Posted on Categories electronic identification, privacy/personal data protection

Verification of age to access pornographic content

An anti-obscenity association issued a proposal for an Act on Protection of Minors against Pornographic Content on 16 December 2019. It has gained the official support of the Family Council, which recommended to the Prime Minister that the proposal be adopted for further legislative work. The Minister of Family, Labour and Social Policy announced that work on the bill should conclude in the first half of 2020. The need to restrict children’s access to pornography is obvious, but the proposal has generated much controversy, mainly due to the proposed mechanism for age verification, which may invade internet users’ privacy. The proposal would also impose additional obligations on telecommunications operators, electronic service providers, and payment service providers.

Continue reading “Verification of age to access pornographic content”
Posted on Categories privacy/personal data protection

The right to be forgotten only in the EU

The Court of Justice of the European Union has once again spoken about the limits of the right to be forgotten. This time, it answered requests for a preliminary ruling in the case of Google v CNIL (Commission Nationale de l’Informatique et des Libertés, the French public authority responsible for regulating personal data processing). The case concerned a fine of EUR 100,000 which the CNIL imposed on Google after it refused to remove, in the exercise of a data subject’s right to be forgotten, links from all language versions of its search engine.

Continue reading “The right to be forgotten only in the EU”

Posted on Categories privacy/personal data protection

A fine for facial recognition

Recently, the Swedish supervisory authority responsible for compliance with the General Data Protection Regulation imposed a fine of approximatively EUR 20,000 for the use of technology to monitor students’ attendance. Importantly, the processing of personal data in the form of images of students was not carried out on a permanent basis, but was a short-term test to assess the usefulness of such a solution in the schools’ activity.

Continue reading “A fine for facial recognition”

Posted on Categories IT, privacy/personal data protection

CNIL fines insurance broker for online breach of personal data

We wrote several months ago about the imposition of fines by the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) for data protection breaches. Recently CNIL has imposed more fines, including for violation of standards for secure processing of personal data on a website.

The case involved an auto insurance broker. On the broker’s website, users could request a calculation of insurance premiums, conclude an insurance contract, and log on to their account, where various types of personal data were accessible, such as bank statements and information about driving-licence suspensions or convictions for traffic violations.

Continue reading “CNIL fines insurance broker for online breach of personal data”

Posted on Categories privacy/personal data protection, telecommunication

Collection of marketing consents probed by consumer watchdog

After a proceeding lasting two years, the Office of Competition and Consumer Protection (UOKiK) issued a decision on 30 May 2019 in the case of the Polish telecom Netia concerning the method of collecting marketing consents, and the wording of the consents, obtained for Netia by its business partners. UOKiK found that a substantial showing was made that Netia’s practice of making telephone calls to consumers who were not Netia subscribers, and had not given prior consent to contacts by telephone, violated the collective interests of consumers.

Continue reading “Collection of marketing consents probed by consumer watchdog”

Posted on Categories privacy/personal data protection

Processing of location data may require a data protection impact assessment

On 17 June 2019 the president of Poland’s Personal Data Protection Office (UODO) issued the Communication on the List of Personal Data Processing Operations Requiring an Assessment of the Impact of Processing on the Protection of Personal Data. The legal basis for issuance of the communication is Art. 35(4) of the EU’s General Data Protection Regulation, under which each member state’s supervisory authority must establish and publish a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. At the same time, the prior list, enclosed with the communication of 17 August 2018, was repealed. The new list reflects the opinion issued by the European Data Protection Board and covers personal data processing activities connected with offering of goods and services to data subjects or monitoring of their behaviour in multiple EU member states.

Continue reading “Processing of location data may require a data protection impact assessment”