#Jumpshot

Nine years ago and being in the #concertphotography game for only six months (and doing b/w shots which I refrained from quickly) I shot #TheHirschEffekt for the first time, back then at #Bollwerk107 in Moers. I think #IljaJohnLapin stopped doing jumps later. At least I cannot find any similar picture although I've shot the band looots of times until now. So this is the only show I can remember and have documented where the three of them went full Punkrock 😁. Next Friday they'll play #Helios37. Thinking about meeting them again. #concertphotographer #jumpshot #musicphotography #musicphotographer #longbranchrecords #spv #spvrecordings #moers

Reading the Czech decision a bit more (it’s a long text), it’s quite fascinating. It’s a second instance ruling, and the authority appears to have rejected Avast’s appeal in all points. Even more so: they are explaining to Avast that the privacy law doesn’t work the way Avast thinks it does.

Did Avast decide to represent themselves without proper legal advice? Did they hire incompetent lawyers? Did their lawyers just give up, seeing this case as hopeless? Beats me. But they seem to have acted similarly incompetently here as with their media response.

In particular, Avast tried to argue down the imposed fine based on the fact that the decision refers to a data collection period of “merely” two months. And they get the explanation that, as far as GDPR is concerned, violating the privacy of 100 million users on a single day would have already been sufficient. There is also the clarification that the data protection authorities aren’t as naive as to assume that violations only happened during these two months.

And they also didn’t like Avast’s “but no actual harm was done” defense:

“the harm caused to data subjects cannot be individually examined due to the large number of data subjects affected. As already stated, the privacy of data subjects has been compromised by the conduct of the Accused, and the effects on the rights of individual subjects may become apparent in the future. Furthermore, it cannot be safely stated that users have not been identified, nor that they are not already being targeted in any way based on knowledge of their preferences or behaviour.”

Now to the funny part: Avast accuses the data protection authority of damaging them by publishing a short announcement back in 2020. Mind you, the media shitstorm against Avast was already in full swing. And so the data protection authority simply states:

“the Charged Company’s shares on the Prague Stock Exchange had significantly fallen even before the press release was issued”

And on the claim that Avast should be excused because they didn’t know they were violating privacy laws:

“At this point, the Appellate Authority considers it necessary to recall that the Charged Company provides software designed to protect the privacy of its users. As a professional in the information and cyber field, the Charged Company is thereby also expected to be extremely knowledgeable in the field of data protection. The Accused was aware of the risks of data processing and of the difficulty of achieving complete anonymisation of data (especially in a rapidly evolving technological environment) but decided to monetise the data of its users in the abovementioned manner anyway.”

For some context: the first-instance decision fell in 2022. It looks like it might not have been triggered by my investigation at all but rather by a complaint a few months earlier. That seems to be the reason why they are talking about data collection between April and July 2019.

uoou.gov.cz · Úřad pro ochranu osobních údajů: Statement of the Office for Personal Data Protection on the current case of Avast Software s.r.o.

Nice to see Avast being held liable for their data collection. After the Czech fine in May for the GDPR violation they are now also being fined by the FTC in the US.

Interesting fact here: according to the Czech decision Avast is continuing to claim that the data was properly anonymized and no personal data was being transferred to third parties. As I could document four years ago, these claims are definitely untrue.

It seems that the Czech data protection authority didn’t buy into these blanket claims either and requested detailed information on the data handling – which Avast failed to provide. They also seem to have read my blog. So their conclusions (like my original analysis) are largely based on the patent Avast filed. Which is already quite damning but not really as much as the real data which shows that the patented approach was severely misimplemented.

The FTC decision is far less detailed but also states: “The FTC further alleges that, in some cases, the data Avast shared with Jumpshot was not aggregated or fully anonymized before Jumpshot sold it, and in some cases, Jumpshot sold the data in a form that could have allowed third parties to link back browsing information to you or your devices.”

Now one might be inclined to ask: why does it matter? Avast has since been sold. So the people paying the fines now aren’t the ones responsible.

But I’d like to think that this controversy had a significant impact on the selling price. This was likely the reason why Avast was in such a hurry to shut down Jumpshot and to end this affair.

www.edpb.europa.eu · Czech SA imposed fine of 13.9 million EUR for infringement of Art. 6 and Art. 13 of GDPR | European Data Protection Board