
Rules, sanctions & Twitter | Privacy Digest

About the FTC privacy rulemaking process, the French DPA’s €60 million sanction for an adtech company and an unexpected Twitter security glitch – read and enjoy!

South Korean DPA fines Google and Meta a combined $72M for several privacy violations

The South Korean DPA has fined Google $50M and Meta $22M after finding that they violated the country’s privacy law. Google did not clearly inform users that behavioral information collected on other companies’ services would be gathered and used when they signed up for its service, set the default choice to “agree”, and obscured the further options available via the settings screen.

Meta likewise did not disclose the details it is legally required to give consumers, and did not obtain users’ consent when it gathered and used their behavioral information for personalized advertisements at sign-up.

This is the largest penalty in South Korea for violating personal information protection laws and the country’s first sanction pertaining to the collection and use of behavioral information on online customized advertising platforms. Google and Meta disagree with the fines and might seek a ruling from a court.

Former head of security discloses shocking details about Twitter’s cybersecurity posture

Peiter Zatko, Twitter’s former head of security, testified before the US Senate Judiciary Committee after filing a whistleblower complaint with the Federal Trade Commission (FTC). His revelations outlined a pattern of company leadership ignoring security vulnerabilities, covering up security failures, and misleading regulators, lawmakers and even its own board of directors.

Zatko explains that most of the issues stem from the huge volume of data that Twitter processes and from the fact that Twitter does not know what data it stores or where it stores it. He also revealed that Twitter’s access controls are weak, giving employees access to more data than they need, and that Twitter’s internal systems did not keep a log of which engineers had accessed any specific data set.

Overall, Zatko thinks that only 20% of Twitter’s data is accounted for – the rest is not properly classified and maintained. Finally, Zatko stated that US regulators cannot keep up with Big Tech firms in terms of enforcing rules against them.

French DPA imposes €250K fine over data retention and security violations

The French DPA investigated a legal service provider for violating several obligations under the GDPR. The investigation focused in particular on data retention periods and on the security measures implemented.

The provider stated that the personal data of members and subscribers would be kept for 36 months from the last order for a service and/or document, but the French DPA found that the data of 25% of users was kept beyond that retention period. Moreover, the provider did not require a strong password when an account was created on its website, because password length was capped by the provider’s own systems.

The provider also sent non-temporary account passwords by e-mail in plaintext, and stored in plaintext the passwords, secret questions and answers that users rely on during the password reset procedure. The provider has already taken some steps to remedy the violations found.
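As an added illustration (not code from the digest or from the provider in question), the two remediations the findings above call for, in Python: an audit of stored accounts against the stated 36-months-from-last-order retention period, and salted scrypt password storage that neither keeps plaintext nor imposes a length cap. The account records, audit date and function names are constructed for this example.

```python
import hashlib
import hmac
import os
from datetime import date
from typing import Optional

SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB per hash; tune to your hardware

def retention_cutoff(today: date) -> date:
    """36 months from the last order is three calendar years; clamp 29 Feb in non-leap years."""
    try:
        return today.replace(year=today.year - 3)
    except ValueError:
        return today.replace(year=today.year - 3, day=28)

def overdue_accounts(accounts: list, today: date) -> tuple:
    """Return the account IDs kept beyond the retention period and their share of all accounts."""
    cutoff = retention_cutoff(today)
    overdue = [a["id"] for a in accounts if a["last_order"] < cutoff]
    share = len(overdue) / len(accounts) if accounts else 0.0
    return overdue, share

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted scrypt; scrypt has no input length limit, so the user's password needs no cap."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest  # only this value is persisted, never the plaintext

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# Constructed sample: four member accounts audited on a constructed date (2022-09-20)
SAMPLE_ACCOUNTS = [
    {"id": "m1", "last_order": date(2022, 1, 10)},
    {"id": "m2", "last_order": date(2019, 9, 19)},  # one day past the 36-month window
    {"id": "m3", "last_order": date(2019, 9, 20)},  # exactly at the cutoff: still retainable
    {"id": "m4", "last_order": date(2018, 5, 1)},
]

def run_sample_audit() -> tuple:
    return overdue_accounts(SAMPLE_ACCOUNTS, date(2022, 9, 20))

if __name__ == "__main__":
    ids, share = run_sample_audit()
    print(f"{len(ids)} of {len(SAMPLE_ACCOUNTS)} accounts ({share:.0%}) kept beyond retention: {ids}")
    stored = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", stored))
```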
