In April 2010, the Information Commissioner was given powers to impose a penalty of £500,000 under the Data Protection Act. It wasn’t until GDPR came into force replacing that Act – eight years later – that we saw a maximum fine. And like London buses, you wait ages and then two come along at once!
Equifax
Equifax have the dubious honour of being the first to receive a £500,000 fine (PDF). Of course, prompt payment gets them a 20% discount to £400,000.
Anyway, the fine was for a cyber attack in 2017 which affected data controlled by Equifax in the UK but held in the USA by Equifax Inc. It affected 15 million unique records of UK individuals including name, date of birth, telephone number and driving licence number. The ICO concluded Equifax had failed to take “appropriate technical and organisational measures” against unauthorised and unlawful processing of that data. Also, Equifax Inc had held onto the data in the USA for longer than necessary for the purposes for which it was transferred there.
It is a catalogue of errors including: failing to undertake adequate risk assessments of the security, failing to incorporate the required contractual clauses for the transfer in its data processing agreement, failing to encrypt data, poor reliance upon consent, not carrying out an audit of Equifax Inc despite having the power to do so, failing to address known IT vulnerabilities, not having up-to-date software. The list goes on.
So, Facebook then. Unless you have recently returned from a long stint on the International Space Station, you will be aware of the reports of Facebook user data being used in political campaigns.
The ICO served notice in June 2018 that it would issue a maximum penalty. It took onboard Facebook’s representations following this and then issued it regardless. Although the decision is addressed to Facebook Ireland and Facebook US, the ICO found processing in the context of UK users. In total, 87 million Facebook users were affected.
In its decision (PDF), the ICO said that Facebook had permitted third-party apps access to data of the users who had installed the apps. This included not only user’s names and gender on their public Facebook profile, but also, birthdate, “current city”, photos in which they were tagged, pages the user had liked, posts on the user’s timeline, news feed posts, friends lists, email addresses and even content of Facebook messages. It also included some data of users’ friends.
This data was shared with many companies – Toronto Laboratory for Social Neuroscience, Euonia Technologies and SCL Elections which controls Cambridge Analytica – and is likely they used it for political campaigning.
Again, there were several breaches including: unfairly processing personal data, collecting data without informing users (or their friends), consent was not freely given, failure to monitor compliance of the app with Facebook’s policy, failure to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data. In fact, the ICO was critical that the first time Facebook seemed aware of what was going on was when The Guardian published a report in December 2015. Since then Mark Zuckerberg has appeared before US Congress to answer questions but three years after the story broke, UK and Canadian MPs are still trying to get answers from him.
We always knew that if it’s free, you’re the product. We just didn’t know the extent of this. And the ICO wasn’t happy so it issued the maximum penalty of £500,000. It’s clear the ICO wanted to go higher: “…but for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty”. Again, with prompt payment, this will reduce to £400,000.
GDPR is bigger & better
The moral of the story is usually the same when it comes to data breaches:
- TAKE
- BETTER
- CARE
- OF
- DATA!
Of course, as everyone knows, the new fines under GDPR are much higher:€20,000,000 or 4% of global turnover. Now we await to see how high they’ll go. Some would say it’s about time the ICO had some real teeth to be able to match the Financial Conduct Authority. Earlier this year the FCA imposed a penalty of £16,400,000 on Tesco Personal Finance (PDF) for a “largely avoidable” cyber attack in 2016 which left its customers exposed and which netted the hackers £2.26m. In fact, the fine would have been £23,428,500 but Tesco agreed to settle early in the FCA’s investigation which led to a 30% discount! Your move ICO…
Oh and when you share this post, please make sure you do so on your Facebook page too!
Image courtesy of Serge Bertasius Photography at FreeDigitalPhotos.net
The Cloud Lawyer 