Included in this issue of Data & Privacy News: First GDPR Fine issued to Google by French authorities for lack of transparency; Irish Data Protection Commissioner launches investigation into Twitter over privacy rules breach and more...

First GDPR Fine issued to Google by French authorities for lack of transparency

The French Data Protection Authority – the Commission nationale de l'informatique et des libertés or CNIL – has issued the first fine for a breach of the General Data Protection Regulations (GDPR) to Google. The 50 million EUR fine was issued for lack of transparency, inadequate information and lack of valid consent for GoogleAds personalisation (in breach of the first data protection principle).

The CNIL's investigation into Google's practices was triggered by multiple complaints from privacy rights campaigners, received on 25 May 2018 when the GDPR came into force.

In its findings, the CNIL were particularly critical of Google's approach of publishing information about GoogleAds personalisation in different places, making it difficult for users to find this information.  Further, the information provided was not comprehensive and so the consent obtained was not "informed" and was therefore invalid.

The decision flags a potential change in general approach by data protection authorities, that not only big security breaches involving loss of data will trigger fines.

Irish Data Protection Commissioner launches investigation into Twitter over privacy rules breach

The Irish Data Protection Commissioner (DPC) has launched an investigation into Twitter after receiving a breach notification from the company on the 8 January 2019.

The inquiry is examining Twitter's compliance with the breach notification requirements under the GDPR, which requires that high risk personal data breaches must be referred to the appropriate data protection authority within 72 hours, and sets out the amount and type of information that must be supplied.  

Since November 2018, Twitter has been under investigation by the DPC for a number of breach notifications which relate to the introduction of the GDPR.

Thousands ask HMRC to remove voice data from third party database

More than 160,000 people have asked HMRC to remove phone call biometric data from a database held by a third party, following a change in the tax authorities opt out procedure. 

HMRC launched a Voice ID system in 2017, which captured callers' voice data, however it failed to give people an easy way to opt out.  As a result, HMRC amassed a database of over 7 million voice IDs which is held by a third party provider, with only 80 people taking steps to have their IDs removed under the old procedure.

Privacy group, Big Brother Watch, said the tax authority had railroaded people "into a mass ID scheme by the back door" and has reported them to the ICO, who are currently investigating the allegations. 

Tech giants fail to cope with subject access requests

Privacy rights group "None Of Your Business" (noyb), led by renowned data privacy activist Max Schrems, has filed numerous complaints in Austria identifying Netflix, Spotify, Amazon, Apple and Google as companies that don't fully comply with the rights of access requirements under the GDPR. 

The group submitted subject access requests to eight tech giants in 2018, and identified violations in each case. Some ignored the requests completely, others responded but after a delay, and some responses provided only incomprehensible raw data with no explanation as to how the data is processed.

The results from noyb's investigation highlight the potential difficulties in using automated systems to fulfil subject access requests.

Judicial review granted for immigration exemption under Data Protection Act 2018

Permission has been granted for judicial review of the "immigration exemption" in the Data Protection Act 2018, which prevents some people from obtaining government-held data about themselves. 

The3million group, an organisation championing the rights of EU citizens in the UK, has claimed the exemption is unlawful and will prevent individuals from challenging errors made by the Home Office. 

Digital campaigners, Open Rights Group, are also bringing the claim against the Home Secretary and the Secretary of State for Digital, Culture, Media and Sport, who have stated that the exemption is compatible with EU data regulations and charter rights.

Dutch surgeon wins landmark right to be forgotten case 

A Dutch surgeon has won a legal action to have Google search results of her name deleted.

In the "right to be forgotten" case, the surgeon's registration on the healthcare professionals register was initially suspended due to an investigation into her postoperative care of a patient. This was changed to a conditional suspension following an appeal, allowing her to continue to practise medicine.

However, the first Google search results of the doctor's name linked to a website which contained an unofficial blacklist, suggesting she was unfit to treat patients, and was contradictory to the disciplinary panel's findings.

The surgeon's lawyer said the ruling was ground breaking as it made sure doctors would no longer be judged by Google on their fitness to practise.