– Latest sanctions & breaches: Google, Facebook, Uber, Bouygues Telecom, etc.
– What’s new at the CNIL? Appointment, cooperation agreement & guidelines on data transfer published.
– Data transfer outside the EU: adequacy decision on Japan, Privacy Shield with the US
Latest sanctions and breaches
> Knuddels vs Germany: The first fine under GDPR has been given to Knuddels – a German social platform – which has been fined 20.000€ for a security breach concerning more than 800 000 users.
> Facebook vs Italy: Facebook was fined 10.000.000€ for misleading “users to register on the platform, without informing them immediately and adequately, in the opening phase of an account, harvest activities, for commercial purposes, data that they will have provided”.
> Uber vs France: The CNIL fined Uber 400.000€ for having insufficiently secured the data of its users. Uber has also been sanctioned by the Dutch authority (600.000€) and the English one (365.000£) for having failed to comply with the obligation to secure the data.
> Bouygues Telecom vs France: The CNIL fined Bouygues 250.000€ for having insufficiently secured the data of its users. A vulnerability had been detected that, for more than two years, allowed access to the contracts and invoices of 2 million customers by modifying a URL address.
> Google vs France: The CNIL issued a 50.000.000€ fine against Google for a lack of transparency and information and a lack of legal basis for the processing of personal data for advertising purposes. Google is appealing against this decision. To be continued…
> Facebook vs England: Internal documents show that the social network gave Microsoft, Amazon, Spotify and others far greater access to people’s data than it has disclosed… Scandal revealed by the New York Times.
> Adverline vs France: The advertising agency Adverline has been subjected to a cyber attack. 277 websites have been compromised by malware placed in ads to capture customers’ banking data.
> NOYB – None Of Your Business: NOYB filed complaints against 8 companies, including YouTube, Spotify, Netflix, Apple Music, Amazon Prime, etc. for not respecting data subjects’ right to access their data.
What’s new at the CNIL?
> Marie-Laure Denis has been nominated to the presidency of the CNIL.
> A new cooperation agreement has been signed between the CNIL and the DGCCRF for a stronger collaboration to protect customers and to carry out joint controls.
> The CNIL published new guidelines on data transfer to partners for electronic prospecting: the person must be able to identify the commercial partners and be informed of changes to this list. This goes much further than is required by the GDPR.
Data transfer outside the EU
> Japan: An adequacy decision on Japan has been adopted by the European Commission, which creates the world’s largest area of safe data flows.
> Privacy Shield: On December 19, the EU gave D. Trump 2 months to appoint a permanent mediator to deal with complaints under the Privacy Shield.
By Claire Girette, Sutter Mills’ DPO