Top 10 EU and UK Data Breach fines of 2021: a selection – Suneet Sharma

This is my selection of the top five data breach fines in the EU and the top five in the United Kingdom in 2021, many of which have featured in our Law and Media Round Ups over the past year.

EU Fines

  1. Amazon Europe Core S.à r.l.  €746,000,000

Luxembourg’s National Commission for Data Protection (CNPD) issued a fine under the GDPR to Amazon Europe Core S.à r.l. Amazon plans to appeal the penalty, stating “there has been no data breach, and no customer data has been exposed to any third party… these facts are undisputed. We strongly disagree with the CNPD’s ruling.” Whilst Luxembourg’s national data protection law precludes the Commission from commenting on individual cases, Amazon disclosed the fine in a filing of its quarterly results with the US Securities and Exchange Commission.

From what we can gather, the fine followed a May 2018 complaint by La Quadrature du Net. The fine is by far the biggest under the GDPR to date.

Bloomberg has the initial report. The fine attracted much coverage from the BBC, Pinsent Masons and the Hunton Privacy Blog.

  2. WhatsApp Ireland Ltd   €225,000,000

On 2 September 2021 the Irish Data Protection Commission announced a fine of €225,000,000 against WhatsApp. The investigation began on 10 December 2018 and examined whether WhatsApp had discharged its GDPR transparency obligations with regard to the provision of information, and the transparency of that information, to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

The case is notable due to its cross-border nature, which required data protection authorities in France, Germany and the Netherlands to consider it. The fine was considered by the European Data Protection Board, which mandated a reassessment and increase. WhatsApp disagreed with the fine, calling it “wholly disproportionate”.

The IAPP, Bird & Bird and Pinsent Masons have coverage of the fine.

  3. notebooksbilliger.de  €10,400,000

The State Commissioner for Data Protection in Lower Saxony fined notebooksbilliger.de AG €10,400,000 in a penalty issued in December 2020. The Commissioner found that the company had been using video surveillance to monitor its employees for at least two years without any legal justification. Areas recorded included workspaces, sales floors, warehouses and staff rooms.

Whilst the company argued that the cameras had been installed to prevent theft, it should first have tried to implement less severe means. Furthermore, the recordings were retained for 60 days, much longer than deemed necessary.

“This is a serious case of workplace surveillance”, says the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel. “Companies have to understand that such intensive video surveillance is a major violation of their employees’ rights”. While businesses often argue that video surveillance can be effectively used to deter criminals, this does not justify the permanent and unjustified interference with the personal rights of their employees. “If that were the case, companies would be able to extend their surveillance without limit. Employees do not have to sacrifice their personal rights just because their employer puts them under general suspicion”, explains Thiel. “Video surveillance is a particularly invasive encroachment on a person’s rights, because their entire behaviour can theoretically be observed and analysed. According to the case law of the Federal Labour Court, this can put staff under pressure to act as inconspicuously as possible to avoid being criticised or sanctioned for their behaviour”.

Data Privacy Manager, Data Guidance, Simmons & Simmons and Luther have commentary.

  4. Austrian Post  €9,500,000

The Austrian Data Protection Authority issued a fine of €9,500,000 to the Austrian Post, alleging that it had not enabled data protection enquiries to be made via email.

In October 2019 the Post received an €18,000,000 fine for processing personal data on the alleged political affinity of affected data subjects. That fine was later annulled in a November 2020 court decision. The Post has announced it plans to appeal this second penalty: “The allegations made by the Authority mainly relate to the fact that, in addition to the contact opportunities made available by Austrian Post via mail, a web contact form and the company’s customer service centre, inquiries about personal data must also be made possible via e-mail. Austrian Post also intends to launch an appeal against this decision.”

See coverage from Data Guidance.

  5. Vodafone España   €8,150,000

From April 2018 to September 2019, 191 complaints were received about similar cases concerning telephone calls and SMS messages sent to citizens who had objected to the processing of their data for advertising. Vodafone’s failure to prevent advertising being directed at citizens who had exercised their rights of objection or erasure justified the fine.

Coverage was broad, with Compliance Week, Data Guidance and Stephenson Harwood commenting.

United Kingdom Fines

In the UK, the ICO has issued 35 monetary penalty notices thus far in 2021. Below we take a look at a selection of the fines.

  1. Clearview AI  £17 million

The Information Commissioner’s Office (“ICO”) has issued a provisional view on the imposition of a £17m fine on Clearview AI. The BBC reports that the firm’s database holds over 10bn images. The ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any such data, following alleged serious breaches of the UK’s data protection laws.

In a joint investigation with the Australian Information Commissioner (“AIC”), the ICO concluded that the data, some of it scraped from the internet, was in some instances being processed unlawfully in the case of UK persons.

Clearview AI Inc’s services were being used on a free trial basis by some law enforcement agencies. This has been confirmed to no longer be the case.

The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:

  • failing to process the information of people in the UK in a way they are likely to expect or that is fair;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to have a lawful reason for collecting the information;
  • failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
  • failing to inform people in the UK about what is happening to their data; and
  • asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.

Information Commissioner Elizabeth Denham commented:

“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.

Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”

The ICO press release can be found here and the AIC press release here.

The previous statement of the ICO on the conclusion of the joint investigation can be found here.

  2. Cabinet Office  £500,000

The Cabinet Office was fined £500,000 on 2 December 2021 for disclosing the postal addresses of the 2020 New Year Honours recipients online. In finding that the Cabinet Office had failed to put appropriate technical and organisational measures in place, the ICO noted that the data was accessed 3,872 times.

The ICO received three complaints from affected individuals who raised personal safety concerns, and 27 contacts from individuals citing similar concerns. Steve Eckersley, ICO Director of Investigations, said:

“When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.

“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”

The Guardian reports on the data breach as does Data Guidance.

  3. EB Associates Group Limited  £140,000

The ICO issued its largest fine to date for pension cold calling to EB Associates Group Limited, for instigating over 107,000 illegal cold calls to people about pensions. The practice has been banned since 2019.

Andy Curry, Head of ICO Investigations, said:

“Our priority is to protect people and we will always take robust action against companies operating illegally for their own financial gain.

“Cold calls about pensions were banned to protect people from scammers trying to cheat them out of their retirement plans.

“We encourage anyone who receives an unexpected call about their pension to hang up and then report it to us.”

The fine was covered by Professional Pensions.

  4. Mermaids  £25,000

It is unfortunate that some of the charities which do the most sensitive work also hold the most sensitive data. It makes data protection compliance all the more critical. Unfortunately, the transgender rights charity Mermaids fell foul of data protection law in the creation of an email group that was not sufficiently secured or encrypted to protect the data it contained.

The result was that 780 pages of emails were identifiable online over a period of three years. This led to the personal information of 550 people being searchable online. Furthermore, the personal data of 24 of those people revealed how they were coping and feeling. Finally, for a further 15 people, special category data such as mental and physical health and sexual orientation was exposed.

Steve Eckersley, Director of Investigations at the ICO said:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often-vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

This serves as a warning call for charities who process sensitive personal data: under the GDPR and the framework of self-reporting, you need to have appropriate technical measures in place. Failure to do so puts users’ data at risk and leaves them vulnerable. Mermaids’ penalty was imposed for the data being at risk for the period of 25 May 2018 to 14 June 2019.

It is notable that Mermaids’ data protection policies and procedures were not updated to reflect GDPR standards. Since the implementation of the Data Protection Act 2018, data protection practices have taken on increasing importance, and a robust review with practical changes to data collection, management, retention and rights handling is now a necessity.

DAC Beachcroft comments, as do Slaughter and May, the Independent and EM Law.

  5. HIV Scotland  £10,000

In a cautionary tale for those using bulk email, HIV Scotland was fined £10,000 for sending an email to 105 people, including patient advocates representing people living in Scotland with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name.

From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. The ICO’s investigation found inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy and an inadequate data protection policy.
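The failure described above (every recipient’s address visible to every other recipient) is a classic bulk-email mistake, and the ICO’s own remedy is procedural. As an added example that is not part of the original post and not HIV Scotland’s or the ICO’s code, the following Python shows the technical side of that remedy: a bulk message that carries recipients only in the SMTP envelope, and a pre-send check that rejects a message exposing recipient addresses in To/Cc or carrying a stray Bcc header. The addresses, the policy limit and the function names are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Policy (assumed for this example): a bulk mailing may expose at most this
# many addresses in To/Cc. Putting the sender's own address in To and every
# real recipient in the SMTP envelope is the usual way to meet it.
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_message(sender, recipients, subject, body):
    """Build a message whose recipients travel only in the SMTP envelope.

    Returns (message, envelope_recipients). No Bcc header is written, so even a
    raw ``sendmail(msg.as_string())`` cannot leak the recipient list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # the only address other recipients will see
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses any recipient can read from the To and Cc headers."""
    addrs = []
    for header in ("To", "Cc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(header, [])) if addr)
    return addrs


def check_before_send(msg, envelope_recipients, sender):
    """Return a list of policy violations; an empty list means safe to hand to SMTP."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(visible)} addresses visible in To/Cc (limit {MAX_VISIBLE_RECIPIENTS})")
    # Any envelope recipient other than the sender that also appears in a
    # visible header is disclosed to every other recipient.
    leaked = sorted((set(visible) & set(envelope_recipients)) - {sender})
    if leaked:
        problems.append(f"recipient addresses disclosed in headers: {leaked}")
    # A Bcc header left in the serialised message is exposed by any sending
    # path that does not strip it (smtplib.send_message does; raw sendmail() does not).
    if msg.get_all("Bcc"):
        problems.append("Bcc header present in message; strip it before transmission")
    return problems


# Constructed sample data for the demonstration (not real addresses).
SENDER = "newsletter@example.org"
RECIPIENTS = [f"advocate{i}@example.net" for i in range(1, 6)]


def unsafe_message():
    """The failure mode from the case above: every recipient listed in To."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(RECIPIENTS)
    msg["Subject"] = "Update"
    msg.set_content("Monthly update for advocates.")
    return msg


def demo():
    """Run both variants through the check; returns (unsafe_problems, safe_problems)."""
    unsafe = check_before_send(unsafe_message(), RECIPIENTS, SENDER)
    msg, envelope = build_bulk_message(SENDER, RECIPIENTS, "Update", "Monthly update for advocates.")
    safe = check_before_send(msg, envelope, SENDER)
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe variant:", unsafe)
    print("safe variant:", safe)
```

The check is deliberately separate from message construction so it can gate any sending path, including mail that staff compose by hand; the two policy failures the ICO found (wrong use of blind carbon copy, inadequate procedure) map onto the visible-recipient limit and the leaked-address test respectively.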

Ken Macdonald, Head of ICO Regions, said:

“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

The BBC, Keller Lenkner and the Times have coverage.

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law.  He is the editor of The Privacy Perspective blog.

Quotes from caselaw 3: Fairhurst v Woodard (Case No: G00MK161) – A cautionary tale for neighbours implementing surveillance

“I am satisfied that the extent of range to which these devices can capture audio is well beyond the range of video that they capture, and in my view cannot be said to be reasonable for the purpose for which the devices are used by the Defendant, since the legitimate aim for which they are said to be used, namely crime prevention, could surely be achieved by something less. A great deal of the purpose could be achieved without audio at all, as is the case with the bulk of CCTV systems in use in public places in this country, or by a microphone that only picks up sound within a small diameter of the device.

That finding means that I am satisfied that the processing of such audio data by the Defendant as data controller is not lawful. The extent of the range means that personal data may be captured from people who are not even aware that the device is there, or that it records and processes audio personal data, or that it can do so from such a distance away, in breach of the first principle.”

HHJ Melissa Clarke, at p.137

In Fairhurst a neighbour complained that the use of several cameras, including a Ring doorbell, amounted to nuisance, harassment and breach of the Data Protection Act 2018.

The claims of harassment and data protection breach succeeded. It was, in particular, noted that the audio recording capability of the devices was much broader than the video recording capability. As the above quote shows, the extent of the processing of the audio recording data was such that it was unlawful under data protection law.

The audio recording capability of the Ring device extended 40-68ft (12-20m).

Amazon released a statement following the finding in the case: “We strongly encourage our customers to respect their neighbours’ privacy and comply with any applicable laws when using their Ring product.”

The case serves as a cautionary tale for those seeking to implement surveillance around their homes that impinges upon their neighbours.

INFORRM has an excellent case comment for interested readers. As does the Guardian.

Citation: Privacy International: Amazon’s contract with the NHS raises data privacy concerns

Privacy International (“PI”) has scrutinised Amazon’s contract with the Department of Health to harvest data for Alexa services. The contract started on 14 December 2018 and will be in effect until 15 October 2024.

The contract covers Amazon using the data on the NHS website and integrating it with Alexa, allowing Alexa to better respond to a range of medical questions with the vetted information available from the NHS website. Readers should note that the arrangement DOES NOT SHARE THIRD-PARTY HEALTHCARE DATA. The focus is on permitting Alexa to access the NHS website’s publicly available data to enhance its responses to healthcare questions. Patient data, as far as we know, was not part of the agreement.

PI then goes on to scrutinise the contract in detail, giving an overview of the key terms and conditions. The article also covers the commercial versus public interest issues arising from the redaction of parts of the contract, raising matters of transparency in government contracting.

The sharing of data under this agreement permits Alexa to use data gathered from the NHS website. This is for informational purposes, as the site is typically a first port of call for those concerned about symptoms. By integrating this data Amazon helps Alexa enhance its service offering. It has notably been reported by the Guardian that such access was granted free of charge.


Privacy concerns around Amazon’s Ring

“A home security product upscaled and diversified into law enforcement and integrated with video software brings with it some serious privacy concerns.”

What is the Ring?


The Ring is Amazon’s bestselling smart security device product line. The most notable product is the Ring doorbell, which allows users to monitor movement at their front doors, record video and receive mobile notifications whenever someone presses the doorbell. Users can also use an app installed on their mobile which monitors local news and allows social media style sharing with other Ring users.

Ring additionally offers security services, cross-selling into the wider security service market.

Ring and law enforcement

Recent controversy was sparked when it was found that Ring is partnering with over 400 police departments in the United States. Ring’s collaborative efforts extend to targeting ad words at users encouraging them to share live video feed footage with law enforcement. This in and of itself is a significant extension of police surveillance meriting further legislative scrutiny.

However, pair this with the fact that Ring is being dubbed “the new neighborhood watch” and it becomes a little disconcerting.

It is well-established that people’s likeness is considered personal data and that the recording of individuals without their consent is potentially invasive. There are also civil liberties concerns regarding the police acquiring these live video feeds for their own use.

This has drawn the attention of the Senator for Massachusetts, Edward Markey, who recently published a letter sent to Amazon’s CEO Jeff Bezos highlighting civil liberties concerns with the Ring. This echoes an issue previously raised in the United Kingdom in relation to the use of facial recognition software: its potential to racially profile individuals. Whilst this was considered by the Administrative Court to be too intangible an argument, lacking sufficient supporting data, further scrutiny would be most welcome.

And further scrutiny seems forthcoming. In his letter Senator Markey highlights 10 key concerns around the Ring system, demanding a response from the Amazon CEO by 26 September 2019. We highly recommend readers consider the letter in its entirety here.

Voice command data and privacy protection, Part II- Apple’s Siri

Apple recently released a statement on its development of the privacy protections for its automated assistant Siri. The result is a move towards doing everything right in safeguarding consumer privacy. When compared to Amazon’s protections for its Alexa service, market shifts and best practice become clear, making for better adherence to the seven data protection principles underpinning the GDPR.