First Casualties of GDPR?
The countdown to 25th May 2018 saw companies of all sizes in the UK take various steps to become GDPR compliant. This was driven primarily by a fear of the Information Commissioner’s Office (ICO) having the power, from that date onwards, to issue fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. Previously, the maximum amount was limited to £500,000.
In less than a year since the GDPR came into force, several of the largest names in the world have already come under fire from complaints and at least one of these names, Google, has been fined. This article looks at some of these companies, the background to the breaches they experienced and the lessons to be learnt from their mistakes.
British Airways (BA) suffered one of the first high-profile post-GDPR breaches to occur last year. The company experienced a two-week-long hack (21st August to 5th September) during which the credit card data of approximately 380,000 customers was compromised. The ICO is still investigating this matter and is yet to confirm how much it will fine BA; however, there is one lesson to take away from what some are calling a test case for the GDPR in the UK: the importance of notifying the regulator on time.
Under the GDPR, companies that have experienced a significant breach have to report that breach to the relevant regulator (in the UK, the ICO) within 72 hours of becoming aware of it. This is not a lot of time, and to BA’s credit they reported the hack within one day of discovering it, thus complying with the regulation. Although this is not likely to stop BA being served with a significant fine, it will likely factor into the ICO’s consideration (along with any steps BA took to deal with the breach) and help to reduce the amount that is eventually decided upon.
The type of breach that is reportable to the ICO is any breach that is likely to result in a risk to the rights and freedoms of the individual. For example, any breach that, if not dealt with, could result in financial loss or loss of confidentiality is reportable. As this was the kind of breach experienced by BA customers, notifying the ICO in time will work in BA’s favour when the fine to be imposed is decided.
Morrisons faced a two-pronged claim, one for data protection and another for vicarious liability, after a disgruntled employee (an internal auditor) leaked the personal data of approximately 100,000 customers on a data sharing website. He did this in an attempt to hurt the company after a falling out and was subsequently imprisoned for his actions.
The High Court found that Morrisons were vicariously liable for the auditor’s actions; this result was upheld on appeal to the Court of Appeal and has been appealed again to the Supreme Court. Interestingly, despite a data breach taking place, the High Court did not find Morrisons liable under data protection law, and the reasoning behind this provides another valuable lesson for companies to take on board.
The High Court Judge found that Morrisons were not liable under data protection law because they were not the ones who misused the data (the employee copied the personal data onto his personal USB stick, took it home and uploaded the data from there at a later date). Importantly, the Judge also found Morrisons’ internal systems and data transfer procedure to be secure. Therefore, the strength of a company’s security measures and internal systems (including relevant documentation and policies) is an important factor when considering whether or not it is liable under data protection law.
Principle 6 of the GDPR requires companies to ensure that they maintain effective security when processing data by using appropriate technical or organisational measures. Common examples include password protecting or encrypting the data that is processed. These measures may be costly, and with hackers becoming increasingly sophisticated in their methods there is never a guarantee that all breaches can be avoided. Nevertheless, putting these legally required measures in place could help companies successfully defend against a data breach claim, or prevent a breach from taking place at all.
Google have recently been fined €50 million (£44 million) by France’s data regulator CNIL for breaching the GDPR.
Complaints were first filed against Google on the day the GDPR came into force, and the focus of the complaints was the legal basis for processing personal data for ad personalisation. Article 6 of the GDPR sets out the legal bases on which processing must rest in order to be lawful, and the complainants argued that Google did not have a valid legal basis. CNIL investigated the complaint and found in favour of the complainants, stating that Google was not transparent in its processing activities because it did not adequately inform users of how it collected personal data for the purposes of personalising advertising. Linked to this, CNIL also found that there was a lack of valid consent to this personalisation.
The first lesson to take from this breach is transparency. Principle 1 of the GDPR requires personal data to not only be processed lawfully and fairly, but also in a transparent manner. This means that individuals need to know how and why their personal data is being processed and this information must be easy to understand. Unfortunately for Google, CNIL found that this information was scattered across several documents that were not easily accessible, making it difficult for people to understand fully what Google was doing.
The second lesson concerns the issue of consent. CNIL found that Google did not obtain valid consent, not only because the relevant information was scattered amongst several documents, but also because of the use of pre-ticked boxes that allowed for the personalisation of ads when an account was created. The latter practice is a direct contravention of the GDPR.
Taken together, these breaches provide useful information for companies looking to ensure that they do not find themselves in similar positions. They highlight the importance of being transparent with data subjects when it comes to processing personal data, of making sure that security measures are strong and adhere to the GDPR’s requirements and, in the event that a breach takes place, of quickly taking a view on whether or not to notify the ICO (as well as taking steps to deal with the breach).
Other big-name companies, such as Amazon, Apple, Netflix and Spotify, are facing accusations of breaching the GDPR. Companies that want to avoid being in the spotlight as well should take a close look at how they process and protect personal data.
For advice on any of these areas, please contact us.