August Privacy Sum Up

News

  1. The 25 Canadian companies that suffered a breach in the 12-month period ending in March paid an average of $7 million in recovery costs per incident. By comparison, the average across the 550 companies studied around the world was $5.5 million (all amounts in Canadian dollars). Canada once again recorded the third highest average cost of a data breach worldwide, after the United States and the Middle East region. There is slightly good news: Canadian firms in the study reported a drop in the average number of days it took to detect an attack: 160, compared to 164 days in the previous year’s study. Still, O’Regan called that number “disappointing.” The average time Canadian firms took to contain a data breach dropped to 48 days from 60 days in the previous year’s study. Read more here.
  2. The Polish DPA consistently takes the view that the copying of identity cards by financial institutions is lawful only where it is necessary as a security measure to prevent money laundering and terrorist financing. The Polish DPA's unchanged opinion is that this provision does not entitle financial institutions to copy a customer's ID card in every situation. The Polish DPA points out that banks, under Article 112b of the Banking Law, may process information contained in the identity documents of natural persons for the purposes of their banking activities. This means only that, on that basis, they have the right to process all personal data of customers which are included in the identity documents; it does not amount to a right to make copies of those documents. You can find the details here.
  3. The ICO publishes simplified guidance on UK Binding Corporate Rules. The ICO has published updated guidance on using UK Binding Corporate Rules as a data transfer mechanism. The new guidance aims to simplify the approach for controllers and processors, reducing the scope of the referential tables that organisations have had to complete and allowing organisations to combine their EU and UK BCRs into a single binding instrument. Find out the details here.

  4. Sensitive data ruling by Europe’s top court could force a broad privacy reboot. A ruling handed down yesterday by the European Union’s top court could have major implications for online platforms that use background tracking and profiling to target users with behavioural ads or to feed recommender engines designed to surface so-called ‘personalised’ content. The impacts could be even broader: privacy law experts suggest the judgement could dial up legal risk for a variety of other forms of online processing, from dating apps to location tracking and more. They also suggest fresh legal referrals are likely as operators seek to unpack the potentially complex practical difficulties arising from the judgement. You can read more here.

Decisions

  1. € 600 000 fine imposed on Accor for insufficient fulfilment of data subjects’ rights.

The French Data Protection Agency (FDPA) received complaints about the difficulties people encountered in exercising their rights with ACCOR, a French hotel group, and investigated whether the complaints were justified. It turned out that every guest who made a reservation on a website or directly with staff was automatically made a recipient of a newsletter, without being given any choice. The newsletter contained commercial offers from partners, and the box relating to consent to receive it was pre-ticked by default, whereas the law requires explicit consent. This infringes Art. 12, Art. 13, Art. 15, Art. 21 and Art. 32 GDPR. The Restricted Committee (the FDPA body responsible for pronouncing sanctions) consequently imposed a fine of 600,000 euros on ACCOR, which was made public.

Read more here.

  2. € 30 000 fine on Private Polyclinic and Diagnostic Centre of Pyle Axiou for non-compliance with general data processing principles.

The Authority rejected as unfounded the patient's complaint that the diagnostic centre complained of had breached the right of access, on the grounds that the personal data at issue had already become unlawfully unavailable at the time the right was exercised. Furthermore, in the context of its examination of the complaint, the Authority: (a) finds that the loss of availability of the disputed imaging test constitutes a violation of the principle of Article 5 para. 1(f) of the GDPR, due to the failure to take appropriate technical and organisational measures to ensure an appropriate level of security under Article 32 of the GDPR, and imposes an administrative fine on the diagnostic centre; (b) finds that the notification of the personal data breach to the Authority was made late, in violation of Article 33 of the GDPR, and issues a reprimand to the diagnostic centre pursuant to Article 58 para. 2(b) of the GDPR; and (c) issues an order to the diagnostic centre, pursuant to Article 58 para. 2(e) of the GDPR, to communicate the personal data breach to the affected data subjects in accordance with Article 34 of the GDPR.

  3. Adtech giant Criteo faces a $65M fine in France for GDPR consent breaches.

In the latest blow to the ‘tracking-ads’ complex, French adtech giant Criteo has been found in breach of European Union data protection regulation and hit with a €60 million sanction (~$65 million) by the country’s national privacy watchdog, in a decision following a multi-year investigation. Digital rights advocacy group Privacy International, which lodged a formal complaint against the adtech giant back in 2018, when the bloc’s General Data Protection Regulation (GDPR) came into application, tweeted news of the sanction today. Details can be found here.
