Privacy Alerts – Week 37


Instagram fined 405 million Euros

The Irish Data Protection Authority (DPC) has imposed a fine of 405 million Euros on Instagram for violating the GDPR, the highest penalty in DPC history. Instagram allowed children between the ages of 13 and 17 to create business accounts that by default showed their personal data. Only a year earlier, Instagram made a software change which appeared to have eliminated standard visibility of teenagers’ contact details.

As a rule, in cases where the impact of privacy infringements goes beyond one single nation, decisions on the actual fine are made on the basis of common consent. Here, in an investigation headed by the Irish DPC, the suggested penalty amount was not met with general agreement. The case was then deferred to the European Data Protection Board (EDPB).

At least six more DPC investigations of Meta companies are still outstanding.

CJEU and children’s fingerprints

In Belgium, at the end of 2019 a regulation was introduced which makes fingerprinting a mandatory part of the process of identity card or residence permit application – for children as well. In a case filed with the Belgian Council of State, this has been objected to by the Flanders Coalition of Children’s Rights and the Human Rights League, who argue that the arrangement constitutes an overly invasive infringement on the privacy of all individuals concerned, while also claiming that there are insufficient safeguards for the integrity and confidentiality of the processed fingerprint data.

The Belgian Council of State has now requested a preliminary ruling on the matter from the Court of Justice of the European Union. Recently, a German court asked the CJEU for a similar ruling on fingerprints used for e-IDs.

Iceland – One DPO, four hats

The Icelandic Data Protection Authority (‘Persónuvernd’) has recently conducted an assessment of a genetic research firm, taking a close look at the company’s Data Protection Officer (DPO) and the execution of tasks related to the function. In the end, the Persónuvernd concluded that there were no irregularities with regard to the requirement of assigning a DPO (Art. 37), the requirement of involving the DPO in relevant matters (Art. 38(1)) and the requirement of providing the DPO with appropriate means for the performance of his or her duties (Art. 38(2)).

The Persónuvernd did find, however, that the company was insufficiently meeting the obligation of safeguarding the DPO’s independence (Art. 38(3)). At the time of the investigation, the acting DPO also served as a substitute CEO, senior legal advisor and member of the board of directors. In the Persónuvernd’s view, this was a textbook case of conflicts of interest waiting to happen.

NGOs – World Bank supports privacy-destroying systems

A collective of NGOs, activists and researchers has published a letter to the World Bank calling on the institution to abort its new digital ID4D identification program. Access Now, Privacy International, researchers from NYU and others claim that ID4D facilitates “surveillance, exclusion and discrimination”.

Marianne Díaz Hernández of Access Now: “By implementing digital ID systems that are unchecked, untested, and, most importantly, at odds with human rights, this high-level institution is not only risking the privacy of millions, but setting a dangerous precedent for global decision-makers.”

ID4D, or ‘Identification for Development’, is a technology supporting systems which, in essence, combine public and private services and usually process digitised biometric data within a centralised framework, which is highly exposed to the risk of data breaches.

Oracle faces class action

In the United States, Oracle is facing a new class action lawsuit. According to the claim before the court, the company and its advertising technology and publicity subsidiaries have systematically been violating the privacy of billions of people worldwide. The information used on individual persons includes purchase details, GPS locations and even gambling histories. The three plaintiffs, Dr Johnny Ryan from the Irish Council for Civil Liberties (ICCL), Mike Katz-Lacabe from The Center for Human Rights and Privacy (CeHRP), and Dr Jennifer Golbeck from the University of Maryland (UMD), have filed the case on behalf of “global internet users victimized by Oracle’s privacy violations”.

Ryan: “We are taking this action to stop Oracle’s surveillance machine.”

Dutch DPA says government must stop automatic data transfers to church authorities

In recently published advice, Aleid Wolfsen, chairman of the Dutch Data Protection Authority (AP), has called on the government of the Netherlands to stop automatically forwarding changes in the personal data of church members to the respective community councils. In the AP’s view, this is a clear case of information transfer which requires explicit consent from existing as well as new church members.

Currently, city councils automatically share information on address changes and changes in marital status through the national foundation of church member administration (SILA), which includes seven denominations. The total number of affected data subjects is around five million.

Festival goers’ passwords and private information leaked

As a result of human error, the passwords and personal data belonging to 130,000 visitors of the Amsterdam DGTL techno festival recently became publicly available, as reported by Dutch TV channel RTL Nieuws. The leak happened when a staff member inadvertently put the entire event website code online. In total, 100,000 passwords and personal data related to 130,000 festival visitors were leaked, the festival database containing names, addresses, dates of birth, email addresses and phone numbers.

RTL Nieuws was alerted to the data breach by a lead from an anonymous Dutch hacker, who reported the incident both to the festival organisation and to the website developer. While both parties kept pointing fingers at each other, no action was taken for a period of several months.

Meanwhile, the organisation has notified the affected data subjects while also reporting the data breach to the AP.
