
Month: January 2019

Data Privacy News: Two lessons from CNIL fining Google under GDPR

Last week, CNIL, the French data protection agency, handed Google the largest ever GDPR penalty (€50m) for its lack of transparency in how it collected and used personal data for personalised advertising.

This is of course a landmark case in the implementation of GDPR. Importantly, it also shows that despite fears pre-May 2018, European DPAs will not be perturbed by the legal resources that some of the biggest companies in the world have at their disposal – despite the entirely predictable appeal that Google lodged almost immediately.

But the case also raised two interesting points for privacy professionals: a debate over bias in which cases are pursued by DPAs, and how the “one stop shop mechanism” is applied in practice.

1. Is there bias in which cases DPAs pursue?

Within many of the CNIL-Google media reports, there were accusations that CNIL showed nationalist bias in punishing US-based Google, while not displaying the same zeal in pursuing French or European organisations for similar offences. Others added that this case was a classic example of many European DPAs’ “anti-big” bias – a tendency to go “headline hunting” and target the biggest brands in order to demonstrate a dedication to protecting data subjects.

But these accusations miss the point.

If there is a conscious “anti-big” bias in data privacy (which would be no surprise given wider geo-political trends), then that bias sits predominantly with the data subjects, not the data protection authorities.
A DPA will rarely begin a case of its own volition. Faced with limited proactive investigative resource, DPAs are alerted to potential foul play by receiving complaints from data subjects, and on examination of their merits and the seriousness of the offence(s), may initiate proceedings.

Perhaps unsurprisingly, since GDPR went live, almost every European DPA has reported large numbers of data subjects objecting to the ways in which the likes of Google and Facebook have collected and used their data. These high numbers of complaints will be an unavoidable effect of being some of the largest companies in the world – as any missteps will impact more people – but also a function of the underlying but growing “anti-big” popular sentiment and mistrust of large enterprise.

Clearly any DPA in such a situation will feel compelled to prioritise the cases attracting the greatest outcry – especially in the face of inevitable media attention, and regardless of the data subjects’ possible bias or of the nationality of the alleged offending company.

Secondly, this particular case was originally brought by two lobbyists: La Quadrature du Net (LQDN), who acted on behalf of more than 10,000 data subjects, and NOYB, a very powerful privacy pressure group that is headed by no less than Max Schrems, who made his name in privacy by bringing a case against Facebook that led to the invalidation of Safe Harbour. No DPA could realistically deprioritise a genuine case brought to them by these two bodies, especially when supported by hundreds of additional individual data subjects.

So to answer the question above, yes there could well be a trend in how DPAs pursue some cases over others. But the bias actually sits mainly with the data subjects – and those bodies that represent them en masse – and their apparent own eagerness to retaliate against “big”.

2. The “one stop shop mechanism” in practice

This is a question of which DPA leads actions brought against companies. The “one stop shop mechanism” within the GDPR dictates that where an organization has entities in multiple EU countries, the DPA of the country where the organization’s “main presence” is located shall lead the proceedings.

The role of “leading proceedings” means being the sole authority that the organization needs to deal with and respond to, while also requiring the chosen DPA to collaborate with the DPAs of other affected countries before making any decisions.

There was a fear that this might lead to “DPA shopping”, as organizations who suspected actions may be brought against them could theoretically move their main presence to a country whose DPA is more lenient or less proactive.

However, this case has shown that this – fortunately – will not work. It was deemed that despite any theoretical role in Google’s organizational structure, Google’s EU HQ in Ireland could not be considered the European data controller as it did not have decision-making powers over how data is processed. Being a controller is a prerequisite for the “one stop shop” rule to apply, and in the absence of a central European controller anywhere else, all of Google’s European entities were deemed to be data processors, making all European DPAs, including CNIL, equally free to bring actions.

This goes back to the main theme of our blog a couple of weeks ago about the Uber decisions, and how DPAs will determine organizational liabilities based on actions, not titles – a theme we will no doubt see again and again and that companies need to be aware of.

But despite Google and Uber both being fined in the last couple of months, don’t fall into the trap of believing that DPAs are only interested in targeting the largest companies. We are seeing plenty of actions being brought against smaller companies whose actions have affected large numbers of data subjects.

In fact, this mistake is one of the falsehoods of GDPR that we uncovered in our popular download, the 10 Myths and Fairy Tales of GDPR.

We offer a range of privacy services – ‘privacy-first’ data management consultancy and specific data privacy regulations assistance, and importantly, GDPR services.

UPDATE 2: The Data Privacy Periodic Table

To read the latest update (August 2021) to The Periodic Table of Data Privacy, click here

Today is Data Protection Day, or Data Privacy Day if you are outside Europe.

It is a special day in the privacy industry calendar. It marks the Council of Europe’s Convention 108 and it being opened for signature on this day in 1981, and celebrates how far we as a global industry have come since – while reminding us how much work there is still to do.


International Data Protection Day 2019

Every year since 2006, the privacy industry has celebrated Data Protection Day, or as it became known outside Europe, Data Privacy Day.

The day typically marks an opportunity for experts from the worlds of business, academia, consultancy and lawmakers to announce collaborations, hold crucial debates and work together to drive the privacy industry forward.

