DATA PROTECTION AND GDPR: LESSONS LEARNED FROM 2021

The data protection industry is constantly evolving as the GDPR is implemented by organisations and enforced by the Data Protection Authorities. 

New year, new beginnings? That is not always the case, and definitely not when the previous year has provided valuable insights for the upcoming one. Although the GDPR has been in application since 2018, it is still a relatively new piece of legislation, and all stakeholders are still learning about it: organisations, Data Protection Authorities (DPAs) and the broader society. This is why we need to take a close look at every development in the industry, as it may be decisive for the future of data protection. In this post we go through the main takeaways of 2021.

Schrems II and new SCCs

After Schrems II and the caveats that the CJEU added to the use of SCCs, the EU Commission adopted a new set of SCCs for the transfer of personal data to third countries in June 2021, as we reported in Aphaia’s blog. These new SCCs brought practicality and flexibility through a modular approach which makes them suitable for any type of data transfer, regardless of whether the controller or the processor acts as the data exporter or the data importer. The new SCCs also include a toolbox and some supplementary measures aimed at helping controllers and processors to make safe international data transfers, built on the need to perform a Data Transfer Impact Assessment which the parties can use to identify the risks of the transfer and their ability to comply with the clauses.

It should be noted that the ICO has not yet issued a position on the new SCCs. The ICO is planning to produce its own SCCs for restricted transfers made from the UK.

Other updates

Together with the new SCCs for international data transfers, the EU Commission also published a set of SCCs covering the Article 28 GDPR requirements. However, unlike the SCCs for international data transfers, these are not mandatory, and controllers and processors can still use their own terms in data processing agreements.

Not new in 2021, but still work in progress over the year, are the rules on cookies and the concept of joint controllership. Many organisations are still updating their cookie banners to include toggles or checkboxes for each cookie that is not strictly necessary. Cookies are also relevant in terms of data protection roles: as with any other personal data processing, if two or more parties are involved, they may trigger joint controllership as a result of converging decisions.

GDPR enforcement

The impact of the work carried out by the DPAs is not clear at this stage. First, because the GDPR has only been around since 2018 and we are all still learning; secondly, because GDPR investigations are lengthy, running into several months; and thirdly, because each DPA applies its own criteria beyond Article 83 GDPR. For example, Portugal’s national GDPR implementation legislation places a 3 year moratorium on administrative fines for public bodies, whereas in Spain no fines can be imposed on the public sector at all. Aligned actions and criteria would strengthen the consistency mechanism, contributing to the consistent application of the GDPR throughout the EU.

The role of the DPAs may also change in the upcoming years as new pieces of legislation enter into force, such as the EU AI Regulation Proposal.

The regulatory fines

Regarding fines, it should be noted that GDPR fines have ramped up significantly in recent months. It should also be taken into account that the amount of the fine is not the only thing that matters when it comes to infringements: the cost that the process implies for the organisations involved and the damage to their corporate reputation matter too.

I had the chance to discuss this with JC Gaillard from Corix Partners in their Cyber Security Transformation Podcast. You can access it [here].

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Controller and processor fined after app collected an unnecessary amount of data

Controller and processor fined by Icelandic DPA after app collected an unnecessary amount of data without the necessary consent.

At the start of the COVID-19 pandemic the Icelandic government issued gift cards to adult citizens to relieve the economic strain brought on by the pandemic. They were issued through an app that was created extremely quickly due to time constraints. As a result, the app settings were inadequately adjusted. This led to several personal data issues, specifically the unnecessary collection of substantial amounts of personal data and the collection of access rights to users’ mobile devices. When the app was first published, the Icelandic DPA received several complaints from data subjects concerned about the amount of personal data that the app was using as well as the access rights that the app had to their mobile devices.

An unnecessary amount of data was being processed, without the necessary consent.

Due to the speed of publication of the app, coupled with human error, an unnecessary amount of personal data was processed, because the app’s settings were not adjusted appropriately. These settings also led to the collection of access rights on users’ mobile devices. The Icelandic DPA then discovered that the necessary consent had not been obtained from data subjects either. This was a violation of Article 7 of the GDPR, which outlines the conditions for valid consent. In addition, Article 12 (transparency) and Article 13 (information to be provided where personal data are collected from the data subject) were not met, as the Icelandic DPA concluded that the information given to data subjects was insufficient.

The controller and processor were fined €50,800 and €27,100 respectively.

