Legal Tech News Review Week 24 – 30 August 2020, by Eleni Kozari

COVID-19-related data breach is being investigated by the FBI


The U.S. Federal Bureau of Investigation (FBI) is investigating a data breach potentially concerning the names, addresses and virus status of people in South Dakota who have tested positive for COVID-19.


South Dakota’s Fusion Center has been employing a third-party provider to build an online portal to help first responders, such as police, firefighters and EMTs, identify persons who have tested positive for COVID-19 and hence adopt the necessary precautionary measures when handling emergency calls. As in the majority of US states, public officials share the addresses of people infected with COVID-19 with first responders, and in several states the names of those people are shared as well. However, certain states delete the information within a short period of time.


Although first responders in South Dakota were not provided with patients’ names directly, the third-party provider had labelled the respective patients’ files, so that, after the breach of its server earlier in June, third parties could possibly identify the patients by their names, addresses and health condition. The compromised files were then shared online by hackers. Nevertheless, the files did not include Social Security Numbers, passwords or financial information.



Dutch Privacy Advocacy Group claims TikTok violates children’s privacy


Following US privacy and data protection concerns and allegations regarding TikTok’s privacy management techniques, a Dutch privacy advocacy group (SOMI) plans to file a complaint against the company for violation of children’s privacy and GDPR infringements relating to data transfers. The Group will proceed with the complaint after conducting deeper research into the Company’s practices.


Aiming to enhance the online protection of consumers, including minors, against technology providers’ online dominance, the Group encourages parents around the EU to participate in the intended class action against the company and to contribute to information-gathering, in order to successfully formulate the legal claim.


According to SOMI, the China-based social media platform, despite having been warned about its inadequate level of protection for children, who have been contacted by unknown adults, and about its insufficient parental supervision model, still engages in dubious privacy techniques. In particular, the Company permits account creation by minors aged 13 and older, a limit which can be easily circumvented by younger minors, while such an age threshold requires parental consent for data processing in most EU countries.


In addition, the Company processes data, including sensitive data, even when it is inactive, and it does not meet the GDPR’s requirements in terms of transparency and information provision, including information on data subjects’ rights and recipients of data. According to the Group, the Company has not adopted appropriate technical and organisational security measures, and it falls short of the GDPR’s data transfer requirements, since it allows data transfers to China in the absence of the mandated regulatory safeguards.


On the other hand, the Company argues that users’ data is currently stored in the US and Singapore, while it plans to open a European-based data center. In any case, the Company states that it does not permit data transfers to Chinese agencies.



U.S. Chamber of Commerce in favour of blocking California’s net neutrality law


Following a series of regulatory and litigation actions regarding both the Federal Communications Commission’s regulation, initiated by the agency under Obama and repealed by the Republican-led agency in 2018, and California’s pending legislation (Senate Bill 822) on net neutrality, the U.S. Chamber of Commerce has publicly opposed the enactment of the latter.


California’s Senate Bill would prohibit broadband carriers from blocking or prioritising traffic and certain websites, from favouring their own video-streaming services, and from imposing higher fees for faster services. According to the Bill’s advocates, such provisions would limit broadband providers’ capability to constrain consumers’ ability to access online services and content.


On the other hand, broadband carriers, the U.S. Department of Justice and, now, the Chamber of Commerce argue that such a heavily regulatory enactment would hinder investment, while the inability to confine the scope of Internet-related regulation to a single state would give rise to further implications.


While the D.C. Court of Appeals revoked the Obama-originated regulation, upon the FCC’s repeal, it did not address the FCC’s request to block individual states, such as California, from enacting their own broadband net neutrality laws.



Class-action lawsuit against Marriott International for 2018’s data breach


In 2018, Marriott International faced a huge data breach, which compromised the personal data of more than 300 million people. The affected data included credit card details, passport numbers and dates of birth of the individuals concerned. The data breach was caused by a hack of its global guest reservation database. However, the investigation into the breach revealed that unauthorised access to the company’s systems had been taking place since 2014.


Accordingly, legal action has been initiated against the company. Any of the data subjects concerned who made a reservation at any of the company’s affected hotels will be automatically included in the class action unless they choose to opt out.


As regards the regulatory response, the ICO had initially (i.e. in 2019) declared its intention to impose a fine of around £100 million, taking into consideration the number of affected customers in the UK (about 7 million). However, upon the company’s appeal, the parties have agreed to extend the process until 30 September, and after that date the ICO will issue its final decision.



ICO publishes Annual Track Survey Results


Acknowledging that the empowerment of digital services relies significantly on people’s trust and expectations regarding the fair and transparent handling of their personal data, the ICO conducts a survey of more than 2,000 people every year. Hence, the British watchdog has published its 2020 Annual Track Survey results.


As a general finding, the ICO notes that public confidence remains consistent. Although the percentage of people demonstrating high trust has slightly diminished, the percentage of respondents with low trust has fallen as well. On the other hand, according to the Commissioner, there is a growing belief that the legal framework sufficiently protects individuals’ rights and their personal information. Accordingly, a significant number of people are willing to exercise their freedom of information rights, although how that exercise will materialise in practice still needs to be figured out.


For instance, the ICO refers to the public’s confidence in the NHS and local GPs, which is higher, while telecommunication providers and financial service providers have also gained the public’s trust. However, in spite of the enhanced awareness of rights, individuals’ awareness of how to influence the use of their data in practice, by exercising their rights, still lags behind.
