The Encryption debate is far from ‘going dark’

Shortly after the release of the communiqué from the most recent ministerial meetings of the ‘Five Countries’ security alliance — Australia, Canada, New Zealand, the UK and the US — at the end of July, we warned that the issue of the use of, and access to, encrypted services and technologies ‘remains front of mind for the alliance and further legislative or regulatory action in the Five Countries may follow’.

This week, it became clear that three of the Five Countries planned to follow through. On 4 October 2019, representatives of the Australian, UK and US governments planned to release:

CALCULATION GUIDELINES ON GDPR FINES IN GERMANY

In our latest report, we informed you about new developments regarding sanctions imposed by Data Protection Authorities (“DPA”) in Germany and Austria, and about a model for calculating fines under the General Data Protection Regulation (“GDPR”) proposed by the Conference of the German “Independent Data Protection Supervisory Authorities of the Federal Government and the States” (Datenschutzkonferenz – “DSK”). The DSK is the joint coordination body of the German data protection authorities.

‘MEGA-FINES’ AND COMPENSATION – HOW MIGHT COMPANIES BE AFFECTED? DEVELOPMENTS IN DATA PROTECTION LAW SEPTEMBER 2019

In this update, we provide you with a brief summary of two recent developments in relation to sanctions imposed under the General Data Protection Regulation (“GDPR”).

  • Firstly, the Berlin Data Protection Authority (“Berlin DPA”) recently announced its willingness to impose multimillion-euro fines for breaches of the GDPR. This shows that significant fines can no longer be ruled out in Germany either. The Berlin DPA appears to be following in the footsteps of the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (“ICO”), both of which have previously imposed fines in the millions.
  • Secondly, for the first time, a court in Austria has awarded compensation for non-material (“immaterial”) damage for a GDPR breach.

We take a look at what this means for companies and the developments that have been made since the implementation of the GDPR.

GDPR used to gain access to fiancée’s personal data: Exposing vulnerabilities in Data Subject Access Requests

  • A recent test DSAR has demonstrated companies’ differing approaches to DSAR compliance
  • Despite the DSAR being made by a third party on behalf of the data subject, it is clear that companies are uncertain about when or how they should ask for ID verification
  • ICO guidance urges data controllers to be satisfied that any third party making a DSAR is entitled to act on behalf of the individual data subject

Background

Article 15 of the GDPR gives data subjects the right to obtain from a data controller a copy of the personal data it processes about them. Over the course of the past year, we’ve seen increasingly innovative uses of this right, as demonstrated recently by James Pavur, a researcher at the University of Oxford.

Storming the Breaches: DCMS releases Cyber Security Breaches Survey 2019

Cyber-attacks are a continuous threat to both businesses and charities. The Cyber Security Breaches Survey 2019 (available here as a PDF) shows that fewer businesses are identifying breaches than in previous years, but those that do identify breaches are typically experiencing more of them. Approximately 32% of businesses and 22% of charities report having experienced cyber security breaches or attacks in the last 12 months. The most common types of cyber security breach reported are:

A Clearer Roadmap to Recovery: the roles of NCSC and ICO clarified at CYBERUK

The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have clarified their roles in relation to breaches of cyber security. The NCSC manages cyber incidents at a national level to prevent harm being caused to both victims and the UK overall. It helps manage the response at a governmental level and seeks to ensure that lessons are learned to help deter future attacks. The ICO is the independent regulator for enforcing and monitoring data protection legislation and the competent authority for Digital Service Providers under the Network and Information Systems (NIS) Directive. The ICO is the first port of call for organisations that have suffered a breach of cyber security.

A year in the life of GDPR: Statistics and stories from the ICO

The introduction of the GDPR on 25 May 2018 caused a widespread re-think about data protection and privacy rights. From individuals being more aware of their rights, to corporate institutions working hard to ensure compliance and avoid the hefty new penalties the regulation can impose, data protection has undoubtedly been at the forefront of people’s minds since May 2018. At the heart of these changes, from the UK’s perspective, is the Information Commissioner’s Office (the “ICO”), which is the supervisory authority responsible for overseeing all data protection concerns and processing based in the UK. A year after the GDPR came into effect, we’ve taken a look at the impact it has had on the ICO and its activities, looking at key differences between the years before and after the regulation was introduced.

Marriott/Starwood Data Breach: ICO intention to issue another big £99 million ‘mega fine’

  • Just one day after its notice of intent to fine British Airways £183.39 million, the ICO has issued a further notice of intent to fine Marriott International £99.2 million for its own data breach;
  • The systems of the Starwood hotel group were originally compromised in 2014, prior to the acquisition of Starwood by Marriott in 2016 – the breach itself was not discovered until 2018 following completion of the corporate acquisition;
  • The fine shines a spotlight on the importance of data and cyber due diligence in corporate transactions;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • Marriott now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.
