Updata Bulletin - Summer 2019

Selected data protection legal and regulatory developments in the UK, EU and internationally. Highlights include the first significant GDPR fines, the largest data protection fine ever and new guidance from the ICO on the use of artificial intelligence.

Enforcement Action

British Airways: The ICO has announced that it intends to impose a fine of £183.39m on British Airways in respect of the well-publicised data breach, in which, beginning in June 2018, the data of 500,000 customers was compromised. See our article here and the ICO’s announcement here.

Marriott International: The ICO has announced that the international hotel group Marriott is to be fined almost £100m as a consequence of a severe data hack. The fine would be the second largest GDPR fine ever. See our article here and the ICO’s announcement here.

Facebook: Following a settlement last week, the US Federal Trade Commission has imposed a fine of $5bn on Facebook in relation to its privacy law violations in connection with the Cambridge Analytica scandal. The sheer scale of the fine, more than twice the maximum level possible under the GDPR, and the market reaction to it raise a number of interesting questions. See our article here and the FTC’s announcement here.

Experian: The ICO issued Equifax (a credit reference agency and part of the Experian group) with a fine of £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017. The ICO’s probe, carried out in parallel with the FCA, revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and left vulnerable to unauthorised access. The relevant conduct took place prior to the implementation of the GDPR; the £500,000 fine represents the maximum allowed under the DPA 1998.

Published Guidance

ICO, "Guidance on the use of cookies and similar technologies": The ICO has addressed the impact of the Privacy and Electronic Communications Regulations (PECR) on companies’ use of cookies and similar ‘online identifiers’. Its recent guidance sets out the stricter standards of consent and transparency and aims to encourage companies which operate an online service to promptly review their use of web-based technologies. Available here.

ICO, "Guidance on human bias and discrimination in AI technologies": The ICO’s guidance explains how flaws in the data used to train and test such systems can result in algorithms that treat people less favourably on the basis of certain characteristics, such as disability, race and gender, and the impact this has on data protection. The guidance also clarifies what organisations can do to manage the risk of discriminatory outcomes in AI systems. Available here. The guidance forms part of the ICO's ongoing call for input on developing its framework for auditing AI. The ICO stated that it is in the midst of engaging with organisations on this work and that it plans to publish a formal consultation paper by January 2020. The ICO's work on AI also includes guidelines to assist organisations in explaining decisions made by AI to the individuals affected.

ICO annual report 2018-19: On 8 July, the ICO published its first annual report since the GDPR was implemented, covering key issues such as complaints, the preparation of statutory codes, investigations and fines. Data protection complaints made to the ICO almost doubled compared with 2017-18, with complaints about subject access requests at the top of the list. Clearly this is an area that organisations should continue to focus on as part of their ongoing compliance programmes.

NCSC, "Active Cyber Defence - The Second Year": In its active cyber defence report for 2019, the NCSC discusses its strategy and actions taken to reduce cyber-attacks. In 2018 it was focused on dealing with fraudulent websites and phishing campaigns. Future areas of focus include the development of a new automated system to allow the reporting of suspicious emails and the creation of a web-based tool to help critical national infrastructure providers scan their internet-connected infrastructure for vulnerabilities. Available here.

NCSC, "Small Business Guide: Response and Recovery": The NCSC has published guidance that aims to help small to medium sized organisations prepare their response to and plan their recovery from a cyber incident. Available here.

EDPB, "Guidelines 3/2019 on processing of personal data through video devices": The European Data Protection Board (EDPB) has adopted guidelines on the processing of personal data through video devices, which are open for consultation until 9 September 2019. Some of the key issues addressed in the guidelines are: lawfulness of processing; special categories of personal data; and disclosure to third parties. Available here.

In the news

Capital One announces data security incident: Capital One announced that on 19 July 2019 it was the victim of unauthorised access by an individual who obtained the personal information of its customers; the breach affected 106 million individuals. The FBI has arrested the person responsible, a former Amazon Web Services employee. FT article here. The data breach, which resulted from the individual hacking “improperly secured Amazon cloud instances”, has led to fears relating to the security of cloud-based systems and wider industry concerns; UniCredit, Ford and Vodafone are reported as also having had their systems breached.

Hacked forensic firm pays ransom after malware attack: It has been reported that Britain’s largest private forensics provider has paid a ransom to hackers after its IT systems were brought to a standstill by a cyber-attack. It has not been confirmed how much money was paid or when the payment was made. See here.

The FT has reported that the ICO is looking at 12 further significant cases: Following the announcement by the ICO of its intent to fine British Airways and Marriott International a combined amount of £282m for data breaches, it seems that the ICO is not intending to stop there. The FT reports on the significant spike in interest in security, cyber insurance and legal advice. See here.

FOI requests continue to expose cyber weaknesses in the financial services sector: The FCA has confirmed that in November 2018 four UK banks were targeted by hackers. In total, £1,169,758.82 was stolen from customer accounts due to the exploitation of a well-documented weakness in mobile telephone networks. See here.

ICO joins international signatories in raising Libra data protection concerns: The Information Commissioner’s Office (ICO) has joined data protection authorities from around the world in calling for more openness about the proposed Libra digital currency and infrastructure. See here.

New ransomware targets US and European companies: A new type of ransomware, called Sodinokibi, is attacking companies across the US and Europe, prompting a surge in claims on cyber insurance policies. It has been reported that the Sodinokibi ransom demand was $150,000 in May, against an average of under $50,000 for other types of ransomware. See here.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.