
The £44 million fine issued to Google by CNIL sends a clear message. Businesses must be transparent in how they collect and commercialise personal data.

This week Google was fined £44 million (€50 million) by the French data protection regulator, the National Commission on Informatics and Liberty (CNIL), for breaching GDPR's transparency and consent requirements. CNIL held that Google had failed to give users clear and accessible information about how their personal data is used. Under GDPR, consent must be "specific" and "unambiguous": Google users were not asked to opt in to the use of their personal data for ad targeting, but to accept Google's terms of service and privacy policy as a whole. It is also worth noting that CNIL acted on complaints lodged by La Quadrature du Net (LQDN) and None Of Your Business (NOYB) on behalf of more than 10,000 people.

The General Data Protection Regulation (GDPR) became applicable across the EU on 25 May 2018, and it was long overdue. It replaced the 1995 Data Protection Directive, which was drawn up before the advent of online advertising and social media, industries whose business model largely relies on harvesting personal data and selling it to third parties for personalised advertising. GDPR was designed to govern a society driven by technology: it applies to the personal data of individuals in the EU, and it covers organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Because it is a regulation rather than a directive it applies directly, so member states do not need to draw up their own legislation, although the regulation leaves them room to legislate on certain points and some have interpreted parts of it in slightly different ways.

Last month the Italian competition and consumer regulator found that Facebook had breached Articles 21, 22, 24 and 25 of the country's consumer code by failing to be transparent about how user data would be used for commercial purposes.

The Irish Data Protection Commission has launched a formal investigation into a data breach that affected nearly 50 million Facebook accounts. GDPR allows fines of up to €20 million or 4% of global annual turnover, whichever is higher, so a penalty well over £2 million is possible. This is the first case under GDPR to examine whether a data controller has met its obligations on the security of processing (Article 32).

These actions by European regulators suggest that GDPR was much needed: the existing processes and safeguards at some of the world's most successful data-driven organisations were not robust enough, even with oversight and audit by world-famous names.

APMG has seen the impact of GDPR from both ends. We have received a few data subject access requests, each of which we closed within one month, the period in which a data controller must normally respond (extendable by a further two months where requests are complex or numerous). At an individual level we have ourselves been affected by the loss of personal data, most recently through a hospitality organisation based outside Europe; its initial response was poor, with a total disregard for helping to minimise the impact and little understanding of the consequences of the loss.

Although the legislation is complex, GDPR rests on a few key principles, set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These align closely with the key principles of basic cyber security hygiene.

We now have more control over our own personal data and greater responsibility for protecting our customers' and clients' personal data. Clarity around the rules is therefore no bad thing, and an investment of a little time and effort will pay dividends over the longer term and may help avoid, or at least mitigate, any breach penalties.

This is a new era of data protection

EU data subjects are not just fighting back to take control of their data. They are demanding transparency about how the data giants process it, and they want reassurance that personal information such as usernames and passwords will be kept safe from attackers. One thing is certain: this week's fine will not be the last. Last year California became the first US state to pass its own comprehensive privacy legislation, and this year I believe we will see similar cases from US citizens who want to take back control of their personal data.

Become GDPR compliant

To help organisations improve their awareness and understanding of GDPR and basic cyber security, we have developed the following:

RELATED PRODUCTS

ISO/IEC 27001: Demonstrate exemplary management of information security.

DVMS Institute - NIST Cybersecurity Framework: Teaching organizations of any size, scale, or complexity an affordable, pragmatic, and scalable approach to facilitating secure, resilient, and auditable digital outcomes.

CDCAT® Classic Assessment: Our cyber security risk assessment helps you identify the cyber risks facing your business and make an action plan.