Category: European Union

Ikea France on trial for spying on staff and customers

7. April 2021

Ikea’s French subsidiary and several of its former executives stood trial on Monday, March 22nd, 2021, after being sued by former employees on charges of violating privacy rights by surveilling the plaintiffs, job applicants and customers.

Trade unions reported the furniture and household goods company to French authorities in 2012, accusing it of fraudulently collecting personal data and disclosing it without authorization. The subsequent criminal investigation uncovered an extensive espionage system. According to French prosecutors, the company hired a surveillance company, private investigators and even a former military operative to illegally obtain confidential information about its existing and prospective employees as well as customers. The files received contained, inter alia, criminal records and bank statements. The system has been used for years, possibly even over a decade, to identify individuals who were particularly suspicious or working against the company.

After the case caused outrage in 2012, Ikea’s main parent company fired several executives at the French branch, including the former general manager. But the extensive activity in France has again raised questions about data breaches by the company.

At Monday’s trial an employee accused the company of abuse since it had wrongly suspected him of being a bank robber because its investigative system had found prior convictions of a bank robber with the same name. Others claimed the retailer had browsed through employees’ criminal records and used unauthorized data to reveal those driving expensive cars despite low incomes or unemployment benefits. Even an assistant director who had taken a year of medical leave to recover from hepatitis C was monitored to investigate whether she had faked the severity of her illness. Illicit background checks on hundreds of job applicants were also conducted. Moreover, the system was used to track down customers seeking refunds for mismanaged orders.

One of the defendants, the former head of Ikea France’s risk management department, has testified at the hearing that EUR 530.000 to 630.000 a year had been earmarked for such investigations. The former CEOs and Chief Financial Officer as well as store managers are also on trial. In addition, four police officers are accused of handing over confidential information from police files.

Ikea France said in a statement that it takes the protection of its employees’ and customers’ data very seriously. The company added that it adopted compliance and training procedures to prevent illegal activity and changed internal policies after the criminal investigation had been initiated. But at Monday’s hearing, Ikea France’s lawyers denied a system-wide surveillance. The case was also called “a fairy tale” invented by trade union activists.

The deputy prosecutor claimed, Ikea France had illegally monitored at least 400 people and used the information to its advantage. She is asking for a fine of EUR 2.000.000 against the company, prison sentences of at least one year for two former CEOs and a private investigator, as well as fines for some store managers and police officers. A total of 15 people have been charged. The company also faces potential claims for damages from civil lawsuits filed by unions and several employees.

The trial ended on April 2nd. A verdict by a panel of judges is scheduled for June 15th.

EU and South Korea complete adequacy talks

6. April 2021

On March 30th, 2021, EU Justice Commissioner Didier Reynders and Chairperson of the Personal Information Protection Commission of the Republic of Korea Yoon Jong In announced the successful conclusion of adequacy talks between the EU und the Republic of Korea (“South Korea”). These adequacy discussions began in 2017, and there was already initially a high level of convergence between the EU and the Republic of Korea on data protection issues, which has been further enhanced by additional safeguards to further strengthen the level of protection in South Korea. Recently, South Korea’s Personal Information Protection Act (“PIPA”) took effect and the investigative and enforcement powers of South Korea’s data protection authority, the Personal Information Protection Commission (“PIPC”), were strengthened.

In the GDPR, this adequacy decision is based on Art. 45 GDPR. Article 45(3) GDPR empowers the EU Commission to adopt an implementing act to determine that a non-EU country ensures an “adequate level of protection”. This means a level of protection for personal data that is substantially equivalent to the level of protection within the EU. Once it has been determined that a non-EU country provides an “adequate level of protection”, transfers of personal data from the EU to that non-EU country can take place without further requirements. South Korea will be the 13th country to which personal data may be transferred on the basis of an adequacy decision. An adequacy decision covering both commercial providers and the public sector will enable free and secure data flows between the EU and the Republic of Korea and it will complement the EU-Republic of Korea Free Trade Agreement.

Until the free flow of data can occur, the EU Commission must initiate the procedure for adopting its adequacy finding. In this procedure, the European Data Protection Board will issue an opinion and a committee composed of representatives of the EU member states must agree. The EU Commission may then adopt the adequacy decision.

