Almost EUR 14mn for illegal data transfer of cybersecurity giant
- Author: Wolfgang von Sandersleben, DP-Dock GmbH
- Last updated: June 2024
- Category: Data Security
The importance of data protection can be hard to grasp, not only for individuals but also for companies. However, when even one of the leading experts in cybersecurity has to pay more than 10MM euros because of a violation of the GDPR, adequate protection mechanisms seem all the more necessary. On April 10th, 2024, the Czech DPA decided to impose a fine of 13.9MM euros on the cybersecurity giant Avast for illegally transferring user data to a subsidiary company named Jumpshot. Remember: as per Art. 83 (5) GDPR, the administrative fine imposed by a DPA can be up to 20MM EUR or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
The case concerned the data of over 100MM users, which had been derived from Avast's own core product as well as from associated browser extensions. The collected data was then transferred to Jumpshot, which sold it to Google, Microsoft and other key actors that use data for profiling. Even though the data had been anonymized, Jumpshot was able to connect it to identifiable persons through IDs and movement profiles. In 2020, Avast had claimed that it did not sell the data in the beginning; shortly after the claims were publicized, however, Avast closed its subsidiary so as not to further harm its public reputation, since its mission is to create a safer digital environment.
However, the efforts to regain public trust were probably crushed by the DPA decision in April. Not only did Avast wrongfully transfer data, but it also misinformed its customers about the transfers concerned by stating that the data had been anonymized and processed solely for statistical purposes.
Outside the EU, Avast also had to pay another large fine of 16.5 MM USD, imposed by the US trade authority on the basis of misconduct involving the browser extension, which was initially created to provide extra protection. The case of Avast demonstrates the seriousness of unlawful data transfers and unauthorized selling of personal data. Services like DPOs are essential to stay aligned with the EU GDPR, especially for companies residing outside the EU.