GDPR Friday Roundup – 24th November 2017

Westminster

The Chancellor of the Exchequer Philip Hammond presented his Autumn Budget to the House of Commons this week. It confirmed that the Centre for Data Ethics and Innovation will be created as “a world-first advisory body to enable and ensure safe, ethical innovation in artificial intelligence and data-driven technologies”. Please find a summary of all the key Budget announcements here.

On day 5 of the Data Protection Bill in the Lords, debate began with the ICO’s role, including its register of data controllers. Parliamentary Under-Secretary of State at DCMS Lord Ashton of Hyde said that the register was introduced by the 1998 Act to support the proper implementation of data protection law and to facilitate the commissioner’s enforcement activity. He said that at that time it was a feasible and effective measure, but now, with more than 400,000 data controllers registered, a figure that is growing rapidly, it is becoming increasingly difficult and time-consuming for the commissioner to maintain an accurate central register. He said the Government does not think the maintenance of the register would be a proportionate use of the ICO’s resources; rather, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data. He said this would not mean an absence of oversight by the commissioner; records would still have to be made available upon request. Read more here.

The Lords continued into the night with debate on exemptions, proportionality of penalties, and the balance between privacy and freedom of expression. Read more here.

 

Who’s getting it wrong?

Hamilton Digital Solutions has been fined £45,000 by the ICO for sending over 156,000 spam texts. The ICO has also warned that if it continues with any more illegal marketing it will face further legal action. Read more here.

Since April the ICO has issued £2m in fines for nuisance marketing, showing that it takes the issue very seriously. The ICO has another £1.4m in fines in the pipeline over the coming months. It is also continuing to pursue directors who try to avoid fines for nuisance marketing by putting their firms into liquidation. Read more here.

 

Uber: Everything we know so far

On Tuesday Uber acknowledged that it concealed a massive global data breach of the personal information of 57 million customers and drivers in October 2016 and failed to notify the individuals and the regulators. It also paid the hackers responsible $100,000 to delete the data and pressured them to sign non-disclosure agreements to keep the breach quiet. Company executives then pretended it was part of a ‘bug bounty’, saying they paid the hackers to test the strength of their security software.

Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the US. Uber said more sensitive information such as location data, credit card numbers and bank details had not been compromised, although many may not take their word on this.

Uber’s chief executive, Dara Khosrowshahi, said the company had “obtained assurances that the downloaded data had been destroyed”.

Uber has said it cannot yet confirm how many customers in the UK had their details compromised, despite having over a year to establish this since the breach occurred. Theresa May’s official spokesperson said: “The National Cyber Security Centre is working closely with domestic and international agencies, including the National Crime Agency and the Information Commissioner’s Office, to investigate if and how this breach has affected people in the UK”. Uber did not notify individuals in the UK, the UK government or UK regulators at the time the hack was discovered in October 2016.

On Thursday morning digital minister Matt Hancock said in the Commons that the UK authorities are verifying the extent and amount of information compromised and hope to publish details of the impact in the next few days. Read more here.

The ICO deputy commissioner James Dipple-Johnstone also commented, saying the incident raises “huge concerns around Uber’s data protection policies and ethics” and that “deliberately concealing breaches from regulators and citizens could attract higher fines for companies”. Find the ICO’s statement here.

The European Union’s Article 29 working party group will discuss the breach early next week.

The revelation of this breach and its cover-up will almost certainly have an impact on Uber’s appeal to get its ban in London overturned. If TfL is not satisfied that Uber can protect the personal data of drivers and customers in London, it could be the final nail in the coffin for Uber’s operations in London. This potential loss of revenue, along with likely fines and legal action from multiple authorities both here and abroad, means Uber is in for a much bigger hit to its bank account than the $100,000 it paid the hackers.
