A complaint was made in September 2018 by Jim Killock and Dr Michael Veale to the ICO about the systemic breaches of the GDPR by the AdTech industry, focusing on the role of the IAB (Interactive Advertising Bureau), a trade industry body as the rule setter.

The ICO’s investigation which was concluded in June 2019 found the AdTech industry to be in breach of the GDPR with widespread and systemic problems with industry practices such as collecting and sharing people’s browsing history without any control over who ends up accessing such personal information.

However, despite founding unlawful practices, the ICO decided to close the investigation in September 2020 without taking any substantive action. The ICO had also ‘paused’ enforcement during the first COVID lockdown.

The co-complainants (Jim Killock and Dr Michael Veale) are now taking the regulator to court over its refusal to take substantive action against what their own investigation concluded were very serious and extensive unlawful practices.

Jim Killock, Executive Director of the Open Rights Group and one of the two complainants, said:

“The AdTech industry has driven a coach and horses through the GDPR and the ICO’s own investigation has highlighted widespread systemic abuses in the AdTech industry practices. But instead of taking action against, it has decided to close the investigation. We are determined to ensure that the law is enforced even when the regulator can’t be bothered to protect our rights and liberties.”

Dr Michael Veale, an academic at the University College London (UCL) who sits on the Advisory Council of the Open Rights Group and is a co-complainant against the AdTech industry to the ICO, said:

“The ICO is expected to protect individuals against complex misuses of their sensitive data by entire industries acting outside the law, not just the simple, low-hanging fruit it can easily enforce against. This lawsuit is about stopping the ICO sweeping the most difficult cases under the carpet. Adtech isn’t simple — but dealing with illegal adtech is the ICO’s job.”

Ravi Naik, Legal Director of the data rights agency AWO who is instructed to act on behalf of the complainants, said: 

“Our clients simply want to the ICO to act to prevent widespread and systemic abuses of human rights; abuses that the ICO has acknowledged occur. Rather than take steps to address those problems, the ICO have acted against our clients and closed their complaints because our clients asked them to take action. This appalling state of affairs has left our clients with little option than to take the Commissioner to the Tribunal. That the Commissioner is being taken to the Tribunal because of a refusal to act to protect our rights speaks volumes of the Commissioner’s record.

“Our clients seek no more than the protection of our rights. Why the Commissioner is refusing to act to protect us all is a matter they will have to justify to the Tribunal.”

Source: ORG

Photo by Andre Hunter on Unsplash

The post Open Rights Group is taking the ICO to court over the regulator’s failure to stop unlawful practices by the AdTech industry appeared first on GDPR Register | Compliance tool for privacy experts.

The Data Protection Commission (DPC) has handed down a €65,000 fine to Cork University Maternity Hospital (CUMH) after the personal data of 78 of its patients was discovered disposed of in a public recycling facility elsewhere in the county.

The complaint was first raised with the DPC in June 2019 after a member of the public, who had discovered the documents, brought the matter to the HSE’s attention.

The executive then reported the data breach to the DPC.

The breach, an infraction of the hospital’s responsibilities under the EU’s General Data Protection Regulation (GDPR) which is understood to have consisted of a large number of documents, equated to the personal data of 78 people and the special category personal data of six of them.

Special category data under GDPR is the information of a particularly sensitive nature, the exposure of which could be expected to significantly impact the rights and freedoms of data subjects or could be potentially used against them in a discriminatory fashion.

It includes information regarding individuals’ race or ethnicity, religious beliefs, political opinions, biometric (identifiable) data, sexual orientation, and health data.

The breach at CUMH is believed to have comprised sensitive health data of patients, including medical histories and future planned programmes of care.

In its decision, handed down on August 18, the DPC said that the HSE had infringed Articles 5 and 32 of the GDPR by failing to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data”.

It is unknown whether or not any individual or individuals were held accountable for the breach, or how the documents came to be disposed of in the manner in which they were.

Regardless of what individual disposed of the documents, the hospital, as data controller, would have been deemed responsible.

