Data Protection News Mar 19

Q1 2019 Round-up of Data Breaches and ICO Fines
Google Slapped with 50 Million Euro Fine
Overview of the California Consumer Privacy Act
March 28 2019
Headline: Google €50 Million Fine

In January 2019, the French Data Protection Authority (CNIL) fined Google 50 million euros. The investigation was initiated by complaints from two privacy advocacy groups, one of which was backed by a petition of 10,000 signatures. The CNIL's findings centred on a lack of transparency and, more specifically, on users not being sufficiently informed about how Google collects data for ad personalisation. Essential information such as the purposes of processing and retention periods was excessively split across several different documents, and consent for ad personalisation was obtained through pre-ticked boxes, which is itself a violation of the GDPR (consent must be a clear affirmative act). Unsurprisingly, Google has decided to appeal the decision. Do you think it will be upheld?

Data Breaches

The number of data breaches reported in the media this quarter was higher than usual, at 180, and the estimated number of records breached reached a record high of 4.7 billion.
The biggest global breaches from Q1 2019 were:

• 809 million records exposed online
• 773 million records on the dark web, including plain-text passwords
• 617 million records hacked from 16 sites and put up for sale
• CVs of 202 million Chinese users exposed

Many of the huge exposed datasets are turning up on 'Big Data' technology such as MongoDB. In most of these cases the data was not 'hacked' in any sophisticated sense: the database was simply reachable from the internet with no authentication enabled, so anyone who found it (for example via a port scan) could download the whole collection.
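The following mongod.conf fragment is an added illustration, not something from the newsletter or from MongoDB's own documentation, of the exposure pattern behind these leaks beside the settings that close it. The IP address and certificate path are assumptions for the example. (MongoDB 3.6 and later bind to localhost by default; older builds and many container images bound to all interfaces, and access control is off in every version unless you turn it on.)

```yaml
# Added example (not from the original article). Two versions of the
# relevant mongod.conf settings: the exposed pattern, then the hardened one.

# --- Exposed: listens on every interface with no access control ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0            # reachable from the internet
# security:
#   authorization: disabled    # any client can read every collection

# --- Hardened ---
net:
  port: 27017
  # Loopback plus the one private address the application tier uses.
  # 10.0.0.5 is an assumed address for this example; never use 0.0.0.0.
  bindIp: 127.0.0.1,10.0.0.5
  tls:                         # net.tls is the 4.2+ spelling (net.ssl before that)
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # assumed path
security:
  authorization: enabled       # every client must authenticate and is bound by roles
```

Two practical caveats: `authorization: enabled` does nothing useful until you have created at least one user with a role (the first user is created over the localhost exception), and the firewall or security group in front of the host should still block 27017 from the internet so that a configuration mistake does not become a breach on its own.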

ICO Fines

In contrast to the ever-increasing fines issued over the last few years, Quarter 1 of 2019 saw the lowest total value of ICO fines in three years. The fines totalled £280,000 and were all issued for marketing carried out without consent:

• Alistar Green Legal Services fined £80,000
• Eldon Insurance services fined £60,000
• Vote Leave and Leave.EU groups received 3 fines totalling £100,000
• Grove Pensions Solutions fined £40,000

For more detailed information about ICO fines, see the ICO enforcement webpage.

California Consumer Privacy Act

As one of my learned contacts recently put it, "a rising tide lifts all boats", and this is the effect we are starting to see since the introduction of the GDPR last year.

The GDPR was a paradigm shift for data protection in that its geographic application extends well beyond its origin: it applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Several laws now being passed have a similarly extraterritorial reach, which means we all need to be aware of and comply with them.

One such piece of legislation is the California Consumer Privacy Act (CCPA) coming into force in January 2020.

California's population and economic size are significant. If California were a country, it would be the fifth largest economy in the world, so it is a marketplace that many global companies interact with. If you collect and disclose or sell information about California residents, and your business meets the Act's size thresholds (as enacted: more than $25 million in annual gross revenue, or personal information on 50,000 or more consumers, households or devices, or 50% or more of revenue from selling personal information), you will have to comply with the CCPA. Note that the test is residency in California, not US citizenship. If you are already complying with the GDPR, the additional impact should be minor.

CCPA has many similarities to the GDPR, for example having greater levels of protection for the handling (and selling) of information about children.

The CCPA also grants California residents several individual rights, including the right of access, the right to be informed about what is collected and why, the right to deletion and the right to say 'No' to their information being sold.

However, there are also some key differences. The CCPA does not put the same onus on accountability and governance as the GDPR, which mandates the Data Protection Officer role and Data Protection Impact Assessments for higher-risk processing. Conversely, the CCPA specifies an obligation for businesses to ensure that staff who handle consumer requests are trained on its requirements; the GDPR mentions staff training only as one of the DPO's tasks (Article 39) rather than as a direct obligation on the organisation.

One of the specific requirements of the CCPA is that any business that sells information about California residents must provide a 'clear and conspicuous' link on its website home page titled "Do Not Sell My Personal Information", leading to a page where individuals can opt out without first having to create an account. This will therefore be an important and highly visible compliance action if you collect and sell data about California residents.

It is a fascinating balance to strike: as the value of data continues to increase significantly, so do the risks and liabilities of holding it.

The data protection revolution is still unfolding and the business case for becoming a highly trusted data processor continues to gain strength.