A Proposition for A More Effective GDPR Enforcement
Recent headlines on the news :
- Former and current Morgan Stanley customers have filed a putative class-action lawsuit alleging negligence and invasion of privacy over the firm’s failure to properly scrub decommissioned hardware of personal information such as social security numbers, account numbers and other personal data.
- Garmin Paid Millions Of Dollars In Ransom After Attack – Report
- Canon website down after major ransomware attack
- Almost two months after a high-severity flaw was disclosed – and seven months after it was first reported – Netgear has yet to issue fixes for 45 of its router models.
- Suspected Russian hackers stole content of ex-UK trade minister’s email account
- Intel hacked: Confidential intellectual data obtained and leaked by anonymous hacker
- interior design platform confirms data
- Thousands of websites at risk from critical WordPress plugin vulnerability
- Beware of find-my-phone, Wi-Fi, and Bluetooth, NSA tells mobile users
- Third Party Data Breach of GE Vendor Exposes Highly Sensitive Employee Information
- Twitter hack court hearing ‘Zoombombed’ with porn
- Hackers are charging millions to cover up GDPR breaches, researchers claim
These are just a few from this week’s headlines on data breach and security. Obviously, it’s not anymore IF but WHEN a breach will happen. You can check the freshly published Pokemon study of 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 countries and 17 industries- Cost of Data Breach.
We, in Europe, have one of the most protective data regulations, called the General Data Protection Regulation, passed by all EU members states in 2016 that enters into effect after a two year period of adaptation, in 2018. GDPR compliance imposes accountability measures such as running a Data Protection Impact Assessment to trace where the data is stored, where it comes from, who can access it, how long the data is retained, what are the legal basis of data processing, imposing an obligation of transparency and so on. By requiring data minimisation, purpose limitation, an obligation of security and integrity, risks should be minimised.
So why do we still see so many data breaches? Had the courts and jurisdictions run a DPIA, they would avoid the bad surprise of ‘zoombombarding’. Legal professions should really not use a technology without making sure the personal data they handle are safely secured. Politicians, just like the legal professionals should not use insecure email accounts. Encryption is a requirement when handling sensitive data and bound by an obligation of confidentiality. Why do we still read ‘The British government does not explicitly bar the use of private email accounts for official business, but says all information must be handled in accordance with the law, including the Official Secrets Act.‘
So why, 4 years after the GDPR which actually replaced a pre-existing Data Protection Directive that was mostly reinforced by the GDPR, has still let these breaches to happen ? In others words, we ought to ask, what the national EU Data Protection Authorities have been doing ?
DPAs are said under staffed, and under resourced. The UK ICO in particular have been dragging their feet with an enforcement against British Airway and Marriott International whom have each had a severe data breach affecting large number of customers data. An intention to fine was issued that keeps being pushed back in the case of the two companies. £183m for BA and £99m for Marriott. Marriott has obtained another six months prolongation and BA is said to eventually pay only less than 11% of the original amount. Of course in the current economic context, big fines can be fatal, they will eventually hurt the customers. Who wants to see the UK British Airways to file bankruptcy? So what else can be done as no enforcement means no incitement to comply with the regulation. Even if in final GDPR compliant is beneficial for the company, it necessitate an initial investment.
I suggest a better option. As still in 2020, fours years after the adoption of the regulation, many ignore their obligations, I suggest the fines to be less financial with more incentives :
First, make sure these companies are compliant, cease and delete all customer data unlawfully obtained. Offer protection to the customers whose data has been breached. Why not offer some sort of compensation to the victims such as free standby tickets or hotel rooms.
Furthermore, as it is obvious that general public and many companies lack information on Data protection, GDPR and data security.
- As it is obvious that the U.K. ICO feel trembling fining BA and Marriott with big fines that will kill them or end up costing money to their customers.
- As BA and Marriott are both companies with high volume customer, same applies to EasyJet as well victim of a data breach.
I suggest they’d be submitted to an obligation to run public awareness campaigns on GDPR and data security in all their public places : aeroplanes, airports, hotel rooms, offices, etc… short videos, posters, tracts,…. like entertaining short videos on plane or before boarding, on their websites or leaflets.
What do you think?
While the UK ICO are still dragging their feet, the French DPA CNIL, acting as lead supervisory, has fined an eCommerce business in cooperation with other national DPAs. Spartoo has been fined for EUR 250,000 for violations of articles 5-1 c), 5-1 e), 13 and 32. Basically, infringement of the principals of data minimisation, data retention period, password security and lack of transparency. Spartoo was also ordered to bring its processing into compliance with the GDPR within three months from the notification of the decision, under a penalty of EUR 250 per day of delay. What triggered the investigation of this company in particular is unkown. In its annual report, the CNIL announced 300 controls. 8 sanctions : 7 fines for a total of 51 370 000 euros, including the biggest fine in Europe to Google (Have they actually paid?) 5 injunctions. From 11 000 complaints in 2018they had 32 % increase for the first 7 months of 2019. CNIL had announced their priorities : cookies, recruitment agencies and real estate.
The most active of all, the Spanish AEDP as reported by the GDPRHub :
he Spanish DPA (AEPD) fined two telecommunications companies for the following violations of Article 6 GDPR:
€75,000 against Telefonica for transmitting a claimant’s personal data without consent. Read more or edit on GDPRhub…
€80,000 against Orange for allowing a client’s personal data to be used for the fraudulent hiring of 6 telephone lines. Read more or edit on GDPRhub…
€70,000 against Telefonica for using a customer’s data to incorrectly issue them invoices for services associated with another person. Read more or edit on GDPRhub…
€55,000 against Telefonica for continuing to process a complainant’s data following an identity theft. Read more or edit on GDPRhub…
The AEPD also issued the following fines:
€40,000 against an airline for a breach of Article 15 GDPR Read more or edit on GDPRhub…
€18,000 against a bank for violating Article 6(1) GDPR Read more or edit on GDPRhub…
€6000 against a company for infringing cookie rules under Article 22(2) of the Spanish Law of Information Society Services (LSSI) and Article 13 GDPR Read more or edit on GDPRhub…
The AEPD also held that a city council breached data confidentiality principles under Article 5(1)(f) by publishing a census featuring individuals’ names, surnames and ID card numbers. Read more or edit on GDPRhub…