions of passengers start, continue or end their journey. A company with the mission "connecting your world" and therefore a strong focus on establishing a secure, safe, efficient, sustainable, high-quality and enjoyable environment for travellers and employees. Safety and security are an integral part of Schiphol's DNA, not only from an operational perspective but also from a privacy and data protection perspective.

A common misunderstanding is that Schiphol has the same information about a passenger departing from, transferring via or arriving at the airport as the other parties at the airport do. In fact, Schiphol does not collect the same personal data about a passenger as, for example, the Royal Netherlands Marechaussee, Dutch Customs, airlines and the operators of retail units...


The draft ePrivacy Regulation: will it still be future proof?

By Herwin Roerdink

The intentions were admirable: a new ePrivacy Regulation that would apply from the same day as the newly introduced General Data Protection Regulation (GDPR). When the European Commission published its first proposal in January 2017, this still seemed to be the plan. But things turned out very differently. There was great division in the European Parliament, and the negotiations in the Council were stuck. The Council did publish a compromise version in late September for discussion, but so far there is no final text. The bottlenecks are mainly in the area of cookies (Article 8 of the proposal) and direct marketing (Article 16 of the proposal). A final proposal is still a long way off. With a possible transition period of 1 to 2 years, the new ePrivacy Regulation will probably come into force in 2023 or 2024 at the earliest. This is unfortunate on several points,...


Bad bots are getting worse – the complicated world of bot attacks and account takeover fraud

By Mélisande Mual – The Paypers

The global push for digitisation has created the perfect environment for fraudsters to operate on a large scale, in three ways. Firstly, with data breaches happening on a daily basis, there is no shortage of stolen credentials available for purchase. Secondly, the number of digital transactions is ever-increasing, so financial institutions process more and more transactions every day. Finally, technologies such as automation tools and bots have become cheaper and more widely available than ever before. Together, these phenomena make bot attacks increasingly cheap, scalable and dangerous.

Bot attacks (also known as botnet attacks or malicious bot attacks) happen when a cybercriminal uses a collection of internet-connected devices to cause harm in various ways. These devices are often infected with malware that gives the attacker complete access to and control over the device, which the attacker then integrates into a botnet....
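The two ingredients the excerpt names, purchased credential lists and cheap botnets, show up in login telemetry in two recognisable shapes: one source address cycling through many accounts with almost nothing but failures (credential stuffing), and one account being hammered from many addresses (a botnet spreading a stolen-credential list to evade per-IP limits). The following is an added example, not code from the article or from The Paypers, that runs both heuristics over a few constructed log lines. The log format, the field names, the window size and the thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing and distributed account-takeover detection over login events.

Added example (not from the original article). The log format below is an assumption:
    <ISO-8601 UTC timestamp> ip=<source address> user=<account> result=<ok|fail>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real traffic). 203.0.113.7 sprays six accounts in
# 30 seconds; 198.51.100.2 is a legitimate user who mistypes once; "victim" is
# attacked from four different addresses spread over 40 minutes.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2021-03-01T10:00:04Z ip=203.0.113.7 user=bob result=fail
2021-03-01T10:00:09Z ip=203.0.113.7 user=carol result=fail
2021-03-01T10:00:15Z ip=203.0.113.7 user=dave result=fail
2021-03-01T10:00:22Z ip=203.0.113.7 user=erin result=fail
2021-03-01T10:00:30Z ip=203.0.113.7 user=frank result=ok
2021-03-01T10:01:00Z ip=198.51.100.2 user=alice result=fail
2021-03-01T10:01:20Z ip=198.51.100.2 user=alice result=ok
2021-03-01T10:02:00Z ip=192.0.2.1 user=victim result=fail
2021-03-01T10:12:00Z ip=192.0.2.2 user=victim result=fail
2021-03-01T10:25:00Z ip=192.0.2.3 user=victim result=fail
2021-03-01T10:40:00Z ip=192.0.2.4 user=victim result=fail
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Event:
    """Parse one log line of the assumed format into an Event."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kv["ip"], kv["user"], kv["result"] == "ok")


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events: list[Event], window: timedelta = timedelta(minutes=5),
                 min_users: int = 5, max_success_ratio: float = 0.2) -> dict[str, dict]:
    """Flag source IPs that try at least `min_users` distinct accounts inside any
    sliding `window`, with a success ratio at or below `max_success_ratio`.
    For each flagged IP the window with the most distinct accounts is reported."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.ok for e in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win), "successes": successes}
    return flagged


def detect_distributed(events: list[Event], min_ips: int = 3) -> dict[str, int]:
    """Flag accounts that receive failed logins from at least `min_ips` distinct
    source addresses: the signature of a botnet working one credential list."""
    fails_by_user: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if not e.ok:
            fails_by_user[e.user].add(e.ip)
    return {u: len(ips) for u, ips in fails_by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying source IPs:", detect_spray(evs))
    print("accounts under distributed attack:", detect_distributed(evs))
```

Per-IP rate limiting alone catches only the first pattern; the second heuristic is what makes a per-account signal (and a step-up such as MFA or a forced credential reset for that account) possible when the attacker rotates through many addresses. Thresholds should be tuned against real baseline traffic, since shared NAT addresses legitimately carry many distinct users.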


How to keep track of privacy during corona?

By Lex Keukens and Sander Tempel

On April 7, Minister De Jonge announced that the government wanted to use tracking apps ('the App') to fight the COVID-19 virus. In addition to the tasks regularly carried out by the Dutch Municipal Health Services (GGD), the government wants the App to provide smart digital solutions for source and contact tracing [1]. This means that the App will need to process personal data, including data from which an individual's health situation can be inferred.

Before focusing on the starting points which the App must meet according to the government, it must first be determined whether the General Data Protection Regulation (GDPR) applies to this form of data processing and, if so, whether there is a lawful basis for processing personal data [2]. After that we will focus on a number of critical comments in relation to data minimisation, protection and data storage. We conclude with some food for thought.

Starting points

In the...
