General Data Protection Regulation: Issues of compliance and non-compliance

GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection, designed to harmonise data privacy laws across Europe and to protect and strengthen the data privacy of all EU citizens. It was adopted in April 2016 and will come into effect on 25 May 2018.

The biggest change from current data privacy regulation is the GDPR's extended jurisdiction: it applies to every company processing the personal data of data subjects residing in the Union, regardless of where the company is located and whether or not the processing takes place in the EU.

The regulation also brings a new set of data subject rights, or digital rights, for EU citizens. These include, among others, the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose, and the right to be forgotten, which entitles the data subject to have the data controller erase his/her personal data.

This story collects articles looking at what the new GDPR means for business and human rights in the digital economy and human rights concerns arising from non-compliance.


Article
20 March 2020

EU: Employers allegedly abuse EU data privacy rules to hinder trade unions, study finds

Author: Samuel Stolton, EURACTIV.com

"Employers accused of abusing EU data privacy rules to hinder trade unions", 19 March 2020

A survey published today (19 March) by the European Trade Union Confederation (ETUC) highlights the plight of workforce collectives to mobilise by reaching out to employees digitally and attempt to campaign for better working conditions and fair remuneration.

The research comes at a time when millions of Europeans face an indeterminate period of remote working amid the current coronavirus outbreak...

“GDPR laws were put in place to protect people from the power of corporations but now corporations are misusing them to protect themselves from people power,” ETUC Deputy General Secretary Esther Lynch said.

“Access to the workplace is a basic trade union right and in 2020 that means digital access too...”

Lynch called upon the European Commission to promote trade union rights...

The trends highlighted in ETUC’s report bring to light the recent challenges for trade unions to mobilise their networks as a result of workplaces refusing access to employee data under the pretext that it is forbidden by the GDPR...

While there is cause for concern, the ETUC survey also highlighted positive cases such as in Germany, where the amended 2018 Federal Data Protection Act transposed Article 88 of the GDPR to good effect...

Article
20 January 2020

Dating app Grindr shares personal data with ad tech services in violation of EU data protection law, complaint alleges

Author: Natasha Singer and Aaron Krolik, The New York Times

"Grindr and OkCupid Spread Personal Details, Study Says", 13 Jan 2020

Popular dating services like Grindr, OkCupid and Tinder are spreading user information like dating choices and precise location to advertising and marketing companies in ways that may violate privacy laws, according to a new report that examined some of the world’s most downloaded Android apps...

The report, “Out of Control: How Consumers Are Exploited by the Online Advertising Industry,” adds to a growing body of research exposing a vast ecosystem of companies that freely track hundreds of millions of people and peddle their personal information...

The Norwegian group said it filed complaints on Tuesday asking regulators in Oslo to investigate Grindr and five ad tech companies for possible violations of the European data protection law. A coalition of consumer groups in the United States said it sent letters to American regulators...

Match Group, which owns OkCupid and Tinder, said it worked with outside companies to assist with providing services and shared only specific user data deemed necessary for those services. Match added that it complied with privacy laws and had strict contracts with vendors to ensure the security of users’ personal data...

Grindr said it had not received a copy of the report and could not comment specifically on the content. Grindr added that it valued users’ privacy, had put safeguards in place to protect their personal information and described its data practices — and users’ privacy options — in its privacy policy...

The spread of users’ location and other sensitive information could present particular risks to people who use Grindr in countries [...] where consensual same-sex sexual acts are illegal...

[also refers to and includes comments from Twitter and AT&T.]

Article
20 January 2020

Fines for European privacy breaches have reached €114 mln since GDPR came into force

Author: Reuters

European regulators have imposed 114 million euros ($126 million) in fines for data breaches since tougher privacy rules came into force in mid-2018, with approaches varying widely from country to country.

A report by law firm DLA Piper said France has imposed the biggest single fine - of 50 million euros against Google - while the Netherlands, Britain and Germany led in terms of the number of data breach notifications.

