Irish Data Protection Commission (DPC) issued a total of €390 million in fines to Meta
In the early days of 2023, the Irish Data Protection Commission (DPC) issued a total of €390 million in fines to Meta. The investigations into Meta's provision of the Facebook and Instagram services were opened following two separate complaints that raised essentially the same issues. According to the decision, the company had been obtaining prior informed consent from individuals to provide personalized or behavioral advertising to users. However, with an update to its terms of service in 2018, when GDPR came into effect, the company changed its legal basis and forced users to accept the processing of their data for advertising purposes. The DPC imposed fines of €210 million for Facebook and €180 million for Instagram on Meta Ireland for this violation.
WhatsApp will pay €5.5 million
WhatsApp has been fined €5.5 million by the Irish Data Protection Commission for violating data protection laws. Following the total fine of €390 million imposed on Meta companies Facebook and Instagram, WhatsApp has also faced sanctions for trying to force users to accept changes to its terms of service, similar to its sister companies, and for non-compliance with transparency obligations. The company has six months to bring its data processing activities in line with GDPR. The authority stated that the relatively lower fine was due to WhatsApp already being fined €225 million for failing to fulfill its obligations. With this fine, the total amount of fines imposed on Meta by the Irish Data Protection Commission reaches €1.3 billion.
CNIL has fined Apple €8 million
The French Data Protection Authority (CNIL) has fined Apple €8 million for collecting identifiers from users who visited the App Store on the iPhone operating system version 14.6 without obtaining prior consent. According to CNIL, the amount of the fine was determined by evaluating the scope of processing limited to App Store, the number of individuals in France affected by this practice, and the profits generated by the data collected through these identifiers.
The Finnish authority fined a healthcare company €230,000
The Finnish Data Protection Authority has imposed an administrative fine of €230,000 on Viking Line for processing the health data of its employees unlawfully. According to a complaint filed by a former employee, the company has been storing the health data of its employees in a human resources system for 20 years and has been incorrectly maintaining some information. The company was found to have violated various data protection regulations, including failing to inform its employees properly about the processing of their personal data and retaining incorrect data about its employees for a considerable period of time. As a result of these violations, the company was fined and received a reprimand from the Data Protection Authority.
CNIL has fined TikTok €5 million
The French Data Protection Authority CNIL has fined TikTok €5 million for failing to make refusing cookies as easy for users as accepting them. According to the decision, TikTok provided users with a mechanism to instantly accept cookies on the platform, but did not offer an equivalent option to refuse them. Additionally, it was stated that users were not sufficiently informed about the purposes of cookies.
CNIL fined a company €3 million for conducting unauthorized advertising activities
The French Data Protection Authority CNIL has imposed a €3 million fine on mobile app developer Voodoo for using a technical identifier (IDFV) for advertising without users’ consent. Following its checks on Voodoo and several other iPhone apps, CNIL found that tracking for advertising purposes through technical identifiers continued in the app even when the user had explicitly refused it. In addition to the administrative fine, the company will have to pay €20,000 for each delay if it does not make the use of technical identifiers for advertising purposes conditional on user consent within 3 months.
Portuguese authorities imposed an administrative fine on a public institution
The Portuguese Data Protection Authority (CNPD) has imposed an administrative fine of €4.3 million on the Portuguese National Institute of Statistics (INE) for violating census regulations. According to the decision, the INE, a public institution, required individuals to answer many questions, including those related to religion and health, through an online survey. Additionally, the institution violated transparency obligations by failing to provide users with detailed information, and it did not perform a Data Protection Impact Assessment (DPIA) before starting data processing activities related to the survey.
Data breach notifications covering more than 4 million records were reported to the KVKK
In January, three data breach notifications were submitted to the Personal Data Protection Authority regarding more than 4 million affected records in total. According to the notifications, the data breach was caused by a short-term port vulnerability during the installation of a program used for personnel and accounting operations at one of the branches, which resulted in a cyber attack. Personal data affected by the breach included the names, Turkish identity numbers, addresses, photos, professional information, and blood type information of employees and patients.
The Turkish Personal Data Protection Authority has published the updated administrative fines
The Personal Data Protection Authority (KVKK) has announced the updated amounts of administrative fines that will be applicable for the year 2023. Accordingly, with the revaluation rates, the range of administrative fines that may be imposed for non-compliance with personal data protection regulations will vary between 29,582 TL and 5,971,989 TL depending on the type of violation, as of the year 2023.
Mailchimp announced that dozens of customers’ data have been exposed
Email marketing and newsletter giant Mailchimp announced that it has been hit by a social engineering attack and that dozens of customers’ data have been exposed. According to the company’s statement, an unauthorized person used a social engineering method targeting the company’s employees and contractors to gain access to one of the tools used by customer-facing teams for customer support and account management. As a result, 133 Mailchimp accounts were affected by this breach. Although this is Mailchimp’s first attack in 2023, it is not the first breach the company has faced. The company had previously said that it had suffered a social engineering attack in August 2022, which put customer support personnel’s identities at risk and allowed uninvited guests to access Mailchimp’s internal tools.
Thousands of PayPal accounts breached
According to the security breach notification made by PayPal on January 18th, attackers obtained unauthorized access to thousands of user accounts through a credential stuffing attack. The notification stated that personal data of the relevant individuals, including “name, address, social security number, individual tax number, and date of birth,” may have been accessed. The company announced that it is giving customers affected by the breach two years of free access to identity monitoring services provided by Equifax.