ITP Techblog

Brought to you by IT Professionals NZ
« Back to Security & Privacy

The privacy paradigm shift - huge fines show privacy issues can no longer be ignored

Frith Tweedie, Guest Post. 30 August 2019, 1:48 pm
The privacy paradigm shift - huge fines show privacy issues can no longer be ignored

The past 18 months has seen an unprecedented level of global attention on privacy issues. And a recent spate of huge fines shows that privacy regulators are not afraid to flex their muscles when it comes to requiring businesses to take their privacy law obligations seriously. 

The Cambridge Analytics scandal erupted in early 2018, demonstrating how our data can be "weaponised" against us and the risks posed to basic democratic processes.

That was followed in May by the introduction of Europe's game-changing General Data Protection Regulation (GDPR). Combining the threat of fines of up to €20 million or four per cent of annual global annual turnover - whichever is higher - with its extra-territorial effect, the GDPR has encouraged both individuals and organisations around the world to sit up and pay attention to privacy and data protection issues.

The message is clear: data privacy and consumer trust issues cannot be ignored.

The big-dollar cost of GDPR violations

Fifteen months on from the enactment of GDPR, European data protection regulators are hitting their stride.

In January 2019, the French privacy regulator fined Google €50 million (NZ $86 million) under GDPR for transparency and consent violations in relation to use of personal data in personalised ads. The regulator's decision gives a clear message to all organisations collecting personal data online that information as to data processing practices must not be "described in a too generic and vague manner". The decision also emphasised that regulators are prepared to enforce GDPR's notoriously onerous consent requirements.

Two recently announced GDPR fines dwarf even the Google sanctions. They also demonstrate that GDPR risks are not the exclusive preserve of Big Tech companies, signalling the need for both robust security practices and the inclusion of privacy law considerations in M&A due diligence.

On 8 July 2019, the ICO issued a notice of its intention to fine British Airways £183 million (NZ $346 million) for poor security arrangements that resulted in British Airways website traffic being diverted to a fraudulent website. The personal information of approximately 500,0000 individuals was compromised, including log in, payment card and travel booking details.

Information Commissioner Elizabeth Denham said "the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights".

Only a day later, the ICO issued a further notice of its  intention to fine US-based Marriott International Inc (Marriott) £99 million (NZ $187 million) for GDPR violations as a result of a data breach at the Starwood hotels group in 2014. Although not discovered until 2018, the cyber incident occurred two years before Starwood was acquired by Marriott in 2016 and involved the exposure of 339 million guest records, including those of 30 million EU residents.

The ICO's investigation found that "Marriot failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems". It emphasised the importance of "carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

A global trend for privacy sanctions

The US Federal Trade Commission (FTC) formally announced its staggering US$5 billion settlement with Facebook on 24 July 2019, following its investigation into the Cambridge Analytica scandal. The FTC had charged Facebook with eight separate privacy-related violations, including that the company made deceptive claims about consumers' ability to control the privacy of their personal data.

As well as the record-breaking and "history-making" $5 billion payment, Facebook has agreed to an order that, among other things, prohibits Facebook from making misrepresentations about the privacy or security of consumers' information and the extent to which it shares personal data and requires Facebook to implement a reasonable privacy program.

The Facebook FTC fine came only days after Equifax agreed to pay at least $575 million - and potentially up to $700 million - as part of a settlement with the FTC, the US Consumer Financial Protection Bureau and 50 US states and territories. That settlement stems from Equifax's 2017 data breach, one of the largest in US history, affecting approximately 147 million people or almost 50% of the US population. According to the complaint, "Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures," including storing passwords and network credentials in plaintext.

What does this mean for us here in New Zealand?

Those fines, combined with a seemingly insatiable media appetite for privacy breach stories, have put privacy issues squarely in the spotlight.

While falling well short of introducing the comprehensive privacy protections of GDPR or even the California Consumer Privacy Act 2018, New Zealand's Privacy Bill will summon a new era of transparency through the introduction of mandatory reporting of privacy breaches next year. 

If the international experience is anything to go by, New Zealand is likely to see a significant uplift in reported data breaches once the changes become law. And the implications for kiwi businesses with lax security that are not prepared to address, manage or notify a data breach are significant and extend well beyond the bottom line. While the maximum fine of $10,000 barely registers alongside the GDPR and FTC fines, the collateral damage to an affected company's reputation is likely to be significant once damaging stories hit the headlines.

If data is the new oil, then data breaches are the new oil spills. New Zealand organisations would be well advised to pay attention to the growing regulator, consumer and investor focus on privacy, understand their obligations - and take action now.

Frith Tweedie leads the Digital Law team at EY Law New Zealand. First published in LawNews.


You must be logged in in order to post comments. Log In

Web Development by The Logic Studio