Legal Tech News Review Week 12-18 October 2020, by Eleni Kozari

ICO fines British Airways £20m for 2018 data breach

After the 2019 notice of intent to fine, the ICO has eventually fined British Airways (BA) £20m for data protection failures in the light of the data breach that the company faced in 2018. The breach concerned personal data, including financial data, of more than 400,000 customers of the company.

The cyber-attack took place on 22 June of 2018 but it was only two months later that the company became aware of the security incident, upon notification by a third company, and thereafter informed the ICO. The affected data included names, addresses, payment card details as well as CVV numbers of thousands of customers of the BA. Access to BA employees’ and administrators’ accounts might also had been gained by the cyber-attacker.

Following a two-year investigation by the ICO, the Authority found that the company had failed to identify its security frailties and adopt and implement, accordingly, proper security measures vis-à-vis the significant amount of customers’ personal data that it was processing. On top of that, the company presented a significant lack of awareness, given that the detection of the data breach came two months after its occurrence.

According to the ICO, several adequate security measures that could prevent the incident, albeit absent from the company’s security and IT management framework, could easily be deployed since they were available at that time and would not require excessive cost or technical investment for the company. Indicatively, the company could have implemented access management measures pursuant to the least-privilege principle and impose multi-factor authentication for its employees’ and third party’s accounts. In addition, it should had performed penetration tests to identify the security weaknesses of its systems.

See more here

 

Two European Parliament’s Committees set out their priorities in the light of the Digital Services Act

In the light of the forthcoming Digital Service Act (DSA), the MEPs of the Internal Market Committee and the Legal Affairs Committee of the EU Parliament have outlined their priorities and insights as regards the regulation of digital services, including online platforms and digital services.

The Internal Market Committee has mandated the imposition of transparency and provision of information obligations upon online marketplaces providers while it stressed the need for sound consumer safeguards and effective supervision and enforcement.

On the other hand, the Legal Affairs Committee highlighted the protection of users’ fundamental rights as top priority. To this end, judicial redress and enhanced control of users over the online content delivered to them, should be ensured. In addition, the Committee recommended the enshrinement of users’ right to opt-out of content curation. The Committee also stressed the need for the designation of a European entity, competent to supervise and impose fines.

There were also calls for enactment of measures to combat fake news, hate speech and disinformation. Both Committees mandated the introduction of a binding “notice-and-action” mechanism for illegal online content. The Digital Service Act Package is expected to be published by the end of the year.

See more here

 

CNIL prompts French Service Providers to avoid US-based cloud companies for health data

The French Data Protection Authority has issued recommendations for French service providers, that process health data, regarding the use of cloud computing services. In the light of the CJEU’s ruling on the Schrems II case and the following considerations around the US surveillance laws and practices, CNIL has prompted French service providers to avoid using American cloud hosting companies altogether.

According to the Authority, even if a US-based company process data in Europe, it still falls under FISA 702 (Foreign Intelligence Surveillance Act) and the rest of US surveillance laws. Hence, in order to avoid falling within the remit of US regulations and rulings, CNIL recommends service providers that handle health data to avoid contracting with US companies at all.

In this context, France is preparing a national-wide hub for the storage of health data for scientific and knowledge-sharing purposes. The Hub aims at facilitating the sharing of aggregate data with public and private entities in order to empower research over rare diseases and diagnoses, by deploying AI.

See more here

 

California’s DoJ provided notice of a third set of proposed amendments to the CCPA

On October 12th of 2020, the Department of Justice (DoJ) of California, published its notice of a third set of proposed modifications to the California Consumer Privacy Act (CCPA). The DoJ will accept written comments to the proposed amendments by October 28.

The set of modifications include, inter alia, the provision of information by organisations to consumers, regarding their right to opt-out of the sale of their personal information in an offline context. To this end, the modification of the respective section (999.306, subd. (b)(3)), includes examples of offline methods for businesses to provide this opt-out notice to customers.

In addition, the proposed section 999.315, subd. (h), elaborates on how organisations ensure that the opt-out mechanism is easy and requires minimal steps. In the same section, the DoJ provides guidance as to when a business opt-out mechanism is considered to intentionally hinder or, in any case, have a chilling effect on consumers’ option to opt-out.

See more here

 

China’s first national data protection law 

The long-awaited national data protection law of China has been officially published in a draft edition. The latter has been submitted for its first review by the competent legislature committee.

The draft provides definition of sensitive private data, which include, inter alia, financial data and personal trajectory. As regards the enforcement and imposition of fines, the draft stipulates a spectrum of monetary fines up to 50 million yuan or 5% of the past year’s turnover.

In the context of cross-border and international data transfers, the draft law mandates major infrastructure service providers, that process a significant amount of personal data and transfer data overseas, to be subject to sound security assessment by Chinese authorities. On the other hand, in case international organisations and individuals violate Chinese people’s personal data or participate in processing activities that inflict damage to China’s national security and public interests, they will black-listed by the Cyberspace Administration of China.

Prompted by GDPR’s extraterritorial provisions, data protection experts in China recommend the imposition of fines to overseas entities and individuals as well, if found to violate China’s data protection law.

See more here