On April 15, 2024, the Office for Personal Data Protection (ÚOOÚ) announced that it imposed a fine of CZK 351 million (approx. $14.8 million) to Avast Software s.r.o. (Avast) for violations of the General Data Protection Regulation (GDPR) following an investigation by the ÚOOÚ into its 'Jumpshot division.'

Background to the case

In particular, the ÚOOÚ stated that as part of the provision of antivirus software services, Avast processes the personal data of users using the software, and in the year 2019, Avast had transmitted pseudonymized internet browsing history linked to a unique identifier of approximately 100 million of its users to Jumpshot, Inc (Jumpshot). The ÚOOÚ highlighted that Jumpshot provides user data to marketers for gaining insight into online consumer behavior and tracking the user journey.

Findings of the ÚOOÚ

The ÚOOÚ found that the users were wrongly informed by Avast about the transfer of anonymous data for the purpose of trend analysis and that the transmitted data from individual antivirus software installations was not anonymized and data subjects could be re-identified. Moreover, the ÚOOÚ addressed the legal basis for the processing and found that the purpose of processing the data was not only to create statistical analyses, as claimed by Avast.

Outcomes

In light of the above, the ÚOOÚ imposed a fine of CZK 351 million (approx. $14.8 million) on Avast for GDPR violations. In addition, the ÚOOÚ noted that the case was of cross-border processing of personal data in the EU, and therefore addressed the violation alongside other concerned supervisory authorities in the EU as part of the European Data Protection Board's (EDPB) 'One Stop Shop' cooperation mechanism.

You can read the press release here and the document on the EDPB's mechanism here, both only available in Czech.