GDPR

  • US firm fined by Dutch for illegal facial recognition data gathering

    The Dutch Autoriteit Persoonsgegevens (Personal Data Protection Authority) has announced today that it has imposed a fine of €30.5 mn. on the US company Clearview AI, as well as a non-compliance penalty in excess of €5 mn.

    Clearview is an American company that offers facial recognition services and which has, inter alia, built up an illegal database with billions of photos of faces, including those of Dutch citizens. Furthermore, the authority has warned that using the services of Clearview is also prohibited.

    Clearview offers facial recognition services to intelligence and investigative services. Moreover, Clearview customers can provide camera images to find out the identity of people shown in the images. To this end, Clearview has a database with more than 30 billion photos of people, which it has scraped automatically from the internet and then converted into a unique biometric code per face, all without the knowledge and consent of its victims.

    According to the authority’s chair Aleid Wolfsen, “Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world. If there is a photo of you on the internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China. This really shouldn’t go any further. We have to draw a very clear line at incorrect use of this sort of technology.”

    Clearview says that it provides services to intelligence and investigative services outside the European Union (EU) only.

    Clearview’s services illegal and in breach of the GDPR

    Clearview has seriously violated the privacy law General Data Protection Regulation (GDPR) on several points: the company should never have built the database and is insufficiently transparent. It should never have built the database with photos, the unique biometric codes and other information linked to them. This especially applies to the codes. Like fingerprints, these are biometric data. Collecting and using them is prohibited. There are some statutory exceptions to this prohibition, but Clearview cannot rely on them.

    Clearview is an American company without an established presence in Europe. Other data protection authorities have already fined Clearview on various earlier occasions, but the company has not changed its conduct. For this reason the Dutch regulator is investigating ways to ensure the violations stop, including whether the company’s directors can be held personally liable for data protection violations.

    Wolfsen: ‘Such [a] company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations. That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.’

    Clearview has not objected to the decision and is therefore unable to appeal against the fine.

  • Facebook’s parent company fined €1.2 bn. for GDPR breach

    Meta, the parent company of social media platform Facebook, has been fined a record €1.2 bn. by Ireland’s Data Protection Commission (DPC) in relation to breaches of the European Union’s General Data Protection Regulation (GDPR) in respect of user data transfers from the EU to the USA, Irish broadcaster RTE reports.

    The company has been given five months to implement changes to such data transfers.

    The DPC said Meta had infringed the GDPR by continuing to transfer EU user data to the US despite a ruling by the European court of justice requiring strong protection of such information, adding that the data transferred by Facebook under a measure called standard contractual clauses “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [European Court of Justice] in its judgment”.

    Meta has said it will appeal the decision, as well as commenting that it was disappointed to have been singled out when using the same legal mechanisms as thousands of other companies providing services in Europe.

    The EU and the USA have agreed a new data transfer framework which is expected to be in place later this year.

    This is the largest ever fine levied in the EU for a privacy breach. The previous record penalty of €746 mn was imposed on Amazon in 2021.

  • Czech government using open source web analytics

    Joinup, the EU’s open source news site, reports that the Czech Republic is to begin using the Matomo open source web analytics tool on the Czech citizen portal and gov.cz websites, where it will replace Google Analytics.

    This change will ensure that the data collected by the sites will stay within the EU and, as the Czech administration will be using its own instance of Matomo, it will retain full control of the records.

    The change was triggered by an open letter sent by the Czech digital freedom watchdog Iuridicum Remedium after it noticed the Czech state vaccination system website was using Google Analytics during the COVID-19 crisis. The Czech Data Protection Authority and public sector strategic partner NAKIT then pursued the matter and replaced Google Analytics with Matomo on Czechia’s Ministry of Health website. This move later led to further action and the country will continue following this trend on public sector websites.

    Previously named Piwik, Matomo has been in development since 2007 and is presently deployed on 1.4 million websites, including those of NASA, the European Commission, the United Nations and Amnesty International.

    The Czech decision to choose Matomo follows those of other European countries seeking to keep control of their citizens’ data. Last year the French and Austrian data protection authorities determined that Google Analytics was not compliant with EU data privacy standards, in particular because Google’s data transfers to the United States are contrary to the EU’s General Data Protection Regulation (GDPR).

  • Another data protection fine for Meta

    After a record fine of €390 mn. at the start of January, the Irish Data Protection Commission is imposing a further fine of €5.5 mn. on Meta, this time for WhatsApp’s policy with regard to personal data under the GDPR, Le Monde Informatique reports.

