Consent banners are still flawed, dating apps discovered to expose your exact and real time location to anybody, and the UK’s ICO gives adtech an ultimatum. While you were catching up on your missed calls and emails, the privacy world was in constant movement. In this blog, we will have a look at the last two weeks of August.

OPINIONS, GUIDANCE, DECISIONS

Draft decision Dutch DPA (AP) on code of conduct by branch organisation Nederland ICT

Branch organisation Nederland ICT has drawn up a code of conduct to which organisations may opt to adhere to. While the Dutch DPA (AP) intends to approve the so-called Data Pro Code, the privacy watchdog does impose the condition that a supervisory body is established to ensure adherence to the code. The code of conduct can be used as one element to show the controller/processor adheres to its GDPR obligations.

BREACHES & INCIDENTS


Biometric data of millions of users breached by biometric security platform

A team of vpnMentor recently discovered a data breach in security platform BioStar 2. BioStar 2 is a web-based biometric security smart-lock platform, built by Suprema, a security manufacturer with the largest market share in biometric access control of the EMEA region. The overarching access control system, of which Biostar 2 is a part, is used by over 5,700 organizations in 83 countries, among the users are several of the biggest multinational businesses, as well as governments, banks, and the UK’s Metropolitan Police. The vpnMentor team was able to access facial recognition information and over a million fingerprint records. This type of information is of a permanent nature of course, expanding the potential impact for the individuals involved, and the companies that employ them.

More on physical security: EDPB adopts Guidelines on processing of personal data collected through video devices

Dating apps may have exposed exact locations of 10M users

Through dating apps Grindr, Romeo, Recon, and 3fun, users could be precisely located and tracked, potentially putting at risk 10 million users. Researchers of PenTestPartners could track them from home, to work, and find out where they socialise, by simply knowing a person’s username.

Global data breach costs will rise to $5 trillion by 2024

A new report from Juniper Research found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024. The rise represents an annual growth of 11%. The sharp increase “will primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm,” Juniper states in a press release.

TECH AND YOUR PRIVACY


UK’s ICO says “nothing has been solved or resolved” concerning adtech sector

After saying the entire adtech sector was operating illegally by not acquiring consent properly, now, two months later, ICO Executive Director for Technology and Innovation Simon McDougall states that “absolutely nothing has been solved or resolved at this point,” as well as that the industry has given “vague, immature and short answers”. The ICO has given the companies until the 2020 to improve their data protection practices or else it will start issuing fines. 

Most EU cookie notices leave user no choice, or use ‘dark patterns’ to get consent

Research by academics at Ruhr-University Bochum and the University of Michigan studied how European consumers interact with the cookie consent mechanisms. The majority, 93%, of cookie consent notices do not block interaction with the underlying website and offer no other option than the “Accept” button (86%), leaving the user no choice. 57% of notices also tried to get users’ consent through their design. Users were more likely to click the “Accept” button when it was highlighted in colour (50.8% on mobile, 26.9% on desktop), versus if it was displayed as a plain text only 39.2% on mobile and 21.1% on did so. 

Interestingly, around 30% of mobile users, and 10% of desktop users accepted all third party cookies if the checkboxes were already preselected when visiting a site, whereas only a small fraction, less than 0.1%, of these users allowed all third party trackers when faced with a compliant consent notice.

Facebook and Apple to end automatic reviews of collected audio
Bloomberg reported Facebook confirmed it had been paying contractors to transcribe audio recorded by voice chats in their Messenger app. Facebook initially stated that no EU users were involved, but it has been revealed audio messages of 48 EU users were collected and transcribed by hundreds of third-party contractors. The Irish DPA is examining the activity to determine if it violated the GDPR.

In the meantime, Reuters reported Apple has announced that it will end its default collection and human review of Siri audio recordings after privacy flags were raised during the first weeks of August.

Related: Hamburg DPA publishes legal requirements for Google to resume audio transcriptions of Google Home assistant recordings

Microsoft improves privacy protection; investigation still needed

The Dutch DPA (AP) said it found Microsoft has remotely collected data from those who use Windows Home and Windows Pro, while the watchdog tested if Microsoft complied with previous agreements. The AP requested Ireland’s DPA to look into Microsoft’s data collection practices. With 78.32%, Windows is still the leading OS for desktops, making the news surrounding this issue all the more important.

Google to introduce new standards for continuation of personalized advertising

While other browser developers like Mozilla, Apple and Brave are moving away from tracking, Google wants to introduce new standards for continuation of personalized advertising. The company announced a privacy initiative in May with five main ideas. The goal of the Chrome developer is to bring all browsers to a uniform balance between data processing and privacy. So far, Google has had only limited success with such initiatives.

ENFORCEMENT AND JURISPRUDENCE


Sweden's first GDPR fine: facial recognition in schools to monitor student attendance

A school in northern Sweden conducted a pilot using facial recognition to keep track of students’ attendance. The Swedish DPA concluded that the activity violates several articles of the GDPR, fining the municipality approximately €20.000. 

Düsseldorf court suspends order over Facebook to stop data collection

The Higher Regional Court (Oberlandesgericht) of Düsseldorf suspended an order from the German Federal Cartel Office (Bundeskartellamt) concerning Facebook’s data collection practices. The office ordered Facebook to stop its cross-platform gathering of user data. The Oberlandesgericht had “serious doubts” about whether the Bundeskartellamt’s decisions had a legal basis: “even if the contested data breached data-protection rules, that would not be an infringement of competition law at the same time”. As the Bundeskartellamt plans to appeal the decision, this seems like a first victory for the tech-giant.

Spanish Supreme Court finds information about electricity use to be personal data

The Spanish Supreme Court determined information about electricity use is protected by the Spanish Law implementing GDPR when it is accessed by a third party (such as an employee tasked with the measurement of electrical activity). The reasoning behind the decision is that behavioural habits such as entry and exit schedules and if a person lives together with another can be deduced from the data.