Category: General

CNIL fines Telecom Operator

7. January 2019

The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.

BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.

In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.

Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.

Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.

As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.

Happy New Year!

1. January 2019

Dear readers,

the team of the blog privacy-ticker.com wish you a happy new year and all the best for 2019.

Once again this year we will keep you up to date on the subject of data protection.

Best regards,

privacy-ticker.com

Category: General

USA: Call for National Privacy Law

28. December 2018

The Association of National Advertisers (ANA) is urging the Federal Trade Commission (FTC) to work towards a national privacy legislation and prevent fragmentation of the U.S. privacy landscape.
In its plea, the ANA specifically raises concerns about current developments regarding the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It deems both legislations to be overly restrictive and threatening to the free flow of information that “is vital to delivering the products and services that consumers value and expect” and asks the FTC to carry out a detailed review of the effects of the GDPR and the CCPA on competition and consumers.

The ANA is worried as “other states are considering additional and potentially inconsistent privacy and data security laws” and has been working with member companies and other industry groups to develop a new privacy paradigm that would be enforced by the FTC as a single national standard.

The approach involves allowing companies to use data considered “per se reasonable,” and prohibiting uses of data deemed “per se unreasonable.”
The reasonable practices “could include the collection and use of non-sensitive data for advertising purposes with consumer transparency and choice,” the ANA writes. Unreasonable ones “could include determining adverse terms or conditions or ineligibility for an individual’s: employment; credit; health care treatment; insurance; education and financial aid”.

The comments were filed in response to a request for input on the February 2019 FTC Hearing on Competition and Consumer Protection in the 21st Century, which will focus on consumer privacy.

Uber to pay another fine for 2016 data breach

27. December 2018

Uber’s major data breach of 2016 still has consequences as it has also been addressed by the French Data Protection Authority “CNIL”.

As reported in November 2017 and September 2018, the company had tried to hide that personal data of 50 million Uber customers had been stolen and chose to pay the hackers instead of disclosing the incident to the public.

1,4 million French customers were affected as well which is why the CNIL has now fined Uber 400K Euros (next to the settlement with the US authorities amounting to $148 Million).

The CNIL came to find out that the breach could have been avoided by implementing certain basic security measures such as stronger authentication.

Great Britain and the Netherlands have also already imposed a fine totalling €1 million.

Google changes Privacy Policy due to GDPR

19. December 2018

As it is widely known these days, the General Data Protection Regulation (GDPR) came into force earlier this year to standardize data protection regulation in the EU. This has now lead to the fact that Google will update the company’s terms of service and privacy policy to be compliant with the GDPR.

The company started to notify the countries in the European Economic Area (EEA) and Switzerland in regard to some upcoming changes. They will come into effect on January 22, 2019.

The most important update, also legally, is the change of the data controller. The Google Ireland Limited will become the so called “data controller” who is responsible for the information of European and Swiss users . Therefore, Google Ireland Limited will be in charge to respond to request from users and to ensure compliance with the GDPR. At present, these services are provided by Google LLC, based in the U.S.

For website operators this means that they might also have to adapt their privacy policy accordingly. This is the case, for example, if Google Analytics is used.

Furthermore, there are no changes in regard to the current settings and services.

French Data Protection Authority launches a public consultation on future standards – Data Processing for Managing Business Activities and Unpaid Invoices

12. December 2018

Due to the GDPR and the new French data protection law (“loi Informatique et Libertés”), the French Data Protection Authority (“CNIL”) launched two draft standards (in French: référentiels) on November 29, 2018. One o these CNIL’s draft standards deals with the processing of personal data to manage business activities, the other with unpaid invoices.

Until January 11, 2019 the possibility to consult the CNIL on the two draft Referentials will be open to the public. According to the CNIL, the draft standards will afterwards be adopted by the CNIL in plenary session.

CNIL’s Draft Referential on Data Processing for Managing Business Activities represents an update to the CNIL’s Simplified Norm No. 48 on the management of customers and prospective customers. It provides a framework for the implementation of “customer” and “prospect” files. The Draft Referential is applicable to data processing activities carried out by any data controller, except the following: health or educational institutions, banking or similar institutions, insurance companies and operators subject to approval by the French Online Gambling Regulatory Authority.

CNIL’s second draft (Draft Referential on Data Processing for Managing Unpaid Invoices) intends to provide a framework regarding the processing of personal data for managing unpaid invoices by private or public law entities. It does not apply to the processing of customer data for detecting risks of non-payment, or to identify other infringements (such as incivilities shown by customers).

Adherence to these two standards will ensure that the processing of unpaid invoices and business activities comply with current data protection principles.

Category: French DPA · GDPR · General

Electronic receipts sent by leading retailers may not comply with data protection rules

After investigating several large retailers the consumer body Which? claims that many retailers in the UK include in their e-receipt marketing messages.

