In the last two months, two household names have been fined by the UK data protection authority, the Information Commissioner’s Office (ICO): Equifax, for having lost around 146m individuals’ personal data, and Facebook, for having failed to protect profile data from misuse by an app developer, which fed into the Cambridge Analytica scandal.
Both of these cases have been handled under the old rules, as the infractions took place before May 25th 2018 – so, that’s the EU Directive, as implemented by the UK Data Protection Act 1998 (the DPA 1998). In relation to the Facebook case, the ICO has explicitly said that the fines would have been considerably higher under the General Data Protection Regulation (GDPR), but the DPA 1998 has a cap of £500k on fines, so both fines are the maximum possible penalty under that Act.
There are lessons to be drawn from both breaches which may help to predict the regulator’s views on penalties under GDPR. In a sense, the Facebook case is less complex – it has been cited for (1) failing to provide proper notice or seek proper consent for processing activities, breaching Data Protection Principle 1, and (2) failing to take adequate technical or organizational measures to protect personal data.
Both of these failures relate to the fact that Facebook did not disclose to its users the level of access an app developer could obtain to their personal data, contained in their profiles, and to that of their friends; did not communicate to those friends that their data was also being processed by the developer; and then, when it did try to improve its procedures on data handling, failed to meaningfully enforce them against the app in question. The circumstances around this are, in a way, quite specific – relating to the misuse of the data and the ensuing political scandal – but the data protection lessons apply more widely.
Equifax has also been cited for multiple failings – most of which can be boiled down to the failure of a subsidiary to properly control personal data being processed by a parent company on its behalf; to recognise, in effect, that the EU-based entity is required to be the senior partner in decision-making in respect of data about its data subjects, whatever the organizational hierarchy.
While the root cause of the breach was a hack on the back of failures to patch vulnerabilities and follow internal policies and procedures, it was compounded by the UK entity not being informed of the breach, data about UK data subjects not having been deleted by the US entity when no longer required, and there not being adequate terms in place to audit or enforce the duties of the Data Controller – the UK subsidiary – against the Data Processor – the parent company.
Both of these cases highlight the risks faced by companies by other parties processing their data. In the case of Equifax, the multiple principle breaches were a result of improper controls within a group of affiliates that did not properly recognise or allow for the legal duties of a subsidiary under data protection law. This can be difficult to achieve; many companies reach for the Standard Contractual Clauses as the ‘easy’ compliance framework, and there is a risk attached to that decision.
Leaving aside the potential ‘Schrems 2’ case (following the original Schrems case, which saw Safe Harbor being struck down), which could lead to the SCCs being ruled unlawful, there is a more immediate problem: because the Clauses are, by their nature, ‘off the peg’, they don’t encourage an internal discussion about the use of data, and are often seen by non-data protection practitioners as the only thing that needs to be put in place to ensure compliance for cross-border transfers. They can therefore provide a false level of assurance, disregarding elements like Data Protection by Design, minimisation, meaningful audit, and the need to provide instructions to processors.
More widely, it shows the need to ensure that suppliers of any type are subject to proper due diligence, contractual controls and ongoing management, including making sure that instructions are followed on deletion, and that incident reporting mechanisms are in place. Equifax fell down on all of these areas, and in doing so compromised the data of 15m UK citizens, of which 20,000 were deemed to be at higher risk of fraud.
The Facebook case is different in that this was a Controller to Controller transfer of data, rather than to a supplier. However, it still shows a lack of control and understanding of what was being done with the data, compounded by failures to properly implement internal policies and procedures.
Both of these cases highlight the importance of understanding (the first step of which is taking an interest in) what the companies who have access to your data are actually doing with it. This can be a challenge – there may be internal obstacles to overcome, or commercial requirements that make it more convenient to ignore the risk. The fines levied on both companies, while substantial in the history of data breach fines, are a drop in the ocean in relation to their bottom lines.
But that was the whole reason for the increased penalties under the GDPR – to highlight that privacy and data protection is not just another risk to be managed, but to change the order of magnitude to ensure that it’s a board and shareholder issue.
If these two penalty notices indicate anything, it’s that when the regulators start to look at a breach, they will often quickly find multiple infractions, and will fine accordingly. Given the further large breaches that have taken place since May 25th – BA (twice now), Facebook (again) and Cathay Pacific, to name but a few – it can only be a matter of time before we see how that stacks up under the GDPR.