Category: European Union

Record GDPR fine by the Hungarian Data Protection Authority for the unlawful use of AI

22. April 2022

The Hungarian Data Protection Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) has recently published its annual report in which it presented a case where the Authority imposed the highest fine to date of ca. €670,000 (HUF 250 million).

This case involved the processing of personal data by a bank that acted as a data controller. The controller automatically analyzed recorded audio of costumer calls. It used the results of the analysis to determine which customers should be called back by analyzing the emotional state of the caller using an artificial intelligence-based speech signal processing software that automatically analyzed the call based on a list of keywords and the emotional state of the caller. The software then established a ranking of the calls serving as a recommendation as to which caller should be called back as a priority.

The bank justified the processing on the basis of its legitimate interests in retaining its customers and improving the efficiency of its internal operations.

According to the bank this procedure aimed at quality control, in particular at the prevention of customer complaints. However, the Authority held that the bank’s privacy notice referred to these processing activities in general terms only, and no material information was made available regarding the voice analysis itself. Furthermore, the privacy notice only indicated quality control and complaint prevention as purposes of the data processing.

In addition, the Authority highlighted that while the Bank had conducted a data protection impact assessment and found that the processing posed a high risk to data subjects due to its ability to profile and perform assessments, the data protection impact assessment did not provide substantive solutions to address these risks. The Authority also emphasized that the legal basis of legitimate interest cannot serve as a “last resort” when all other legal bases are inapplicable, and therefore data controllers cannot rely on this legal basis at any time and for any reason. Consequently, the Authority not only imposed a record fine, but also required the bank to stop analyzing emotions in the context of speech analysis.

 

Dutch DPA issues highest fine for GDPR violations

14. April 2022

On April 7th, 2022, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens, imposed the highest-ever fine for data protection violations, amounting to € 3.7 million. It is directed against the Minister of Finance, who was the data controller for the Tax and Customs Administration’s processing operations. The reason for this is the years of unlawful processing of personal data in the Fraud Notification Facility application, a blacklist in which reports and suspected fraud cases were registered.

The investigation revealed several violations of principles and other requirements of the GDPR. Firstly, there was no legal basis for the processing of the personal data included in the list, making it unlawful under Art. 5 (1) (a), Art. 6 (1) GDPR. Secondly, the pre-formulated purposes of collecting the personal data were not clearly defined and thus did not comply with the principle of purpose limitation stipulated in Art. 5 (1) (b) GDPR. Moreover, the personal data were often incorrect and non-updated, which constituted a violation of the principle of accuracy according to Art. 5 (1) (d) GDPR. Since the personal data were also kept longer than the applicable retention period allowed, they were not processed in accordance with the principle of storage limitation as laid down in Art. 5 (1) (e) GDPR. Furthermore, the security of the processing according to Art. 32 (1) GDPR was not ensured by appropriate technical and organizational measures. In addition, the internal Data Protection Officer was not involved properly and in a timely manner in the conduct of the Data Protection Impact Assessment pursuant to Art. 38 (1), 35 (2) GDPR.

The amount of the fine imposed results from the severity, consequences and duration of the violations. With the Fraud Notification Facility, the rights of 270,000 people have been violated in over six years. They were often falsely registered as (possible) fraudsters, which caused them to suffer serious consequences. It left many unable to obtain a payment agreement or eligible for debt rescheduling and therefore, in financial insecurity. The Tax and Customs Administration also used discriminatory practices. Employees were instructed to assess the risk of fraud based on people’s nationality and appearance, among other factors.

The DPA also considered previous serious infringements in determining the amount of the fine. The Minister of Finance was penalized in 2018 for inadequate security of personal data, in 2020 for illegal use of the citizen service number in the VAT identification number of self-employed persons, and in 2021 for the discriminatory and illegal action in the childcare benefits scandal. Following the latter affair, the Fraud Notification Facility was shut down in February 2020.

The Minister of Finance can appeal the decision within six weeks.

