GDPR Enforcement Continues
This past Monday was Data Privacy Day. To mark the occasion, you could find countless articles offering tips and strategies for minimizing the vulnerability of one’s personal data. I don’t want to focus too much on the fine details, since everyone else has done so (including us in the past), but the same steps as we’ve recommended before hold as true as ever today. Preventative measures, like watching out for phishing links and using different login credentials across platforms and services; and proper response practices, such as vigilant monitoring of all your important accounts, credit card statements, etc.
Even as it may seem that cyber criminal methods keep evolving in complexity, these tried and true strategies are still effective.
Consumers can also take some comfort from recent developments in Europe aimed at protecting them and their data. GDPR continues to demand compliance and dole out penalties to those who fail to measure up or ignore the regulations. Nor does it appear to be discriminating. Last week, we observed an Irish regulator opening an investigation into Twitter for privacy issues on Android devices. Also last week, France’s Commission Nationale de l’Informatique et des Libertés (CNIL) fined Google for the equivalent of around $57 million for insufficient transparency with users, invalid consent to process their personal data, and obfuscating information as to how Google collected and used data to personalize advertisements. This action stemmed from complaints brought by separate agencies, None Of Your Business (NOYB) and La Quadrature du Net, on behalf of over 10,000 people in total.
Moreover, Google employed the sneaky tactic of using a specific, one-time consent as blanket consent for the rest of its processing operations. Under GDPR, this is not allowed, and consent must be obtained for each individual case.
NOYB’s chairman, Max Schrems, praised the enforcement of GDPR penalties, adding, “Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products.”
(As an aside, this is interesting in that “interpreting the law differently” also tends to be the excuse major video game publishers use when trying to circumvent gambling regulations while also wanting to put gambling mechanics in their games; it’s nice to see it get ignored here.)
While Schrems is not alone in his approval, there are of course some dissenting voices. Balbix interim CISO Jonathan Bensen (there sure are a lot of us in these posts lately), states that “If the CNIL wanted to take a step in the right direction, it should suggest Google change the language in its terms of service versus imposing a fine without offering a solution.” That’s all well and good, but my only issue with that is that it’s not necessarily CNIL’s job to fix Google’s problem. They are a regulatory body, not a consultant.
Regardless of position, all agree that this action is a strong signal of intent from European regulators to strictly enforce GDPR standards, no matter what the target.