France will impose digital tax, regardless of international levy

France will impose digital tax regardless of whether the rest of the world proceeds with a deal on an international levy, according to this article by Euractiv.

France will impose a digital tax on corporate giant tech companies. According to Finance Economics Minister, Bruno le Maire, large tech companies like Amazon and Google have largely and disproportionately profited from the ease of doing business online during the COVID-19 pandemic and amid social distancing protocol and practices, and the French, like many other EU nations, feel that they must do something in order to stimulate their local economy in what is expected to be their upcoming deep recession.

Washington may fight back on digital tax

There has been a big pushback on the implementation of a digital tax, which would largely affect digital corporate giants like Google, which records an annual global revenue of over $160 billion (over 145 billion Euros). Washington, considering that many of these tech giants are US based, has threatened to fight back with their own trade tariffs, also claiming that France unfairly targets US digital companies.

Many EU nations are moving forward with digital tax implementation despite setbacks

While digital tax implementation at a uniformed rate across European nations arms to be a long time coming, France is not alone in wanting to move forward with its implementation. Countries like Italy, Britain and Spain either have already implemented digital tax or plan on doing so in the near future. However due to opposition from countries like Ireland, progress towards an EU wide digital tax seems to be stalled at the moment. In other nations, like the Czech Republic for example, Finance Minister Alena Schillerova has said that she may actually delay the implementation of a digital tax until next year and lower the rate, from the currently proposed 7% to 5%.

France will impose digital tax, whether or not international tax is implemented.

According to Euractiv, “Nearly 140 countries from the Organisation for Economic Cooperation and Development (OECD) are negotiating the first major rewriting of tax rules in more than a generation, to take better account of the rise of big tech companies such as Amazon, Facebook, Apple and Google that often book profit in low-tax countries.”

“Never has a digital tax been more legitimate and more necessary,” Finance Minister Bruno Le Maire told journalists on a conference call on May 13th. “In any case, France will apply as it has always indicated a tax on digital giants in 2020 either in an international form if there is a deal or in a national form if there is no deal.” Initially, in January, the government of France had offered to suspend its current digital tax on tech companies until the end of 2020, while an international tax deal was being negotiated. However, due to the circumstances surrounding the coronavirus outbreak, things have changed, with finance ministries more focused now than ever before, on saving their local economies.

EU seeks a better managed digital space, including digital tax.

Considering what seems to be an integration of the US and EU economies with the digital sphere, the European Union has sought to introduce regulation to achieve a level playing field and protect both European consumers and businesses in this new digital world. With legislation like the GDPR controlling the flow of information across borders and protecting consumer data, many legislative authorities do believe that a digital tax is the absolutely necessary next step. As digital corporate giants, like Amazon and Google with little to no physical presence in Europe have largely escaped what many would consider fair taxation, as a result of their predominantly online operational presence, governments across the EU believe that it is time to restructure and level the playing field. While there are many initiatives which are more focused on investment and education, there is a push now from legislators to enforce digital tax, particularly with the current need for income and to stimulate local economies impacted by the effects of COVID-19. Ultimately, the result of this will be a more managed digital space where online companies are not benefiting from a disproportionate advantage.

Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Healthcare Committee Data Breach

Healthcare Committee Data Breach in Örebro County, Sweden.

Healthcare Committee Data Breach in Örebro County, Sweden after sensitive personal data of a patient was published on the region’s website.


A healthcare committee data breach was uncovered after complaints were filed with the Swedish Data Protection Authority (DPA), concerning the publication of a patient’s personal data on the region’s website. According to an article by the European Data Protection Board, the complaints were concerning a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region’s website. The Swedish DPA found that the region’s website published sensitive data wrongfully, with neither legitimate purpose nor legal basis, nor eligibility for exemption from the proscription of handling sensitive personal data under the General Data Protection Regulation (GDPR). As a result, the DPA has fined the Committee and ordered some changes to ensure compliance moving forward.


Swedish DPA audit uncovers lack of written instructions for publishing, increasing risk of a data breach.


The Swedish DPA performed an audit after receiving a complaint about the data breach in question and discovered that there were no written instructions in place for the publication of information on the Committee’s website. The Committee had depended solely on oral communication for passing on instructions for publication. The publication of this patient’s personal data was the result of those instructions not being followed. While it was accidental, the publication of that personal data was the result of insufficient organisational measures to ensure protection of personal data.


Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action. 


The Swedish DPA has ordered the Committee to establish written instructions and to institute measures to ensure compliance with those instructions for those who are tasked with publishing data on their website. In addition to ordering the Committee to bring its handling of personal data into full compliance under the GDPR, the DPA has also ordered the payment of a 120,000 Swedish kronor administrative fine (approximately 11,000 Euro). The published document resulting in the data breach has since been removed from the region’s website. 


