Whilst the security breach often grabs the headline, such incidents often reveal breaches of wider data protection principles that then become the focus of regulatory scrutiny and civil claims. Indeed, there are many recent examples of organisations finding themselves in that exact situation.

 

Earlier this month, the case of an 87-year old man who was harassed for donations 731 times in five years demonstrates how data protection breaches can occur without security being an issue. The man had been bombarded by cold callers after failing to tick a "do not share my details" box in a lifestyle survey he filled out in 1994. The ICO criticised the organisations’ use of old data and vowed to investigate any malpractice. The incident highlights the need for organisations to monitor how long data has been held for and that it being held lawfully. In our view, there certainly appears to have at least been a breach of Principle 5 of the DPA.

The Vidal-Hall v Google litigation highlights the civil liability exposures to wider data protection breaches in the absence of any breach of security. The case concerns Google’s allegedly secret monitoring of internet users and the claimants’ allegations include Google’s breaches of Principles 1, 2, 6 and 7 of the DPA (only Principle 7 relates to security). As we reported last month, the litigation has spurred a potential £30m group litigation.

Even the much publicised hacking of Ashley Madison raises wider data protection breaches: the hackers revealed that the company held data including IP addresses and the individual's geolocation to the nearest 3 metres. Such location data may have been entirely unnecessary for the operation of the website.

The Ashley Madison breach also highlights the cross-jurisdictional nature of data breaches: the company is based in Toronto with website terms and conditions subject to Cypriot law. Ashley Madison may be subject to European data protection law if it controlled the processing of users’ data through an “establishment” in a European country, or through the “use of equipment” in a European country. It has been submitted that the meaning of “equipment” can be wide enough to include cookies or an app installed on a mobile device.

At the PLUS Cyber symposium in Chicago last week, we were struck by the increasing concerns expressed by US companies over EU data protection issues and the cross-jurisdictional reach of European law. Cases like Vidal-Hall and incidents such as Ashley Madison are highlighting the potential risks and liabilities that accompany the commercial benefits of the “big-data” age.

• CMA publishes guidance on consumer rights
• ICO guidance on DPA crime and tax ememptions published
• Carphone Warehouse customer data "breached by a sophisticated cyber-attack"
• Plethora of case law on subject access requests
• ICO consult on updating the direct marketing guidance
• Cold calling clinic receives first Claims Management Regulator fine since new powers were awarded
• PRA Cyber Resilience Capabilities Questionnaire
• Target and Visa agree data breach settlement
• FTC takes action on Safe Harbor claims
• Lloyd's report on the use of drones
• ICO comments on jurisdiction in light of the Ashley Madison data leak
• ICO Monetary Penalties
• ICO Undertakings
• ICO Enforcement Notices

• David Smith Deputy ICO expresses optimism on finalisation of GDPR
• EDPS release free GDPR comparison app

• Poland - Update to Polish data protection laws
• Hungary - Decision issued on data protection aspects of asset transfers
• Ireland - National cyber security strategy published
• South Korea - Update to Personal Information Protection Act
• Ireland - The Irish High Court refuses to grant declaration as to the identity of the data controller
• Hungary - Decision issued on employee monitoring
• Germany - Bundesrat warns of decline in protection of consumers in new European regulation
• UAE - Consultation issued on new european regulation
• Spain - New director for Spanish data protection authority
• Germany - Online retailers fined for unlawful transfer of customer data
• South Korea - Relaxation of regulation of location data
• South Korea - New mobile app guidance issued
• China - Ruling issued on lawful use of cookies
• Columbia - Guidelines for data protection compliance issued
• Canada - Payments securities white paper released
• Canada - Joint BYOD guidance issued
• US - Draft framework for internet of things released

---