Dutch DPA imposes fine

Dutch DPA imposes fine for delayed report of a data breach

Dutch DPA imposes fine on international travel agency Booking.com for its delayed action in reporting a significant data breach. 


Netherlands-based international travel agency Booking.com was recently hit with a fine for its delayed action in reporting a data breach. The breach was discovered on January 13, 2019, after having occurred in December 2018. However, the incident was not reported to the DPA until February 7, 2019. Data breaches must be reported to the relevant authorities within 72 hours of their discovery, making this report about 22 days late. As a result, the Dutch DPA imposed a fine of €475,000 on the company. 


Because Booking.com is an international company with customers from a range of different countries, the investigation into the breach was international in scope. The investigation, however, was conducted by the Dutch DPA because the company is based in the Netherlands. 


Cyber criminals posed as Booking.com staff in emails and on the phone in order to steal personal information. 


The criminals collected information by posing as Booking.com staff in emails and on the telephone. The scam targeted 40 hotels in the UAE in December 2018. Using the customers' booking information to appear more credible when posing as Booking.com staff, the phishers attempted to gather as much personal and financial information on as many customers as they could in order to steal money from them. This data included login credentials as well as financial information. The scope of the breach was so wide that the criminals were able to access the data of over 4,000 people, including the credit card information of over 280 people. In 97 of those cases, even the security code for the credit card was obtained.


Booking.com does not object to the fine imposed and has compensated its customers for the financial losses suffered as a result of the breach. 


Although Booking.com was made aware of the breach on 13 January 2019, it was not until February 4, 2019 that it informed the affected customers. Furthermore, the company waited until February 8 to inform the DPA of the breach. The company has offered several remedies, including financial compensation for any losses suffered by its customers. Booking.com will not lodge any objection or apply for review of the fine imposed. 


There has been a significant increase in cyber crime over the past year, making enhanced security measures even more valuable. 


In recent times, particularly since 2020, there has been a significant increase in personal data theft and related attempts. 2020 saw 30% more data theft than the previous year. Many individuals have fallen victim and suffered financial losses as a result of phishing and other forms of data theft aimed at accessing financial information. DPAs have remarked on the explosive increase in these cases over the last year. Enhanced security, as well as timely reporting in the event of a breach, can greatly reduce the impact that this sort of theft has on individuals. 


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Facebook data leak

Facebook data leak affects over half a billion users worldwide

Facebook data leak results in the personal information of over half a billion users being made available publicly and free of charge. 


Facebook has recently been implicated in a massive data leak affecting over half a billion users, as reported by Business Insider earlier this month. The personal data leaked was gathered during a data breach two years ago. Recently, however, an individual published all of this personal information on a black market online hacking forum, free of charge. It is believed that this information was previously available for sale but has since gone down in value, and is now being offered for free on a hacking forum. The data was obtained through the misuse of a feature prior to 2019 and affects approximately 533 million users from over 100 countries. 


The personal data leaked does not include login information; however, the details included contain enough information to facilitate impersonation or fraud. 


The personal data affected includes full names, identification credentials, locations, dates of birth, email addresses, and phone numbers. The information does not include financial or health information. Login information is also said not to be included in the data; however, the information put out there could potentially be used for hacking. Security experts say that this information could be used to impersonate individuals and commit fraud. Facebook’s Product Management Director, Mike Clark, says that this information was not obtained through hacking, but rather by scraping it from the platform, much like what happened with Facebook in the 2016 Cambridge Analytica fiasco. 


The Facebook data leak has resulted in information that was available for sale in January now being published free of charge on a hacking forum. 


The data was first discovered in January on a hacking forum, where an individual or entity advertised an automated bot which could provide certain user data from Facebook. At the time, this data was confirmed to be legitimate. Since then, however, the data has been publicised and is now available for free on a low-level hacking forum. This was discovered earlier this month by Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock. 

Facebook reports that the vulnerability which led to the data scraping has since been rectified, and that the company does not intend to notify the individual users affected by this leak. 


Facebook officials want to assure the public that the platform’s vulnerability which led to the 2019 data breach has since been rectified. The social media company has not notified the over 533 million users who were affected by this data breach, and according to company officials, it does not intend to do so. Facebook’s spokesman said the social media company was not confident that it had full visibility on which users would need to be notified. In defence of not notifying users, the company also cited the fact that users could do nothing to fix the issue, as well as claims that the data was already publicly available.


“One needs to understand that, under GDPR, data breaches of such nature need to be notified to data protection authorities and very likely to the affected users as well,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.



Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB and EDPS have released a joint opinion on them regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports”, are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates, or passes as they would preferably be called, are proposed to be a QR code carrying information on a person’s status with regard to the COVID-19 virus. The information may pertain to the vaccine, with details on which vaccine was taken and when it was administered, or it may contain information on a negative COVID-19 test and the date on which the last test was taken. The scannable code may also contain information on antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from the virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless for anyone travelling during this global pandemic. 