In deciding on a fine, the Icelandic DPA took into account the fact that there were multiple GDPR violations associated with the use of this app: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Conditions for consent (Article 7), Processing of special categories of personal data (Article 9), Transparency (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Responsibility of the controller (Article 24), Data protection by design and by default (Article 25), Processing contract (Article 28(3)) and Security of processing (Article 32). In addition, the Supervisory Authority considered the nature and scope of the processing as well as the number of data subjects possibly affected. The Ministry of Industries and Innovation and the company YAY ehf were fined €50,800 and €27,100 respectively.

Poor personal data security by Dutch airline leads to a fine

Poor personal data security leads to a fine from the Dutch DPA, after security flaws cause a major hack.

An airline has recently been hit with a €400,000 fine from the Dutch DPA following a major hack attributable to poor data security. The airline Transavia suffered a compromise of two accounts in the company’s IT department, giving a hacker potential access to the personal data of over 25 million passengers. An assessment has since revealed that the personal data of 83,000 passengers was actually downloaded by the hackers.

Three security flaws made the company easy to hack.

Hackers were able to download the personal information of 83,000 passengers from this airline’s database. This was made very easy by three security flaws. The first was the use of very simple passwords, which were evidently easy to guess. In addition, there was no multi-factor authentication in place, meaning that a single password was all that was needed to access those accounts. To further compound the situation, the access rights of these two accounts were not limited to what was necessary, so several of the company’s systems became available to the hackers once they had gained access to those two accounts.

This situation has been taken very seriously and highlights the importance of maintaining robust security systems and measures. In this case, the hacker was able to access the personal data of millions simply by breaking into the system with a very simple password. One of those passwords was one that has for years been at the top of the list of most-used passwords, such as “123456”, “Welcome” and “password”.

The personal data of 83,000 people was downloaded, including health data of 367 people.

Once the hacker gained access to those two accounts in Transavia’s IT department, they gained access to the personal data of 25 million people, which included their names, dates of birth, gender, email addresses, telephone numbers, flight information and booking numbers. The information actually downloaded related to 83,000 people, including a list of passenger data from 2015 containing names, dates of birth and flight information. The data also included the health information of 367 people who had needed to request special considerations, such as wheelchairs, due to health issues.

The Dutch DPA has reported an uptrend in data theft in recent times.

The data breach which led to this international investigation was but one of numerous attacks recorded in recent years. From September to November 2019, these hackers had access to Transavia’s accounts and were stealing personal information. In 2020, the Dutch DPA recorded a 30% increase in the number of hacks reported, the majority of them with the aim of stealing data. The authority has advised that data theft can be avoided by improving security measures.

Record EU GDPR fine appealed by Amazon

Amazon has appealed the record EU GDPR fine on the basis that there was no data breach.

In July, we reported that Amazon was facing a possible fine for alleged GDPR violations totalling €350 million. According to this Bloomberg report, Amazon is now appealing this fine, which stands at €746 million. The CNPD, Luxembourg’s privacy watchdog, hit Amazon with this record-breaking fine, claiming that its processing of user data was a violation of the EU GDPR. The fine is the result of a 2018 complaint from the French privacy rights group La Quadrature du Net.

Amazon has appealed the record EU GDPR fine, claiming that there has been no data breach.

Amazon has disagreed with the CNPD’s findings, claiming that there has been neither a data breach nor any customer data exposed to a third party. The world’s largest online retailer has also stated that there are guidelines as to what employees are allowed to do with customer data, which is collected in order to improve the customer experience. Some lawmakers and regulators have voiced concerns that the data collected is being used to give the company an unfair advantage in the marketplace. Amazon is being scrutinised by EU authorities over its use of data from sellers on its platform, as they question whether it unfairly favours its own products.

The initially proposed fine of roughly 2% of Amazon’s global sales rose to the maximum fine under the EU GDPR – 4% of the company’s annual global sales.

Under the EU GDPR, regulators can fine companies up to 4% of their annual global sales. The fine first proposed was roughly 2% of Amazon’s global sales, at €350 million, but after other regulators in the bloc gave their approval the fine now stands at €746 million. This fine relates to alleged compliance issues surrounding the company’s collection, storage and use of user data.

While Amazon stated that there has been no data breach, sources claim that their manner of storing user data violated the GDPR.

While Amazon claims that there has been no data breach, according to whistleblowers who previously worked with the company as information security officers, the manner in which data is stored in Amazon’s databases makes it impossible for the company to comply with Article 17 of the GDPR. Article 17 states that data subjects have the right to request that all their personal data be erased by a data controller, and to have that request fulfilled without undue delay. Allegedly, data stored by Amazon is at risk, as there is a lack of clarity on what data is being stored, where it is stored and who can access it, making it impossible to fulfil the requirements of Article 17 of the EU GDPR.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.