The DPC said it had applied an administrative fine of €65,000 on the HSE for its infringements. The ruling has not been appealed.

“Cork University Maternity Hospital accepts the findings of the report of the Data Protection Commission in full and are working to implement all recommendations in the report,” said a spokesperson for the hospital.

They said that all patients affected by the breach had been notified of it.

“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred and preventative measures are put in place to reduce the risk of such breaches happening again,” they said.

“This is in addition to a comprehensive training and development programme for staff in GDPR as well as a range of policies and procedures designed to protect personal data.”

The DPC also ordered the HSE to bring its systems for processing and disposing of patients’ information “into compliance” with GDPR standards and issued the executive with a formal reprimand regarding same.

The decision is just the fifth fine handed down by the DPC since GDPR came into force in May 2018. The other four were delivered to child and family agency Tusla.

Source: Irish Examiner

Photo by Steve Johnson on Unsplash

The post Cork hospital fined €65k after patients’ personal data found in public recycling facility appeared first on GDPR Register | Compliance tool for privacy experts.

Today, the Irish High Court has ordered the DPC to cover the costs of Mr Schrems’ legal team in relation to this summer’s decision on EU-US data transfers before the Court of Justice of the European Union (CJEU). The DPC is not entitled to their costs from Facebook, except the cost for three court days will have to be covered by Facebook.

• Judgment as delivered

Background. Mr Schrems filed a complaint against Facebook in 2013 in the wake of the disclosures by Edward Snowden on Facebook’s cooperation with the US Security Agencies, like the NSA.

After a first trip to the CJEU in 2015 on the “Safe Harbor” Decision, the Irish DPC filed another lawsuit against Mr Schrems and Facebook to “clarify” the interpretation of EU law.

5 years, 6 weeks, 45.000 pages. The second case ran for more than five years before three courts in Ireland and on EU level. Up to 25 solicitors and barristers attended the hearings before the Irish High Court. More than 45.000 pages of documents were submitted by Facebook and more than six weeks of hearings were necessary to deal with the different arguments. In particular, Facebook took every option to expand and delay the procedure.

Mr Schrems ultimately succeeded with his arguments against the Irish Data Protection Commission (DPC) and Facebook before the CJEU. He is now entitled to at least have his legal costs from the plaintiff (the DPC) covered under the “loser pays” principle.

Max Schrems: “I filed a short complaint and suddenly I was named as defendant in an extremely complicated case that was to a large part not necessary in my view. Our arguments ultimately succeeded at the European level. The DPC now has to pick up the legal bill for this case, other than three days that Facebook needs to pay.”

Costs Decision. The court decided today that the DPC has to recover all costs of Mr Schrems, but that Facebook has to recover the DPC’s and Mr Schrems costs for three days of the hearings. In these three days Facebook as unsuccessfully tried to amend the judgment by the High Court. Today’s decision is a decision in principle, while the exact amounts of legal costs will be determined at a later stage. No damages or other payments were sought by Mr Schrems. The recovery he sought is purely to cover the costs of his legal representation and necessary expenses.

About € 2.9 Mio have already gone to the DPC’s own lawyers in the EU-US data transfer litigation (Link). These costs will ultimately have to be covered by the Irish taxpayer, as the DPC was unsuccessful in the case and in the attempt to recover these costs from Facebook, other than three days of the more than six weeks of hearings. The DPC’s 2021 budget was increased to €19.1 Mio, tenfold within seven years. Nevertheless, the DPC’s lawyer bill for this case alone amounts to 15% of the DPC’s budget for 2021.

Max Schrems: “I worked countless unpaid hours on this case. The costs that we now seek are the external costs for the necessary legal representation by solicitors and barristers in Ireland that had to deal with five years of court hearings and more than 45.000 pages of documents. Instead of making a decision already in 2015 the DPC has invested Millions into a case that has delayed the procedure for five years and that they have ultimately lost. The Irish taxpayer now has to pick up parts of the bill for this exercise.”

