Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of April
In April, the tech giant Facebook ran into legal trouble in the form of a mass action lawsuit over a personal data leak that was discovered in 2019, which the company downplayed as a sector-specific issue. Meanwhile, the EU Digital Green Certificate, or COVID-19 passport, project received a dose of data protection related criticism, and the Italian data protection authority issued one of its heaviest fines for outright non-compliance with GDPR duties.
Facebook is up against a mass action lawsuit and a regulatory probe
Facebook is facing a mass action lawsuit over the leak that occurred in 2019, when the records of 530 million Facebook users from 106 countries, including over 32 million records on users in the US and 11 million on users in the UK, were allegedly scraped from the social network platform by hackers. In early April, this information, which contained phone numbers, birth dates, email addresses, Facebook IDs, employers and relationship status, was made available for free on a hacker website. The publication of personal data on the hacker website forced Facebook to address the issue and provide an explanation.
On April 16, it was announced that Digital Rights Ireland would be commencing a mass action lawsuit against the tech giant, and it called on individuals in the European Union and the European Economic Area to join the lawsuit and claim compensation if their data had been breached. The organisation invited these individuals to check whether their personal data had been affected by entering their email address or mobile number on the web page https://haveibeenpwned.com/, which is specifically designed to report the data breaches in which a person's mobile number or email address has been involved.
Digital Rights Ireland also stated that it is not only the compensation which makes this mass action worth joining; it is equally important to make it clear that large data controllers must abide by the rules and failing to do so will bring consequences.
In the meantime, Facebook commented on the issue by stating that the data was leaked not through hacking but through 'scraping', a tactic that uses automated software to collect data publicly available online. It promised that it continues to strengthen its systems to make future scraping without permission more controlled and restricted. It referred to the scraping cases of LinkedIn and Clubhouse to argue that it is impossible for companies to avoid such scraping incidents. Although Facebook strives to downplay the situation by making the issue appear widespread, the circumstances of these cases are different. In the case of LinkedIn and Clubhouse, the information that was scraped was already available to anyone, including those who were not a contact of the person. Facebook's data, however, included email addresses and phone numbers that are supposed to be visible only to those the user is connected to.
Furthermore, an internal communication email dated 8 April 2021, which came into the hands of Belgium's Data News, reveals that Facebook wishes to normalise this issue as a sector-specific problem that will continue to persist in the future.
Facebook commented that the scraped data was old (from 2019) and refused to take the blame for the incident, insisting that the data comes from publicly available information. However, the argument does not hold much water, as the information involved either does not change (such as birth date) or rarely changes (such as email addresses and phone numbers).
Apart from the mass action lawsuit, the Irish Data Commissioner has commenced a probe into the issue, after initial hesitation on the grounds that the leak occurred before the GDPR was applicable, which would complicate the investigation. After making inquiries of Facebook, the Commissioner concluded that the company might have infringed, and may continue to infringe, the GDPR and the Data Protection Act 2018, and that the investigation is therefore appropriate.
Vaccination certificates proposal receives criticism
On 17 March 2021, the European Commission presented a proposal for a Regulation on a Digital Green Certificate, which would be valid in all European Union member states. The certificate is to certify that the person has either received a duly authorised vaccine, recovered from COVID-19 or been tested. The certificate is to allow the holder, including third-country nationals in possession of the certificate who are staying or residing in a member state, to travel across the European Union without the respective restrictions. The European Commission is also working with the World Health Organisation with the aim of achieving recognition of the certificate in countries outside the European Union.
As officially envisaged, the Digital Green Certificate would hold only key information, including name, surname, date of birth, date of issuance, relevant information about the vaccine/test/recovery and a unique identifier. The information may not be retained by visited countries; only the validity and authenticity of the certificate is to be checked, by verifying the issuer, while the health data remains with the issuing member state.
The certificate project is seen as desirable and a great step towards normality. Notwithstanding this, a coalition of 28 advocacy and civil liberties groups, including European Digital Rights (EDRi) and the Civil Liberties Union for Europe, has voiced its concerns over the move, its compatibility with the Charter of Fundamental Rights of the European Union and the seeming lack of guarantees built into the regulation that the certificates will be used only in line with scientific guidance.
While some of the concerns relate to discrimination in terms of freedom of movement, between vaccinated and unvaccinated individuals, and against those whose residence status is not established, such as immigrants, a large part of the argument relates to data protection. The coalition stated that it is alarmed that the verification of the authenticity and validity of certificates contains no safeguards against surveillance by the issuing authority. In its opinion, information on verification instances and details of the verification process should not be available to the issuer, so as to avoid surveillance of movement. Concern was also expressed about the extension of data processing to other purposes, as many countries have already announced plans to use the certificates for regulating entry to different places, such as business premises, sports and worship establishments and gatherings. This would enable the issuer to monitor not only movement but also religious affiliation and other aspects of private life. The coalition therefore called for appropriate amendments to the respective regulation, including provisions ensuring that further processing is prohibited or strictly regulated, so as to avoid setting a low privacy standard for the rest of the world.
The concerns relating to purpose limitation were seconded by the Italian data protection authority, Garante, which also pointed out that the system may eventually contain inaccurate, obsolete or irrelevant data. For example, in its opinion the date of a person's onset of illness need not be included in the certificate, as the certificate's expiration date may be adequate to achieve the respective purpose (the period during which a person is considered safe for travel).
Italian Data Protection Authority imposes its fifth largest fine of €4.5 million
On April 2, the Italian data protection authority Garante issued its fifth largest fine to the internet service provider Fastweb S.p.a. after receiving hundreds of complaints from individuals.
The case concerns the company's large-scale aggressive telemarketing practice, which resulted in individuals receiving unsolicited promotional calls without having given consent to such communication. The affected individuals received calls from unregistered phone numbers, which were either targeted at them or, in many cases, meant for other persons.
Garante found that Fastweb was contracting unprofessional call centres that failed to abide by the marketing rules. Among the issues found was that these call centres used fictitious numbers and numbers not registered with the Register of Communication Operators when calling users, and had not cross-checked the contact lists they used against exclusion lists. In addition, the contractors had sought to gather numbers from WhatsApp contact lists in order to carry out the unsolicited calls. No regard was thus given to the lack of a legal basis for such calls.
In addition to the fine itself, Garante imposed restrictions on Fastweb, among which is a prohibition on using data lists collected by third-party partners where no proof of consent can be presented.