The Italian supervisory authority investigates the profiling and tracking systems used by Pornhub
The Italian supervisory authority submitted a request for clarification to MG Freesites Ltd, the Cypriot company which manages the Pornhub site, regarding the Italian version of the site. Further to a complaint lodged by a user, the Italian authority intends to shed light on a number of aspects of the processing. The company will have to clarify whether it carries out profiling of users, and, if so, by what means and for what purposes.
As regards the use of cookies and other tracking tools other than strictly technical ones, the company will have to indicate the legal basis of the processing (both for users who have created an account on the platform and for unauthenticated visitors), the type and nature of the data collected, the technical methods used to obtain consent and the information provided to users.
MG Freesites will also have to clarify whether the data collected are disclosed to third parties, specifying any recipients and stating whether users were informed of such disclosures beforehand.
Lastly, the Authority asked what measures have been taken to verify the users’ age and to allow users to exercise their rights regarding the protection of personal data.
The company has 20 days to respond to the Italian authority’s requests.
Developments on the rules governing the transfer of data between the EU and the US
On 10 July, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision concludes that the United States ensures an adequate level of protection – compared to that of the EU – for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework.
An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries which, in the assessment of the Commission, offer a comparable level of protection of personal data to that of the European Union.
As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any further conditions or authorisations. In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data.
The adequacy decision on the EU-U.S. Data Privacy Framework covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework.
Adequacy does not require the third country’s data protection system to be identical to the one of the EU, but is based on the standard of ‘essential equivalence’. It involves a comprehensive assessment of a country’s data protection framework, both of the protection applicable to personal data and of the available oversight and redress mechanisms.
With the adoption of the adequacy decision, European entities are able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.
US companies can certify their participation in the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations. These include privacy principles such as purpose limitation, data minimisation and limits on data retention, as well as specific obligations concerning data security and the sharing of data with third parties.
Web scraping to form telephone directories is unlawful
Web scraping of personal data without a legal basis is unlawful, and the Italian Supervisory Authority has reiterated the point by imposing a fine of 60,000.00 euros on the owner of the website www.trovanumeri.com. The fine concerns the creation and online publication of a telephone directory compiled by collecting data through web scraping (automated extraction of data from web pages). Current legislation allows telephone directories to be compiled only from data extracted from the DBU, the single database containing the numbers and identification data of mobile and landline subscribers. The website owner had no legal basis for processing the data. The website gave no information on how to contact the data controller or on how to exercise the right to object when the dedicated form did not work, and it did not identify the website owner, whose identification took a long time. The Authority therefore declared the collection, storage and publication of the personal data unlawful. In setting the amount of the fine, account was taken of the gravity of the infringement, the high number of data subjects involved, the duration of the infringement and the intentional nature of the website owner's conduct; the amount was moderated because the website owner is a small business.
Fine for Benetton Group for unlawful processing of loyalty card holders' data
Benetton Group has received a fine of 240,000.00 euros for having unlawfully processed the personal data of customers and former customers holding a loyalty card. Personal data were collected through loyalty card subscriptions, the newsletter and the e-commerce site. Promotional e-mails had been sent to loyalty card holders without prior consent, and even after the data subjects had exercised their right to object to processing for marketing purposes.
The cookie policy did not allow users to make granular choices and, unlike the banner, did not state that profiling cookies were used: it only mentioned marketing cookies and third-party marketing and retargeting cookies. The data collected for the loyalty programme were stored for longer than the period indicated in the records of processing activities (two years for both marketing and profiling purposes), as the filing system contained purchase information dating back to 2015 (receipt details, products purchased and points awarded), including for data subjects who had not consented to profiling.
Security requirements were not met either: the filing systems, located in seven countries, were accessible from any device connected to the Internet through a single shared account and password.
The fine was set taking into account the high number of data subjects concerned and the considerable duration of the infringements, as well as their repetition despite earlier decisions of the Italian supervisory authority. The company's financial capacity was a further element in determining the amount.
Benetton Group will have to delete or anonymise the data of former customers dating back more than ten years and implement appropriate technical and organisational measures to ensure that data are stored in accordance with the principles of purpose limitation and data minimisation.
To learn more, contact me.