No decision by DPC after 7 years and 5 judgments. The second reference to the CJEU has apparently not brought the necessary “clarity” required by the DPC. Despite the enormous costs: The data protection watchdog has refused to determine Mr Schrems’ complaint, despite the CJEU judgment.

Instead of making a final determination after seven years, the DPC decided to start a second inquiry into Facebook. Facebook immediately obtained a Court Order restraining the DPC from proceeding with a new inquiry until the Court determines its legality. Mr Schrems, in turn, filed legal actions to finally get his case decided. The three parties will therefore see each other again in December and January to have the Court decide on the next steps.

Max Schrems: “Kafka could not have made this procedure up. Five Courts have dealt with this complaint for over seven years. We have won at every stage, but the DPC had still not decided on a complaint from 2013. It is either total mismanagement of the procedures or simply unwillingness to do their job – either way the situation is highly problematic.”

Source: noyb

Photo by Robert Anasch on Unsplash

The post Irish DPC to cover € 2.9M of legal bill of EU-US data transfer case appeared first on GDPR Register | Compliance tool for privacy experts.

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.

The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.

The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

Information Commissioner, Elizabeth Denham, said:

”Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.

Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.

Details of the cyber attack

In 2014, an unknown attacker installed a piece of code known as a `web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely.

This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.

Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.

The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.

Source: ICO

Photo by ActionVance on Unsplash

The post ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure appeared first on GDPR Register | Compliance tool for privacy experts.

Updating name allegedly only possible in case of marriage.

After changing her surname and consequently her email address, an Austrian passenger of Wizz Air needed to update her data stored with the company using her right to rectification provided by GDPR. As the passenger couldn’t do this herself, she filed a “rectification request” for her surname and email address with Wizz Air’s Data Protection Officer (DPO).

Three months later, the data subject still had not received any response. She submitted a new request to change her surname using the company’s contact form. Customer Service told her that she could not change her surname online except in case of marriage. In her case, she would need to call the Wizz Air Call Center, which costs of more than 1 Euro per minute.

35,67 Euros later – a partial success. 

Only after being on the phone for about 32 minutes did Wizz Air change the passenger’s surname, however, they still did not change her email address. Even minor inaccurate data often has real life consequences: Information about a cancelled flight was sent to the passenger’s former email address. As a result, the passenger only coincidentally learned about the cancelled flight in the last minute, as the notification was sent to the passenger’s former email address.

“Wizz Air requires passengers to keep their account data accurate. By law, updating your data must be free, so low costs airlines can’t make compliance with the GDPR another one of their hidden fees.” – Ala Krinickytė, data protection lawyer at noyb

The GDPR gives customers the right to correct their information free of charge (Article 12(5) GDPR). By forcing customers to call their expensive hotlines for changes, Wizz Air fails to let customers exercise this “right to rectification”. The case of the passenger is not an isolated one. Other Wizz Air customers have complained about similar issues too (for example here).

“The GDPR states controllers should take ‘every reasonable step’ to ensure that data is accurate. In this case, it feels like Wizz Air failed to take any steps at all. The request for rectification is probably the least contentious data protection request a data subject can submit to the controller. Especially with airlines, it is of great importance that their passenger lists matches the passports. They make things more complicated and costly than necessary.” – Ala Krinickytė, data protection lawyer at noyb

Complaint filed, with a potential fine of up to €97 million.

Due to the fact that Wizz Air has shown a systematic failure to deal with the right to correct personal data without undue delay and free of charge, noyb has filed a complaint with the Austrian data protection authority.

“According to Forbes, Wizz Air is now ‘Europe’s largest airline’, which makes it all the more important for them to adjust their practices and ensure their customers’ GDPR rights. Given that this is a larger problem at Wizz Air, the data protection authority should impose an effective and dissuasive fine. Companies need to understand that they can’t simply ignore their passengers’ data protection rights.” – Ala Krinickytė, data protection lawyer at noyb

Original article: NOYB

Photo by Markus Winkler on Unsplash.

The post Wizz Air: €1 for a flight, €35 for your GDPR right appeared first on GDPR Register | Compliance tool for privacy experts.