What should have the Healthcare Committee done in order to avoid the breach?


-Have in place an adequate internal data protection policy providing written and clear instructions about how to process and secure the personal data held by the Committee. 

Pursuant to Article 24 GDPR “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

-Deliver relevant training to the employees. When it comes to reducing the risk of data breaches, it is paramount to train the staff so that they understand the new processes you have put in place and also the data protection rules behind them.

Why are the measures above especially important in this case?

The data compromised involves health information, which is a special category of personal data, therefore additional safeguards should apply, plus the bases for processing it are limited to some specific scenarios. However, it should be noted that the breach would have taken place even if the personal data published in their website was not sensitive, because there was no legitimate basis to make the information public.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EasyJet Customers Hacked

Approximately Nine Million EasyJet Customers Hacked

EasyJet reveals that some nine million of its customers have been affected by a “highly sophisticated cyber-attack” 


Nine million EasyJet customers have been hacked according to  a recent BBC news article. In January this year EasyJet became aware of a cyber attack which had affected millions of its customers and  is now, based on the advice of the ICO—coming public in order to minimize potential phishing attempts. So far it has been noted that email addresses and travel details have been stolen and that 2,208 customers also had their credit card details accessed.


Although investigations are still underway, EasyJet reportedly told the BBC that it was only able to notify customers whose credit card details were stolen in early April.


“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.” The BBC article quotes EasyJet. 


At present, EasyJet has found no evidence that any personal information has been misused, although the ICO is investigating the breach and may take action accordingly. One should note that, regardless how the attackers use the personal data compromised in a breach, the risk to the rights and freedoms of the data subjects involved plays a key role when assessing the consequences of the incident and deciding the measures that should be implemented


What should be the response from EasyJet upon the breach?


The steps that should be taken upon a breach with the aim of reducing the impact of the potential harm are the following: 

  • Apply any necessary measures to contain the breach where possible.
  • Inform the DPO.
  • Assess the risk of the breach and identify relevant elements such as categories of data and data subjects affected plus remedial actions considered or taken.
  • Report the incident if necessary:
    • The ICO should have been notified within 72 hours after having become aware of the breach, unless it was unlikely to result in a risk to the rights and freedoms of natural persons.
    • The customers should be notified unless EasyJet has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. This is not the case because travel and credit cards details were involved, which may comprise sensitive data and address to further attacks such as phising. For example, under the current global health emergency, travel details may involve information about the customer testing positive for COVID-19.
  • Evaluate the response and recovery to prevent future breaches.


It should also be noted that the reason why most data breaches take place is human error, therefore providing training to the employees is paramount.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

New facial recognition bill

New facial recognition bill passed in Washington state.

New facial recognition bill passed in Washington state, constraining government use of facial recognition. What does the future hold for this technology in Europe and abroad?


A new facial recognition bill passed in Washington state recently will require public agencies to frequently report on their use of the technology and have it tested for fairness and accuracy. Law enforcement may use the technology, but must first obtain a warrant, except in cases of emergency. With this new facial recognition bill, any public agencies which use facial recognition technology to make decisions which may have legal repercussions must ensure that the results are tested by a human. This includes any testing that may have ramifications for someone’s ’s job, financial services, housing, insurance, and education.


Washington state’s new facial recognition bill also establishes a task force to study the use of facial recognition technology by government agencies. As civil rights groups and researchers claim that facial recognition can amplify human biases, American Civil Liberties Union (ACLU) is calling for a delay on the implementation of facial recognition by both local and federal government agencies. ACLU and MIT conducted studies of Amazon’s facial recognition software (Rekognition), which showed that the technology misidentifies women and people of color, more frequently than it does white men. While Amazon responded saying that the methodology of those studies was flawed, Amazon CEO, Jeff Bezos has deemed facial recognition “a perfect example of where regulation is needed.” Washington state is home to both Microsoft and Amazon, two of the largest US companies developing facial recognition software. Leaders at both companies have urged lawmakers to create new rules for facial recognition technology, which was, for the most part, unregulated.


The GDPR gives everyone the right to object to profiling, including biometric profiling like facial recognition, and also requires companies to conduct data protection impact assessments before systematically monitoring a publicly accessible area. Pursuant to Article 35 of the GDPR, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. For this reason, the EU has been considering a temporary ban on the use of facial recognition software.


Recently, on our vlog, we explored the ramifications of the use of facial recognition in public spaces. You can take a look at it right here, and also subscribe to our Youtube channel for more updates.



Does your company utilize biometric data such as fingerprinting, voice printing and facial recognition? If yes, failure to adhere fully to the guidelines and rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, EU AI Ethics assessments and Data Protection Officer outsourcing. Contact us today.