Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of July

Data protection has progressed rapidly since the General Data Protection Regulation came into force. The Regulation has paved the way for increased awareness, stronger enforcement and higher data protection standards. This can be seen in the major data protection events that took place in July, which saw an aggregate of over two billion records being breached, as well as some policy developments reflecting data protection’s advancements.

ePrivacy Cookie Law: the fulfilment of a complete data protection framework

In an analysis of the significance, successes and shortcomings of the General Data Protection Regulation throughout its year of enforcement, the European Commission has expressed its view that the current framework is incomplete. In a published report and communication to the European Parliament, persistent reference was made to the planned regulation regarding ePrivacy cookie law, which will complete the data protection system. The French CNIL has also published guidelines, complete with enforcement and sanctioning regimes, regarding all technologies enabling targeted advertising, all of which are to be regulated by the prospective ePrivacy regulation. This includes all technologies which store or access information on user devices connected to public networks.

Cybersecurity: the Solution to Data Protection Compliance in Modern Technologies

The value of cybersecurity has expanded due to recent digital advancements, through which technologies such as the Internet and Blockchain have become fundamental to personal and business activities, especially in relation to data. The British ICO’s First Vice President states that:

Data is becoming an invaluable element for a booming digital economy and is playing an increasingly vital role in developing innovative systems and machine learning.

Whilst the convenience and advantages of technology are unprecedented, the digital age has introduced unforeseen vulnerabilities, with hacking amongst the major data threats technological systems face. This is why, as reflected by July’s data protection news, such as the hacking attack on the Bulgarian Tax Revenue Agency, cybersecurity measures need to be applied more thoroughly.

Bulgaria’s Tax Revenue Agency Hack Compromises a Major National Database

In July, a hacking attack on the Bulgarian Tax Revenue Agency exposed basic personal data of the majority of the Bulgarian adult population, amounting to around 5 million victims. Targeted data includes social security information, income, names and home addresses, all of which is stable information of a virtually permanent nature. Due to the difficulty of restoring the privacy of data which has been circulated on hacking forums and made available for download, this breach is expected to be unrecoverable, with long-term impacts. When the hacker anonymously claimed responsibility for the attack, remarks were made about the scant data protection standards of the agency, an allusion which has been corroborated by several field experts. In fact, the hack was successful even through elementary techniques, reflecting the insufficient cybersecurity and data protection measures adopted by the agency. Veselin Tselkov, a board member of the Commission for Personal Data Protection, has already mentioned the prospective liability to fines of up to 4% of global annual turnover or 20 million Euro, incurred for not upholding the integrity envisaged in the General Data Protection Regulation. The necessity of adequate cybersecurity measures has also emerged in light of the Capital One hack in Virginia, in which the hacker accessed the data of more than 100 million individuals, the jeopardized data being that typically requested in credit card applications, dating back to 2005.

British Information Commissioner’s Office launches a pivotal cybersecurity project

Whilst the increase in technological threats to data protection has burdened many national governments globally, the British ICO has embarked on partnerships with national entities such as Heathrow Airport and NHS Data, as well as with 8 other entities, through the ICO Sandbox Project. This is a national effort to adapt data protection compliance to the growing technological advancements and innovations of data-reliant services, forming an exemplary source for other European Union member states.

Major General Data Protection Regulation Breaches during July

July has been no exception to General Data Protection Regulation enforcement. Numerous major breaches were reported throughout the European Union. These are crucial since, through such cases, an indirect body of legal precedent and influential case law is slowly accumulating.

Netherlands’ Haga Hospital incurs a GDPR fine of 460,000 Euros

Amongst the breach developments occurring in July, one finds the Haga Hospital GDPR fine of 460,000 euros, which was imposed on the Hospital by the Autoriteit Persoonsgegevens after 87 employees accessed, without authorization or good reason, the health data of a local celebrity admitted to the hospital. This exposed the Hospital’s shortcomings in complying with Article 32 of the General Data Protection Regulation, which requires adequate technical and organizational security measures. This breach has provoked conversation regarding the increased importance of data protection in the healthcare environment.

British ICO investigates TikTok App’s treatment of minor data subjects

Whilst in its preliminary stage, the TikTok investigation has provoked deliberation on data protection in the context of minor data subjects, as well as on the processing of data through mobile applications. Having already been fined 5.7 Million Dollars by the American Federal Trade Commission, TikTok, the viral mobile application, is currently being investigated by the British ICO after updates to its system dismissed all requests for parental consent for minors below 13 years of age. TikTok is primarily frequented by minors below the age of 16, this age being the minor age according to the General Data Protection Regulation. Data processed by TikTok includes photos, videos, names, emails, phone numbers and biographies, which are made public by default. Such online profiles also allow any individual, including adults, to contact the minors on the platform based on the data acquired from the application. Apart from the issue of parental consent, the British ICO is also investigating the transparency and enablement of data subject rights after multiple claims that requests for data erasure from concerned parents were not considered or responded to. TikTok’s owners have expressed their willingness to cooperate with the British ICO as well as their commitment to uphold Data Protection.

Romania’s National Supervisory Authority imposes 130,000 Euro fine on UniCredit Bank S.A.

Data Protection enforcement took a step forward in Romania after the notice to fine UniCredit Bank for failure to afford adequate protection to customer data was published in July. UniCredit Bank infringed the General Data Protection Regulation by disclosing data of around 340,000 individuals to third parties, including ID numbers and home addresses. The main grounds for the applied GDPR fine include UniCredit Bank’s improper data minimization, insufficient application of privacy by design and default, as well as its failure to protect the rights of data subjects. This breach reflects the importance of the increased standard of data protection expected under the General Data Protection Regulation.

PwC receives a 150,000 Euro GDPR fine from the Hellenic Data Protection Authority

Price Waterhouse Coopers Business SA was targeted by an investigation instituted ex-officio by the Hellenic Data Protection Authority following complaints from employees alleging unlawful data processing as well as non-transparent and unfair processing. During the investigation, the Greek authority discovered that, regardless of the consent required for particular processing operations, the former legal basis for the same processing was not lawful. The Greek authority has taken a corrective stance by allowing a 3 month period for restoration of the correct application of the Principles enshrined in the General Data Protection Regulation.

Data Protection Enforcement over Activities of Tech Giants

Facebook Fine and Settlement’s major impact to global Data Protection

Apart from numerous advancements within the European Union through the General Data Protection Regulation, parallel global developments may be noted. The past month saw the Federal Trade Commission settlement with Facebook, which has brought the liaison between the United States and Facebook close to an end. However, the lack of clauses effecting better data protection measures and the contextually futile fine of five billion dollars have attracted harsh criticism both within the Federal Trade Commission and within the privacy professional sector. Nevertheless, both Zuckerberg and the majority of the Federal Trade Commission envisage the settlement as an effective solution which is expected to bring progress and increased respect to data treatment by Facebook. This month, Facebook was also impacted by an investigation by the Dutch Data Protection Authority. As a result, Facebook’s privacy policy has been updated, with more extensive information being presented to users.

Data Protection Investigation Probe launched against Apple Inc.

Apple Inc. is also currently impacted by General Data Protection Regulation enforcement, as the Irish Data Protection Commissioner has launched an investigation probe into its data protection compliance. This is the most recent of three investigations imposed on Apple Inc. for its lack of transparency, insufficient policies and for targeted advertising. In the coming months, the investigation should expose any shortcomings of Apple Inc. with regard to enablement of rights and transparency, both being rooted in the General Data Protection Regulation.

For more information on the General Data Protection Regulation
Get in touch with us

📧  ybusuttil@easl.com.mt

📞2166 1273
