Who’s getting it wrong?
The ICO has fined mobile network provider EE £100,000 for sending text messages to its customers without their consent. The purpose of the texts was to encourage EE customers to use the firm’s app and also to upgrade their handsets. EE said it believed at the time that the messages were service messages rather than direct marketing. However, the ICO found, in conformity with its own previous guidance, that where service messages include promotional material they count as marketing messages. “These were marketing messages which promoted the company’s products and services,” said Andy White, director of investigations at the ICO. Read more here.
The privacy regulator in Hong Kong has ordered Cathay Pacific to overhaul all of its systems containing personal data following a major data breach disclosed by the airline last year. In October 2018, the company disclosed a “data security event” in which it said information concerning approximately 9.4 million people was compromised. According to statements it issued at the time, Cathay Pacific found there had been unauthorised access to customers’ names, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks, and historical travel information, as well as some current and expired credit card information. Hong Kong’s Privacy Commissioner, Stephen Wong, found that Cathay Pacific had “adopted a lax attitude towards data governance” and said that the airline was responsible for a number of breaches of Hong Kong’s Personal Data (Privacy) Ordinance. Read more here.
The ICO has issued two enforcement notices to the Metropolitan Police Service after it learnt that a backlog of over 1,700 subject access requests from UK citizens for copies of their data had been left unanswered. It has also ordered the Met Police to make changes to its internal systems and policies to ensure that data subjects are kept up to date on any delays. Read more here.
Law enforcement agencies in the UK have halted all work with the UK’s largest private forensics provider following a ransomware attack. Eurofins, which carries out DNA analysis, toxicology, ballistics and computer forensics work, detected a breach of its system on 2nd June. The National Crime Agency is leading a criminal investigation into the issue. ICO Deputy Commissioner for Operations, James Dipple-Johnstone, said: “We are working with partners and other stakeholders nationally and internationally, to establish the scale and extent of the incident and to ensure that the interests of UK citizens are protected.” Read more here.