Category: Fines

Lloyd v Google: What DPOs need to know

Last week, the UK Supreme Court handed down its much anticipated judgement in the case of Lloyd v Google LLC [2021] UKSC 50. It is a significant case because it answers two important questions (1) whether US style class action lawsuits can be brought for data protection claims and (2) whether damages can be claimed for mere “loss of control” of personal data where no actual damage has been suffered by data subjects. If the Supreme Court had decided that the answer to either of these questions was “yes”, it would have resulted in Data Controllers being targeted with much more costly data breach litigation. 

The present case was brought by Richard Lloyd, a former director of consumer rights group Which?, who alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting on their phone. Mr Lloyd sought compensation, under section 13 of the old Data Protection Act 1998. 

Mr Lloyd sought to bring a claim in a representative capacity on behalf of 4 million consumers; a US style “class action”. In the UK, such claims currently need consumers to opt-in, which can be a lengthy process (and costly). Mr Lloyd attempted to set a precedent for opt-out cases, meaning one representative could bring an action on behalf of millions without the latter’s consent. He sought to use Rule 19.6 of the Civil Procedure Rules which allows an individual to such bring a claim where all members of the class have the “same interest” in the claim. Because Google is a US company, Mr Lloyd needed the permission of the English court to pursue his claim. Google won in the High Court only for the decision to be overturned by the Court of Appeal. If Mr Lloyd had succeeded in the Supreme Court on appeal, it could have opened the floodgates to many more mass actions against tech firms (and other data controllers) for data breaches.

The Supreme Court found class actions impermissible in principle in the present case. It said that, in order to advance such an action on behalf of each member of the proposed represented class, Mr Lloyd had to prove that each one of those individuals had both suffered a breach of their rights and suffered actual damage as a result of that breach. Mr. Lloyd had argued that a uniform sum of damages could be awarded to each member of the represented class without having to prove any facts particular to that individual. In particular, he had argued that compensation could be awarded under the DPA 1998 for “loss of control” of personal data constituted by any non–trivial infringement by a data controller of any of the requirements of the DPA 1998.

The Supreme Court  rejected these arguments for two principal reasons. Firstly, the claim was based only on section 13 of the DPA 1998, which states that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. The court ruled that “damage” here means material damage, such as financial loss or mental distress, as caused by unlawful processing of personal data in contravention of the DPA 1998 (i.e. simply infringing the DPA 1998 does not in itself constitute “damage”). Secondly, in order to recover compensation under section 13 of the DPA 1998, it is necessary to prove what unlawful processing (by Google) of personal data relating to each individual actually occurred. A representative claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation but not here where Mr Lloyd was claiming the same amount of damages (£750) for each of the 4 million iPhone users.

This case was decided under the DPA 1998.  Article 82(1) of the UK GDPR sets out the right to compensation now; “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The similar wording to the DPA 1998 means that the outcome would be the same if Mr Lloyd had commenced his action post GDPR.

The Lloyd-Google judgment means that those seeking to bring class-action data protection infringement compensation cases have their work cut out. However, claims under Art 82 can still be brought on an individual basis – in fact the judgment seems to indicate that individual cases can have good prospects of success. There is more to come in this area. TikTok is facing a similar case, brought by former Children’s Commissioner Anne Longfield, which alleges that the video-sharing app used children’s data without informed consent. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.

advanced_cert

GDPR Fine for Charity E Mail Blunder

A Scottish charity has been issued with a £10,000 monetary penalty notice following the inadvertent disclosure of personal data by email. 

On 18th October, HIV Scotland was found to have breached the security provisions of the UK GDPR, namely Articles 5(1)(f) and 32, when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. 

The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk email practices after its investigation found shortcomings in HIV Scotland’s email procedures. These included inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy. It also found that despite HIV Scotland’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months after the incident.

On the point of training, HIV Scotland confirmed to the ICO that employees are expected to complete the “EU GDPR Awareness for All” on an annual basis.  The ICO recommended that staff should receive induction training “prior to accessing personal data and within one month of their start date.” Act Now’s e learning course, GDPR Essentials, is designed to teach employees about the key provisions of GDPR and how to keep personal data safe. The course is interactive with a quiz at the end and can be completed in just over 30 minutes. Click here to watch a preview. 

