One of the key challenges in privacy and data protection remains trust and accountability.
We witnessed a massive surge these last few years in the introduction of new laws protecting personal data of internet users. And yet, at the same time all these internet users are still heavily reliant on the willingness of the many online service providers to respect their privacy and right to data protection. Enforcement authorities do their best to incentivize service providers to comply with the laws that have been introduced, but enforcement takes time and money, and often a lot of both.
End of February 2024, this was once again demonstrated by a decision issued by the US Federal Trade Commission. Avast, a multinational cybersecurity firm headquartered in the Czech Republic, was fined $16.7 million for rather significant privacy violations committed between 2014 and 2020. The FTC held that Avast had sold the browsing history and related information of customers who used its antivirus products and related browser extensions to other companies. This was all the more appalling considering that Avast is a cybersecurity firm which users entrust with the safety of their devices and the data they contain.
While it may be good from a privacy perspective that the FTC has taken such action, one cannot but note how long it took for the FTC to come to this decision. The privacy and data protection violations committed by Avast were by no means “new” or unknown. The technology websites “Motherboard” and “PCMag” uncovered these violations in 2020. This triggered a Spanish consumer rights NGO called “Facua” to file a complaint with the Spanish data protection authority against Avast that same year. The complaint was then transferred to the Czech data protection authority which, as lead supervisory authority for Avast, was competent to lead the investigation. Ultimately, in March 2023, Avast was fined €13.7 million for its infringements of the GDPR for the same facts which have now also been investigated by the FTC.
In other words, it took authorities 3 years to wrap up their investigations. Luckily, Avast in this particular case ceased its infringing activities back in 2020 when the investigations began. Many other companies are not as diligent and often continue their infringing activities whilst investigations by enforcement authorities are on-going. In this particular case, it would have meant that Avast would have been able to continue its practices for another 3 years. This shows just how time consuming these (often technically complicated) investigations are.
It also shows however, just how important it is for internet users to remain in control over their own personal data. Trust and accountability are important legal principles and objectives, certainly, but in reality they will only be worth something if the other side (i.e. the service providers) choose to abide by them.
Hence, it only makes sense that internet users first and foremost rely on themselves when it comes to protecting their privacy and their personal data. The European Union funded TrustChain project that aims to develop a portfolio of services and solutions which give internet users, and citizens in general, the means to remain in control. These include solutions for decentralized identities and safe data sharing and commoditization.
For more information on how we do this stay tuned to TrustChain website, social media and Open Calls.
Author: Ruben Roex, TIMELEX