British Airways Data Breach: ICO announces potential £183 million ‘mega fine’

  • The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
  • This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
  • The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.

Continue reading

ICO fines EE £100,000 for sending text messages to customers without their consent

The ICO has fined EE £100,000 under the Data Protection Act 1998 (“DPA“) for sending text messages to customers without their consent, in breach of the Privacy and Electronic Communications Regulations 2003 (“PECR“).

Background

In February and March 2018 EE sent direct marketing text message to customers informing them that they would soon be eligible for a handset upgrade, and that they could “countdown” to their upgrade date using the “My EE” app. The text message also promoted other features of the My EE app.

In March 2018, EE sent a second batch of messages to customers who had not downloaded or interacted with the My EE app following the first message. Continue reading

Cookie Compliance: How can companies get it right when the regulator does not?

  • The UK privacy regulator has admitted that its own cookie consent process does not comply with the current GDPR and ePrivacy rules.
  • According to the regulator, a new process will be implemented during the week beginning 24th June 2019, which could give organisations a valuable insight into how to navigate the complex interaction between the GDPR and ePrivacy rules in a compliant manner.
  • The regulator has also promised detailed guidance on cookies “soon“.

Continue reading

Google DeepMind trial failed to comply with data protection law

On 3 July 2017 the Information Commissioner’s Office (“ICO“) determined that the Royal Free NHS Foundation Trust (the “Trust“) had breached the Data Protection Act 1998 (the “Act”) when it provided patient details to Google’s DeepMind.

The Trust provided personal data of approximately 1.6 million patients to Google’s Deep Mind as part of clinical safety tests of a new application ‘Streams’. The application is designed to provide an alert, diagnosis and detection system for acute kidney injury. However an ICO investigation found several issues with the way in which the personal data was handled, including that patients were not adequately informed of how their data would be used (i.e. as part of the clinical safety tests). These shortcomings amounted to non-compliance with at least four of the eight data protection principles under the Act. Continue reading

Big Data Regulation: Coming soon to a business like yours?

The Financial Times recently referred to Big Data as “a vague term for a massive phenomenon that has rapidly become an obsession with entrepreneurs, scientists, governments and the media“. And it does seem to appear from the headlines that there isn’t a real world situation that Big Data cannot be applied to – for example, in the aftermath of the recent US General Election, questions have been asked to whether there was a failure of Big Data to accurately predict the result.

The reference to a “vague term” also seems to be in keeping with the various different definitions of Big Data quoted in the market. The data protection regulator in the UK refers to Big Data as “a way of analysing data that typically uses massive datasets, brings together data from different sources and can analyse the data in real time. It often uses personal data, be that looking at broad trends in aggregated sets of data or creating detailed profiles in relation to individuals, for example lending or insurance decisions“.

But however it is defined, it seems that there is a Big Data opportunity for business not just in how much data an organisation has, but in how it can use that data to save time and money, develop new products, manage risk and make smarter strategic decisions. This opportunity is only likely to increase as more activity is conducted online, and technology solutions such as the internet of things further increases the amount of data being collected.

The meteoric rise of Big Data has not however only presented opportunities for business. Perhaps unsurprisingly, it has also caught the attention of various sectoral and cross-sector regulators, looking to ensure that the use of Big Data technology does not negatively impact consumers or otherwise circumnavigate existing legal protections and regulations. In this article, we will look at a few of the different regulators examining the Big Data phenomenon to investigate the theory that Big Data technology has created a perfect storm of regulatory activity for business. Continue reading