Skip to main content

GDPR: Key cases so far

GDPR: Key cases so far

Google fined by national French data protection regulator

On 21 January, Google LLC (Google’s French arm) was fined €50million by the Commission Nationale de l’information et des Liberties (CNIL) for various failings under GDPR.

The main failing CNIL found was that individuals using Google’s services were not furnished with the requisite “fair processing information” (the information usually provided in privacy notices) by seemingly omitting to inform individuals about why Google processed their personal data how long their data was kept. The ruling also attacked the accessibility of the information saying that although most of the information was there, it was scattered around it site via various different “links”. The second key failing was not meeting the GDPR standard of “consent” when providing personalised advert content. Under GDPR, consent must be sufficiently informed, specific, unambiguous, granular and be gained through a form of active acceptance. In the first instance the CNIL did not consider the consent to be informed enough as it ruled users were not given enough information about what giving their consent would mean in terms of the ad personalisation services Google would then push. The fine was also imposed in light of Google not ensuring that consent met the GDPR threshold through using pre-ticked boxes and not separating out consents for advert personalisation from other processing by Google.

The takeaways for your organisation are to ensure it’s easy for your customers or service users to understand what you do with their data. Privacy notices should be clearly signposted, and be as accurate as possible about what data is collected and why it is used. It also reminds us of the strict threshold consents must reach before they are valid. Businesses are certainly becoming more savvy when it comes to making sure individuals an give consent for different purposes, but it’s not uncommon to still come across the pre-ticked box! If your organisation relies on consent and would like Thorntons to review how you use it, please get in touch and we can give advice on whether you are meeting the GDPR standard.

Marriot International suffer unprecedented data breach

On 19 November last year, Marriott International announced that the personal data of 500 million of its customers had been compromised. The group, which operates hotel chains under the brands W Hotels, Sheraton, and Le Méridien among many others, said that they had reason to believe that certain of their computer systems had been hacked in 2014 which has now led to this breach. The number of people affected, which data relates to customer bookings from 2014 onwards, has now been revised and whilst they still cannot state the exact number, it believes the number of customer records now totals around 383 million. This remains an extremely large number of affected customers, and the hackers were able to access personal details, passport numbers, and in some cases payment information.

Although a breach of this scale is rare, there are various pointers that all organisations can take from this case. Firstly, it’s a reminder to continuously monitor the technical and organisational security measures protecting personal data. Testing and monitoring of your organisation’s security should be subject to regular review. Secondly, it’s a reminder to have in place a practical guide for how to respond to a data breach. As well as having a clear process for how to report and assess breaches internally, your guide should be clear on what kind of breaches should be reported to the ICO, and perhaps statements to release to the media. Lastly, this case is a reminder of conducting regular audits of data held so that your organisation is always aware of how much data it actually holds. Marriott’s reduced forecast of the number of data subjects affected is based on the fact they have now discovered that many of the accounts compromised actually relate to the same individual. If Marriott had an up-to-date list of active customers it potentially could have been able to respond more quickly.

The ICO takes action against organisations for failing to pay the new data protection fee

At the end of September, the ICO announced that it had begun formal enforcement action against organisations for failing to pay the new data protection fee. Since 25th May when GDPR came into force, organisations which are classified as data controllers have been required by the Data Protection (Charges and Information) Regulations 2018 to register with the ICO, and pay the applicable fee. Whilst the specific organisations have not been named, the ICO has confirmed they have issued 900 notices of intent to fine organisations which span “the public and private sector including the NHS, recruitment, finance, government and accounting”. Of those 900, to-date 100 penalty notices have been issued which range from £400 to £4000, although the ICO has confirmed that the maximum could be £4350 depending on aggravating factors. If you are unsure whether your organisation is required to pay a fee, please get in touch and we can advise accordingly.

The ICO issues its first Enforcement Notice for a breach of GDPR

The ICO has issued its first formal notice under the GDPR to AggregateIQ Data Services Ltd (“AIQ”). AIQ, a Canadian company, was involved in targeting political advertising on social media to individuals whose information was supplied to them by various political parties and campaigns (such as Vote Leave, BeLeave, Veterans for Britain, and DUP Vote to Leave).