ECJ against data retention without any reason or limit

6. April 2022

In the press release of the judgment of 5.4.2022, the ECJ has once again ruled that the collection of private communications data is unlawful without any reason or limit. This reinforces the rulings of 2014, 2016 and 2020, according to which changes are necessary at EU and national level.

In this judgment, the ECJ states that the decision to allow data retention as evidence in the case of a long-standing murder case is for the national court in Ireland.

Questions regarding this issue were submitted in 2020 by Germany, France and Ireland. The EU Advocate General confirmed, in a legally non-binding manner, the incompatibility of national laws with EU fundamental rights.

However, a first exception to data retention resulted from the 2020 judgment, according to which, in the event of a serious threat to national security, storage for a limited period and subject to judicial review was recognized as permissible.

Subsequently, a judgment in 2021 stated that national law must provide clear and precise rules with minimum conditions for the purpose of preventing abuse.

According to the ECJ, an without cause storage with restriction should be allowed in the following cases:

  • When limited to specific individuals or locations;
  • No concrete evidence of crime necessary, local crime rate is sufficient;
  • Frequently visited locations such as airports and train stations;
  • When national laws require the identity of prepaid cardholders to be stored;
  • Quick freeze, an immediate backup and temporary data storage if there is suspicion of crime.

All of these are to be used only to combat serious crime or prevent threats to national security.

In Germany, Justice Minister Marco Buschmann is in favor of a quick freeze solution as an alternative that preserves fundamental rights. However, the EU states are to work on a legally compliant option for data retention despite the ECJ’s criticism of this principle.

Italian DPA imposes a 20 Mio Euro Fine on Clearview AI

29. March 2022

The Italian data protection authority “Garante” has fined Clearview AI 20 million Euros for data protection violations regarding its facial recognition technology. Clearview AI’s facial recognition system uses over 10 billion images from the internet and prides themself to have the largest biometric image database in the world. The data protection authority has found Clearview AI to be in breach of numerous GDPR requirements. For example, fair and lawful processing was not carried out within the data protection framework, and there was no lawful basis for the collection of information and no appropriate transparency and data retention policies.

Last November, the UK ICO warned of a potential 17 million pound fine against Clearview, and in this context, and also ordered Clearview to stop processing data.

Then, in December, the French CNIL ordered Clearview to stop processing citizens’ data and gave it two months to delete all the data it had stored, but did not mention any explicit financial sanction.

In Italy, Clearview AI must now, in addition to the 20 million Euro fine, not only delete all images of Italian citizens from its database. It must also delete the biometric information needed to search for a specific face. Furthermore, the company must provide a EU representative as a point of contact for EU data subjects and the supervisory authority.

Belgian DPA declares technical standard used for cookie banner for consent requests illegal

28. March 2022

In a long-awaited decision on the Transparency and Consent Framework (TCF), the Belgian data protection authority APD concludes that this technical standard, which advertisers use to collect consent for targeted advertising on the Internet, does not comply with the principles of legality and fairness. Accordingly, it violates the GDPR.

The ADP’s decision is aligned with other European data protection authorities and has consequences for cookie banners and behavioral online advertising in the EU. The advertising association IAB Europe, which develops and operates the TCF system, must now delete the personal data collected in this way and pay a fine of 250,000 euros. In addition, conditions have been determined for the advertising industry under which the TCF may continue to be used at all.

Almost all companies, including advertising companies such as Google or Amazon, use the mechanism to pass on users’ presumed consent to the processing of their personal data for personalized advertising purposes. This decision will have a major impact on the protection of users’ personal data. This is also confirmed by Hielke Hijmans from APD.

The basic structure of the targeted advertising system is that each visit to a participating website triggers an auction among the providers of advertisements. Based on the desired prices and the user’s data profile, among other things, a decision is made in milliseconds as to which advertisements she will see. For this real-time bidding (RTB) to work, the advertising companies collect data to compile target groups for ads.