AEPD issues highest fine for GDPR violations

5. March 2021

The Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), imposed a fine of EUR 6.000.000 on CaixaBank, Spain’s leading retail bank, for unlawfully processing customers’ personal data and not providing sufficient information regarding the processing of their personal data. It is the largest financial penalty ever issued by the AEPD under the GDPR, surpassing the EUR 5.000.000 fine imposed on BBVA in December 2020 for information and consent failures.

In the opinion of the AEPD, CaixaBank violated Art. 6 GDPR in many regards. The bank had not provided sufficient justification of the legal basis for the processing activities, in particular with regard to those based on the company’s legitimate interest. Furthermore, deficiencies had been identified in the processes for obtaining customers’ consent to the processing of their personal data. The bank had also failed to comply with the requirements established for obtaining valid consent as a specific, unequivocal and informed expression of intention. Moreover, the AEPD stated that the transfer of personal data to companies within the CaixaBank Group was considered an unauthorized disclosure. According to Art. 83 (5) lit. a GDPR, an administrative fine of EUR 4.000.000 EUR was issued.

Additionally, the AEPD found that CaixaBank violated Art. 13, 14 GDPR. The bank had not complied with the information obligations since the information regarding the categories of personal data concerned had not been sufficient and the information concerning the purposes of and the legal basis for the processing had been missing entirely. What’s more, the information provided in different documents and channels had not been consistent. The varying information concerned data subjects’ rights, the possibility of lodging a complaint with the AEPD, the existence of a data protection officer and his contact details as well as data retention periods. Besides, the AEPD disapproved of the use of inaccurate terminology to define the privacy policy. Following Art. 83 (5) lit. b GDPR, a fine of EUR 2.000.000 was imposed.

In conclusion, the AEPD ordered CaixaBank to bring its data processing operations into compliance with the legal requirements mentioned within six months.

Dutch data scandal: illegal trade of COVID-19 patient data

19. February 2021

In recent months, a RTL Nieuws reporter Daniël Verlaan has discovered widespread trade in the personal data of Dutch COVID-19 test subjects. He found ads consisting of photos of computer screens listing data of Dutch citizens. Apparently, the data had been offered for sale on various instant messaging apps such as Telegram, Snapchat and Wickr. The prices ranged from €30 to €50 per person. The data included home addresses, email addresses, telephone numbers, dates of birth and BSN identifiers (Dutch social security number).

The personal data were registered in the two main IT systems of the Dutch Municipal Health Service (GGD) – CoronIT, containing details about citizens who took a COVID-19 test, and HPzone Light, a contact-tracing system, which contains the personal data of people infected with the coronavirus.

After becoming aware of the illegal trade, the GGD reported it to the Dutch Data Protection Authority and the police. The cybercrime team of the Midden-Nederland police immediately started an investigation. It showed that at least two GGD employees had maliciously stolen the data, as they had access to the official Dutch government COVID-19 systems and databases. Within 24 hours of the complaint, two men were arrested. Several days later, a third suspect was tracked down as well. The investigation continues, since the extent of the data theft is unclear and whether the suspects in fact managed to sell the data. Therefore, more arrests are certainly not excluded.

Chair of the Dutch Institute for Vulnerability Disclosure, Victor Gevers, told ZDNet in an interview:

Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home.

Many people expressed their disapproval of the insufficient security measures concerning the COVID-19 systems. Since the databases include very sensitive data, the government has a duty to protect these properly in order to prevent criminal misuse. People must be able to rely on their personal data being treated confidentially.

In a press release, the Dutch police also raised awareness of the cybercrime risks, like scam or identity fraud. Moreover, they informed about the possibilities of protection against such crimes and the need to report them. This prevents victims and allows the police to immediately track down suspects and stop their criminal practices.

GDPR fines and data breach reports increased in 2020

12. February 2021

In 2020 a total of €158.5 million in fines were imposed, research by DLA Piper shows. This represents a 39% increase compared to the 20 months the GDPR was previously in force since May 25th, 2018.

