We’ve pulled together the five biggest stories from the past month to help you keep abreast of the latest data privacy news.
1. ICO announces intention to fine Marriott International over data breach
The ICO (Information Commissioner’s Office) announced its intention to fine hotel chain Marriott International over a data breach affecting 339 million guest records that was discovered in 2018. The incident began in 2014 in the Starwood Hotels group’s systems. The ICO investigation found that Marriott had failed to undertake sufficient checks of Starwood’s systems while acquiring the chain in 2016, and therefore found it to be in breach of the GDPR, as the breach had been ongoing when the Regulation came into effect.
2. Worldwide data protection authorities call on businesses behind new Libra digital currency to address privacy concerns
The ICO, along with data protection authorities in Albania, Australia, Burkina Faso, Canada, the European Union and the US, has requested more information from the creators of the Libra digital currency and infrastructure – one of which is Facebook – about their intended data privacy practices. They ask for specifics about how the Libra Network will incorporate privacy by design, ensure that all data processors are identified, and undertake DPIAs. EU investigators are also looking into the cryptocurrency.
3. Facebook ups its privacy game
Facebook announced an initiative to host pop-up coffee shops across the UK in August offering free drinks to people who took part in a privacy settings check-up. It also released a new tool that allows Facebook users to limit how businesses and other apps use their data. The tool is designed to “shed more light” on online tracking, and lets users remove information such as shopping habits and browser history from their profile.
4. Swedish school fined over facial recognition trial
A high school in Sweden has been fined the equivalent of £16,932 after it spent three weeks using facial recognition technology to take attendance in a trial of 22 students. The school board said it had gained consent for the trial, but the Swedish data protection authority found the consent to be invalid because the students are dependent on the school board.
5. Security researcher tests companies with bogus DSARs
A security researcher has contacted dozens of companies with bogus DSARs (data subject access requests) to assess how many would wrongly disclose personal information. James Pavur contacted businesses in the UK and US asking for information they held on his fiancée. Pavur gave inadequate proof of his identity to see if organisations would still send him the data, which he did not have the right to access.
Comment from GRCI Law’s Head of DPO Services, John Potts:
August was a busy month for data protection news. Our clients often struggle with the complexities of data protection law, and we find ourselves offering advice across the globe as organisations worldwide sit up and pay attention.
On the subject of facial recognition, there is little doubt that its use by private organisations and law enforcement will continue to attract the attention of civil liberties groups, the ICO and the Surveillance Commissioner within the UK, and supervisory authorities across other member states. It is imperative that data controllers in all sectors fully understand their legal obligations and liabilities in this challenging area.
Many of our clients find DSARs incredibly time-consuming to deal with. The task of validating the identity of a DSAR applicant has been largely overshadowed by the pressing need to respond within the newly defined timescale. Failing to confirm the identity of an applicant can turn what appears to be a relatively simple exercise into a major breach of data security.
GRCI Law has experience with helping our clients navigate the data protection landscape, from assisting with DSAR fulfilment to advising on the use of emerging technology. Read about Privacy as a Service to find out how we can assist you.