A lot of retailers offer the possibility to send digital receipts instead of paper receipts to the shoppers. However, it should be noted that when the General Data Protection Regulation (GDPR) came into force on May 25th earlier this year, the regulations concerning this area were tightened.

Retailers are not allowed to send direct marketing to new customers by email unless the recipient has consented to receive it. Shoppers must be given the opportunity to opt out in case the retailer asks for their email address at the point of sale with the intention to afterwards send marketing information.

According to Which? the following companies were visited at least three times by “mystery shoppers” to test if they send out unwanted marketing information in their e-receipts: Topshop, Dorothy Perkins, Nike, Clarks, New Look, Arcadia Group (Miss Selfridge, Outfit, Burton), Gap, Mothercare, Halfords, Currys PC World and Schuh. The “mystery shoppers” requested an electronic receipt without receiving any additional marketing.

The retailers dealt with this situation differently. One shop apparently sent a marketing email with the e-receipt as an attachment, while others included prompts to sign up for a newsletter or invitations to complete a survey in return for money off a future purchase. The concern is that consumers might be “bombarded” with unwanted marketing messages.

ICO fines companies for not paying the data protection fee

4. December 2018

The UK’s Information Commissioner’s Office (ICO) fines the first companies for not paying the data protection fee. Unless they are exempt, all organisations, companies and sole traders who process personal data have to pay an annual data protection fee.

Depending on their maximum turnover, number of employees and whether they are a charity or public authority, the fee varies from £40 to £2,900. Whereas the fine for not paying varies from £400 to £4,000. The fines recovered go to the Treasury’s Consolidated Fund. The regulations came into force together with the new Data Protection Act on 25 May 2018.

“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action. (…) You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO”, said Paul Arnold, Deputy Chief Executive Officer at the ICO.

More than 900 fine notices have been issued by the ICO since September and more are set to follow. Companies can check if their fee is due to renewal on the ICO’s website.

Category: General · UK
Tags: ,

LinkedIn processed 18 million non-user email addresses to target Facebook advertisings

28. November 2018

The business and employment-oriented service LinkedIn processed the email addresses of 18 million non-members and targeted them with advertising on Facebook without permission.

A non-LinkedIn user issued a complaint to the Data Protection Commission that their email address had been obtained and used by the organisation for the purposes of targeted advertising on Facebook. Within Ireland’s Data Protection Commission the concerns grew regarding LinkedIn’s processing of personal data of non-users. Therefore, the office conducted an audit of the multinational LinkedIn Ireland, home to the company’s EU headquarters, and stated that it used million of e-mail addresses of non-users.

Also involved is LinkedIn Corp in the US, which processes data on behalf of LinkedIn Ireland. They targeted – by means of 18 million addresses – the individuals in Facebook. According to the commissioner’s annual report LinkedIn in the US carried out the processing in the absence of instructions from LinkedIn in Ireland (the controller). Said annual report covers the period from January 1st to May 24th 2018. Then the old office of the Data Protection Commissioner ceased to exist due to the General Data Protection Regulation. The new Data Protection Commission came into existence on May 25th 2018.

Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future

23. November 2018

Last week the U.K. and EU could conclude a draft withdrawal agreement for the United Kingdom to leave the European Union as of 30th March 2019. The agreement covers the “divorce” of both of them and a non-binding political statement concerning their ideas for the future relations. The declaration is referring to a commitment regarding an ambitious free trade agreement, containing areas including financial services, continued free flow of data, and other subjects relating to the EU such as defense matters have been picked up.

After the U.K. will have left the EU in March 2019 a 21-month transition period is planned in order to facilitating business sectors in their planning. Thus, at least until the beginning of 2021, EU regulations would remain effective keeping the U.K. in the single market and Customs Union. However, this time frame could also be extended by common agreement.

With regard to data protection, the withdrawal agreement directly addresses data protection and security issues in Articles 70 to 74. These provisions stipulate that EU data protection rules, including the GDPR, shall apply in the U.K. when using personal data of data subjects outside the United Kingdom exchanged before the end of the transition period. Furthermore, after the end of the transition period, the U.K. is obliged to further apply these EU rules to the processing of “EU personal data”, until the U.K. data protection laws to be enacted ensure an adequate level of data protection which is “essentially equivalent” to that of the EU.  In the process of becoming subject to this formal adequacy decision to be established by the EU Commission the U.K.’s applicable data protection regime has to be assessed in the first place. In the event of annulling or repealing the adequacy decision, the provisions of the withdrawal agreement would be relevant for the EU personal data transferred to the U.K. to ensure the same “essentially equivalent” standard of data protection directly.

In other words, under the concluded agreement, the GDPR as well as the corresponding Data Protection Act would remain the applicable data protection law in the U.K. for the foreseeable future.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 Next
1 2 3 4 10