HIV Scotland was also criticised for not having a specific policy on the secure handling of personal data within the organisation. It relied on its privacy policy which was a public facing statement covering points such as cookie use, and data subject access rights; this provided no guidance to staff on the handling of personal and what they must do to ensure that it is kept secure. The Commissioner expects an organisation handling personal data, to maintain policies regarding, amongst other things, confidentiality (see our GDPR policy pack).

This is an interesting case and one which will not give reassurance to the Labour Relations Agency in Northern Ireland which had to apologise last week for sharing the email addresses and, in some cases ,the names of more than 200 service users. The agency deals confidentially with sensitive labour disputes between employees and employers. It said it had issued an apology to recipients and was currently taking advice from the ICO.

Interestingly the ICO also referenced in its ruling, the fact that HIV Scotland made a point of commenting on a similar error by another organisation 8 months prior. In June 2019, NHS Highland disclosed the email addresses of 37 people who were HIV positive. It is understood the patients in the Highlands were able to see their own and other people’s addresses in an email from NHS Highland inviting them to a support group run by a sexual health clinic. At the time HIV Scotland described the breach as “unacceptable”. 

The HIV Scotland fine is the second one the ICO has issued to a charity in the space of 4 months. On 8th July 2021, the transgender charity Mermaids was fined £25,000 for failing to keep the personal data of its users secure. The ICO found that Mermaids failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Charities need to consider these ICO fines very carefully and ensure that they have polices, procedures and training in place to avoid enforcement action by the ICO. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in January.

The WhatsApp GDPR Fine 

mika-baumeister-uKdkh25_wc0-unsplash

On 2nd September, the instant messaging service WhatsApp was fined €225 million by the Irish Data Protection Commission (DPC) under GDPR. It is the largest fine issued by the DPC and the second highest in the EU (In July Luxembourg’s National Commission for Data Protection fined Amazon €746 million after finding that the way the e-commerce giant handles people’s personal data, especially around personalised ads, was not GDPR compliant).

The background to the WhatsApp fine is an investigation by the DPC, which started in December 2018. WhatsApp users are required to provide the company with all their contacts’ phone numbers. Some of these will inevitably belong to non-WhatsApp users.
The DPC found that these numbers were also personal data because the subjects were identifiable and consequently WhatsApp was the data controller in relation to such data.

The DPC then evaluated WhatsApp’s compliance with the transparency obligations set out in Articles 14 and 12(1) of GDPR. WhatsApp argued that it took “appropriate measures” to inform non-users of the “very limited ways” in which it processed their personal data.
This was supposedly done by stating users provide the company with all their contacts’ phone numbers in their privacy policy. 

The DPC rejected this argument, pointing to the lack of a discoverable and accessible “public notice” that would provide non-users of WhatsApp services with the information they are entitled to under Article 14. For example, they should be provided with details about the “circumstances in which any non-user personal data is shared with any of the Facebook Companies”(Facebook bought WhatsApp in 2014). It emphasised that the burden of providing such information is outweighed by “the role and utility of the right to be informed”.

The DPC also ruled that WhatsApp had not complied with Article 13 in relation to the privacy information it provided to users. It specifically assessed the extent to which WhatsApp explained its relationship with the Facebook companies and any consequent sharing of data. It criticised the manner in which the information is spread out “across a wide range of texts”, and how a significant amount of it is so high level as to be meaningless. It pointed out how the Facebook FAQ is only linked to WhatsApp’s privacy policy in one place. The information being provided was “unnecessarily confusing and ill-defined”. 

In addition to the fine, the DPC has also imposed a formal reprimand (under GDPR Art. 58(2)(b)) along with an order (under GDPR Art. 58(2)(d)) for WhatsApp to bring its processing into compliance by taking a eight specified remedial actions.  WhatsApp has 3 months to comply. One of the remedial actions is to remind users of their GDPR rights which will lead to substantially more work for WhatsApp in meeting these requests.

Data Controllers need to assess how well their privacy policies and notices comply with Article 13 and 14. This cases shows that regulators are willing to enforce GDPR transparency obligations on data controllers even where the obligations are difficult to meet because, like WhatsApp, they have millions of non-service user data subjects with whom there is no direct relationship.

WhatsApp has confirmed that it will appeal the decision. 

Most of our courses are now available as both classroom and online options. The GDPR Practitioner Certificate is our most popular certificate course with may courses filling up fast. We have added more dates.

