Unmasking the latest wave of privacy violations

Have you ever wondered why data protection is so important? Do you have an overview of the latest cases of data protection violations? Do you know what Complymate is and how it can help you keep an eye on the current data protection situation in your company? You can read all about it in this article!

Firstly, why is data protection so important? Ensuring data protection is crucial as it safeguards an organization's information from fraudulent activities, hacking, phishing, and identity theft. Any organization striving for optimal functionality must prioritize information safety through the implementation of a robust data protection plan.

With the continuous growth in the volume of stored and generated data, the significance of data protection becomes even more pronounced. The potential consequences of data breaches and cyberattacks can be severe. Hence, organizations must take a proactive approach to safeguarding their data, consistently updating and enhancing protective measures.

Recently, there have been several cases of data protection violations all over the world. For example, in 2023 Ida-Tallinn Central Hospital was fined 200,000 euros because the patients' medical records had been left in an unattended construction container, where the Data Protection Inspectorate’s officer found them by chance. Since the patients' data was on paper, the court debated whether the GDPR applies only to digital data in an organized database or to paper data as well. Although the court overturned the fine, the case itself still shows how easily GDPR violations can occur and how they could have been avoided. (Postimees, 2023)

In November 2023 the database of Asper Biogene, a Tartu-based genetic testing company, came under a cyber attack. Hackers downloaded 10,000 people's health data, including paternity and genetic disease tests, and some of it is easy to understand and directly linked to a specific person. Some of the files contained the results of genetic tests that health care providers and individuals had ordered from the company. The attack was successful because Asper Biogene stored people's health data together with their names and personal identification numbers. This is the largest data leak so far, taking into account the number of affected persons. (ERR, 2023)

In May 2023 the French SA fined the website Doctissimo. Based on a complaint by Privacy International, the CNIL conducted four investigations into the website Doctissimo. The website offers articles, tests, quizzes and discussion forums mainly related to health and well-being to the general public. During the investigation, the CNIL noticed several violations, in particular regarding the duration of data storage, the collection of health data through online tests, the security of data and the way in which cookies are stored on the user's terminal. (European Data Protection Board, 2023)

Last year Clearview AI, a US-based facial recognition company, received a fine of 20 million euros in Italy. The Italian SA initiated the proceedings on its own initiative following reports in the press about a number of problems related to facial recognition systems provided by Clearview AI Inc. During the investigation, the Italian SA discovered several violations. Personal data held by the company, including biometric and geo-location information, was unlawfully processed without an appropriate legal basis, as a US-based company's legitimate interest does not qualify as such. In addition, the company violated several GDPR principles such as transparency, purpose limitation and storage limitation; it failed to provide the information set out in Articles 13-14, failed to provide timely information on actions taken on the basis of an Article 15 request, and failed to appoint a representative in the EU. (European Data Protection Board, 2023)

These incidents could have been avoided. Today, there are several IT solutions to help you comply with GDPR. Do you know any such solutions? We can suggest one!

At TalTech Legal Lab, we are developing a GDPR compliance tool called Complymate. The solution is intended for any organization that needs to comply with GDPR obligations. Complymate aims to be a functional tool that helps every company and institution to conveniently meet GDPR requirements. With our solution, the organization has an overview of the state of data protection and what needs to be done to be compliant. Complymate also has a website which can be found here: https://bit.ly/Complymate. If you are interested in the solution, let us know and let’s schedule a demo! You can write to us here on LinkedIn or send an email to the following address: [email protected].


Here you can find links to the sources referenced in the article:

Postimees: https://majandus.postimees.ee/7807529/ida-tallinna-keskhaigla-kaib-inspektsiooniga-patsientide-andmete-eest-tehtud-200-000-eurose-trahvi-parast-kohut, https://www.postimees.ee/7846258/kohus-tuhistas-haiglale-isikuandmete-hooletu-kaitlemise-eest-moistetud-hiigeltrahvi;

ERR: https://www.err.ee/1609194367/geenitestimise-ettevottest-asper-biogene-lekkisid-andmed;

European Data Protection Board: https://edpb.europa.eu/news/national-news/2023/health-data-and-use-cookies-french-sa-fines-doctissimo_en, https://edpb.europa.eu/news/national-news/2022/facial-recognition-italian-sa-fines-clearview-ai-eur-20-million_en.