Since that date, a total of € 272.5 million in fines have been imposed across Europe under the General Data Protection Regulation (“GDPR”). Italian authorities imposed a total of € 69.3 million, German authorities € 69.1 million, and French authorities 54.4 million. This calculation does not include two fines against Google LLC and Google Ireland Limited totalling € 100 million  (€ 60million + € 40million) and a fine of € 35 million against Amazon Europe Core issued by the French data protection authority “Commission nationale de l’informatique et des libertés” (“CNIL”) on December 10th, 2020, (please see our respective blog post), as proceedings on these fines are pending before the Conseil d’Etat.

A total of 281,000 data breaches were reported during this period, although the countries that imposed the highest fines were not necessarily those where the most data breaches were reported. While Germany and the UK can be found in the top of both lists, with 77,747 data breaches reported in Germany, 30,536 in the UK and 66,527 in the Netherlands, only 5,389 data breaches were reported in France and only 3,460 in Italy.

Although the biggest imposed fine to date still is a fine of € 50 million issued by CNIL against Google LLC in January 2019 (please see our respective blog post) a number of high-profile fines were imposed in 2020, with 6 of the top 10 all time fines being issued in 2020 and one in 2021.

1. H&M Hennes & Mauritz Online Shop A.B. & Co. KG was fined € 35 million for monitoring several hundred employees (please see our respective blog post).

2. TIM (Italian telecommunications operator) was fined € 27 million for making unwanted promotion calls.

3. British Airways was fined € 22 million for failing to protect personal and financial data of more than 400,000 customers (please see our blog post)

4. Marriott International was fined € 20 million for a data breach affecting up to 383 million customers (please see our respective blog post)

5. Wind Tre S.p.A. was fined € 17 million for unsolicited marketing communications.

A comparison of the highest fines shows that most of them were imposed due to an insufficient legal basis for the processing of personal data (Art. 5 & 6 GDPR) or due to insufficient technical and organizational measures to ensure an appropriate level of security (Art. 32 GDPR).

While the European authorities have shown their willingness to enforce the GDPR rules, they have also shown leniency due to the impact that the COVID 19 pandemic has had on businesses. At least in part due to the impact of the pandemic, the penalties planned by the UK ICO have been softened. A planned fine of €205 million for British Airways was reduced to €22 million and a planned fine of €110 million for Marriott International was reduced to €20 million. GDPR investigations are also often lengthy and contentious, so the increased fines may in part be due to more investigations having had sufficient time to be completed. For example, the dispute over the above fines for British Airways and Marriott International has already started in 2019.

Not only the fines but also the number of data breach notifications increased in 2020. In 2020 121,165 data breaches were reported, an average of 331 notifications per day, compared to 278 per day in 2019. In terms of reported data breaches per 100,000 inhabitants, there is a stark contrast between Northern and Southern European countries. In 2020, Denmark recorded 155.6 data breaches per 100,000 inhabitants, the Netherlands 150, Ireland 127.8, while Greece, Italy and Croatia reported the lowest number of data breaches per inhabitant.

The trend shows that the GDPR is being taken more and more seriously by companies and authorities, and this trend is likely to continue as authorities become more confident in enforcing the GDPR. Fines are only likely to increase, especially as none of the fines imposed so far even come close to the maximum possible amount of 4% of a company’s global annual turnover. The figures also show that while the laws are in principle the same and are supposed to be applied the same in all EEA countries, nations have different approaches to interpreting and implementing them. In the near future, we can expect to see the first penalties resulting from the GDPR restrictions on data transfers to third countries, especially in the aftermath of the Schrems II ruling on data transfers to the USA.

University fined for omitted notification of a data breach

4. February 2021

The President of the Personal Data Protection Office in Poland (UODO) imposed a fine on the Medical University of Silesia in the amount of PLN 25.000 (approx. EUR 5.600). The university had suffered a data breach of which it should have notified the supervisory authority and the data subjects according to Articles 33, 34 GDPR, but failed to do so.