First GDPR Fine Issued to a Charity

christopher-bill-rrTRZdCu7No-unsplash

On 8th July 2021, the Information Commissioner’s Office (ICO) fined the transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.
In particular this led to a breach of the Articles 5(l)(f) and 32(1) and (2) of the GDPR. 

The ICO found that Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and/or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results.  

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. 

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal data, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as Special Category Data as mental and physical health and sexual orientation were exposed. 

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.  

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights. 

Steve Eckersley, Director of Investigations said: 

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse. 

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.” 

Up to April 2021, European Data Protection regulators had issued approximately €292 million worth of fines under GDPR. The greatest number of fines have been issued by Spain (212), Italy (67) and Romania (52) (source).  

Up to last week, the ICO had only issued four GDPR fines. Whilst fines are not the only GDPR enforcement tool, the ICO has faced criticism for lack of GDPR enforcement compared to PECR

The first ICO GDPR fine was issued back in December 2019 to a London-based pharmacy. Doorstep Dispensaree Ltd, was issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. In November 2020, Ticketmaster had to pay a fine of £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information. Others ICO fines include British Airways and Marriott which concerned cyber security breaches.  

It remains to be seen if the Mermaids fine is the start of more robust GDPR enforcement action by the ICO. It will certainly be a warning to all Data Controllers, particularly charities, to ensure that they have up to data protection data policies and procedures.  

Act Now Training’s GDPR Essentials e learning course is ideal for frontline staff who need to learn about data protection in a quick and cost-effective way. You can watch the trailer here. 

We only have two places left on our Advanced Certificate in GDPR Practice course starting in September.  

Ticketmaster Fined £1.25m Over Cyber Attack

0_MGP_CHP_270618TICKETMASTER_0736ticketmasterJPG

GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4million Ticketmaster customers across Europe including 1.5 million in the UK. 

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these bank and others had warned Ticketmaster of suspected fraud. Despite these warnings it took nine weeks to start monitoring activity on its payments page. 

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.” 

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe.
Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

The Marriott Data Breach Fine

Niagara Falls, Ontario, Canada - September 3, 2019: Sign of Marriott on the building in Niagara Falls, Ontario, Canada. Marriott International is an American hospitality company.

The Information Commissioner’s Office (ICO) has issued a fine to Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. The fine does not come as a surprise as it follows a Notice of Intent, issued in July 2018. The amount of £18.4 million though is much lower than the £99 million set out in the notice.  

The Data 

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.  

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK. 

The Cyber Attack 

In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access. Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network.
With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker. 

The ICO acknowledged that Marriott acted promptly to contact customers and the ICO.
It also acted quickly to mitigate the risk of damage suffered by customers. However it was found to have breached the Security Principle (Article 5(1)(f)) and Article 32 (Security of personal data). The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014. 

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.  

It is also essential that DPOs have a good understanding of cyber security. We have some places available on our Cyber Security for DPOs workshop in November. 

The Information Commissioner, Elizabeth Denham, said: 

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.” 

Marriott said in statement:  

“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

Marriott has also said that it does not intend to appeal the fine, but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.  

This is the second highest GDPR fine issued by the ICO. On 16th October British Airways was fined £20 million also for a cyber security breach. (You can read more about the causes of cyber security breaches in our recent blog post.) The first fine was issued in December 2019 to Doorstep Dispensaree Ltd for a for a comparatively small amount of £275,000. 

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate is fully booked.We have added more courses. 

First Fine under GDPR

canstockphoto3157426

The Information Commissioner’s Office (ICO) has issued the first fine under GDPR to a London-based pharmacy. Doorstep Dispensaree Ltd, has been issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data.

The company, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements GDPR’s security and data retention obligations. Following a thorough investigation the ICO also concluded that the company’s privacy notices and internal policies were not up to scratch.

The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy. Steve Eckersley, Director of Investigations at the ICO, said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Doorstep Dispensaree has also been issued with an enforcement notice, under Section 149 of the Data Protection Act 2018, due to the significance of the contraventions. It has three months to:

Training seems to feature heavily in the ICO’s Enforcement Notice. GDPR requires all organisations to ensure that their employees are aware of their role in protecting personal data. How to do this without them spending valuable time away from the office or overspending the training budget?