Arguably, privacy’s most vital next step is to make implementations of new policies and processes as successful as possible. The awareness stage is over – the dramatic rise in legislation in recent years and months is testament to that. As is the degree of attention that the media and its audience is paying to it. But the nature of the stories that the media is most often reporting shows us what the next step is: making the execution of new privacy-first strategies as unobtrusive as possible.

In the related field of infosecurity, it has long been lamented that the easiest way to guarantee a breach is to make your processes and policies so frustrating that your workforce circumvent them. Privacy is the same.

Too many times have we seen reports of businesses completing their privacy audits, implementing new policies, but ‘frontline’ teams nonetheless either actively or naively bypassing them and falling foul of privacy legislation.

So our contribution to Data Privacy Day is aimed to help the industry better understand the nuances of privacy – not only in terms of what it requires, but also in terms of how to deliver it successfully.

We have built a dedicated resources page for Data Protection Day, including downloadable guides and observations from real-life client scenarios. We have also updated our famous Data Privacy Periodic Table with new legislation and future developments to be aware of, especially for today.

In the meantime, Happy Data Protection / Privacy Day!

What the Uber fines teach us about local data privacy enforcement

Data Privacy News: What’s in a name? What the Uber fines teach us about local data privacy enforcement

The Uber data breach of 2016 is creating quite the ripple effect.

Most obviously, the hack’s revelation, and the media furore that accompanied it, caused numerous boards and management teams to ask the dreaded question of their data security teams, “Could this happen to us?” And many answers will have been sheepishly and concerningly in the affirmative.

But the ramifications go far beyond the reignited cybersecurity question. It has also highlighted an interesting legal point – and one that is often overlooked.

Uber 2016 data breach timeline – edited highlights

October and November 2016 – Uber is hacked through a vulnerability in GitHub (an online resource for developers), which led the attackers to Uber’s AWS login credentials. 57 million customers’ and drivers’ names, email addresses and mobile phone numbers are exposed, along with the driving licence and journey details for the 600,000 drivers affected. Uber conceals the hack and pays the hackers $100,000 to delete the data.
November 2017 – the breach is revealed by Bloomberg and confirmed by Uber. Joe Sullivan, Chief Security Officer, and one of his deputies are fired for their roles in the cover-up, which was also known about by the then CEO, Travis Kalanick. Dara Khosrowshahi, who had taken over as Chief Executive Officer in the previous September, pledges transparency for the future.
May 2018 – GDPR comes into force, meaning the breach can only be penalised under pre-existing data protection laws, not GDPR.
July 2018 – Uber announces former Intel chief privacy and security counsel Ruby Zefo as Uber’s first Chief Privacy Officer, and TomTom’s ex-VP for Privacy Security, Simon Hania, joins Uber as its first DPO.
September 2018 – a US court fines Uber $148m as part of a legal settlement, avoiding a public court case in an action brought by 50 US states and the District of Columbia.
November 2018 – British and Dutch regulators impose fines on Uber of £385,000 ($490,760) and €600,000 ($678,780) respectively. Uber said in a statement, “We’re pleased to close this chapter on the data incident from 2016.”
December 2018 – the French Data Protection Authority fines Uber €400,000 ($460,000).

The events of November and December of last year are signalling a very interesting pattern that data privacy professionals need to take careful note of.

The Dutch regulator, the Autoriteit Persoonsgegevens, has ostensibly taken the lead on this case on behalf of all of Europe, on the basis that Uber’s European presence is headquartered in the Netherlands.

However, it is the way that the UK Information Commissioner’s Office (ICO) and the French Commission Nationale de l’Informatique et des Libertés (CNIL) have acted that has sparked the most interest. Not only have they fined the Dutch HQ for the impact of the breach on their own respective citizens, but they have also taken the additional step of fining the local entities separately.

Why is this important?

Because Uber tried to prevent exactly this happening with its carefully worded intra-company agreements. In these documents, each of its local corporate entities were named as mere “processors” of personal data, not “controllers”, meaning under pre-GDPR legislation, they could not be held ultimately liable, nor fined.

But the French and British regulators disagreed. They ruled that the deciding factor was not how the corporate entity was named or considered by Uber’s internal privacy structure, but how they acted in practice. And because they performed the role of a local data controller, they could be held responsible for their part in the local infringements (such as not reporting the breach to the relevant regulators within 72 hours), just as the European headquarters could be fined for its role in the wider offences (such as failing to identify and rectify the vulnerability itself).

In other words, role-based liability comes down to how you act, not what you call yourself.

Lawyers will not find this ruling surprising at all. This is a standard tenet of common law.

However, many privacy professionals are not necessarily so experienced in the way the law works. Those companies whose privacy teams are experts in technology, security and policy, and not law, may overlook the need to ensure that the way their local offices operate reflects what the privacy structure expects, creating legal vulnerabilities in the process.

This is presumably exactly what has happened to Uber. Rather than their legal and privacy team trying to pull off a ruse based on a technicality, it appears that there is a clear mismatch between what the privacy structure anticipated of the local entities’ roles and how they acted in reality.

As we have said in these Data Privacy news blogs many times before, data privacy is a multi-faceted discipline, and far more complex in practice than many realise.