TikTok fined by Dutch DPA

TikTok fined by Dutch DPA for failure to provide translated information to users

The video-sharing social networking app TikTok was recently fined by the Dutch DPA, according to this report from the EDPB. During an investigation into apps typically used by minors, it was discovered that the information provided when installing the app (including the privacy policy) was available only in English. By failing to provide this information in Dutch, TikTok violated the rights of Dutch-speaking users, since it did not give them clear, comprehensible information on what happens with their personal data. This in and of itself is a violation of their privacy rights. TikTok has been hit with a fine of €750,000, to which the company has objected.

TikTok, fined by the Dutch DPA, is now subject to investigation by the Irish DPA after establishing headquarters in Ireland.

This initial fine was imposed by the Dutch DPA, and rightfully so, because at the time TikTok had no headquarters in the EU; the company has since established headquarters in Ireland. The initial fine could have been imposed by any EU member state; however, any subsequent investigations must be handled by the Irish Data Protection Commission. The Dutch Data Protection Authority can only be expected to assess the privacy statement violation, which had ended by the time the Irish headquarters were established. When a company has no European headquarters, any EU member state can oversee its activities; once there are European headquarters, this responsibility falls on the country which houses the company's headquarters.

TikTok has made changes to their app to make it safer for child users. 

Since last October, when the Dutch DPA submitted the results of its investigation to TikTok, certain key changes have been made to protect users under 16 while they use the app. While these changes are not entirely foolproof, because children can still pretend to be older by creating their account with false information, the DPA welcomes the adjustments made by TikTok to reduce the risk for child users. Parents are now able to manage their children’s accounts through their own accounts, or through the ‘Family Pairing’ feature. This will not prevent children from putting themselves at risk by lying about their age; however, it will give parents the power to monitor their children’s accounts and provide greater security for them.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Case between Schrems and Facebook

Case between Schrems and Facebook intensifies as further questions are raised

Case between Schrems and Facebook intensifies as questions are forwarded from Austrian Supreme Court to CJEU.

Austrian lawyer and activist Maximilian Schrems is once again making headlines, as the Austrian Supreme Court accepted his request to refer key questions regarding his Facebook case to the CJEU. The focal point of this privacy case is Schrems’ claim that Facebook violates user rights under the EU GDPR with regard to consent, and the fact that the company uses the contract, rather than consent, as its permission to push targeted ads. According to recent reports, in this long-standing case between Facebook and Maximilian Schrems, questions are being raised about the legal basis of Facebook’s use of its EU customers’ data.

Facebook has been processing user data under the EU GDPR on the basis of a contract, as opposed to user consent. 

Ever since the EU GDPR came into effect in 2018, Facebook has, instead of relying on consent for user data processing, claimed that users were now under contract to receive personalised advertising. The EU GDPR had raised the requirements for consent, and this move was seen as a way for Facebook to undermine the EU GDPR and avoid obtaining informed and freely given consent from its users.

Mr Schrems was quoted as saying “Facebook tried to strip users of many GDPR rights by simply ‘reinterpreting’ consent to be a civil law contract.” 

Facebook was also accused of failing to adhere to the GDPR principle of data minimisation. 

Facebook was accused of collecting more data than deemed necessary, particularly through its ‘like’ feature, present on Facebook.com as well as several other websites and sources. Questions regarding this matter, as well as Facebook’s use of sensitive user data (for example a user’s political opinion or affiliation, or their sexual orientation) for the purposes of personalised advertising, were forwarded to the CJEU. Schrems claims that these questions are crucial. According to Schrems: “Facebook may not be allowed to use all data for advertisements anymore, even when I got valid consent. Equally, it may have to filter sensitive data from political opinions or data on sexual orientation.”

Maximilian Schrems was awarded €500 in symbolic damages for obstructive tactics used against him by Facebook. 

Facebook was accused of creating an “Easter egg” hunt when asked by Max Schrems to provide him with full access to his data. According to the court, Mr. Schrems received neither his raw data in its totality nor crucial information such as the legal basis for the processing of his data. As a result he was awarded €500 in symbolic damages, due to Facebook’s obstructive tactics. Several questions have now been forwarded from the Austrian Supreme Court to the Court of Justice of the European Union regarding Facebook’s alleged non-compliance with the EU GDPR.

