Czech DPA Slaps Avast with $15M Fine for GDPR Violations

The Czech data protection authority imposed a 351 million CZK ($15M) fine on Avast Software, a cybersecurity firm, for unlawfully sharing personal data of millions of its antivirus users with a subsidiary company.

The DPA’s binding decision states that, during several months in 2019, Avast improperly transferred data on browsing histories and online behaviors of approximately 100 million Avast antivirus users to its petitioner, Jumpshot Inc., a terminated subsidiary company. Jumpshot marketed its ability to provide “insights into online consumer behavior,” claiming it followed “user journeys at an atomic level” for marketing and third-party sold databases.

Avast argued the data shared with Jumpshot was completely anonymized for analytical uses, but the DPA found the data was not fully anonymized but merely pseudonymized, as it could be re-identified and connected back to individuals. Users’ browsing data transferred with Jumpsack contained sensitive information regarding their habits, locations, wealth levels, age and preferences.

“Avast is among the world’s leading privacy protection data experts for cybersecurity, and customers could never have expected it to transact their personal data in this way,” stated DPA President Jiří Kaucký.

The DPA adds that Avast provided false information to its users – only anonymous trend analysis data would be shared and not detailed user profiles. The case involved multiple EU users, and the DPA coordinated with other European data authorities to determine the second-highest GDPR fine to date. Avast ceased transfers immediately and terminated the subsidiary since the GDPR breaches were first reported back in 2020.

However, the DPA illustrates how serious misuse of customer data can have consequences, especially for a cybersecurity company. The fine emphasizes an increasingly stringent enforcement stance among regulators as the public becomes more aware of online tracking and commercialization of record technology companies.

Avast can appeal the DPA’s verdict but is under pressure to improve its data comprehension arrangements to enable complete transparency for users.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.