CNIL fines Google for violation of GDPR

25. January 2019

On 21st of January 2019, the French Data Protection Authority CNIL imposed a fine of € 50 Million on Google for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25th and 28th of May 2018, CNIL received complaints from the associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The associations accused Google of not having a valid legal basis to process the personal data of the users of its services.

CNIL carried out online inspections in September 2018, analysing a user’s browsing pattern and the documents he could access.

The committee first noted that the information provided by Google is not easily accessible to a user. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are spread across multiple documents. The user receives relevant information only after carrying out several steps, sometimes up to six are required. According to this, the scheme selected by Google is not compatible with the General Data Protection Regulation (GDPR). In addition, the committee noted that some information was unclear and not comprehensive. It does not allow the user to fully understand the extent of the processing done by Google. Moreover, the purposes of the processing are described too generally and vaguely, as are the categories of data processed for these purposes. Finally, the user is not informed about the storage periods of some data.

Google has stated that it always seeks the consent of users, in particular for the processing of data to personalise advertisements. However, CNIL declared that the consent was not valid. On the one hand, the consent was based on insufficient information. On the other hand, the consent obtained was neither specific nor unambiguous, as the user gives his or her consent for all the processing operations purposes at once, although the GDPR provides that the consent has to be given specifically for each purpose.

This is the first time CNIL has imposed a penalty under the GDPR. The authority justified the amount of the fine with the gravity of the violations against the essential principles of the GDPR: transparency, information and consent. Furthermore, the infringement was not a one-off, time-limited incident, but a continuous breach of the Regulation. In this regard, according to CNIL, the application of the new GDPR sanction limits is appropriate.

Update: Meanwhile, Google has appealed, due to this a court must decide on the fine in the near future.

The Dutch DPA (Autoriteit Persoonsgevens) investigates several Data Processing Agreements

23. January 2019

Since the EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018, the Dutch DPA regularly reviews whether organizations comply with data protection regulations. For example, the DPA previously investigated organizations (inter alia hospitals, banks, insurers) regarding their data protection officers and/or whether they keep a register of processing activities.

The Dutch Data Protection Authortiy, the so called Autoriteit Persoonsgevens, announced last week on its website that it had asked 30 private organizations to provide their Data Processing Agreements in use. The organizations in question mainly operate in the field of energy, media and trade.

Art. 28 GDPR states that a data controller must have a data processing agreement (DPA) with a data processor when the ladder is carrying out the data processing on behalf of the controller. This is for example the case when an organization outsources IT facilities. The controller remains responsible for the protection of the personal data and is only allowed to engage processors which can offer sufficient guarantees to ensure those requirements. Especially, the agreement must specify the type and categories of data that will be processed and the duration as well as the nature and purpose of the processing.

Political parties will be sanctioned for data breaches

22. January 2019

On Wednesday, 16th January 2019, EU Parliament and member state negotiators agreed that parties or political foundations can be sanctioned for data protection breaches during election campaigns. This regulation is intended to prevent any influence on the forthcoming European elections in May. It was decided that in such cases affected institutions would have to pay up to five percent of their annual budget in future.

One of the reasons for the new regulation was the data scandal surrounding Facebook and Cambridge Analytica. During the US election campaign, Facebook gained unauthorized access to the data of millions of its users. With this data, Cambridge Analytica is said to have tried to prevent potential Clinton supporters from voting and to mobilise Trump voters by means of advertising and contributions (we reported).

In future, data protection violations that are deliberately accepted in order to influence the outcome of European elections will be severely sanctioned. National supervisory authorities are to decide whether a party has violated the regulation. The Authority for European Political Parties and European Political Foundations must then review the decision and, if necessary, impose the appropriate sanction. Moreover, those found to be in breach could not apply for funds from the general budget of the European Union in the year in which the fine is imposed.

The text adopted on Wednesday still has to be formally adopted by Parliament and the Council of Member States.

Brexit: Impact on data protection after “May’s deal” has been rejected

18. January 2019

Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.

In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.

Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.

It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.

Dataset with stolen login information appeared

An 87 gigabyte dataset with stolen login information has appeared on the Internet. This affects 773 million e-mail addresses and over 21 million passwords.

