Amazon facing lawsuit in Germany

Amazon facing lawsuit in Germany, accused of breaking EU’s privacy laws.

Amazon facing lawsuit in Germany after being accused of breaking EU’s privacy laws against the EU-US Privacy Shield.


The global giant Amazon is currently facing a lawsuit and has been accused of breaking the privacy laws in Europe, according to this recent article from Politico. The company has been accused of using the infamous Privacy Shield despite its previous invalidation in Europe which has led to this lawsuit. The basis is that the Court of Justice of the European Union made clear that transferring data through the Privacy Shield was no longer allowed following July’s Schrems II judgment. This ruling invalidated the EU-US privacy shield. The reason for the invalidation was that the CJEU decided that shipping data outside of the EU put it at risk. According to the CJEU, US surveillance customs are more intrusive than they should be and go beyond what is acceptable for privacy. While Amazon understands that the Privacy Shield is invalid, it appears that they have continued to use this invalidated transfer mechanism.

Standard Contractual Clauses are still a viable option for companies needing to transfer data.

Standard Contractual Clauses (SCCs) are another option for the technological giants and are used by the likes of Google and Facebook. The difference is that exporting data from the EU using the SCC requires more supervision, and better ensures the safety of the data. While the SCC gives these companies an alternative, the clauses come with caveats, and are not entirely free of problems. Right now, the giant Facebook stands against the Irish data regulators regarding their use of the clauses.

EuGD takes legal action against Amazon.

EuGD (Europäische Gesellschaft für Datenschutz) decided to take action putting forth the formal legal complaint that escalated the conflict. The recent article by Vincent Manancourt, features a statement from Johann Hermann, the current head of EuGD, the group behind the legal complaint. “The [Court of Justice of the European Union] has made it clear that data transfers to the U.S. on the basis of the Privacy Shield are no longer permitted. If the world’s leading cloud company and largest e-commerce provider remains inactive for more than two months and ignores consumer rights, that is unacceptable,” said Mr Hermann, head of Europäische Gesellschaft für Datenschutz (EuGD). Moreover, the founder of EuGD, Thomas Bindl, said that taking the legal route was a decision made taking into consideration similar conflicts.

Despite the noise and controversy surrounding the conflict and impending lawsuit, it is still necessary to wait and see the developments in court. However, regardless of the result in the ruling, this will likely inspire greater vigilance and compliance on the part of companies who may also be transferring data out of Europe.


Do you make international data transfers to third countries? Are you affected by Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.


CPS Advisory fined

CPS Advisory fined for unauthorized cold calls

CPS Advisory faces ICO fine for making more than 100,000 unauthorized pension-related direct marketing calls. 


As technological advances, globalization—and now worldwide health & safety threats (such as COVID-19)—continue to catapult our world further into the remote sphere, more and more businesses are turning to cold calling and other such distanced customer engagement methods to keep their businesses alive. Yet if companies are not diligent, what may seem a prudent, practical, inevitable business development solution—especially in these unprecedented 2020 times—could plunge them into some serious hot water. This is the case for Swansea, UK based company CPS Advisory (CPSAL). 


According to the ICO,  an investigation into CPS Advisory’s operations revealed that during the period January 11 2019 to April 30 2019, the company made 106,987 unsolicited direct marketing calls related to occupational pension and/or personal pension schemes contrary to regulation 21B of PECR. 


The ICO article summarizes that “under the new law, companies can only make live calls to people about their occupational or personal pensions if:

  • the caller is authorised by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme;
  • the recipient of the call consents to calls, or has an existing relationship with the caller and the relationship is such that the recipient might reasonably envisage receiving unsolicited calls for the purpose of direct marketing in relation to occupational pension schemes or personal pension schemes; and
  • the recipient of the call has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of the recipient’s contact details for the purpose of such direct marketing, at the time that the details were initially collected and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.


As a result of this breach, the ICO Monetary Penalty Notice notes that the Information Commissioner decided to issue CPSAL with a monetary penalty under section 55A of the Data Protection Act 1998 (DPA).


PECR & GDPR – how do they fit


According to the ICO, “the GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but use the new GDPR Standard of consent. 


“This means that if you send electronic marketing or use cookies or similar technologies, from 25 May 2018 you must comply with both PECR and the GDPR.”


Does PECR apply to you & your company? 


The ICO offers that although some of the rules apply only to organisations that provide a public electronic communications network or service, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory)

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Hungarian DPA fined Forbes

Hungarian DPA fined Forbes for GDPR violation.

Hungarian DPA fined Forbes for failing to carry out a legitimate interest assessment in relation to two of their publications and to inform data subjects in advance about the results.


The Hungarian DPA came to a decision this July, to fine Forbes for violating various articles of the GDPR with regard to two of the company’s publications. The EDPB recently reported that in relation to both printed and online versions of the Forbes publication in September 2019 and in January 2020, one containing the largest family undertakings, and the other, the 50 richest Hungarians, the Publisher violated the GDPR. In addition, the Authority accused Forbes of failing to provide adequate information to the Complainants about all the essential circumstances of data processing, and of their rights to object to the processing of their personal data. 


The company infringed on several sections of the GDPR in releasing those publications.


