Tag: Data Protection Authority

TikTok faces huge fine from Britain’s ICO

12. October 2022

Lately, the Chinese social media success has been the subject of an investigation by the British data protection watchdog, the Information Commissioner’s Office (ICO): the investigation has so far concluded that the social media network has clearly breached the United Kingdom’s data protection laws, in particular the regulations concerning children’s personal data in the time. The Authority issued therefore a notice of intent, which is a potential precursor to a fine amounting up to a staggering 27 million pounds.

In particular, the Authority found out that the platform could have processed personal data of children under the age of 13 failing to gather the parents’ consent for the processing of these data. Under these data there are allegedly also special category data, which have a special protection under Art. 9 GDPR.

Furthermore, in the ICO’s opinion the principle of transparency was not respected by the Chinese hit platform by not providing complete or transparent information on the data processing or their gathering.

The ICO’s investigation is still ongoing as the Commissioner’s Office is still deciding whether to impose the fine or whether there has been a breach of data protection law.

The protection of teenagers and children is the top priority of the ICO according to current Information Commissioner John Edwards. Under his guidance, the ICO has several ongoing investigations targeting various tech companies who could be breaking the UK’s data protection laws.

This is not the first time TikTok has been under observation by data protection watchdogs. In July a US – Australian cybersecurity firm has found that TikTok gathers excessive amounts of information from their users, and voiced their concern over their findings. Based on these precedents, it could be possible that local data protection authorities will increment their efforts to control TikTok’s compliance with local laws and, in Europe, with the  GDPR.

French CNIL highlights its data protection enforcement priorities for 2022

25. February 2022

Following complaints received, but also on its own initiative, the French data protection supervisory authority Commission Nationale Informatique et Liberté (hereinafter ‘CNIL’) carries out checks, also based on reports of data protection violations. CNIL has published three topics for 2022 on which it will focus in particular. These topics are: commercial prospecting, surveillance tools in the context of teleworking, and cloud services.

With regard to commercial prospecting, CNIL draws particular attention to unsolicited advertising calls, which are a recurring complaint to CNIL in France.

In February 2022, CNIL published a guideline for “commercial management”, which is particularly relevant for commercial canvassing.

Based on this guideline, CNIL will control GDPR compliance. The focus here will be on professionals who resell data.

Regarding the monitoring tools for teleworking, identified as CNIL’s second priority, CNIL aims to assist in balancing the interests of protecting the privacy of workers who have the possibility of home office due to COVID-19 and the legitimate monitoring of activities by informing the rules to be followed for this purpose. CNIL believes that employers need to be more strictly controlled in this regard.

Last but not least, CNIL draws particular attention to the potential data protection breaches regarding the use of cloud computing technologies. Since massive data transfers outside the European Union can be considered here in particular, activities in this area must be monitored more closely. For this purpose, CNIL reserves the right to focus in particular on the frameworks governing the contractual relationships between data controllers and cloud technology providers.

Dutch Minister of Finance fined 2.75 million Euro for discriminatory and unlawful data processing

4. January 2022

On December 8th, 2021, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority (DPA)) announced that it had fined the Belastingdienst (the Dutch Tax Administration) €2.75 million. The fine was imposed because, as part of the so-called Toeslagenaaffaire (Childcare Benefit Affair), the Belastingdienst processed data on the (dual) nationality of childcare benefit claimants in an unlawful, discriminatory and therefore unlawful manner over many years, in serious breach of the principles of the General Data Protection Regulation (GDPR).