The General Data Protection Regulation was introduced in an effort to safeguard sensitive personal information and prescribes stiff penalties if companies lose control of data or process it without proper consent...

The fines to date pale in comparison to multibillion-euro penalties imposed in EU anti-trust cases, but they are likely to rise over time as appeals and litigation subject the sanctions to scrutiny and create legal precedents...

Article
19 August 2019

Facebook recording of user audio prompts EU privacy regulator to investigate company's handling of personal data

Author: Thomson Reuters via CBC

"Facebook recording of user audio prompts probe from EU privacy regulator", 14 August 2019

Facebook's lead regulator in the European Union is seeking information over how it handled data during the manual transcription of users' audio recordings, Ireland's Data Protection Commission said on Wednesday.

Bloomberg reported on Tuesday that Facebook had been paying outside contractors to transcribe audio clips from users of its messenger service.

According to the report, the audio in question came from users who chose the option in Facebook Messenger to have their chats transcribed for them. The chats were transcribed by artificial intelligence and the contractors were brought in to check the accuracy, the report said.

Facebook, which has been facing broad criticism from lawmakers and regulators over its privacy practices, said in response to the Bloomberg story: "Much like Apple and Google, we paused human review of audio more than a week ago." ...

"Further to our ongoing engagement with Google, Apple and Microsoft in relation to the processing of personal data in the context of the manual transcription of audio recordings, we are now seeking detailed information from Facebook on the processing in question and how Facebook believes that such processing of data is compliant with their GDPR obligations," the commission... [also refers to WhatsApp, Instagram]

Article
5 August 2019

German data protection authority orders Google to halt human review of voice AI recordings over privacy concerns

Author: Natasha Lomas, Techcrunch

"Google ordered to halt human review of voice AI recordings over privacy risks", 2 August 2019

A German privacy watchdog has ordered Google to cease manual reviews of audio snippets generated by its voice AI. 

This follows a leak last month of scores of audio snippets from the Google Assistant service...

The Hamburg data protection authority told Google of its intention to use Article 66 powers of the General Data Protection Regulation (GDPR) to begin an “urgency procedure” [...] last month. 

Article 66 allows a DPA to order data processing to stop if it believes there is “an urgent need to act in order to protect the rights and freedoms of data subjects”.

This appears to be the first use of the power since GDPR came into force...

Google says it responded to the DPA on July 26 to say it had already ceased the practice — taking the decision to manually suspend audio reviews of Google Assistant across the whole of Europe...

It’s not clear whether Google will be able to reinstate manual reviews in Europe in a way that’s compliant with the bloc’s privacy rules. The Hamburg DPA writes in a statement [in German] on its website that it has “significant doubts” about whether Google Assistant complies with EU data-protection law.

“We are in touch with the Hamburg data protection authority and are assessing how we conduct audio reviews and help our users understand how data is used,” Google’s spokesperson also told us...

The DPA also urges other regional privacy watchdogs to prioritize checks on other providers of language assistance systems — and “implement appropriate measures” — name-checking rival providers of voice AIs, Apple and Amazon.

This suggests there could be wider ramifications for other tech giants operating voice AIs in Europe flowing from this single notification of an Article 66 order...

Article
21 January 2019

France fines Google €50 million for "lack of transparency & valid consent regarding advert personalization" using GDPR rules

Author: Euronews

France's regulatory body dealing with data privacy has fined Google €50 million regarding advertisers’ access to users' personal data, it announced on Monday.

The National Commission on Informatics and Liberty (CNIL) said Google LLC received the financial penalty for a "lack of transparency, inadequate information and lack of valid consent regarding advert personalization."

It marks the first time the CNIL has used the EU's strict General Data Protection Regulation (GDPR)...

The authority said Google did not take appropriate measures when asking users for their data.

"The restricted committee observes that the users’ consent is not sufficiently informed," the CNIL wrote in a statement...

Google said in a statement: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR.

"We're studying the decision to determine our next steps."

