Italy’s privacy regulator imposes a million Euro fine on Facebook. Facebook’s pre-GDPR data protection breaches in the context of the Cambridge Analytica fiasco have now attracted a million Euro fine imposed by the Italian privacy regulator. The Italian regulator found that Facebook had disclosed to the third-party “This Is Your Digital Life” app, personal data of 214,077 Italian users. These users had not been informed of the sharing of their data and had not given their consent to such sharing, in violation of Italy’s pre-GDPR data protection law.
Although the data processed by the app was generally the basis for Cambridge Analytica’s attempts to influence the U.S. presidential elections in 2016, the Italian regulator found that the data from these Italian users had not been transmitted to Cambridge Analytica. In determining the fine, the Italian regulator took into account the size of the database in question as well as Facebook’s economic status and the number of its users both worldwide and in Italy. The Italian regulator also dismissed Facebook’s arguments for a reduced fine of €52,000.
CLICK HERE to read the Italian privacy regulator’s order against Facebook (in Italian).
ICO’s Report on AdTech and Real Time Bidding. The UK’s Information Commissioner’s Office (ICO) has published a report criticizing companies that use online advertising technologies and real-time bidding. The report outlines the issues that require attention and outlines a six-month timescale after which the ICO will re-examine the matter.
In Real-Time Bidding, online ad placements (‘impressions’) are enabled through the auctioning of advertising space in real time, during the milliseconds a webpage takes to load on a user’s browser. Through this process, the online behavioral data of ad-targeted users is shard with AdTech companies billions of times a day. The data shared can include user geo-location data, sexual orientation, religion, political opinions, and online habits, and this processing enables user behavioral profiling.
The ICO’s report criticizes the wrongful reliance by AdTech companies on the GDPR’s legitimate interests as a legal basis to legitimize this processing, without obtaining users’ affirmative consent to this data processing. The ICO also found that privacy policies are not sufficiently clear on how personal data is handled in the Real-Time Bidding process and that companies neglect to conduct a Data Protection Impact Assessment (DPIA) before they engage in this form of processing, in violation of the GDPR.
A Danish furniture company faces fine for over-retaining customers’ personal data. The Danish Data Protection Authority has recommended imposing a €230,000 fine on IDdesign, a large Danish furniture company, that had processed personal data about 385,000 customers for a longer period than necessary for the purpose the data was collected, in violation of the GDPR’s data minimization principle. In addition, the company did not set a retention data policy and did not comply with the accountability principle required by the GDPR.
CLICK HERE to read the official statement of the Danish regulator (in Danish).
Spanish Soccer League fined for spying on fans through its mobile app. The Spanish Data Protection Authority imposed a €250,000 fine on the Spanish Major Soccer League (‘La Liga’) after it found that the League had used its mobile app to spy on users through their smartphones’ microphones, in order to help it determine whether bars had pirated soccer matches. La Liga’s misconduct was found to be an infringement of the GDPR because it had to re-inform its users each time the app used the device’s microphone, and not just by notifying of this practice upon download and initial installation of the app.
The regulator also held that La Liga must provide an option for users to withdraw their consent to this form of tracking, at any time, and not just seek the user’s initial consent to this processing. La Liga indicated that it plans to appeal the regulator’s decision, which is the largest fine imposed in Spain to date for GDPR violations.
The GDPR’s first anniversary shows compliance is a challenge. The EU Commission has published two reviews marking the GDPR’s first anniversary. According to the first survey, more than two-thirds of Europeans have heard about the GDPR, but just half of them understand the subject of the regulations. The three most-exercised rights are opting-out of direct marketing (24%), accessing the personal data (18%) and correcting it when it is inaccurate (16%). Only one of six data subjects read privacy policies completely, but every other person has attempted to change the default privacy setting on their social network profile.
The second report examined organizations’ compliance with the GDPR. Some organizations indicated that the GDPR uses vague terms such as “high risk” to data subjects. Many organizations feel that the GDPR may adversely impact innovation, particularly due to the strict interpretation of the GDPR’s requirement for automated decision-making without human involvement. Another concern raised is that the high demand for Data Protection Officers (DPOs) compared with their limited availability in the market, pushes organizations to appoint insufficiently qualified DPOs.
This article was published in the Internet, Cyber and Copyright Group’s June 2019 Newsletter.