First indications of the data breach reached UODO in early June 2020. It was related to exams held at the end of May 2020 by videoconference on an e-learning platform. These were also being recorded. Before the exam, students were identified by their IDs or student cards, so a large amount of their personal data was documented on the recordings. After the exam was completed, the recordings were made available on the platform. However, not only the examinees had access to the platform, but also a wider group of people, about which the students had not been informed. In addition, using a direct link, any extern person could access the recordings and therefore the data of the examinees. Many students, fearing that the video would be deleted to cover up the incident, secured the file or took photographs of the computer screens to protect evidence. Eventually, the chancellor (being the decision-making unit) expressed the position that the incident of 200 people viewing the IDs of some 100-150 other people cannot be considered a personal data breach.

The controller, who was requested to clarify the situation by UODO, did not dispute the data breach. In fact, the virtual room of the platform is only available to the exam group and only those people have access to the recordings. The violation occurred because one of the employees did not close access to the virtual room after the exam. Though, the controller stated that no notification was required. In his opinion the risk to the rights or freedoms of the data subjects was low. Moreover, after the incident, the system was modified to prevent students from downloading the exam files. The controller also indicated that he identified the individuals who had done so and informed them about their criminal liability for disseminating the data.

Despite several letters from UODO, the university still omitted to report the data breach and notify the data subjects. Therefore, administrative proceedings were initiated. UODO found that the controller failed to comply with his obligations to notify both the supervisory authority and affected data subjects as well as improperly assessed the risk involved.

When imposing the fine, the President of UODO took into account the duration of the infringement (several months), the intentional action of the controller and his unsatisfactory cooperation with the supervisory authority. The fine will serve not only a repressive but also a preventive function, as it shows that the obligations arisen in connection with data breaches cannot be ignored. All the more so because an inappropriate approach to the obligations imposed by the GDPR may lead to negative consequences for those affected by the breaches.

WhatsApp’s privacy policy update halted

22. January 2021

Already at the beginning of December 2020, first indications came up signaling that WhatsApp will change its terms of service and privacy policy. Earlier this year, users received the update notice when launching the app on their device. It stated that the new terms concern additional information on how WhatsApp processes user data and how businesses can use Facebook hosted services to store and manage their WhatsApp chats. The terms should be accepted by February 8th, 2021, to continue using the chat service. Otherwise, the deletion of the account was suggested, because it will not be possible to use WhatsApp without accepting the changes. The notice has caused all sorts of confusion and criticism, because it has mistakenly made many users believe that the agreement allows WhatsApp to share all collected user data with company parent Facebook, which had faced repeated privacy controversies in the past.

Users’ fears in this regard are not entirely unfounded. As a matter of fact, outside the EU, WhatsApp user data has already been flowing to Facebook since 2016 – for advertising purposes, among other things. Though, for the EU and the United Kingdom, other guidelines apply without any data transfer.

The negative coverage and user reactions caused WhatsApp to hastily note that the changes explicitly do not affect EU users. Niamh Sweeney, director of policy at WhatsApp, said via Twitter that it remained the case that WhatsApp did not share European user data with Facebook for the purpose of using this data to improve Facebook’s products or ads.

However, since the topic continues to stir the emotions, WhatsApp felt compelled to provide clarification with a tweet and a FAQ. The statements make it clear once again that the changes are related to optional business features and provide further transparency about how the company collects and uses data. The end-to-end encryption, with which chat content is only visible to the participating users, will not be changed. Moreover, the new update does not expand WhatsApp’s ability to share data with Facebook.

Nevertheless, despite all efforts, WhatsApp has not managed to explain the changes in an understandable way. It has even had to accept huge user churn in recent days. The interest in messenger alternatives has increased enormously. Eventually, the public backlash led to an official announcement that the controversial considered update will be delayed until May 15th, 2021. Due to misinformation and concern, users shall be given more time to review the policy on their own in order to understand WhatsApp’s privacy and security principles.

European Commission proposes draft “Digital Service Act” and “Digital Market Act”

21. December 2020

On December 15th, the European Commission published drafts on the “Digital Service Act” (“DSA”) and the “Digital Market Act” (“DMA”), which are intended to restrict large online platforms and stimulate competition.