According to initial information, the data do not originate from a single hack, but have been gathered from various hacks. The data set contains information from 12,000 domains and various web services.

The existence of the data set was made public by the Australian IT security expert Troy Hunt on his homepage, who calls it Collection #1. The expert writes that he was first made aware of the record by acquaintances and that the data was originally available from a file hosting provider, where it can no longer be found.

You have the option of checking for yourself whether your data is affected. To check this, simply enter your own address in the search field and click on “pwned?”. The verification service published by the Australian security researcher Troy Hunt is considered trustworthy by the Federal Office for Information Security (BSI). If you are affected, we recommend that you change your password as soon as possible.

CNIL publishes guidance on data sharing

At the end of last year, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés”, the “CNIL”) published guidance on sharing data with business partners or third parties. The CNIL stated that many companies that collect data from individuals transfer this data to “business partners” or other organisations especially to send prospecting emails. In case of a transmission the data subjects must maintain control over their personal data .

The published guidance state the following five requirements:

• Prior consent: Before sharing data with business partners or third parties such as data brokers, organisations must request the individual’s consent.

• Identification of the partners: The individuals must be informed of the specific partner(s) who may receive the data. According to the CNIL’s guidance, the organisation can either publish a complete and updated list containing the organisation’s partners directly on the data collection form or if such a list would be too long, it can integrate a link to the collection form. This should be inserted together with a link to their respective privacy policies.

• Information of changes to the list of partners: The organisations have to notify the individuals of any changes to the list of partners, especially if they may share the data with new partners. Therefore, they may provide an updated list of their partners within each marketing message sent to the individual and each new partner that receives the individual’s data must inform him or her of such processing in its first communication to the data subject.

• No “transfer” of the consent: Companies may not share the information they receive with their own partners without obtaining the consent of individuals, in particular with regard to the identity of new companies that would become recipients of the subject’s data.

• Information to be provided by the partner(s): The partner who received the individual’s data for their own marketing purposes must inform the data subject of the origin (name of the organisation who shared the data with them) and inform them of their data subject rights, in particular the right to object to the processing.

Category: EU · French DPA
Tags: , ,

Massachusetts Approved Amendments to Data Breach Notification Law

15. January 2019

Massachusetts’ data breach law has been significantly amended by the legislation signed by Gov. Charlie Baker on 10th January becoming effective as of 11th April this year. An overview of the key changes can be found following.

The amended law requires companies to provide certain additional information when notifying the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation about a breach of security or the reasonable believe of the existence such a breach. This information include, but are not limited to “the nature of the breach of  security or unauthorized acquisition or use”, the types of personal information compromised (e.g. social security numbers), “the number of residents affected by the incident at the time of notification”, the person responsible for the breach – if known -, and whether the entity maintains a written information security program according to Massachusetts 201 CMR § 17.03.

A further update concerns the notice of the affected individuals. The amended law explicitly sets out a rolling notification to individuals under certain circumstances and prohibits therefore a company from delaying notice to affected individuals referring to the ground that the total number of individuals affected has not yet been determined. “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”
If the company experiencing a data security incident is owned by another entity, the particular notification to the affected individual must specify “the name of the parent or affiliated corporation”.

Another significant change to the data breach law refers to the requirement of providing an offer of complimentary credit monitoring for “a period of not less than 18 months” (42 months, if the company is a consumer reporting agency) when a Massachusetts resident’s Social Security number has been compromised, or is reasonably believed to have been compromised, in a data security incident.  Also, Companies must certify their credit monitoring services to the Massachusetts attorney general and the Director of the Office of Consumer Affairs and Business Regulation in order to demonstrate compliance with the respective Massachusetts state law. Companies must eventually provide the credit monitoring services at no costs to the affected residents and are prohibited from asking them to waive their right to a private action as a condition for the reception of such services.

However, when these amendments become effective, beside Connecticut and Delaware, Massachusetts will have become one of those states providing a credit monitoring obligation when residents’ Social Security numbers are concerned by a breach of security. In fact, according to Public Act No. 18-90 that substitutes Senate Bill No. 472, Connecticut recently increased the required period of credit monitoring to be provided to the affected individuals from 12 to 24 months.

Brazil changes new Data Protection Law and creates a Data Protection Authority

On August 14, 2018, Brazil’s former president Michel Termer signed the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (we reported). Although the law enlarges the country’s data protection framework, the final text did not contain the creation of a data protection authority.

