Avast, a multinational cybersecurity and antivirus company, has been fined approximately €13.7 million by the Czech Republic’s data protection authority for illegally processing its customers’ data, including the sale of browsing data.
The illegal processing of data was first brought to light by PCMag and Motherboard. This was before Spanish not-for-profit NGO, FACUA, denounced the matter to the Spanish Agency for Data Protection (AEPD), which then transferred the case to Czech Republic authorities.
“(The data is) not associated with a name, email, or IP, but the crossing of such data with other information collected such as URLs visited can be analyzed to expose a user’s identity,” FACUA said in a post.
The GDPR could be violated if the user doesn’t give consent to the collection and transfer of their data.
FACUA also revealed that Avast sold its users’ private browsing data through its subsidiary Jumpshot. Some of this data belonged to large companies like Google, Microsoft, Sephora, Yelp, Home Depot, and more.
Jumpshot packaged the data into various products, assuring its clients that it could “provide companies with a more complete view of the entire online user journey.” The data sold included GPS coordinates, videos viewed on YouTube, LinkedIn profiles, Google Maps location searches, and Google web searches.
The Czech data protection authority found Avast guilty of “failing to sufficiently inform the data subjects (users of the Avast antivirus program and its browser extension) at the time the data was obtained from them, about the purposes of the treatment for which they were intended and on the legal basis of the treatment in question.”
The unauthorized processing occurred from an unknown date in April 2019 to July 2019. The Czech administration fined Avast €13,657,626 million in accordance with GDPR Articles 58 and 60.