TikTok fined by Dutch DPA

TikTok fined by Dutch DPA for failure to provide translated information to users

The video sharing social networking app TikTok was recently fined by the Dutch DPA, according to this report from the EDPB. An investigation into apps typically used by minors found that the information provided when installing the app (including the privacy policy) was available only in English. By failing to provide this information in Dutch, TikTok violated the rights of Dutch-speaking users, who were not given clear, comprehensible information on what happens with their personal data. This in and of itself is a violation of their privacy rights. TikTok has been fined €750,000, a decision to which the company has objected.

TikTok, fined by the Dutch DPA, is now being investigated by the Irish DPA after establishing headquarters in Ireland.

While this initial fine was imposed by the Dutch DPA, and rightfully so, because at the time TikTok had no headquarters in the EU, the company has since established headquarters in Ireland. The initial fine could have been imposed by any EU member state; however, any subsequent investigations must be handled by the Irish Data Protection Commission. The Dutch Data Protection Authority can only be expected to assess the privacy statement violation, which had ended by the time the headquarters had been established in Ireland. When a company has no European headquarters, any EU member state can oversee its activities; if there are European headquarters, this responsibility falls on the country which houses the company's headquarters.

TikTok has made changes to their app to make it safer for child users. 

Since last October, when the Dutch DPA submitted the results of its investigation to TikTok, certain key changes have been made to protect users under 16 while they use this app. While these changes are not entirely foolproof, because children can still pretend to be older by creating their account with false information, the DPA welcomes the adjustments made by TikTok to reduce the risk for child users. Parents are now able to manage their children’s accounts through their own accounts, or through the ‘Family Pairing’ feature. This will not prevent children from putting themselves at risk by lying about their age; however, it will give parents the power to monitor their children’s accounts and provide greater security to them.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EU approves emergency measures for children’s protection

Temporary emergency measures for children’s protection have just been adopted by European Parliament.

Temporary emergency measures for children’s protection were adopted by the European Parliament on July 6th. This regulation will allow electronic communication service providers to scan private online messages containing any display of child sex abuse. The European Commission reported that almost 4 million visual media files containing child abuse were reported last year. There were also 1,500 reports of grooming of minors by sexual predators. Over the past 15 years, reports of this kind have increased by 15,000%.


This new regulation, which is intended to be executed using AI, has raised some questions regarding privacy. 


Electronic communication service providers are being given the green light to voluntarily scan private conversations and flag content which may contain any display of child sex abuse. This scanning procedure will detect content for flagging using AI, under human supervision. They will also be able to utilize anti-grooming technologies once consultations with data protection authorities are complete. These mechanisms have received some pushback due to privacy concerns. Last year, the EDPB published a non-binding opinion which questioned whether these measures would threaten the fundamental right to privacy. 


Critics argue that this law will not prevent child abuse but will rather make it more difficult to detect and potentially expose legitimate communication between adults. 

This controversial legislation, drafted in September 2020 at the peak of the global pandemic, which saw a spike in reports of minors being targeted by predators online, enables companies to voluntarily monitor material related to child sexual abuse. However, it does not require companies to take action. Still, several privacy concerns were raised regarding its implementation, particularly around exposing legitimate conversations between adults which may contain nude material, violating their privacy and potentially opening them up to some form of abuse. During the negotiations, changes were made to include the need to inform users of the possibility of scanning their communications, as well as to dictate data retention periods and limitations on the execution of this technology. Despite this, the initiative was criticized on the grounds that automated tools flag non-relevant material in the majority of cases. Concerns were also raised about the possible effect this may have on channels for confidential counseling. Ultimately, critics believe that this will not prevent child abuse, but will rather make it harder to discover, as it would encourage more hidden tactics.


This new EU law for children’s protection is a temporary solution for dealing with the ongoing problem of child sexual abuse. 


From the start of 2021, the definition of electronic communications has been changed under EU law to include messaging services. As a result, private messaging, which was previously regulated by the GDPR, is now regulated by the ePrivacy directive. Unlike the GDPR, the ePrivacy directive did not include measures to detect child sexual abuse. As a result, voluntary reporting by online providers fell dramatically after the aforementioned change. Negotiations on revising the ePrivacy directive to include protection against child sexual abuse have stalled for several years. This new EU law for children’s protection is but a temporary measure, intended to last until December 2025, or until the revised ePrivacy directive enters into force.


Fine imposed for unsecured website

Fine imposed for unsecured website for registration of new orthodontic patients. 

Patient personal data, including citizen service numbers, was found to be at risk when an orthodontic practice allowed new patients to sign up via an unsecured website. According to this report, several fields of mandatory personal information were captured over an unsecured connection. This could have resulted in a data breach, which could in turn have led to fraud, with several individuals affected, including minors. The Dutch DPA has imposed a fine of €12,000 on the orthodontic practitioner.

Sensitive personal data was at risk of being accessed by unauthorized parties. 


An unsecured connection was used to capture mandatory personal information from new patients signing up for orthodontic services. 