GDPR Essentials is a new e learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe. Click here to read more and watch a demo.

After issuing Notices of Intent to two high profile companies for millions of pounds (British Airways and Marriot) the Information Commissioner has finally issued an actual fine, albeit for a much lower amount and to a less well known company. Data Controllers and Processors need to read the penalty notice carefully and ensure that are not repeating the same mistakes as Doorstep Dispensaree Ltd.

These and other GDPR developments will be discussed in detail in our GDPR update workshop.

The Facebook Data Breach Fine Explained

2000px-F_icon.svg-2

 

On 24th October the Information Commissioner imposed a fine (monetary penalty) of £500,000 on Facebook Ireland and Facebook Inc (which is based in California, USA) for breaches of the Data Protection Act 1998.  In doing so the Commissioner levied the maximum fine that she could under the now repealed DPA 1998. Her verdict was that the fine was ‘appropriate’ given the circumstances of the case.  For anyone following the so-called Facebook data scandal the fine might seem small beer for an organisation that is estimated to be worth over 5 billion US Dollars. Without doubt, had the same facts played out after 25th May 2018 then the fine would arguably have been much higher, reflecting the gravity and seriousness of the breach and the number of people affected.

The Facts

In summary, the Facebook (FB) companies permitted Dr Aleksandr Kogan to operate a third-party application (“App”) that he had created, known as “thisisyourdigitallife” on the FB platform. The FB companies allowed him and his company (Global Science Research (GSR) to operate the app in conjunction with FB from November 2013 to May 2015. The app was designed to and was able to obtain a significant amount of personal information from any FB user who used the app, including:

  • Their public FB profile, date of birth and current city
  • Photographs they were tagged in
  • Pages they liked
  • Posts on their time lime and their news feed posts
  • Friends list
  • Facebook messages (there was evidence to suggest the app also accessed the content of the messages)

The app was also designed to and was able to obtain extensive personal data from the FB friends of the App’s users and anyone who had messaged the App user. Neither the FB friends or people who had sent messages were informed that the APP was able to access their data, and nor did they give their consent.

The APP was able to use the information that it collected about users, their friends and people who had messaged them, in order to generate personality profiles. The information and also the data derived from the information was shared by Dr Kogan and his company with three other companies, including SCL Elections Ltd (which controls the now infamous Cambridge Analytica).

Facebook Fine Graphic

In May 2014 Dr Kogan sought permission to migrate the App to a new version of the FB platform. This new version reduced the ability of apps to access information about the FB friends of users. FB refused permission straight away. However, Dr Kogan and GSR continued to have access to, and therefore retained, the detailed information about users and the friends of its users that it had previously collected via their App. FB did nothing to make Dr Kogan or his company delete the information.  The App remained in operation until May 2015.

Breach of the DPA

The Commissioner’s findings about the breach make sorry reading for FB and FB users. Not only did the FB companies breach the Data Protection Act, they also failed to comply or ensure compliance with their own FB Platform Policy, and were not aware of this fact until exposed by the Guardian newspaper in December 2015.

The FB companies had breached s 4 (4) DPA 1998  by failing to comply with the 1stand 7th data protection principles. They had:

  1. Unfairly processed personal data in breach of 1st data protection principle (DPP1). FB unfairly processed personal data of the App users, their friends and those who exchanged messages with users of the APP. FB failed to provide adequate information to FB users that their data could be collected by virtue of the fact that their friends used the App or that they exchanged messages with APP users. FB tried, unsucesfully and unfairly, to deflect responsibility onto the FB users who could have set their privacy settings to prevent their data from being collected. The Commissioner rightly rejected this. The responsibility was on Facebooks to inform users about the App and what information it would collect and why. FB users should have been given the opportunity to withhold or give their consent. If any consent was purportedly  given by users of the APP or their friends, it was invalid because it was not freely given , specific or informed. Conseqauntly, consent did not provide a lawful basis for processing
  2. Failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, in breach of the 7th data protection principle (DPP7). The processing by Dr Kogan and GSR was unauthorised (it was inconsistent with basis on which FB allowed Dr Kogan to obtain access of personal data for which they were the data controller; it breached the Platform Policy and the Undertaking. The processing by DR Kogan and his company was also unlawful, because it was unfair processing.  The FB companies failed to take steps (or adequate steps) to guard against and unlawful processing.  (See below). The Commissioner considered that the FB companies knew or ought to have known that there was a serious risk of contravention of the data protection principle sand they failed to take reasonable steps to prevent such a contravention.

