Posts

Showing posts from October, 2022

Over 100 million won stolen through identity theft via personal information posted in SNS chatting groups.

In Korea, a man was arrested for using personal information published by an insurance company on an SNS (Social Networking Service) to steal money through identity theft. The incident arose because an insurance agency posted its customers' personal information in an SNS group chat room, including the victim's ID, credit card information, and insurance contract. The suspect used this personal information to fraudulently create a mobile phone number in the victim's name, then proceeded to create bank accounts and mobile certificates, which were subsequently used to borrow over 100 million won through open-banking and loans. This incident demonstrates potential vulnerabilities in user-friendly fintech (financial services based on advanced information technology), as well as the need for

Update at the Global Privacy Assembly: Korea's PIPC signs joint declaration of cooperation with France's CNIL

Korea's Personal Information Protection Commission (PIPC) signed a joint declaration of cooperation at the Global Privacy Assembly held in Istanbul on Oct 25-26. The PIPC intends to cooperate with France's CNIL (in charge of privacy protection in France) to carry out joint research on new technologies, share best practices and experiences, organize joint training workshops, and exchange agents. Aside from France, the PIPC's representative also discussed potential cooperation in privacy protection and enforcement with representatives of data privacy agencies of California, the United Kingdom, the European Union, and the Philippines. The PIPC also discussed with Germany's BfDI Korea's possible inclusion in the Berlin Group, which is an international body focusing on data protection in telecommunications. Overall, this development shows Korea's growing integration and advancements into p

Google Analytics banned in several EU countries for violating GDPR, will the same apply to Canada?

Is Google Analytics a privacy concern, especially considering the current grey zone for EU-US data transfers? Given the EU's moves against Google Analytics, this may be the case.

When a European website uses Google Analytics with Google's cookies, all the data collected by the Google Analytics cookie is transferred from the EU to Google's servers in the US. This type of data transfer was ruled by an Austrian court to be breaching the EU's General Data Protection Regulation (GDPR) because the data was not properly protected against access by US intelligence agencies (a similar reason to why the EU-US Privacy Shield was overturned). Although this court ruling only applies in Austria, similar rulings banning the use of Google Analytics by websites operating within said country's borders have happened throughout this past year in multiple other EU countries, such as France, Italy, and more recently Denmark.

The pote

EU-US transfer framework to replace the Privacy Shield?

President Biden signed a new European Union - United States transfer framework which will replace the Privacy Shield framework that EU courts had struck down. The Privacy Shield framework, which until two years ago governed rules over personal data flows from the EU to the US to ensure they met GDPR requirements, was invalidated by the Court of Justice of the EU's "Schrems II" decision. The court found that US surveillance programs went beyond what was 'strictly necessary and proportional', and moreover did not offer any means of effective remedy for EU data subjects. Since this ruling, in the absence of any framework for data transfers from the EU to the US, such data transfers have become a legal grey zone, with much confusion and legal costs for US tech firms. The new changes in the framework include a change in the definition of 'personal data' to that which the GDPR uses

Is sharing personal information of data breach victims with banks sufficient to limit damages?

Oct 6

In the wake of the Optus data breach in Australia that affected over 10 million people, the Australian government is proposing amendments to privacy regulations that enable data sharing between telecommunication firms and banks to better protect affected people from fraud and identity theft. If implemented, the new amendments will allow banks to use temporary government-issued identification documents to monitor those impacted by data breaches, with banks limited to using the information only for preventing data breach-related damages (such as fraud and identity theft). Notably, this enables affected telecommunications companies such as Optus to share their users' personal data with third parties (the banks) for strictly limited purposes (to prevent further loss from fraud/identity theft).

However, this is merely a stopgap measure and according to some, such as Anna Johnston (founder of Salinger Privacy), such a s

Growth in Use of Pseudonymized Information in Korea

Last week, Korea’s Personal Information Protection Commission (PIPC) held its second contest on the uses and application of pseudonymized information. The purpose of this contest is to improve the real-life use and performance of pseudonymized information, as well as to develop best practices and uphold safety standards. Projects included analysis on the effectiveness of treatment for alcoholics and analysis on quality of life indicators for single person households. This marks great progress since Korea implemented its pseudonymized information system 3 years ago.

Pseudonymization is a process through which information that can indicate the identity of a data subject is replaced by ‘pseudonyms’, which prevents the data from identifying the user. This method also allows re-identification later on if the pseudonyms are replaced by their original identifiers. Since it makes personal data processing easier while also reduci

Does a Data Breach result in the fall of the Company’s Share Price?

Oct 3

What’s the issue?

Do data breach incidents have a significant negative impact on breached companies’ share prices?

What are the findings?

Based on recent studies and reports, it seems that data breaches do have a negative impact on both short and long term share prices, but the impact is fairly small and given the small sample size, there may be flaws in the analysis. It also appears that customers place greater importance on a company’s response to the breach rather than punishment of the breach itself.

Why is this important?

For those who have invested in a company that suffered a privacy data breach (or is likely to suffer one), this may mean there is no need to fear an immediate and permanent drop in share prices. Rather, analyzing the company’s response to the breach may be of greater importance before deciding whether to stay invested.

In More Detail:

Given the recent outbreak in high profile da

Better outlook for Legal Tech in Korea, but playing catch-up still

Oct 2

This May, Korea’s Prosecutor’s Office rejected the lawsuit brought by Korea’s Bar Association against the platform LawTalk (which advertises lawyers’ services) for violation of attorney laws. Contrary to the Bar Association’s claims that LawTalk was enticing and misleading clients seeking a lawyer by providing only the information of membership lawyers in their platform, the prosecutor found that there was no unfair presentation of membership lawyers compared to non-membership lawyers. The prosecutor also ruled that it was difficult to interpret advertisements claiming “case analysis by a lawyer within 15 mins” and “when you need a lawyer, use LawTalk” as LawTalk directly conducting legal affairs.

Such legal tech is already prevalent in North America and Europe: for instance, DoNotPay is a widely used legal tech service in England and the US to check if you have to pay a parking ticket or if there are legal ways to avoid

More data breaches strike again: millions of customers impacted in Canada and Australia

Oct 1

There have been multiple data breaches this week around the world. Continuing from the massive data breach at Uber early in September, there have been a further two separate data breaches recently in Canada and Australia.

On Sept 29, the Office of the Privacy Commissioner of Canada confirmed that a Canadian border agency suffered a data breach exposing up to 1.38 million licence plate image files and related information (such as the province/state, date, and border crossing site). 11,000 of these were posted on the dark web. The OPC further reported in its investigation that despite such files being considered personal information under the Privacy Act, there were no adequate contractual clauses ensuring that the border agency’s private-sector partner properly protected that information. Ultimately the cause was attributed to improper management of data and inadequate security measures.

Another investigation in Canada revealed that over 145,000 customers