The unsecured website being used to capture information from new patients included a form, requiring the input of personal data into mandatory fields. The required information included patients’ parents’ information, their general practitioner, insurance information as well as their dentist and citizen service number. This information was sent over an unencrypted connection, making it unsecured. Individuals submitting their personal information while signing up on the website of an orthodontic practitioner are trusting that their sensitive data will be protected. In addition, the majority of orthodontic patients are children and young adults, so this case involved the personal data of several children. Data protection laws have specific safeguards for the sensitive data of children, who are considered a particularly vulnerable group. 


Fine imposed for unsecured website after a complaint was lodged about a privacy violation. 


A complaint was lodged with the Dutch DPA regarding a privacy violation. Because the complaint was regarding poor security within the health sector, a sector with particularly strict privacy requirements, this complaint was taken very seriously by the DPA. Monique Verdier, the DPA’s deputy chair commented on the situation stating “When you register with an orthodontist, you entrust your personal data to them. This is data that the practice needs, but it is also of interest to criminals. Taking good care of your patients includes taking good care of their personal data. This applies to all care providers, not just large institutions.” It is a business’ responsibility to ensure that its website is GDPR compliant, and to secure customer data and websites, preventing possible data breaches, phishing, and other forms of malicious online activity. A fine of €12,000 was imposed on the orthodontic practitioner for this infraction. 


An objection to this fine was lodged, which the DPA declared unfounded. 

The fine imposed on the orthodontic practitioner is not final, and was challenged by the provider. While the fine may be revocable, the DPA has called the objection by the practitioner unfounded. An application for judicial review can be submitted to the district court to have the €12,000 fine revoked. If this is done, the final decision will rest in the hands of the district court. 


The ICO has fined three companies for nuisance marketing

The ICO has fined three companies for a total of £415,000 due to nuisance marketing practices after receiving several complaints.


The ICO has fined three companies a total of £415,000 for nuisance marketing. Colour Car Sales Limited, Solarwave, and LTH Holdings were fined for various offenses including unsolicited calls and spam text messages. Many of the individuals receiving phone calls complained that they had been on the telephone preference service and should not have been receiving them. In all cases, the companies lacked the valid consent required in order to send direct marketing to customers. This is a violation of the Privacy and Electronic Communications Regulations (PECR). Under the PECR, the ICO has the power to impose a fine of up to £500,000 on a data controller for various violations of privacy rights in relation to electronic communications.


Colour Car Sales Ltd was found to have been sending spam text messages directing people to various car finance websites.

A credit intermediary for used car finance, Colour Car Sales Limited of Stoke-on-Trent, was found to have sent several spam text messages between October 2018 and January 2020. These messages were sent to numerous people, directing them to various car finance websites. Several complaints were made to the ICO by the recipients of those text messages. This was a violation of regulation 22 of the PECR. Regulation 22 applies to the transmission of unsolicited communications via electronic mail to individual subscribers. This regulation prohibits the sending or initiating of unsolicited communications for the purposes of direct marketing by email. This form of communication is only allowed in instances where the contact information was received from the individual during the course of negotiations or a sale, and the recipient has been given a free and simple means of refusing the use of their contact details for those purposes.


Solarwave Ltd was fined for making unsolicited marketing calls about solar panel maintenance to people registered with the TPS.

Solarwave Limited, a solar energy company in Grays, Essex, was found to have made over 73,000 unsolicited marketing phone calls. These calls were made between January and October 2020. They were made to people who should not have been receiving marketing calls at all, as they were all registered with the Telephone Preference Service (TPS) list. This list clearly identifies those individuals who have rightfully opted out of receiving unsolicited marketing calls, and it is imperative that businesses adhere to it so as to avoid violating that right. Various complaints were made against the company, claiming that it consistently called customers and even ignored stop requests. The company was found to have violated regulation 21 of the PECR. This regulation applies to the making of unsolicited marketing calls: where a number is registered with the Telephone Preference Service, such calls may only be made if the individual has given that company their consent to receive them.


Over the course of a year, LTH Holdings was found to have been making unsolicited calls selling funeral plans to people who are registered with the TPS.

1.4 million calls were made between May 2019 and May 2020 by LTH Holdings, a telephone marketing company from Cardiff. The ICO also received 41 complaints against this company and reported that the company’s marketing techniques had become persuasive, aggressive and coercive, which raised much concern. Of particular concern was the fact that the target market possibly included people who tend to be more vulnerable. LTH Holdings was also found to be in violation of regulation 21 of the PECR. Under regulation 26 of the PECR, the Commissioner maintains a register of numbers belonging to subscribers who have notified them that they do not, for the time being, wish to receive unsolicited calls. The TPS is a limited company that operates on the Commissioner’s behalf, maintaining this register. Businesses aiming to make direct marketing phone calls can subscribe to the TPS for a fee and stay up to date with this list to ensure that they do so within regulation.


The companies were fined a total of £415,000 for the various offenses.

After receiving several complaints of misconduct against the three companies, the ICO issued enforcement notices ordering them to stop marketing until consent has been obtained. A fine of £170,000 was imposed on Colour Car Sales Limited for the spam text messages, while Solarwave and LTH Holdings were fined £100,000 and £145,000 respectively for making unsolicited phone calls. This comes to a total of £415,000, which the ICO will be working to recover from the three companies. Under the PECR, the ICO has the power to impose a fine of up to £500,000 on an individual data controller.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.