    Ireland has been welcoming (in tax terms) to American IT companies, but is proving to be a very sensitive area for implementation of the GDPR. Meta has just experienced this once again with a fine of €5.5 mn. imposed by Ireland’s Data Protection Commissioner. This is the social network’s second fine in less than a month; on 4 January the same commission announced a record fine of €390 mn. on the personal data processing policy of Facebook and Instagram (posts passim).

    In this instance it’s WhatsApp’s policy that is being censured following a complaint filed on 25 May 2018 – the date the GDPR entered into effect – by a German user. After this date the messaging service updated its general conditions of use and informed its users they had to click on “accept and continue” to indicate their consent. If they did not reply, they no longer had access to the service. As in the decision of 4th January, WhatsApp maintains that its data processing policy must be regarded as a “contract” within the meaning of the GDPR (Article 6.1) concluded between the company and the user.

    EDPB lays it on thick

    The Irish Data Protection Commission investigated and drew up a draft decision which was submitted to the other European regulators involved in this case. It proposed not imposing additional financial penalties. WhatsApp had already been fined €225 mn. in September 2021 for similar actions. However, the DPC pleaded for recognition of the contractual and thus legal nature of WhatsApp’s personal data policy – a position which caused an outcry from other data protection regulators.

    The DPC approached the EDPB for a decision. It dismissed the legal basis of the contract and added an additional infringement of the transparency obligation. As a consequence, the Irish DPC is adding €5.5 mn. to the fine imposed on Meta, WhatsApp’s parent company.

  • Meta falls foul of GDPR

    Le Monde Informatique reports that Meta, the conglomerate that owns both Facebook and Instagram, has been fined a total of €390 mn. for breaches of the EU’s General Data Protection Regulation (GDPR) in respect of both platforms’ personal data processing policy.

    It has been a bad start to the year for Meta, which has just been notified of a fine of €390 mn. by the Irish Data Protection Commission (DPC). The regulator is penalising the actions of Meta’s 2 subsidiaries, Facebook to the tune of €210 mn. and Instagram €180 mn. This decision concludes a case which started on 25 May 2018 (the date the GDPR entered into effect) after 2 complaints had been filed – one by well-known Austrian privacy campaigner Max Schrems and the other by a Belgian citizen.

    In this case Meta Ireland changed its general terms and conditions before the date of entry into effect of the GDPR, in particular “the legal basis on which it relied to legitimise its processing of users’ personal data (including behavioural advertising)”. To adopt this new policy, existing and recent Facebook and Instagram users were asked to click on the “I Accept” button on pain of no longer being able to access the platforms’ services. The questions then arose as to whether users had been forced to give their consent and if the “contract” concluded between Meta and its users conformed to Article 6 of the GDPR.

    A fine increased by the EDPB

    The debate was long and heated, including at European regulator level. As a matter of fact, the Irish DPC’s analysis did not meet with agreement from other European data protection authorities. For example, it considered the aspect of “forced consent” could not be upheld. Many authorities likewise thought the original Irish financial penalties too lenient. The European Data Protection Board (EDPB) was contacted to settle the matter and gave its decision on 5th December. It judged that “Meta Ireland was not entitled to invoke the legal basis of the ‘contract’ as a legal basis for its personal data processing for behavioural advertising purposes”.

    It also demanded the fines proposed by the Irish regulator be raised. This is the second fine imposed on Meta in recent months by the DPC. Last November the American company was fined €275 mn. for so-called data scraping. In both cases, Meta still has the possibility of challenging the regulator’s decisions before the European judicial authorities.

    Facebook and Instagram have now been given three months to bring their terms and conditions into line with the GDPR.

  • Prying Google is not your friend

    The Irish Council for Civil Liberties (ICCL) is pointing its finger at Google for spying on users, French IT news website Le Monde Informatique reports. A real-time bidding (RTB) system which is actively used by the company enables it to follow and share what everyone is looking at or doing online and note down this activity’s location. RTB is the technology underpinning all online advertising and it relies on sharing of personal information without user consent, according to the ICCL.

    Google’s troubles are far from over. Widely singled out for its actions in terms of the use of personal data, the company is now in the spotlight for its tracking and advertising targeting activity. A report (PDF) published by the ICCL on 16 May accuses the search giant of an unprecedented data breach. The report sheds light on the RTB system, which works in the background on websites and in applications. “It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you,” the report states.

    The ICCL report claims it presents the scale of this data breach for the first time.

    This data breach takes place throughout the world. The RTB system “tracks and shares what users are viewing online with their location in real time 294 bn. times in the USA and 197 bn. times in Europe each day”, it states. On average a person in the USA has their online activity and location tracked 747 times a day by those using RTB. In Europe, RTB exposes personal data 376 times a day. In Germany alone, Google sends 19.6 million broadcasts about German Internet users’ online behaviour every minute that they are online. “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data”. It is a high-earning business generating more than $117 bn. in the USA and Europe in 2021.

