Data Protection News 2020/21

2020 Data Protection Summary Statistics

2020 was a record-breaking year, in terms of the value of fines from the ICO and the number of known cyber security threats worldwide.

The total value of fines issued by the ICO in 2020 exceeded £42 million, which was double the £21 million in fines issues in the preceding 10 years combined. The lion’s share of the 2020 fines were issued to British Airways (£20 million) and Marriot International (£18.4 million), which despite being high, were both significantly lower than the originally intended fines of £193 and £99 million, respectively.

The total number of reported records leaked in 2020 was 20.5 billion, and there were 1032 known incidents of data breaches and cyber-attacks. For comparison, 2019 saw 15 billion records leaked and 920 incidents, so both of these numbers are increasing gradually year on year.

New Data Protection Laws:

There were a number of new data protection laws that came into force in 2020. Many countries are trying to align local law with the GDPR, which is being considered a global gold standard. Like the GDPR, many of these legislations have an impact outside of the country of origin, so businesses operating in any of these countries should perform a risk assessment of these changes:

United States

Enacted the California Consumer Privacy Act of 2018 (CCPA), was effective from January 1st, 2020

South Korea

Amendments to the Personal Information Protection Act (“PIPA”) and the Network Act went into force on August 5th, 2020

Brazil

The Brazilian General Data Protection Law (LGPD), is in force since September 18th, 2020

Dubai

In July 2020 the Dubai International Financial Centre ("DIFC") brought a new Data Protection Law into effect, which became enforceable on 1st October 2020

New Zealand

The Privacy Act 2020 and its Information Privacy Principles (IPPs) came into force on 1st December 2020

Similarly, there are a number of Data Protection Laws due to come into force in 2021:

Singapore

A draft Personal Data Protection (Amendment) Bill was passed in the Singapore Parliament in November 2020. Certain sections of the Amendment Bill are in force, from February 1st, 2021

Panama

Data Protection Law No. 81 of March 26th, 2019 took effect on March 29th, 2021

Thailand

On 28th May 2019, the Personal Data Protection Act became law in Thailand. There was an original one-year grace period which was extended until 1st June 2021

South Africa

The Protection of Personal Information Act 4 of 2013 (POPIA) came into effect on 1st July 2020, with a one-year grace period for compliance

Republic of Northern Macedonia

Law on Personal Data Protection was effective 24th February 2020 and following an 18-month period comes into force on 24th August 2021

Bermuda

The Personal Information Protection Act 2016 (PIPA) is expected to come into force in 2021

Bosnia

The Draft Data Protection Law is expected to be adopted in its current text within 2021

India

Personal Data Protection Bill 2019 (the PDP Bill) is currently pending consideration of the Indian Parliament and is expected to come into effect towards the end of 2021

Canada

Personal Information Protection and Electronic Documents Act (PIPEDA) is expected to be replaced by a new federal statute sometime in 2021 or 2022

Q1 2021 Data Protection Fine and Breach Summary:

In Q1 of 2021, the ICO issued 11 fines to the value of £1.2 million. All of these fines were for unsolicited or nuisance messages – 6 related to phone calls made to TPS registered numbers, and the other 5 were for unsolicited marketing calls, emails and text messages. The largest of the fines was for £250,000, issued to Leads Work Limited, for the transmission of 2.7 million texts without informed consent. This resulted in a whopping 10,000 complaints over 41 days.

There were at least 3.25 billion records leaked globally between January and March 2021, through 337 publicly reported incidents. The biggest of these was a breach of 1.5 billion records, which was apparently a development database, accidentally exposed by the American internet giant Comcast.

There have been 4 multi-million GDPR fines in Europe so far this year:

€10,400,000, from German Data Protection Authority of Niedersachsen, on 8th January, to notebooksbilliger.de for failing to provide a legal basis for 2 years of video surveillance of employees
€8,150,000, from Spanish Data Protection Authority (AEPD), on 11th March, to Vodafone Espana for sending marketing messages to people even after they had lodged official objections
€6,000,000, from Spanish Data Protection Authority (AEPD), on 13th January, to CaixaBank for providing a new privacy notice for the transfer of customer data to all other companies in the group, without an easy option to refuse consent
€4,500,000, from Italian Data Protection Authority (Garante), on 25th March, to Fastweb SpA for aggressive telemarketing

There have been no massive UK based data breaches so far this year, but ransomware is by far the biggest running threat. Wentworth Golf Club, Trafford bin collections and UK Research and Innovation all suffered ransomware attacks in February. Dozens of schools and colleges were targeted during March. But the most controversial was Fatface, having paid a ransom of $2 million to the Conti ransomware gang in January, which only came to light in late March when they notified the data subjects and the ICO. According to the GDPR, such notifications should be made within 72 hours of the event. Furthermore, the notification to the data subjects were marked ‘confidential’ and data subjects were asked not to disclose the breach to anyone… and so of course people immediately took to social media to highlight the lack of transparency and point out the irony!

About the Author

News