Tag: GDPR

French DPA fines phone operator for various violations of the GDPR

10. January 2023

After receiving several complaints , in November 2022, the French Data Protection Authority (CNIL) decided to impose a fine of 300.000 Euros upon the French phone operator FREE for several violations of the rules contained in the GDPR.

In particular, findings included violations of:

  • Article 12 and 21 GDPR, regarding transparent communication on how the data subjects can exercise their rights, in particular the right of erasure.
  • Article 15 GDPR, regarding the right of access by the data subject.
  • Article 32 GDPR, regarding the security of personal data.
  • Article 33 GDPR, as FREE did not comply with the obligation to document a personal data breach.

As a consequence of these findings, CNIL decided to impose a fine upon FREE, with an order to comply with the GDPR’s rules regarding the management of access and erasure requests and to justify this compliance within three months from the decision, with an additional fine of 500 Euros for each day overdue.

Category: Data Protection · EU · French DPA · GDPR
Tags: , ,

Thailand’s Personal Data Protection Act enters into force

29. June 2022

On June 1, 2022, Thailand’s Personal Data Protection Act (PDPA) entered into force after three years of delays after its enactment in May 2019. Due to the COVID-19 pandemic, the Thai government issued royal decrees to extend the compliance deadline to June 1, 2022.

The PDPA is widely based on the EU General Data Protection Regulation (GDPR). In particular, it also requires data controllers and processors to have a valid legal basis for processing personal data (i.e., data that can identify living natural persons directly or indirectly). If such personal data is sensitive personal data (e.g. health data, biometric data, race, religion, sexual preference and criminal record), data controllers and processors must ensure that data subjects give explicit consent for any collection, use or disclosure of such data. Exemptions are granted for public interest, contractual obligations, vital interest or compliance with the law.

The PDPA also ensures that data subjects have specific rights, which are very similar to the GDPR: the right to be informed, access, rectify and update data, as well as restrict and object to processing and the right to data erasure and portability.

One major difference to the GDPR is that, while there are fines for breaching the PDPA obligations, certain data breaches involving sensitive personal data and unlawful disclosure also carry criminal penalties including imprisonment of up to one year.

Just like the GDPR, the PDPA also affects both entities in Thailand as well as entities abroad that process personal data for the provision of products and/or services within Thai borders.

Just as we have seen with the GDPR, it will be important to observe the evolution the PDPA will venture through as it becomes more incorporated into the Thai companies’ compliance.

EU: Commission publishes Q&A on SCCs

30. May 2022

On 25 May 2022, the European Commission published guidance outlining questions and answers (‘Q&A’) on the two sets of Standard Contractual Clauses (‘SCCs’), on controllers and processors (‘the Controller-Processor SCCs’) and third-country data transfers (‘the Data Transfer SCCs’) respectively, as adopted by the European Commission on 4 June 2021. The Q&A are intended to provide practical guidance on the use of the SCCs. They are based on feedback from various stakeholders on their experiences using the new SCCs in the months following their adoption. 

Specifically, 44 questions are addressed, including those related to contracting, amendments, the relationship to other contract clauses, and the operation of the so-called docking clause.  In addition, the Q&A contains a specific section dedicated to each set of SCCs. Notably, in the section on the Data Transfer SCCs, the Commission addresses the scope of data transfers for which the Data Transfer SCCs may be used, highlighting that they may not be used for data transfers to controllers or processors whose processing operations are directly subject to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) by virtue of Article 3 of the GDPR. Further to this point, the Q&A highlights that the Commission is in the process of developing an additional set of SCCs for this scenario, which will consider the requirements that already apply directly to those controllers and processors under the GDPR. 

In addition, the Q&A includes a section with questions on the obligations of data importers and exporters, specifically addressing the SCC liability scheme. Specifically, the Q&A states that other provisions in the broader (commercial) contract (e.g., specific rules for allocation of liability, caps on liability between the parties) may not contradict or undermine liability schemes of the SCCs. 

Additionally, with respect to the Court of Justice of the European Union’s judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (‘the Schrems II Case’), the Q&A includes a set of questions on local laws and government access aimed at clarifying contracting parties’ obligations under Clause 14 of the Data Transfer SCCs. 

In this regard, the Q&A highlights that Clause 14 of the Data Transfer SCCs should not be read in isolation but used together with the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools. 

Record GDPR fine by the Hungarian Data Protection Authority for the unlawful use of AI

22. April 2022

The Hungarian Data Protection Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) has recently published its annual report in which it presented a case where the Authority imposed the highest fine to date of ca. €670,000 (HUF 250 million).

This case involved the processing of personal data by a bank that acted as a data controller. The controller automatically analyzed recorded audio of costumer calls. It used the results of the analysis to determine which customers should be called back by analyzing the emotional state of the caller using an artificial intelligence-based speech signal processing software that automatically analyzed the call based on a list of keywords and the emotional state of the caller. The software then established a ranking of the calls serving as a recommendation as to which caller should be called back as a priority.

The bank justified the processing on the basis of its legitimate interests in retaining its customers and improving the efficiency of its internal operations.

