Tag: GDPR

  • Microsoft’s Illegal Student Tracking in 365 Education: Data Privacy Impact

    Key Takeaways

    1. Microsoft faces privacy issues in Europe after being found to have illegally tracked students using its 365 Education platform.
    2. The Austrian Data Protection Authority ruled that Microsoft did not provide students access to their personal data and shifted GDPR responsibilities onto schools.
    3. The ruling highlights violations of Article 15 of the GDPR, which requires clear information on data processing and sharing.
    4. Microsoft claims compliance with data protection standards but faces criticism for transferring responsibility to educational institutions.
    5. The case reflects broader concerns about how tech companies manage data from minors in educational settings, especially post-pandemic.


    Microsoft is currently dealing with a significant privacy challenge in Europe. This comes after Austria’s Data Protection Authority determined that the company “illegally” tracked students using its 365 Education platform. This decision was based on a complaint from the Austrian privacy group, noyb. They claimed that Microsoft did not allow students to access their personal data and pushed the responsibilities of GDPR onto schools.

    Background of the Issue

    The problem traces back to the COVID-19 pandemic, a time when many schools adopted Microsoft 365 for online learning. With this shift to a digital platform, new privacy concerns emerged as student information was managed through a corporate cloud service.

    When students voiced concerns or sought access to their data, Microsoft directed them back to their respective schools. This was problematic since schools were only able to provide limited data information.

    Regulatory Findings

    The authority found that this method contravened Article 15 of the GDPR. It stated that Microsoft, acting as the data controller, is required to provide comprehensive information on how user data is processed and whether it is shared with outside parties.

    Furthermore, the Austrian authority instructed Microsoft to clarify certain technical phrases like “internal reporting,” “business modelling,” and “improvement of core functionality.” Additionally, national and federal education bodies were mandated to ensure similar transparency within a timeframe of ten weeks.

    Microsoft’s Response

    Microsoft asserted its compliance by stating, “Microsoft 365 for Education meets all required data protection standards,” and indicated it would review the ruling. Nevertheless, data protection attorney Max Schrems from noyb emphasized that this situation illustrates a wider problem. “Big Tech providers try to get all the power, but shift all responsibilities to European customers,” stated Schrems.

    The software giant also contended that its subsidiary in Ireland was in charge of 365 Education, claiming that jurisdiction lies there. However, the Austrian authority dismissed this argument, indicating that key decisions were made by Microsoft in the US.

    Conclusion

    This case underscores an escalating global issue regarding how large tech companies manage data collected from minors in educational environments, particularly after the pandemic, when a greater number of students rely on platforms like Microsoft 365 and Google Classroom for remote learning. If the ruling is upheld, it could significantly alter the way technology companies handle data responsibilities within Europe’s educational landscape.


  • Google Fined €325 Million by France for GDPR Cookie Violations

    Key Takeaways

    1. CNIL fined Google €325 million ($381 million) for breaching GDPR and cookie laws.
    2. Google displayed ads in Gmail without user consent and improperly used tracking cookies during sign-up.
    3. Investigations were prompted by a complaint from privacy group None of Your Business (NOYB) in August 2022.
    4. Google must cease showing ads in user inboxes without approval and comply with future regulations to avoid daily fines.
    5. This is not Google’s first penalty from CNIL; it faced a €50 million fine in 2019 and additional fines in 2020 and 2021 for similar violations.


    France’s data protection agency, known as the Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed a hefty penalty of €325 million ($381 million) on Google for breaching GDPR and cookie laws.

    Consent Issues

    In a recent press release, CNIL pointed out that Google was showing ads within user emails on Gmail without obtaining their permission first and placed tracking cookies for new accounts during the sign-up phase.

    This fine comes after multiple investigations carried out between 2022 and 2023 regarding Gmail, which were initiated due to a complaint from the privacy group None of Your Business (NOYB) in August 2022.

    Advertisements in Gmail

    These investigations uncovered that Google had been displaying ads that were camouflaged as emails in the “Promotions” and “Social” sections of Gmail. CNIL emphasized that user consent was necessary for such advertisements.

    Additionally, another issue raised was how Google prompted users to agree to cookies for Gmail, but it failed to adequately inform them that these cookies would be utilized for displaying personalized ads.

    Future Compliance

    In addition to the substantial fine, Google is now required to take appropriate actions to ensure this does not occur again and must cease showing ads in users’ inboxes without their approval. If Google fails to comply, it could face daily fines of up to €100,000.

    This isn’t the first instance of Google facing scrutiny from CNIL. Back in 2019, the company was fined €50 million for similar GDPR violations related to advertising. Moreover, in 2020 and 2021, Google faced further fines for cookie-related breaches.

    Previous Penalties

    In 2021, the French competition body, Autorité de la Concurrence, also fined Google $590 million in a dispute regarding compensation for news media.

    A spokesperson for Google commented to Reuters that the company is currently reviewing the ruling, claiming that Google has always given users the option to control the advertisements they wish to see.


