Monthly Archives: July 2019

Framework for EU-US data flows under scrutiny as ‘Schrems II’ case takes place at the CJEU

For those unfamiliar with the Schrems saga, a brief catch-up may be required. The original case, now known as ‘Schrems I,’ began when an Austrian privacy activist, Max Schrems, filed a complaint with the Irish Data Protection Commissioner (the Irish DPA) against Facebook. The complaint was that, by transferring his personal data to its US parent, Facebook had exposed it to access by US authorities in a way that violated EU data protection law. The case ultimately found its way to the Court of Justice of the European Union (CJEU) and, in 2015, resulted in the invalidation of the ‘Safe Harbor Framework,’ the mechanism companies had relied on to transfer personal data from the EU to the US. The court’s reasoning was largely that US law did not impose adequate limits on what data its authorities may access, so the framework could not guarantee protection ‘essentially equivalent’ to that in the EU.

With the Safe Harbor Framework invalidated, the Irish DPA asked Max Schrems to reformulate his complaint. On 9 July 2019, ‘Schrems II’ was heard at the CJEU in Luxembourg. This case takes aim at the EU Standard Contractual Clauses (SCCs), which Facebook has been relying on to legitimise its international data flows. Counsel for Schrems also called for invalidation of the EU-US Privacy Shield, the successor to Safe Harbor, arguing that it too provides inadequate protection and privacy to data subjects.

The hearing included many supporters of the SCCs, who emphasised the role of DPAs in enforcing the clauses and suspending data flows where necessary and appropriate. The CJEU is unlikely to reach a decision until early 2020, but with the two remaining frameworks for legitimate EU-US data flows under such heavy scrutiny, data protection practitioners should be mapping which of their clients’ or their companies’ transfers depend on the SCCs or the Privacy Shield, and preparing for the impact their potential invalidation would have.

Harry Smithson, July 2019

Two high-profile GDPR fines for British Airways and Marriott International, Inc

The Information Commissioner’s Office (ICO) has released two statements this week announcing notices of intent to fine British Airways and Marriott International, Inc £183.39m and £99m respectively for infringements of the General Data Protection Regulation (GDPR). In both cases, which affect data subjects from countries across the world, the ICO acted as lead supervisory authority on behalf of the other EU Member State data protection authorities under the GDPR’s ‘one-stop-shop’ mechanism.

These penalties are provided for under the GDPR, and are the largest fines proposed by the ICO to date. Both dwarf the former record, the £500,000 fine issued to Facebook last year for the social media giant’s role in the Cambridge Analytica scandal. That figure was the maximum possible under the previous, much more lenient Data Protection Act 1998, which still applied because most of the conduct took place before the GDPR came into force.

These two warning shots are nevertheless well short of the maximum: the BA fine amounts to roughly 1.5% of the company’s global annual turnover, out of a possible 4% provided by the GDPR. The ICO credited both companies for cooperating with its investigation and making immediate improvements to their security arrangements. Both companies have the opportunity to make representations before the fines are finalised, and it is expected that they will contest the amounts.

Failure to protect customers’ data due to negligent digital security was at the heart of both decisions. The ICO found that, beginning in June 2018, user traffic to BA’s website was being diverted to a fraudulent site used to harvest data. Roughly 500,000 customers had their personal information compromised in this way. On an even greater scale, the hotel giant Marriott was found to have exposed approximately 339 million guest records.

Due diligence is the key aspect of these decisions, and it flows from the principle of ‘accountability’ set out in the GDPR. In the case of BA, poor security arrangements on the website allowed the attackers to harvest personal data including log-in details, payment card details, travel bookings, names and addresses. Marriott, for its part, failed to carry out sufficient due diligence when it acquired the Starwood hotel group in 2016: Starwood’s guest reservation database had been compromised since 2014, and the exposure was not discovered until 2018.

Marriott’s CEO has emphasised that its subsidiary was the victim of a cyberattack, and that the company itself notified data protection authorities of the breach. As the Information Commissioner, Elizabeth Denham, has stated, however, “the GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

These decisions set a strong precedent, and will hopefully encourage companies to take greater responsibility for the personal data they hold. Being the victim of a cyberattack is not in itself an excuse: companies and organisations must be able to demonstrate that they took appropriate and robust security measures, proportionate to the risk, before the attack happened. The accountability principle in the GDPR is very clear on this.

Harry Smithson, July 2019

University data protection policies under scrutiny as report finds threats of cyber attacks

A report published by the Higher Education Policy Institute (HEPI) and written by Jisc, the digital infrastructure provider for UK higher education, has emphasised the growing risk of cyberattacks to UK universities and academic institutions in general. Last year saw a 17% increase in attacks and breaches compared with the year before, and the trend is likely to continue. The report expects attacks to grow not only in frequency but in sophistication.

The higher education sector continues to expand as more young people, from the UK and abroad, become students here. On top of this, universities have become increasingly involved in sensitive research, including cyber security research, making these institutions ever more desirable targets for, in the report’s words, “organised criminals and some unscrupulous nation states.” According to separate research conducted by VMware, 36% of universities believe that a successful cyberattack on their research data would pose a risk to national security.

The report (titled “How safe is your data? Cyber-security in higher education”) begins by relating a couple of everyday scenarios in academia in which cyberattacks can easily occur. These include a Distributed Denial of Service (DDoS) attack that takes a university’s Virtual Learning Environment (VLE) offline while students depend on it, and a ransomware infection spreading through a university’s digital infrastructure after a member of staff visits a website containing malicious code.

Threats such as these compound the sector’s somewhat underreported history of data protection challenges (to put it lightly). Thousands of records, many containing special category data (‘sensitive personal data’ under the pre-GDPR regime), were breached across a host of institutions throughout 2017 and 2018. A whistle-stop tour of these incidents might include the University of East Anglia’s email incident, in which a spreadsheet containing health information connected to essay extension requests was sent to hundreds of students; the University of Greenwich receiving a £120,000 fine for holding personal data on an unsecured server; and Oxford and Cambridge research papers being stolen and sold on Farsi-language websites.

To understand how vulnerable the HE sector’s data protection policies and practices have proved to be, one need only look at Jisc’s penetration tests of an array of institutions’ resilience to ‘spear-phishing.’ In a spear-phishing attack a specific individual is targeted with a tailored request for information or action: typically an email sent under the name of a senior member of staff, asking, for example, for gift voucher purchases or for the review of an attached document containing malware. 100% of Jisc’s spear-phishing attempts to gain access to data or to find exploitable weaknesses were successful.
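The impersonation pattern described above, where the display name of a senior staff member is paired with an external or lookalike sender address and a gift-card or ‘review the attached’ lure, is one that a mail gateway or SIEM rule can flag before it reaches the inbox. The following is an added example written for this post, not code from Jisc or the HEPI report; the institutional domain (example.ac.uk), the staff directory, the lure wording and the four sample messages are all constructed for illustration.

```python
"""Flag emails that impersonate senior staff by display name.

Added example for this post; not from Jisc or HEPI. The domain, staff
directory, lure patterns and sample messages are constructed assumptions.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.ac.uk"  # assumed institutional domain

# Constructed staff directory: display name -> the only legitimate address.
SENIOR_STAFF = {
    "Professor Jane Roe": "j.roe@example.ac.uk",
    "Dr Richard Miles": "r.miles@example.ac.uk",
}

# Wording commonly seen in CEO-fraud style lures (constructed list).
LURE_PATTERNS = [
    r"\bgift\s*(cards?|vouchers?)\b",
    r"\bi\s+need\s+you\s+to\b",
    r"\bare\s+you\s+available\b",
    r"\breview\s+the\s+attached\b",
]


def normalise_name(name):
    """Lower-case and strip punctuation so 'Prof. Jane Roe' and
    'prof jane roe' compare equal."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def classify(headers, body):
    """Return the list of reasons a message looks like staff impersonation.

    An empty list means no indicator fired.
    """
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name belongs to a senior staff member but the address
    #    is not the one the directory expects for that person.
    known = {normalise_name(n): a.lower() for n, a in SENIOR_STAFF.items()}
    expected = known.get(normalise_name(display))
    if expected and addr != expected:
        reasons.append(
            f"display name '{display}' matches senior staff but sender is {addr}"
        )

    # 2. Internal-looking sender whose Reply-To drags replies outside
    #    the institution (classic thread-hijack setup).
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and domain == INTERNAL_DOMAIN and not reply_to.endswith(
        "@" + INTERNAL_DOMAIN
    ):
        reasons.append(f"Reply-To {reply_to} redirects replies outside {INTERNAL_DOMAIN}")

    # 3. External sender using lure wording; internal senders may legitimately
    #    ask colleagues to review attachments, so only flag external ones.
    lures = [p for p in LURE_PATTERNS if re.search(p, body, re.I)]
    if lures and domain != INTERNAL_DOMAIN:
        reasons.append("external sender with lure wording: " + ", ".join(lures))
    return reasons


def scan(messages):
    """Run classify() over a batch; return {id: reasons} for flagged mail only."""
    results = {}
    for msg in messages:
        reasons = classify(msg["headers"], msg["body"])
        if reasons:
            results[msg["id"]] = reasons
    return results


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"id": "m1",
     "headers": {"From": "Professor Jane Roe <jane.roe.vc@gmail.com>"},
     "body": "Are you available? I need you to buy 5 gift cards for a student prize today."},
    {"id": "m2",
     "headers": {"From": "Dr Richard Miles <r.miles@example.ac.uk>",
                 "Reply-To": "r.miles@example-ac-uk.co"},
     "body": "Please review the attached document before the meeting."},
    {"id": "m3",
     "headers": {"From": "Library <library@example.ac.uk>"},
     "body": "Your loan is due on Friday."},
    {"id": "m4",
     "headers": {"From": "Events Team <events@partner-conference.org>"},
     "body": "Registration for the autumn workshop is now open."},
]

if __name__ == "__main__":
    for msg_id, reasons in scan(SAMPLE_MESSAGES).items():
        print(msg_id, "->", "; ".join(reasons))
```

The three checks are deliberately independent: the first catches the classic ‘Vice-Chancellor from a Gmail address’ lure, the second catches a compromised or spoofed internal address whose replies are quietly routed elsewhere, and the third catches generic lure wording from outside the institution. In the constructed sample, m1 trips the first and third checks, m2 trips only the Reply-To check, and the two benign messages produce nothing. In production the staff directory would come from the HR or identity system rather than a literal, and such a rule is a complement to, not a substitute for, SPF, DKIM and DMARC enforcement on the receiving gateway.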

Data protection policy goes hand in hand with cyber security. Vast amounts of information are stored and used in university research projects, relating not only to students and faculty but to many external individuals and third parties. Robust data protection policy, including appropriate training for staff and regular risk assessments backed by penetration testing, is vital to reduce the risk of phishing and the institution’s exposure to breaches and hackers.

As the report concludes, “It is imperative that those in higher education continually assess and improve their security capability and for higher education leaders to take the lead in managing cyber risk to protect students, staff and valuable research data from the growing risk of attack.”

Harry Smithson, June 2019