The DSA is intended to rework the 20-year-old e-Commerce Directive and introduce a paradigm shift in accountability. Under the DSA, platforms would have to prove that they acted in a timely manner in removing or blocking access to illegal content, or that they have no actual knowledge of such content. Violators would face fines of up to 6% of annual revenue. Authorities could order providers to take action against specific illegal content, after which they must provide immediate feedback on what action was taken and when. Providing false, incomplete or misleading information as part of the reporting requirement or failing to conduct an on-site inspection could result in fines of up to 1% of annual revenue. The scope of said illegal content is to include for example, criminal hate comments, discriminatory content, depictions of child sexual abuse, non-consensual sharing of private images, unauthorized use of copyrighted works, and terrorist content. Hosting providers will be required to establish efficient notice and action mechanisms that allow individuals to report and take action against posts they deem illegal. Platforms would not only be required to remove illegal content, but also explain to users why the content was blocked and give them the opportunity to complain.

Any advertising on ad-supported platforms would be required to be clearly identifiable as advertising and clearly state who sponsored it. Exceptions are to apply to smaller journalistic portals and bloggers, while even stricter rules would apply to large platforms. For example, platforms with more than 45 million active users in the EU could be forced to grant comprehensive access to stored data, provided that trade secrets are not affected, and to set up archives that make it possible to identify disinformation and illegal advertising.

Social network operators would have to conduct annual risk assessments and review how they deal with systemic threats, such as the spread of illegal content. They would also be required to provide clear, easy-to-understand and detailed reports at least once a year on the content moderation they have carried out during that period.

Newly appointed “Digital Service Coordinators” in each EU-Member-State are supposed to enforce the regulation, for example by ordering platforms to share data with researchers who shall investigate the platforms relevant activities, while a new European committee is to ensure that the DSA is applied uniformly across the EU. On demand of the Digital Service Coordinators platforms would have to provide researchers with key data, so they can investigate the platforms relevant activities.

The DMA includes a list of competition requirements for large platforms, so called “gatekeepers”, that have a monopoly-like status. The regulations aim to strengthen smaller competitors and prevent the large gatekeepers from using their dominance to impose practices perceived as unfair. They would neither be allowed to exclusively pre-install their own applications, nor to force other operating system developers or hardware manufacturers to have programs pre-installed exclusively by the gatekeeper’s company. In addition, preventing users from uninstalling included applications would be prohibited. Other common measures of self-preference would also be prohibited. For example, gatekeepers would no longer be allowed to use data generated by their services for their own commercial activities without also making the information available to other commercial users. If a provider wanted to merge data generated by different portals, he would have to obtain explicit consent from users to do so.

The publication of the DSA and the DMA is the next step in the European Commission’s 2020 European strategy for data, following the proposal of the Data Governance Act in November. Like the Data Governance Act, the DSA and DMA aim to push back the dominance of tech giants, particularly those from the U.S. and China, while promoting competition.

Swedish court confirms Google’s violations of the GDPR

16. December 2020

The Administrative Court of Stockholm announced on November 23rd, 2020, that it had rejected Google LLC’s appeal against the decision of the Swedish Data Protection Authority (Datainspektionen) determining Google’s violations of the GDPR. Google as a search engine operator had not fulfilled its obligations regarding the right to be forgotten (RTBF). However, the court reduced the fine from a total of SEK 75 million (approx. € 7,344,000) to SEK 52 million (approx. € 5,091,000).

Background to the case was the Swedish DPA’s audit in 2017 concerning Google’s handling of requests on delisting, which means removal of certain results from a search engine. The DPA concluded the inspection by ordering Google to delist certain individuals’ names due to inaccuracy, irrelevance and superfluous information. In 2018 the DPA initiated a follow-up audit because of indications that Google had not fully complied with the previously issued order. It resulted in issuing an administrative fine of SEK 75 million in March 2020.

The DPA raised attention to the fact that the GDPR increases the obligations of data controllers and data processors as well as strengthens the rights of individuals, which include the right to have their search result delisted. Though, Google has not been fully complying with its obligations, as it has not properly removed two of the search result listings that the DPA had ordered to delete. In one case Google has done a too narrow interpretation of what web addresses to remove, in the other case Google has failed to remove it without undue delay.

