
In Perspective: New breach notification requirements

Each week we review recent news and developments in the context of data protection and requirements under the General Data Protection Regulation (GDPR). In our latest analysis Samad Miah at Xcina Consulting looks at new requirements for notifying breaches from Ireland. Could the current guidelines in the UK come under review? Cases of noncompliance with the GDPR in the workplace and in the airline industry also feature among recent developments in Europe.

Find out the details of these and other key emerging themes as events unfold. Our analysis looks at what happened and why it matters; read our complete review below.

Irish Data Protection Commission changes its breach notification requirements

What happened

  • The Irish Data Protection Commission (DPC) has produced a new webform for data controllers to complete when notifying the regulator of a data breach.

  • This webform is divided into ten sections and includes questions related to the timeline of the incident, details of the breach, the data subjects that are affected and the actions taken following detection of the breach (such as communication of the incident to relevant stakeholders).

  • The new form will also require users to specify whether the notifying person or the Data Protection Officer is the designated contact person for the DPC in relation to the breach notification, in order to streamline future correspondence and follow-up queries.

Why it matters

  • The GDPR introduced a duty on all organisations to report certain personal data breaches to the relevant data protection authority. This must be done within 72 hours of becoming aware of the breach.

  • If the breach is likely to result in a ‘high risk’ of adversely affecting individuals’ rights and freedoms, the data controller must also inform those individuals without undue delay.

  • The new webform produced by the Irish DPC will facilitate decision-making about whether or not businesses need to notify the relevant supervisory authority or the affected individuals, or both.

Employer is fined for using a video camera surveillance system to track employees

What happened

  • The Luxembourg data protection authority recently fined an employer €5,300 for using a video camera surveillance system on its premises and tracking devices in some of its employees’ vehicles.

  • This was considered a breach of the data minimisation principle as well as noncompliance with the ‘right to be informed’ under data protection law.

  • The field of vision of an installed camera was found to include the staff dining hall, an area intended for employees’ private use.

  • Employees were also not fully informed of the existence of a geolocation system within the vehicles they were operating.

Why it matters

  • Recording employees at their workplace is considered a ‘high risk’ processing activity and employees would not usually expect this to be happening without their prior notice, especially in areas usually considered private such as dining rooms and toilets.

  • The principle of data minimisation requires businesses to consider necessity and proportionality when processing personal data.

  • This involves considering whether anonymous information can be used instead and deciding whether less privacy-intrusive ways of processing personal data are available.   

Airline is fined €400,000 for not implementing appropriate security measures

What happened

  • The Dutch data protection regulator has fined Transavia Airlines C.V. (TACV) for not putting in place appropriate technical and organisational measures to prevent a personal data breach involving sensitive information.

  • In October 2019, an unauthorised third party gained access to personal data contained within TACV’s systems.

  • Following a root-cause analysis initiated by the business, it was found that the third party was able to infiltrate TACV’s systems using a process called ‘credential stuffing’ whereby commonly used passwords are used in a short period of time to gain access to a system.

  • The compromised user account also had the highest privileges and access to other systems used by the business.
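A defender-side illustration of the pattern described above, added here as an example and not code from the page, from Xcina or from TACV: it parses a constructed authentication log and flags any source that fails against many distinct usernames in a short window and then logs in successfully, highlighting a hit on a privileged account. The log format, the PRIVILEGED set and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page or from TACV): one
# source cycles through many usernames in seconds and then succeeds on a
# privileged account; a second source is an ordinary user mistyping once.
SAMPLE_LOG = """\
2019-10-03T02:00:01Z login user=alice result=FAIL src=198.51.100.7
2019-10-03T02:00:02Z login user=bob result=FAIL src=198.51.100.7
2019-10-03T02:00:03Z login user=carol result=FAIL src=198.51.100.7
2019-10-03T02:00:04Z login user=dave result=FAIL src=198.51.100.7
2019-10-03T02:00:05Z login user=erin result=FAIL src=198.51.100.7
2019-10-03T02:00:06Z login user=sysadmin result=OK src=198.51.100.7
2019-10-03T09:15:00Z login user=alice result=FAIL src=203.0.113.9
2019-10-03T09:15:20Z login user=alice result=OK src=203.0.113.9
"""
# Hypothetical list of high-privilege accounts for this example.
PRIVILEGED = {"sysadmin"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<res>OK|FAIL) src=(?P<src>\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, user, result, src) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["res"], m["src"]))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources failing against >= min_users distinct usernames inside
    `window`; list successes in that window and mark privileged ones."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[2] == "FAIL"]
        for start in fails:
            end = start[0] + window
            users = {e[1] for e in fails if start[0] <= e[0] <= end}
            if len(users) >= min_users:
                ok = [e[1] for e in evs if e[2] == "OK" and start[0] <= e[0] <= end]
                alerts[src] = {"distinct_users": len(users), "successes": ok,
                               "privileged_hit": bool(PRIVILEGED & set(ok))}
                break  # one alert per source is enough for this example
    return alerts
```

Run against SAMPLE_LOG, only 198.51.100.7 is flagged, with five distinct usernames tried and a privileged success; the lone mistyped password from 203.0.113.9 stays below the threshold.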

Why it matters

  • Information security is a key component of data protection law and is referred to throughout the text of the GDPR.

  • Businesses should consider a mix of technical and organisational measures (such as encryption and policies/procedures) to keep data secure.

  • It is also sensible to have all controls suitably audited and inspected on an annual basis so that there is a level of external assurance that can give confidence to senior management.

  • ISO 27001 is an international standard for managing information security, against which many businesses seek certification; it should be considered by all organisations processing large quantities of personal data.


Samad Miah

Data Protection Consultant


Samad has a strong track record in data protection, both as an industry practitioner and as a consultant, helping organisations successfully address their obligations towards the Information Commissioner’s Office and other regulatory bodies.

To discuss how the above or other data protection requirements impact your business, feel free to get in touch with our team. We provide our clients with pragmatic advice and support to help them achieve a robust and defensible position.

In our latest review of recent news and developments, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at new requirements from the Irish Data Protection Commission in relation to data breach notification and two interesting cases in Europe involving noncompliance with the GDPR.


What happened

  • The defendant had installed security cameras and a smart doorbell on their house.

  • The smart doorbell is able to record both audio and video of the claimant’s house and garden.

  • The claimant argued that the installation of these security devices infringed data protection laws and contributed to harassment.

  • The judge upheld these claims and stated that the devices “unjustifiably invaded” the privacy of a neighbour.

  • The defendant now faces a potentially significant fine.

Why it matters

  • Article 2 of the UK GDPR states that data protection law does not apply to the processing of personal data by an individual in the course of a purely personal or household activity.

  • An example could be someone taking pictures of family members and sharing these with their friends on a social media platform.

  • However, in the case of domestic CCTV systems, this exemption only applies to the person’s own private property and garden and not outside the property boundary e.g. public footpaths and shared spaces.

What happened

  • From August 2011 to February 2012, Google is alleged to have installed software on Apple iPhones by bypassing protections within the device’s Safari web browser (i.e. the ‘Safari Workaround’).

  • This allowed Google to track these iPhone users across websites, and to collect information about their internet usage and browsing habits.

  • Mr Lloyd issued a representative claim for damages for breach of the Data Protection Act 1998, on behalf of himself and all those allegedly affected by the Safari Workaround. This is known as a representative action.

  • Mr Lloyd argued that the affected individuals could claim damages for ‘loss of control’ over their data, uniformly, without the need for individual assessments of damages.

  • Google argued that the conditions of a representative action had not been established because the affected individuals had varying entitlements to damages and ‘loss of control’ damages were not available in English law.

  • Mr Lloyd lost in the High Court, won in the Court of Appeal and has now lost in the Supreme Court.

Why it matters

  • The Supreme Court found that a claim for damages for the unlawful processing of data under the Data Protection Act 1998 requires proof of damage in the form of either material damage (such as financial loss) or mental distress. The damage could not simply be the unlawful processing itself or ‘loss of control’.

  • The court also stated that it would need to consider the extent of the unlawful processing in the individual case in order to rule out that the damage was more than just trivial (and therefore potentially subject to a compensation claim). This is not possible in a representative action.

  • Whilst privacy campaigners may be frustrated by this decision, data controllers can breathe a sigh of relief after hearing the court’s reasoning. The threat of a costly representative action following a personal data breach is not on the horizon.

  • This case serves as an important reminder that in order to claim compensation for a non-trivial personal data breach, proof must be shown of material damage or distress. The contravention itself is not enough – i.e. the ‘cause’ must have an ‘effect’.

What happened

  • In July this year, Amazon was fined a record $865 million (or €746 million) for noncompliance with the GDPR, particularly in relation to the way the business collects personal data.

  • The appeal was filed at the Luxembourg Administrative Tribunal a couple of weeks ago.

  • Amazon continues to receive a significant amount of scrutiny over its business practices in Europe, with probes also being carried out in Germany and the UK.

Why it matters

  • Whilst the full details of the fine have not been disclosed, it is believed that it relates to how the company processes personal data to show customers relevant advertising.

  • In most cases, presenting website visitors with personalised adverts requires the use of cookies and other similar technologies.

  • Data protection law states that placing a cookie or other similar technology on a user’s device/browser requires freely given and unambiguous consent.

What happened

  • Early in September this year, the Irish data protection regulator fined WhatsApp €225 million.

  • The issues that were identified included failures to provide the required privacy information to WhatsApp users and non-users and failures to make privacy information available in an easily accessible form.

  • The decision of the Irish data protection regulator reveals a lot about how businesses should comply with the transparency requirements of data protection law, particularly when it comes to compiling privacy notices.

Why it matters

  • Privacy notices act as one way in which organisations can inform individuals about what they are doing with their personal data.

  • The issues identified by the Irish data protection regulator provide some useful insights for businesses to consider when preparing their privacy notices.

  • This includes avoiding the use of ‘linked documents’ so that the user is able to access all the information in one place rather than through different webpages.

  • As well as this, the lawful basis for processing and the purpose for processing must each be stated at a granular level of detail, for each and every processing operation.

What happened

  • In September, the UK government published its consultation paper on proposed reforms to the country’s data protection regime.

  • Following Brexit, the UK is now free to develop its own data protection laws.

  • The consultation paper includes recommendations to replace the requirement for businesses to designate a Data Protection Officer, remove obligations relating to the completion of Data Protection Impact Assessments and introduce a fee regime when responding to a data subject access request.

  • Cookies and other similar technologies are also covered within the paper including proposals to permit businesses to use analytics cookies without the user’s consent.

Why it matters

  • Many businesses have been working to ensure they have an effective privacy programme in place to achieve accountable data protection practices.

  • The changes that are being suggested will compel businesses to, once again, reassess what they are doing and act accordingly.

  • Whilst many of the proposals indicate a ‘watering-down’ of current requirements, UK businesses that target and monitor individuals in the EU would still be affected by the EU GDPR.

  • The UK’s data protection regulator, the ICO, also felt that changes to help businesses avoid performing a risk assessment when processing personal data based on legitimate interests would create problems in how individuals are able to object to such processing.
