CLEARVIEW AI ordered to delete photos by French DPA, the CNIL

CLEARVIEW AI has been ordered to delete photos by the French DPA after an investigation revealed the unlawful collection and processing of photos from the Internet.


CLEARVIEW AI and the facial recognition software the company produces were first reported to the CNIL in May 2020. This led to an investigation which uncovered two GDPR infractions: the unlawful processing of personal data, and insufficient consideration of the rights of individuals, particularly their right to request access to their data. As a result, the CNIL has ordered CLEARVIEW AI to cease the collection and use of data from people on French territory without a legal basis, and to facilitate access to data by data subjects. In addition, CLEARVIEW AI was ordered to comply with requests to have data erased. The CNIL has given the company two months to comply with the requests set out in its formal notice.


CLEARVIEW AI developed a facial recognition system which uses a database of photos that the company had neither consent nor a legal basis to process.


CLEARVIEW AI developed facial recognition software whose database is built from photographs and videos extracted from publicly accessible media on the internet. The company does not obtain the consent of the data subjects whose photos are used to feed its software, and there is no other legal basis for the processing of this personal data. As a result, the company was found to be in breach of Article 6 of the GDPR. The collection of data on tens of millions of individuals on French territory without a legitimate interest is also considered particularly intrusive.


“It should be noted that the fact that personal data is publicly available does not mean that it can be freely used. The GDPR applies to publicly available personal data as well, therefore a basis of Article 6 is required in order to process it lawfully. If this basis is legitimate interest, a Legitimate Interest Assessment needs to be performed,” comments Cristina Contero Almagro, Partner at Aphaia.

The CNIL also found CLEARVIEW AI in breach of Articles 12, 15 and 17 of the GDPR, as individuals had difficulty exercising their rights with the company.


The many complaints received by the CNIL pointed to individuals’ rights being infringed upon by CLEARVIEW AI, particularly the right of access for data subjects and the right to erasure. The company was found to have limited the exercise of the right of access to data collected during the 12-month period preceding the request. In addition, individuals were only allowed by CLEARVIEW AI to exercise this right twice a year, without justification. The company was found to respond to certain requests only after an excessive number of requests from the same person. When requests were made to exercise the right to erasure, it was reported that the company either did not respond at all or provided incomplete responses. CLEARVIEW AI has since been put on notice by the CNIL to come into compliance, cease unlawful processing and delete all data processed unlawfully within a two-month period.


Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Poor personal data security by Dutch airline leads to a fine

Poor personal data security leads to a fine from the Dutch DPA, after security flaws cause a major hack.


An airline has recently been hit with a €400,000 fine from the Dutch DPA following a major hack attributable to poor data security. The airline, Transavia, suffered a compromise of two accounts in the company’s IT department, giving the hacker potential access to the personal data of over 25 million passengers. An assessment has since revealed that the personal data of 83,000 passengers was actually downloaded by the hackers.


Three security flaws made the company easy to hack.


Hackers were able to download the personal information of 83,000 passengers from this airline’s database. This was made very easy by three security flaws. The first was the use of very simple passwords which were evidently easy to guess. Second, there was no multi-factor authentication in place, meaning that a single password was all that was needed to access those accounts. Third, compounding the situation, the access rights for these two accounts were not limited to what was necessary, making several of the company’s systems available to the hackers once they had gained access to those two accounts.


This situation has been taken very seriously and highlights the importance of maintaining robust security systems and measures. In this case, the hacker was able to access the personal data of millions simply by breaking into the system with a very simple password. One of those passwords has for years been at the top of the list of most-used passwords, alongside examples such as “123456”, “Welcome” and “password”.


The personal data of 83,000 people was downloaded, including health data of 367 people.


Once the hacker gained access to those two accounts in Transavia’s IT department, they gained access to the personal data of 25 million people, which included their names, dates of birth, gender, email addresses, telephone numbers, flight information and booking numbers. The information actually downloaded related to 83,000 people, including a list of passenger data from 2015 containing names, dates of birth and flight information. The data also included the health information of 367 people who had needed to request special assistance, such as wheelchairs, due to health issues.


The Dutch DPA has reported an uptrend in data theft in recent times.

The data breach which led to this international investigation was but one of numerous attacks recorded in recent years. From September to November 2019, these hackers had access to Transavia’s accounts and were stealing personal information. In 2020, the Dutch DPA recorded a 30% increase in the number of hacks reported, the majority of them with the aim of stealing data. The authority has advised that data theft can be avoided by improving security measures.



Proposed Digital Markets Act to be enforced by the EU Commission

Proposed Digital Markets Act will be enforced exclusively by the European Commission, but what does it entail?


EU representatives have officially agreed that the European Commission will be the enforcer of the Digital Markets Act, which is set to be ratified on November 25 as part of the bloc’s common position ahead of negotiations with EU lawmakers. The Digital Markets Act, or DMA, was proposed last year by EU antitrust chief Margrethe Vestager, and aims to prevent large companies from abusing their market power and to allow new players to enter the market. The proposed legislation specifically targets online gatekeepers (companies that control data and access to their platforms) with a list of dos and don’ts, to achieve the goal of curbing any possible abuse of power within online markets.


