Why was the "privacy consent" display ruled a privacy-law violation and fined 30 million yen?
The "privacy consent" pop-up violates the law, so pay 250,000 euros (about 33 million yen). Why?
On February 2, the Belgian Data Protection Authority (BE DPA) found that IAB Europe, the European arm of the US industry group that sets technology standards for online advertising, had violated the European Union's data protection law, the General Data Protection Regulation (GDPR), and ordered it to pay a fine of 250,000 euros and delete the collected data.
At issue was the "privacy consent" specification that IAB Europe formulated for the automated trading of online advertising.
This specification was meant to comply with EU privacy rules such as the GDPR, but its explanation to users and its protection of personal data were found to be "insufficient."
In the EU, the "Digital Services Act" bill, which covers targeted advertising, has passed the European Council, and sites that use "Google Analytics" to analyze users' browsing data have been found to violate the GDPR. The trend toward strict handling of large-scale personal data processing, centered on the major US IT companies, is growing.
In Japan, on the other hand, a report by a Ministry of Internal Affairs and Communications expert panel on strengthening privacy protection was scaled back after pushback from industry groups, and Yahoo announced that it would suspend browsing from Europe.
Is it a case of "others are others, our house is our house"?
● Not compliant with the GDPR
In the release announcing the February 2 decision that IAB Europe violated the GDPR, Hielke Hijmans of the Belgian Data Protection Authority (BE DPA) commented.
The complainants were human rights organizations such as Panopticon Association (Poland), Bits of Freedom (Netherlands), and Human Rights Federation (France).
"IAB" is an online advertising industry group headquartered in New York in the United States. It works on technical standards and surveys for online advertising, spanning 45 countries and more than 700 media, brands, advertising companies, and IT companies. "IAB Europe" is its European regional organization.
At issue was the "Transparency and Consent Framework" (TCF), a standard formulated by IAB Europe. It went into operation in April 2018 and was revised in August 2019 (v2.0).
"TCF" is a specification by which websites obtain users' consent to the use of personal data, and it was drawn up for the purpose of complying with the ePrivacy Directive for the telecommunications sector (July 2002).
As the Belgian Data Protection Authority pointed out, the complaints focused on the real-time bidding (RTB) system, the automated trading used to deliver personalized advertisements to users: how personal data was actually handled and protected there, and what was explained to users in advance.
● Personal data for real-time bidding
The Belgian Data Protection Authority found that the "TCF" violates the GDPR.
When a user first visits a European website, a pop-up is displayed asking for consent to the use of personal data. This mechanism is the "consent management platform (CMP)."
The content of the user's consent is circulated through the real-time bidding system for online advertising as data called the "TC string."
In real-time bidding, when the user views a site, this "TC string" and related data are sent to the system, and an automated auction for personalized advertising is held. The winning advertisement is displayed instantly, and this process is repeated at high speed.
The Belgian Data Protection Authority found that the "TC string," which is handled together with the IP address of the user's device, is personal data protected by the GDPR.
The GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5).
The Belgian Data Protection Authority pointed out that the explanation given when asking for the user's consent was extremely ambiguous, and that it did not meet "fairness and transparency" at the time of user consent. It also pointed out that the legal basis for the data processing was insufficient, so "lawfulness" was not satisfied. In addition, organizational and technical measures for data protection had not been taken.
It also states that the decision is not that of the Belgian Data Protection Authority alone.
The draft of this decision was sent in November 2021 to the data protection authorities of the 30 countries of the European Economic Area (EEA), including the EU, where the GDPR applies, and obtained their approval.
Similar complaints are said to number nine since 2019, and similar decisions may follow in the future.
● Responsibility as a data controller
In this decision, the Belgian Data Protection Authority found that IAB Europe, an industry organization, is a "data controller" responsible for managing personal data.
This is the point on which "IAB Europe" disagrees most. "IAB Europe" claimed that it has merely formulated the "TCF" and is not directly involved in the data.
As the reason for this finding, the data protection authority states that "IAB Europe" leads the "TCF," which defines the specifications for handling personal data such as the "TC string," and holds authority over how that personal data is handled. It is therefore considered a "data controller" jointly responsible with the companies involved in handling the personal data.
