June Privacy Sum Up

News and events

  1. A USB stick with an entire Japanese city's data lost - Towards the end of June, a city worker in Amagasaki, Japan reported a USB stick and his briefcase missing following a night out with colleagues. An event like this might not seem awfully concerning at first glance; however, this particular memory stick contained personal data of all 460,000 Amagasaki citizens. The personal data on the device included names, birthdays, genders, addresses and the bank account numbers of families receiving welfare. Thankfully, the data on the device was encrypted as well as password protected, which has likely contributed to the lack of reports of data leaks from the device. Nonetheless, the embarrassing incident resulted in an immediate apology from the mayor and serves the rest of the world as a candid reminder of the importance of implementing security measures such as encryption, password protection and safe data transfer methods. Please find the full story here or here.
  2. Italy agrees Google Analytics is illegal - Italy is now the third European authority (after Austria and France) to determine that the use of Google Analytics is illegal, as user data is shared with the US, a country which at present does not match EU standards of data protection. The Garante conducted an investigation of a web publisher called Caffeina Media and found that the company's use of Google Analytics resulted in users' IP addresses, browser information, OS, screen resolution, language selection, plus the date and time of the site visit, being transferred to the US with no additional protection to match EU requirements. The company now has 90 days to resolve this issue, but it is important to interpret this decision in its wider sense: all businesses which use GA should revise their privacy policies while we await Google making the appropriate changes. Read more about it here.
  3. Problematic denial of access request in Spain - Max Schrems' organisation, NOYB, got involved in an appeal against the Spanish AEPD's decision to deny a customer access to their location data collected by their mobile carrier. Virgin Telco refused to give the customer the data they had asked for, arguing that only law enforcement could access such data during a criminal investigation. The Spanish authority sided with Virgin on this matter without providing any additional explanation, prompting NOYB to step in. According to Felix Mikolasch, a lawyer for the organisation, "the fundamental right to access is comprehensive and clear: users are entitled to know what data a company collects and processes about them - including location data. This is independent from the right of authorities to access such data. In this case, there is no relevant exception from the right to access." With a similar case having taken place in Austria, NOYB is showing growing concern about authorities issuing such decisions, which violate fundamental rights. Find NOYB's full story here.

Decisions

  1. Esselmann Technika Pojazdowa, Poland - The Polish DPA, UODO, fined Esselmann €3,500 after being notified by the District Police Chief of potential irregularities in relation to the company's processing of personal data. The resulting investigation revealed that the company had lost a certificate of employment of one of its staff, which contained their personal data. Moreover, the company admitted to not reporting the incident to the authorities within the required time frame, as it did not consider it to constitute a personal data breach. The UODO found this assessment to have no legal basis: apart from basic personal information such as the full name, surname, birthday and address of the employee, the certificate also contained data that may directly or indirectly reveal information about the person's personal life, legal problems and financial status, including the legal basis of termination or expiry of employment and information on remuneration. Full decision in Polish available here.
  2. SA Rossel & Cie, Belgium - The Belgian DPA, GBA, imposed a fine of €50,000 on the media company SA Rossel & Cie following the abundant findings of its investigation. The GBA concluded that Rossel & Cie had placed unnecessary cookies without the consent of website visitors. In its decision the authority notes that "cookies can only be placed without prior consent when they are (1) strictly necessary for the transmission of communication or (2) to provide a service that is explicitly requested by the user." Furthermore, statistical cookies were implemented without user consent, pre-ticked boxes were used to grant consent for partner cookies, retention periods were exceeded and the privacy policy contained false and inaccurate information. Finally, the company made it impossible to revoke consent. In addition to the fine, the company was given a period of 90 days to bring its practices in line with the GDPR. Summary of the decision available here.
  3. RADIO TELEVISIÓN MADRID, S.A. & CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A., Spain - The Spanish DPA has imposed fines of €30,000 each on RTM and CRTE following the publication of an audio recording of a rape victim's court testimony on their websites and on Twitter by these and several other news outlets. It is not uncommon for the fundamental right to privacy of one party to be somewhat limited by the right to freedom of information of another; however, in this case it was determined that the rape victim's right to privacy outweighed the controllers' freedom of information. The AEPD reasoned that the audio testimony did not add any significant value to the news reporting but did significantly violate the victim's privacy, and therefore the media outlets had violated the principle of data minimisation. The original fine of €50,000 was reduced to €30,000 due to voluntary payment and admission of guilt. Find the full decisions in Spanish here and here.