The Digital Markets Act is designed to ensure fair and open digital markets.


The DMA establishes a set of narrowly defined, objective criteria for qualifying a large online platform as a “gatekeeper”, and specifically targets these platforms. They are defined by their strong economic position, significant impact on the internal market, strong intermediation position, durable position in the market, and/or solid presence in multiple EU countries. This is expected to benefit consumers by giving them better access to a range of services to choose from, more choice leading to opportunities to switch provider, direct access to services, and more reasonable prices. In addition, it will give smaller companies the opportunity to be competitive in online markets.


The act consists of various dos and don’ts which will be monitored by the European Commission.


The act consists of various dos and don’ts which will be monitored by the European Commission to ensure that gatekeepers do not have an unfair advantage. These gatekeepers will still be allowed to innovate and offer new services, but they will not be allowed to gain an undue advantage. Under the DMA, companies will still be able to allow their business users to access the data that they generate while using the gatekeeper’s platform. Gatekeepers will also continue to be able to allow third parties to interoperate with the gatekeeper’s own services in certain specific situations. These companies will still be allowed to provide advertising for companies on their platform, with the tools and information necessary for advertisers and publishers to carry out their own independent verification of the advertisements they host with the gatekeeper. They will also still be able to allow their business users to promote their offers and conclude contracts with their customers outside the gatekeeper’s platform.


There are some things, however, which will not be allowed under the Digital Markets Act. Gatekeeper companies will not under any circumstances be allowed to rank their own services and products more favourably than similar services or products offered by third parties on the gatekeeper’s platform. Preventing consumers from linking up to businesses outside their platforms will also be disallowed. These companies are also not allowed to prevent users from uninstalling any pre-installed software or app if they so wish. Failure to comply with these rules may result in penalties of up to 10% of their annual worldwide turnover, or periodic payments of 5% of their daily turnover.


The European Commission, as the exclusive enforcer of the DMA, will be responsible for carrying out market investigations.


The European Commission, as the exclusive enforcer of the DMA, will be responsible for carrying out market investigations. This gives the Commission the authority to dynamically update the obligations for gatekeepers when necessary, and to identify companies as gatekeepers based on the aforementioned criteria. In addition, the European Commission will be expected to design remedies to tackle systematic infringements of the Digital Markets Act rules: additional penalties may be imposed after the Commission carries out a market investigation, if it considers the previously mentioned penalties insufficient or inappropriate.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Monitoring data processors: guidance from Danish DPA

The Danish DPA has published guidance for data controllers on monitoring data processors, with suggestions based on risk assessment.

The Danish DPA published guidance last month for any private company, public authority or institution that processes personal data or functions as a data controller, on how best to monitor their data processors. Data processors are essentially external bodies who process information on behalf of data controllers, and are oftentimes in possession of personal data and other sensitive information. It is imperative that processors handle this information as they are supposed to, and data controllers can monitor their respective processors to ensure that this is the case. This is important, as ultimately data controllers are held responsible for the data.

Data controllers have a responsibility to ensure that their data processors are processing the information properly.

In the relationship between a data controller and a processor, the data controller decides why (for what purpose) and how (with what means) the personal data is processed. A data processor, on the other hand, is the one who processes personal data on behalf of the data controller, that is, following an instruction from the data controller. The data controller is oftentimes held responsible for the data and its use, as well as any mishaps which may occur regarding the data and its processing. As a result, it is imperative that data controllers monitor the data processors handling the data of their clients, customers or other data subjects.

The Danish DPA has suggested six different approaches to monitoring data processors, based on the level of risk.

In light of the importance of data controllers supervising their respective data processors, the Danish DPA has provided guidance for controllers regarding how, and how much, they should supervise. The guide answers many questions on how much supervision is necessary and how it should be carried out. In addition, it provides a helpful approach based on guiding supervisory concepts, to help gauge the level of risk associated with the processing of certain data. Based on the level of risk, the guide from the Danish DPA suggests six different approaches to supervision, ranging from very low risk to very high risk. These are outlined here:

Concept 1 (very low risk)

Do not do anything unless you become aware that something is wrong with the data processor.

Concept 2

The data processor confirms – preferably in writing – to you that all requirements in the data processor agreement are still complied with.

Concept 3

The data processor gives you annually – either directly or via its website – a written status of matters covered by the data processor agreement and other relevant areas (e.g. organizational or product changes).

Concept 4

The data processor has a relevant and updated certification or follows a so-called code of conduct that is relevant to your processing activities.

Concept 5

An independent third party has conducted documented supervision of the data processor in an area that also covers your processing activities.

Concept 6 (very high risk)

The data controller carries out a documented inspection of the data processor itself – or together with others.

Deciding which approach is appropriate in each data controller’s situation is important, and is determined by the level of risk associated with the data being handled by the processor. However, some level of supervision of one’s data processor is necessary in every case. It is therefore important to assess the level of supervision necessary and to conduct supervision as needed.