If users accept cookies or do not object that the use of their data is in the legitimate interest of the provider, the TCF generates a so-called TC string, which contains information about consent decisions. This identifier forms the basis for the creation of individual profiles and for the auctions in which advertising spaces and, with them, the attention of the desired target group are auctioned off, and is forwarded to partners in the OpenRTB system.

According to the authority, the TC strings already constitute personal data because they enable users to be identified with the IP address and the cookies set by the TCF. In addition, IAB Europe is said to be jointly legally responsible for any data processing via the framework, although IAB Europe has not positioned itself as a data processor, only as a provider of a standard.
The TCF envisions advertising providers invoking a “legitimate interest” in data collection in cookie banners that pop up all the time, rather than asking for consent. This would have to be prohibited, for example, for it to be lawful. The principles of privacy by design and by default are also violated, since consent is literally tricked by design tricks, the data flows are not manageable, and revocation of consent is hardly possible.

Land register number allows access to personal data, Polish authorities confirm

23. March 2022

In a legal dispute that has been ongoing since 2020, the Polish Commissioner for Human Rights recently stated that the disclosure of land register numbers can lead to obtaining a large amount of personal data contained in the registers. In his opinion, general access to such detailed data harms and significantly restricts the informational autonomy of individuals.

The Commissioner’s view confirms the position of the Polish Data Protection Authority, which, in an administrative decision dated August 24th, 2020, ordered the Polish General Surveyor to cease making land register numbers available on the website “GEOPORTAL2”. He also imposed a fine of PLN 100,000 for violating the principle of lawfulness under Articles 5 para. 1 lit. a, 6 para. 1 GDPR, as there was no legal basis for the processing.

The decision was justified by the fact that land register numbers allow indirect identification of property owners and are therefore considered personal data. Moreover, the publication of these enables access to further data such as national ID number or property address. This may lead to a variety of dangers associated with the use of such data, in particular identity theft or impersonation for criminal purposes.

This opinion was also held by the Polish Voivodeship Administrative Court in Warsaw, which on May 5th, 2021, dismissed the Surveyor’s complaint against the decision of the Polish Data Protection Authority.

Irish DPC fines Meta 17 Million Euros over 2018 data breaches

16. March 2022

On March 15th, 2022, the Irish Data Protection Commission (DPC) has imposed a fine on Meta Platforms 17 million euros over a series of twelve data breaches, which happened from June to December 2018.

The inquiry of the DPC which led to this decision examined the extent to which Meta Platforms complied with the requirements of Arti. 5(1)(f), Art. 5(2), Art. 24(1) and Art. 32(1) GDPR in relation to the processing of personal data relevant to the twelve breach notifications.

As the result of this inquiry, the DPC found that Meta Platforms infringed Art. 5(2) and 24(1) GDPR.  In particular, the DPC assessed that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect the data of its European users in the case of those twelve data breaches.

The processing under examination constituted a “cross-border” processing, and as such the DPC’s decision was subject to the co-decision-making process outlined in Art. 60 GDPR. This resulted in all of the other European supervisory authorities to be engaged in this decision as co-decision-makers.  While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC, and the supervisory authorities concerned.

“Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU,” the DPC stated in their press release.

A Meta spokesperson has commented on the decision, stating, “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”

EDPS sanctions European Parliament for unlawfully transfered data to the US

25. January 2022

The European Data Protection Supervisor (EDPS) ruled that the European Parliament (EP) offended against a judgement of the European Court of Justice (ECJ) by transferring data to the US using US origin tech tools on their website for COVID-19 tests. This judgement relies on a complaint that involves misleading cookie banners, uncertain data privacy statements and unlawful data transfers from the EU to the US.

The ECJ makes clear that the transfer of personal data from the EU to the US is topic of strict conditions. Websites can only transfer data to the US if a certain security level is given. In this case there was not such a security level available.

The misleading cookie banners were so vague that the cookies were not listed in total and some differences between language options became appearent. Therefore, the website users could not give their valid consent.

Furthermore, the data privacy information were not clear and transparent, in that they refer to an incorrect legal basis for the processing. The given references were also in violation of transperency and requests of information.

