Data Protection: An Overview of General Data Protection Regulation Developments during the Month of August

Data protection within Europe has continued to develop since the introduction of the General Data Protection Regulation. August brought a number of breaches, GDPR fines and progress in ongoing data protection proceedings, some of which are likely to produce landmark judgements. Whilst the breaches vary considerably in nature, the main themes this month are biometric data, breach notification and voice recognition.

Data Protection in Malta: HSBC Bank Fined for Employee Data Breach

Adjudicating under the preceding data protection law rather than the GDPR, the local Data Protection Commissioner imposed a fine of EUR 5,000 on HSBC Bank over an incident involving a former employee's data that occurred a few years ago. HSBC had collected the employee's private financial records for the purposes of his personal bank accounts, then processed those records to investigate whether he was in breach of his employment contract. This is incompatible with both the preceding domestic law and the General Data Protection Regulation: the employee neither knew nor could reasonably expect that data collected in his capacity as a customer, rather than as an employee, would be used for such a purpose. The Commissioner described this as an abuse of power, since the bank exceeded the processing that could reasonably be expected from its relationship with the individual both as an account holder and as an employee. The Commissioner also considered the lawfulness of processing and retaining data collected from social media. The same employee complained that HSBC was processing and monitoring two posts he had published on a closed platform; this was done with the employee's knowledge, with the intention of using the posts in defamation proceedings. The Commissioner imposed no sanction on this point, but stated that where a post is monitored for use in court proceedings, it may be processed and retained until the prescriptive period lapses or the action is adjudicated.

Other Data Protection Developments within the European Union: Breach Notifications 

Ireland's Data Protection Commission has published guidance on the breach notification obligations that the General Data Protection Regulation places on controllers and processors. A controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; a processor must notify the controller without undue delay after becoming aware. Where the breach is likely to result in a high risk to individuals, the obligation extends to notifying the affected data subjects as well. The guidance draws together the requirements of the Regulation itself and the Article 29 Working Party's breach notification guidelines, which the European Data Protection Board has endorsed.

In the same period, news surfaced of a breach at StockX, a fashion and sneaker trading platform established in the United States with a relatively large customer base in the EU. The breach came to light when the StockX app pushed an unexpected, unscheduled update requiring all users to change their passwords. StockX described this as a precaution against suspicious activity, but a seller confirmed that the mandatory reset was a measure to contain a hack of some 7 million records that had occurred three months earlier. The data had been published online and listed for sale on the dark web, and reportedly changed hands several times in that period. It included names, email addresses and passwords that had not been protected by an adequate password-hashing scheme. No GDPR enforcement action has yet been taken, but the potential infringements include both the inadequate security measures applied to the data and the company's apparent effort to conceal the breach from the supervisory authority and from the affected individuals. This has renewed discussion of the breach notification obligations imposed by the Regulation and of the guidance now published in Ireland.
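The "adequate hashing" point above is worth making concrete. The following is an added example, not StockX's code (the page does not say which algorithm StockX used): it contrasts a fast, unsalted digest with a salted, memory-hard password hash, and shows what a leaked table of each looks like to an attacker. User names and passwords are constructed for the demo.

```python
"""Added example (not StockX's code): why a fast, unsalted digest is an
inadequate way to store passwords, beside a password-hashing scheme that is.
All sample users and passwords below are constructed for the demo."""
import base64
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Iterable, Optional

# --- the inadequate scheme: one fast digest, no salt ----------------------
def weak_hash(password: str) -> str:
    # Same password -> same hash for every user, so a leaked table reveals
    # which accounts share a password, precomputed tables crack it at once,
    # and a GPU can test billions of guesses per second.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def shared_password_groups(stored_hashes: Iterable[str]) -> Dict[str, int]:
    """What an attacker (or an auditor) sees in a dump of unsalted hashes:
    the number of users behind each identical hash. Anything above 1 is a
    common password that can be cracked once and reused for every account."""
    return {h: n for h, n in Counter(stored_hashes).items() if n > 1}

# --- an adequate scheme: per-user salt plus a memory-hard KDF --------------
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32  # tunable work factor

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns a self-describing record: algorithm, parameters, salt, derived key.
    A fresh random 16-byte salt per user means equal passwords no longer collide
    and precomputed tables are useless. `salt` is only overridable for tests."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(dk)])

def verify_password(password: str, stored: str) -> bool:
    """Re-derives the key with the parameters stored in the record and compares
    in constant time, so verification timing does not leak the stored key."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                        n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

if __name__ == "__main__":
    users = {"alice": "Sneaker2019", "bob": "Sneaker2019", "carol": "hunter2"}  # constructed
    weak = {u: weak_hash(p) for u, p in users.items()}
    print("unsalted dump, shared hashes:", shared_password_groups(weak.values()))  # alice and bob
    strong = {u: hash_password(p) for u, p in users.items()}
    print("salted dump, shared hashes:", shared_password_groups(strong.values()))   # none
    print(verify_password("Sneaker2019", strong["alice"]), verify_password("wrong", strong["alice"]))
```

The work factor (`SCRYPT_N`) is what makes each guess expensive; raise it as hardware improves, and because the parameters travel inside the record, old hashes can be re-hashed on next login without a migration. A leaked table of the salted form still lets an attacker guess per account, but it no longer tells them which accounts share a password or lets them crack the whole table with one precomputed list.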

Other Data Protection Developments within the European Union: British Airways

Still dealing with the aftermath of the record GDPR fine announced in July, British Airways is back in the news as a new privacy weakness has been exposed. The airline has also refused to accept responsibility for the incident behind the fine. Amid the reputational, legal and financial consequences of the proposed fine, British Airways has confirmed that customers' personal data was stolen, but maintains that no evidence links the theft to any failing on its part. On that basis it argues that it cannot be fined or held liable without a demonstrated link between non-compliance and the breach.

Separately, a security flaw has been reported in the airline's e-ticketing process: a link sent to passengers gives access to their booking without any sign-in. The link is served without encryption, and anyone who obtains the booking reference and surname it carries can open the booking. The problem is sharpest on public or shared Wi-Fi, where anyone on the same network can capture the link and use it to reach the passenger's account and the personal data it holds. Contact and booking details are exposed; passport and payment details are not. Privacy professionals have since stressed the importance of encrypting such links in transit and requiring authentication, especially where personally identifiable information is visible and can be modified. The issue also illustrates why security by design matters: an unauthenticated, unencrypted URL that carries identifiers is exactly the kind of quiet exposure that lets unauthorised individuals reach personal data.
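To show what "security by design" means for a link like this, here is an added example, not British Airways' code: the vulnerable pattern (the passenger's identifiers in a plain-text URL) beside a hardened design that uses HTTPS and a random, short-lived, single-use token which maps to the booking only on the server. Hostnames, parameter names and booking references are invented; the check function is the kind of test a security review would run over outgoing links.

```python
"""Added example (not British Airways' code): a booking-management link that
carries the passenger's identifiers in a plain-text URL, beside a design that
does not. Hostnames, parameter names and booking references are invented."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

IDENTIFYING_PARAMS = {"bookingref", "surname", "lastname", "email"}

def vulnerable_link(booking_ref: str, surname: str) -> str:
    """Identity in the query string, over http: anyone who can see the request
    (shared Wi-Fi, proxies, server logs, browser history) can replay it."""
    return "http://example.invalid/manage?" + urlencode(
        {"bookingref": booking_ref, "surname": surname})

def link_exposes_identity(url: str) -> bool:
    """Review check: fail any link that is not https or that names the
    passenger in its query string."""
    u = urlparse(url)
    keys = {k.lower() for k in parse_qs(u.query)}
    return u.scheme != "https" or bool(keys & IDENTIFYING_PARAMS)

class BookingLinkIssuer:
    """Hardened design: https plus a random, short-lived, single-use capability
    token. The token maps to the booking only on the server, and only its hash
    is stored, so a leaked token table cannot be replayed either."""

    def __init__(self, ttl_seconds: int = 900,
                 now: Callable[[], float] = time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._ttl = ttl_seconds
        self._store: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (booking_ref, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, booking_ref: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not derivable from a booking ref
        self._store[self._key(token)] = (booking_ref, self._now() + self._ttl)
        return "https://example.invalid/manage?" + urlencode({"t": token})

    def redeem(self, url: str) -> Optional[str]:
        """Returns the booking reference, or None if the token is unknown,
        expired or already used. The token is consumed on first presentation
        whatever the outcome, so a captured link cannot be replayed."""
        presented = parse_qs(urlparse(url).query).get("t", [""])[0]
        entry = self._store.pop(self._key(presented), None)
        if entry is None:
            return None
        booking_ref, expires_at = entry
        return booking_ref if self._now() <= expires_at else None

if __name__ == "__main__":
    bad = vulnerable_link("ABC123", "Smith")  # constructed booking
    print(bad, "-> exposes identity:", link_exposes_identity(bad))
    issuer = BookingLinkIssuer(ttl_seconds=900)
    good = issuer.issue("ABC123")
    print(good, "-> exposes identity:", link_exposes_identity(good))
    print("first use:", issuer.redeem(good), "second use:", issuer.redeem(good))
```

Even the hardened link can leak through a Referer header or a forwarded email, which is why the token is short-lived and single use, and why anything sensitive behind it (changing passport or payment details) should still require the passenger to log in.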

Data Protection Enforcement on Tech Giants

Luxembourg takes on Amazon Alexa: Emerging Discussions Regarding Voice-to-Text Transcriptions

Luxembourg's CNPD, the data protection authority responsible, has opened discussions with Amazon about the voice recordings used by the Alexa smart assistant, a service built into a wide range of devices, including voice-enabled refrigerators among other unusual products. Since no formal GDPR investigation has yet been opened, professional secrecy currently binds both the CNPD and Amazon, and neither will disclose further information. The initial concerns arose after Bloomberg interviewed staff tasked with transcribing recordings, who described the operation: it was assigned to employees and outsourced workers who could carry out the transcription while working from home. Due to a technical failure, private conversations beyond the intended recording were also being transcribed, without authorisation, and this is what makes the matter one of privacy. Amazon says the transcription serves to improve the assistant's voice recognition. Amazon's devices chief, Dave Limp, acknowledged that the terms and conditions were not clear enough to inform customers that humans review recordings, a lack of transparency at odds with the General Data Protection Regulation. In response, Amazon has given users an express option to exclude their recordings from human review and from the manual review used for supervised learning, and has promised to make its privacy policy and terms and conditions clearer. The wider effect has been that other companies, such as Apple and Google, have suspended similar operations involving EU data subjects, and the Irish Data Protection Commission has contacted both to establish whether the processing complies with the Regulation.

Beyond Google, Amazon and Apple, claims concerning Facebook Messenger have also emerged after Bloomberg News reported that Facebook was processing and transcribing users' voice data, again to improve voice recognition, in breach of the General Data Protection Regulation. Facebook Messenger had limited the operation through opt-in controls and a request for permission to access the microphone, but that permission does not tell users that humans may review the recordings. Ireland's Data Protection Commission is making enquiries about Facebook's GDPR compliance in the transcription operation.

For more information on the General Data Protection Regulation, get in touch with us:

📧 ybusuttil@easl.com.mt

📞 +356 2166 1273
