New national privacy bill

New national privacy bill proposed in Canada.

New national privacy bill proposed in Canada, is expected to significantly increase protections to Canadians’ personal information. 

Bill C-11, Canada’s newly proposed national privacy bill, also referred to as the Digital Charter Implementation Act, 2020, will give Canadians more control and transparency when companies handle their personal information, and is therefore expected to increase the protection of that information. This bill is said to reshape Canada’s privacy framework. In the wake of the “Schrems II” judgment in the EU, and with the U.S. examining its own federal privacy legislation, international data flows have been challenged, inspiring the introduction of further legislation in that regard.

This new bill was introduced by the Minister of Information Science and Economic Development, Navdeep Bains, who raised an important point on the need for interoperability with both EU and U.S. legislation.

The President of the Canadian Internet Registration Authority, Byron Holland, applauded the bill and said, “Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it, and face real consequences should they break the trust of their users.” Minister of Information Science and Economic Development Navdeep Bains said, “As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. … For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement.” He also raised an important point on the need for interoperability with both EU and U.S. legislation, and on adequacy being achieved through this legislation.

The new national privacy bill in Canada, if passed, could mean several significant changes, including the possibility of hefty fines for companies found to be in violation.

If the bill passes, there could be fines of up to five per cent of global revenue or $25 million CAD, whichever is higher, for companies found to be in violation. Bill C-11 also includes the Personal Information and Privacy Protection Tribunal Act as well as the Consumer Privacy Protection Act. This bill would also give the federal privacy commissioner the power to make orders, including the ability to force an organization to comply and to order a company to stop collecting data or using personal information.

The Digital Charter Implementation Act focuses on key principles, including algorithmic transparency, data mobility, de-identified information, withdrawal of consent and disposal of personal information.

This new Digital Charter Implementation Act focuses on key principles, including algorithmic transparency, data mobility, de-identified information, and finally, withdrawal of consent and disposal of personal information. In this fact sheet, the in-depth clarifying questions surrounding DCIA 2020 are answered, including insight on how this new legislation may promote a strong Canadian digital environment,

Do you require assistance with GDPR or CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.

ICO fines Ticketmaster UK

ICO fines Ticketmaster UK Limited 1.39 million Euros, over chatbot cyber attack.

ICO fines Ticketmaster UK Limited 1.39 million Euros under the GDPR for failing to prevent a chatbot cyber attack.

The ICO has fined Ticketmaster UK in relation to a recent data breach which potentially affected over 9 million customers across the EU. This data breach was orchestrated via a chatbot which the company installed on its online payment page. The company’s failure to protect its customers’ information is a breach of the GDPR.

In February 2018, several Monzo bank customers reported fraudulent transactions. In addition, the Commonwealth Bank of Australia, Barclaycard, MasterCard and American Express all made reports to the company suggesting fraud. Nine weeks after being alerted, Ticketmaster began monitoring network traffic via its online payment page. The breach began in February 2018; however, the penalty which ensued relates to the breach over the period from May 25, 2018, when the new rules under the GDPR came into effect.

This data breach potentially affected millions of customers as their payment information became compromised.

The data breach in question included names, payment card numbers, expiry dates and CVV numbers, potentially affecting 9.4 million of Ticketmaster’s customers across Europe, with approximately 1.5 million in the UK. The investigations uncovered that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers were subjected to known fraud. An additional 6,000 cards were replaced by Monzo due to suspected fraudulent use.

The ICO found that there weren’t adequate security measures in place to protect customers’ data.

The ICO’s investigation revealed that Ticketmaster’s decision to include the chatbot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details. Deputy Commissioner James Dipple-Johnstone said, “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.” The ICO found that Ticketmaster failed to assess the risks of using a chatbot on its payment page, to identify and implement appropriate security measures to avoid those risks, and to identify the source of the suggested fraudulent activity in a timely manner. The ICO issued Ticketmaster UK Limited with a notice of intent to fine on 7 February 2020, and received written representations in response.

