Category: Personal Data
11. March 2019
The Dutch data protection authority, Autoriteit Persoonsgegevens, clarified on 7th of March 2019 that the use of websites must remain accessible when tracking cookies are not accepted. Websites that allow users to access only if they agree to the use of tracking cookies or other similar means to track and record their behavior do not comply with the General Data Protection Regulation, GDPR.
The Dutch DPA’s decision was prompted by numerous complaints from website users who no longer had access to the websites after refusing the usage of tracking cookies.
The Dutch DPA noted that the use of tracking software is generally allowed. Tracking the behaviour of website users, however, must be based on sufficient consent. In order to be compliant with the GDPR, permission must be given freely. In the case of so-called cookie walls the user has no access to the website if he does not agree to the setting of cookies. In this way, pressure is exerted on the user to disclose his personal data. Nevertheless, according to the GDPR a consent has not been given voluntarily if no free or no real choice exists.
With publication of the explanation the Dutch DPA demands organizations to make their practice compliant with the GDPR. The DPA has already written to those organisations about which the users have complained the most. In addition, it announced that it would intensify its monitoring in the near future in order to examine whether the standard is applied correctly in the interest of data protection.
22. February 2019
Recently around 2.7 million sensitive phone calls were uncovered by Swedish technology news site Computer Sweden. In total, 170,000 hours of conversation were available online on an unencrypted web server. The server had no login mechanism so the recorded calls could be accessed freely.
Sweden operates a national health advice line (1177), which is run by Swedish company Medhelp. For out-of-hour calls they subcontract with a Thailand-based firm called Medicall. According to repords, most of the uncovered calls were made outside the regular times and therefore answered by Medicall. A request from the BBC left Medicall unanswered.
The uncovered data is extremely private as People usually call 1177 seeking medical advice, talking about their symptoms, their kids’ illnesses and giving out their social security number.
The Swedish Data Protection Authority is currently investigating the case.
12. February 2019
After TechCrunch initiated investigations that revealed that numerous apps were recording screen usage, Apple called on app developers to remove or at least disclose the screen recording code.
TechCrunch’s investigation revealed that many large companies commission Glassbox, a customer experience analytics firm, to be able to view their users’ screens and thus follow and track keyboard entries and understand in which way the user uses the app. It turned out that during the replay of the session some fields that should have been masked were not masked, so that certain sensitive data, like passport numbers and credit card numbers, could be seen. Furthermore, none of the apps examined informed their users that the screen was being recorded while using the app. Therefore, no specific consent was obtained nor was any reference made to screen recording in the apps’ privacy policy.
Based on these findings, Apple immediately asked the app developers to remove or properly disclose the analytics code that enables them to record screen usage. Apples App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. In addition, Apple expressly prohibits the covert recording without the consent of the app users.
According to TechCrunch, Apple has already pointed out to some app developers that they have broken Apple’s rules. One was even explicitly asked to remove the code from the app, pointing to the Apple Store Guidelines. The developer was given less than a day to do so. Otherwise, Apple would remove the app from the App Store.
According to the British news website The Register, 620 million accounts from hacked websites are for sale on dark web. For less than $20.000 in Bitcoin, people can buy the stolen accounts on Dream Market, located in the Tor network. Criminals should also be able to buy the copied user data individually. The data comes from hacks from the years 2016 to 2018. Some were already known others now became acquianted.
Among the sixteen hacked websites are the video messaging application Dubsmash (162 million accounts), the diet and exercise app MyFitnessPal (151 million accounts) and the family-tree-tracking service MyHeritage (92million accounts).
As reported by The Register, the account records appear to be legit. The data leak contains e-mail addresses, names and passwords but it does not contain any bank or credit card information and the passwords are encrypted and must therefore be decoded before they can be used.
Depending on the affected side, there are also a few other categories of personal information such as social media authentication tokens. It can be expected that the vendees will use the data for credential stuffing attacks. In such attacks, attackers try out lists with email password pairs at various online services to hack accounts. These attacks are made possible because many users reuse the same password across many websites.
The seller told The Register that they possess one billion accounts in total and that their aim is to make “life easier” for hackers. The seller said “I don’t think I am deeply evil, I need the money. I need the leaks to be disclosed […] I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”
Update: 127 million more stolen accounts appeared a few days ago. Affected sites include architecture, interior and designe website Houzz (57 million records), live-video streaming site YouNow (40 million records) and travel booking site Ixigo (18 million records). This data is sold by the hacker for a total of $14,500 in Bitcoin.
7. February 2019
The Bundeskartellamt announced in a press release on their website on Febraury 7, 2019 that it imposes far-reaching restrictions on Facebook.
Up to now Facebook’s terms and conditions stated that users have only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account. Therefore, all data collected on the Facebook website, by Facebook-owned services which includes Instagram and WhatsApp as well as on third party websites can be combined and assigned to the account of a Facebook user.
The authority’s decision affects said processing of user data in Germany and covers different sources of data.
Firstly, all social networks/services can continue to collect data under the existing laws. But the collected data can only be transferred to Facebook itself if consent is given by the data subject (the user). If such a consent is not given, the data cannot be assigned to an existing Facebook account. Secondly, the same applies to collecting data from third party websites.
Consequently, without the above mentioned consent Facebook will face far-reaching restrictions concerning collecting and combining data.
