Wave of GDPR Penalties After Organisations Flout Compliance Requirements

Regulatory bodies across the EU have issued a string of high-profile GDPR (General Data Protection Regulation) fines in August.

Among the headlines is a preliminary €60 million fine for the French firm Criteo, a €1.1 million penalty for Volkswagen and a €10 million sanction for Google.

You can find out more about each of those incidents in this blog.

Criteo faces €60 million fine for targeted advertising campaign

The French tech giant Criteo has received a €60 million fine after it was found to have breached the GDPR’s rules on targeted advertising.

Criteo, which claims to have captured the identity and interest data of 72% of all Internet users, came under investigation after a complaint lodged by Privacy International.

The digital rights advocacy group accused Criteo of running a “manipulation machine”, with an array of tracking techniques and data processing practices being used to profile web users.

The information was then sold to advertisers, who used the data to provide “individual-level shopper predictions”.

Privacy International – which lodged its complaint in 2018, soon after the GDPR took effect – argued that Criteo didn’t have a legal basis to process this information.

Following a lengthy investigation, France’s data protection authority, CNIL, has provisionally agreed.

A spokesperson for Privacy International said it received the CNIL’s preliminary decision because complainants are entitled to updates on the progress of their complaints.

However, the decision has not yet been publicly announced, and a final decision isn’t expected until next year.

Volkswagen’s “unusual attachments” result in €1.1 million penalty

Volkswagen has been fined €1.1 million for using surveillance cameras in breach of the GDPR.

According to the data protection authority for Lower Saxony, a Volkswagen test vehicle was stopped by Austrian police near Salzburg in 2019, the police having noticed “unusual attachments” on it.

The attachments turned out to be cameras, which were being used “to test and train the functionality of a driver assistance system”.

However, Volkswagen’s use of those cameras breached the GDPR in four ways:

  1. It neglected to add signs to the vehicle to inform other road users that they were being recorded, in violation of Article 13.
  2. It did not have a data processing agreement with the company that was carrying out the test, in violation of Article 28.
  3. It had not conducted a DPIA (data protection impact assessment), in violation of Article 35.
  4. There was no explanation of any technical and organisational measures implemented, in violation of Article 30.

The Lower Saxony authority acknowledged that these were all relatively minor violations. State Data Protection Officer Barbara Thiel said: “The actual research trips were not objectionable under data protection law.

“We have no objections to the collection and further processing of personal data.”

Google in hot water over multiple compliance failures

The Dutch government recently imposed new restrictions on the use of Google Chrome OS and the Chrome web browser in schools after concerns were raised about Google’s data privacy practices.

Officials fear that Google shares students’ personal data with advertisers, who use the information for purposes other than that for which it was originally processed.

That would be a violation of Article 5 of the GDPR, which states that personal data must be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

The only exception to this requirement is if the information is used for archiving in the public interest, for scientific or historical purposes, or for statistical purposes.

That isn’t the only penalty hanging over Google. Spain’s AEPD (Agencia Española de Protección de Datos) has announced that it intends to fine Google €10 million for a pair of “very serious” GDPR infringements.

Both incidents concern the way Google transfers EU residents’ data to the Lumen Project, an academic research venture based in the US.

The project is helmed by Harvard’s Berkman Klein Center and is supported by the Electronic Frontier Foundation. Its research involves collecting cease-and-desist letters regarding online activity and analysing how they affect free speech.

Google has contributed to the archive since 2002, following a request from the Church of Scientology to remove content in a bid to silence critics.

The AEPD found that Google’s involvement in the project breached individuals’ right to be forgotten. Its investigation revealed that the form users had to complete to remove their data was faulty and confusing.

Although the AEPD has little recourse against the Lumen Project, because it is based outside the EU, the organisation is believed to have honoured the data protection body’s request to delete the information of users who were found to have been included in its data without a legal basis.

How to meet your GDPR compliance requirements

To avoid making the same mistakes these organisations made, you must ensure that you understand the GDPR’s requirements.

With our Certified GDPR Foundation Training Course, you’ll receive a comprehensive introduction to your compliance requirements delivered by an experienced data privacy consultant.

This training session is built on the foundations of our extensive practical experience delivering data protection support to clients.

The course is ideal for those who handle personal data on a regular basis and need an understanding of their data processing obligations. Those who take the training course will learn how to achieve GDPR compliance and be equipped to spot compliance weaknesses.
