Czech DPA fines Avast $15M over GDPR violations

The Office for Personal Data Protection said Avast conducted “unauthorized processing of personal data of users” of its antivirus program and browser extension, according to a translated fine notice published April 15.

The penalty is a record under the GDPR in the Czech Republic, according to the GDPR Enforcement Tracker.

In February, the U.S. Federal Trade Commission proposed Avast pay $16.5 million over its alleged deceptive data selling practices.

The details: In 2019, the data of 100 million Avast users was transmitted to its subsidiary Jumpshot, which made the behavioral data of customers available to marketers, the Czech DPA alleged.

In an emailed statement, an Avast spokesperson said the Czech DPA’s decision related to past data processing activities by Jumpshot, which Avast voluntarily closed in January 2020.

“We disagree with the DPA’s decision and characterization of the facts, and we are assessing our next steps, including further judicial action,” the statement read.

The Czech DPA further alleged Avast falsely claimed to have anonymized the data and that the purpose of the data processing was only to create statistical analyses.

The Czech DPA led the case on behalf of its EU counterparts in accordance with the GDPR’s one-stop shop mechanism.

In the fine notice, Jiří Kaucký, chairman of the Czech DPA, said Avast customers could not expect the company, “one of the leading experts in cybersecurity,” would share personal data in “which not only their identity could be determined but also … their interests, preferences, residence, assets, profession, and other data related to their privacy.”

Company response: “Avast has reaffirmed its commitment to keeping its customers’ data safe and private and has continued to take proactive measures to ensure that its privacy practices are a top priority. Avast also maintains active participation in global privacy-first organizations and initiatives,” the spokesperson said.