Facebook and WhatsApp data sharing

Facebook and WhatsApp data sharing requires further investigation, says EDPB

Further investigations are required by the Irish Supervisory Authority before making a final decision regarding Facebook processing WhatsApp user data.

The EDPB has adopted an urgent binding decision pursuant to Article 66 of the GDPR, requiring the Irish Supervisory Authority to carry out an investigation, rather than taking final measures, following a recent change in WhatsApp’s Terms of Service and Privacy Policy. The Supervisory Authority had adopted provisional measures towards Facebook Ireland, ordering a ban on the company processing WhatsApp user data for its own purposes. However, the EDPB believes that further investigation is required to gain clarity on the processing activities in question.

The EDPB concluded that the situation does not require any final measures as the conditions to demonstrate the existence of an infringement or an urgency have not been met. 

The conclusion of the EDPB, based on the evidence presented, was that no final measures needed to be taken by the Supervisory Authority at this time. For one, the EDPB believes there is a high likelihood that WhatsApp user data is already being processed by Facebook Ireland on the basis of joint controllership, for the purpose of the safety, security and integrity of all Facebook Companies, including WhatsApp. Nonetheless, the EDPB is unable to determine with certainty what processing operations are in fact being carried out and in what capacity, because of various uncertainties and ambiguities in the information provided to WhatsApp users. That being established, further investigation into those conditions is required before any final decision is made, especially considering the absence of any indication of a clear infringement or of urgency in this matter.

The EDPB says further investigations are required by the Supervisory Authority to determine whether Facebook Ireland acts as a processor or joint controller with WhatsApp Ireland. 

While it is likely that Facebook is operating as a joint controller with respect to the processing of WhatsApp user data, the EDPB considers this unclear at this time and would like the Irish Supervisory Authority to investigate further and clarify whether Facebook Ireland is indeed acting as a joint controller or as a processor. Currently, there is insufficient information on how data is processed for marketing purposes among the various Facebook Companies. Further investigation is also required to determine whether there is a proper legal basis for those processing activities under the GDPR.

The official binding decision will be published on the EDPB’s website once it has been properly assessed to ensure that any confidential information is redacted. However, all relevant Supervisory Authorities, as well as Facebook Ireland and WhatsApp Ireland, have been informed of the EDPB’s decision.

LinkedIn users’ data for sale

LinkedIn users’ data for sale on hacking forum – 700 million affected

The details of 700 million LinkedIn users were recently posted for sale on a notorious hacking forum. 

The details of 700 million LinkedIn users were recently posted for sale on a popular hacking forum. Last month, a user put the information up for sale on RaidForums, where it was spotted by Privacy Sharks, a news site. The seller provided a sample of 1 million records, which Privacy Sharks viewed and investigated, confirming the validity of the records, which included names, gender, phone numbers, email addresses and work information. This is the second instance this year of LinkedIn user information being scraped and posted for sale online. In April, a total of 500 million LinkedIn users were affected in a similar event.

LinkedIn’s investigation revealed that the data was scraped from LinkedIn as well as other sources.

LinkedIn maintains that this compilation of information on 700 million users was not the result of a data breach, and that the information is all publicly available. The company reported that no private LinkedIn member data was exposed. The ongoing investigation has so far uncovered, in an initial analysis, that the data includes information scraped from LinkedIn as well as other sources. LinkedIn has released a statement saying it determined that the information posted for sale was “an aggregation of data from a number of websites and companies.” The company also states that scraping and other misuse of members’ data violates its terms of service, and that it will work to stop any entities misusing LinkedIn members’ data and hold them accountable.

LinkedIn has sought legal action in the past over data scraping in violation of its terms of service.

While no one has been named as responsible in this case, LinkedIn is currently in an almost two-year legal battle to protect its user data and terms of service through litigation over data scraping. In September 2019, LinkedIn sought legal action against the data analytics organisation hiQ Labs in the United States Court of Appeals for the Ninth Circuit. hiQ Labs had been found to be using automated bots to scrape information from public LinkedIn profiles, at which point LinkedIn served it with a cease and desist, claiming that this violated LinkedIn’s terms of service. In that case the court ruled that the data scraping was legal, since the information collected by the data analytics organisation was all publicly available. However, LinkedIn brought the case before the courts again last month, this time going to the Supreme Court. The Supreme Court threw out the lower court’s original ruling, giving LinkedIn another opportunity to plead its case in the Ninth Circuit. No statement has been made as to whether legal action will also be taken in the present instance.