After an investigation by the ICO, AIQ was found not to have adequately complied with its obligations as a controller under the GDPR by: (1) not processing personal data in a way that the data subjects were aware of, (2) not processing personal data for purposes for which data subjects expected, (3) not having a lawful basis for processing, (4) not processing the personal data in a way in a way which was compatible with the reasons for which it was originally collected, and (5) not issuing the appropriate fair processing information to those individuals (commonly communicated through a privacy notice).

As well as those practical failings, the ICO also considered that it was likely that those individuals whose information was passed to AIQ and used for targeted advertising were likely to cause those individuals damage or distress through not being given the opportunity to understand how their personal information would be used.

The most interesting point about this case is that although the company is based in Canada, the ICO has still exercised its authority over those organisations which process data of those in the UK and ordered that AIQ must now erase all the personal data it holds on individuals in the UK. For a company which mainly deals in data and analytics, this could have a detrimental impact on its business operations in the UK. Although AIQ was passed the personal data from other organisations, this enforcement action demonstrates that it is still AIQ’s responsibility to ensure that their use of the data was not incompatible with any of the purposes for which it was originally intended, and still incumbent on them to ensure individuals were aware of what they were doing with it. In addition, whilst there has been and continues to be a lot of emphasis in the media of the risk of large fines under GDPR, it is notable that no monetary penalty has been issued by the ICO, although the ICO has reserved its ability to do so should AIQ not comply with this notice.

Morrisons held liable for the wrongful acts of its rogue employee by the Court of Appeal (England)

The circumstances of this interesting case centre around an employee whose rogue actions were still considered by the court to be attributable to the employer as a breach of the Data Protection Act 1998. The employee was employed by Morrisons Supermarkets as an internal IT auditor who in 2014, knowingly decided to copy the personal data of around 100,000 of Morrisons’ employees onto a USB stick. At home, the employee then posted the personal data, which included names, addresses and bank details, onto the internet under the name of another Morrisons employee in an attempt to cover his tracks.

In finding that Morrisons was vicariously liable for the actions of the rogue employee, the Court concluded that there was a sufficiently close link between the employee’s job role, and the wrongful action. That the wrongful event occurred outside the workplace was irrelevant, as the Court found that the employee in question was acting “within the field of activities assigned”. Because the employee had access to the compromised personal data in the course of carrying out his role in facilitating payroll, he was specifically entrusted with that kind of information in order to do his job, so the Court decided that there was a sufficient link between the job role and the wrongful disclosure.

The key, striking, message from this case is that it is possible for employers to be held liable for rogue actions taken by its employees. Although this particular employee was obviously not acting within the expected confines of his job role, it is interesting that the Court still determined that employers may be liable for acts that it would normally reasonably consider out of its control. Although this incident occurred in 2014 and therefore decided under the Data Protection Act 1998, this case demonstrates how vital it is that organisations put in place appropriate technical and organisational security measures adequate for the type of data that is being held and also taking into account the risk of disgruntled employees and what they may do with their access to the information. This case also acts as a reminder of ensuring your staff are trained and aware of data protection and the role they personally can play in the protection of data, not just focusing on technical computer security which a lot of organisations pay more attention to. As remarked in this judgment, it also serves as a reminder of having adequate insurance in place in the event of a major data breach.

The ICO receives notification of thousands of breaches

Although organisations could report data breaches to the ICO under the Data Protection Act 1998, you will be aware that under GDPR there is mandatory reporting of breaches to the ICO in cases where there is a “risk to the rights and freedoms of individuals”. The ICO has now reported that it has received notification of more than 8000 breaches in the 6 months since GDPR came into force. Last summer the ICO observed that many breaches that were being reported did not necessarily meet the threshold of risk, however they do welcome the honesty and transparency coming from organisations under legislation which is designed to strengthen rights for individuals.

With breaches requiring to be reported to the ICO within 72 hours of becoming aware, it is vital that mechanisms are in place internally for employees to understand how to report a breach and complete a risk assessment in the appropriate time-frame to assess whether it is reportable. If you would like any help compiling a data breach policy or risk assessment framework tailored to your organisation please get in touch.

Related services

About the author

Loretta Maxfield
Loretta Maxfield

Loretta Maxfield

Partner

Data Protection & GDPR, Intellectual Property

For more information, contact Loretta Maxfield on +44 1382 346814.