Breach of FB Platform Policy

Although the FB companies operated a FB Platform Policy in relation to Apps, they failed to ensure that the App operated in compliance with the policy, and this constituted their breach of the 7th data protection principle. For example, they didn’t check Dr Kogan’s terms and conditions of use of the APP to see whether they were consistent with their policy (or presumably whether they were lawful). In fact they failed to implement a system to carry out such a review. It was also found that the use of the App breached the policy in a number of respects, specifically:

  • Personal data obtained about friends of users should only have been used to improve the experience of App users. Instead Dr Kogan and GSR was able to use it for their own purposes.
  • Personal data collected by the APP should not be sold or third parties. Dr Kogan and GSR had transferred the data to three companies.
  • The App required permission from users to obtain personal data that the App did not need in breach of the policy.

The FB companies also failed to check that Dr Kogan was complying with an undertaking he had given in May 2014 that he was only using the data for research, and not commercial, purposes. However perhaps one of the worst indictments is that FB only became aware that the App was breaching its own policy when the Guardian newspaper broke the story on December 11 2015. It was only at this point, when the story went viral, that FB terminate the App’s access right to the Facebook Login. And the rest, as they say, is history.

Joint Data Controllers

The Commissioner decided that Facebook Ireland and Facebook Inc were, at all material times joint data controllers and therefore jointly and severally liable. They were joint data controllers of the personal data of data subjects who are resident outside Canada and the USA and whose personal data is processed by or in relation to the operation of the Facebook platform. This was on the basis that the two companies made decisions about how to operate the platform in respect of the personal data of FB users.

The Commissioner also concluded that they processed personal data in the context of a UK establishment, namely FB UK (based in London) in respect of any individuals who used the FB site from the UK during the relevant period. This finding was necessary in order to bring the processing within scope of the DPA and for the Commissioner to exercise jurisdiction of the two Facebook companies.

The Use of Data Analytics for Political Purposes

The Commissioner considered that some of the data that was shared by Dr Kogan and his company, with the three companies is likely to have been used in connection with, or for the purposes of, political campaigning. FB denied this as far as UK residents were concerned and the Commissioner was unable, on the basis of information before her, whether FN was correct. However, she nevertheless concluded that the personal data of UK users who were UK residents was put at serious risk of being shared and used in connection with political campaigning. In short Dr Kogan and/or his company were in apposition where they were at liberty to decide how to use the personal data of UK residents, or who to share it with.

As readers will know, this aspect of the story continues to attract much media attention about the possible impact of the data sharing scandal on the US Presidential elections and the Brexit referendum. The Commissioner’s conclusions are quite guarded, given the lack of evidence or information available to her.

Susan Wolf will be delivering these upcoming workshops and the forthcoming FOI: Contracts and Commercial Confidentiality workshop which is taking place on the 10th December in London. 

Our 2019 calendar is now live. We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. 

Need to prepare for a DPO/DP Lead role? Train with Act Now on our hugely popular GDPR Practitioner Certificate.

LGL Advert

 

Equifax Ltd fined £500,000 for significant breaches of the DPA 1998

31dc574c-e8f4-4849-a8d4-46fe2f3ff80d

On 20th September the Information Commissioner issued Equifax Ltd with a £500, 000 monetary penalty, the biggest fine it has issued to date, and the maximum allowed under the Data Protection Act 1998.  Although half a million pounds might sound a significant amount of money, it represents a relatively modest amount compared to the fine the company might have received had the breech occurred 12 months late, under the GDPR regime.

In this blog we consider the incident, the actions of the parties and we speculate on what type of sanctions the company could have faced under the GDPR.

The background

Equifax Ltd is a major credit reference agency based in the UK.  Since 2011 it has offered a product called the Equifax Identity Verifier (EIV) which enables clients to verify the identity of their customers, online, over the telephone or in person. To verify an individual’s identity, the client enters that individual’s personal information on the Equifax system, which is then checked against other sources held by Equifax Ltd.  Initially the EIV was processed by its US parent, Equifax Inc.  Equifax Ltd in the UK was the data controller and Equifax Inc in the USA was the data processor.  In 2016, Equifax Ltd transferred the data processing for the EIV product to the UK. This required the migration of the personal data to the UK. However, the US company did not then delete all the UK personal data from its system, which its should have done as it had no lawful reason for continuing to store this data.

