The Week In Perspective – Amazon appeals its record GDPR fine
What happened
- In July this year, Amazon was fined a record $865 million (or €746 million) for noncompliance of the GDPR, particularly in relation to the way the business collects personal data.
- The appeal was filed at the Luxembourg Administrative Tribunal a couple of weeks ago.
- Amazon continues to receive a significant amount of scrutiny over its business practices in Europe, with probes also being carried out in Germany and the UK.
Why it matters
- Whilst the full details of the fine have not been disclosed, it is believed that it relates to how the company processes personal data to show customers relevant advertising.
- In most cases, presenting website visitors with personalised adverts requires the use of cookies and other similar technologies.
- Data protection law states that placing a cookie or other similar technology on a user’s device/browser requires freely given and unambiguous consent.
Twitter fined of €450,000 confirmed for data breach by the Dublin Circuit Court
What happened
- The Irish Data Protection Commission has had its decision to impose an administrative fine on Twitter confirmed by the Dublin Circuit Court.
- Twitter was fined €450,000 for failing to notify the Data Protection Commission of a personal data breach within 72 hours of becoming of aware of it and for failing to adequately document the breach.
- The breach related to a bug whereby if a Twitter user with a protected account for Android changed their email address, their account would become unprotected.
Why it matters
- When a business becomes aware of a personal data breach that results in a high risk to the rights and freedoms of data subjects, it must report it to the relevant data protection authority within 72 hours.
- This is a requirement of Article 33 of the GDPR.
- A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Organisations are advised to have robust incident reporting and assessment processes in place to ensure that all breaches are reported early and that senior stakeholders are informed in a timely manner.
Online dating platform fails to obtain valid consent
What happened
- The Danish data protection regulator found that an online dating service had not obtained valid consent for its processing of personal data.
- New users of Dating.dk had to agree to its terms and conditions and Privacy Policy rather than consent to their personal data being processed.
- It was also found that the company had not implemented appropriate security measures and performed a complete risk assessment of the processing activities.
- The Danish data protection regulator has ordered the company to bring its processing operations in line with the GDPR.
Why it matters
- Dating services usually require the user to input details about their sexual orientation.
- This is defined as ‘special categories’ of personal data under the GDPR and requires additional considerations when using this information.
- In most cases, explicit and unambiguous consent is required to process this personal data. Relying on the user to agree to the service’s terms and conditions and Privacy Policy would be insufficient.
- A Data Protection Impact Assessment (templates found widely online) should also be completed to assess and mitigate the risks associated with processing special categories of personal data on a large scale.
UK’s ICO fines HIV Scotland
One more thing…
The UK’s data protection regulator has fined HIV Scotland £10,000 after the charity sent out an email that indirectly revealed the HIV status of dozens of people. The ICO’s investigation also found that staff had inadequate training and insufficient data protection policies. You can find the ICO’s full enforcement notice here.