The post IAB Europe’s ad tracking consent framework found to fail GDPR standard appeared first on GDPR Register | Compliance tool for privacy experts.

The post Instagram is under investigation over handling of children’s data appeared first on GDPR Register | Compliance tool for privacy experts.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

Details of the cyber attack

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.

Failure to prevent the attack

There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

• limiting access to applications, data and tools to only that which are required to fulfil a user’s role
• undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
• protecting employee and third party accounts with multi-factor authentication.

Additional mitigating measures BA could have used are listed in the penalty notice.

None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.

Since the attack, BA has made considerable improvements to its IT security.

Lack of awareness of the attack

ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.

It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.

Original article: ICO

The post ICO fines British Airways £20m for data breach affecting more than 400,000 customers appeared first on GDPR Register | Compliance tool for privacy experts.

Irish Data Protection Commission is getting more than €2 million extra budget in 2021, giving the digital privacy watchdog a ten-fold increase in funding since 2014.

Budget 2021 estimates show that the commission, headed by Helen Dixon, will get €19.1 million next year, a 13 per cent increase on this year’s €16.9 million allocation.

The pledge means that the office’s budget will have multiplied by 10 since 2014, when the Government provided it with €1.9 million.

Welcoming the news, Ms Dixon pointed out that her office was at the “frontline of EU data protection” and said that the extra cash would help the organisation build its capacity.

Tech giants Facebook, Google, Linkedin and Twitter all have European operations in the Republic, making the Data Protection Commission responsible for policing their activities.

The office said that the 2018 introduction of the EU’s General Data Protection Regulation significantly increased its work, resulting in 85,000 contacts, 16,000 complaints, 14,000 breach notifications and 3,000 requests for guidance.

“2021 promises to be another extremely busy year at the Data Protection Commission,” said Ms Dixon.

She added that next year’s allocation would allow it continue with work including completing a new case management system and further developing its information technology systems.

Original article: The Irish Times

The post Irish Data Protection Commission to receive €2 million extra funding appeared first on GDPR Register | Compliance tool for privacy experts.

Amazon faces a lawsuit in Germany over claims it has continued to transfer data to the United States using an invalidated transfer mechanism known as Privacy Shield.

The move comes after the EU’s top court struck down Privacy Shield in July over fears of U.S. snooping, throwing billions of euros in transatlantic digital trade into a legal limbo.

According to the lawsuit, which is due to be filed in a Munich court on Friday, Amazon continues to use Privacy Shield as a legal basis to send data to the U.S. in violation of the July ruling.

“The [Court of Justice of the European Union] has made it clear that data transfers to the U.S. on the basis of the Privacy Shield are no longer permitted. If the world’s leading cloud company and largest e-commerce provider remains inactive for more than two months and ignores consumer rights, that is unacceptable,” said Johann Hermann, head of Europäische Gesellschaft für Datenschutz (EuGD), the group behind the legal complaint.

Other U.S. tech giants, including Google and Facebook, have dropped the use of the Privacy Shield since the ruling, switching instead to standard contractual clauses (SCCs) — another data transfer instrument.

But use of SCCs is also contentious, with Facebook currently in a court battle with the Irish data protection regulator over its use of the instrument.

EuGD’s lawsuit — which is on behalf of a German consumer — also takes issue with Amazon’s failure to tell the individual what data it holds on them and what it does with the information, in violation of EU rules.

The German group’s founder, Thomas Bindl, said that they had decided to take the legal route rather than file a complaint with a data protection regulator to speed up the process.

“Max Schrems’ experience showed us that it just takes too long with the regulator,” said Bindl, referring to Austrian campaigner Schrems’ battle with the Irish data protection commission over the slow pace of various complaints into Big Tech.

Bindl is not alone. With regulators faltering, privacy activists and consumer groups are increasingly turning to Europe’s court system for results. 

Original article: POLITICO

The post German lawsuit accuses Amazon of breaking EU privacy law appeared first on GDPR Register | Compliance tool for privacy experts.