Data Blast: Amended Europol Regulation, UK ICO Announces Criminal Prosecutions and more…

European Data Protection Supervisor (EDPS) not keen on Amended Europol Regulation…

According to the EDPS, the new rules, which are about to come into force will:

“[W]eaken the fundamental right to data protection; [will] not ensure an appropriate oversight of Europol; and [will] considerably expand the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets.”

The new rules will allow Europol, in specific circumstances, to process large datasets, increasing the volume of personal data processed and stored by the Agency. The new rules will allow Member States to retroactively authorise Europol to process large data sets that were shared with the Agency prior to the rules coming into force. The EDPS does not consider that this is legal, especially as it would include datasets that the EDPS ordered Europol to delete in January this year.

In its statement, the EDPS said:

“The EDPS remains committed to closely supervising the compliance of Europol’s data processing operations with the applicable legal framework, and to use its advisory, investigative and corrective powers, when necessary.”

It will be interesting to see what the EDPS does in practice and we will update you on this in future blogs.

UK ICO Announces Criminal Prosecutions for use of Personal Data for Marketing

The ICO has announced that it has commenced criminal proceedings against eight individuals who are alleged to have unlawfully accessed and obtained personal information from vehicle repair shops in an attempt to reach people to pursue personal injury claims. Between December 1st 2014 and November 30th 2017, the defendants are alleged to have conspired to obtain the personal data with regard to road traffic accidents belonging to hundreds of thousands of individuals. The defendants are now being prosecuted under s1 of the Computer Misuse Act 1990 (unlawful accessing of personal data held on computers) and for conspiring to commit an offence under s55 of the Data Protection Act 1998 (unlawful obtaining of personal data). The first hearing will take place on October 27th 2022.

Oracle accused of profiting from sale of dossiers on people’s political views and online purchases

Johnny Ryan, senior fellow of the Irish Council for Civil Liberties, is suing technology giant Oracle in California for creating dossiers on over 5 billion users that included political views and online purchases. Ryan alleges (on behalf of a class action) that Oracle then sold these dossiers to third parties without the consent of the individuals in question for targeted advertising and other purposes. Oracle is also alleged to have allowed third party data brokers to traffic in personal data on its Oracle Data Marketplace obtained without the consent of data subjects in question.

Oracle has allegedly violated the US Federal Electronic Communications Privacy Act, the constitution of the state of California and the California Invasion of Privacy Act among other legislation. The Plaintiffs allege that:

“Oracle and other data brokers act as central nodes in the ‘adtech’ network, where massive volumes of personal information on the world’s population is aggregated and used to identify and profile individuals for ‘targeted advertising’ or other commercial and political purposes.”

In a statement, Ryan said:

‘Oracle has violated the privacy of billions of people across the globe. This is a Fortune 500 company on a dangerous mission to track where every person in the world goes, and what they do. We are taking this action to stop Oracle’s surveillance machine.’

New York Requires Attorneys to Complete Data Protection Training

In June, the New York Bar became the first US state bar to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (‘CLE’) requirements. This has taken effect from July 2022.

Attorneys have the option of having the required hour of cybersecurity, data privacy and data protection training related to their ethical obligations. Alternatively, the credit may concern general cybersecurity, data privacy and data protection issues and count towards their general CLE requirements.

Do Not Keep Passwords in Plain Text Files

The Danish DPA (‘DDPA’) has reprimanded the largest Danish retail group, Salling, for violating Art. 32(1) GDPR by storing passwords in plain text files, which allowed unauthorised persons access to this personal data.

Salling runs several websites (including Føtex, Bilka, Netto, Salling and Carl Junior), which customers can access using the same username and password. Salling established a tool to monitor incidents and events with regard to customers’ access to the website. The monitoring tool produced a system log with stored customers’ usernames and unencrypted passwords for the website ‘hjem.foetex.dk’ by mistake. This meant that all Salling employees could access this data. If an authorised person got access to the Salling system, they could access the customer’s name, address, email address, telephone number, masked card information and purchase history.

The DDPA stressed that where confidential information is held about a large number of users, higher requirement must be in place to prevent unauthorised access. In particular, this means that data controller must store passwords in an irreversible encrypted form at all times. The DDPA stressed that shopping platforms are well known targets of cyberattacks, so storing passwords in plain text poses a high risk to data subjects.

For more information please contact Partners, James Tumbridge at jtumbridge@vennershipley.co.uk or Robert Peake at rpeake@vennershipley.co.uk.