Meta Slapped with 390 Million Euro Fine for GDPR Violations

A long-running investigation into the practices of obtaining consent from Facebook and Instagram users to use their personal data for advertising purposes has resulted in a €390 million ($414 million) financial penalty for Meta for violations of the European Union’s General Data Protection Regulation (GDPR).

The Irish Data Protection Commission (DPC) launched an investigation into Meta and its subsidiaries following two May 25, 2018 complaints from the privacy and data rights campaigner, Max Schrems and his organization NOYB, alleging Meta had bypassed the consent requirements of the GDPR by adding a clause to the terms and conditions of Facebook and Instagram that required users of those platforms to consent to behavioral advertising and other personalized services as a condition of using the platforms. Users that did not agree to the new terms and conditions of service would be prevented from using the platforms. The change to the terms and conditions occurred at midnight on May 25, 2018 – the date and time that the GDPR took effect.

The GDPR introduced new rights for EU citizens over their personal data, which includes the requirement for consent to be obtained before personal data can be used for tracking and online advertisements. The complaints alleged that by making consent part of the terms and conditions of service, users of Facebook and Instagram were forced into allowing their personal data to be used for advertising and other personalized services. The complaints also alleged that insufficient information was provided to users on how their data would be used.

Under the one-stop-shop provision of the GDPR, a single data protection agency is responsible for investigating allegations of GDPR violations when there has been cross-border processing of personal data. Ireland led the investigation because Meta’s EU base is in Ireland. The DPC submitted a draft decision to other EU privacy watchdogs that recommended fines of €36 million for Facebook and €23 million for Instagram over the alleged privacy violations; however, 10 data protection authorities raised objections to the decision and the two cases were referred to the European Data Protection Board (EDPB). The EDPB ruled that additional findings of infringements of the GDPR must be included and that the financial penalties should be increased.  The DPC then increased the financial penalties to €210 million for Facebook and €180 million for Instagram.

Meta and its subsidiaries have now been fined more than €1.3 billion ($1.37 bn) for violations of the GDPR and a decision in a case against the Meta subsidiary WhatsApp is due later this month. “We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” said a Meta spokesperson in response to the DPC’s decision. That said, Meta has set aside €2 billion to cover financial penalties for GDPR violations that will likely need to be paid in the next 12 months.

The post Meta Slapped with 390 Million Euro Fine for GDPR Violations appeared first on HIPAA Journal.

Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data.

SOurce Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales.

The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information.

To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and analyzed their results to identify the scale of the digital supply chain, how many partners are involved on a typical website, whether the inclusion of code by those partners leaves websites exposed to cyberattacks, whether sensitive data is being exposed, and the types of attacks that could be conducted on websites that take advantage of the digital supply chain.

The findings of the analysis are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense explained that there would be little point in a threat actor compromising a script on a static webpage; however, if scripts were included on webpages that collect sensitive data, threat actors could add malicious code to steal sensitive data. The researchers found that, on average, there were 12 third-party and 3 fourth-party scripts per website on web pages that collected data, such as login pages, account registration pages, and payment collection pages.

They identified six features on websites that could be exploited by threat actors that were commonly found on websites: Code to retrieve form input (49%), button click listeners (49%), link click listeners (43%), code to modify forms (23%), form submit listeners (22%), and input change listeners (14%). Every modern, dynamic website assessed for the study was found to contain one or more of those features.

An analysis was conducted of between 40 and 50 websites in industries where there is a higher-than-average risk. The researchers found that higher-risk industries such as healthcare had more than the average number of scripts. Healthcare websites had an average of 13 third-party and 5 fourth-party scripts on sensitive pages.

There may be a legitimate reason for including these scripts on the pages but adding that code introduces risk. “For example, a script might allow form fields to be changed or added on the fly to provide website users with a more personalized experience,” explained Source Defense in the report. “However, a threat actor could exploit this capability to add additional fields asking for credentials and personal information, which would then be sent to attacker’s website.”