The cyber-attack incidents

Equifax Inc was subject to a number of cyber-attacks, between 13 May and 30 July 2017.  During this period the attackers exploited a vulnerability in the US company’s online consumer-facing disputes portal. This enabled the attackers to access personal data of about 146 million individuals in the USA. Additionally, they were able to access the name and date of birth of up to 15 million UK individuals, contained in the EIV dataset.  In addition, in respect of some 637,430 UK data subjects their telephone numbers and driving license numbers were also a compromised.

An additional data set (the GCS dataset) was also attacked and this allowed the hackers to access the email addresses of over 12,000 UK individuals. More significantly, for another 14,961 UK residents the compromised data was account information for Equifax’s credit services and included data subjects’ name, address, date of birth, user name, password (in plain text), secret question and answer (also in plain text), credit card number (obscured) and some payment amounts. This personal data was held in a plain text file, as opposed to the actual data base. The storage of password data in plain text was contrary to the company’s Cryptography Standard which specifically required that passwords were to be stored in encrypted, hashed, masked, tokenised or other form.  The file was held in a file share, which was accessible to multiple users.

In March 2017 Equifax Inc., received warning of the vulnerability of its Apache Struts 2 web application framework (that it used in its consumer facing online disputes portal). The warning came from the US Department of Homeland Security Computer Emergency Readiness Team which identified a critical level of vulnerability. The US company disseminated this warning to key personnel, but the consumer facing portable was neither identified or patched.

Equifax Inc. became aware of the cyber attack on 29 July 2017, and then further aware that the data of UK individuals had been compromised by late August 2017.  However, Equifax Inc failed to warn Equifax Ltd until late September 7th, 2017, at least a week after it became aware the UK personal data had been compromised.

Equifax Ltd notified the ICO on 8thSeptember. In this respect, its behaviour would have met the strict breach notification requirements of the GDPR which require a data controller to notify the Commissioner within 72 hours of become aware of the breach.  Initially they reported that about 1.49 million individuals’ data had been lost. This was later revised upwards to 15 million data subjects. They also indicated, incorrectly, that the data accessed did not include residential addresses or financial information.

The Information Commissioner’s Findings

On the facts, the Information Commissioner decided that although the information systems in the USA were compromised, Equifax Ltd was the data controller responsible for the personal data of its UK customers. The Commissioner found that Equifax had failed to take appropriate steps the ensure its US parent, and data processor, was protecting the information. The Monetary Penalty Notice lists the various contraventions of the DPA 1998:

  • Principles 5, 2 and 1
    • Following the migration of the EIV dataset from the US to the UK, it was no longer necessary for the US company to keep any of the data. The data set had not been deleted in full and was kept longer than necessary.
    • In relation to the GCS dataset stored on the US system, Equifax Ltd was not sufficiently aware of the purpose for which it was being processed until after the breach. In the absence of any lawful purpose the retention was unnecessary.
    • The UK company failed to follow up or check that the data had been removed from the US systems, or to have an adequate process in place to check this was done.
  • Principle 7
    • Equifax had not undertaken an adequate risk assessment (s) of the security arrangements put in place by its data processor before transferring the data to it or following the transfer.
    • The Data Processing Agreement between Equifax Ltd and Equifax Inc was inadequate and failed to provide appropriate safeguards/ security safeguards or the standard clauses.
    • Equifax Ltd had failed to ensure adequate security measures were in place. The Commissioner identified numerous examples of the inadequacy of the safeguard that were in place, including the lack of encryption; the use of plant text data, allowing multiple users to have access to plaintext files; failing to address IT vulnerabilities; having out of date software; failing to undertake sufficient and regular system scans
    • Poor communications between the UK and US companies particularly in relation to the US company’s delay in making the data controller aware of the breach.
  • Principle 8
    • The Data Processing Agreement between Equifax UK and Equifax Inc was inadequate in that it failed to incorporate the standard contractual clause as a separate agreement and/or to provide appropriate safeguards for data transfers outside the EEA.
    • There was therefore a lack of a legal basis for the international transfer of this data.