In the 2010s, the Belastingdienst wrongly reclaimed child benefits from tens of thousands of parents. Even minor formal errors in filling out the forms led to enormous claims, and a supposedly false citizenship could lead to years of stigmatizing fraud investigations. As a result, many families who relied on government assistance were driven into bankruptcy. The Belastingdienst should have deleted the data on dual nationality of Dutch nationals in January 2014, as from that date the dual nationality of Dutch nationals no longer played a legal role in the assessment of applications for childcare benefits. Nevertheless, the Belastingdienst retained and used these data. In May 2018, there were still about 1.4 million people with dual nationality registered in the Belastingdienst’s systems. What initially appeared to be a simple administrative failure has evolved over the years into a major scandal. The final report of the investigative commission, presented in December, concludes that the tax offices systematically preyed on innocent citizens. The Belastingdienst also used the nationality of applicants as an indicator in a system that automatically classified certain applications as risky. Again, the data were not necessary for this purpose. Under the General Data Protection Regulation, it is unlawful to process data on nationality in a discriminatory manner, as the data processing must not violate fundamental rights. These include the right to equality and non-discrimination. Under the GDPR, it is unlawful to process personal data on nationality in a discriminatory manner, as the data processing must not violate fundamental rights. These include the right to equality and non-discrimination. In addition, personal data may only be processed and stored for a specific, predetermined purpose. Processing without a purpose is inadmissible, and here there was no purpose, as nationality is legally irrelevant for the assessment of applications for childcare benefits.

In the statement DPA chair Aleid Wolfsen is quoted:

The government has exclusive responsibility for lots of things. Members of the public don’t have a choice; they are forced to allow the government to process their personal data.
That’s why it’s crucial that everyone can have absolute confidence that this processing is done properly. That the government doesn’t keep and process unnecessary data about individuals. And that there is never any element of discrimination involved in an individual’s contact with the government.
That went horribly wrong at the Benefits Office, with all the associated consequences. Obviously this fine cannot undo any of the harm done. But it is an important step within a broader recovery process.

In the wake of the DPA investigation, the Belastingdienst began to clean up its internal systems. In the summer of 2020, the dual nationalities of Dutch nationals were completely deleted from the systems. According to the DPA, since October 2018, the Belastingdienst no longer uses the nationality of applicants to assess risk. And since February 2019, it no longer uses the data to fight organized fraud. The fine was imposed on the Minister of Finance because he is responsible for the processing of personal data within the Belastingdienst.

Brazil changes new Data Protection Law and creates a Data Protection Authority

15. January 2019

On August 14, 2018, Brazil’s former president Michel Termer signed the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (we reported). Although the law enlarges the country’s data protection framework, the final text did not contain the creation of a data protection authority.

On December 28, 2018, Temer signed a last-minute executive order (Medida Provisória no. 869/18), which made important changes to the LGPD including the implementation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).

Despite the ANPD being an independent entity and being capable of freely handling and evaluating data protection and privacy issues, the authority still is part of the federal government and linked to the office of the President of Brazil.

According to the Executive Order no. 869/18 the ANPD has, among other things, the authority to:

  • Release rules and regulations regarding privacy and data protection;
  • Exclusively be responsible for monitoring and applying fines to non-compliant organizations;
  • Within the administrative field, exclusively interpret the LGPD, including cases in which the law remain silent; and
  • Promote privacy and data protection within the Brazilian society.

The new agency would consist of 28 members, five of them to be chosen by the president to constitute the board of directors and 23 members including public, private and third sector representatives to constitute an advisory board.

The order also establishes other important changes to the LGPD. For example that:

  • The LGPD will come into force in August 2020, six months after the originally scheduled date. Until then the ANPD will have an advisory and collaborative function.
  • The Data Protection Officer does not need to be an individual person. The tasks could be performed by an internal committee or department or could be outsourced to third parties such as specialized companies and law firms.

The executive order came into force immediately but must be voted into law by the Brazilian Congress to remain valid and become permanent.

ICO fines Regal Chambers Surgery with 40,000 GBP

12. August 2016

The ICO fines Regal Chambers Surgery with 40,000 GBP due to the fact that personal medical information was handed out.

Regal Chambers Surgery disclosed medical file to a man regarding his son containing 62 pages not only of personal data but also including information on the ex-partner, her parents, and an older child he was not related to. However, although the man requested the records under Section 7 of the Data Protection Act, Regal Chambers had no process implemented to determine whether the data should be handed out.

The ICO’s Head of Enforcement, Steve Eckersley commented that “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded”.

Category: EU · UK
Tags: ,