
Why a "privacy consent" display violated privacy law and drew a fine of 30 million yen (Kazuhiro Taira) - Individual - Yahoo! News

A "privacy consent" pop-up violates the law, so pay a fine of 250,000 euros (about 33 million yen). Why?

On February 2, the Belgian Data Protection Authority (BE DPA) found that "IAB Europe", the European arm of a US industry group that handles technical standards for online advertising, had violated the European Union (EU) privacy protection law, the General Data Protection Regulation (GDPR), and ordered it to pay a fine of 250,000 euros and to delete the collected data.

The problem was the "privacy consent" specification that IAB Europe formulated for the automated trading of online advertising.

This specification was meant to comply with EU privacy protection rules such as the GDPR, but its explanation to users and its protection of personal data were found to be "insufficient."

In the EU, the "Digital Services Act" bill, which includes regulation of targeted advertising, has passed the European Parliament, and a site using "Google Analytics", a service that analyzes how users view a site, has been found to violate the GDPR. The trend toward dealing strictly with the handling of large amounts of personal data, centered on the major US IT companies, is growing stronger.

In Japan, by contrast, a report by a Ministry of Internal Affairs and Communications expert panel that was meant to strengthen privacy protection has been scaled back in the face of opposition from industry groups, and Yahoo has announced that it will suspend its service in Europe.

Is it a case of "others are others, we are us"?

Hielke Hijmans, a director at the Belgian Data Protection Authority (BE DPA), commented on IAB Europe's GDPR violation in a release the authority published on February 2.

The complainants were human rights organizations such as the Panoptykon Foundation (Poland), Bits of Freedom (Netherlands), and the Human Rights League (France).

"IAB" is an online advertising industry group headquartered in New York in the United States. It works on technical standards and research for online advertising, spanning 45 countries and more than 700 media companies, brands, advertising agencies, and IT companies. "IAB Europe" is its European regional organization.

At issue was the standard formulated by IAB Europe, the "Transparency and Consent Framework (TCF)". It went into operation in April 2018 and was revised in August 2019 (v2.0).

The "TCF" is a specification for how websites obtain users' consent to the use of personal data. It was drawn up for the purpose of complying with the GDPR (in force since May 2018) and the ePrivacy Directive for the telecommunications services sector (in force since July 2002).

As Hijmans of the Belgian Data Protection Authority pointed out, the complaints focused on how personal data is actually handled and protected in the real-time bidding (RTB) system, which automatically trades the advertisements delivered to users, and on the advance explanation given to users.

The Belgian Data Protection Authority found that the "TCF" violates the GDPR.

When a user first visits a European website, a pop-up is displayed with an explanation of this kind and asks for consent to the use of personal data. This mechanism is the "consent management platform (CMP)".

The content of the user's consent is circulated within the real-time bidding system for online advertising as data called the "TC string".

In real-time bidding, when a user views a site, this "TC string" and related data are sent to the system, and an automated auction for personalized advertising is run. The process, in which the winning advertisement is displayed instantly, is repeated at high speed.
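To show what kind of record a "TC string" is, the following added example (not part of the original article and not IAB Europe's code) decodes the leading fields of a TCF v2 core segment. The field layout follows the published TCF v2 string format; the sample string, the CMP ID and all values in it are constructed for illustration.

```python
from datetime import datetime, timezone

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
# Leading fields of the TCF v2 core segment as (name, bit width), in wire order.
FIELDS = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
          ("vendor_list_version", 12), ("tcf_policy_version", 6),
          ("is_service_specific", 1), ("use_non_standard_stacks", 1),
          ("special_feature_opt_ins", 12), ("purposes_consent", 24)]

def encode_core(values):
    """Pack raw integer fields into base64url text (only used to build the sample)."""
    bits = "".join(format(values[name], f"0{width}b") for name, width in FIELDS)
    bits += "0" * (-len(bits) % 6)  # pad to a whole number of 6-bit characters
    return "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))

def decode_core(tc_string):
    """Return the leading core-segment fields of a TC string as a dict."""
    core = tc_string.split(".")[0]  # later segments are dot-separated
    # ALPHABET.index raises ValueError on any character outside base64url
    bits = "".join(format(ALPHABET.index(ch), "06b") for ch in core)
    if len(bits) < sum(width for _, width in FIELDS):
        raise ValueError("core segment shorter than the fixed header")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    for key in ("created", "last_updated"):  # deciseconds since the Unix epoch
        out[key] = datetime.fromtimestamp(out[key] / 10, tz=timezone.utc)
    lang = out["consent_language"]  # two letters, 6 bits each, A=0
    out["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 63))
    mask = out["purposes_consent"]  # purpose 1 is the leftmost bit
    out["purposes_consent"] = [p for p in range(1, 25) if mask >> (24 - p) & 1]
    return out

# Constructed sample: a consent record created 2022-02-02 by a made-up CMP (ID 10).
STAMP = int(datetime(2022, 2, 2, tzinfo=timezone.utc).timestamp() * 10)
SAMPLE_TC = encode_core({
    "version": 2, "created": STAMP, "last_updated": STAMP, "cmp_id": 10,
    "cmp_version": 1, "consent_screen": 1, "consent_language": (4 << 6) | 13,
    "vendor_list_version": 120, "tcf_policy_version": 2,
    "is_service_specific": 0, "use_non_standard_stacks": 0,
    "special_feature_opt_ins": 0,
    "purposes_consent": sum(1 << (24 - p) for p in (1, 3, 4))})

if __name__ == "__main__":
    for field, value in decode_core(SAMPLE_TC).items():
        print(f"{field:24} {value}")
```

The decoded record carries timestamps, the CMP that collected the choice, and the per-purpose consent bits, which is the data that travels with each bid request.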

The Belgian Data Protection Authority found that this "TC string" is handled together with the IP address of the user's device and therefore constitutes personal data protected by the GDPR.

The GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5).

The Belgian Data Protection Authority pointed out that the explanation given when obtaining the user's consent was extremely vague about the purposes of the data processing and did not satisfy "fairness and transparency". It also pointed out that the legal basis for the data processing was inadequate and did not satisfy "lawfulness". In addition, it found that organizational and technical measures for data protection had not been taken.

He also states that the decision is not that of the Belgian Data Protection Authority alone.

The draft of this decision was sent in November 2021 to the data protection authorities of the 30 countries of the European Economic Area (EEA), including the EU, where the GDPR applies, and was approved.

Similar complaints are said to number nine since 2019, and similar rulings may follow.


In this decision, the Belgian Data Protection Authority found that IAB Europe, an industry body, is a "data controller" responsible for the management of personal data.

This is the point that "IAB Europe" contests most strongly. "IAB Europe" argued that it only formulated the "TCF" and is not directly involved with the data.

As grounds for the finding, the data protection authority said that IAB Europe took the lead in formulating the "TCF", which defines the specifications for personal data such as the "TC string", and also has authority over how that personal data is subsequently handled. It is therefore considered a "data controller" that bears responsibility jointly with the companies involved in handling the personal data.

With this decision, IAB Europe was ordered to pay a fine of 250,000 euros, to stop using and delete all illegally collected personal data, and to submit a plan for eliminating the remaining illegal state and carry it out within six months. If the deadline is missed, a penalty of 5,000 euros (about 660,000 yen) per day will be charged.

"IAB Europe" can file an appeal within two months.

In response to this decision, "IAB Europe" issued a comment. In it, the organization said, "We reject being regarded as a data controller for the TCF," and stated that, in responding to the decision, it would "consider all legal options."

In Europe, the trend of strengthening personal data protection with the giant US IT companies in mind continues.

On January 20, the European Parliament passed the "Digital Services Act" bill, which centers on regulating the giant IT companies, including measures against fake news. The bill also includes a ban on deceptive guidance (dark patterns) toward agreement, simpler options for targeted advertising, and a ban on targeted advertising to minors.

In addition, on December 22, 2021, the Austrian Data Protection Authority (DSB) found that a health site using Google's site analytics service "Google Analytics" had violated the GDPR by sending personal data to the United States, which does not have an adequate level of protection.

※ See: Why are decisions finding personal data transfers to Google "illegal" coming one after another? (01/17/2022, 新聞紙学的)

According to the Austrian data protection authority, Google is a US company and is subject to data surveillance by US intelligence agencies under the Foreign Intelligence Surveillance Act (FISA) and other laws. The measures taken are not effective because they do not eliminate the possibility of surveillance and access by US intelligence agencies, so this data transfer is a "GDPR violation".

Similar complaints number 100 across the EEA.

Regarding data transfers to the United States, the Court of Justice of the EU has also reached similar findings, and the EU-US privacy agreements, the "Safe Harbor" agreement and the "Privacy Shield" agreement, have been invalidated one after the other.

※ See: "Failed on privacy protection": with the table flipped a second time, will Facebook be unable to transfer data? (07/18/2020, 新聞紙学的)

※ See: "The US does not meet privacy protection requirements": EU ruling stirs up the net (10/17/2015, 新聞紙学的)

In addition, on January 6 the French data protection authority (CNIL) imposed a record-high fine of 150 million euros (about 20 billion yen) on Google and a fine of 60 million euros on Facebook (Meta), saying that the lack of a refuse button violated the country's data protection law.

Beyond this, the EU has been considering an "ePrivacy Regulation" to replace the current ePrivacy Directive, and at the end of November 2021 a bill focusing on online political advertising was also presented.

Japan, which in January 2019 was mutually recognized as having an adequate level of personal data protection, also saw several developments.

The Ministry of Internal Affairs and Communications' expert panel, the "Telecommunications Business Governance Study Group", published a report on January 14 toward revision of the Telecommunications Business Act. However, the privacy protection content initially proposed, including user IDs, was scaled back significantly due to opposition from IT companies and other industry groups.

Yahoo also announced on February 1 that it would stop providing its services in the EEA and the UK on April 6, stating that "it was determined that we could not continue in terms of the cost of complying with laws and regulations." The EEA is the area where the GDPR applies, and the UK has a law equivalent to the GDPR.

Yahoo's monthly active users are 68 million on smartphones and 12 million on personal computers, the largest in Japan.

On January 24, the Personal Information Protection Commission published the current state of personal information protection in 25 countries, including the United States, as a "survey on systems for the protection of personal information in foreign countries". The source is a report by an outside contractor published in November 2021.

The November report also describes so-called "government access" in the United States and elsewhere, such as under the Foreign Intelligence Surveillance Act, which was the basis on which the Court of Justice of the EU invalidated the privacy agreements.

However, in the material on the US (federal) published by the Personal Information Protection Commission on January 24, the column for "systems that oblige business operators to cooperate with government information gathering activities and that may have a significant impact on the rights and interests of the individual" contains only a "-" mark, with no particular description or comment.

The EU's privacy and Japan's "privacy" seem to be different.

Under the "rule" of "others are others, we are us" (a line spoken by the protagonist Rui Otsuki in episode 65 of NHK's "Come Come Everybody"), will Japan go on developing its own version of "privacy"?

(※ Reprinted, with additions and corrections, from 新聞紙学的, February 7, 2022)