Say goodbye to mojitos on the beach, welcome back to work: Catch up on data privacy happenings (1/3)

Aug 16, 2019 12:00:00 AM | Data Protection Say goodbye to mojitos on the beach, welcome back to work: Catch up on data privacy happenings (1/3)

From mega-fines, a hearing in the case that might rock international data transfers, to thousands of apps and browser extensions spying on consumers - whether you were relaxing on a beach or kicking it in the Alps, you missed a lot. Instead of going through piles of news around data privacy from the summer months, get quickly caught up by looking at a summary of the most important happenings in this short blog post, the first of a three piece series, focusing on the last two summer months. 


July 1-20


Facebook fined 1 million Euro by the Italian DPA for the Cambridge Analytica Scandal

The Italian DPA Garante has fined the social media company for the Cambridge Analytica Scandal of 2015, which came to light last year. Cambridge Analytica had accessed data on 87 million Facebook users that used an app pretending to be a psychological test. The company then used this data to try and influence the US presidential elections by assisting the presidential campaign of current president of the USA Donald Trump.


UK’s DPA ICO intends to fine British Airways and Marriott with largest ever GDPR fines

British Airways and hotel chain Marriott have been notified by ICO that it intends to fine them £183.39m and £99.2m respectively. 

The BA breach was caused by a fraudulent site. Personal data (names and addresses, log in, payment card, and travel booking details) of 500,000 customers were stolen.

The Marriott breach was based on the Starwood reservation system that Marriott acquired when the two companies merged. Personal data contained in approximately 339 million guest records globally were exposed by the incident. 

Both fines were issued because of alleged failures to implement appropriate security measures, Marriott was also blamed for insufficient due diligence. ICO is taking a strong stance against companies who fail to implement appropriate security measures. Recently, three other major fines were issued: against Equifax (£500,000), Uber (£385,000), and Yahoo! (£250,000).


Belgian DPA reprimands FOD Volksgezondheid for failing to respond to access request

The sanction concerns a case where the FOD Volksgezondheid did not respond to a citizen's request to exercise his right of access, despite an order from the DPA. Respect for the right of citizens to the protection of personal data is, in the Authority's view, a cornerstone of the GDPR, and data controllers must do everything in their power to ensure this.

The procedure revealed the fact that the FOD Volksgezondheid had not introduced internal procedures to comply with the requirements of the GDPR, while the Regulation was published in May 2016 and has entered into force in May 2018.


Dutch hospital Haga fined for insufficient internal security of patient records

The investigation into Haga commenced when it turned out that dozens of employees of the hospital had unnecessarily accessed the medical file of a well-known Dutch reality star known as “Barbie”. The Dutch DPA Autoriteit Persoonsgegevens imposed a fine of 460,000 euros on the Haga Hospital for inadequate security. The news followed earlier research of the AP into the functioning of DPOs in eleven hospitals found that these DPOs operate well and fulfil the tasks they have under the privacy legislation well.



New guidance by the Dutch DPA forbids targeted advertising by banks

The Dutch DPA, the Autoriteit Persoonsgegevens, announced banks may not use financial data for targeted advertising. The guidance comes after a bank changed its privacy policy to state it will use payment information for direct marketing offers. 


Hearing of the ‘Schrems II’ case before the CJEU: the end for data transfer in its current form?

The CJEU might find that some or all transfers to the USA are problematic and invalidate SCCs as valid 'safeguards' for such transfers. The case (C-311/18) isn’t specifically about the Privacy Shield, but a lot of the points raised about SCCs apply to Privacy Shield as well.

The alternatives for data transfer are limited: Binding Corporate Rules can only be used by corporate groups and require substantial time to draft and to obtain necessary approval. Other alternatives are even more troublesome: consent is revocable and must be freely given and Contractual Necessity is rarely suitable for large quantities of data transfers of today. Approved Codes of Conduct and Certification under an Approved Certification Mechanism cannot be used yet because there are no approved codes of conduct or certification mechanisms. 


EDPB releases opinion on lead supervisory authority competence

The EDPB released an opinion in which it determined the competence for a lead supervisory authority to act can be switched to another supervisory authority in the event of a documented change related to a main or single establishment.



1000 clips of conversations in Belgium and the Netherlands breached, notification sent to the Irish DPA

The recordings, which were logged by Google Assistant, were sent to Google’s subcontractors for review. A minimum of 153 of these recordings were not authorised by the activation phrase “Ok/Hey, Google” and were never meant to be recorded. They contained personal data reaching from family conversations over bedroom chatter to business calls with confidential information.


Widely used Chrome and Firefox browser extensions caught harvesting data from 4 million consumers

URLs, webpage titles, and sometimes the embedded hyperlinks of pages visited were collected. Most of the collected data was then sold for $10 to $50 on website Nacho Analytics. This data may not sound especially sensitive, but some of the published links led to pages that are not protected by passwords - only by something called tokens, included in the URL. Some might know tokens form their use in URLs contained in private emails - when you click these, they take you straight to the website of the sender, logging you in automatically. The collected data might thus give any buyer access to any account that is accessible per token. A list of the extensions is available on the website of the researchers that first found the harvesting.


1300+ Android apps collect data even when consent is not given

The International Computer Science Institute (ICSI) found as much as 1,325 Android apps that were gathering data from devices after users explicitly denied them permission to do so. The apps used workarounds to negate security features and took data from Wi-Fi sources, metadata stored in phones, and in some cases unprotected files on devices’ memory card. Serge Egelman, ICSI director of usable security and privacy research, presented the study at the FTC’s PrivacyCon. Google was notified of the issues as early as September 2018, but states they won’t be resolved until Android Q, later this year. Egelman will release details with a list of the 1,325 apps that were found at the Usenix Security conference in August.


Join us next week when we’ll give you all the highlights you missed up to the 10th of August.