In 2018 Equifax was fined £500,000 following investigation of a security breach in the US which affected up to 15 million UK citizens. The investigation was carried out by the ICO in parallel with the FCA and revealed multiple data protection failures. In fact, the Information Commissioner’s Office reported that Equifax had contravened five out of the (then) eight data protection principles, including retention of personal data for longer than was necessary, failure to provide adequate security from unauthorised access, lack of legal basis for transferring UK citizens’ personal data outside of the EEA, and failing to provide information about the type and extent of personal data processing taking place.
Due to the timing of the incidents the fine was issued under the 1998 Data Protection Act rather than GDPR, under which fines are potentially much higher. The £500,000 fine levied was the maximum allowed under the 1998 Act.
In November IAPP submitted evidence to support the ICO’s continued audit activity in respect of both Experian and Equifax to assess their compliance with GDPR. IAPP described the companies as “major credit reference agencies who through their marketing activities also act as data brokers.” The submission included evidence against consumer marketing data brokers, Acxiom and Oracle and advertising companies Quantcast, Tapad and Criteo.
The IAPP investigation, based on information provided by the companies concerned in Privacy Notices and in response to Subject Access Requests, revealed that the personal data processing by Experian and Equifax had no lawful basis and, where special category data was being processed, there was no lawful basis under Article 9 of GDPR. The processing did not comply with the Data Protection Principles around transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy and integrity or confidentiality. IAPP also raised concerns about compliance with subject rights, including the right to information (Privacy Notices).
Data brokers Experian and Equifax have been around for decades but keep a relatively low profile with consumers. Many citizens are unaware that data brokers hold their personal data or of the extent of profiling activity; they are not aware that their personal data is shared for commercial purposes, with whom it is being shared, the consequences of the processing or where the processing takes place. This was a key issue for the Information Commissioner when announcing the fine in September 2018: “Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress.”
Microsoft investigated by Dutch data protection authorities
In November 2018 the Dutch authorities alleged that Microsoft was processing personal data without the knowledge of data subjects and, further, that it exports personal data outside of the EEA without the knowledge of data subjects and contrary to the prohibition against such exports unless additional compliance requirements are met. The charges relate to Windows 10 Enterprise and Microsoft Office.
Microsoft states that it collects data for functional and security purposes, but the investigation revealed that the data collected includes email subject lines and snippets of content where the content is changed or corrected.
The content was found on servers in the US, which is a breach of GDPR as it is not stated in the relevant Privacy Notice. Microsoft’s initial reaction was that the data was not stored outside the EEA; only later investigation revealed that it was in fact stored in the US too.
The Dutch Data Protection Authority has concluded that Microsoft has contravened GDPR “on many counts” including the principles of transparency, purpose limitation and fair and lawful processing. The Dutch authorities have given Microsoft time to remedy the data protection shortfalls and will revisit the situation in April 2019.
Google and the French data protection authorities
On 21 January 2019 it was reported that Google had been fined by the French data protection authorities for breaches of data protection, including failing to be transparent with data subjects about its data processing activities, not having legal grounds for the processing, and lack of consent to the use of personal data to personalise advertisements.
Google was fined €50 million, the first major fine levied under GDPR.
The French investigation was prompted by complaints made by two privacy rights groups in May 2018.
What can we learn from this?
European Data Protection Authorities continue to target high risk personal data processing activities. Some of the first data protection cases involved credit reference agencies and the massive problems caused for consumers where identities were confused, previous occupants at an address tainted current occupants’ applications for credit and spouses were linked for credit reference purposes. Experian and Equifax are credit reference agencies as well as data brokers.
Compliance with more hidden aspects of data protection, like meeting lawful grounds for processing, is being tested. The new requirement to state in Privacy Notices the lawful grounds relied upon for data processing means that this now has to be considered up front, whereas previously it might only have been an afterthought when an organisation was challenged to specify the grounds. More aspects of data protection compliance are in the public domain as a result of GDPR, such as data retention periods, international transfers of personal data outside of the EEA and the measures in place to keep that data secure, data sharing and outsourcing. As this information is now in the public domain, in Privacy Notices published to websites and in consumer-facing documentation, the regulators have easy access to it.
It is also worth noting the role played by consumer rights champions in bringing to light data protection abuses. These organisations are able to investigate data handling practices and report back to the regulator with devastating effect.