Category Archives for "Other"

Swedish DPA digs into Spotify’s responses to SARs

The Swedish data protection authority – Datainspektionen – has initiated a review of Spotify Technology S.A.’s responses to data subject access requests (SARs).

The investigation was initiated following a number of complaints regarding how Spotify manages data subject access requests (SARs). Article 15 of the General Data Protection Regulation (GDPR) gives individuals the right to access the data any company holds about them.

The Swedish DPA noted that the information Spotify provided to users in response to a SAR is incomplete and not sufficiently clear. Therefore, Datainspektionen asked Spotify to detail how it handles SARs, in particular, what information it provides, what information the copy of personal data includes, and how the information is presented to data subjects.

Source: Datainspektionen granskar rätten till registerutdrag

The New York Times analysed 150 Privacy Policies of popular services

The New York Times analysed 150 Privacy Policies of popular services. The average policy took 18 minutes to finish and required a college-level reading ability.

Despite efforts like the General Data Protection Regulation (GDPR) to make policies more accessible, there seems to be an intractable tradeoff between a policy’s readability and length. Even policies that are shorter and easier to read can be impenetrable, given the amount of background knowledge required to understand how things like cookies and IP addresses play a role in data collection.

As data collection practices become more sophisticated (and invasive), it’s unlikely that privacy policies will become any easier to comprehend.

Read full article: Opinion | We Read 150 Privacy Policies. They Were an Incomprehensible Disaster. – The New York Times

CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

Source: CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

Spanish DPA fines soccer league 250K euros

La Liga has been fined 250,000 euros by the Spanish Data Protection Agency (AEPD) for violating the European General Data Protection Regulation (GDPR).

La Liga was using its mobile app to detect bars that screen football matches without paying, by activating the microphone of any user’s mobile so that it could detect the sounds that bars emit if a private signal is used. The AEPD found that the information presented to users was opaque.

Source: Spanish DPA fines soccer league 250K euros

Facebook launches app that will pay users for their data

A new Facebook app will allow users to sell the company data on how they use competitors’ apps.

Facebook announced Tuesday that it is recruiting participants to download its new app Study from the Google Play store. Once it is downloaded, it will transmit data to Facebook on what other apps the users have, what features they use, and how much time is spent on them.

The new app comes months after Apple cracked down on Facebook for similar apps that paid users for extensive data on phone usage.

Source: Facebook launches app that will pay users for their data | Technology | The Guardian

How did the UK’s Government decide that the immigration exemption was in “the general public interest”?

The immigration exemption in Schedule 2 (paragraph 4) of the Data Protection Act 2018 (DPA2018) has always been controversial; it is subject to a judicial review by the High Court, in London, on July 23 & 24.

The controversy arises because an exemption that was not needed by the immigration authorities under the DPA1984, nor under the DPA1998, has nothing to do with crime, tax, any compulsory court order, any mandatory disclosure requirement or national security issue.

Full article: Judicial review: how did the Government decide that the immigration exemption was in “the general public interest”?

One Year Into GDPR, Most Apps Still Harvest Data Without Permission

Unauthorized data harvesting from mobile apps has continued nearly unabated in the year since Europe’s General Data Protection Regulation came into force last May.

In a recent test conducted for AdExchanger, mobile analytics company Kochava examined the behavior of the top 2,700 apps in the Google Play store in the United States compared with France, where GDPR applies.

Source: One Year Into GDPR, Most Apps Still Harvest Data Without Permission | AdExchanger

Google faces privacy complaints in European countries

Google’s privacy woes are set to increase after campaigners on Tuesday filed complaints to data protection regulators in France, Germany and seven other EU countries over the way it deals with data in online advertising.

At issue is real-time bidding, a server-to-server buying process which uses automated software to match millions of ad requests each second from online publishers with real-time bids from advertisers.

Source: Google faces privacy complaints in European countries – Reuters

EDPS flags data protection issues on EU institutions’ websites

An inspection carried out by the European Data Protection Supervisor (EDPS) on the websites of major EU institutions and bodies revealed data protection and data security issues in seven out of the ten websites inspected.

The inspection revealed that several of the websites were not compliant with the Regulation or with the ePrivacy Directive and did not follow the EDPS Guidelines on web services. One of the issues encountered was third-party tracking without prior consent. This is especially problematic in cases where the third-party concerned operates under a business model based on the profiling and subsequent behavioural targeting of website visitors. Other issues encountered included the use of trackers for web analytics without visitors’ prior consent and the submission of personal data collected through web forms using non-encrypted connections.

Each of the institutions concerned has received recommendations from the EDPS on how to ensure their websites are fully compliant with data protection rules and the relevant institutions have reacted swiftly to start rectifying the problems identified.

Source: EDPS press release

Belgian Data Protection Authority issues its first fine

On Tuesday 28 May 2019, the Belgian Data Protection Authority (DPA) imposed its first financial penalty since the entry into application of the GDPR.

The administrative fine amounts to EUR 2 000 and concerns the misuse of personal data for election purposes. Although the fine is modest, the message is not: Data protection is an important matter to us all, but data controllers must assume their responsibility, especially if they have a government mandate.

Read more: Belgium: Belgian Data Protection Authority issues its first fine