“This data makes it clear that managing risk inherent in third- and fourth-party scripts is both a very necessary and a very challenging task,” explained the researchers, who recommend assessing websites for third party code, educating management about the risks, implementing a website client-side security solution, categorizing and consolidating scripts, and finding ways to recuse exposure and compliance risks.

The post Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites appeared first on HIPAA Journal.

WhatsApp Slapped with €225 Million GDPR Violation Penalty

WhatsApp has been fined €225 million ($265 million) by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation’s (GDPR) requirements for transparency about the processing of the personal data of EU data subjects.

The DPC launched an inquiry into WhatsApp in December 2018 which was focused on a narrow aspect of GDPR compliance, which solely looked at compliance with the data processing transparency requirements of the GDPR.

The DPC identified several “severe” violations of the GDPR. The violations included a lack of transparency about the sharing of personal data of app users with companies owned by its parent company Facebook, a failure to provide users and non-users of its app with clear, transparent, or sufficient information about the level of data processing, a lack of sufficient granularity regarding the legal basis for some of the data processing activities, and WhatsApp’s statement about the transfer of data to non-EEA jurisdictions was deemed to be adequate. The DPC determined WhatsApp had failed to meet the transparency requirements of Articles 12-14 of the GDPR and issued a draft decision in December 2020 suggesting a financial penalty of between €30-€50 million to resolve the case.

The Irish DPC is the lead supervisory authority in the EU as WhatsApp and its parent company Facebook have their European base in Dublin, Ireland; however, since the data processing activities of WhatsApp spans several countries, the draft decision of the DPC was reviewed by other supervisory authorities in the EU. 8 of those supervisory authorities objected to the DPC’s draft decision and called for a far greater financial penalty to be imposed.

The objections were referred to the European Data Protection Board (EDPB) as the Irish DPC was unable to reach an agreement with the objecting supervisory authorities. According to the EDPB, “This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”

The EDPB determined that the turnover of Facebook should have been taken into consideration when determining an appropriate GDPR fine since the DPC had presented both Facebook and WhatsApp as a single undertaking in the draft decision. The total turnover of both the parent company and the subsidiary therefore needed to be considered. The failure to ensure transparency was determined to be in violation of Article 5(1)(a) of the GDPR due to the “gravity and the overarching nature and impact of the infringements.”

Following the ruling of the EDPB, the DPC increased the financial penalty fourfold. In addition to the financial penalty, WhatsApp has been ordered to bring its data processing in line with the GDPR.

WhatsApp has issued a statement announcing its intention to appeal the fine. The appeals process is likely to take some time, so it may well be years before the fine is actually paid.

The financial penalty is the highest ever imposed by the Irish DPC to resolve GDPR violations. Should the penalty stand, it will be the second largest fine to resolve GDPR violations to date, behind the €746 million financial penalty imposed on Amazon by the Luxembourg supervisory authority in July. That penalty is also being appealed.

The post WhatsApp Slapped with €225 Million GDPR Violation Penalty appeared first on HIPAA Journal.

Record GDPR Fine of $886 Million Imposed on Amazon

The Luxembourg Data Protection Authority – Commission Nationale pour la Protection des Données (CNPD) – has slapped with a €746 million ($886 million) financial penalty to resolve alleged violations of the EU General Data Protection Regulation (GDPR).

The GDPR, which took effect on May 25, 2018, gave EU citizens new rights over their personal data and placed restrictions on uses and disclosures of personal data by individuals and companies doing business with EU citizens.

In 2018, the French privacy advocacy group La Quadrature du Net filed a complaint with CNPD over Amazon’s alleged violations of the GDPR. CNPD has jurisdiction as Amazon has its European headquarters in Luxembourg. The financial penalty will close that complaint, although Amazon is planning to appeal the fine and that process is likely to take several months or years.

The complaint related to how Amazon obtains consent from consumers to use their personal data for delivering targeted advertisements.  CNPD has not publicly disclosed the exact nature of the alleged violations and issued a statement saying it is against Luxembourg law to comment on individual legal cases.

The fine was imposed on Amazon on July 16, 2021 and was disclosed by the retail giant in its July 30 Q2 Securities and Exchange Commission (SEC) filing. Amazon said the fine is “without merit” and that it will be rigorously defending itself in this matter. “We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” said in a statement.