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published, on March 17th, the proposal for a Regulation of the European Parliament and of the Council on the issuance, verification and acceptance of certificates of vaccination, testing and recovery to third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic. The EDPB and EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specifically on the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent with, and does not in any way conflict with, the application of the GDPR. 

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy, data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only help, by enabling citizens to trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO), in its ‘Interim position paper: considerations regarding proof of COVID-19 vaccination for international travellers’, stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.” 

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper-based formats, to ensure the inclusion of all citizens regardless of their level of engagement with technology. The organisations also call for clarification of the proposal’s stance on the manner in which these certificates will be issued, whether automatically or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”.

The EDPB and EDPS are glad to note the consideration given to the rights and freedoms of individuals, as well as to compliance with data protection regulation, in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross-border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the Union during the COVID-19 pandemic”. The EDPB and EDPS recommend including a reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data for the issuance and verification of interoperable certificates, as acknowledged in Recital 37. 

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge, and may renew them to bring the information up to date or replace them as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as any modifications, shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons. 

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPB and EDPS consider that the justification for the need for each personal data field needs to be clearly defined in the Proposal. In addition, the organisations ask that further explanation be provided as to whether all of the categories of personal data provided for need to be included in the QR code for both digital and paper certificates. They note that data minimisation can be achieved by offering data sets or QR codes of differing comprehensiveness. The organisations also note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that, given the scope of the draft proposal and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should be limited to COVID-19 and its variants. 

The EDPB and EDPS reiterate the importance of adequate technical and organisational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organisations suggest that privacy and security measures should be specifically structured to ensure compliance by the controllers and processors of personal data required by this framework. The opinion states that controllers and processors should take adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of this personal data, in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures adopted. 

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple Member States by persons travelling throughout the EU. They also suggest that the Proposal clarify the role of the Commission with regard to data protection law in the context of the framework, which guarantees interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR with regard to the storage of personal data, as well as clarification of the storage period that Member States should not exceed beyond the pandemic. Furthermore, the EDPB and EDPS recommend that the Commission explicitly clarify whether and when any international transfers of personal data are expected, and include safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes for which this data is exchanged under the framework.


Facebook case forwarded

German Facebook case forwarded to ECJ with questions pending

Facebook case forwarded to the ECJ after Facebook appealed the German competition authority’s order to halt its data collection practices. 


In recent times, Facebook has come under fire for its data collection practices, which span several integrated platforms. The company has been accused of ‘superprofiling’, and has been in court with German authorities over a pro-privacy order to stop combining user data across platforms without consent. This order has been met with much resistance, and an appeal from Facebook has led German authorities to seek guidance from the European Court of Justice. 


Facebook was accused of abuse of power for collecting and sharing data across platforms without user consent. 


There has been major concern over Facebook sharing data between its platforms, including Instagram, WhatsApp and Oculus, as well as third-party apps. This, coupled with the volume of data Facebook collects freely without the need for user consent, has led to the tech giant being accused of abuse of power by German authorities. There has been some pushback on this, particularly from a judge of Düsseldorf’s Higher Regional Court in preliminary hearings on the matter. Judge Jürgen Kühnen argued that Facebook’s data use did not result in an abuse of its dominant position in the market. The contention here is that Facebook’s ability to build a unique database for each individual gives the tech firm an unfair market advantage over other companies who do not have access to that much intricate data on users. The Bundeskartellamt (Federal Cartel Office, FCO) claims that this data collection is not lawful under the EU’s legal framework, as it essentially does not give users a choice. 


The German competition authority has attempted to place restrictions on Facebook’s collection of user data. 


Earlier this year, Germany’s competition authority placed restrictions on Facebook’s data-processing activities. Facebook was ordered to stop combining data collected from WhatsApp, Instagram and other third parties until it had received voluntary user consent. This would have required Facebook to considerably reduce its collection and combining of user data until it receives consent from users. Under Facebook’s terms and conditions, users operate on the social networking platform under the precondition that their data will be collected. However, in February of this year, the competition authority came to a preliminary decision regarding this practice and ordered Facebook to stop combining and collecting user data across these platforms until it has received genuine consent from users. This decision, however, was not final and left room for appeal by Facebook. 


Facebook appealed the decision, arguing that its terms allow users to benefit fully from its services, and as a result the case has been forwarded to the ECJ. 


Facebook appealed the decision made by the German competition authority in February of this year. At the time, Facebook said in a blog post: “While we’ve cooperated with the Bundeskartellamt for nearly three years and will continue our discussions, we disagree with their conclusions and intend to appeal so that people in Germany continue to benefit fully from all our services.” The German authority maintains that the social media company is guilty of a level of exploitative abuse which violates EU regulation. As a result, questions regarding this case have been forwarded to the European Court of Justice in order to arrive at a final conclusion. 

