Data privacy group found to have breached online privacy rules

The Information Commissioner’s Office has admitted wrongdoing by an affiliated data privacy group following allegations that it violated privacy rules.

A whistleblower who stumbled across a breach of privacy rules by accident raised it with E&T. The breach involves the Global Privacy Assembly (GPA). The GPA says its mission is to help members fight for an environment in which privacy and data protection authorities around the world are able to effectively fulfil their mandates.

Experts found that the GPA allowed social media company Twitter to track users without their consent. The data Twitter collects is personally identifiable information (PII) and therefore requires a higher degree of consent to satisfy GDPR, explained the whistleblower.

Daniel Johannsen at privacy and analytics firm Cybot said there was also no mention of the GPA’s privacy policy. There was an embedded Twitter feed on the website, he said, “but they should ask for consent to be compliant”.

Jamal Ahmed, privacy consultant at Kazient, is concerned, given that Elizabeth Denham, the UK’s Information Commissioner and ‘flag bearer for data privacy in the UK’ sits on the group’s executive committee. “We must practice what we preach, especially if you have the Information Commissioner at your table. Data privacy is a human right and it is not up to organisations to pick and choose when they deny individuals that.”

The person who complained to the ICO told E&T: “The notable aspect of this is the hypocrisy, not the severity. If I were a member, I’d be embarrassed of my association with this assembly and not noticing this failure sooner.” The complainant also said the breach is severe for the users affected, including those who work in regulation or journalism, anyone with an interest in the underpinning political topic – “this sharing of data is one of the worst possible in regard to their professional or political interest. It may not be the most popular website or largest list of users, but it’s a very significant failing.”

The regulatory body, which directly reports to Parliament, responded by saying it agrees with the analysis on GPA’s website. “The inclusion of the feed on the website without an appropriate cookie consent plugin was an oversight by us for which we apologise. Following the receipt of the [complaint] email we have removed the embedded Twitter feed from the website and we will only re-instate the feed when the issue of consent has been resolved.” Louise McCallum, the lead case officer at the ICO, wrote: “I would like to thank [the sender of the complaint] for bringing this matter to our attention.”

A GPA spokesperson responded: “After becoming aware of concerns in relation to the embedded Twitter feed on our website, we removed it immediately. We will be reinstating the embedded Twitter feed alongside a legally compliant cookie consent tool on our website, as well as updating our privacy policy.”
