April Privacy Sum Up

News and Events

  1. Elon Musk Twitter Takeover - On April 25th Twitter accepted Elon Musk’s 44 billion dollar purchase offer. Musk was already the biggest shareholder in the company, and was reportedly offered a seat on the board. However, he opted to make Twitter a private company instead, as he believes this will make it easier to make improvements to the platform. Musk, a self-declared free speech absolutist, has said that “free speech is the bedrock of a functioning democracy” and that Twitter is “the digital town square where matters vital to the future of humanity are debated.” He has previously spoken out about the issues with blocking controversial accounts on the platform. Regulators, on the other hand, have expressed concerns over the spread of misinformation or hate speech that would ensue if content were not moderated, especially seeing as about 70% of Twitter users get their daily news from the platform, making it a generally well-trusted source. From a privacy perspective, it will be very interesting to see where exactly Twitter’s new owner will draw the line on free speech in order to comply with international regulations. The EU commissioner for the internal market has already warned Elon Musk that non-compliance with the EU’s moderation regulations would result in sanctions of up to 6% of revenue, or even a ban from operating in Europe. Please find several articles on the topic here, here or here.
  2. Facebook doesn't know where data goes? - A leaked Facebook document highlights the concern of many regulators - namely, where does user data go and how exactly is it used? The GDPR pushes for increased transparency, and it is precisely this that Facebook is not able to provide. “This document admits what we long suspected: that there is a data free-for-all inside Facebook, and that the company has no control whatsoever over the data it holds,” says Johnny Ryan, a privacy activist and senior fellow at the Irish Council for Civil Liberties. The issues that Facebook will face in complying with the GDPR may not have a simple fix. For example, if a user requests to find out what their data is being collected for, it is not simply a matter of Facebook going back and retrieving this information; it will not be possible for the company to check this at all. While the content of the document clearly showcases how it is impossible for Facebook to comply with certain privacy regulations, a spokesperson recently denied this and argued the document simply lacks context. Please read the full story here.

Decisions

  1. Dutch Tax and Customs Administration - April saw the highest fine yet handed out by the Dutch authority (AP), at € 3.7 million, to the Dutch Tax and Customs Administration. The violations concerned a problematic list maintained to record potential indications of fraud, containing unlawfully and disproportionately processed personal data of over 270 000 adults and minors. In the course of the investigation, the AP found the list to be unnecessary for the performance of the institution’s function. Perhaps the most problematic aspects of this list were that it contained mistaken information and that discriminatory practices were used to maintain it. The AP found that the risk of fraud was often assessed based on the physical appearance or nationality of the person, leading to many people being falsely suspected of fraud. Furthermore, the administration did not use sufficient technical and organisational measures to ensure the security of the data on the list, and the data was stored for longer than necessary, violating the principle of storage limitation. Please find the publication in Dutch here.
  2. Danske Bank - The largest Danish bank was fined € 1.3 million last month due to issues with data deletion. The Danish authority, Datatilsynet, found in its investigation that personal data of customers was being stored for longer than necessary and was not being deleted in a timely manner from the bank's over 400 IT systems. The bank claims there had been efforts to implement appropriate deletion mechanisms for several years and that the functionality of the systems was being improved in stages. However, the regulator was not notified of such plans and the bank could not prove that it had any rules for data deletion, thus Datatilsynet found this to be a breach of the GDPR. Additionally, the authority recommended that the national police impose a fine of their own, so perhaps this is not the end yet for the penalties on the controversial bank. Please read more on the topic here.
  3. Dedalus Biologie - A recent decision of the French regulator, CNIL, imposed a fine of € 1.5 million on DEDALUS BIOLOGIE, a supplier of software solutions to medical analysis laboratories. The data leak, which revealed data of over 500 000 data subjects, was attributed for the most part to a lack of appropriate security measures. The investigation found several examples of security issues, such as a lack of encryption of personal data stored on the server, no deletion of data after migration to another server, and no procedure for monitoring and reporting security alerts, amongst others that can be found on the CNIL website. Several aggravating factors influenced the calculation of the fine. The seriousness of the breach was considered, as it involved sensitive data including medical data, which requires additional care under the GDPR. The large number of data subjects involved also played a role in the calculation of the fine, as did the revenue of the company.