The GDPR violation penalty is substantial, but it could have been far higher. The maximum penalty for a violation of the GDPR is €20 million, or 4% of global annual revenue for the previous year, whichever is higher. In 2020, Amazon generated $386 billion in revenue globally, so the maximum financial penalty would have been $15.4 billion.

While massive financial penalties are possible for egregious violations of the GDPR, in the three years that compliance with the GDPR has been enforceable there have been few large fines. The previous record, set in 2020, was the €50 million ($59.4 million) fine for Google that was imposed by the French Data Protection Authority, followed by the €35 million ($41.6 million) fine for the clothing retailer H&M (Germany), and the €27.8 million ($33 million) fine for Telecom Italia (Italy).

The post Record GDPR Fine of $886 Million Imposed on Amazon appeared first on HIPAA Journal.

Twitter Hit with $544,000 Penalty for Violating GDPR Data Breach Provisions

Twitter has been hit with a €450,000 ($544,600) financial penalty for violations of the data breach provisions of the EU’s General Data Protection Regulation (GDPR). The fine was issued by the Data Protection Commission (DPC) in Ireland over a privacy breach reported to the DPC by Twitter in January 2019.

The DPC received a breach notification from Twitter International Company on January 8, 2019 and an investigation was commenced on January 22, 2019 to determine whether Twitter was in compliance with its responsibilities under the GDPR.

Twitter had received a notification from a researcher on December 26, 2018 advising the company about the flaw. Twitter users have the option of having their Tweets protected or unprotected. If Tweets are protected, only a specific set of individuals are able to view those Tweets – the individual’s followers. Unprotected tweets are in the public domain and can be viewed by anyone.

The bug changed protected Tweets to unprotected Tweets without the user’s knowledge if the user changed the email address associated with their account on an Android device. Twitter determined the bug was introduced on November 4, 2014 but was unable to determine which users were affected prior to September 5, 2017. The issue was corrected on January 11, 2019. Between September 5, 2017 and January 11, 2019, 88,726 EU and EEA users had been affected.

Article 33(1) of the GDPR requires companies to notify the appropriate Data Protection Authority within 72 hours of the discovery of a data breach. The Irish DPC found Twitter to have violated this GDPR provision. Article 33(5) of the GDPR requires companies to promptly document a breach and detail the data involved and the measures that have been taken to address the breach to allow the data protection controller to assess compliance. The DPC found Twitter had failed to adequately document its breach.

A financial penalty was deemed appropriate and was issued as “an effective, proportionate, and dissuasive measure,” according to a statement issued by the DPC.

Twitter worked closely with the DPC and fully assisted in the investigation and accepted there had been a failure in its incident response process. This was “An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period,” said Damien Kieran, Twitter’s chief privacy officer and global data protection officer in a statement. “We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.”

This is the first cross-border penalty to be issued by the Irish GDPR watchdog and, while sizeable, is a tiny fraction of the penalty that could have been issued. The maximum penalty for a GDPR violation is €20 million ($24.2 million) or 4% of global annual turnover, whichever is greater.

The maximum financial penalty would have been €138 million ($168 million). The fine therefore equates to around 0.1% of global annual turnover for 2019, or around 1.5 hours of revenue for Twitter.

The post Twitter Hit with $544,000 Penalty for Violating GDPR Data Breach Provisions appeared first on HIPAA Journal.

ICO Fines Marriott International £18.4 Million for GDPR Violation

The Information Commissioner’s Office (ICO), the data protection authority in the United Kingdom, has imposed a £18.4 million ($23.8 million) financial penalty on Marriott International for violations of the EU’s General Data Protection Regulation (GDPR).

The ICO investigated Marriott over its massive data breach that affected 339 million customers, 30.1 million of whom reside in the EU including 7 million in the UK. The ICO investigators identified multiple security failures and determined Marriott had failed to implement appropriate technical and organizational measures to protect the personal data of EU citizens being processed on its systems, in violation of the GDPR.