Overall the Information Commissioner found multiple failures at Equifax Ltd, which led to personal information being kept longer than necessary and vulnerable to unauthorised access. Given the nature of the breaches, individuals were exposed to the risk of financial and identity fraud. The Commissioner concluded that the maximum financial penalty it could levy was proportionate in all the circumstances.

What difference would it make if this happened under the GDPR?

If the same breaches had occurred post May 25th then both Equifax Ltd and Equifax Inc., might find themselves in a substantially different situation.

The level of fine: The most obvious difference would be in relation to the level of fine that the ICO could impose. Under Article 83 GDPR the ICO can impose a fine of up to £17 million (20m Euro) or 4% of global turnover. Equifax Ltd is part of a global group that operates or has investments in over 24 countries. According to its 2016 Annual Report the Equifax Group’s global annual revenue for 2016 was $3.144.9 billion. 4% of this is about $125 million. In 2016 the UK company, Equifax Ltd, recorded revenue of £114.6 million. This alone could lead to a fine of over £4.5 million.

Data Subjects’ rights to sue for damages: Although this is not a new right under the GDPR, the GDPR now expressly permits individuals to sue for both material (financial) and non-material damage, such as distress. In many respects this represents a bigger risk for companies such as Equifax who are processing data whose loss could cause significant harm to data subjects. Given the heightened awareness amongst the public of the GDPR, it is not difficult to anticipate that these type of high-volume breaches could result in class actions for compensation.

Breach Notification: Article 33 imposes a condition that data processors must notify data controllers ‘without undue delay’ if they become aware of a data breach. The delay on the part of the US company in informing the UK company would constitute a breach of Article 33.

Notifying Data Subjects: Under Article 34 GDPR the Data Controller has a duty to notify data subjects that their personal data has been breached, where the breach is likely to result in a high risk to their rights and freedoms.  Equifax Ltd issued a press releaseon 7thOctober 2017 saying that I would we will now begin writing to all impacted customers with immediate effect. This again does not meet the requirements of notification ‘without undue delay’.

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

‘The Great CPS Data-breach!’

canstockphoto6448307

 

 

 

 

 

 

 

 

 

 

 

 

No, this isn’t a new multi-million pound blockbuster, but instead a £200,000 error the Crown Prosecution Service probably wishes it had never made.

On the 4th November 2015 the Information Commissioners Office (ICO) issued a £200,000 monetary penalty notice under the Data Protection Act 1998 on the Crown Prosecution Service (CPS) for the lack of effective security and controls around DVD videos of police interviews after they were stolen (while being stored on laptops) from a 3rd party private film studio.

Imagine the scene, it’s the year 2002 and new technologies are coming in, for the recording & editing of films.  So you, as a modern and practical Crown Prosecution Service, look for a company that can offer these things quicker, better and cheaper than you can do in-house. So you commission an informal 6 month trial with a guy with a studio based in Manchester. After 6 months he seems to do a good job, he’s no George Lucas but you’ll roll with him beyond the 6 months.

Now as these things do, your ‘video editing man’ changes offices to a new location that, by all accounts, is a little bit lacking in basic things (like security and working CCTV). But no matter, we can’t judge those on where they operate and the service isn’t affected – if anything it’s a nice new shiny studio.

However, on a day in September 2014 (the 11th to be precise) a burglar just happens to wonder past and manages to get into the studio, steals 3 laptops that are currently being worked on by your video editor and runs off with them. The police catch up with ‘him’ 8 days later and as luck would have it, they also recover the laptops. But that’s OK, as it’s only 43 data subjects, you got the laptops back and there is a password on each of the laptops right?

Well unfortunately no, that isn’t OK. And the Information Commissioner agrees. In the ICO’s decision notice he outlines that various things were not in place here that really should have been given the level of sensitivity of the data concerned. Below are extracts from the 5 main areas the ICO cites as the mean breaches of the DPA.

  1. Unencrypted DVDs containing the videos were delivered to X using a national courier firm. The sole proprietor used public transport to take the DVDs to X premises if a case was urgent.
  1. The CPS was not aware of any security risks posed by editing videos of police interviews at X premises either in 2002 or 2006.
  1. The CPS had no guarantee that the sole proprietor would store the unencrypted DVDs in a lockable cabinet and return or securely destroy the DVDs at the end of the case.
  1. The CPS failed to monitor the sole proprietor in relation to any security measures taken by him.
  1. The CPS did not have a DPA compliant contract with the sole proprietor in relation to the processing.

