Czech Republic: Data protection authority fines Avast 13.9 million euros

The antivirus software company Avast must pay a high GDPR fine because it illegally transferred user data to its subsidiary Jumpshot.

This article was originally published in German and has been automatically translated.

After around five years of dispute, a final decision has now been made: the antivirus software manufacturer Avast must pay a fine of around 13.9 million euros (351 million Czech crowns) for violations of the General Data Protection Regulation (GDPR). The fine was imposed by the Czech data protection authority, as the company is headquartered in Prague. The inspectors suspected massive GDPR violations as early as 2020, after Avast had transferred user data from its own core product and associated browser extensions to its subsidiary Jumpshot on a large scale without a legal basis for such processing.

According to the final decision published by the European Data Protection Board (EDPB) on April 10, 2024, the transferred data concerned around 100 million users. In particular, it also included "pseudonymized internet browsing histories" of the data subjects, linked to a unique identifier. Furthermore, Avast had "misinformed its customers about the aforementioned data transfers" and claimed that these were anonymized and used exclusively for statistical trend analyses.

The Czech inspectors came to the conclusion that internet browsing history, even if it is not complete, can constitute personal data. This is because it is possible to re-identify at least some of those affected. Avast's infringement is all the more serious as the company is "one of the leading experts in cybersecurity" and offers tools to protect users' data and privacy. Specifically, the supervisory authority considers Avast to have violated Articles 6 and 13 of the GDPR, which deal, for example, with the requirement for informed consent and the obligation to provide information when collecting personal data from the data subject.

In 2020, Avast assured users that it takes their privacy concerns very seriously and said that this was why Jumpshot was closed. Although the company no longer considered the approach to be appropriate, it maintained that all actions were absolutely legal under the GDPR.

The data protection authorities initiated the proceedings based on media reports from the end of 2019 and beginning of 2020 and on anonymous tips. The disputed transfers took place between April and July 2019. The supervisory authority issued its first relevant decision on 14 March 2022. Avast filed an appeal against it under administrative law, which the supervisory authority has now rejected. This means that all legal remedies have been exhausted, and the decision can now be enforced.

The US trade authority, the Federal Trade Commission (FTC), has imposed another large fine of 16.5 million US dollars on the antivirus software provider. This also relates to the conduct of the browser extension, which was supposed to provide tracking protection, and to the transfer of data to Jumpshot.

(mki)