Record fine issued by the Czech DPA for the sharing of de-identified but not truly anonymous data

Reading Time: 4 minutes

Authors:  

Claire Looney | Senior Data Protection Advisor
Ciaran Greaney | Senior Data Protection Advisor

Date: 28 May 2024

The Czech Data Protection Authority (DPA) recently upheld a complaint relating to processing by Avast Software (Avast). The fine resulting from the decision constitutes the Authority’s highest ever fine – equivalent to €13.7m. The fine was due to Avast’s disclosure of user browsing data relating to more than 100 million of its antivirus program users to third parties for statistical analysis purposes. While Avast maintained the data was anonymous, the Czech DPA found that Avast had failed to fully anonymise the data, and the disclosure of personal data to third parties for statistical purposes was deemed unlawful. 

An investigation was initiated following the Czech DPA’s receipt of an anonymous complaint in 2020. The complaint alleged that Avast had, for a period of time in 2019, collected browsing data from its users, which was ultimately sold to third parties. The data was alleged to have been pseudonymised, rather than fully anonymised. It was alleged that the browsing data was linked to individual users through a unique identifier, offering in-depth insights into user browsing behaviour online.  

This article will explore the key issues that were identified during the DPA’s investigation and highlight considerations for organisations in the treatment that should be applied to personal data prior to it being considered truly anonymous, and outside the scope of the GDPR.   

Background 

The Czech DPA upheld the complaint, making findings that Avast, the data controller, had no legal basis to disclose the personal data to a third party for the purposes of statistical analysis. Further, it was found that Avast had failed to fulfil its transparency obligations to the data subjects concerned as it was not made clear that their personal data would be processed for this purpose.  

Avast issued an appeal, citing that they had utilised thorough anonymisation techniques and that users were generally aware that their data would be used for statistical purposes.   

Issues 

The decision by the Czech DPA centred on whether the personal data concerned had been fully anonymised prior to its disclosure. Avast argued that all identifiers, including those which could indirectly identify the data subjects and/or those from which the users’ identity could be inferred, had been removed from the dataset.  

Personal Data Vs Anonymised Data  

Under the GDPR, anonymised data is not considered personal data. A data controller does not therefore require an Article 6 legal basis to process anonymous data – including for disclosure to third parties. However, personal data must be subject to an effective anonymisation process which strips the identifiers of data subjects to the point that they are no longer identified or identifiable, having regard to all methods likely to be used by a controller or third party to identify the data subject.  

In this instance, the data controller considered that the data had been fully anonymised. while the Czech DPA maintained that it remained personal data on the basis that the merging of datasets could result in the reidentification of data subjects, the program users.  

Of note, the reidentification of users, while deemed possible, was contractually prohibited by the controller.  The controller argued that an unlawful act (contractual breach) should not be deemed to be a means reasonably accessible to the controller to result in the reidentification of data subjects. Taking a different view to the data controller in its decision – the Czech DPA deemed that that the merging of datasets by the third party, even in breach of a contractual commitment, was a means reasonably likely to result in reidentification.  

Avast appealed the DPA’s original finding that the processing was unlawful, claiming the data was fully anonymised and also citing alleged procedural flaws and challenging the severity of the fine, arguing that there was no harm caused to users. This appeal did not succeed; rather the Czech DPA affirmed its findings that the controller processed the personal data in breach of its transparency obligations and with no legal basis.  

The DPA held that the data was not fully anonymised as not all identifiers had been removed and so the information that was transferred to third parties was still personal data. The transfer therefore required a legal basis under Article 6. 

The DPA found that the lack of transparency resulted in users being unaware that their personal data would be used to analyse trends from their online behaviour before being transferred or sold to third parties for commercial purposes. The DPA also noted the distinction between the expectations of users for their data to be used by the controller for its own statistical analysis purposes, as opposed to the processing of users’ personal data by a separate entity for purposes distinct from the services provided by the controller. The information provided to users by Avast also failed to communicate any legal basis for the processing of their personal data for this purpose, in breach of Article 13 GDPR.  

The Czech DPA considered the record fine of €13.9m appropriate, having regard to the scope of the processing involving more than 100 million users, and the potential impact on their rights.   

When removing identifiers from personal data before using that data for other purposes – including disclosure to third parties – data controllers must be able to evidence that all identifiers have been removed. Failure to do so could result in unintended processing of personal data, to which data protection law will continue to apply, creating compliance, reputational and financial risks. Controllers must also recognise that even the successful anonymisation of personal data must account for a legal basis for the act of anonymising those personal data, while ensuring that the processing meets the controller’s transparency obligations to data subjects. 

Our Data Protection and Cyber-risk team have extensive experience advising clients on their obligations relating to anonymisation and pseudonymisation of personal data. To discover how our data protection solutions can help support and augment your data protection programme, visit our data protection page or contact our team directly. 

Related posts

Let's discuss your career