13th Newsletter -> 1 - 7 October 2016

TalkTalk gets record £400,000 fine

The UK Information Commissioner Office (ICO) has decide to issue TalkTalk Telecom Group PLC, a TV, broadband, mobile and phone provider, with a monetary penalty under Section 55A of the Data Protection Act 1998, because of the serious contraventions of the data protection principles by TalkTalk. The ICO performed an investigation on cyber attacks on TalkTalk that occurred in October 2015 and it had concluded that an attack could have been prevented if TalkTalk had taken basic steps to protect customers’ information. The investigators found that the cyber attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems and the attackers performed an SQL injection attack using an automated tool knows as SQLmap. The database software used by TalkTalk was an outdated version of MySQL which contained a bug that allowed for hackers to easily bypass the security.

They were thus able to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. Even more worryingly, the hackers were able to access bank account details and sort codes in 15,656 cases. The ICO found that TalkTalk failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle at Part I of Schedule 1 of the DPA. The ICO has decided that the appropriate amount of the penalty for the violations is £400,000, which can be reduced by 20% to £320,000 if TalkTalk pays before the 1 November 2016 and does not exercise its right to appeal.

Read more HERE

Read the complete ICO Notice HERE


EDPS’s Opinion on Big Data Mergers and Proposal on the establishment of The Digital Clearing House

Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), has issued an Opinion on coherent enforcement of fundamental rights in the age of big data, where he gave his views on Big Data mergers. He believes that such mergers should be accompanied by more accountability, especially from regulators which should administer a healthy dose of scepticism when dealing with such mergers and be more conversant with new technologies. According to the EDPS the data protection, consumer and competition law each in theory serve common goals but they do not cooperate enough.  The EDPS has noted that this is not just an EU issue and despite the differences in legal cultures the EU, U.S., Japan and Latin America should “push in the same direction”.

The EDPS has proposed to establish the so called The Digital Clearing House (DCH), a voluntary network of regulators at national and EU level willing to share information and ideas on how to make sure web-based service providers are more accountable for their conduct. For an authority to be able to join this network it should fulfil the criteria of a shared aim and be willing to share information and to collaborate. The main tasks of the DCH would be to:

- discuss the most appropriate legal regime for pursuing (cross-border) cases or complaints related to online services;

- determine “theories of harm” relevant to merger control cases and to cases of exploitative abuse and to develop guidance document;

- discuss regulatory solutions for certain markets where personal data is a key input as an efficient alternative to legislation on digital markets which might stifle innovation;

- assess the impact of sanctions and remedies on digital rights interests of individuals;

- generally identify synergies and foster cooperation between enforcement bodies.

Read more HERE

Read the Press Release HERE

Read EDPS’s full Opinion HERE


Irish DPC to Look Into Yahoo’s e-Mail Scanning

It has been reported this week that Yahoo complied with a classified U.S. government demand to search customers' incoming emails for specific information provided by U.S. intelligence officials. Yahoo responded by stating it was "a law abiding company, and complies with the laws of the United States” and it declined to confirm whether the company scanned users' emails.

Ireland’s Data Protection Commissioner (DPC), where Yahoo's European headquarters is based, said that it was making enquiries about the matter. The DPC stated that “any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern”. 

This news presents another blow in a short period of time to Yahoo’s privacy and data protection reputation. In our 11th edition of our newsletter we have reported that Yahoo has revealed that hackers stole data from around half a billion accounts in 2014. The Irish DPC has at the time requested information from Yahoo on the nature and extent of the security breach, but has not revealed any findings yet.

Read more HERE

Read more about the hacking attack on Yahoo in the 11th edition of our Newsletter


FCC Proposes New Broadband Privacy Rules

The Federal Communications Commission proposed new rules that will put broadband providers under a stricter privacy regime than the one imposed on websites like Google and Facebook, which are regulated separately by the Federal Trade Commission. Most notably the new rules will require Internet Service Providers (ISPs) to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. ISPs are opposed to these new rules saying that they should not face stricter rules than websites. Even though the rules will not directly affect Google it also argued that the FCC rules for ISP’s should be similar to the FTC’s rules for websites. The company believes opt-in consent should only be required for the most sensitive data, like health and financial information.

Read more HERE


UK IC: It’s not privacy or innovation – it’s privacy and innovation.

Elizabeth Denham, the UK Information Commissioner (IC), delivered her first speech as an IC, where she pointed out that data protection law is not standing in the way of success. The personal information economy can be a win-win situation for everyone. In order to achieve that  the IC suggests that firstly organisations need to make sure they are following the law as it stands. Businesses should construct their privacy framework as a foundation of trust and try to make it future proof. But most important is the initial plan and the IC promoted a privacy by design plan.

Read the whole Speech HERE