Data Protection update - August 2019
Welcome to the August 2019 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- Facebook’s ‘like’ button puts businesses at risk of breaching data protection laws
- Investigatory Powers Act remains standing in High Court ruling against Liberty
- CNIL faces lawsuit over its tracking-cookies plan
- Greek Data Protection Authority fines PWC
- Singapore's Personal Data Protection Commission fines five organisations
- Office 365 ban in German schools 'temporarily' lifted
- Concerns over DNA home testing
- Data regulator probes King's Cross facial recognition technology
- Facebook's cryptocurrency Libra faces privacy concerns ahead of 2020 launch
- Dutch Hospital fined on the grounds of insufficient security measures to protect patients' medical records
- GDPR and Norwich Pharmacal relief
- Legal ombudsman faces claim over data breach
- Data rights for employees tested in court
- Regulator prohibits the use of transaction data for marketing purposes
- Twitter acknowledges misuse of user data
- ICO confirms timescales for responding to a SAR
- How much does a data breach cost?
- Sunderland City Council reported more than 150 data breaches last year
- Google temporarily stops Assistant audio transcriptions in the EU
- Epic Games hit with class action after data breach
- European Central Bank shuts down website in wake of hack
- Delta Airlines, Marriott and Accenture: are class action suits the way to react to data breaches?
- Ramifications of Capital One data breach continue to unfold
- Monzo urges 480,000 customers to change their pin numbers
- Major breach found in biometrics system used by banks, UK police and defence firms
- IT outage affects banking, leaving customers unable to pay bills
- Making it Easy Ltd fined £160,000 for spam calls
- Hudson Bay Finance Ltd issued with an enforcement notice for failing to respond to a SAR
- Former motor industry worker ordered to pay £25,500 from proceeds of data theft
- Life at Parliament View Ltd fined £80,000 for leaving 18,610 customers' personal data exposed for almost two years
The European Court of Justice has found that the operator of websites that make use of Facebook’s ‘like’ button, where that button causes the collection and transmission of individuals’ personal data, can be a controller jointly with Facebook with respect to that collection and transmission. The effect of this decision is that Facebook and the website operator would be jointly responsible for providing certain information to all data subjects when processing their personal data in compliance with EU data protection laws.
Fashion ID, a German online clothing retailer integrated the Facebook ‘like’ button on its website. As a result of this, the personal data of a visitor to Fashion ID’s website was transferred to Facebook Ireland. This transmission occurred without the visitor’s consent and irrespective of whether the user had clicked the ‘like’ button.
The court found that Fashion ID and Facebook Ireland were joint controllers in respect of the transmission of personal data to Facebook Ireland; however, the court held that the operator of such a website would not be a controller in respect of any subsequent processing of that data by Facebook.
When using social media plugins, like Facebook’s ‘like’ button, businesses must be mindful of their responsibilities to the users of their site, including the information obligations they must comply with and the legal basis on which personal data is transmitted to the likes of Facebook.
The Investigatory Powers Act (the “Act”), an act permitting large-scale surveillance of electronic communications by the intelligence agencies, has been upheld in a High Court case brought by the human rights group Liberty (for more information, please refer to our June update).
Judges in the High Court ruled that the safeguards implemented by the Act were sufficient to ensure that the privacy rights of the public would not be violated and that action would be taken if such events did occur. The court also found no part of the Act that did not comply with the European Convention on Human Rights.
In our July update we discussed the CNIL’s updated cookies guidance which included an updated definition of valid consent. The CNIL adopted a transition period until mid-2020 during which stakeholders must comply with the new cookies guidance relating to targeted advertising.
However, the civil rights group, La Quadrature du Net (“LQN”) and Caliopen filed a legal challenge against the CNIL’s plan to give companies a transition period following the publication of a recommendation to adapt the guidelines, during which period it will continue to accept that merely continuing to browse a site or app would be considered valid consent. This goes against the CNIL’s own guidance which states that consent must be a clear positive action and cannot be implied. This implied consent would be illegal from 2020 as per the CNIL’s plans but LQN and Caliopen argue that this practice should be illegal immediately as the CNIL’s current plans encourage the prolonged infringement of data privacy laws.
The Greek Data Protection Authority (the “GDPA”) has fined PWC €150,000 for unlawfully processing employee data. Following an investigation, the GDPA found that PWC was processing employee personal data on the basis of consent, despite the fact that consent must be freely given making it (normally) inappropriate in the context of employment due to the imbalance of power between employer and employee.
PWC had also led its employees to believe that it was processing their data on the basis of consent when in fact it was processing their data under an entirely different legal basis and had not informed its employees of this in violation of the principle of transparency.
Singapore’s Personal Data Protection Commission has imposed fines on five organisations, with the total fine amounting to $117,000.
CDP and Toppan Security Printing were fined $24,000 and $18,000 respectively for the unlawful disclosure of CDP’s account holders’ personal data.
Horizon East Ferry was fined $54,000 for failing to implement appropriate data protection policies and practices to protect the personal data of its customers. Genki Sushi was fined $16,000 for a similar offence.
Championtutor was also the subject of a financial penalty for failing to have a data protection officer.
A restriction on the use of Microsoft software was imposed in the state of Hesse in Germany after it was discovered that Office 365 disclosed information on students and teachers to US officials. Following discussions between Microsoft and the Hessian Data Protection Commissioner, the restriction has now been lifted subject to certain conditions being met, such as a block on the transmission of any diagnostic data.
The decision comes in the wake of a prolonged debate in Germany regarding cloud software due to the fact that a large amount of the data is sent back to the US.
The Hessian data protection authority is expected to deliver a more permanent assessment of data protection in schools over the next few months.
Complaints have been made to the ICO about three of the biggest home DNA testing companies, AncestryDNA, 23andMe and MyHeritage. A freedom of information request has shown that the ICO received 16 complaints about security, the use and disclosure of data and the right to prevent the processing of data. The ICO has since raised its concerns and offered advice to the companies in question to ensure compliance with data protection laws.
The facial recognition system at King's Cross station in London is to be investigated by the ICO. The ICO will inspect the technology and assess how it is operated due to concerns about the increased use of facial recognition technology and its compliance with data protection laws.
Argent, the developer at King’s Cross, claims that the technology is for safety purposes but has not shed any light on how long it has been using facial recognition cameras, what the legal basis is for their use, or what systems it has in place to protect the data it collects.
The launch of Facebook’s cryptocurrency has been set back by concerns over privacy. ‘Libra’ will be an online payment method spread across Facebook’s channels, in an attempt to reach further into the consumer market and immerse its users in the world of online transactions, as successfully pioneered in China under ‘WeChat’.
The use of bitcoins in Libra has raised concerns over the regulation of the system. The well-known digital coin has remained largely unregulated since its creation in 2008, leading to concerns that crypto-exchange hacks and money laundering will be rife in Facebook’s new programme.
Some companies supporting the Libra introduction have already implemented techniques to overcome these privacy concerns, such as Calibra’s implementation of verification and anti-fraud processes to pre-empt and prevent data leak issues. However, more action is required to reassure Facebook users willing to adopt the new cryptocurrency system that their data will remain protected.
Dutch Hospital fined on the grounds of insufficient security measures to protect patients’ medical records
HagaZiekenhuis has been fined €460,000 due to an absence of appropriate security measures protecting its patients’ files. The system used by the hospital did not have appropriate access controls or an adequate authentication process as required by Article 32 of the GDPR.
The Dutch Data Protection Authority ruled against the HagaZiekenhuis and demanded that suitable security measures should be implemented to protect the sensitive files handled at the hospital. If the hospital does not comply, a further penalty of €100,000 will be due every two weeks until such measures are implemented.
In the case of Mircom International Content Management & Consulting Ltd v Virgin Media Ltd the claimants sought so-called ‘Norwich Pharmacal’ relief (a form of disclosure) against Virgin Media. In response, Virgin Media argued that the GDPR had affected the operation of this relief.
The court was asked to consider whether IP addresses were personal data and whether, if disclosure was granted to the claimants, the claimants would be data controllers of that data.
It was held that IP addresses were indeed personal data. The court also accepted the claimant’s argument that, if disclosure was made, they would not determine the purposes and means of the processing of the data; this would be determined by the civil procedure rules and the conditions under which the information was shared, and therefore the claimants would be recipients of the personal data as opposed to controllers. As the claimants were deemed to be merely data recipients, the GDPR would have no effect on the application for relief.
The legal ombudsman is being sued by former complainants whose contact details were accidentally disclosed in an email. The ombudsman had emailed a number of former complainants asking them to review their experience of the complaints procedure, however the names and contact details of the recipients were included in the address bar in error and were visible to each individual recipient. This constituted a breach of data protection laws by virtue of being a disclosure of personal data without a lawful basis.
The ombudsman has said that it contacted the ICO immediately after becoming aware of the breach. The ICO confirmed that no further action was required as it considered the remedial action taken by the ombudsman to be satisfactory.
Under the Data Protection Act 2018 (“DPA 2018”), data subjects have a right of appeal to the First-tier Tribunal (“FTT”) if they consider that the ICO has not handled their complaint appropriately. In Tabidi v Information Commissioner, the court found that this right is limited to the ICO’s procedural failings and cannot be used as a right to appeal against a substantive decision of the ICO.
In Tabidi, the applicant complained to the ICO that he had not received a reply to the subject access request (“SAR”) that had been submitted to the Employment Tribunal. The ICO decided that the Employment Tribunal was not required to respond to the SAR due to the DPA 2018 exemption for data processed by a judicial office holder or tribunal acting in a judicial capacity.
Mr Tabidi applied to the FTT for an order requiring the ICO to progress his complaint; however Mr Tabidi’s application was refused on the grounds that procedurally, the ICO had taken appropriate steps to investigate the complaint and therefore there were no grounds for the FTT to change the substantive decision of the ICO.
The Dutch Data Protection Authority (“Dutch DPA”) has written to the Dutch Banking Association stating that the processing of individuals’ transaction data for the further purpose of direct marketing to the same individuals may not be compliant with the GDPR.
On a post to its own website, Twitter has admitted that where its users had chosen specific settings in relation to the company’s use of their personal data, those choices had not been respected.
In its announcement, Twitter acknowledged that where a user had viewed an advertisement for a mobile application and had subsequently interacted with the mobile application, Twitter may have shared that user’s data with its advertising partners even where it had no permission to do so. Twitter also admitted that it had shown its users adverts based on inferences made by the company about those individuals even where those users had not given it permission to do so.
Twitter has said that it resolved all these issues on 5 August 2019 but its investigation is ongoing.
In an announcement posted on its website, the ICO has updated its guidance on timescales for responding to SARs and other individual rights requests.
The new timescale states that the day of ‘receipt’ is considered ‘day one’ in terms of calculating the response time; for example, a SAR received on 3 September should be responded to by 3 October. Organisations must still comply with a request without undue delay and within one month of receipt, and the advice remains that all SARs should be treated properly and carefully.
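The timescale described above, worked through as an added example (not from the bulletin or the ICO): a small deadline calculator in Python. Beyond the text, it assumes that where the following month has no corresponding calendar date the ICO treats the last day of that month as the deadline; the request register it runs over is constructed.

```python
"""Subject access request (SAR) deadline calculator (added example).

ICO timescale as described in the bulletin: the day of receipt is day one,
and the response is due on the corresponding date one month later
(3 September -> 3 October). Assumption beyond the text: where the next
month has no corresponding date (a request received on 31 January, say),
the last day of that month is used as the deadline.
"""
import calendar
from datetime import date


def sar_deadline(received: date) -> date:
    """Latest date by which a SAR received on `received` must be answered."""
    # Step to the following month, wrapping the year after December.
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    # Corresponding date if it exists, otherwise the month's last day
    # (assumed month-end rule, see module docstring).
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def deadline_iso(received_iso: str) -> str:
    """String convenience wrapper: 'YYYY-MM-DD' in, 'YYYY-MM-DD' out."""
    return sar_deadline(date.fromisoformat(received_iso)).isoformat()


def overdue_requests(register: dict, today_iso: str) -> list:
    """Ids of requests whose deadline has passed with no response logged.

    `register` maps a request id to (received_iso, responded_iso or None).
    """
    today = date.fromisoformat(today_iso)
    return sorted(
        rid
        for rid, (received_iso, responded_iso) in register.items()
        if responded_iso is None
        and today > sar_deadline(date.fromisoformat(received_iso))
    )


if __name__ == "__main__":
    # Constructed sample register, not real requests.
    register = {
        "SAR-001": ("2019-09-03", None),          # due 2019-10-03
        "SAR-002": ("2019-07-31", None),          # due 2019-08-31, overdue
        "SAR-003": ("2019-08-01", "2019-08-20"),  # answered in time
    }
    for rid, (received_iso, _) in register.items():
        print(rid, "due", deadline_iso(received_iso))
    print("overdue on 2019-09-04:", overdue_requests(register, "2019-09-04"))
```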
Security software provider IBM Internet Security Systems has published a new report to help calculate the cost companies incur when experiencing a data breach. IBM studied 507 companies and interviewed 3,211 individuals, collecting several data points to quantify the financial impact of a data breach. The 2019 report found that the average total cost of a data breach in the UK is approximately £3.1 million. The UK ranked sixth in terms of total cost per country and the US topped the rankings with an average cost of $8.19 million. The industry experiencing the highest average cost of a data breach globally was healthcare, while the highest average industry cost in the UK was services. The report also found that the average time taken to identify and contain a breach in the UK was 243 days. The full report can be accessed here.
New figures reveal that Sunderland City Council experienced more than 150 reported data breaches in 2018. Data protection officer, Rhiannon Hood, speaking to the Audit and Governance Committee on 26 July, stated that Sunderland Council “took quite a draconian approach to this, we require reporting of very low-level incidents”. The council uses a traffic-light system to rate the severity of the breaches; the majority (62 per cent.) were found to be low level ‘green’ breaches, while 29 per cent. were rated ‘amber’ and 2 per cent. rated ‘red’. A total of seven incidents were referred to the ICO (more information can be found here).
In the wake of the news that Google Assistant audio recordings were leaked to a Belgian news outlet, Google has suspended transcriptions in the UK. A Google spokesperson told CNBC that it had paused all recordings in the EU shortly after the leak. Google has defended its practice by saying it transcribes only 0.2 per cent. of the audio recordings, but it is unclear as to whether this violates the GDPR, and similar allegations have plagued Amazon’s Alexa recordings. Google will suspend audio transcripts for at least three months as the European data protection authorities continue to investigate.
In November 2018, a data breach exposed the personal details of Fortnite players and left their accounts vulnerable to an attack. US firm Franklin D Azar & Associates is preparing a class action lawsuit against Epic Games, asking for those affected by the breach to join the action. Franklin D Azar & Associates have accused Epic Games of ignoring earlier warnings from Check Point, a cybersecurity research firm, who claimed that they had “successfully exploited a security vulnerability on an old, unsecured webpage operated by Epic Games”. Such lawsuits are becoming increasingly common, in particular in the realm of data protection law.
The European Central Bank (“ECB”) has confirmed that its ‘BIRD’ website, which provides the banking industry with information on how to produce statistical and supervisory reports, was hacked and infected with malicious software. The website, hosted by an external provider, was suspended and sent offline while the ECB contained the breach. The ECB has said that whilst none of its internal systems or market sensitive data were affected, the contact information of 481 subscribers of the site’s newsletter may have been obtained. According to news outlets the malware attack had gone undetected for several months.
Delta Air Lines Inc. is suing an artificial intelligence company that hosted a chatbot on its website. Delta has accused [24]7.ai Inc. of failing to have sufficient safeguards to prevent a 2017 hack that exposed the credit card details of customers. The suit further alleges that [24]7.ai waited for more than five months to inform the airline of the security lapse. The airline informed customers and regulators of the incident last year, stating that credit card details and other personal information from up to 825,000 customers were exposed. It is now pursuing [24]7.ai for the costs related to the breach, which (according to the case filed) totalled millions of dollars. Delta itself has been the subject of a class action suit related to the breach.
In separate but related news, consultancy firm Accenture PLC is being sued for allegedly playing a part in a data breach that Marriott International Inc. disclosed in November 2018. The ICO had proposed a fine totalling $124 million against the hotel chain, but the US has seen class-action lawsuits from consumers, financial institutions, investors and the city of Chicago consolidated, bringing together more than 80 cases against Marriott. Accenture has been added to the complaint, with the plaintiffs alleging that the firm failed “to maintain adequate security controls to detect and neutralize known and obvious security threats” in Starwood Hotels’ reservation system.
An enormous data breach, thought to have affected 106 million people, is continuing to attract attention. It has now been revealed that Italian bank UniCredit and car manufacturer Ford have launched their own investigation into whether their data has been made vulnerable by the Capital One breach. The breach also leaves Amazon on the hook, as their web services cloud was the storage platform for Capital One data.
Paige Thompson, a former Amazon web services employee who has been arrested by the justice department, is alleged to be the hacker behind the security breach. The initial news of the breach sent the value of Capital One shares plummeting down 5.9 per cent. The case has sparked further worries for businesses looking to move to Amazon’s cloud-based system, although Capital One is understood to have been using its own web-app to access the cloud in this case. Capital One stated the issue arose due to a “firewall misconfiguration”, but there are fears Ms Thompson may have shared the data she accessed with others.
It has also been reported that Republican members of the House Committee on Oversight and Reform (the main investigative committee of the US House of Representatives) are also probing the Capital One breach. They have launched an inquiry into both Capital One and Amazon, and are particularly concerned about the allegation that Capital One only learnt about the hack after they had received an email informing them that data was available on GitHub, the hosting platform for software development.
Digital bank Monzo has urged nearly half a million customers to change their pin numbers, stating that their personal information was left exposed to unauthorised staff for a period of six months. Monzo has been steadily building its reputation amongst millennial customers and has plans to move to the US; the bank is now valued at £2 billion. Such data breaches present serious reputational risks, especially for newer, app-based banks, whose USP is their digital fluency.
Monzo encouraged users to update their app and change their pin numbers, insisting it was a precaution and that no one outside the bank had access to the data. They apologised for potentially mismanaging the customers’ data and have reported the breach to the ICO as a safeguard.
More than one million fingerprints may have been leaked, along with further sensitive data, after a biometric security firm experienced a security breach. Suprema (the security company responsible for the Biostar 2 biometrics lock system) has contracts with the Metropolitan Police, defence contractors and banks. Fingerprints, facial recognition information, unencrypted usernames and passwords, and personal information of employees are among the categories of data reportedly leaked as a result of the breach.
The vulnerability in the system was discovered by researchers working with cybersecurity firm VPNMentor. According to reports, the exposed data was made private again on 13 August 2019; it is unclear for how long it was accessible.
Several of the UK’s largest banks and building societies experienced simultaneous issues, stemming from an IT outage at US payments company TSYS. As reported in the Financial Times, TSYS have apologised for the problems that hit RBS, Nationwide and Tesco Bank. The outage left customers with monthly bills due around this time unable to meet their obligations. In fact, customers of RBS were particularly badly hit, 20 August being the deadline for their credit card customers to pay balances without incurring interest or charges.
IT outages are a huge threat to online banking; potential claims from customers who may have suffered losses because of them must also be considered. According to the FCA, there was a 138 per cent. increase in IT outages in 2018. This may correlate with the increased use of online and mobile banking, but as the industry grows, the potential risks stemming from an outage continue to grow in magnitude.
The ICO has handed down a fine and issued an enforcement notice on Making it Easy Ltd., a Clydebank-based boiler replacement firm. The company was found guilty of making over 1 million marketing calls between May and December of 2018. 80 per cent. of the calls were made to people registered with the Telephone Preference Service (the “TPS”), meaning the majority were unlawful.
The TPS and the ICO received almost 200 complaints about the calls, with some alleging that the company called itself the National Heating Advisory Service. Despite not using their trading name on any cold calls, the ICO was able to trace the calls back to Making it Easy Ltd. Making it Easy Ltd informed the ICO that it had purchased the data from a third party. Stephen Eckersley, ICO’s Director of Investigations, said:
“Making it Easy Ltd made a substantial number of marketing calls to people who had made clear that they did not want to receive them. They also deliberately gave vague and misleading information to people they called, and failed to take basic steps to ensure it had valid consent to make these calls. This is unacceptable, it is against the law and we will continue to hold firms to account and issue fines if necessary.”
The ICO has made its disdain for such practices clear, and the increased leaking and hacking of information will surely see an increase in this behaviour. Companies are advised to subscribe to the TPS to ensure they are not in breach of privacy laws.
The ICO has issued an enforcement notice to Hudson Bay Finance Ltd for failing to respond to a SAR. The complainant contacted the ICO in September 2018 after filing a SAR in March 2018 and receiving no response.
The enforcement notice records that the ICO contacted the data controller in 2019 by phone and post but the response was entirely inadequate: “the data controller refused to engage and hung up the telephone”. A final notice has now been issued, and failure to respond to that is a criminal offence.
A motor industry worker has been fined £25,500 after having been sentenced to six months in prison in November 2018. At a hearing in Wood Green Crown Court, Mustafa Kasim of Palmer’s Green was found to have benefited from his offences, making thousands from the confidential data he had stolen.
Mike Shaw from the ICO said:
“Personal data obtained in this way can be a valuable commodity and selling it may seem like an easy way to make money but the penalties can be severe. The outcome of this case should serve as a deterrent to others.”
Mr Kasim must pay the confiscation order within three months under the Proceeds of Crime Act 2002 or could face a 12 month prison sentence. He was also ordered to pay £8,000 costs.
Life at Parliament View Ltd fined £80,000 for leaving 18,610 customers' personal data exposed for almost two years
An estate agency has been fined £80,000 for failing to keep tenants’ data safe. The ICO found that 18,610 customers' personal data was left exposed for almost two years. This data included highly confidential documents, such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.
The agent, Life at Parliament View Ltd, had transferred the personal data from its server to a partner organisation but failed to switch off an ‘Anonymous Authentication’ function. The ICO found that the estate agent “had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.”