Data Protection News Roundup – 25th September 2018

Who’s getting it wrong?

The ICO has issued Equifax with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during its cyber attack in 2017 which affected 146 million of its customers globally. The ICO investigation found that Equifax Ltd was responsible for the personal information of its UK customers. Investigators found significant problems with data retention, IT system patching, and audit procedures and that the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information. Due to the breach occurring in 2017 the investigation was carried out under the Data Protection Act 1998 rather than the GDPR. The £500,000 fine is the maximum allowed under the previous legislation. Read more here.

Twitter has told an undisclosed number of users their private messages may have been leaked to third-parties for more than a year. The software “bug”, which has since been fixed, involved direct messages between users and businesses that offer customer services via Twitter. Twitter said the issued has persisted since May 2017 and was discovered on 10th September. Read more here.


Other News

The ICO has issued the first ever violation notice of the GDPR to AggredateIQ, a Canadian data analytics firm that campaigned for Brexit. The company was linked to the Facebook and Cambridge Analytica scandal. The ICO notice accused AggregateIQ of violating Articles 5, 6 and 14 of the GDPR because it “processed personal data in a way that the data subjects were not aware of, for purposes that they would not have expected, and without a lawful basis for that processing.” AggregateIQ is thought to have “micro-targeted” possible voters through Facebook using data gathered by pro-Brexit campaigns. It spent $2m on Brexit-related advertisements on Facebook alone. The company may have thought it was in the clear because it gathered all the data under question before the May 25 start-date of the GDPR legislation but it was still holding the data when the law came into effect, making it liable, the ICO has said. Read more here.

Leave a reply

You must be logged in to post a comment.