Top 5 data breach fines since the implementation of the GDPR

Given the growing enforcement of the General Data Protection Regulation and the increased fine limits these laws impose we bring you our analysis of the 5 highest fines, along with the comments from the data protection regulators that issued them. These fines together showcase the practical implications of the new regulation and how some of the biggest companies fell foul of sanctions. Analysis is given as at 24 December 2020.

Continue reading

The Schrems II case- EU-US data transfers left in question

The European Court of Justice has handed down its highly anticipated ruling in the Schrems II case. The case considered the validity of the EU-US Privacy Shield and the efficacy of Standard Contractual Clauses (“SCC”) as data transfer protection mechanisms.

In this landmark case it was found that the EU Commission’s adequacy decision around the EU-US Privacy Shield framework was invalid. The leaves the mechanism for conducting EU-US data transfers in question. This matter maybe covered by recent discussions between the UK and US around entering into a seperate data sharing agreement. However, in the interim a transitional mechanism is sorely needed alongside guidance for data processors to give clarity to how data sharing between the countries can be regulated and data subjects rights safeguarded.

The SCC regime was affirmed to be valid however, it was suggested that companies and regulators enter into a case by case basis analysis of risk. In particular, it was highlighted that such an assessment should take place where government access to data is mandated. This is a highly topical issue in the US given current efforts to put in place a federal data protection regime.

For more details on the Schrems II case see-

The IAPP

INFORRM

Law firm Bird & Bird

The ICO‘s press release

Privacy protection in practice: The coronavirus and healthcare data

TTP extends its best wishes to all those impacted by the coronavirus and hopes that all are safe and well. For those readers based in the UK the NHS coronavirus guidance can be found here and Government guidance here. Stay home, stay safe.   Continue reading

Morrisions data breach vicarious liability case before UK Supreme Court

Following its data breach in November 2013 the Morrisons data breach case is now before the UK Supreme Court. The breach involved the personal data of 5,500 employees.

An employee, Mr Skelton, took a memory stick containing the records of employees home. In January 2014 he uploaded the contents onto a data sharing website, later sending it to newspapers. Continue reading

Citation: The Guardian: Edward Snowden on encryption

The Guardian has released an excellent piece from Edward Snowden on the importance of encryption.

The piece considers the importance of encryption as a standard and by design as a mechanism to protect from surveillance. The article itself considers the benefits of end-to-end encryption- where data is encrypted at source and encrypted throughout processing. In these cases third party interference typically attempts to interfere with the intial processing of data prior to encryption, embedding itself throughout the process thereafter.

Messaging services such as Facebook and WhatsApp operate via end to end encryption to protect messages by design. However, much is left to be done to ensure data ecosystems have sufficient protection- third party vendors and intermediaries must ensure the same high level of data protection to ensure holistic data protection.

For the purposes of data protection legislation encryption is considered an act which processes data in and of itself. This means the act of encryption will usually bring the processing party into the remit of data protection legislation.