Doganer Doganay, Author at Jurcom GRC
https://jurcom.nl/author/doganer-doganay/

Invisible Cookie Walls Must Be Completely Come Down!
https://jurcom.nl/invisible-cookie-walls-must-be-completely-come-down/
Tue, 01 Jun 2021 14:43:36 +0000

The post Invisible Cookie Walls Must Be Completely Come Down! appeared first on Jurcom GRC.

Although the journey for Turkey is just beginning, cookies have become a very popular topic of discussion in Europe in recent years. Most organizations use cookies to run and retarget their advertising and marketing activities effectively, to reach wider audiences and, ultimately, to increase their income. This use, however, requires intensive collection and processing of personal data. Meanwhile, hard-to-dismantle cookie walls are being built in front of the “average consumer”, and the processing activities behind them are far from easy to understand and manage.

The best summary of where things stand today comes from the famous privacy activist Max Schrems: “A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”

Current Issues In Cookie Compliance

As can be seen in the image above, great effort goes into making cookies “difficult” to control.

Yet the section on cookies in EU legislation is quite clear: “…Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible.”

In practice, what we frequently encounter in daily life is that accepting all cookies is very easy, while an option to reject all cookies is offered on almost no site and turning off the use of cookies is very difficult. (Luckily, Jurcom GRC Services allows you to reject all cookies with a single click.)

Fundamentally, we can say that “design” is being used to disable the legislation in practice and to move away from the essence of the regulation.

In particular, the French Data Protection Authority (CNIL) publishes very detailed guides in order to put an end to this practice, and by imposing large fines on large institutions such as Amazon and Google, it intimidates everyone in the industry.

In addition to CNIL, the privacy activist group NOYB (None of Your Business) aims to bring the industry into compliance through a high volume of complaints (the campaign aims to file 10,000+ complaints). Our wish is that all institutions comply with the legislation in a short time and that privacy-based designs become widespread.

Sources:

https://techcrunch.com/2021/05/30/europes-cookie-consent-reckoning-is-coming/

https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058

https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-issues-more-500-gdpr-complaints

GDPR Fine-About Failure To Conduct A DPIA For A Training App
https://jurcom.nl/gdpr-fine-about-failure-to-conduct-a-dpia-for-a-training-app/
Thu, 08 Apr 2021 12:45:33 +0000

The post GDPR Fine-About Failure To Conduct A DPIA For A Training App appeared first on Jurcom GRC.

Datatilsynet fines Ålesund Municipality NOK 50,000 for failure to conduct a DPIA for schools’ training app.

The Norwegian Data Protection Authority (‘Datatilsynet’) announced, on 24 March 2021, that it had fined Ålesund Municipality NOK 50,000 (approx. €5,000) because two schools had used a training app (Strava), which logs training and allows users to analyze and compare their data with their own or others’ training logs, without first conducting the required Data Protection Impact Assessment (‘DPIA’). In particular, Datatilsynet noted that the schools had been using the app, whose download on pupils’ phones was mandatory, to enable teachers to monitor students’ completion of the required assignments.

Further to this, Datatilsynet highlighted that the use of such an app entailed location tracking, possible processing of special categories of personal data, and systematic monitoring, and that, therefore, before its use, a DPIA was required. In addition, Datatilsynet found that the Municipality, apart from failing to conduct a DPIA, had not established specific procedures for risk assessment with respect to the downloading and use of certain apps.

This decision shows that the DPIA requirement should be considered in the case of processing special categories of personal data, location tracking, and systematic monitoring.

Particular emphasis was placed on the following factors in Datatilsynet’s assessment of whether or not to impose a penalty for a data breach:

  1. The nature, severity, and duration of the violation, taking into account the number of data subjects affected by the nature, scope, or purpose of the relevant activities and the extent of the damage they suffered,
  2. Whether the data breach was committed intentionally or negligently,
  3. Any measures taken by the data controller or data processor to limit the damage suffered by the data subjects,
  4. The degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32,
  5. Any relevant previous violations committed by the data controller or data processor,
  6. The degree of cooperation with the supervisory authority to remedy the data breach and reduce the possible negative effects of the breach,
  7. If the measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned in respect of the same subject matter, whether such measures have been complied with,
  8. The categories of personal data affected by the breach,
  9. The manner in which the supervisory authority became aware of the breach, in particular, whether and, if so, to what extent the data controller or data processor has notified the breach,
  10. Compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42,
  11. Any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement.

You can read the announcement here and the decision here, both only available in Norwegian.
