Irish Data Protection Commission fines Meta for Eur 265 million

What happened

• In August 2021, the UK announced the Republic of Korea as a priority country for data adequacy assessments alongside the United States, Australia, Singapore, the Dubai International Finance Centre and Colombia.
• After agreeing to a data adequacy agreement in principle in July 2022, the UK government announced that it had completed its full assessment of the Republic of Korea’s personal data legislation.
• The government has concluded that the Republic of Korea has strong privacy laws in place which will protect data transfers to South Korea while upholding the rights and protections of UK citizens.
• The regulations are expected to come into force on 19 December 2022.

Why it matters

• Organisations will be able to transfer personal data securely to the Republic of Korea without restrictions.
• Until now, organisations needed costly and time-consuming contractual safeguards, such as standard data protection clauses and Binding Corporate Rules.
• The new freedoms are expected to open up opportunities for many small and medium-sized businesses that may have avoided international data transfers to Korea due to these burdens.
• Removing barriers to data transfers is also expected to boost research and innovation by making it easier for experts to collaborate, notably on medical treatments and other vital research.
• This is the first independent data adequacy decision concluded by the UK government since the UK left the European Union. Others are expected to follow suit.

What happened

• Over a year after the Irish Data Protection Commission (DPC) launched its investigation into media reports of numerous Facebook users’ personal data being made available online, the regulator announced it was imposing a €265 million fine and other corrective measures on Meta for failing to protect its data adequately.
• The fine is for a data breach discovered in 2021. Personal data of high-profile EU officials were included in a leak of the 533 million records, including phone numbers, Facebook IDs, full names and birthdates that surfaced on a public forum and were circulating widely on the web.
• In addition to the fine, the authority imposed a reprimand and an order “to bring processing into compliance by taking a range of specified remedial actions within a particular timeframe.”
• The DPC argued that Meta failed to comply with the General Data Protection’s obligation to ensure privacy “by design and default,” meaning it had engineered its products in such a way that personal data could leak.

Why it matters

• The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default. The DPC examined the implementation of technical and organisational measures under Article 25 of GDPR.
• Facebook said at the time that the leaked information was “scraped”, but not hacked, by malicious actors through a vulnerability in its tools before September 2019. The social network said it patched the vulnerability in 2019, preventing further data from being harvested.
• “Scraping” uses automated software to lift public information from the internet that can then end up being distributed in online forums.
• Article 25 requires controllers to implement appropriate technical and organisational measures, such as pseudonymisation, to meet GDPR requirements and protect the rights of data subjects. These measures must provide protection not only against data breaches but also against the use of other unauthorised methods, such as data scraping.

What happened

• The Government has tabled amendments to its Online Safety Bill that significantly strengthen its ability to demand messenger apps, such as WhatsApp, Telegram and Signal, to monitor users’ messages if deemed necessary.
• The Home Office has drawn up these proposals to deal with terrorist and child sexual exploitation and abuse (CSEA) content. They will hand sweeping new powers to Ofcom to demand encrypted messenger apps scan users’ messages for such material.
• Legal analysis by Matrix Chambers has warned that the powers contained in the bill empower “the state to mandate, generalised, indiscriminate, bulk surveillance of the content of the communications of millions of people across a very wide range of platforms”.
• This could mean that the regulator, Ofcom, would have broader surveillance powers than many of the country’s leading intelligence services. According to Matrix Chambers, such powers would also contravene at least two articles contained in the European Court of Human Rights.
• The leading barristers’ chambers also raises grave concerns about the impact such powers would have on the ability of journalists to protect their sources. The legal briefing notes that under the amendment, there are “no enhanced safeguards to protect journalistic sources and/or confidential journalistic material”.

Why it matters

• In the UK, privacy activists are increasingly concerned over these new amendments to the UK’s proposed Online Safety Bill.
• The Open Rights Group (ORG) pointed out that the bill is about “more than moderation of harmful content – private chat platforms, such as WhatsApp, Signal, Facebook Messenger and Telegram, will also fall under the bill’s mandate.”
• Under the latest iteration, all these companies would be forced to scan for government-specified forms of illegal content using Home Office-approved systems.
• There are concerns that this would represent an intrusive form of surveillance that will compromise the end-to-end encryption that currently keeps chats confidential and secure, thereby undermining Internet users’ privacy, security, and free expression.
• The Center for Data Innovation also considers that the continued focus on age assurance and verification in the bill could hurt users’ privacy and anonymity and gate off entire Internet sections.
• The final decision on the Bill is expected on the 5th of December.