With this decision, "IAB Europe" was fined 250,000 euros and ordered to stop processing and delete all illegally collected personal data, and further to submit an action plan for eliminating the illegal state and carry it out within six months. If this deadline is missed, a penalty of 5,000 euros (about 660,000 yen) per day will be imposed.
"IAB Europe" can file an appeal within two months.
In response to this decision, "IAB Europe" released a statement. In it, it said, "We refuse to be regarded as a data controller for the TCF," and went on to state, "We will consider all legal options."
● The trend toward stronger personal data protection
In Europe, the trend of personal data protection aimed at the giant US IT companies is clear.
On January 20, the European Parliament passed the "Digital Services Act" bill, which focuses on regulating giant IT companies, including measures against fake news. The bill also includes a ban on deceptive steering of users (dark patterns), simpler options for targeted advertising, and a ban on targeted advertising to minors.
In addition, on December 22, 2021, the Austrian Data Protection Authority (DSB) found that a health site using Google's site analytics service "Google Analytics" violated the GDPR by sending personal data to the United States, which does not have a sufficient level of protection.
* See: Why are "illegal" decisions on sending personal data to Google coming one after another? (01/17/2022)
According to the decision of the Austrian data protection authority, Google is a US company and is subject to data surveillance by US intelligence agencies under the Foreign Intelligence Surveillance Act (FISA) and other laws. It held that protection is not effective because the possibility of surveillance and access by US intelligence agencies is not eliminated, and that this data transfer is therefore a "GDPR violation."
Similar complaints number 100 across the EEA.
Regarding data transfers to the United States, the Court of Justice of the EU has made similar findings, and the EU-US privacy agreements, the "Safe Harbor" agreement and the "Privacy Shield" agreement, have been invalidated one after another.
* See: "Disqualified on privacy protection": the table is overturned a second time; will Facebook be unable to transfer data? (07/18/2020)
* See: "The US does not meet privacy protection standards": EU ruling sets the net abuzz (10/17/2015)
In addition, on January 6 the French data protection authority (CNIL) found that failing to provide a refuse button violated the data protection law, and imposed a record-high fine of 150 million euros (about 20 billion yen) on Google and 60 million euros on Facebook (Meta).
Beyond this, the EU is also considering an "ePrivacy Regulation" to replace the current ePrivacy Directive, as well as a bill, from the end of November 2021, focusing on online political advertising.
● "Others are others, our house is our house"
There were several developments in Japan, which was recognized in January 2019 as having a sufficient level of personal data protection.
The Ministry of Internal Affairs and Communications' expert panel, the "Study Group on Telecommunications Business Governance," published a report on January 14 toward revision of the Telecommunications Business Act. However, the privacy protection measures it had initially included, such as those covering user IDs, were scaled back significantly due to opposition from IT companies and others.
Yahoo also announced on February 1 that it would end access from the EEA and the UK on April 6, stating that "it was determined that it was unable to continue in terms of the cost of complying with laws and regulations." The EEA is the area where the GDPR applies, and the UK has a law equivalent to the GDPR.
Yahoo has 68 million monthly active users on smartphones, the largest in Japan, and is also the largest in Japan on computers.
On January 24, the Personal Information Protection Commission published the current state of personal information protection in 25 countries, including the United States, as a "survey on the protection of personal information in foreign countries." It is based on an outsourced report released in November 2021.
The November report also describes so-called "government access" in countries such as the United States, including the Foreign Intelligence Surveillance Act, which was the basis on which the Court of Justice of the EU invalidated the privacy agreements.
However, in the material on the US (federal) published by the Personal Information Protection Commission on January 24, the column for "systems that impose on business operators a duty to cooperate with government information-gathering activities and that may have a significant impact on rights and interests" contains only a "-" mark, with no particular description or comment.
The EU's privacy and Japan's "privacy" seem to be different things.
The "rule" of "others are others, our house is our house" (NHK "Come Come Everybody," Episode 65)
(* Reprinted, with additions and revisions, from "新聞紙学的" of February 7, 2022)