The Bundeskartellamt states as reason for this decision that in December 2018 Facebook had 1.52 billion daily active users and 2.32 billion monthly active users and therefore also occupies a dominant position in the German market for social networks. It further claims that the market share of Facebook concerning social networks in Germany is more than 95 % (daily active users) and more than 80 % (monthly active users). Therefore, the conclusion is drawn that the group with its subsidiaries WhatsApp and Instagram occupy a key position in the market which indicates a monopolisation process. Competitors like Google+, Snapchat, YouTube or Twitter or professional networks like LinkedIn or Xing provide only components of the services offered by the Facebook Group.
The authority’s decision is not yet final. Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court. The company has already announced that it will appeal against the decision.
31. January 2019
Healthcare insurer Aetna will have to pay a 935,000$ fine after letters had been sent to nearly 12.000 patients in 2017, disclosing highly sensitive information on the windows of the envelopes.
The information revealed that the recipients were taking HIV-related medications.
In addition, the insurance company will have to complete privacy risk assessments annualy for three years.
The patients have received compensation through a private class action settlement.
28. January 2019
The European Commission adopted an adequacy decision for Japan on the 23rd of January 2019, enabling data flows to take place freely and safely. The exchange of personal data is based on strong safeguards that Japan has put in place in advance of the adequacy decision to ensure that the transfer of data complies with EU standards.
The additional safeguards include:
– A set of rules (Supplementary Rules), which will cover the differences between the two data protection systems. This should strengthen the protection of sensitive data, the exercise of personal rights and the conditions under which EU data can be further transferred to another third country. These additional rules are binding in particular on Japanese companies importing data from the EU. They can also be enforced by the independent Japanese data protection authority (PPC) as well as by courts.
– Also, safeguards have been established concerning access by Japanese authorities for law enforcement and national security purposes. In this regard, the Japanese Government has given assurances to the Commission and has ensured that the use of personal data is limited to what is necessary and proportionate and is subject to independent supervision and redress.
– A complaint handling mechanism to investigate and resolve complaints from Europeans regarding Japanese authorities’ access to their data. This new mechanism will be managed and monitored by Japan’s independent data protection authority.
The adequacy decision has been in force since 23rd of January 2019. After two years, the functioning of the framework will be reviewed for the first time. The subsequent reviews will take place at least every four years.
The adequacy decision also complements the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019. European companies will benefit from free data flows as well as privileged access to the 127 million Japanese consumers.
25. January 2019
On 21st of January 2019, the French Data Protection Authority CNIL imposed a fine of € 50 Million on Google for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.
On 25th and 28th of May 2018, CNIL received complaints from the associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The associations accused Google of not having a valid legal basis to process the personal data of the users of its services.
CNIL carried out online inspections in September 2018, analysing a user’s browsing pattern and the documents he could access.
The committee first noted that the information provided by Google is not easily accessible to a user. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are spread across multiple documents. The user receives relevant information only after carrying out several steps, sometimes up to six are required. According to this, the scheme selected by Google is not compatible with the General Data Protection Regulation (GDPR). In addition, the committee noted that some information was unclear and not comprehensive. It does not allow the user to fully understand the extent of the processing done by Google. Moreover, the purposes of the processing are described too generally and vaguely, as are the categories of data processed for these purposes. Finally, the user is not informed about the storage periods of some data.
Google has stated that it always seeks the consent of users, in particular for the processing of data to personalise advertisements. However, CNIL declared that the consent was not valid. On the one hand, the consent was based on insufficient information. On the other hand, the consent obtained was neither specific nor unambiguous, as the user gives his or her consent for all the processing operations purposes at once, although the GDPR provides that the consent has to be given specifically for each purpose.
This is the first time CNIL has imposed a penalty under the GDPR. The authority justified the amount of the fine with the gravity of the violations against the essential principles of the GDPR: transparency, information and consent. Furthermore, the infringement was not a one-off, time-limited incident, but a continuous breach of the Regulation. In this regard, according to CNIL, the application of the new GDPR sanction limits is appropriate.
Update: Meanwhile, Google has appealed, due to this a court must decide on the fine in the near future.
15. January 2019
On August 14, 2018, Brazil’s former president Michel Termer signed the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (we reported). Although the law enlarges the country’s data protection framework, the final text did not contain the creation of a data protection authority.
On December 28, 2018, Temer signed a last-minute executive order (Medida Provisória no. 869/18), which made important changes to the LGPD including the implementation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).
Despite the ANPD being an independent entity and being capable of freely handling and evaluating data protection and privacy issues, the authority still is part of the federal government and linked to the office of the President of Brazil.
According to the Executive Order no. 869/18 the ANPD has, among other things, the authority to:
- Release rules and regulations regarding privacy and data protection;
- Exclusively be responsible for monitoring and applying fines to non-compliant organizations;
- Within the administrative field, exclusively interpret the LGPD, including cases in which the law remain silent; and
- Promote privacy and data protection within the Brazilian society.
The new agency would consist of 28 members, five of them to be chosen by the president to constitute the board of directors and 23 members including public, private and third sector representatives to constitute an advisory board.
The order also establishes other important changes to the LGPD. For example that:
- The LGPD will come into force in August 2020, six months after the originally scheduled date. Until then the ANPD will have an advisory and collaborative function.
- The Data Protection Officer does not need to be an individual person. The tasks could be performed by an internal committee or department or could be outsourced to third parties such as specialized companies and law firms.
The executive order came into force immediately but must be voted into law by the Brazilian Congress to remain valid and become permanent.
7. January 2019
The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.
BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.
In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.
Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.
Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.
As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.