According to the bank this procedure aimed at quality control, in particular at the prevention of customer complaints. However, the Authority held that the bank’s privacy notice referred to these processing activities in general terms only, and no material information was made available regarding the voice analysis itself. Furthermore, the privacy notice only indicated quality control and complaint prevention as purposes of the data processing.

In addition, the Authority highlighted that while the Bank had conducted a data protection impact assessment and found that the processing posed a high risk to data subjects due to its ability to profile and perform assessments, the data protection impact assessment did not provide substantive solutions to address these risks. The Authority also emphasized that the legal basis of legitimate interest cannot serve as a “last resort” when all other legal bases are inapplicable, and therefore data controllers cannot rely on this legal basis at any time and for any reason. Consequently, the Authority not only imposed a record fine, but also required the bank to stop analyzing emotions in the context of speech analysis.

 

Google launches “Reject All” button on cookie banners

After being hit with a €150 million fine by France’s data protection agency CNIL earlier in the year for making the process of rejecting cookies unnecessarily confusing and convoluted for users, Google has added a new “Reject All” button to the cookie consent banners that have become ubiquitous on websites in Europe. Users visiting Search and YouTube in Europe while signed out or in incognito mode will soon see an updated cookie dialogue with reject all and accept all buttons.

Previously, users only had two options: “I accept” and “personalize.” While this allowed users to accept all cookies with a single click, they had to navigate through various menus and options if they wanted to reject all cookies. “This update, which began rolling out earlier this month on YouTube, will provide you with equal “Reject All” and “Accept All” buttons on the first screen in your preferred language,” wrote Google product manager Sammit Adhya in a blog post.

According to Google they have kicked off the rollout of the new cookie banner in France and will be extending the change to all Google users in Europe, the U.K., and Switzerland soon.

Google’s plan to include a “Reject All” button on cookie banners after its existing policy violated EU law was also welcomed by Hamburg’s Commissioner for Data Protection and Freedom of Information Thomas Fuchs during a presentation of his 2021 activity report.

But the introduction of the “Reject All” button is likely to be only an interim solution because the US giant already presented far-reaching plans at the end of January to altogether remove Google cookies from third-party providers by 2023.

Instead of cookies, the internet giant wants to rely on in-house tracking technology for the Google Privacy Sandbox project.

Dutch DPA issues highest fine for GDPR violations

14. April 2022

On April 7th, 2022, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens, imposed the highest-ever fine for data protection violations, amounting to € 3.7 million. It is directed against the Minister of Finance, who was the data controller for the Tax and Customs Administration’s processing operations. The reason for this is the years of unlawful processing of personal data in the Fraud Notification Facility application, a blacklist in which reports and suspected fraud cases were registered.

The investigation revealed several violations of principles and other requirements of the GDPR. Firstly, there was no legal basis for the processing of the personal data included in the list, making it unlawful under Art. 5 (1) (a), Art. 6 (1) GDPR. Secondly, the pre-formulated purposes of collecting the personal data were not clearly defined and thus did not comply with the principle of purpose limitation stipulated in Art. 5 (1) (b) GDPR. Moreover, the personal data were often incorrect and non-updated, which constituted a violation of the principle of accuracy according to Art. 5 (1) (d) GDPR. Since the personal data were also kept longer than the applicable retention period allowed, they were not processed in accordance with the principle of storage limitation as laid down in Art. 5 (1) (e) GDPR. Furthermore, the security of the processing according to Art. 32 (1) GDPR was not ensured by appropriate technical and organizational measures. In addition, the internal Data Protection Officer was not involved properly and in a timely manner in the conduct of the Data Protection Impact Assessment pursuant to Art. 38 (1), 35 (2) GDPR.

The amount of the fine imposed results from the severity, consequences and duration of the violations. With the Fraud Notification Facility, the rights of 270,000 people have been violated in over six years. They were often falsely registered as (possible) fraudsters, which caused them to suffer serious consequences. It left many unable to obtain a payment agreement or eligible for debt rescheduling and therefore, in financial insecurity. The Tax and Customs Administration also used discriminatory practices. Employees were instructed to assess the risk of fraud based on people’s nationality and appearance, among other factors.

The DPA also considered previous serious infringements in determining the amount of the fine. The Minister of Finance was penalized in 2018 for inadequate security of personal data, in 2020 for illegal use of the citizen service number in the VAT identification number of self-employed persons, and in 2021 for the discriminatory and illegal action in the childcare benefits scandal. Following the latter affair, the Fraud Notification Facility was shut down in February 2020.

The Minister of Finance can appeal the decision within six weeks.

Belgian DPA declares technical standard used for cookie banner for consent requests illegal

28. March 2022

In a long-awaited decision on the Transparency and Consent Framework (TCF), the Belgian data protection authority APD concludes that this technical standard, which advertisers use to collect consent for targeted advertising on the Internet, does not comply with the principles of legality and fairness. Accordingly, it violates the GDPR.

The ADP’s decision is aligned with other European data protection authorities and has consequences for cookie banners and behavioral online advertising in the EU. The advertising association IAB Europe, which develops and operates the TCF system, must now delete the personal data collected in this way and pay a fine of 250,000 euros. In addition, conditions have been determined for the advertising industry under which the TCF may continue to be used at all.