The data breach in question affected Starwood Hotels and Resorts Worldwide, which Marriott acquired in 2016. In July 2014, hackers attacked Starwood and installed a web shell on one of its websites which allowed them to access a server and install a remote access Trojan, which gave the attackers persistent access. The attackers were able to explore the network and used Mimikatz tool to steal passwords, then installed malware that allowed them to steal payment card data and personal information. The attackers had full access to the initial compromised device and other devices on the network which the compromised account had access to. The breach was discovered four years later.

The types of data stolen by the attackers varied from individual to individual and may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers.

The financial penalty could have been considerably higher. Under the GDPR, companies found to have violated GDPR provisions can be fined up to €20 million (£18,077,500 / $23,582,460) or 4% of global annual turnover, whichever is greater. In 2019, the ICO announced its intention to fine Marriott £99.2 million ($128.2 million) for the data breach but after considering Marriott’s representations, the speed and thoroughness of its breach response, and the impact COVID-19 has had on the hotel group, the decision was taken to reduce the financial penalty.

The ICO notes that when the breach was discovered, Marriott acted quickly and reported the breach to the appropriate data protection authorities and promptly notified affected customers. Since the breach, Marriott has implemented a range of new measures to improve system security and rapidly detect breaches should they occur. Marriott has issued a statement confirming it will appeal the financial penalty.

The post ICO Fines Marriott International £18.4 Million for GDPR Violation appeared first on HIPAA Journal.

Google Slapped with $8 Million GDPR Penalty

Google has been slapped with a 75 million kroner ($7.8 million) GDPR fine by the Swedish Data Protection Authority (DPA) over the failure to comply with ‘right-to-be-forgotten’ requests from EU citizens to have webpages removed from its search engine listings.

The right to be forgotten in the EU predates GDPR. It was first introduced in EU legislation in 2014 following a ruling by the Court of Justice of the European in the case, Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. The law requires search engines to remove links to freely accessible webpages that appear in search results generated from a search of an individual’s name, if that individual requests the listing is removed and if certain conditions are satisfied.

GDPR strengthened the right to be forgotten. If a request is received from an EU citizen who wishes to exercise the right to be forgotten, provided the request does not collide with the right of freedom of expression and information, “personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing.”

Google has received millions of requests from EU citizens to have content delisted and approximately 45% of those requests have been fulfilled.

The Swedish DPA conducted an audit of Google in 2017 to assess how Google was handling requests to delist webpages indexed by its search engine and Google was ordered to delist several webpages.

In 2018, the Swedish DPA followed up on the audit and discovered Google had not delisted all the search results detailed in the order. The GDPR fine relates to two of the listings Google was ordered to remove. In one case, Google’s interpretation of the web addresses that needed to be removed was determined to be too narrow. In the second case, Google failed to delist the search result listing without undue delay.

The Swedish DPA also found that when Google delists webpages notifications are sent to website owners alerting them about the removal of the content from its listings and information is provided about who made the request. These notifications ensure website owners are made aware of the delisting, but by doing so the website owners can simply republish the delisted content on a different URL.

The Swedish DPA said that this approach undermines the effectiveness of the right to be forgotten, stating “Google does not have a legal basis for informing site owners when search result listings are removed, and furthermore gives individuals misleading information by the statement in the request form.”

“We disagree with this decision on principle and plan to appeal,” said a spokesperson for Google in a statement about the financial penalty. Under EU law, the appeal must be launched within 3 weeks.

The post Google Slapped with $8 Million GDPR Penalty appeared first on HIPAA Journal.

German Telecoms Firm Slapped with $10.56 Million GDPR Penalty

A data protection authority in Germany has issued one of the largest ever GDPR penalties to the telecommunications and hosting firm 1&1 Telecommunications. The fine was issued for a failure to implement appropriate technical and administrative measures to authenticate individuals in its call centers.

1&1 Telecommunications, a subsidiary of United Internet Group, is one of the largest telecommunications and mobile service providers in Germany. The firm was investigated by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) after a report was received that the only information required to authenticate customers in its call centers was a name and data of birth – Information that can easily be found on social media sites. If a correct name and data of birth was provided, it was possible to obtain an extensive range of sensitive information on customers.