Even during the process the EP tried to improve the technical deficits.

The EDPS issued a caution because in contrast to national data protection authorities it can only sentence under certain conditions, which were not given in this case. In result, it imposed a cease and desist order with a one month deadline for the EP to adjust the compliance.

Europol’s criticism of EDPS’ order limiting data collection practices

13. January 2022

Shortly after the European Data Protection Supervisor (EDPS) had notified EU’s Agency for Law Enforcement Cooperation (Europol) of the order restricting data collection practices, the agency strongly objected. We have already reported on the decision setting a retention period of six months for all datasets submitted to the agency.

Europol is concerned that the order will harm investigations, as the agency typically needs to retain data for longer than six months to effectively fight against evils such as terrorism and child abuse. It was precisely the past practices that also enabled the EU arresting numerous of drug traffickers and suspected criminals.

EU’s Commissioner for Home Affairs, Ylva Johansson, agreed with the concern, arguing that it would jeopardize criminal investigations if law enforcement agencies have to start disposing of the data they have collected. She stated that

the potential risk of the decision is huge. If a member state or national police cannot use Europol to help with the analysis of big data … then they will be blind because a lot of national police forces do not have the capacity to deal with this big data.

According to critical comment, law enforcement and security agencies should be given better access to citizens’ data. Johansson advocates this as well. Europol’s powers to process large datasets could soon be strengthened as part of a reform of its mandate. However, this intention also meets with criticism, as Chloé Berthélémy of the European Digital Rights NGO expresses:

The EDPS has taken a critical step today to finally end Europol’s unlawful processing of data … Unfortunately, the reform of Europol to be adopted soon … will reverse all these efforts as it is set to legalize the very same practices that undermine data protection and fair trial rights.

Europol ordered to delete data of individuals with no criminal link

12. January 2022

On January 3rd, 2022, the European Data Protection Supervisor (EDPS) notified the EU’s Agency for Law Enforcement Cooperation (Europol) of an order to delete data of individuals who have not been linked to a crime or a criminal activity. This decision, dated December 21st, 2021, marks the conclusion of EDPS’ investigation launched in 2019.

The own-initiative inquiry concerned Europol’s processing of personal data in large datasets for the purpose of strategic and operational analysis (referred to as Europol’s Big Data Challenge). The investigation revealed non-compliance with the data protection rules laid down in the Europol Regulation (ER), especially the principles of data minimization (Article 28 (1) (c) ER) and data retention (Article 28 (1) (e) ER).

Article 18 (2) (b), (c), (5) and Annex II. B. (1), (3) ER limit the categories of data subjects about whom Europol can process data for the aforementioned purposes to ‘suspects’, ‘potential future criminals’, ‘contacts and associates’, ‘victims’, ‘witnesses’ and ‘informants’. To meet this requirement, large datasets must undergo a process of filtering and extraction called Data Subject Categorization (DSC). Therefore, processing of datasets lacking the DSC should be limited to the shortest time necessary to materially proceed to such categorization. This is important to ensure that processing of data of persons, whose link to crimes has not been established, ceases as soon as possible. It is justified by the fact that in particular the continued storage poses a risk to fundamental rights of these individuals.

EDPS then admonished Europol and urged it to take all necessary and appropriate measures to mitigate the risks for individuals arising from such data processing activities. For this purpose, Europol was also advised to establish an action plan and inform EDPS thereof.

Although Europol has taken some action since then, it has not established an appropriate retention period for the datasets without DSC. As a consequence, the EDPS has decided to impose a retention period of 6 months for all datasets submitted to Europol by EU Member States as of January 4th, 2022, which should allow the filtering and extraction of the permitted personal data. Datasets that do not undergo DSC during this period must be deleted. The EDPS has also given Europol a period of 12 months to comply with the decision for the datasets previously received. Should this period elapse before the datasets undergo DSC, they must be deleted as well.

Pages: 1 2 3 4 5 6 7 8 Next
1 2 3 8