In both of the DPA’s decisions, No. NAIH/2020/1154/9 of 23 July 2020, and No. NAIH/2020/838/2 of 23 July 2020, Forbes was found to have been in infringement of Article 6(1)(f) of the GDPR. This article states that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”


In failing to inform the Complainants of their option to exercise their rights, Forbes infringed on Articles 5(1)(a), 5(2), 12(1) and 12(4), as well as Articles 14, 15 and 21(4) of the GDPR. The relevant sections of Article 5 of the GDPR calls for personal data to be processed lawfully, fairly and in a transparent manner, and that the controller is in fact responsible for, and must be able to demonstrate compliance with the aforementioned requirements. Article 12 outlines the fact that the controller must take appropriate measures to provide any relevant information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It also mentions that if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay of the reasons why, within no more than one month of receipt of the data subject’s request. Articles 14 and 15 speak to the right of the data subject, to obtain from the controller, confirmation as to whether or not their personal data is being processed and to obtain access to information on the personal data being processed, and also clear information on where this data has been obtained, together with other relevant elements around the processing. In this instance, Forbes also denied the data subjects the right to object to the publishing of this personal data, by neglecting to inform them and gain their consent, which violates Article 21.

The Hungarian DPA fined Forbes and gave the company several orders for corrective action.


The Hungarian DPA imposed a fine of 5,600 € for one of the infringements and 7,000 € for the other. The company was also ordered to undertake several corrective actions. Forbes was ordered to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights. The company will also need to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions, and to carry out the interest assessment including the second 

individual interest assessment following the objection in accordance with the legal regulations 

and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis.


The Authority is not opposed to “rich lists” but maintains that they must be done in accordance with the GDPR and preferably with minimal information released on data subjects. 


When the Hungarian DPA arrived at its position on the matter, it also did not decide that lists of businessmen and companies should never be made in this form of Fashion. Forbes may compile lists, on the basis of business data that is accessible to the public, however the publication of those lists is subject to the requirements of the GDPR, and the publisher as controller has to comply with these stringent requirements. The general practice in the Hungarian market, of which the authority approves is that the various rich lists or publications listing the richest Hungarians, did not in all cases include the name of the data subject, but rather initials and minimal information instead of presenting the activities of the data subject. The publishing of this personal data should follow the well grounded objection by the data subject.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Lincolnshire Police Trial CCTV

Lincolnshire Police Trial CCTV: this technology can even detect moods!

Lincolnshire police trial CCTV technology which can detect moods, eyewear and headgear, but not  before a human rights and privacy assessment is carried out.


Lincolnshire police will soon debut their trial of CCTV cameras in Gainsborough. This is a new, more complicated and potentially controversial type of Surveillance technology. Although the funding for this project has been approved and received, due to privacy concerns surrounding the use of this technology, the implementation of the new equipment is at a standstill. Key legal considerations need to be made before this could be released and used in the general public, as this technology has the ability to search for persons using parameters surrounding their mood, or their apparel such as hats or sunglasses. Due to the fact that the police have full control of the search parameters; the technology is inherently problematic, as was in case of court rulings as recently as 2018. 


A Welsh national had brought a legal case against the authorities for their use of a very similar facial recognition technology, and this has raised the specter of many ideological and privacy concerns when it comes to the Police having unquestionable access to intrusive means of surveillance, and monitoring persons who may not be suspected or involved in any crimes. Although Mr. Bridges did not have instant success with his claim, as his first petition to the High Court was denied, in his subsequent Court of Appeal claim; three out of five of the unconstitutional breaches of privacy Mr. Bridges presented were ratified as legally valid in the court. 


The police have acknowledged, and made attempts at addressing the public’s privacy concerns regarding the use of this technology.


Privacy concerns are a very important consideration prior to the establishment of this new technology for everyday use. The police have tried to give some assurance to the public that their rights are of paramount importance  in the means and the protocols surrounding this technology and how it is used. The local police have also released some preliminary information which may ease public anxiety around the implementation of this technology; the scans are not being done in live time and also, all footage is deleted after 31 days. 


Legislation continues to be introduced regarding privacy and surveillance.


There are also larger debates surrounding the appropriate search terms allowed and under what circumstances they can be implemented in a situation where this new surveillance technology is to be in use. Legislation around government surveillance also has seen changes in recent years since the Ed Bridges case, and it continues to be reformed, in an attempt to encompass everyone’s well-being without stripping them of the fundamental privacies and rights allotted to them. 


According to Cristina Contero Almagro, partner at Aphaia, ‘The risk is twofold: first, the police using the technology without the appropriate safeguards and second, the information being compromised and used maliciously by third-parties which may access it unlawfully. Considering the nature of the data involved, it is essential to put in place strong security measures which ensure the data will be adequately protected. It is important to note that once that biometric information has been exposed, the damage to the rights and freedoms of the affected data subjects is incalculable, as it is not something that can be changed like a password’.


‘Any facial recognition that includes profiling should be viewed with suspicion,’ comments Dr Bostjan Makarovic, Aphaia’s Managing Partner. ‘The challenge is that there is no way to object to such profiling because it takes place in real time as one enters a certain area. Law enforcement and public safety are important reasons but should not be used as a blanket justification without further impact assessment.’  

Does your company utilize facial recognition or process other biometric data? If yes, failure to adhere fully to the guidelines and rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides both GDPR adaptation consultancy services and CCPA compliance, including data protection impact assessments, EU AI Ethics assessments and Data Protection Officer outsourcing. Contact us today.