Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of February
February, a month like any other, continued to provide insights from the data protection world, while Facebook continued accumulating legal issues in Europe, with a notable antitrust penalty and a fresh class action lawsuit. Meanwhile, Portugal offers hope of reaching an end to the protracted e-Privacy Regulation disagreements, and a Dutch hospital receives a fine for not keeping its health data safe from unauthorised access.
Facebook hit with 7 million Euro fine by the Italian Antitrust Authority
The Italian Antitrust Authority has reacted to the failure of Facebook Ireland Ltd and its parent company Facebook Inc. to comply with the Authority's order to remove information that gives a misleading understanding of Facebook's use of user data, and to publish a statement clarifying the matter on the homepage available in Italy, in the app and on each user's page. Consequently, the two companies were fined a total of 7 million Euros.
At the core of the matter is Facebook's practice of inviting individuals to join the platform on the basis of inadequate information about the collection and use of their data, and of presenting the service as gratuitous even though users, while not paying for it directly, pay by providing their data, which is the backbone of the tech giant's business and generates its revenue. Instead of providing information on the remunerative nature of the service, Facebook insisted that the service was free of charge.
The authority found that the claim that the service is free had, in fact, been removed. However, the information Facebook did provide was incomplete and failed to distinguish between the use of data required to personalise the service and its use for targeted marketing.
Originally, in 2018, the authority had fined Facebook 10 million euros for providing misleading information to its users about data collection and sharing. Even though the tech giant managed to halve the fine to 5 million euros, the authority's position was upheld in court. Notwithstanding the court siding with the authority, Facebook did not follow the order to correct the situation.
Facebook's second class action lawsuit in Britain
Facebook continues to be under fire as another class action lawsuit has been initiated in the London High Court over the failure to protect the personal data of approximately a million people in England and Wales. The lawsuit was initiated by a journalist who claims Facebook failed to prevent his data from being compromised.
The claim arose in connection with the 2018 scandal over the harvesting of data en masse, without users' consent, from 2013 to 2015 through a third-party application carrying the inappropriately amusing name "This Is Your Digital Life". The app transferred the data of its users, and of those users' Facebook "friends", to Cambridge Analytica, a UK-based political consultancy used by presidential candidate Donald Trump in the 2016 U.S. election campaign. However, according to Facebook's spokesperson, the UK Information Commissioner's Office's investigations never produced evidence of any UK or EU user's data being transferred by this app's developer to Cambridge Analytica.
In response, the journalist stated that it is not about where the data went, but rather about Facebook not showing care and not looking after it.
The first class action lawsuit in Britain was initiated in October on the basis of similar claims concerning third-party apps harvesting the data of "friends" without their permission or knowledge.
Is Portugal to be the final step in the story of the controversial e-Privacy Regulation?
The latest news about the EU's problem child, the e-Privacy reform, hints that the seemingly never-ending process is nearing its final chapter in Portugal, which would be the ninth EU presidency to have worked on the Regulation, following Malta, Estonia, Bulgaria, Finland, Romania, Austria, Croatia and Germany.
The e-Privacy Regulation is intended to harmonise legislation on the protection of data in the electronic environment across all member states and to replace the e-Privacy Directive that came into force in 2002. The Regulation has been a rather controversial endeavour for the European Union since it was first conceived in 2017. Many disagreements between member states on a common approach to the text of the Regulation resulted in an unexpectedly long legislative process, even though the e-Privacy reform was initially accepted swiftly in the respective parliamentary committee.
A significant part of the issue was the diametrically opposed views on privacy of France, which pressed for the legality of mass surveillance, and Germany, which strove to use the e-Privacy Regulation to enable more stringent privacy rules. The latest version of the text suggests that France has achieved its aim, as the text includes provisions that allow public authorities more discretion to retain and use data.
Nonetheless, compromises were made, including with regard to exceptions to cookie practices, to strike a balance between the protection of private life and the promotion of innovation. The agreement was not without criticism, as both certain MEPs and privacy activists expressed dissatisfaction with it allowing "mass surveillance" in accordance with national data retention laws and not following the principles set out in the GDPR, in particular the removal of privacy by design and by default from the original text.
Now that the final compromise has been reached among all the states, the final text shall be discussed further in the Council and Parliament. The Regulation shall enter into force 20 days after its publication and will become applicable one year later.
Dutch hospital receives the highest fine of the month for lack of sufficient security measures
The Dutch data protection authority, Autoriteit Persoonsgegevens, issued a fine to the Amsterdam hospital OLVG, as it was found that the hospital had not implemented sufficient measures to prevent unauthorised access to medical records. The authority had received a number of complaints. After investigating OLVG's information systems, in particular verification and authentication upon logging into the information system, it found that access to the medical records was not appropriately secured.
The authority noted as the first of two failures that no two-factor authentication was in place to prevent employees from accessing medical records not necessary for their work. Two-factor authentication was required only where a user logged in from outside the hospital's network; when a user logged in from within, only a username and password were required to access the medical records.
The second breach identified was the lack of monitoring of the audit trail, i.e. the hospital did not review the records of access to medical records often enough. While the records were available and monitoring was envisaged in its internal policies, the failure to monitor regularly prevented the hospital from screening out unauthorised access.
During the investigation OLVG rectified the situation by implementing the required measures; however, considering the sensitivity of health data, as well as other relevant aspects of the case, it did not escape the fine.
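As an added example, not taken from the original article and not the hospital's own code, the following Python script shows the kind of routine audit-trail review and authentication-policy check that the two findings above describe as missing. It parses constructed access-log lines, flags logins that reached the record system without a second factor (comparing the "MFA only from outside the network" policy the authority criticised with a corrected "MFA everywhere" policy), and flags record accesses by staff who have no registered care relationship to the patient. The log format, user names, patient identifiers and care-team table are all constructed assumptions for the example.

```python
"""Audit-trail review for a hospital record system (constructed example).

Two checks mirroring the two findings against the hospital:
  1. interactive logins without a second factor, including from the internal network;
  2. record accesses by staff with no registered care relationship to the patient.
Every log line, user name and patient id below is constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed audit-trail lines in an assumed pipe-separated format:
# timestamp|user|event|network|mfa|patient
SAMPLE_AUDIT_LOG = """\
2021-02-03T08:01:10|nurse.a|login|internal|no|-
2021-02-03T08:02:45|nurse.a|record_access|internal|no|P-1001
2021-02-03T08:05:12|nurse.a|record_access|internal|no|P-2002
2021-02-03T09:15:00|dr.b|login|external|yes|-
2021-02-03T09:16:30|dr.b|record_access|external|yes|P-2002
2021-02-03T12:40:05|admin.c|login|internal|no|-
2021-02-03T12:41:00|admin.c|record_access|internal|no|P-1001
2021-02-03T13:00:00|dr.b|record_access|external|yes|P-3003
"""

# Constructed care-relationship table: which staff are assigned to which patients.
CARE_TEAM: Dict[str, Set[str]] = {
    "nurse.a": {"P-1001"},
    "dr.b": {"P-2002", "P-3003"},
    "admin.c": set(),  # administrative role, no treatment relationship at all
}


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    event: str      # "login" or "record_access"
    network: str    # "internal" or "external"
    mfa: bool       # whether a second factor was presented
    patient: str    # patient id, or "-" for login events


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Parse the assumed pipe-separated format into AuditEvent objects."""
    events: List[AuditEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, network, mfa, patient = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, event,
                                 network, mfa == "yes", patient))
    return events


def mfa_required(network: str, internal_exempt: bool) -> bool:
    """Policy as found (internal_exempt=True): MFA only from outside the network.
    Corrected policy (internal_exempt=False): MFA regardless of where the login comes from."""
    if internal_exempt and network == "internal":
        return False
    return True


def logins_missing_mfa(events: List[AuditEvent], internal_exempt: bool = False) -> List[str]:
    """Logins that lacked a second factor although the chosen policy required one."""
    flagged = []
    for e in events:
        if e.event == "login" and mfa_required(e.network, internal_exempt) and not e.mfa:
            flagged.append(f"{e.ts.isoformat()} {e.user} login from {e.network} without MFA")
    return flagged


def accesses_without_care_relationship(events: List[AuditEvent],
                                       care_team: Dict[str, Set[str]]) -> List[str]:
    """Record accesses by a user who is not assigned to that patient."""
    flagged = []
    for e in events:
        if e.event != "record_access":
            continue
        if e.patient not in care_team.get(e.user, set()):
            flagged.append(f"{e.ts.isoformat()} {e.user} opened {e.patient} "
                           f"with no care relationship")
    return flagged


def review(text: str, care_team: Dict[str, Set[str]],
           internal_exempt: bool = False) -> Dict[str, List[str]]:
    """Run both checks over one audit-trail extract; meant to be scheduled regularly."""
    events = parse_audit_log(text)
    return {
        "mfa": logins_missing_mfa(events, internal_exempt),
        "access": accesses_without_care_relationship(events, care_team),
    }


if __name__ == "__main__":
    for policy, exempt in (("as found", True), ("corrected", False)):
        result = review(SAMPLE_AUDIT_LOG, CARE_TEAM, internal_exempt=exempt)
        print(f"--- MFA policy: {policy} ---")
        for line in result["mfa"] + result["access"]:
            print(line)
```

Under the policy as found, the two internal password-only logins raise nothing, which is precisely why the weak policy hid them; under the corrected policy both are flagged. The care-relationship check is independent of the login policy and catches the nurse opening a patient outside her assignment and the administrative account opening any record at all, which is the kind of finding a regularly scheduled review would have surfaced.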