First GDPR Enforcement Notice Issued; €20 Million Fine if Compliance Deadline Is Missed

Just five days after GDPR took effect, AggregateIQ was confirmed to be holding data it should not have kept…

UK regulators have issued the country's first GDPR enforcement notice to the Canadian data company AggregateIQ (AIQ), giving the firm, which is linked to the Brexit campaign group Vote Leave, 30 days to bring itself into compliance; if it fails to do so by the deadline, the company faces a fine of €20 million.

The UK Information Commissioner's Office (ICO) said that AIQ's retention of UK citizens' data appears to have caused harm to the citizens affected, and that the company is in breach of Articles 5 and 6 of GDPR.

Under the previous data protection legislation, the ICO has already fined a string of companies up to £500,000, the maximum that legislation allowed.

Since GDPR took effect on 25 May this year, the data regulator has had the power to impose civil monetary penalties on data controllers of up to €20 million (approximately £17.8 million) or 4% of a company's total turnover.

The Brexit campaign group Vote Leave paid AIQ £2.7 million to target advertising at prospective voters during the UK's EU referendum.

AIQ has appealed against the enforcement notice. According to the BBC, the notice was published in July as an annex to the ICO's progress report on its data analytics investigation.

An AIQ spokesman confirmed to Computer Business Review that the company had indeed appealed, but declined to comment further.

GDPR Enforcement: A Test Case

In the notice, the ICO stated that the Commissioner had been in contact with AIQ about its processing of personal data in the course of providing data processing services to UK political organisations (Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave).

In correspondence with the Commissioner dated 30 May 2018, AIQ admitted that it still held personal data of UK citizens. That data was stored in a code repository and had previously been subject to unauthorised access by a third party.

Nigel Tozer, GDPR specialist at the US company Commvault, said the enforcement notice was primarily directed at the processing of citizens' data for purposes they would not have expected.

Tozer said that many companies have focused only on the security-related aspects inherent in the regulation, and that the enforcement notice should be taken as a reminder to organisations that the retention and processing of data, including data collected before 25 May, falls fully under the new regulation.

Regardless of a company's size or sector, the notice should be treated as a wake-up call, and will hopefully spur many companies to re-examine their current policies on the use of personal data.

The General Data Protection Regulation (GDPR) came into effect across the European Union on 25 May this year, updating the laws and regulations governing personal data and privacy. GDPR requires organisations to report personal data breaches to the relevant authorities within 72 hours of becoming aware of them.

The ICO says that if a breach is likely to result in a high risk to the rights and freedoms of EU citizens, organisations must notify the affected individuals without delay. Organisations should also ensure they have robust breach detection, investigation and internal reporting procedures in place.

The Cambridge Analytica/Facebook scandal triggered a 14-month investigation into the use of data in political campaigns. In July, the UK data regulator published the interim report of that investigation and, in a companion report, "Democracy Disrupted?", set out a number of recommendations arising from it.