The ICO fines Ticketmaster UK under the GDPR on behalf of all EU authorities, taking into account the impact of the COVID-19 pandemic.

Since the breach happened before the UK left the EU, the ICO acted as the lead supervisory authority. The ICO completed the Article 60 GDPR process prior to issuing the penalty. This article provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The process included submitting a draft decision to the other supervisory authorities for their opinion and taking their views into consideration. When deciding on a fine, the ICO considered not only affordability, but the economic impact of COVID-19, among other factors.

The ICO statement is available on its website.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Guernsey-based law firm

Guernsey-based law firm fined after sharing “highly confidential and sensitive” information.

Guernsey-based law firm fined over 11,000 Euros by the DPA after sharing “highly confidential and sensitive” information via email and post.

Trinity Chambers LLP sent private details about an individual and their family via email and post, the Office of the Data Protection Authority (ODPA) found. The ODPA recently released a statement containing the details surrounding this case.

An investigation found that due to repeated human error, sensitive information about the data subject and their family was distributed.

Following a complaint made to the Authority under section 67 of The Data Protection (Bailiwick of Guernsey) Law, 2017, an investigation was conducted under section 68. The complaint related to the alleged unauthorised disclosure of personal data as a result of repeated human error. According to the report, a lack of security had given “unconnected” third parties access to the data. The investigation uncovered that the breach of data by Trinity was the result of “repeated human error”. It was found that Trinity Chambers LLP sent files via email and in the post, including highly confidential and sensitive personal information relating to the complainant and their family, without appropriate security. This information was then unwittingly accessed by unconnected third parties who were totally unaware of the nature or sensitivity of the content.

Guernsey-based law firm fined to reflect the gravity of the data breach’s effect.

The Bailiwick’s Data Protection Commissioner Emma Martins said the ODPA was “disappointed” by the firm’s response. She went on to say “There is little evidence that the controller in this case engaged in a timely manner with the complaint or appreciated the impact of the breach on the individuals concerned.” She added that the fine aimed to reflect “the serious nature and impact of failing to look after personal data”, and its potentially “significant” impact in a small community.

The Firm was fined 11.2 thousand Euros for failure to safeguard personal data.

While the personal data involved did not constitute special category data as defined in the Law, it was highly sensitive and private for the individuals involved. As a result of the investigation, the Authority determined that Trinity Chambers LLP breached the Law in relation to the unauthorised disclosure of personal data to a third party. The Authority has fined Trinity Chambers LLP £10,000 to reflect the serious nature and impact of failing to look after personal data. The fine also reflects the lack of engagement by the controller and concerns that there has been a lack of appreciation of the potential wider impact of the breach for the individuals affected.

Trinity Chambers law firm has not appealed the decision, according to the ODPA.

A data broking investigation

A data broking investigation by ICO results in enforcement action against Experian.

A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.

A data broking investigation into Experian, Equifax and TransUnion and their use of personal data within their data broking businesses has resulted in enforcement action. The ICO published a report earlier this month on the findings of its extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.

The investigation found significant processing of personal data, unbeknownst to the data subjects, by the CRAs Equifax, TransUnion and Experian.

The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.

The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.

Through the data broking investigation, the ICO uncovered several data protection failures at each company. 

Through its investigation, the ICO found that the personal data provided to each of these CRAs, which would then be used to provide the statutory credit referencing function, was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new or previously unknown information about the data subjects.

These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition, they were relying on some lawful bases incorrectly to process the data.

While all three companies were at fault, only Experian was subjected to enforcement action because they did not do enough to improve compliance.

All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them. 

While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA does not accept accountability for making the changes set out by the ICO and, as a result, was not prepared to issue privacy information directly to data subjects, nor was it prepared to stop using credit reference data for direct marketing purposes.

Experian is now expected to make necessary changes to their framework within 9 months or risk further action including being fined.

The ICO decided to issue an enforcement notice, as this is seen as the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of its total annual worldwide turnover. The notice from the ICO also requires Experian to inform the people whose personal data it holds. The company must also stop using the data derived from the credit referencing side of its business by January 2021.