On December 28, 2018, Temer signed a last-minute executive order (Medida Provisória no. 869/18), which made important changes to the LGPD including the implementation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).

Despite the ANPD being an independent entity and being capable of freely handling and evaluating data protection and privacy issues, the authority still is part of the federal government and linked to the office of the President of Brazil.

According to the Executive Order no. 869/18 the ANPD has, among other things, the authority to:

  • Release rules and regulations regarding privacy and data protection;
  • Exclusively be responsible for monitoring and applying fines to non-compliant organizations;
  • Within the administrative field, exclusively interpret the LGPD, including cases in which the law remain silent; and
  • Promote privacy and data protection within the Brazilian society.

The new agency would consist of 28 members, five of them to be chosen by the president to constitute the board of directors and 23 members including public, private and third sector representatives to constitute an advisory board.

The order also establishes other important changes to the LGPD. For example that:

  • The LGPD will come into force in August 2020, six months after the originally scheduled date. Until then the ANPD will have an advisory and collaborative function.
  • The Data Protection Officer does not need to be an individual person. The tasks could be performed by an internal committee or department or could be outsourced to third parties such as specialized companies and law firms.

The executive order came into force immediately but must be voted into law by the Brazilian Congress to remain valid and become permanent.

Austrian DPA dismisses complaint concerning validity of Cookie Consent Solution

14. January 2019

The Austrian Data Privacy Authority (“DPA”) decided on a complaint, lodged by an individual, concerning the compliance of the cookie consent solution of an Austrian newspaper with the General Data Protection Regulation (“GDPR”).

The complainant argued that the consent was not given voluntarily, since the website was no longer accessible after the revocation of consent to marketing cookies. Further use of the website required payment. Therefore, according to the complainant, provision of the service depends on consent to the processing of personal data.

The Austrian newspaper grants users free access to the content of the website, provided that they agree to the use of cookies for advertising purposes. If this consent is revoked, the website will no longer be usable and the window for giving consent will reappear. Alternatively, in the same window, users can choose to subscribe to a paid subscription. For currently 6 euros per month users get access to the entire content of the site, without data tracking.

The DPA explained that consent is only given involuntarily if a disadvantage is to be expected if consent is not given. Referring to Article 29 Working Party’s Guidelines on Consent, the DPA stated that such a disadvantage arises when there is a risk of deception, intimidation, coercion or significant adverse consequences. Yet there is no such disadvantage here. In fact, after giving consent, the user of the website even gains an advantage because he gets full access to the newspaper’s services. Furthermore, if the user does not wish to give his consent, he can still use another online newspaper.

With its decision, the Austrian DPA set a welcome signal for other online newspapers that finance themselves through advertising revenues.

Massive data attack targeting hundreds of German politicians and celebrities

8. January 2019

Following the hacker attack on hundreds of politicians and celebrities, investigators have arrested a 20-year-old suspect today. The apartment of the suspect had been searched and he has been taken into custody. This was reported by the central agency of the attorney general in Frankfurt am Main (Zentralstelle zur Bekämpfung der Internetkriminalität der Generalstaatsanwaltschaft Frankfurt am Main) and the Federal Criminal Police Office (BKA).

On January 7, prior to the arrest, the household of a 19-year-old IT worker, who is being treated as a witness, was searched and technical equipment was confiscated. He claimed that he knows the hacker.

On Friday, January 4, Germany’s Federal Office for IT Safety (BSI) revealed that it was investigating a data leak concerning hundreds of German politicians, journalists and celebrities published on the platform Twitter. The authorities were working together with the Irish Data Protection Commissioner to stop the spreading of the affected data. The hack targeted all of Germany’s political parties represented in the federal parliament at the moment, except for the far-right Alternative for Germany (AfD).

The data was published via a Twitter account, followed by more than 17,000 people at the time, in the style of an advent calendar over the course of December 2018. It included mobile phone numbers, contact info and private chats. Furthermore, ID cards as well as banking and financial details, for example credit card details, were leaked.

Pages: Prev 1 2 3 ... 36 37 38 39 40 41 42 ... 67 68 69 Next
1 37 38 39 40 41 69