End of Year Data Blast
UK & South Korea data transfers approved, Meta fines and competition inquiry, UK Online Harms update, Indonesia’s new Data Protection Act, ICO fine and reprimand issued, & Australia data fines increasing
UK – South Korea: The first independent UK adequacy decision.
The UK government has completed its full assessment of the Republic of Korea’s personal data legislation, concluding that the country has strong privacy laws in place which will protect data transfers while upholding the rights and protections of UK data subjects. The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 will come into force on December 19th 2022. The effect of these regulations is to allow the transfer of personal data to entities in the Republic of Korea that are subject to the Personal Information Protection Act (PIPA) without the controller and processor being required to use additional safeguards, such as standard contractual clauses.
The Department for Culture, Media & Sport (DCMS) noted that the UK’s adequacy decision is broader than the EU’s with the Republic of Korea, in that UK organisations will be able to share personal data related to credit information with the Republic of Korea to help identify customers and verify payments. This will help UK businesses with a presence in the Republic of Korea to boost credit, lending, investment and insurance operations in the territory.
John Edwards, UK Information Commissioner said: “We provided advice to the Government during this assessment of the Republic of Korea, and we are satisfied with the Government’s recognition of similar data protection rights and protection in Korean laws. This will bring certainty to UK businesses and reduce the burden of compliance, while ensuring people’s data is handled responsibly.”
The DCMS estimated that the removal of barriers to data transfer with South Korea will help generate £14.8 million in annual business savings and increased exports, boosting the economy and research.
META fined €265 million
Following an inquiry commenced in April 2021, after a database of information on 533 million Facebook users (including phone numbers, Facebook IDs, names, locations, birthdates and email addresses) emerged on a hacking forum, the Irish Data Protection Commission (DPC) has imposed an administrative fine of €265 million on Meta Platforms Ireland Limited. According to a statement released by the DPC, the scope of the inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools.
Meta was found to have breached the GDPR obligation of ‘data protection by design and default’ under Articles 25(1) and 25(2) GDPR. The inquiry was conducted in cooperation with all of the other data protection supervisory authorities within the EU, which agreed with the DPC’s decision. Meta’s spokesperson said that: “Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Online Harms Bill being steadily improved by dropping ‘legal but harmful’
The UK Secretary of State for Digital, Culture, Media and Sport (DCMS) has confirmed that the highly controversial and legally confusing concept of ‘legal but harmful’ in the draft Online Safety Bill has been dropped. She confirmed that these changes would only relate to adults and not to children, stating: ‘The bits in relation to children and online safety will not be changing — and that is the overarching objective of the bill and why we put it in our manifesto.’
Advocate General opines on Meta’s competition concerns
On September 20th 2022, the Advocate General of the Court of Justice of the European Union (CJEU) issued a formal, although not binding, Opinion on the interplay between competition law and the EU GDPR. The Opinion follows a request for a preliminary ruling made by the Higher Regional Court of Germany in proceedings between Meta and the German competition authority, the Federal Cartel Office (FCO), concerning, amongst other things, the competence of a national competition authority such as the FCO to examine the conduct of an undertaking in the light of the GDPR.
Meta operates Facebook, Instagram and WhatsApp, and collects data from other group services, as well as from third-party websites and apps via integrated interfaces or via cookies placed on the user’s computer or mobile device, linking those data with the user’s Facebook account and then using them for advertising purposes. The FCO wished to know whether this was lawful.
The Advocate General considered that the examination of an abuse of a dominant position on the market may justify a competition authority interpreting rules other than those of competition law, such as those of the GDPR. Such an examination is carried out in an incidental manner and without prejudice to the application of the GDPR by the competent supervisory authority, which the competition authority should inform and, where appropriate, consult.
Indonesia passes its first Data Protection Act
The Personal Data Protection Act is the first comprehensive data protection law enacted in Indonesia. The Minister of State Secretariat will set a date for the Act to come into force, and organisations falling within its scope will have two years to come into compliance with its requirements. Indonesia has been under a considerable amount of pressure to pass the law following a series of security breaches at companies and government institutions. The country’s National Cyber and Encryption Agency is currently investigating an alleged leak of the personal data of 105 million Indonesians.
Modelled on European legislation, the Act requires public and private entities that handle Indonesian residents’ personal data to ensure the protection of that data in their systems. It imposes monetary sanctions of up to 2% of an organisation’s annual revenue, organisations in breach could see their assets confiscated or auctioned off, and it provides for prison terms of up to six years for falsifying personal data for personal gain. The Act will make Indonesia the fifth Southeast Asian country to have a specific law on personal data protection, after Singapore, Malaysia, Thailand and the Philippines.
UK ICO fines Interserve Group Limited for breach of security obligations
The ICO has recently fined Interserve Group Limited £4.4 million for failing to keep employee personal data secure, in breach of GDPR Articles 5(1)(f) and 32. The violations made Interserve vulnerable to cyberattacks, and an extended attack took place between March and May 2020, allowing access to the data of up to 113,000 employees. The compromised personal data included contact details, national insurance numbers and bank account details, as well as sensitive personal data, including ethnic origin, religion, disabilities, sexual orientation and health information.
The original breach began with a phishing email, after which malware was inadvertently downloaded onto an employee’s workstation. Interserve’s anti-virus software did quarantine the malware and alert the IT team, but not before the attacker had gained access to the systems. The ICO found that Interserve failed to act quickly on the original alert of suspicious activity; it also had outdated systems and a lack of trained staff, which left the company exposed to cyber-attacks.
John Edwards, the Information Commissioner stated:
‘The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.’
ICO Reprimands Department for Education
In early November, the ICO issued the Department for Education (DfE) a formal reprimand due to the latter’s poor due diligence and information security. The DfE uses a database called the Learning Records Service (LRS) to store pupils’ qualifications. Trust Systems Software UK Ltd (t/a Trustopia), a third-party screening company, was able to access the LRS to check whether individuals opening gambling accounts were over 18. Trustopia ran over 20,000 searches between 2018 and 2020 on children whose records were in the database.
The DfE only became aware of this issue after an article in the press. At that point, over 12,000 organisations had access to the LRS (mostly schools, colleges and universities, which used it to verify qualifications). The ICO found that the DfE failed to comply with its obligations. It said that the use of the children’s data was not fair, lawful or transparent, and that the DfE failed to stop unauthorised access or to have proper oversight of data usage.
The ICO reprimand included clear measures that the DfE needed to take to improve its data protection practices. These measures included taking steps around the transparency of the processing of data in the LRS, and informing data subjects of their rights. In accordance with the ICO’s recent policy with regard to fining public bodies, the ICO issued the reprimand instead of a fine. However, it noted that, had a fine been issued, it would have been for £10 million.
Australia data fines increasing
Australia is updating its Privacy Act 1988 (Cth) (Privacy Act). There are three main changes: increased penalties; expansion of the extra-territorial application of the Privacy Act; and increased enforcement and information-sharing powers for regulators. We will be reviewing them in more depth in a later Data Blast, but for now draw attention to the fact that the new penalty provisions are a significant increase in fining powers. They apply not only to data breaches, but also to ‘serious’ or ‘repeated’ interferences with privacy. This also covers failing to respect the obligations under the Australian Privacy Principles (such as collection, use, disclosure and storage requirements).