Almost all companies, including advertising companies such as Google or Amazon, use the mechanism to pass on users’ presumed consent to the processing of their personal data for personalized advertising purposes. This decision will have a major impact on the protection of users’ personal data. This is also confirmed by Hielke Hijmans from APD.

The basic structure of the targeted advertising system is that each visit to a participating website triggers an auction among the providers of advertisements. Based on the desired prices and the user’s data profile, among other things, a decision is made in milliseconds as to which advertisements she will see. For this real-time bidding (RTB) to work, the advertising companies collect data to compile target groups for ads.

If users accept cookies or do not object that the use of their data is in the legitimate interest of the provider, the TCF generates a so-called TC string, which contains information about consent decisions. This identifier forms the basis for the creation of individual profiles and for the auctions in which advertising spaces and, with them, the attention of the desired target group are auctioned off, and is forwarded to partners in the OpenRTB system.

According to the authority, the TC strings already constitute personal data because they enable users to be identified with the IP address and the cookies set by the TCF. In addition, IAB Europe is said to be jointly legally responsible for any data processing via the framework, although IAB Europe has not positioned itself as a data processor, only as a provider of a standard.
The TCF envisions advertising providers invoking a “legitimate interest” in data collection in cookie banners that pop up all the time, rather than asking for consent. This would have to be prohibited, for example, for it to be lawful. The principles of privacy by design and by default are also violated, since consent is literally tricked by design tricks, the data flows are not manageable, and revocation of consent is hardly possible.

Google to launch Google Analytics 4 with aim to address EU Data Protection concerns

24. March 2022

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4”. Among other things, “Google Analytics 4” aims to address the most recent data protection developments regarding the use of analytical cookies and the transfers tied to such processing.

The announcement of this new launch comes following 101 complaints made by the non-governmental organization None of Your Business (NOYB) complaints with 30 EEA countries’ data protection authorities (DPA). Assessing the data transfer from the EU to the US after the Schrems II decision of the CJEU for the use of Google Analytics, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookies is unlawful under the GDPR.

In the press release, Google states that “Google Analytics 4 is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

However, the most important change that the launch of “Google Analytics 4” will have on the processing of personal data is that it will no longer store users’ IP addresses. This will limit the data processing and resulting transfers that Google Analytics was under scrutiny for in the EU, however it is unclear at this point if the EU DPAs will change their opinion on the use of Google Analytics with this new version.

According to the press release, the current Google Analytics will be suspended starting July 2023, and Google is recommending companies to move onto “Google Analytics 4” as soon as possible.

Irish DPC fines Meta 17 Million Euros over 2018 data breaches

16. March 2022

On March 15th, 2022, the Irish Data Protection Commission (DPC) has imposed a fine on Meta Platforms 17 million euros over a series of twelve data breaches, which happened from June to December 2018.

The inquiry of the DPC which led to this decision examined the extent to which Meta Platforms complied with the requirements of Arti. 5(1)(f), Art. 5(2), Art. 24(1) and Art. 32(1) GDPR in relation to the processing of personal data relevant to the twelve breach notifications.

As the result of this inquiry, the DPC found that Meta Platforms infringed Art. 5(2) and 24(1) GDPR.  In particular, the DPC assessed that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect the data of its European users in the case of those twelve data breaches.

The processing under examination constituted a “cross-border” processing, and as such the DPC’s decision was subject to the co-decision-making process outlined in Art. 60 GDPR. This resulted in all of the other European supervisory authorities to be engaged in this decision as co-decision-makers.  While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC, and the supervisory authorities concerned.

“Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU,” the DPC stated in their press release.

A Meta spokesperson has commented on the decision, stating, “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”

Norwegian DPA aims to strengthen cookie regulations

22. February 2022

The Norwegian Data Protection Authority (DPA), Datatilsynet, has reached out to the Ministry of Local Government and District Affairs in a letter emphasizing the requirement of tightening cookie regulations in Norway.

This letter comes amid voices of consulting committees to delay the proposed tightened cookie regulations which have been on open consultation in Norway since the end of last year.

In the letter, the Datatilsynet points out the importance of strengthened cookie laws, specifically regarding the manner of obtaining consent and the design of the consent banners, which “are designed in ways that influence users to consent by making it more cumbersome and time consuming to not consent”.

The letter also references the French data protection authority’s decisions to fine Google €150 million and Facebook €60 million for inadequately facilitating refusal of cookies, as issued on 31 December 2021, and clearly outlined that in contrast to the practices for which Google and Facebook had been fined in France, the cookie practices would hardly have been considered problematic under the Norwegian cookie regulations, where illusory consents are allowed through pre-set browser settings.

Senior Legal Advisor Anders Obrestad stated that “these cases illustrate how unsustainable the current regulation of cookies and similar sports technologies in Norway are for the privacy of internet users”.

The Norwegian DPA hopes to be able to stop any delay in the strengthening of cookie regulations, as well as emphasize the importance of valid consent of internet users.

Pages: 1 2 3 4 5 6 7 8 9 10 11 Next
1 2 3 11