  • Legal Win Against YouTube After 5.5 Years of Battle

    Key Takeaways

    1. Noyb filed an access request under GDPR for personal data from major streaming services, but companies like Apple, Amazon, and Google did not comply.
    2. After five years of legal action, the Austrian Data Protection Authority ruled in favor of noyb, supporting users’ rights to personal data.
    3. Google attempted to delay the process through legal maneuvers, including trying to move the case to Ireland.
    4. Prolonged legal battles drain resources from NGOs and hinder individuals’ rights, making it difficult for them to advocate for themselves against large corporations.
    5. If Google does not appeal, it must comply with the information request, but the potential for fines and legal costs remains uncertain.


    What should have been a completely normal process has extended over several years. A while back, the data protection group noyb made an “access request” for personal data to major streaming services like Amazon, Apple Music, Spotify, Netflix, and YouTube. As per GDPR (Article 15), these companies are “required to provide users with a copy of their personal data, along with extra information about how it is processed, including the sources and recipients of the data, the reasons for processing, and how long the data will be kept.”

    Companies’ Non-compliance

    Despite the requests, all contacted companies either couldn’t or didn’t want to meet these demands. In January 2019, noyb took action by filing a complaint against eight firms, including Apple, Amazon, and Google, with the Austrian Data Protection Authority (DSB). Now, after more than five years, a ruling has finally been made: the DSB has sided with noyb.

    Delays and Legal Maneuvers

    During these five years, Google has found numerous ways to stall what should be a straightforward process. For instance, they tried to move the case to Ireland, where, according to noyb, the enforcement of data protection has notable flaws. Noyb has expressed confusion over why a multi-billion dollar corporation would prefer a prolonged legal battle rather than simply honoring users’ rights to information.

    Impact on Individuals and NGOs

    These drawn-out legal proceedings not only drain resources from NGOs like noyb but also strip individuals of their basic rights. Ordinary people find it challenging to stand up against such practices. Often, they feel compelled to give up their rights or endure years of waiting for them to be enforced, especially if they consider entering a lengthy and expensive legal fight against a massive corporation.

    If Google decides not to appeal, it will have to fully comply with the information request. The noyb report does not mention if the proceedings may also lead to a fine, leaving that uncertain. However, Google will probably need to cover the legal expenses stemming from this loss.


  • German Authorities Urge Google and Apple to Remove Deepseek App

    Key Takeaways

    1. Deepseek has been prohibited in Italy, and German officials are taking action to remove it from Google and Apple’s platforms.
    2. Allegations include violations of EU data protection laws, particularly regarding user data transfer to China without adequate safeguards.
    3. The app collects sensitive user information, raising concerns about potential access by Chinese authorities.
    4. The Berlin data protection authority may impose fines of up to 4% of Deepseek’s global revenue, but enforcement against a foreign entity is challenging.
    5. The request to block Deepseek follows a previous warning to halt data transfers, and while it may be removed from app stores, it will still be accessible via web browsers.


    Deepseek has been prohibited in Italy, and now German data protection officials are taking action against the widely used AI application from China. According to Der Spiegel, the Berlin Commissioner for Data Protection and Freedom of Information has filed a complaint with both Google and Apple, formally asking them to remove the Deepseek app from their platforms, making it unavailable to users in Germany.

    Allegations of Data Violations

    The basis for this request is purported violations of data protection laws, particularly concerning the transfer of user data from Europe to China. The company has not presented adequate proof that user data is safeguarded in China in a similar way as it is in Europe. According to the EU’s GDPR (General Data Protection Regulation), protecting user data is a fundamental requirement for its transfer to nations outside the EU. However, this does not ensure that other Chinese firms or the Chinese government cannot access data from European users.

    Concerns Over User Data

    This situation is particularly alarming because the chatbot app gathers a wide variety of potentially sensitive information about its users, such as text inputs, chat histories, uploaded files, location details, and device data. Chinese authorities may potentially gain access to all this information, which is already in the possession of the state for all domestic businesses.

    Possible Penalties and Future Actions

    The Berlin data protection authority has the option to impose a fine that could reach up to 4% of the company’s worldwide revenue. Nonetheless, as officials have indicated, enforcing this against a foreign entity would be a challenging task. It is worth noting that this action did not come without prior warning; in May, Berlin’s data protection officials had already set a deadline for the company to halt data transfers to China. Since the Deepseek developers failed to meet this deadline, the request for blocking has been made under the Digital Services Act. Apple and Google are now required to make a decision regarding the blocking very soon. However, the model will still remain accessible through web browsers in the future.


  • DeepSeek App Pulled from Italian Stores Due to Privacy Issues

    DeepSeek, a startup from China focusing on artificial intelligence, has recently faced significant regulatory challenges in Italy. Its app has unexpectedly disappeared from both Apple’s App Store and Google Play. This action comes after Italy’s data protection authority, Garante, initiated a formal investigation into how DeepSeek manages and gathers user data. Concerns surrounding data privacy and safety have put the AI firm under a microscope, mirroring similar worries expressed in the United States and Australia.

