As the leading data protection conference welcomed 2,000 delegates to the Queen Elizabeth II Centre in Westminster last week, news broke of the Irish Data Protection Commission’s (DPC) intention to investigate Google and Tinder regarding issues that were in focus at the event.
Last week the Irish Data Protection Commission (DPC) revealed it has been taking notifications from EU-based consumer organisations, which question Google’s transparency in its processing of location information.
In reference to the inquiry, the DPC said it seeks to establish “whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.”
A spokesperson from Google said:
“We will cooperate fully with the office of the Data Protection Commission in its inquiry, and continue to work closely with regulators and consumer associations across Europe.
“In the last year, we have made a number of product changes to improve the level of user transparency and control over location data.”
Complaints have also been sent to the DPC regarding data processing behaviours at dating app Tinder.
The Irish Data Commissioner said:
“The inquiry of the DPC will set out to establish whether the company has a legal basis for the ongoing processing of its users’ personal data and whether it meets its obligations as a data controller with regard to transparency and its compliance with data subject rights requests.”
In response, a spokesperson for the Match Group, Tinder’s parent entity, underlined how “transparency and protecting users’ personal data” is of “utmost importance” to the Group.
The multiple risks of non-compliance
The penalty for breaking GDPR rules can be up to 4% of annual turnover or 20 million euros, whichever is greater.
However, the DPC’s investigation was subsequently reflected in a drop in Alphabet’s stock market performance, illustrating the very immediate negative repercussions a potential data breach can have on any organisation.
The revelations broke as industry experts debated the vital importance of compliant data handling at PrivSec London, a conference that explores the relationship between data privacy and cyber security.
Opening PrivSec London in the conference’s Privacy and Security theatre, Baroness Neville-Rolfe reminded delegates of the fundamental importance of data in our modern society.
“Data is the oil equivalent of an extraordinary digital revolution, affecting almost everything on the planet. The issue of privacy has gone up and up the agenda. This is the age of data. There are new risks and new opportunities,” Baroness Neville-Rolfe said.
“The idea of a data leak should be keeping us awake at night,” she added.
As Brexit looms, companies are under increased pressure to ensure that cross-border data transfers are set to comply with legislative frameworks such as the GDPR beyond December 2020, when Britain officially leaves the EU.
A full day of discussion was devoted to the topic in PrivSec London’s Brexit theatre.
Flor McCarthy, Director at EU Business Partners, said:
“In terms of transfers, the critical thing to think about is that the UK is in transition to being a full-scale 3rd country. The first step is identifying what international data transfers are happening. What provisions can you make to allow those transfers to take place?”
Describing an uncertain future for international data transfer laws, Abigail Dubiniecki, Founder, Strategic Compliance Consulting Ltd, said:
“The day after Brexit through to 31 December 2020 we will be in a transition period. The ICO has assured us it’s ‘business as usual’ for data protection. But post December 31, 2020, we have a huge unknown.
“There could be a new trade deal with the EU that clearly sets out the new UK-EU relationship. There could be a no-deal, cliff-edge situation, an extension, or maybe the UK will have another deal in the works (unlikely).
“The UK may or may not be found to be ‘adequate’ for the purpose of data flows. In this case, uncertainty delayed, is certainty denied.
“We have to plan for multiple scenarios. But one thing is certain for data protection. Whether you’re in or out, EU’s data protection and privacy laws impact businesses around the world. Comply / align or lose market access.
“Even if you’re a UK-only business, the GDPR has been incorporated into UK law through the Data Protection Act 2018. Stick to the principles and the good practices the GDPR has forced upon us and go beyond. Privacy and trust are business differentiators.”
CEOs, CISOs and IT practitioners can keep up with the debate surrounding international data transfers at forthcoming PrivSec events.
Stay on top of all the key cybersecurity and data privacy issues affected by the UK’s withdrawal from the EU at Brexit Briefing by PrivSec, coming to a central London venue on 18th March 2020.