All the usual culprits are there;

  • Lack of encryption,
  • Lack of secure transfer of data,
  • Lack of 3rd party auditing and,
  • Lack of 3rd party contract.

But above all what this notice outlines is a fundamental lack of understanding or awareness of what data is being processed here. The DVDs contained information relating to the witness and victims of crimes of a sexual or violent nature. It is reported that at least 1 of the files concerned that was stolen related to a high profile individual. And that’s just on these DVDs. What about all the other DVDs that have entered that studio since 2002?

While there is no evidence in the ICOs decision notice that other losses have occurred, the circumstances around this theft have been in place since 2002. It could be lucky that only one theft has occurred, but then again how we do know that this is indeed the only theft?

I know when these notices come out those of us that have been fighting the good data protection fight for some time will pick apart the incident and indeed say, “If you’d only have done this…” but the points we raise are all valid. This is very much a case of where everything is wrong. Not one aspect of this situation works in the CPS’ favour. Well apart from the fact the laptops were eventually recovered. But as the ICO points out, there is no proof that the DVDs were not accessed as only a password existed on them. So technically that doesn’t really help you either.

To help avoid the loss of any personal data there are a couple of best practice steps that organisations can take.

  1. Write a standard DPA clause or contract for use by and any all 3rd party suppliers and get it inserted in all contracts but current and future. If the current ones already have one then fine, make sure it’s at the same level or better than your template and go from there.
  1. If its sensitive personal data and it’s leaving your premises as a basic rule always ensure it is encrypted to a decent standard at all times. There is rarely an acceptable situation where the sending of sensitive personal data on a DVD out of the business that doesn’t have a decent level of encryption on it. If such a scenario does come up, then guard & monitor it and manage & document the risk.
  1. If you’ve got a 3rd party going anywhere near your sensitive personal data then watch and monitor them closely. They are as much a threat to your information as internal staff, and you wouldn’t (hopefully) leave your internal staff to handle sensitive personal data in any way they see fit so why would you for a 3rd party?

Having worked in the Social Care & legal industries I know how easy it is to become desensitised to the data that you hold and process daily. But always remember and be aware of the sensitivity of the data in your hands. That’s very easier said than done but that principle, once engrained in your thinking, then means you’ll stop and think before commissioning something or sending something that you really shouldn’t have.

Now I’m going to do some jiggery-pokery here, and bear with me on this as it’s not going to be exact but let’s see if we can work out what a fine would be under the new Data Protection Regulation. Now I accept that this is not an exact science as the text is still draft and the exact mechanism for fines is not agreed yet but let’s just imagine.

So, under the current framework the ICO can fine up to £500,000 for such a breach but instead valued the breach at the £200,000 level based on the severity, compensating controls, political nonsense etc. That works out as two fifths or 40% of the full amount he can fine.

Under the GDPR council text, because of the level of failing here in various areas, I believe that this breach would meet the definitions outlined in Article 79a (3a-h). Sections 1 & 2 of Article 79a do outline breaches but article 1 outlines relatively small offences and article 2 only covers some of the breaches outlined here. The limit of such a fine under that section is 1 million Euros or 2% of global annual turnover for the previous year (if an undertaking). If we assume the limit would be 1 million Euros (give the public sector nature of the controller) then let’s apply the same % as the ICO applied here.

40% of 1 million is 400,000 euros. In today’s currency (as of 13th November and according to google) that equates to a fine of £283,556.79 under the GDPR. Not much of an increase when you think about it.

However, if this fine was for an “undertaking” (currently not defined in the GDPR but the link contains the UK definition) the fine value could increase substantially. If we were to take the CPS public finances as an example their turnover for 2014 was £581.9 million pounds. 2% of that is £11,638,000. If we then take 20% of the 11.6 million we end up at a fine of £2,327,600 under the GDPR.

Now the above is not an exact science, as I’ve stated, as the mechanisms for determining fine amount are still to be agreed but those mechanisms will need to be as proportional as possible. By just using the current model (which the ICO seems to defend) the same incident could mean the difference between a fine of just under £300k for a public sector body (not an undertaking) or a fine of £2.3 million for a private sector undertaking.

Seems a little disproportionate does it not?

 

Scott Sammons an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.