An American father of two school children has filed a lawsuit against Google alleging violation of privacy in the collection of voice prints, face scans and other personal data from children. The father is demanding compensation and that Google destroy all biometric data already collected from children/students.
The father argues that Google is violating the Children's Online Privacy Protection Act (COPPA), a federal law, as well as the Biometric Data Protection Act (BIPA) in the state of Illinois, where the family resides.
The federal Act prohibits internet companies from collecting personal data from children under the age of 13 without parental consent, and the Illinois Act prohibits the collection of biometric data, including facial recognition scans and voice prints, without the user's consent.
The core of this case is Google's educational programs and the Chromebooks that have been distributed to students. Among other things, it is alleged that Google's "G Suite for Education" platform instructs children to speak into Chromebook microphones and look into the camera in order to collect biometric data.
According to the father, Google has never disclosed which data are collected, how long they are stored and for which purposes.
At this stage, the date for delivery of judgment is unknown.
The Danish Data Protection Agency (DPA) has expressed serious criticism in a case where the Danish Municipality of Kolding, since 2012, has been processing documents containing personal data in about 400,000 cases without taking appropriate technical and organisational measures.
The municipality has been using an electronic system for document handling (ESDH) for a number of years. In connection with an upgrade of the system, the municipality's supplier changed the rights management to the underlying file structure without the municipality being informed of such change. The documents, which under normal conditions could only be accessed through the ESDH system, were made available to 2,400 of the municipality's employees if the document file was accessed directly. This direct access to the documents was not logged.
The Municipality of Kolding had had annual audits performed of a number of the IT systems they were using. From the audit reports it appeared that the municipality's overall management of IT security in the accounting area was satisfactory. The audits did not include a general review of the technical and organisational security measures nor of the procedures for such.
The audits carried out in the period 2016-2018 had generally not considered personal data protection or errors in the configuration of access rights, and no other control measures for these were in place. In view of this, and considering the specific lack of security on the document drive and the access to documents that bypassed any logging, no appropriate technical and organisational measures had been taken. It may have been a mitigating circumstance that the Municipality of Kolding will in future, among other things, perform scans for open drives on the network as part of its GDPR annual wheel.
Read the decision here (in Danish).
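As an added illustration (not code from the decision or from the municipality's systems), this is the kind of check that would have caught the silent rights change described above: a permission baseline is recorded for the document drive, the tree is rescanned later, and any file whose permissions changed or became readable by everyone is reported. The directory layout and case files are constructed for the example.

```python
"""Permission-drift check for a document store (added example, not from the Kolding case)."""
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root to its permission bits, e.g. '0o600'."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            snap[str(path.relative_to(root))] = oct(mode)
    return snap


def find_drift(baseline, current):
    """Return (relative_path, finding, mode) tuples for anything that
    appeared, disappeared or changed since the baseline, plus any file
    that is readable by 'other' (i.e. by every account on the host)."""
    findings = []
    for rel, mode in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append((rel, "new", mode))
        elif old != mode:
            findings.append((rel, f"changed {old}->{mode}", mode))
        if int(mode, 8) & stat.S_IROTH:
            findings.append((rel, "world-readable", mode))
    for rel in baseline.keys() - current.keys():
        findings.append((rel, "missing", baseline[rel]))
    return findings


def demo():
    """Constructed scenario: a system upgrade silently widens the rights
    on one case file. Only the files are constructed; nothing here is
    taken from the municipality's real environment."""
    with tempfile.TemporaryDirectory() as root:
        cases = Path(root, "cases")
        cases.mkdir()
        for name in ("case-0001.pdf", "case-0002.pdf"):
            doc = cases / name
            doc.write_text("constructed sample document")
            doc.chmod(0o600)  # readable only by the document system's account
        baseline = snapshot(root)  # recorded before the upgrade
        (cases / "case-0002.pdf").chmod(0o644)  # the unannounced rights change
        return find_drift(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, finding, mode in demo():
        print(f"{rel}: {finding} ({mode})")
```

Scheduling such a scan (the page mentions an annual wheel; more frequent runs are cheap) and alerting on any "changed" or "world-readable" finding gives the data controller the visibility that the audits here did not provide.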
BroBizz A/S (a Danish business developing and managing the BroBizz® concept, which provides automatic payment on bridges, ferries and toll roads, in car parks, etc.) has become subject to serious criticism from the Danish DPA in three cases where BroBizz A/S, when replying to customer inquiries, disclosed personal data, including location information, to unauthorised third parties.
In one of the cases, a customer service representative disclosed a customer's location data (regarding use of the BroBizz transmitter) to the customer's ex-partner after having been provided with only a phone number. In addition to the location data, the ex-partner was also told that there had been two passengers in the customer's car when the customer passed the toll station on the Great Belt Bridge.
BroBizz A/S itself reported the three cases as personal data breaches. In the light of the reported breaches, the DPA asked BroBizz A/S to forward, among other things, its risk assessment for customer verification and copies of the company's specific procedures and instructions, in particular those concerning verification of the identity of natural persons requesting access.
On the basis of the risk assessment, the DPA found that BroBizz A/S, when assessing what constituted a sufficient level of security, had not taken adequate account of the risks posed by the processing, in particular the risk of unauthorised disclosure of, or access to, personal data.
Read the decision here (in Danish).
The Danish Data Protection Agency has also addressed the subject of ID validation in the Pandora decision, which is available here.
Datainspektionen (the Swedish DPA) has imposed a fine totalling SEK 200,000 (EUR 18,700) on Swedish Statens Servicecenter, which provides administrative assistance to other authorities and services to private individuals at 113 service offices in Sweden.
After receiving several reports regarding an error in the payroll management system of Statens Servicecenter resulting in unauthorised access to personal data, the Swedish DPA began investigating the matter.
The reported error meant that unauthorised individuals could access personal data belonging to authorities that used the service centre for payroll management and, in part, personal data about the staff employed at the service centre itself.
In reviewing the matter, the DPA established that Statens Servicecenter had neither informed the relevant authorities in due time nor reported the matter to the DPA in due time. In addition, the documentation was insufficient.
Statens Servicecenter took nearly five months to notify the affected authorities of the incident and nearly three months to report it to the DPA.
In its decision, the DPA stated that when an incident of this nature is detected, it is important to inform the other authorities, which are also data controllers, as soon as possible so that they can report the matter to the DPA and take appropriate measures to minimise any risk. This failure to inform led to a fine of SEK 150,000 (EUR 14,000). The fact that the breach was not reported to the Swedish DPA within 72 hours of Statens Servicecenter becoming aware of the incident led to an additional fine of SEK 50,000 (EUR 4,700).
The decision demonstrates the importance of immediately dealing with a data breach and at the same time reporting such to the relevant DPA so that any damage caused by the breach can be minimised. If a company does not already have a contingency plan for personal data breaches, the decision also demonstrates that this should be a priority.
The decision can be read here (in Swedish).