Google reprimanded by Belgian SA

Google was reprimanded by the Belgian SA due to lack of transparency concerning a request to have articles delisted.

 

This recent decision by the Belgian SA concerns a lawyer who was previously disbarred less than 10 years ago, who had requested that articles and information concerning his disbarment be delisted. The complainant currently works as a legal advisor and had his complaint dismissed by the Belgian SA. According to this report by the EDPB, the Authority reprimanded Google for a lack of transparency in this case. Under the GDPR, the Belgian SA recognized some shortcomings in the manner in which Google handled the complainant’s request. 

 

Google reprimanded by Belgian Supervisory Authority despite the complaint made against the company being dismissed

 

While the Belgian Supervisory Authority dismissed complaints regarding Google’s refusal to delist, the Authority found it necessary to reprimand the company due to shortcomings in the manner in which the delisting request was handled. Google did not honor the complainant’s request, reasoning that the public still has an interest in accessing the information concerning the lawyer in the search engine. The Belgian Supervisory Authority, while not in disagreement with this, found that the complainant was effectively ‘passed around’ from Google Ireland to Google LLC via Google Belgium, and that there were issues with the quality of the statement of why the delisting was refused. This statement was said to lack transparency, and to be in violation of Article 12 of the GDPR.

 

The Belgian Supervisory Authority found issues with the quality of the response to the data subject’s request.

 

In handling a request made under Article 17 of the GDPR, Google was found by the Belgian Supervisory Authority to be in violation of Article 12 of the GDPR. Article 17 relates to the data subject’s right to erasure, and while the authority dismissed the complaints of the data subject in this instance, the company was found to be in violation of Article 12 due to the lack of transparency in responding to the data subject’s request. Article 12 states that “the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…” In this case, due to unclear identification of the controller, the authority found issues with the quality of the response to the data subject’s request, and reprimanded the company.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Privacy class action lawsuit against Google halted by UK Supreme Court

A privacy class action lawsuit against Google has been halted by the UK Supreme Court as the claimant is unable to prove damage to affected users.

 

A billion dollar class action lawsuit against tech giant Google has been denied by the UK Supreme Court. The case, originally filed by Richard Lloyd on behalf of a group called “Google, You Owe Us”, relates to the unlawful tracking of millions of iPhone users. Between August 2011 and February 2012, Google allegedly bypassed iPhone security and collected personal data through the Safari browser. The lawsuit was filed on behalf of 4.4 million residents of England and Wales, claiming £3 billion in damages. However, this case has been dismissed because the claimant was unable to prove any damage to the individuals from Google’s alleged unlawful tracking and data collection, according to this report from IAPP.

 

The judge dismissed the privacy class action lawsuit, stating that the affected individuals suffered no material damage or distress as a result of the breach.

 

The class action, previously dismissed in 2018 in a decision that was subsequently overturned by the UK Court of Appeal, has now been dismissed by the UK Supreme Court. The judge in this case, Judge George Leggatt, concluded that there was no evidence of damage suffered by the individuals affected by this breach. Judge Leggatt said “The claimant seeks damages, for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach.” Members of the public have expressed outrage at this ruling, claiming that it undermines equality, and that not enough has been done to protect the right of the individual against large tech firms like Google which break the law and put the personal data of citizens at risk.

 

 

Privacy experts have been following this case very closely, due to the implications the ruling would have on other class actions in the UK.

As similar cases circulate, privacy experts have been awaiting the outcome of this class action lawsuit, knowing that the result may have far-reaching implications. One such case is that of TikTok being accused of using children’s data without informed consent, as reported by BBC. Lawyers claim that TikTok takes children’s personal information, including phone numbers, videos, exact location and even biometric data, with neither adequate warning and transparency, nor the necessary consent required by law. Allegedly, children or parents are not being made aware of what is being done with that information. TikTok has called these claims baseless and expressed its intent to fight them.

 

 

“This case stems from the right to compensation provided by the (UK) GDPR, whereby any person who has suffered a material or non-material damage as a result of an infringement of the (UK) GDPR can claim compensation from the controller or the processor. As a first step, one should try to obtain compensation by writing to or speaking with the organisation directly. However, if no agreement is reached, a court claim can be made. The seriousness of the breach and the impact on the individual, especially in terms of the distress caused, are two of the determining elements. In order for a controller or a processor to be exempt from this liability, they will need to prove that they are not in any way responsible for the event giving rise to the damage” explains Cristina Contero Almagro, partner in Aphaia.

 

 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data collected or processed? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Google and Amazon fined

Google and Amazon fined: CNIL has fined the two major companies for unlawful cookies.

Google and Amazon, fined by CNIL of France, for placing cookies on users’ computers without getting prior consent or giving satisfactory information.

The CNIL reported last week that both companies have been sanctioned for their misuse of cookies, which breached the French Data Protection Act. Following several investigations from December 12th 2019 to May 19th 2020 on amazon.fr and on March 16th 2020 on google.fr, the CNIL discovered that the websites of both of these companies violated Article 82 of the Data Protection Act.

Google was found to have three violations of Article 82 of the DPA, while Amazon had two of those three.

Both websites, upon investigation, were found to have been placing cookies on users’ computers automatically, without any action required on the users’ part and without their prior consent. These cookies were deemed non-essential to the use of the service and should only be placed once the user has expressed their consent. This practice violates Article 82 of the DPA, which requires prior consent to be obtained before placing cookies on users’ computers.

