Page 39 - Sheppard Mullin Eye on Privacy 2018 Year in Review
compliance of the company and its finances. The company only employs fourteen workers. In publishing its decision, CNIL stated that it sought to remind employees of their rights and employers of their obligations, particularly with respect to biometrics in the workplace. CNIL also intended to remind companies of the consequences for failing to respond to and comply with CNIL notices of default.
PUTTING IT INTO PRACTICE: Companies that use fingerprint systems have been focused on the cases coming out of Illinois; this fine is a reminder that these systems are regulated outside of the US heartland.
UK’s Data Protection Authority Enforces GDPR
Posted on October 10, 2018
The UK’s Information Commissioner’s Office (ICO) has issued its first GDPR notice to Canadian data analytics firm AggregateIQ Data Services Ltd. The company uses personal data to target political advertising at voters prior to elections. The ICO was concerned about the firm’s use of targeted advertising in the UK’s 2016 EU referendum and the 2016 US presidential election, something the ICO is otherwise investigating. In this case, the ICO accused AggregateIQ of failing to follow GDPR by using personal information without a legal basis under GDPR, and using it in ways that people would not have expected when they provided it. Although the data was gathered before GDPR went into effect on May 25, 2018, the ICO stated that GDPR applies due to AggregateIQ’s continued retention and processing of the information about UK residents after that date.
The ICO found that enforcement action was justified because AggregateIQ’s improper use was likely to cause “damage or distress” to the affected people. The ICO’s notice instructs AggregateIQ to cease all use of UK or EU citizens’ personal data for analytics and advertising, political or otherwise. Failure to comply could result in a fine of up to four percent of the company’s annual revenue, or 20 million euros, whichever is greater. AggregateIQ has appealed the notice to the UK’s First-tier Tribunal for Information Rights.
PUTTING IT INTO PRACTICE: This case is a reminder that regulators are gearing up to enforce GDPR. Of note here are both that the entity was Canadian, and that the information was collected prior to GDPR coming into effect.
Dramatic Increase in French Privacy Complaints Since GDPR
Posted on October 8, 2018
The French data protection authority CNIL has received 3,767 data protection complaints since the EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. According to CNIL, this is a 64 percent increase compared to the same four-month period last year. CNIL also reported that it has received 600 data breach notifications during the same period. CNIL is in the process of developing new French regulatory tools under GDPR. It has already developed and proposed strict new biometric privacy regulations, and has nearly finalized a certification program for company Data Protection Officers. It is now developing regulations related to customer relations, human resources, and health monitoring.
PUTTING IT INTO PRACTICE: This report from the CNIL suggests that it will be following with enforcement actions in the near future.