Article
7 August 2018

UK: Deliveroo's employment practices contradict GDPR regulations & undermine workers' rights, says union

Author: Aliya Ram, Financial Times

"Deliveroo’s substitute courier policy called into question", 6 August 2018

Deliveroo narrowly avoided demands for union recognition and workers’ rights last year, after giving couriers the option of substituting people to deliver food on their behalf. The Central Arbitration Committee, a government body that oversees the regulation of UK labour laws, ruled that the contractual promise meant riders were self-employed, not workers entitled to collective bargaining powers and other rights...

[T]he Independent Workers Union of Great Britain [...] said Deliveroo’s data protection obligations under the EU’s General Data Protection Regulation contradicted the substitute policy...

Deliveroo’s data terms say couriers must keep customer information safe.

“You have the right, without the need to obtain Deliveroo’s separate prior approval, to arrange for a substitute to process the customer data on your behalf...” the policy says...

But under the UK’s Data Protection Act, which translates GDPR into UK law, Deliveroo is ultimately responsible for keeping data safe and would need to be informed when a courier appointed a substitute.

“This sounds awfully like Deliveroo has an absolute right to refuse consent to the use of a substitute by a Deliveroo rider,” said Mr Moyer-Lee, [general secretary for the IWGB]...

Deliveroo said: “The courts have made clear that Deliveroo riders are self-employed and we are confident that Deliveroo’s data policy is consistent with the right to substitute.

“We continue to make the case that the government should end the trade-off between flexibility and security by allowing companies like Deliveroo to offer further benefits without the risk of reclassification.” [also refers to Uber and Airbnb]

Article
31 May 2018

Facebook & Google first co's to face complaints of GDPR noncompliance over 'forced consent'

Author: Alex Hern, The Guardian

"Facebook and Google targeted as first GDPR complaints filed", 25 May 2018

Facebook and Google have become the targets of the first official complaints of GDPR noncompliance...

Across four complaints, related to Facebook, Instagram, WhatsApp and Google’s Android operating system, European consumer rights organisation Noyb argues that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given...

In a statement, Google said: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU general data protection regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”

Facebook’s chief privacy officer [...] told the Guardian: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on 25 May..."

Article
12 April 2018

Instagram to build new tool allowing users to download personal data in preparation for GDPR

Author: Alex Hern, The Guardian

Instagram has confirmed it will let users download their personal data, including previously shared photos, videos and messages, as it prepares for the European data regulation GDPR...

GDPR (General Data Protection Regulation) brings with it a number of rights for individuals, including to demand deletion of data, to opt out of future data collection, and to view the personal data a company possesses and to download it in a format that can be moved over to competitors.

These were the requirements Instagram would fulfil shortly, the company confirmed to TechCrunch. “We are building a new data portability tool,” a spokesperson said. “You’ll soon be able to download a copy of what you’ve shared on Instagram, including your photos, videos and messages...

It is unclear whether the company will also include details of a user’s advertising profiling in its data download...

A number of data breaches may also be made public next month as companies race to beat the GDPR deadline...

According to EUObserver, the European commission intends to police that deadline according to the date of disclosure, not the date of the underlying breach.

Article
5 April 2018

Europe is trying to force Facebook to take customers’ privacy seriously

Author: Emily Stewart, Vox

The first major government crackdown on Facebook and big tech in the wake of the Cambridge Analytica scandal and growing concerns about data privacy isn’t going to come from [...] Washington. Instead, it’s likely to come from Europe. 

On May 25, Europe will enact the General Data Protection Regulation or GDPR... The law requires companies to be transparent with what information they’re gathering and why... 

The law will put data privacy and protection at the center of technology design...

What the law does, essentially, is unify rules for how companies handle European citizens’ data, expand the scope of what personal data is, strengthen transparency and consent conditions, and set specific penalties for enforcement...

In the case of the GDPR [...] there’s a risk of putting too much weight on the shoulders of individual users to figure out what to allow to happen with their data. “To the extent that the EU has barreled forward with consent being the key, in this environment when we can’t really know what’s being collected about us all the time and what’s being used, putting the onus on a person to use judgment to allow or disallow something could be problematic...