Author Archives: Data Compliant

Facebook data breach – €265million fine

The Irish DPC has issued a fine of €265 million to Meta Platforms Ireland Limited (MPIL) – the data controller of the Facebook network – after a 19-month enquiry. The DPC also issued a reprimand and has imposed a range of specified remedial actions to be completed within three months.

While the Irish DPC is the lead supervisory authority, the decision was reached in cooperation with the other EU data protection supervisory authorities. The process was surprisingly swift, largely because the EU authorities were in agreement over the issue.

The enquiry began in April 2021, after the personal data of over 530 million Facebook users, including email addresses and mobile phone numbers, was reported to have been exposed online. The data appears to have been scraped maliciously from Facebook profiles using a Contact Importer tool provided by Facebook. In September 2019 Facebook changed the tool to prevent further scraping of this kind. The DPC focussed its enquiry on the tools as they operated between 25 May 2018 (when GDPR came into force) and September 2019 (when Facebook made its security changes).

The core issue that led to the fine was Meta’s failure to implement appropriate technical and organisational measures, as required by the obligations around Data Protection by Design and Default (Article 25 of the GDPR).

Data Protection by Design and Default

Data Protection by Design and Default is not new.  But while in the past it’s been “advisable”, it is now, under GDPR, a legal requirement. Which means that you must, by law, have appropriate technical and organisational measures in place to ensure you comply effectively with data protection principles; and that you protect and safeguard individuals’ rights.

In practice, this means that you must think about data protection and privacy compliance – up-front. And build it into all the data processing you undertake. It has to be embedded throughout your business and all its practices.  And it’s important that it starts at the very beginning of the process, from concept and design stage, and runs right through the lifecycle of any personal data processing you do. 

This is the requirement that the DPC determined that Meta did not meet.
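To make the technical side of “appropriate measures” concrete, the following is an added, hypothetical example, not Meta’s code and not a description of how the Facebook tool actually worked. It contrasts a contact-matching endpoint that can be driven to enumerate a whole directory by phone number with one that has a batch cap, a per-caller rate limit, data minimisation and an abuse log designed in from the start. The directory, limits and caller identifiers are all assumed.

```python
"""Added illustration of Article 25-style controls on a contact-matching
feature. Hypothetical code: it is not Meta's tool and assumes a toy directory."""
import time
from collections import deque

# Constructed sample directory (phone number -> profile); not real data.
DIRECTORY = {
    "+441234000001": {"name": "A. Example", "email": "a@example.test"},
    "+441234000002": {"name": "B. Example", "email": "b@example.test"},
    "+441234000003": {"name": "C. Example", "email": "c@example.test"},
}


def lookup_unprotected(phone_numbers):
    """The scrapable design: any caller, any batch size, full profile returned
    for every number that happens to be in the directory."""
    return {p: DIRECTORY[p] for p in phone_numbers if p in DIRECTORY}


class ContactMatcher:
    """The same feature with technical measures designed in: a batch cap,
    a per-caller rate limit, data minimisation and an abuse log."""

    def __init__(self, max_batch=50, max_calls=5, window_seconds=3600,
                 clock=time.monotonic):
        self.max_batch = max_batch
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock            # injectable so the limiter is testable
        self._calls = {}              # caller_id -> deque of call timestamps
        self.abuse_log = []           # (caller_id, reason, batch_size) for review

    def _rate_limited(self, caller_id):
        """Sliding-window limiter: at most max_calls per window per caller."""
        now = self.clock()
        calls = self._calls.setdefault(caller_id, deque())
        while calls and now - calls[0] > self.window:
            calls.popleft()
        if len(calls) >= self.max_calls:
            return True
        calls.append(now)
        return False

    def match(self, caller_id, phone_numbers):
        """Return only which of the caller's own numbers belong to an account."""
        if len(phone_numbers) > self.max_batch:
            self.abuse_log.append((caller_id, "batch_too_large", len(phone_numbers)))
            raise ValueError("batch exceeds maximum size")
        if self._rate_limited(caller_id):
            self.abuse_log.append((caller_id, "rate_limited", len(phone_numbers)))
            raise PermissionError("rate limit exceeded for caller")
        # Data minimisation: never return the profile fields behind a match.
        return sorted(p for p in set(phone_numbers) if p in DIRECTORY)
```

The point of the comparison is that the protected version changes what the feature can leak at design time: even a caller who evades the rate limit learns only that a number they already hold is registered, not the name or email behind it, and every rejected request leaves a record for the security team.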

Meta Statement

In response to the DPC actions, Meta says it is “reviewing this decision carefully”, and stated: “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers… Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge… Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.”

Total Meta GDPR fines?

This latest fine brings the total fines imposed on Meta by the DPC since autumn 2021 to €912m. Previous fines include €405m just a couple of months ago (teenagers’ Instagram accounts displayed their phone numbers and email addresses on a “public-by-default” setting), a GDPR fine of €17m in March 2022, and a €225m fine in September 2021 over “severe” and “serious” infringements by WhatsApp.

Avoid GDPR Fines

Privacy by Design and Default is at the heart of the GDPR. A Data Protection Impact Assessment (DPIA) is just one of the vital tools businesses need to help them meet their compliance and security obligations. It is an essential means of demonstrating that you put compliance and the security of your data subjects at the heart of everything you do.   

Consider the individuals whose data you are processing. What will be the impact on them? Will the processing be fair? Is it even legal? Would they expect you to process it in this way? Have you made them aware? Have you told them their rights? Will their data be safe? Have you done your due diligence on your suppliers? Do you have the right contracts? What are the risks? How can the risks be mitigated? Do you have appropriate organisational processes in place? What technical safeguards do you have, and which do you need?

Asking yourselves questions like this will help you be sure you are taking appropriate steps towards meeting your obligations when processing personal data.

If you have questions or concerns about the practicalities around Data Protection by Design and Default, or how best to conduct a DPIA, or if you would like to chat about your own measures in this area, please call 01787 277742 or email dc@datacompliant.co.uk. You can find information about some of our services here.

Victoria Tuffill  29th November 2022

ICO fine of £4.4 Million for data breach  

We are now seeing larger fines under the GDPR and DPA. Most recently, Interserve Group Ltd has been fined £4,400,000 following a cyber attack that affected the personal data of 113,000 employees. The ICO determined that Interserve broke data protection law by failing to put appropriate technical and organisational measures in place to prevent unauthorised access to people’s information.

Despite Interserve having a number of policies and standards around information security, the breach still happened.

Key issues

The individual who received the email did not recognise it as a phishing email. This could have been mitigated by effective training for all employees, including specific phishing training and ongoing, monitored phishing tests.

The employee was working from home, so the zip file the employee opened was not routed through Interserve’s Internet Gateway System (designed to restrict access to malicious sites). The ICO determined that Interserve was using outdated software systems and protocols, and had insufficient risk assessments within the business.

The system reported that the automated removal of the malware files had been successful, but this was not verified at the time, and the attacker still had access to the systems, including privileged servers with restricted access. The breach was not identified until a routine maintenance check a month later. The ICO investigation determined that Interserve failed to follow up on the original alert of suspicious activity.
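The third failing, an “automated removal: success” alert that nobody verified while the attacker stayed on the network, is the one a detection engineer can turn into a standing check. The following is an added example, not from the ICO decision or from Interserve’s systems: it runs over a handful of constructed, tab-separated log lines, flags every auto-remediated alert that received no SOC triage within a service-level window, and raises the severity when privileged logons or a stopped antivirus service follow the alert on the same host. The hosts, field layout and 24-hour SLA are assumptions.

```python
"""Added example: find auto-remediated malware alerts that nobody verified and
correlate later privileged activity from the same host. Constructed log lines;
the hosts, field layout and SLA are assumptions."""
from datetime import datetime, timedelta

# Constructed sample events, tab-separated: timestamp, host, source, message.
SAMPLE_LOG = """\
2022-05-01T09:12:00\tLAPTOP-17\tav\tmalware detected; automated removal: success
2022-05-01T09:12:05\tLAPTOP-17\tav\talert sent to security mailbox
2022-05-03T22:40:00\tLAPTOP-17\tauth\tprivileged logon to FILESRV-02
2022-05-04T01:15:00\tLAPTOP-17\tav\tantivirus service stopped
2022-05-02T10:00:00\tDESK-04\tav\tmalware detected; automated removal: success
2022-05-02T11:30:00\tDESK-04\tsoc\ttriage complete: host reimaged, alert closed
"""

# Post-alert activity that means the "successful" removal should not be trusted.
SUSPICIOUS_AFTER = ("privileged logon", "service stopped")


def parse_log(text):
    """Parse the sample format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, message = line.split("\t", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "source": source, "message": message})
    return sorted(events, key=lambda e: e["time"])


def find_unverified_remediations(events, sla=timedelta(hours=24)):
    """One finding per 'automated removal: success' alert with no SOC triage
    event on that host within the SLA; severity rises if suspicious activity
    followed the alert."""
    findings = []
    for alert in events:
        if "automated removal: success" not in alert["message"]:
            continue
        later = [e for e in events
                 if e["host"] == alert["host"] and e["time"] > alert["time"]]
        verified = any(e["source"] == "soc" and e["time"] - alert["time"] <= sla
                       for e in later)
        if verified:
            continue
        follow_ups = [(e["time"].isoformat(), e["message"]) for e in later
                      if any(k in e["message"] for k in SUSPICIOUS_AFTER)]
        findings.append({"host": alert["host"],
                         "alert_time": alert["time"].isoformat(),
                         "severity": "high" if follow_ups else "medium",
                         "follow_ups": follow_ups})
    return findings


if __name__ == "__main__":
    for f in find_unverified_remediations(parse_log(SAMPLE_LOG)):
        print(f["severity"].upper(), f["host"], f["alert_time"], f["follow_ups"])
```

Run against the sample, the check reports LAPTOP-17 as high severity (no triage, followed by a privileged logon and a stopped antivirus service) and says nothing about DESK-04, whose alert was triaged within the window. The same shape works over a real SIEM export once the parser is pointed at the real field layout.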

How to prevent such breaches

The ICO statement focuses on training, monitoring and systems – John Edwards, the Information Commissioner said:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

 

Written by Victoria Tuffill

31st October 2022

If you are concerned about potential breaches, or what to do if you have a breach, we’d be happy to help.  Take a look at our security services or contact us on 01787 277742 or dc@datacompliant.co.uk.  

Digital Services Act

EU Digital Services Act (DSA) – how will it affect you?

There’s a lot of buzz about the new upcoming legislation for digital services within the EU, the Digital Services Act (DSA) and the Digital Markets Act (DMA). And on 23rd April, the European Parliament’s Internal Market Committee endorsed the provisionally reached agreement with EU governments on the Digital Services Act.

UK Impact

As these are EU regulations, they will not strictly form part of UK law. But they will apply to all businesses that offer their services in the EU. They are also likely to influence the UK’s own law reform, and we have already seen some information about the Data Reform Bill in the Queen’s Speech last week.

EU Digital Services Act 

The basic principle behind the EU’s Digital Services Act (DSA) is simple: 

If it’s illegal offline … it’s illegal online

The DSA applies to all businesses that act as online intermediaries and provide services in the EU. The most stringent requirements will affect very large online platforms or search engines, those with over 45 million monthly active users in the EU, for example Google, Facebook, Amazon and so on.

It is designed to protect users’ fundamental rights in digital space, and fight the spread of illegal content and practices. For example, counterfeit online sales, manipulation of information / provision of disinformation, breach of users’ fundamental rights and so on.

Summary of Obligations

For marketers and retailers, the following issues will be particularly relevant:

  • Special protection measures are required to ensure minors’ safety online
  • No targeted advertisements based on the use of minors’ personal data are allowed
  • No targeted advertisements tailored to people’s ethnicity or sexual orientation
  • Additional information must be collected from traders wanting to use selling platforms, and platforms will need to try to verify the information
  • Platforms will need to run random product checks to attempt to avoid sales of counterfeit or dangerous products
  • Dark patterns (for example “bait and switch”, disguised ads, hidden costs, friend spam, misdirection etc) are banned
  • Platforms using algorithms to help online users access relevant content or information, will need to provide some explanation of how the algorithms work.
  • Large platforms will have to offer users a system for recommending content that is not based on such profiling.
  • Promoted content must be clearly labelled as such

Other more general requirements include:

  • Strict requirements to remove illegal content, and to moderate content which may be harmful
  • Consumers will be able to seek compensation for damages caused by a non-compliant platform 
  • A crisis mechanism has been added, enabling the Commission to mandate specific actions in response to a crisis (for example taking down war propaganda in the case of the Russia – Ukraine war).

Penalties for non-compliance

Large platforms will have to assess these risks routinely and take steps to minimise them. Their risk assessments will be subject to independent audits, and non-compliance can lead to fines of up to 6% of global annual turnover.

The DSA runs in parallel with the Digital Markets Act (DMA) – more of that in my next blog.

 

Victoria Tuffill

20th May 2022

If you are concerned about this new legislation, or would like to chat about how it might impact you and your business, just get in touch.  Call us on 01787 277742 or email dc@datacompliant.co.uk  And do have a look at our services to see if we can help you with your more general data protection needs.

Queen’s Speech - Data Reform Bill

Data Reform Bill – Queen’s Speech

In the Queen’s Speech on 10th May 2022, delivered by the Prince of Wales on the Queen’s behalf, it was announced that a Data Reform Bill will be introduced. This follows the Government’s September 2021 consultation paper on reforms to the UK’s data protection regime. There is no time-frame for delivery of the bill, but the announcement is encouraging for businesses who want to see less red tape around data protection.

However, there are concerns that following this course may lead to the EU withdrawing the UK’s adequacy status.  Adequacy status is designed to make it easy to transfer personal data between the UK and the EEA. So its loss could increase both administration and costs of such transfers.

More details of the Data Reform Bill will be provided over time.  In summary:

Purpose

  • Create a new pro-growth, trusted UK data protection framework 
  • Focus on privacy outcomes rather than box-ticking
  • Protect UK citizens’ personal data to a gold standard
  • Modernise the Information Commissioner’s Office (‘ICO’)
  • Ensure the ICO has the power it needs to take stronger action against organisations who breach data rules
  • Increase industry participation in Smart Data Schemes (where customer data is shared with authorised third-party providers on the customer’s request).

Benefits

The Data Reform Bill promises benefits both to business and consumers:

  • Increase competitiveness and efficiency of UK businesses
  • enable public services to share data to improve delivery of services
  • enable data to be used to empower citizens and improve their lives, through more effective delivery of public healthcare, security, and government services
  • create a clearer regulatory environment
  • enable personal data to fuel responsible innovation and drive scientific progress
  • provide citizens with greater clarity on their rights

More on Data Protection in Queen’s Speech

There are two other noteworthy bills mentioned in the Queen’s Speech:

  • Product Security and Telecommunications Infrastructure Bill, whose purpose is to improve cyber resilience and digital connectivity for individuals and businesses; and make sure that smart consumer products (for example smartphones and televisions) are more secure against cyber attacks.
  • Draft Digital Markets, Competition and Consumer Bill, whose purpose is to “promote competition, strengthen consumer rights and protect households and businesses. Measures will also be published to create new competition rules for digital markets and the largest digital firms.”

 

Victoria Tuffill

16th May 2022

If you need help with your data protection, or have concerns over current issues, just get in touch.  Have a look at our services.  Or call us on 01787 277742.

Trans-Atlantic Data Privacy Framework

What’s next for data transfers between US and EU?

Agreement in principle

U.S. President Biden and European Commission President Ursula von der Leyen have reached agreement in principle on a new trans-Atlantic Data Privacy Framework. While this is encouraging, drawing up the detail of the agreement is still likely to take several months.

The White House issued a statement. This demonstrated how the two core issues that caused previous agreements to break down have been addressed:

  • intelligence surveillance of EU personal data:  the U.S. is agreeing to limit its intelligence gathering activities to that which is necessary “to advance legitimate national security objectives”.
  • an effective remedy to address complaints raised about US authorities’ access to EU citizens data: the U.S. proposes to provide an independent Data Protection Review Court. This will include individuals from outside the US government

Whether these measures will be enough to satisfy the EU is unclear, and will depend on the detail of how these issues will be handled in practice.

What does this mean for the UK?

One of the ongoing considerations of the UK government is that of “adequacy decisions”.  UK adequacy decisions are designed to enable data transfers between the UK and countries which meet data protection standards equivalent to those in the UK.  The government has been considering implementing a number of new “adequacy” decisions, including the U.S.

However, there is always a tricky balance between UK issuing adequacy decisions, and the impact that may have on the UK adequacy decision in place with the EU. 

So from a UK perspective, an EU-US data transfer agreement will make it more straightforward for the UK and US to reach their own separate agreement enabling transfers between the UK and US. Or the UK may adopt the EU/US adequacy decision to retain parity with EU laws. Watch this space…

 

Victoria Tuffill

8th April 2022

 

If you need help with your data protection, have concerns over data transfers, just get in touch.  Have a look at our services.  Or call us on 01787 277742.


Data Protection and Fingerprints

Under the EU General Data Protection Regulation (GDPR), biometric data processed for the purpose of uniquely identifying a person is special category data, which requires more stringent conditions for processing. Fingerprints used for identification are an example of such data, and employers need to consider carefully how and where they use them.

When processing any personal data, an organisation needs to have legal grounds for doing so.  And, in the case of special category data such as fingerprints, an additional Article 9 Condition must be applied.

A company in the Netherlands, which used fingerprints inappropriately to monitor its employees’ attendance and time registration, was recently fined €725,000 by the Dutch DPA.

The company had obtained Consent from its employees, but under the GDPR Consent must be freely given, which means that the individuals must be allowed to refuse to give Consent. Because there is a significant imbalance of power between an employer and an employee, it can be difficult for employers to demonstrate that employees have been given a genuine opportunity to refuse Consent.

In this case, some employees had felt obliged to give Consent, so the Dutch DPA found that the company did not have valid legal grounds to process the data for this purpose. 

Though there may be an appeal, this illustrates the seriousness of processing special category data in a way that is unnecessary or disproportionate.

If you have any questions about biometric data or data protection in general, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Victoria Tuffill, 25th May, 2020

 

Cybercriminals are increasingly impersonating WHO and the UN

Research by the British security software and hardware company Sophos found that coronavirus email scams tripled in the last week of March, and we can expect the volume to keep increasing. Over 3% of global spam is related to coronavirus, with many of these fraudulent emails impersonating the World Health Organisation or even the United Nations.

Chester Wisniewski, Principal Research Scientist at Sophos, said:

“Cybercriminals are wasting no time in shifting their dirty, tried-and-true attack campaigns towards advantageous lures that prey on mounting virus fears. Criminals often dip a toe in the water when there is a new or sensational topic in the news.”

He detailed a case in which his company tracked an email pretending to come from a WHO address, purportedly giving health advice in an attachment. But after inspection, the text matched a previous spam campaign from “a familiar criminal.”
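A message “pretending to come from a WHO address” usually gives itself away in its headers before anyone opens the attachment. The following is an added example, not Sophos’s analysis or tooling: it parses two constructed messages with Python’s standard email library and lists the impersonation indicators a mail filter or an analyst would check, namely a protected display name on a different domain, Return-Path and Reply-To domains that do not match the From domain, and SPF or DKIM results that are not a pass. The protected-sender table and all domains in the samples are assumptions.

```python
"""Added example: header checks for a message whose display name claims to be
the WHO. Constructed sample messages; the domains are placeholders."""
from email import message_from_string
from email.utils import parseaddr

# Display names worth protecting and the domain they should come from (assumption).
PROTECTED_SENDERS = {
    "world health organization": "who.int",
    "united nations": "un.org",
}

# Constructed sample: the display name says WHO, everything else says otherwise.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-updates.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-updates.example; dkim=none
From: "World Health Organization" <info@who-int.example>
Reply-To: <advice@who-int-support.example>
Subject: COVID-19 safety measures (see attachment)
Content-Type: text/plain

Please read the attached guidance.
"""

# Constructed sample: an ordinary internal message with passing authentication.
SAMPLE_LEGIT = """\
Return-Path: <colleague@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: "A Colleague" <colleague@example.org>
Subject: Minutes from today
Content-Type: text/plain

Minutes attached.
"""


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_indicators(raw_message):
    """Return a list of impersonation indicators found in the headers."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From"))
    expected = PROTECTED_SENDERS.get(display_name.strip().lower())
    if expected and from_domain != expected:
        indicators.append("display-name impersonation: %s claimed, sent from %s"
                          % (expected, from_domain))
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        indicators.append("return-path domain %s differs from From domain" % rp_domain)
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to domain %s differs from From domain" % reply_domain)
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth:
        indicators.append("SPF did not pass")
    if "dkim=pass" not in auth:
        indicators.append("DKIM did not pass")
    return indicators
```

On the constructed phishing sample the function returns five indicators; on the ordinary message it returns none. In production the Authentication-Results header must come from your own receiving mail server, since a sender can forge one in the message itself, and the Return-Path check is deliberately strict because legitimate bulk senders do use separate bounce domains and should be allow-listed rather than trusted by default.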

While most of these spam operations are used to get information from people, there are even more aggressive cybercriminals out there.

Threatening extortion campaigns are also being pursued. In these, messages over social media or email threaten to give the victim or the victim’s family coronavirus unless they pay up. With the amount of information online, and the procedures used to construct holistic user profiles based on miscellaneous knowledge, attackers can make it seem like they know everything about a victim just by giving a few details. This makes the attacker seem like they have the capacity to execute their threats, and inevitably, people end up being exploited.

Other more sophisticated scammers use HMRC or departmental logos and graphics to get information from consumers, offering spurious sums of money under the guise of lockdown or furlough relief. In the United States, there has been evidence of insurance scams, such as fake COVID-19 health insurance offered at competitive rates.

Scammers and con-artists are sensitive to the news cycle, trends and the current political or economic climate. They will often seem persuasive because what they claim will seem salient, despite the content having most likely been tweaked from a previous scam based on a different news item or trending phenomenon.

Do not let criminals make you take rash decisions over fear of current market turmoil.

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 10th April 2020

Fighting fake science: the Counter Disinformation Cell’s crackdown on coronavirus lies

Claims that gargling water for 15 seconds can cure COVID-19 symptoms, or that holding your breath for a certain amount of time is a valid test for the virus, have made the rounds on social media – with some organisations emailing their employees or clients statements along these lines. As Paymaster General Penny Mordaunt explained, “this is the kind of false advice we have seen coming from sources claiming to be medical experts.”

Following advice from the National Cyber Security Centre, which detected a spike in cyber-attacks exploiting the coronavirus in March, the government has stepped up its measures against disinformation, with the Rapid Response Unit operating from No.10 and the Cabinet Office around the clock.

This unit is part of the wider DCMS’s Counter Disinformation Cell. So far, the Cell has been collaborating with social media platforms to remove misinformation and in some cases challenge misleading or false statements with direct rebuttal.

Accuracy is at the heart of the General Data Protection Regulation (GDPR). While that regulation applies to personal data, ensuring that your organisation has a healthy and robust data policy with accuracy at its heart is important not just for data protection compliance, but for the fight against disinformation.

The government is asking the public to help stop the spread of potentially highly dangerous misinformation by following official guidance – the ‘SHARE’ checklist, which entails assessing these things before posting on social media:

  • Source: make sure information comes from a trusted source
  • Headline: always read beyond the headline
  • Analyse: check the facts
  • Retouched: does the image or video look as though it has been doctored?
  • Error: look out for bad grammar or spelling

Harry Smithson, 2nd April 2020

Be wary: the pandemic offers fraudsters a golden opportunity

For responsible citizens like most of us, washing our hands regularly and observing the lockdown measures will be our primary acts of vigilance against the pandemic. But some people will always find ways to exploit exceptional circumstances, and there is a further complication we should be vigilant against, too: fraud.

Coronavirus makes fraud much easier to perpetrate. Panic caused by the pandemic can make us think less clearly, and therefore make us more susceptible to pressure over the phone and to misinterpreting legitimate vs. illegitimate agents.

Here’s an example. You receive a call from someone claiming to be from your mobile network operator. They tell you that your account has been closed due to non-payment because of an expired debit card, and explain that the operator’s debt collection department is working from home due to coronavirus.

Such a call is not necessarily suspect, but it would be easy to pull off fraud in this context. The caller does not need to work for the operator to know that the debt collection department would be working from home; that would be external fraud. But there is also the possibility of internal fraud, in which someone who does work for the network operator exploits the fact that working from home means fewer controls on phishing for card details.

If something like this happens to you, remember:

  • Don’t be fooled when people apply pressure on you, regardless of context;
  • If someone calls you and it sounds credible, go to their website and make your payment online, or call a number provided yourself;
  • Check whether someone is calling from home or not;
  • Even if the call is legitimate, you may prefer to avoid giving them your card details since they are in an uncontrolled environment;
  • Continue to be alert to emails with links to fraudulent website addresses.

Keep well and stay safe.

Harry Smithson, 26th March 2020

Google’s British service users’ data to get US oversight

Amid perceived (or professed) uncertainty around the UK’s future GDPR adequacy status, Google executives have opted to transfer oversight of their UK data subjects from their EU subsidiary Google Ireland Limited to their American HQ Google LLC.

Cited by outlets such as Reuters and The Guardian, Lea Kissner, Google’s former lead for global privacy technology, has stated,

“There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy. […] Never discount the desire of tech companies not to be caught in between two different governments.”

It’s important to remember that the UK does not yet have GDPR adequacy status, which is subject to the current Brexit negotiations. Officially, the Government is seeking adequacy status, and data protection regulations are not expected to be an obstacle to any UK-EU departure deal.

Harry Smithson, 28th February 2020