While both google.fr and amazon.fr displayed brief statements via a banner pop-up at the bottom of the screen, informing visitors of either the company’s confidentiality agreement (in the case of Google), or the user’s acceptance of cookies by their use of the website (in the case of Amazon), both of these banners were found to have inadequately informed users, resulting in further breaches of Article 82. In Google’s case, this banner did not inform users at all about the cookies which had already been automatically placed on their computers. The “Consult now” button which was placed on the banner at google.fr also did not lead users to any information on those cookies.

On amazon.fr, while the banner informed users of their automatic acceptance of cookies by using the site, this information was found to be neither clear nor complete. The banner did not specify that cookies placed on users’ computers were mainly used to display personalized ads. It also failed to explain to users that they could refuse these cookies or how to do so.

In addition, on google.fr, even after using the mechanism provided through the “Consult now” button to deactivate the personalisation of ads, one of the advertising cookies remained stored on the user’s computer and continued to read information intended for the attached server. The “opposition” mechanism on Google’s website was deemed faulty and resulted in an additional violation of Article 82 of the DPA.

Google and Amazon fined a total of 100 million euros and 35 million euros respectively. 

GOOGLE LLC was hit with a fine of 60 million euros, and GOOGLE IRELAND LIMITED was fined 40 million euros. The authority justified these fines, and its decision to make them public, by the seriousness of Google’s triple breach of Article 82, the search engine’s reach and the fact that nearly fifty million users were affected by this breach. The advertising revenues generated by companies like Google are indirectly generated from the data collected by the advertising cookies placed on users’ computers. Since a September 2020 update on google.fr, cookies are no longer automatically placed on users’ computers; however, the information banner still did not inform users residing in France of the purposes for which cookies are used, nor did it inform them that they could refuse these cookies. In addition to the fines imposed on GOOGLE LLC and GOOGLE IRELAND LIMITED, an injunction under penalty was also issued, threatening a fine of 100,000 euros per day if, after three months, the companies were still not adequately informing users in accordance with Article 82 of the DPA.

AMAZON EUROPE CORE was fined 35 million euros, and the fine was also publicized due to the seriousness of the breaches. It was considered that, given the popularity of the website amazon.fr, millions of France’s residents visited this site daily, having cookies placed on their computers. In addition, the main activity of the company is the sale of consumer goods; therefore the personalized ads, made possible by the use of those cookies, lead to a significant increase in the visibility of its products on other websites. It was also taken into account that, until the restructure of the website amazon.fr in September 2020, the company was continuously placing cookies on the computers of users living in France, without informing them. Regardless of the path that led users to the site, they were either insufficiently, or not at all, informed that cookies were being placed on their computers. Amazon is also faced with the threat of an additional fine of 100,000 euros per day if it is not in compliance with the Act within three months.

CNIL has released amended guidelines and recommendations regarding the use of cookies, in accordance with the GDPR. 

On October 1st 2020, the CNIL released its guidelines on the use of cookies and other tracking devices. These guidelines are part of its action plan on targeted advertising and the enforcement of the GDPR. CNIL is asking all parties to comply with the rules clarified therein, specifying that their adaptation period should not exceed six months. CNIL has also indicated that it will continuously monitor other requirements which have not been modified and, if necessary, adopt corrective measures to protect the privacy of individuals.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Google Wins landmark privacy case on right to be forgotten

Judges at the Court of Justice of the European Union this week ruled that Google does not have to apply the GDPR’s right to be forgotten globally.

 

On Tuesday September 24th, in what is being lauded as a landmark privacy case, Luxembourg-based judges said operators of a search engine are not required to carry out a de-referencing on all versions of its search engine. This means that firms like Google, when acting on an individual’s request to remove personal data (i.e. their right to be forgotten), only need to remove links from search results in Europe and nowhere else.

The court ruling stemmed from a May 2015 dispute between the French Data Protection Authority, the CNIL, and Google Inc, in which the CNIL gave Google Inc formal notice to apply de-referencing requests to all its search engine’s domains and name extensions. Google Inc, however, refused to do so and confined itself to removing the links in question from only the results displayed in EU member states. As a result, on March 10, 2016, the CNIL imposed a EUR100,000 penalty on Google Inc. Google subsequently requested that the Council of State, France, annul the March 10, 2016 adjudication on the grounds that the right to be forgotten does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.

 

On Tuesday the court ruled in favor of Google Inc, concluding that:

Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Thus, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, through a version of that search engine outside the EU, to the links which are the subject of the request for de-referencing.

GDPR’s Right to Be Forgotten

An individual’s right to request to have personal data erased falls under Article 17 of the GDPR. This is known as their right to erasure or the right to be forgotten. This right is, however, not absolute and only applies in certain circumstances.

According to the ICO, an individual has the right to have their personal data erased if:

“the personal data is no longer necessary for the purpose which you originally collected or processed it for;
you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
you are processing the personal data for direct marketing purposes and the individual objects to that processing;
you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
you have to do it to comply with a legal obligation; or
you have processed the personal data to offer information society services to a child.”

Dr Bostjan Makarovic, Aphaia managing partner, further explains: “Like other GDPR rights, one could not expect the right to be forgotten to apply globally, without limitations. The latest ECJ Google right to be forgotten ruling further clarifies the limits of the GDPR’s extraterritorial effects.”

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.