    Italian Authority Demands Clarity on Data Usage

    Italy’s privacy regulator has granted DeepSeek and its associated companies a 20-day period to reveal essential information related to their data handling practices. Authorities are requesting specifics about the types of personal data collected, how it is sourced, its intended use, and whether the information is stored on servers located in China. Additionally, they have inquired about how DeepSeek communicates data processing practices to both registered and unregistered users, especially when information is sourced via web scraping techniques.

    Privacy Issues Amid Rapid Success

    Concerns regarding privacy have escalated following DeepSeek’s rapid ascent. The launch of its AI assistant, which rivals OpenAI’s ChatGPT, saw the app quickly rise to the top of download lists across various nations, causing unease among competitors in the US tech sector. Concurrently, US officials are evaluating possible national security threats linked to the widespread use of a Chinese AI model, with the US Navy specifically cautioning its personnel against using DeepSeek.

    Data Transparency Under Fire

    Transparency in how data is managed remains a critical point of contention. According to the company’s privacy policy, user data is kept on secure servers in China and might be shared with affiliated organizations and service providers. Despite this, Euroconsumers—a group of European consumer advocates—has raised concerns regarding the sufficiency of these notifications and questioned DeepSeek’s compliance with the European Union’s General Data Protection Regulation (GDPR).

    Italy’s examination of DeepSeek is not a new development. Earlier in 2023, the country temporarily prohibited ChatGPT due to worries about user data protection. In response to these issues, OpenAI made several adjustments to its platform, including enhanced transparency about data processing, providing users with opt-out choices, and instituting age verification measures aimed at protecting children under 13. These modifications ultimately led to the reinstatement of the chatbot.

    Future Implications for DeepSeek

    As DeepSeek continues to expand its presence worldwide, the regulatory hurdles it faces are intensifying. The company is required to provide answers to the Italian regulator by February 17, a deadline that could significantly impact its future operations in the European market. Should authorities determine that privacy laws have been violated, DeepSeek may encounter severe penalties or operational restrictions, potentially setting a precedent for the examination of AI products created outside Western jurisdictions.

  • OpenAI Fined €15 Million by Italy’s Data Protection Authority

    The Italian Data Protection Authority has revealed that it has imposed a €15 million fine on OpenAI for multiple breaches of the EU’s GDPR regulations. The agency claims that the creator of ChatGPT collected personal data without a lawful reason and also failed to report a security breach that occurred in March 2023.

    Concerns About Child Safety

    Additionally, the agency pointed out that OpenAI lacked proper “mechanisms for age verification,” which could lead to children under 13 being exposed to responses that are not suitable for their level of maturity and understanding. This raises serious concerns about the safety of young users interacting with the platform.

    Required Actions by OpenAI

    The authority has mandated that OpenAI establish a “six-month institutional communication campaign across radio, television, newspapers, and the Internet.” This campaign aims to enhance public knowledge and awareness regarding how ChatGPT operates, as well as how it collects and manages user data.

    In a response shared with Euronews, OpenAI described the ruling as “disproportionate” and expressed its intention to challenge the decision. The spokesperson mentioned that the penalty was “almost 20 times” the revenue generated by the company in Italy for the year.

  • Terms Update Allows X to Sell User Data to Third Parties

    The social media site X, which used to be called Twitter, has updated its general terms and conditions (T&Cs). Now, these terms permit the sharing of customer data with third parties. This allows X to sell user data to various companies, which can then utilize it for their own needs, like training their artificial intelligence systems.

    Changes Coming Soon

    These alterations to the T&Cs will take effect on November 15, 2024, and will automatically apply to all users. The new privacy policy mentions:

    “If you do not opt out, recipients of the information may in some cases use it for their own independent purposes, including, for example, to train their artificial intelligence models, in addition to the purposes specified in X’s Privacy Policy.”

    Criticism and Concerns

    X has faced backlash for its management of user data for a while now. In 2023, the firm, owned by Elon Musk of Tesla and SpaceX fame, was criticized by the EU Commission for breaching the General Data Protection Regulation (GDPR) and the Digital Services Act (DSA). This incident involved unlawful micro-targeting in political ads. The recent modifications to the terms and conditions are expected to intensify discussions about user data protection.

    Users can choose to object to their data being shared. However, this requires them to take action, which means they must be aware that their data is being shared in the first place. Even though there are still a few days until October 15, X has yet to disclose where users can find the opt-out option.

    New Measures Against Data Collectors

    Alongside the updates to the data protection policy, X is also putting stricter rules in place against external data harvesters. The new T&Cs will impose hefty fines for those using automated tools to gather large amounts of data from the platform. If an account is found to be viewing 1 million posts in a 24-hour period, it will incur a fine of $15,000, with the same penalty applying for each additional million posts viewed.