Cabinet Office Receives £500,000 GDPR Fine

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However, in 2020 the media attention was on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses: a clear breach of the General Data Protection Regulation (GDPR), particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, the cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers, as well as Holocaust survivors, were also on the list, which was published online at 10.30pm on Friday 26th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to anyone who had the exact webpage address.

The personal data was available online for two hours and 21 minutes and was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published alongside their names. One of the lessons here is: always have a second person check the data before pressing “publish”.
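The “second person” check can also be automated as a release gate that refuses to publish a file while it still contains address columns. The following is an added example, not code from the Cabinet Office or the ICO; the CSV, the names and the addresses in it are constructed, and the column names and patterns it looks for are assumptions about what an honours-style spreadsheet would contain.

```python
import csv
import io
import re

# Constructed sample export (hypothetical people and addresses), in the shape
# of a spreadsheet that was meant to carry only names and honours.
SAMPLE_CSV = """name,honour,address,postcode
A Person,MBE,12 Example Street,SW1A 1AA
B Person,OBE,Flat 3 Sample Road,EH1 2NG
"""

# Column names that should never reach a public release without a deliberate decision.
SUSPECT_HEADERS = {"address", "postcode", "post code", "email", "phone",
                   "telephone", "date of birth", "dob"}

# Content patterns: a UK postcode, and "<number> <words> <street type>".
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")
STREET_ADDRESS = re.compile(
    r"\b\d+[A-Za-z]?\s+(?:[A-Za-z]+\s+)*(?:Street|Road|Lane|Avenue|Close|Drive|Way)\b",
    re.IGNORECASE,
)


def find_pii_columns(csv_text):
    """Map each column that looks like it carries address data to the reasons it was flagged."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = {}
    for header in reader.fieldnames or []:
        if header.strip().lower() in SUSPECT_HEADERS:
            findings.setdefault(header, set()).add("suspect header")
    for row in reader:
        for col, value in row.items():
            if not value:
                continue
            if UK_POSTCODE.search(value.upper()):
                findings.setdefault(col, set()).add("postcode pattern")
            if STREET_ADDRESS.search(value):
                findings.setdefault(col, set()).add("street address pattern")
    return findings


def release_gate(csv_text, permitted_columns):
    """Return (ok, blocked_columns); ok is False if any flagged column is not on the allow-list."""
    flagged = find_pii_columns(csv_text)
    blocked = sorted(c for c in flagged if c not in permitted_columns)
    return (not blocked, blocked)


def drop_columns(csv_text, columns):
    """Produce the release copy with the named columns removed entirely, not merely hidden."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [h for h in reader.fieldnames if h not in columns]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    ok, blocked = release_gate(SAMPLE_CSV, permitted_columns={"name", "honour"})
    if not ok:
        print("blocked columns:", blocked)
        print(drop_columns(SAMPLE_CSV, set(blocked)))
```

The gate flags on both the header name and the cell contents, because a column labelled “notes” can still carry a postcode. The release copy is produced by dropping the columns rather than hiding them, which matters for the cached-copy problem described above: once a file has left the server, nothing can be pulled back.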

This is the first ever GDPR fine issued by the ICO to a public sector organisation, in stark contrast to the ICO’s fines under the DPA 1998, which started with a local authority. Article 82(1) sets out the right to compensation:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It will be interesting to see how many of the affected individuals pursue a civil claim. 

(See also our blog post from the time the breach was reported.)

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have one place left on our Advanced Certificate in GDPR Practice course starting in January.

Lloyd v Google: What DPOs need to know

Last week, the UK Supreme Court handed down its much anticipated judgment in the case of Lloyd v Google LLC [2021] UKSC 50. It is a significant case because it answers two important questions: (1) whether US-style class action lawsuits can be brought for data protection claims and (2) whether damages can be claimed for mere “loss of control” of personal data where no actual damage has been suffered by data subjects. If the Supreme Court had decided that the answer to either of these questions was “yes”, it would have resulted in Data Controllers being targeted with much more costly data breach litigation.

The present case was brought by Richard Lloyd, a former director of consumer rights group Which?, who alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting on their phone. Mr Lloyd sought compensation, under section 13 of the old Data Protection Act 1998. 

Mr Lloyd sought to bring a claim in a representative capacity on behalf of 4 million consumers; a US-style “class action”. In the UK, such claims currently need consumers to opt in, which can be a lengthy (and costly) process. Mr Lloyd attempted to set a precedent for opt-out cases, meaning one representative could bring an action on behalf of millions without the latter’s consent. He sought to use Rule 19.6 of the Civil Procedure Rules, which allows an individual to bring such a claim where all members of the class have the “same interest” in the claim. Because Google is a US company, Mr Lloyd needed the permission of the English court to pursue his claim. Google won in the High Court, only for the decision to be overturned by the Court of Appeal. If Mr Lloyd had succeeded in the Supreme Court on appeal, it could have opened the floodgates to many more mass actions against tech firms (and other data controllers) for data breaches.

The Supreme Court found class actions impermissible in principle in the present case. It said that, in order to advance such an action on behalf of each member of the proposed represented class, Mr Lloyd had to prove that each one of those individuals had both suffered a breach of their rights and suffered actual damage as a result of that breach. Mr Lloyd had argued that a uniform sum of damages could be awarded to each member of the represented class without having to prove any facts particular to that individual. In particular, he had argued that compensation could be awarded under the DPA 1998 for “loss of control” of personal data constituted by any non-trivial infringement by a data controller of any of the requirements of the DPA 1998.

The Supreme Court rejected these arguments for two principal reasons. Firstly, the claim was based only on section 13 of the DPA 1998, which states that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. The court ruled that “damage” here means material damage, such as financial loss or mental distress, caused by unlawful processing of personal data in contravention of the DPA 1998 (i.e. simply infringing the DPA 1998 does not in itself constitute “damage”). Secondly, in order to recover compensation under section 13 of the DPA 1998, it is necessary to prove what unlawful processing (by Google) of personal data relating to each individual actually occurred. A representative claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation, but not here, where Mr Lloyd was claiming the same amount of damages (£750) for each of the 4 million iPhone users.

This case was decided under the DPA 1998. Article 82(1) of the UK GDPR now sets out the right to compensation: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The similar wording to the DPA 1998 means that the outcome would be the same if Mr Lloyd had commenced his action post GDPR.

The Lloyd-Google judgment means that those seeking to bring class-action data protection infringement compensation cases have their work cut out. However, claims under Art 82 can still be brought on an individual basis – in fact the judgment seems to indicate that individual cases can have good prospects of success. There is more to come in this area. TikTok is facing a similar case, brought by former Children’s Commissioner Anne Longfield, which alleges that the video-sharing app used children’s data without informed consent. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have one place left on our Advanced Certificate in GDPR Practice course starting in January.

GDPR Fine for Charity Email Blunder

A Scottish charity has been issued with a £10,000 monetary penalty notice following the inadvertent disclosure of personal data by email. 

On 18th October, HIV Scotland was found to have breached the security provisions of the UK GDPR, namely Articles 5(1)(f) and 32, when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. 

The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk email practices after its investigation found shortcomings in HIV Scotland’s email procedures. These included inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy. It also found that despite HIV Scotland’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months after the incident.
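The practical alternative to pasting a list into To, Cc or even Bcc is a mail-merge: one message per recipient, with a gate in front of the sending code that refuses any message in which more than one recipient is visible. The following is an added example written for this post; it is not HIV Scotland’s system or anything the ICO published, and the sender, subject and recipient addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Policy for list mail: no recipient may ever see another recipient's address.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample recipients (hypothetical addresses).
RECIPIENTS = ["a.advocate@example.org", "b.advocate@example.org", "c.advocate@example.org"]


def visible_recipients(msg):
    """Addresses every recipient can read: everything in To and Cc."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in raw])]


def check_outgoing(msg):
    """Return policy violations for one outgoing message (an empty list means it may be sent)."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(f"{len(visible)} recipients visible in To/Cc")
    if msg.get_all("Bcc"):
        # A Bcc header left inside the serialised message leaks the list if the
        # sending path does not strip it; keep the list on the SMTP envelope only.
        problems.append("Bcc header present in message")
    return problems


def mistaken_bulk_message():
    """The error pattern behind this kind of incident: the whole list pasted into To."""
    m = EmailMessage()
    m["From"] = "newsletter@example.org"
    m["To"] = ", ".join(RECIPIENTS)
    m["Subject"] = "Update"
    m.set_content("Hello all")
    return m


def build_individual_messages(sender, recipients, subject, body):
    """Mail-merge: one message per recipient, so no address list exists in any header."""
    out = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        out.append(m)
    return out


def send_all(messages, send):
    """Send only messages that pass the check; returns what was refused and why.

    `send` is any callable taking a message, e.g. smtplib.SMTP(...).send_message.
    """
    refused = []
    for m in messages:
        problems = check_outgoing(m)
        if problems:
            refused.append((visible_recipients(m), problems))
            continue
        send(m)
    return refused
```

The check runs on the message object itself rather than on whatever the operator typed into a mail client, so it catches the same mistake whether the list came from a spreadsheet, a script or a copy-and-paste. For a sensitive list, the one-message-per-recipient route also means a later reply-all cannot expose anyone.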

On the point of training, HIV Scotland confirmed to the ICO that employees are expected to complete the “EU GDPR Awareness for All” course on an annual basis. The ICO recommended that staff should receive induction training “prior to accessing personal data and within one month of their start date.” Act Now’s e-learning course, GDPR Essentials, is designed to teach employees about the key provisions of GDPR and how to keep personal data safe. The course is interactive with a quiz at the end and can be completed in just over 30 minutes. Click here to watch a preview.

HIV Scotland was also criticised for not having a specific policy on the secure handling of personal data within the organisation. It relied on its privacy policy, which was a public-facing statement covering points such as cookie use and data subject access rights; this provided no guidance to staff on the handling of personal data and what they must do to ensure that it is kept secure. The Commissioner expects an organisation handling personal data to maintain policies regarding, amongst other things, confidentiality (see our GDPR policy pack).

This is an interesting case and one which will not give reassurance to the Labour Relations Agency in Northern Ireland, which had to apologise last week for sharing the email addresses and, in some cases, the names of more than 200 service users. The agency deals confidentially with sensitive labour disputes between employees and employers. It said it had issued an apology to recipients and was currently taking advice from the ICO.

Interestingly the ICO also referenced in its ruling, the fact that HIV Scotland made a point of commenting on a similar error by another organisation 8 months prior. In June 2019, NHS Highland disclosed the email addresses of 37 people who were HIV positive. It is understood the patients in the Highlands were able to see their own and other people’s addresses in an email from NHS Highland inviting them to a support group run by a sexual health clinic. At the time HIV Scotland described the breach as “unacceptable”. 

The HIV Scotland fine is the second one the ICO has issued to a charity in the space of 4 months. On 8th July 2021, the transgender charity Mermaids was fined £25,000 for failing to keep the personal data of its users secure. The ICO found that Mermaids failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Charities need to consider these ICO fines very carefully and ensure that they have policies, procedures and training in place to avoid enforcement action by the ICO.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in January.

First ICO GDPR Fine Reduced on Appeal

The first GDPR fine issued by the Information Commissioner’s Office (ICO) has been reduced by two thirds on appeal.

In December 2019, Doorstep Dispensaree Ltd, a company which supplies medicines to customers and care homes, was the subject of a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. Following an investigation, the ICO ruled that the company had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The ICO launched its investigation after it was alerted by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the company.

The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. It also issued an Enforcement Notice after finding, amongst other things, that the company’s privacy notices and internal policies were not up to scratch.

On appeal, the First Tier Tribunal (Information Rights) ruled that the original fine of £275,000 should be reduced to £92,000. It concluded that 73,719 documents had been seized by the MHRA, and not approximately 500,000 as the ICO had estimated. The judge also held that 12,491 of those documents contained personal data and 53,871 contained Special Category Data.

A key learning point from this appeal is that data controllers cannot be absolved of responsibility for personal data simply because data processors breach contractual terms around security. The company argued that, by virtue of Article 28(1) of GDPR, its data destruction company (JPL) had become the data controller of the offending data because it was processing the data otherwise than in accordance with the company’s instructions. In support of this argument it relied on its contractual arrangement with JPL, under which JPL was only authorised to destroy personal data in relation to excess medication and equipment sourced from Doorstep Dispensaree Ltd (DDL), and must do so securely and in good time.

The judge said:

“The issue of whether a processor arrogated the role of controller in this context must be considered by reference to the Article 5(2) accountability principle. This provides the controller with retained responsibility for ensuring compliance with the Article 5(1) data processing principles, including through the provision of comprehensive data processing policies. Although it is possible that a tipping point may be reached whereby the processor’s departure from the agreed policies becomes an arrogation of the controller’s role, I am satisfied that this does not apply to the facts of this case.” 

This case shows the importance of data controllers keeping a close eye on data processors especially where they have access to or are required to destroy or store sensitive data. Merely relying on the data processor contract is not enough to avoid ICO enforcement. 

Our GDPR Practitioner Certificate is our most popular certificate course, available both online and in the classroom. We have added more dates.

GDPR News Roundup

So much has happened in the world of data protection recently. Where to start?

International Transfers

In April, the European Data Protection Board’s (EDPB) opinions (GDPR and Law Enforcement Directive (LED)) on UK adequacy were adopted. The EDPB has looked at the draft EU adequacy decisions. It acknowledged that there is alignment between the EU and UK laws but also expressed some concerns. It has, though, issued a non-binding opinion recommending their acceptance. If accepted, the two adequacy decisions will run for an initial period of four years. More here.

Last month saw the ICO’s annual data protection conference go online due to the pandemic. Whilst not the same as a face to face conference, it was still a good event with lots of nuggets for data protection professionals including the news that the ICO is working on bespoke UK standard contractual clauses (SCCs) for international data transfers. Deputy Commissioner Steve Wood said: 

“I think we recognise that standard contractual clauses are one of the most heavily used transfer tools in the UK GDPR. We’ve always sought to help organisations use them effectively with our guidance. The ICO is working on bespoke UK standard clauses for international transfers, and we intend to go out for consultation on those in the summer. We’re also considering the value to the UK for us to recognise transfer tools from other countries, so standard data transfer agreements, so that would include the EU’s standard contractual clauses as well.”

Lloyd v Google 

The much-anticipated Supreme Court hearing in the case of Lloyd v Google LLC took place at the end of April. The case concerns the legality of Google’s collection and use of browser-generated data from more than 4 million iPhone users during 2011-12 without their consent. Following the two-day hearing, the Supreme Court will now decide, amongst other things, whether, under the DPA 1998, damages are recoverable for ‘loss of control’ of data without needing to identify any specific financial loss, and whether a claimant can bring a representative action on behalf of a group on the basis that the group have the ‘same interest’ in the claim and are identifiable. The decision is likely to have wide-ranging implications for representative actions, what damages can be awarded for and the level of damages in data protection cases. Watch this space!

Ticketmaster Appeal

In November 2020, the ICO fined Ticketmaster £1.25m for a breach of Articles 5(1)(f) and 32 GDPR (security). Ticketmaster appealed the penalty notice on the basis that there had been no breach of the GDPR; alternatively that it was inappropriate to impose a penalty, and that in any event the sum was excessive. The appeal has now been stayed by the First-Tier Tribunal until 28 days after the pending judgment in a damages claim brought against Ticketmaster by 795 customers: Collins & Others v Ticketmaster UK Ltd (BL-2019-LIV-000007).

Age Appropriate Design Code

This code came into force on 2 September 2020, with a 12 month transition period. The Code sets out 15 standards organisations must meet to ensure that children’s data is protected online. It applies to all the major online services used by children in the UK and includes measures such as providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use.

With less than four months to go (2 September 2021) the ICO is urging organisations and businesses to make the necessary changes to their online services and products. We are planning a webinar on the code. Get in touch if interested.

AI and Automated Decision Making

Article 22 of GDPR provides protection for individuals against purely automated decisions with a legal or similarly significant impact. In February, the Court of Amsterdam ordered Uber, the ride-hailing app, to reinstate six drivers who it was claimed were unfairly dismissed “by algorithmic means.” The court also ordered Uber to pay compensation to the sacked drivers.

In April, the EU Commission published a proposal for a harmonised framework on AI. The framework seeks to impose obligations on both providers and users of AI. Like the GDPR, the proposal includes fine levels and an extra-territorial effect. (Readers may be interested in our new webinar on AI and Machine Learning.)

Publicly Available Information

Just because information is publicly available it does not provide a free pass for companies to use it without consequences. Data protection laws have to be complied with. In November 2020, the ICO ordered the credit reference agency Experian Limited to make fundamental changes to how it handles personal data within its direct marketing services. The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. Experian has lodged an appeal against the Enforcement Notice.

Interesting that recently the Spanish regulator has fined another credit reference agency, Equifax, €1m for several failures under the GDPR. Individuals complained about Equifax’s use of their personal data which was publicly available. Equifax had also failed to provide the individuals with a privacy notice. 

Data Protection by Design

The Irish data protection regulator recently issued its largest domestic fine. The Irish Credit Bureau (ICB) was fined €90,000 after a change to the ICB’s computer code in 2018 resulted in 15,000 accounts having incorrect details recorded about their loans before the mistake was noticed. Amongst other things, the decision found that the ICB infringed Article 25(1) of the GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects (aka DP by design and by default).

Data Sharing 

The ICO’s Data Sharing Code of Practice provides organisations with a practical guide on how to share personal data in line with data protection law. Building on the code, the ICO recently outlined its plans to update its guidance on anonymisation and pseudonymisation, and to explore the role that privacy enhancing technologies might play in enabling safe and lawful data sharing.

UK GDPR Handbook

The UK GDPR Handbook is proving very popular among data protection professionals.

It sets out the full text of the UK GDPR laid out in a clear and easy to read format. It cross references the EU GDPR recitals, which also now form part of the UK GDPR, allowing for a more logical reading. The handbook uses a unique colour coding system that allows users to easily identify amendments, insertions and deletions from the EU GDPR. Relevant provisions of the amended DPA 2018 have been included where they supplement the UK GDPR. To assist users in interpreting the legislation, guidance from the Information Commissioner’s Office, Article 29 Working Party and the European Data Protection Board is also signposted. Read what others have said:

“A very useful, timely, and professional handbook. Highly recommended.”

“What I’m liking so far is that this is “just” the text (beautifully collated together and cross-referenced Articles / Recital etc.), rather than a pundits interpretation of it (useful as those interpretations are on many occasions in other books).”

“Great resource, love the tabs. Logical and easy to follow.”

Order your copy here.

These and other GDPR developments will also be discussed in detail in our online GDPR update workshop next week.

Ticketmaster Fined £1.25m Over Cyber Attack

GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details, which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK.
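Any script loaded from a third party onto a payment page runs with full access to the card form, so the first control is the risk assessment the ICO refers to: does this page need third-party code at all? Where the answer is yes, the standard technical controls are Subresource Integrity (pinning the script to a hash so the browser refuses a changed copy) and a Content-Security-Policy that names the permitted script hosts. The following is an added example, not Ticketmaster’s or Inbenta’s code, and this post does not describe how the chatbot was actually compromised; it assumes the widget was delivered as an ordinary script tag, and the script contents and vendor URL are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a third-party widget script (not any real vendor's code).
VENDOR_SCRIPT = b"window.supportChat = { open: function () { /* widget */ } };\n"
VENDOR_URL = "https://chat.vendor.example/widget.js"   # placeholder URL


def sri_integrity(script_bytes, algo="sha384"):
    """Compute the value for the <script integrity="..."> attribute."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, script_bytes):
    """Emit the pinned tag: the browser will not run the script if its hash changes."""
    return (f'<script src="{src}" integrity="{sri_integrity(script_bytes)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(fetched_bytes, integrity):
    """Server-side twin of the browser check, e.g. for a job that re-fetches the
    vendor script on a schedule and alerts if it no longer matches the pin."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    actual = base64.b64encode(hashlib.new(algo, fetched_bytes).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


def payment_page_csp(allowed_script_hosts):
    """A Content-Security-Policy for the payment page that lists script sources
    explicitly, so an injected tag from any other origin is refused."""
    sources = " ".join(["'self'"] + sorted(allowed_script_hosts))
    return (f"default-src 'self'; script-src {sources}; "
            f"object-src 'none'; frame-ancestors 'none'")


if __name__ == "__main__":
    print(script_tag(VENDOR_URL, VENDOR_SCRIPT))
    print(payment_page_csp({"chat.vendor.example"}))
```

The trade-off is that a pinned script stops working the moment the vendor ships an update, so pinning only works with a vendor that publishes versioned, immutable script URLs. If the vendor cannot offer that, the choice is between accepting unreviewed changes on the payment page and taking the widget off it; the monitoring job above at least turns a silent change into an alert, which goes to the ICO’s third finding about detecting the problem in a timely manner.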

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these banks and others had warned Ticketmaster of suspected fraud. Despite these warnings, it took nine weeks to start monitoring activity on its payments page.

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe. Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

The Marriott Data Breach Fine

The Information Commissioner’s Office (ICO) has issued a fine to Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. The fine does not come as a surprise as it follows a Notice of Intent, issued in July 2018. The amount of £18.4 million though is much lower than the £99 million set out in the notice.  

The Data 

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.  

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK. 

The Cyber Attack 

In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system, giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and to other devices on the network to which that account would have had access. Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.

The ICO acknowledged that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers. However, it was found to have breached the Security Principle (Article 5(1)(f)) and Article 32 (Security of personal data). The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014.

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.  

It is also essential that DPOs have a good understanding of cyber security. We have some places available on our Cyber Security for DPOs workshop in November. 

The Information Commissioner, Elizabeth Denham, said: 

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.” 

Marriott said in a statement:

“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

Marriott has also said that it does not intend to appeal the fine, but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.  

This is the second highest GDPR fine issued by the ICO. On 16th October British Airways was fined £20 million, also for a cyber security breach. (You can read more about the causes of cyber security breaches in our recent blog post.) The first fine was issued in December 2019 to Doorstep Dispensaree Ltd for a comparatively small amount of £275,000.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate is fully booked. We have added more courses.

Recovering Personal Data After Inadvertent Disclosure: The Injunction Route

Even with the best data protection training and awareness programme, mistakes can and do happen when organisations process personal data of a sensitive nature. Personal data can be lost or simply sent to the wrong person. Two recent High Court cases involve local authorities seeking injunctions in an attempt to limit the impact caused by inadvertent disclosures.

In Redbridge LBC v Jennings [2020] 5 WLUK 122 (to the best of our knowledge, only reported on Westlaw) the London Borough of Redbridge was granted an injunction to prevent X from publishing highly sensitive information about another family, that the Council had inadvertently sent to X. London Borough of Lambeth v Anthony Amaebi Harry [2020] EWHC 1458 (QB) was partly about a Breach of Confidence action by Lambeth Council against the Respondent who had also received third-party personal data. Let’s consider both cases and what we can learn from them.

The Disclosures

In the Redbridge case, a council employee wrote to X regarding her family. However, the employee inadvertently included documents containing highly sensitive information about another family (Family A) in the envelope. When X received the documents, she realised that she should not have seen them and so she returned them to the council. However, it later transpired that X had taken copies of the documents and that she planned to visit Family A to inform them about the council’s error. X also indicated that she would not destroy the copies that she had retained but would give them to her solicitor. It is clear that X understood the confidential nature of the documents, and that she did not intend to share them with anybody else. However, it appears that she intended to retain the documents (in the hands of her solicitor) for the purpose of pursuing her own data protection claim against the council. X alleged that information about her family had been sent to a third party who had “knocked on her door to return the documents”. At the time of writing it is uncertain whether X has brought such an action.

In the Lambeth case, Mr Harry made a subject access request (in November 2018) to the Council seeking information held about his child. It appears that another person (HJ) had made allegations to the Council about the care that Mr Harry and his wife were providing for their child. Lambeth Council provided the information to Mr Harry by electronic means. However it turned out that Mr Harry was able to manipulate the data (by removing the redactions that the Council had made) and was able to identify HJ, who had made the initial allegations. He commenced legal proceedings against HJ for defamation.

Lambeth Council sued Mr Harry for Breach of Confidence. It claimed that the information was provided to Mr Harry in circumstances where he knew it was confidential and that he had breached that confidentiality by “unredacting” the data, retaining it and using it as evidence to start court proceedings against HJ. The Council’s rationale for bringing the Breach of Confidence action was that informants have an expectation of confidentiality. The Council obtained an interim injunction in February 2019 to restrain Mr Harry from using the information he had acquired.

A Notifiable Data Breach

Both cases involve a personal data breach as defined by GDPR Article 4 (12):

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Article 33 of GDPR requires a Data Controller to notify the Information Commissioner’s Office (ICO) about a personal data breach “without delay and where feasible, not later than 72 hours after becoming aware of it”. Notification is not required if the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Disclosing highly sensitive information about one family to another is likely to be a notifiable breach. A failure to adequately redact the name of a person who makes confidential allegations is also likely to have the same result.

The problem with inadvertent and accidental disclosures is that the Data Controller may not necessarily be aware of them for some time. In the Redbridge case, X told the Council she had received the documents by mistake. According to the Article 29 Data Protection Working Party Guidelines on Personal Data Breach Notification under Regulation 2016/679, when a third party informs a Data Controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure, the Data Controller has become “aware” of the personal data breach. Where a Data Controller has been presented with clear evidence of a confidentiality breach there can be no doubt that it has become “aware”. In the Redbridge case the Council took a decision to self-refer to the Information Commissioner’s Office; interestingly, the facts suggest that this happened before the GDPR came into force.

In the Lambeth case it is not entirely clear when or how the Council became aware that Mr Harry had been able to manipulate the data. However, the facts as recorded in the judgment suggest that it became aware sometime in late 2018 when the ICO investigated complaints made by Mr Harry about the Council’s handling of his subject access request. In other words, it does not look like the Council was aware of the breach until the ICO investigated, although this is not certain from the limited factual information in the judgment.

When a Data Controller becomes aware that personal data has been unlawfully disclosed to a third party, it needs to contain the incident and assess the risk that could result from it. One way of doing this is to ask the recipient either to return the information or to securely destroy it. However, the Article 29 Guidelines make it clear that the Data Controller must be able to “trust” the recipient to do this. In both cases it was quite clear that the recipients had no intention of safely destroying the personal data or returning it to the respective councils; both intended to use the data as evidence in their own legal claims. In both cases the Councils therefore sought an injunction to prevent the recipients from misusing private information and/or breaching confidence.

Injunctions and Offences

Before granting an injunction, the High Court is required to consider whether an injunction would affect a person’s right to freedom of expression; for example his/her right to publish the information online or via the press. It can only grant an injunction if it is satisfied that publication should not be allowed.

In the Redbridge case the Court considered that the information was highly sensitive and that there would be a breach of confidentiality if the documents were either revealed to the press or published on-line. It therefore granted the injunction. In the Lambeth case the Court granted an interim injunction but the case concerning the Breach of Confidence has been listed for trial in July 2020 where Mr Harry will argue that he has a public interest defence.

In April 2020 the ICO decided to prosecute Mr Harry (in the Lambeth case) for two offences: knowingly or recklessly re-identifying de-identified personal data without the consent of the Data Controller, contrary to s.171(1) of the Data Protection Act 2018 (“the DPA”), and knowingly or recklessly processing re-identified personal data without the consent of the Data Controller, contrary to s.171(5). There are no further details about this prosecution at the time of writing.

Lessons Learnt

The incidents in the cases referred to above were not major cyber-attacks or large-scale disclosures. In one case personal data was inadvertently put into an envelope. In another personal data was not properly redacted. But the consequences were potentially severe and could have had significant and adverse consequences for the data subjects concerned.

Both cases show that, although breach notification goes a long way towards addressing issues of awareness and accountability, Data Controllers may need to take further legal action, in the form of an injunction, to prevent collateral damage from an accidental disclosure. The ICO can use its enforcement powers under the DPA 2018 to prosecute people who unlawfully reidentify personal data and seek to process it, but this may come too late if the damage is already done.

GDPR is going global! Ibrahim Hasan is delivering a webinar which will give you a whistle-stop tour of data protection laws around the world. Want a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the course starting at the end of August.

The EasyJet Data Breach: GDPR Fine Arriving?

On 19th May 2020 it was reported that in January 2020 EasyJet was subject to what it describes as a “highly sophisticated” cyber-attack, resulting in the personal data of over 9 million customers being “hacked”. Detailed information about the attack is sparse, with most media sources repeating the same bare facts. Some of the information below is based on the media reports and emails sent to EasyJet customers. At the time of writing there was no information about this on the Information Commissioner’s Office website.

What little information is available points to a number of breaches of the General Data Protection Regulation (GDPR) which could result in the Information Commissioner’s Office (ICO) imposing a monetary penalty.

However, in view of the ICO’s reassessment of its regulatory approach during the current Coronavirus pandemic and reports that it has further delayed the imposition of its £183 million fine against British Airways, readers may be forgiven for thinking that EasyJet will not be on the receiving end of a fine any time soon. In any event, it seems likely that the ICO will be forced to consider the fact that EasyJet, along with the whole airline industry, has been very severely affected by the Coronavirus and faces huge financial pressures.

The consequences for EasyJet in respect of this breach will remain unclear for many months and may disappoint customers whose personal information has been stolen.

Breach of Security

All Data Controllers must comply with the data protection principles set out in Article 5 of GDPR. In particular, Article 5 (1) (f) (the security principle) requires Data Controllers to process personal data in a manner that “ensures appropriate security” of the personal data that they process. That includes protecting against “unauthorised or unlawful processing and against accidental loss, destruction or damage.” This obligation to process personal data securely is further developed in GDPR Article 32, which requires Data Controllers to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The steps that a Data Controller has to take will vary, based upon “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. In other words, Data Controllers must implement security measures that are “appropriate to the risks” presented by their processing, which reflects the GDPR’s risk-based approach. So, for example, a village hairdresser will not be expected to take the same security precautions as an international airline handling personal data (and often Special Category Data) about millions of people. We do not know what cyber-security precautions EasyJet had in place to prevent this attack; however, it is arguable that it should have reviewed its security arrangements (which it may well have done) in the wake of the British Airways attack that was widely reported in September 2018.

There is no doubt that the incident amounts to a “personal data breach” under GDPR Article 4 (12) since it involves a breach of security leading to the unauthorised access of the personal data of about 9 million people. Of the 9 million people affected, 2,208 had their credit card details stolen.

Breach Notification

When a Data Controller becomes aware of a “personal data breach” it must notify the ICO “without undue delay, and where feasible not later than 72 hours after becoming aware of it” (GDPR Article 33). The controller is relieved from this duty where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. That does not appear to be the case here given both the scale of the attack and the fact that the hackers gained access to customers’ credit card details and travel plans. The media reports indicate that the ICO was informed about the attacks that took place in January 2020, but there is no indication of exactly when it was informed. If EasyJet did not notify the ICO within the time frame of Article 33, then this constitutes a further breach of the GDPR.

Phased notification is allowed, though, when a Data Controller does not have all the details of the data breach within the 72 hours. This is likely to be the case with EasyJet, which instructed an immediate forensic investigation to establish the nature and extent of the breach, but the initial notification should still have been made within the 72 hour period as per Article 33.

Notifying EasyJet Customers

GDPR Article 34 requires a Data Controller to notify Data Subjects when the personal data breach is “likely to result in a high risk to the[ir] rights and freedoms”. The threshold for communicating a data breach to Data Subjects is higher than for notifying the ICO, and therefore it will not always be necessary to communicate with affected Data Subjects.

Data Controllers must assess the risk on a case by case basis. However, the Article 29 Working Party Guidelines on Breach Notification suggest that a high risk exists when the breach may lead to identity theft, fraud or financial loss. This would appear to be the case in the EasyJet breach. The GDPR does not state any specific deadline for notification, but it does say that it should be “without undue delay”.

Media reports suggest that EasyJet customers were notified in two separate tranches. The first notification, to customers whose credit card details were stolen, was sent by email in early April. The second tranche, to all other customers, was sent by 26th May. Customers who received emails at the end of May were advised that their name, email address and travel details had been accessed (but not their credit card or passport details).

The purpose of notifying customers is to enable them to take steps to protect themselves against any negative consequences of the breach. The email suggested that customers take extra care to avoid falling victim to phishing attacks.

It remains to be seen whether EasyJet customers were notified “without undue delay” given that the airline became aware of the breach in January but the first notification to customers whose credit card details were stolen was not until the end of April. It is plausible that this may have been too late for some customers. If this is the case then not only would this be a further breach of the GDPR, but it could expose EasyJet to claims for compensation under GDPR Article 82. Indeed, according to SC Magazine, a law firm has already issued a class action claim in the High Court. Note that according to Google v Lloyd (and now under GDPR) claimants do not now have to show direct material damage to claim compensation.

Will EasyJet Be Fined?

The details available to date certainly suggest a breach of Article 5 (1) (f) and possibly Article 32. In addition, it may be the case that EasyJet failed to notify its customers without undue delay and so breached Article 34. Breaches of these provisions could theoretically result in the ICO imposing a monetary penalty of up to 4% of EasyJet’s total worldwide annual turnover in respect of a breach of Article 5 and up to 2% of its total worldwide annual turnover for breaches of Articles 32 and 34.

It is too early to compare the circumstances of the EasyJet breach with the British Airways breach. The number of Data Subjects affected by the BA attack was reported to be half a million (compared to 9 million in the EasyJet attack). However, the number of people whose credit card details were stolen in the BA attack was much greater (about 380,000 booking transactions), although British Airways notified its customers immediately. The scale and gravity of the two breaches are therefore not identical, and the ICO will need to take these factors into account in deciding on the level of any fine. The maximum fine the Commissioner could impose is (as stated above) up to 4% of EasyJet’s annual turnover. It is not clear what this figure is, but the EasyJet Annual Report for 2019 states that the company’s total revenue in 2019 was £6,385 million. In contrast, BA’s total revenue was £12.2 billion. The fine will almost certainly be smaller than that imposed on British Airways, but it remains to be seen how the ICO will react to the financial pressure that EasyJet is clearly under as a result of the Coronavirus pandemic. All we can do is watch this space.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. A few places are left on the course starting on 2nd July.
