
Avast fined 350 million for user data abuse

Translation provided by Milo Dvorak

18. 4. 2024

Business Newsletter #26

Data privacy has become an integral part of everyday life. We all spend an enormous amount of time on the computer and working online, leaving behind, often unknowingly, a trail known as a digital footprint that is, sadly, frequently abused by a number of entities.

Published on 15 April 2024.


Avast has received a record fine of CZK 351 million from the Office for Personal Data Protection for unauthorised handling of the data of its antivirus programme users. According to the authority, for part of 2019, Avast transferred non-anonymised data about approximately 100 million users to its subsidiary Jumpshot, as stated in a press release today. This fine, the highest since the office was established in 2000, is final. Comments from the company are currently being sought.

Avast processed personal data from users of its namesake antivirus programme and its browser extensions. During the investigated period in 2019, it transferred some of this data to its subsidiary Jumpshot, presented as a company providing data to marketers and offering insights into online consumer behaviour.

The Office for Personal Data Protection stated that Avast inaccurately informed users of the antivirus programme, claiming that they were transmitting anonymous data for trend analysis. "Although Avast claimed to use robust anonymisation techniques, it became abundantly clear during the proceedings that the data transmitted from individual installations of the antivirus software was not anonymised," the authority noted. Based on the transmitted data, at least some of the subjects could be re-identified. Moreover, the purpose of processing the data was not just to create statistical analyses, as Avast had claimed.

The authority in its ruling highlighted that Avast, a leading cybersecurity expert, offers the public tools for data protection and privacy. "Their customers could not expect that such a company would transmit their personal data or any data that could reveal not only their identity but possibly also interests, preferences, residence, financial status, profession, and other private information," stated Jiří Kaucký, the chairman of the Office for Personal Data Protection.

The fine of CZK 351 million is the highest ever imposed by the Office for Personal Data Protection, as previous maximums were in the millions. In 2017, a penalty of CZK 4.2 million was imposed on Eurydikapol (formerly JH HOLDING s.r.o.) for distributing unsolicited commercial communications. Among the highest penalties ever imposed by the authority is a fine of CZK 3.6 million given to the service provider T-Mobile for a breach of their customers' personal data.

Avast is facing issues not only in the Czech Republic but also in the United States. At the end of February this year, the US Federal Trade Commission reported that Avast had to pay a fine of $16.5 million (over CZK 393 million) in the United States and stop selling user data for advertising purposes. According to the commission, the company misleadingly stated how it used users' browsing activity data. Such data was then sold without adequate prior warning or consent.

Avast, part of Gen Digital following a 2022 merger with the US company NortonLifeLock, had voluntarily shut down its subsidiary Jumpshot in January 2020, ending its activities.

In the third fiscal quarter ending last December, Gen Digital's net profit decreased by 13% to $144 million (approximately CZK 3.4 billion). Over nine months, the company's profit increased by 11% to $482 million (about CZK 11.5 billion).