BfDI determined that 1&1 Telecommunications had failed to comply with Article 32 of the EU’s General Data Protection Regulation. Article 32 requires appropriate technical and administrative measures to be put in place to protect the processing of personal data. The inadequate authentication measures meant the confidentiality of customer data was put at risk. Since the failure had potential to place its entire customer base at risk, a financial penalty was deemed appropriate.

On December 9, BfDI announced that a penalty of €9.55 million ($10,556,000) had been issued. The financial penalty took into account the relatively small size of the company and the level of transparency and cooperation in the investigation. When contacted by BfDI and advised about the GDPR violation, 1&1 Telecommunications implemented an additional authentication measure and cooperated fully with the investigation. The company also continued to improve its authentication processes and will now require customers to provide a PIN before any data is disclosed.

1&1 Telecommunications believes the fine is disproportionate and that the fine was calculated based on wider company sales. The Telecommunications company will appeal the fine and is considering suing BfDI. While the financial penalty is significant, it is much lower than the maximum possible penalty for a GDPR violation, which is €20 million ($22,110,800) or 4% of global annual turnover, whichever is greater.

This is the second multi-million Euro GDPR penalty to be issued in Germany the past two months. In October, the Berlin Data Protection Authority, Berliner Beauftragte für Datenschutz und Informationsfreiheit, imposed a €14.5 million ($16.26 million) penalty on the German property company Deutsche Wohnen. The company was storing data on current and former tenants in a system that did not allow data to be deleted. Data was being retained long after the purpose for which the information had been collected had been satisfied.

BfDI also announced on December 9 that a €10,000 ($11,033) financial penalty was imposed on Rapidata GmbH for a violation of Article 37 of GDPR. The company had failed to appoint a data protection officer, despite repeated requests from BfDI.

The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate also issued a GDPR fine in December. A hospital in the state of Rhineland-Palatinate in Germany must pay €105,000 ($93,525) to resolve violations of several provisions of GDPR related to patient admissions, which could easily lead to patient mix-ups. The investigation uncovered multiple technical and organizational failures related to patient and privacy management.

The post German Telecoms Firm Slapped with $10.56 Million GDPR Penalty appeared first on HIPAA Journal.

Sweden Issues GDPR Fine to School for Unlawful Use of Facial Recognition Technology

The Swedish Data Protection Authority (DPA) has issued its first ever financial penalty for a violation of the EU’s General Data Protection Regulation (GDPR).

The 200,000 SEK fine (€19,000/$21,000) was issued to a high school in Skellefteå which conducted a pilot study that used facial recognition technology to monitor student attendance. Assisted by IT company Tieto, the school used CCTV cameras and facial recognition technology to monitor the attendance of 22 students at school. The trial ran for three weeks in late 2018.

The aim of the trial was to determine whether facial recognition technology could be used in place of standard roll calls in classes. Under Swedish law, schools are required to conduct a roll call at the start of each lesson, which places a considerable administrative burden on teachers and reduces the time spent teaching students.

According to Tieto, the school was losing 17,280 hours a year simply marking attendance. That equates to 10 full time jobs.

The pilot was conducted with the best intentions but the DPA determined the school violated several articles of GDPR. GDPR was introduced to protect the privacy of EU citizens and give them much greater control over the use of their personal data.

The DPA determined the school unlawfully processed the biometric data of its students and failed to conduct a proper impact assessment. Facial recognition data is treated as sensitive information and requires greater protection that other, less-sensitive data types. The school also failed to notify the DPA about the pilot.

The school maintained it had obtained consent from all students involved in the pilot, but the DPA determined the consent to be invalid as there was “a clear imbalance between the data subject [student] and the controller [municipality].”

The financial penalty could have been much more severe. The GDPR penalty structure permitted a maximum fine of €1 million ($1.1 million) for the violations.

The post Sweden Issues GDPR Fine to School for Unlawful Use of Facial Recognition Technology appeared first on HIPAA Journal.