Moreover, the DPA criticized Google’s procedure of managing delisting requests and found it to be undermining data subjects’ rights. Following the removal of a search result listing, Google notifies the website to which the link is directed. The delisting request form, directed to the data subject raising the request, states that information on the removed web addresses can be provided to the webmaster. This information has to be seen as misleading since the data subject is made to understand that its consent to the notification is required in order to process the request. Therefore, such practice might result in individuals refraining from exercising their right to request delisting, which violates Art. 5 (1) lit. a) GDPR. What’s more, in the opinion of the DPA the delisting notifications to the webmasters are not covered by legal obligations according to Art. 6 (1) lit. c), 17 (2) GDPR, nor legitimate interests pursuant to Art. 6 (1) lit. f) GDPR. Also, Google’s routine of regularly sending information to webmasters constitutes processing of personal data being incompatible with the purpose for which the data was originally collected. This practice infringes Art. 5 (1) lit. b), 6 (4) GDPR.

Google appealed the decision of the DPA. Though, the Swedish Administrative Court of Stockholm reaffirmed the DPA’s opinion and confirmed Google’s violations of the GDPR.

The court stated that the process concerning delisting requests must facilitate for the individual to exercise its rights. That means, any process that restricts the individuals’ rights may violate Art. 15 through 22 GDPR. The court also specified why the personal data had been processed beyond their original purpose. Since the notifications are only sent after Google has removed a search result, the purpose of the processing has already expired when the notification is sent. Thus, the notification cannot be considered effective in achieving the purpose specified by Google.

Google shall now delist specific search results and cease to inform webmasters of requests. Also, Google must adapt its data subject rights procedure within eight weeks after the court’s judgment has gained legal force.

Update: The Council of the European Union publishes recommendations on encryption

8. December 2020

In November, the Austrian broadcasting network “Österreichischer Rundfunk” sparked a controversial discussion by publishing leaked drafts of the Council of the European Union (“EU Council”) on encryption (please see our blog post). After these drafts had been criticized by several politicians, journalists and NGOs, the EU Council published “Recommendations for a way forward on the topic of encryption” on December 1st, in which it considers it important to carefully balance between protecting fundamental rights with ensuring law enforcement investigative powers.

The EU Council sees a dilemma between the need for strong encryption in order to protect privacy on one hand, and the misuse of encryption by criminal subjects such as terrorists and organized crime on the other hand. They further note:

“We acknowledge this dilemma and are determined to find ways that will not compromise
either one, upholding the principle of security through encryption and security despite
encryption.”

The paper lists several intentions that are supposed to help find solutions to this dilemma.

First, it directly addresses EU institutions, agencies, and member states, asking them to coordinate their efforts in developing technical, legal and operational solutions. Part of this cooperation is supposed to be the joint implementation of standardized high-quality training programs for law enforcement officers that are tailored to the skilled criminal environment. International cooperation, particularly with the initiators of the “International Statement: End-to-End Encryption and Public Safety“, is proclaimed as a further intention.

Next the technology industry, civil society and academic world are acknowledged as important partners with whom EU institutions shall establish a permanent dialogue. The recommendations address internet service providers and social media platforms directly, noting that only with their involvement can the full potential of technical expertise be realized. Europol’s EU Innovation Hub and national research and development teams are named key EU institutions for maintaining this dialogue.

The EU Council concludes that the continuous development of encryption requires regular evaluation and review of technical, operational, and legal solutions.

These recommendations can be seen as a direct response to the discussion that arose in November. The EU Council is attempting to appease critics by emphasizing the value of encryption, while still reiterating the importance of law enforcement efficiency. It remains to be seen how willing the private sector will cooperate with the EU institutions and what measures exactly the EU Council intends to implement. This list of intentions lacks clear guidelines, recommendations or even a clearly formulated goal. Instead, the parties are asked to work together to find solutions that offer the highest level of security while maximizing law enforcement efficiency. In summary, these “recommendations” are more of a statement of intent than implementable recommendations on encryption.

Pages: Prev 1 2 3 4 5 6 7 8 Next
1 2 3 4 5 6 8