    (Image: maps of Europe and the USA showing billions of daily Google RTB broadcasts)

    Advertising is an indispensable condition of this system as the majority of advertising on websites and in applications is placed there using RTB. Advertisers spend $100 bn. annually in the USA and Europe. The RTB market’s estimated value was $91 bn. in the USA in 2021 and €23 bn. in Europe in 2019. The report therefore highlights that Americans’ online activity and their locations are exposed 57% more frequently than those of users in Europe.

    Google is one of the five largest users of this real-time bidding system. No fewer than 4,698 US companies are authorised by Google to receive RTB data on people, whilst in Europe the number drops to 1,058 companies. More specifically, the data collected by Google, like what people are looking at online or doing with an application and their ‘hyperlocal’ geographical location, is broadcast 42 bn. times per day in Europe and 31 bn. times daily in the USA.

    The ICCL is working to end the RTB data breach in Europe and has litigation ongoing in three European courts, as follows:

  • Research reveals websites collecting information without consent

    Today’s Journal du Geek reports that some unscrupulous websites do not bother waiting for the Submit button when visitors are filling in a form.

    If you have ever started filling in a web form and then changed your mind, your data has doubtless been sucked up by an unscrupulous website. In a recent study carried out by researchers from 3 European universities, which will be presented at the Usenix Security conference in August, we learn that some platforms are capable of spying on every character typed on a keyboard.

    By analysing 2.8 mn. webpages on the world’s 100,000 most visited websites, the research’s assessment is definitive: when a web form is completed from Europe, nearly 2,000 of those sites are capable of collecting the user’s email address before that user has clicked the Send button. One of the joint authors, Güneş Acar of Radboud University in Nijmegen, states: “We were very surprised by the results. We thought we might find a few hundred sites where your email address is collected before you send it, but the result far exceeded our expectations”.

    However, the situation in Europe remains better than that in the United States. Whereas the old continent recorded “only” 1,844 cases of abusive data sucking, the same request, when sent from the United States, triggered 60% more instances, for a total of 2,950 cases, a difference which can be explained in particular by the presence in Europe of the GDPR, which since 2018 has obliged platforms to obtain users’ consent before collecting data.

    How do websites record one’s data without consent?

    In practice, the majority of sites that collect data before submission forward email addresses (encrypted or unencrypted) to third party sites, generally specialist advertising companies, which collect the data to serve up personalised advertising (aka corporate graffiti. Ed.). In some less frequent instances a keylogger is used so that the keystrokes made can be recorded directly.

    In Europe, the matter is even more sensitive since a good number of major sites, including Facebook owner Meta and TikTok, were amongst the sites tested.

  • Track & trace ‘partner’ sent 84,000 nuisance emails

    The Information Commissioner’s Office (ICO) has today reported it has fined a Hertfordshire company for sending direct marketing emails to people who provided their personal data for contact tracing purposes as part of the response to the coronavirus pandemic.

    St Albans-based Tested.me Ltd (TML) provides digital contact tracing services which work by offering people a QR code to scan when arriving at their destination.

    TML sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to comply with government contact tracing rules.

    The ICO fined TML £8,000 for using personal data for marketing purposes without adequate valid consent, contrary to law.

    The ICO has created guidelines for businesses to follow as the UK economy continues to open up. Providers should:

    • Adopt a data protection by design approach (DPBD) from the start when they develop new products;
    • Make privacy policies clear and simple so that people understand how their information will be handled;
    • Not keep any personal data they have collected for more than 21 days – in line with regulations brought in last year for the collection of information for contact tracing;
    • Not use the personal data for marketing or any other purpose;
    • Keep up to date with the ICO’s online guidance.

  • Exclusive: Bristol Post changes name to Manchester Evening News

    It’s official: the Bristol Post (or is it BristolLive? Ed.) is changing its name to the Manchester Evening News.

    And the revelation comes in a piece from no less a personage than Mike Norton, the title’s editor in chief himself, and is hidden away in the details about the implications of the General Data Protection Regulation (GDPR).

    The relevant section is outlined in red in the image below. Click on the image for the full-sized version.

    The relevant sentence reads: “However, the GDPR is not just related to emails. It affects every industry, business, including publishing and therefore ours here at manchestereveningnews.co.uk”

    Whether production of the Post will be moved up north from the Temple Way Ministry of Truth is not mentioned.

    Is Mike Norton guilty of copying and pasting without checking the actual wording?

    In Private Eye’s immortal words: we should be told! 🙂