How to effectively evade the GDPR and the reach of the DPA (PART 1)


This is a post in a series of posts:

As my regular readers know, I am reluctant to trust anything that isn't tested and battle-proven. In the last 2 years, I applied the same logic that I apply to vulnerability research to the data privacy environment and proceeded to test a broad range of Data Subject Rights. Expect a few disclosures following this one.

In true information security fashion (insiders will understand), I have attributed this weakness the ID:
  • CDPWE-0001 - Does not designate a Representative in the European Union

Introduction

When I searched Google for my name, an interesting website came up in the results. A company called "Rocket Reach" allowed others to buy access to my personal data. I was intrigued, as I have never given any consent for RocketReach to store (let alone sell) my data, and I saw no other legal basis for RocketReach's processing of my data.

"Rocket Reach" is a data broker that describes its service as:
"Connect directly with the right decision makers, using the world's largest and most accurate database of emails and direct dials. Real-time verified data for 430 million professionals across 17 million companies, worldwide. Trusted by over 5.0 million users — powering sales, recruiting, and marketing at companies large and small.
Prospect, connect and converse with your leads at scale."

Issuing a DSAR

On the 5th of April 2019, I asked RocketReach for access to my personal data (a Data Subject Access Request) and asked for the purpose and the legal basis of the processing. Instead of giving me access to my data and replying adequately, RocketReach decided to delete/remove all traces of it and informed me the same day that it had done so.

While it might be surprising to some, this is actually a common reaction to DSARs when the Data Controller realizes that the data it holds may have no real legal basis.

Filing a complaint

On the 5th of April 2019, I filed a complaint with the Luxembourgish Data Protection Agency (CNPD). The reference for this complaint is #3018 (for those who want to request information or documents from the CNPD).

Waiting for roughly a year

"We agree with you but we can't do anything, sorry, move on"

On the 6th of March 2020 (1 year!) the CNPD responded as follows (translated from the French original):

Mr. Zoller,
The National Commission for Data Protection (CNPD) is getting back to you regarding your complaint of 5 April 2019 against the company RocketReach.
In the course of the investigation of your complaint, RocketReach informed us that it considers that the users of its services, and not RocketReach itself, are the controllers with regard to the personal data processed on its website.
Furthermore, it also emerges from this investigation that RocketReach is a company located in the United States of America that does not have a representative in the Union within the meaning of Article 27 of the General Data Protection Regulation (GDPR).
With regard to controllers established in third countries, such as the United States of America, we would like to draw your attention to recital (116) of the GDPR, which states that:
"When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints."
In the case of your complaint, this means that, although we do not share RocketReach's view and are, on the contrary, of the opinion that this company is indeed to be regarded as the controller for the processing of personal data carried out on its website, it is impossible for us to pursue the handling of your complaint any further. Indeed, we do not have the powers to conduct investigations and to enforce the decisions we might take on the territory of the United States of America.
We therefore regret to inform you that we consider it impossible for us to effectively pursue the handling of your case.
Yours faithfully,

In summary: RocketReach has not met the GDPR requirement to designate an EU representative (Art. 27) to account for its processing of European personal data; furthermore, it processes the data of millions of European data subjects with no legal basis. In its answer, the CNPD makes it sound as if this were optional; it isn't. Instead of pursuing RocketReach locally on that basis alone, the CNPD just gives up, arguing that it has no jurisdiction in the US.

In other words: just don't designate a representative in Europe, build your business model around the illegal exploitation of data from millions of European data subjects, and you are fine?

I am fully aware that I could engage in legal proceedings. That is, however, not in my interest, as I don't want to bear the costs and effort. The overall question you should ask yourself is: do we need a European institution that handles extra-territorial investigations and fines? Why should it take the time, money, and energy of an individual when the DPA is supposed to defend the rights of data subjects?

What the CNPD could have done, according to [1]:
  • impose a temporary or definitive limitation, including a ban on processing;
  • order the suspension of data flows to a recipient in a third country or to an international organisation;
  • impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;
  • order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period.

[1] https://cnpd.public.lu/en/commission-nationale/pouvoirs.html

Instead, RocketReach just continues to sell the personal data of millions of European data subjects as if nothing ever happened, including all of the below:
  • Members of the CNPD
  • Members of the European Data Protection Board
  • CNIL

This post has not much "added value" for security professionals; it is intended for a broader local audience.

This is a quick post to clarify some ambiguity that I have seen in the reporting and associated discussions.

In recent weeks it came to light that a ransomware group dubbed REvil had published a note claiming that it compromised and extracted information from the Luxembourgish supermarket chain "Cactus Group". This was covered by Luxembourgish media, exposing the topic to a broader audience and shedding light on the activities commonly dubbed "ransomware".

Here is a small list of local press coverage:

All of the above reference a blog post by Cyble, Inc. on the matter.

Some clarifications:
  • The primary source of the screenshots is not Cyble, Inc. The source is a Tor website where (presumably) "REvil" publishes notices about companies that don't pay their ransom; the Cactus Group is one of them.
  • There are more screenshots and details that journalists would discover if they tracked down the source website. In particular, a few datasets beg the question of why they were highlighted in the first place.
More general information on "REvil/Sodinokibi":