Privacy

France's data protection censor, the Commission Nationale de l'Informatique et des Libertés or CNIL, has fined Google and Amazon a total of 135 million euro between them for violating the country's data protection laws. Google was fined a total of 100 million euro, while Amazon was fined 35 million euro.

The companies were fined for the lack of user consent for cookies placed of their French websites. Although both have since updated their websites to require a user's consent before placing cookies, CNIL criticized their cookie information banners for not providing enough information, or for making it clear enough that visitors can turn down these cookies. The regulator gave both a deadline of three months to fix the outstanding issues.

A spokesperson from Amazon said the company disagreed with CNIL's decision. Google said it stands by its efforts to provide information about tracking and control to users.

Town halls are harvesting millions of highly personal details about residents using Covid software, the Daily Mail has revealed.

A private firm Xantura has signed lucrative deals with local authorities to garner the data which can be used to identify people in need of support or else predict who is likely to break lockdown.

The Chartered Institute of Public Finance and Accountancy, a joint partner with Xantura in the scheme, said OneView aimed to build on Operation Shield, which identified 1.5million individuals at high risk of Covid.

The information is culled from council records and includes family debt levels, living arrangements, income, school absences and exclusions. It is fed into a profiling system called Covid OneView to create a risk analysis for households and individuals who are believed to be vulnerable.

Town halls say the aim is to help identify those most at risk from coronavirus. But a council presented slides at a video conference last month showing the information could be used to predict who might break isolation rules.

The Daily Mail investigation found that the information Covid OneView can gather included notes on: Unfaithful and unsafe sex, emotional health and wellbeing, sleep issues and dangerous pets Anger management issues and socially unacceptable behaviour Financial details, including debt, low income and tax arrears School attendance, low school commitment and free school meals

Jake Hurfurt of Big Brother Watch, a privacy campaigning group, said:

This underlines the shift toward mass surveillance and data harvesting that has been triggered by the pandemic. It's scandalous that councils are using huge amounts of personal information and experimental algorithms to assign people 'risk scores and predictions behind closed doors. People have a right to know how their data is used and how decisions are made about their lives.'

 

 

In a landmark decison that shines a light on widespread data protecton failings by the entire data broker industry, the UK data protection censor ICO, has taken enforcement action against Experian, based in part on a complaint made by Privacy International in 2018.

Privacy International (PI) welcomes the report from the UK Information Commissioner's Office (ICO) into three credit reference agencies (CRAs) which also operate as data brokers for direct marketing purposes. As a result, the ICO has ordered the credit reference agency Experian to make fundamental changes to how it handles people's personal data within its offline direct marketing services.

Experian now has until July 2021 to inform people that it holds their personal data and how it intends to use it for marketing purposes. The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021.

The ICO investigation found widespread and systemic data protection failings across the sector, significant data protection failures at each company and that significant invisible processing took place, likely affecting millions of individuals in the UK. As the report underlines, between the CRAs, the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services.

Moreover, the report notes that all three of the credit referencing agencies investigated were also using profiling to generate new or previously unknown information about people. This can be extremely invasive and can also have discriminatory effects for individuals.

Experian has said it intends to appeal the ICO decisions saying:

We believe the ICO's view goes beyond the legal requirements. This interpretation (of General Data Protection Regulation) also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.

Australia's eSafety Commissioner Julie Inman-Grant has rejected the practicality of a know your customer-type ID verification requirement for social media companies to ensure the age of their users.

Addressing Senate Inman-Grant said such a regime works in the banking industry as it has been heavily regulated for many years, particularly around anti-money laundering:

It would be very challenging, I would think, for Facebook for example to re-identify -- or identify -- its 2.7 billion users, she said. How do they practically go back and do that and part of this has to do with how the internet is architected.

While she admitted it was not impossible, she said it would create a range of other issues and that removing the ability for anonymity or to use a pseudonym is unlikely to deter cyberbullying and the like. Similarly, she said, if the social media sites were to implement a real names policy, it wouldn't be effective given the way the systems are set up. She added:

I would also suspect there would be huge civil libertarian pushback in the US.

I think there are incremental steps we could make, I think totally getting rid of anonymity or even [the use of] pseudonyms on the internet is going to be a very hard thing to achieve.

I want to be pragmatic here about what's in the realm of the possible, it would be great if everyone had a name tag online so they couldn't do things without [consequence].

A group of tech companies, publishers, and activist groups including the Electronic Frontier Foundation, Mozilla, and DuckDuckGo are backing a new standard to let internet users set their cookie privacy settings for the entire web.

Under EU law, every website needs to ask for permission from users before being able to set cookies. In particular this applied to cookies that allow website usage analytics and also for website history snooping that is used for targeted advertising. This permission is only mandatory in the EU and parts of the USA but no doubt this will spread.

Companies often try and make opting out from tacking cookies difficult by asking users to drill down into multiple forms, or else to present the options in such a way as to hide the ramifications of the choice.

Now there the group of companies are champion a new standard new standard, called Global Privacy Control , which lets users set a single setting in their browsers or through browser extensions telling each website that they visit not to sell or share their data. It's already backed by some publishers including The New York Times , The Washington Post, and the Financial Times, as well as companies including Automattic, which operates blogging platforms wordpress.com and Tumblr.

Advocates believe that under a provision of the California Consumer Privacy Act, activating the setting should send a legally binding request that website operators not sell their data. The setting may also be enforceable under Europe's General Data Protection Regulation, and the backers of the standard are planning to communicate with European privacy regulators about the details of how that would work.

It is expected to take a little while for this new standard to get legal backing, and in the meantime it will be implemented as simply advice to websites of a users privacy preferences.

If adopted the move will be a massive improvement for user privacy, but one also needs to know that estimates suggest that this would lead to a halving of advertising income for websites, which may then lead to the end of some websites maintaining a free service.

ICO consultation on the draft Statutory guidance

We are running a consultation about an updated version of the Statutory guidance on how the ICO will exercise its data protection regulatory functions of information notices, assessment notices, enforcement notices and penalty notices.

This guidance is a requirement of the Data Protection Act 2018 and only covers data protection law under that Act. Our other regulatory activity and the other laws we regulate are covered in our Regulatory action policy (which is currently under review).

We welcome written responses from all interested parties including members of the public and data controllers and those who represent them. Please answer the questions in the survey and also tell us whether you are responding on behalf of an organisation or in a personal capacity.

We will use your responses to this survey to help us understand the areas where organisations and members of the public are seeking further clarity about information notices, assessment notices, enforcement notices and penalty notices. We will only use this information to inform the final version of this guidance and not to consider any regulatory action.

We will publish this guidance after the UK has left the EU and we have therefore drafted it accordingly.