See below for the latest Data Blast from our legal team: Data brokers fined in France; Danish fine highlights importance of employee data training & checking who is making subject access request; European Board confirms that ‘cookie walls’ are off limits; UK local council suffers embarrassing location data breach...
CNIL warns data brokers against website scraping for marketing purposes
The French data protection authority (CNIL) has published an update (here, in French) on enforcement activities undertaken against businesses using website scraping to build databases of contacts, which were then sold to estate agencies for marketing purposes. In response to complaints from data subjects, the CNIL carried out investigations of numerous businesses which were scraping online marketplaces, message boards, and online directories, to collect identity and contact details for individuals; those details were then sold on to businesses such as estate agencies who used the data to target marketing materials by email and/or by phone.
The CNIL found numerous breaches of data protection law both by the data brokers and those engaged in direct marketing, not least that marketing was directed at individuals registered on the national ‘do not call’ list. Most notably, the CNIL concluded that the personal data which was publicly available online could not simply be ‘reused’ by a new data controller, without the knowledge of the individuals concerned. The CNIL found that individuals were not informed that their data had been acquired, even once marketing communications were sent. The sending of direct marketing materials to individuals gave rise to yet another breach, as the individuals had not consented to such communications.
The CNIL’s activities reflect growing concern both in Europe and elsewhere, over the practices of data brokers, who play a central role in online advertising. The European Data Protection Board has commissioned a study into the practices of data brokers with a view to determining GDPR compliance, and the UK’s Information Commissioner has expressed her view that the ‘real time bidding’ ecosystem which underpins targeted online advertising is not compliant with data protection laws.
Danish data protection authority highlights the importance of employee training and security procedures for subject access requests
On March 5th 2020, the Danish data protection authority (Datatilsynet) issued a decision against the company BroBizz, which provides automated payment services for bridges and ferries, after the company repeatedly disclosed personal data without first confirming the identities of those requesting the disclosure. The decision cited lacking security measures, insufficient employee training, and a failure to appreciate the risks associated with improperly disclosed location data.
The decision followed three data breaches by BroBizz, in which the company released personal data – including vehicle location data – to individuals making Subject Access Requests who were not, in fact, the individuals to which the personal data related. In one incident, the former romantic partner of the data subject made a request to BroBizz for disclosure of the location of the vehicle transponder on her former partner’s vehicle; using only the telephone number associated with the account to verify the requester’s identity, BroBizz disclosed the data.
In its decision, Datatilsynet recalled that, under Art. 12 GDPR, if a reasonably doubt exists regarding the identity of an individual making a subject access request (or exercising any other data subject rights) the data controller should request further necessary information in order to confirm their identity. Failure to have in place such security procedures to safeguard data was found to be a breach of Art. 32 of the GDPR.
The Datatilsynet rejected the initial risk assessment submitted by BroBizz – required under GDPR Art. 33 and 34 when communicating the occurrence of a data breach to a supervisory authority and to data subjects – as the company concluded the risk to data subjects was limited simply to data being provided to the incorrect person. Unsurprisingly, the Datatilsynet found a higher degree of risk from the improper disclosure of location data in particular, as it presents risks to the personal security of the data subject.
In addition to insufficiently developed security procedures, BroBizz was found to have failed in its obligation to maintain appropriate employee training on data protection matters. BroBizz submitted that universal training had been given in May 2018 (when the GDPR took effect), and that new employees received training; otherwise, an ad hoc approach was adopted. The Datatilsynet concluded that such training was evidently insufficient in light of the multiple data breaches which had been identified.
New guidelines on cookie consent highlight risk areas for websites
The updated guidance confirms that user consent will not meet the GDPR requirement where:
- A user simply scrolls down a webpage, or otherwise continues to interact with a webpage, as this does not represent a clear affirmative action by the user in respect of the setting of cookies.
The updated EDPB guidance is consistent with the approach taken by the ICO and other national regulators in respect of the use of non-essential cookies. The updated EDPB guidance serves as a usual reminder for website owners to review and consider their approach to cookies, to ensure that non-essential cookies are deployed only with valid user consent.
ICO notified of data breach after 9 million car journey logs left exposed by Sheffield Council ANPR system
Sheffield Council and the South Yorkshire Police both notified the Information Commissioner’s Office following revelations that a database containing logs of vehicle journeys captured by the city’s automated number plate recognition cameras (ANPR) were left unsecured and publicly accessible via the internet. The exposed data records were uncovered by an information security researcher and a journalist, who were able to access the ANPR system’s management dashboard simply by inputting its IP address into a web browser.
The ANPR system in Sheffield was installed following the adoption in 2014 of the city’s ‘clean air zone,’ whereby drivers are charged a daily rate in order to access the city centre. ANPR systems typically employ CCTV cameras to capture images of vehicles, and then identify number plate details in those images using software; those cameras may capture the faces of individuals in vehicles or pedestrians who pass within a camera’s field of view.
What is most concerning about the identified data breach, is that the unsecured ANPR data revealed the travel records for vehicles over an extended period of time; those with access to the records could, therefore, track a vehicle’s movements as it passed various ANPR capture points, at different times of day, and indeed across days and even weeks of activity. The system also contained a real time map function, showing the positioning of vehicles as they passed ANPR check points.
Location data has the potential to reveal considerable personal data about an individual, particularly in combination with other publicly accessible data, and access to an individual’s travel history could be attractive to malicious actors. The ANPR breach comes at a time of heightened public concern over the use of data gathering technologies by public authorities as they seek to adopt technological measures to combat Covid-19. The ICO’s Opinion on one proposed contact tracing solution (which we reported on here) notably considers data security to be an essential element of any viable technological solution. In the wake of the Sheffield breach, other public authorities will most certainly be verifying their own security measures and data retention practices, both in relation to ANPR systems and more broadly.
For more information please contact Partner, James Tumbridge at firstname.lastname@example.org.