Last week in Privacy (Week 42)

Belgian DPA finds serious infringements in IAB’s consent model


The Irish Council for Civil Liberties (“ICCL”) published an article according to which the Belgian supervisory authority, Autorité de protection des données Gegevensbeschermingsautoriteit (“APD-GBA”) has concluded its investigation into the IAB’s Transparency & Consent Framework (“TCF”), the flagship framework for gathering consent introduced by Interactive Advertising Bureau (“IAB”) and widely used by organisations including Google.


APD-GBA’s investigation follows series of complaints against the use of personal data in the real-time bidding (“RTB”) which broadcasts the private things that people do and watch online to tracking companies.


Dr. Johnny Ryan, a senior Fellow at the ICCL and one of the originators of the RTB campaign, calls the RTB as the biggest data breach in history. Earlier we wrote how the ICCL had submitted new evidence to Irish Data Protection Commission (“DPC”) detailing how Google shares personal data of very sensitive nature with 968 companies in connection with the RTB. The new submitted evidence demonstrates how people with AIDS, brain tumour, diabetes or people subject to abuse or incest are profiled and targeted with ads.


The initial report by the APD-GBA makes a number of findings - such as the TCF fails to comply with GDPR principles of transparency, fairness and accountability, but also the lawfulness of processing. In addition, the ADP-GBA found that the IAB has not appointed a Data Protection Officer nor does it maintain records of processing activities under the Article 30 of the GDPR. The report says that “the Inspection Service believes that IAB Europe is trying to avoid its liability to the GDPR, constituting an aggravating circumstance”.


The findings are now submitted to to the APD-GBA’s Litigation Chamber, and action will be taken in early 2021.


See the ICCL’s original article here.
Watch Johnny Ryan’s 4-minute video about RTB here.


ICO issues the final fine of 20 million pounds against the British Airways for a data breach


On July 8th 2019, the UK’s Information Commissioner’s Office (“ICO”) published a statement that the ICO intends to fine British Airways (“BA”) for infringements of the General Data Protection Regulation (“GDPR”). The proposed fine of 184 million pounds related to a cyber attack notified to ICO in 2018 where end user traffic on BA's website were diverted to a fraudulent website. Through this fraudulent website, end users’ personal data such as credit card numbers were collected by a malicious third party. The original proposal to fine BA £184 million was 1.5% of BA’s revenue in 2018.


The cyber attack involved series of stages which disclosed the inadequacies in BA’s security measures. On June 22 2018, the attacker gained access to BA’s IT-systems by obtaining the login credentials of an employee of BA’s subcontractor. Via this initial access, the attacker managed to gain access to parts of BA’s network that BA did not intend to be accessed by this subcontractor. Finally, the attacker obtained access to a file containing the username and password of a privileged domain administrator account which were stored in plain text, in a folder on a server. The attacker was able to access log files that contained payment card details for BA redemption transactions. The logging and storing of these details was designed to be a testing feature intended to operate when the systems were not live, but left activated as a result of human error. This error meant that the system had been unnecessarily logging payment card details since 2015.


The attacker is believed to have accessed the personal data of approximately 430 000 individuals, including names, addresses, credit card numbers and the CCV codes of 244 000 data subjects.


According to the ICO, the BA could have used numerous measures to prevent the risk of the attack. This preventative measures could have included limiting access to applications, data and tools to only that which are required to fulfil a user’s role, undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems and protecting employee and third party accounts with multi-factor authentication. Therefore the ICO found that BA failed to process personal data in a manner that ensured appropriate security of the data as required by Article 5(1)(f) and Article 32 of the GDPR.


See the British Airways penalty notice here


Norwegian DPA issues a fine of 276 000€ against the Bergen Municipality


The Norwegian Data Protection Authority (“Datatilsynet”) has given the Bergen municipality a final decision on an administrative fine of 3 million NOK (around 276 000€) for not implementing appropriate technical and organisational measures to achieve an adequate level of security and thus, not having ensured the confidentiality and integrity of personal data.


In October 2019, the Datatilsynet was notified of a personal data breach by Bergen municipality regarding their new tool Vigilo for communications between schools and home. In their press release, the Datatilsynet says that personal data had been available to unauthorised persons.


Read the Datatilsynet’s press release here.


Home webcams hacked and stolen footage sold on pornographic websites


Home webcams in Singapore, Thailand, South Korea and Canada have been hacked and the footage is sold online. The footage appears to be mainly from Internet Protocol (IP) cameras common in homes used to security purposes or to remotely monitor children, elderly and pets.


A group dedicated to hacking IP cameras is said being behind the attack and claimed to have shared more than 3TB of the stolen video footage.


Read more here.


The French Conceil d’Etat rejects the request to suspend the French Health Data Hub


In our last week’s blog post, we wrote about the French supervisory authority’s (“CNIL”) submission to French court according to which Microsoft should not be used to host the health data of French citizens in the French national health data hub due the fact that Microsoft cannot guarantee adequate level of data protection.


Earlier, several associations, unions and individual applicants have asked the Council of State for an interim relief, to rule in urgency, to suspend the processing of data related to the covid-19 epidemic on the French Health Data Platform because of the risks of possible personal data transfers of data to the United States. In its submission to the Council of State, the CNIL found it difficult to conclude with certainty that personal data would not be transferred to the United States as Microsoft is legally obliged to provide the US intelligence authorities with the data under the Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and the Executive Order 12333.


In its decision on October 13 2020, the Council of State recognizes the existence of a risk of transfer of data from the Health Data Hub to the United States but rejects the original application allowing the hub to remain in the hands of Microsoft. The Council of State requests Microsoft to provide additional guarantees to prohibit any transfers to the United States and to work under the supervision of the CNIL.


According to the decision, the risk of potential transfers to the US does not justify the immediate suspension of the Health Data Hub as the hub is important in managing the current health data crisis.


See the press release of the Conceil d’Etat here.


The Dutch DPA conducts a research into the data processing agreements of 31 organisations in the private sector


The Dutch data protection supervisory authority, Autoriteit Persoonsgegevens (“AP”) has investigated the data processing agreements of 31 organisations in the private sector (from trade, healthcare, media, leisure and energy sectors). The aim of the research was to get a view on how organisations draft these agreements.


Based on the investigation, the AP provides several recommendations for organisations. The AP emphasises that periodically updated data processing agreements are part of good business operations.


Read the AP’s press release and access the report here