Data Management

Google’s £44 Million GDPR Fine

Google has been fined a massive 50 million euros (£44m) for a breach of GDPR dating back to May 2018, relating to how well people were informed about how Google collected data to personalise advertising, and to the matter of consent.

Who?

Google (Alphabet Inc) has been fined £44 million by the French data regulator CNIL.  The two complaints that brought about the investigation and the fine were filed in 2018 by privacy rights groups noyb and La Quadrature du Net (LQDN).

Even though the fine is eye-wateringly large, the maximum fine for large companies like Google under GDPR could have been 4% of annual turnover, which could equate to around €4bn.

Ad Personalisation & Google

Google personalises the adverts that are displayed when a person is signed in to their Google account based on ad-personalisation settings. When a person is signed out of their Google account, they are still subject to ad-personalisation across the Web on Google’s partner websites and apps based on their browsing history, and on Google Search based on their previous activity such as previous searches.

What & Why?

The two privacy groups complained that Google didn’t have a valid legal basis to process user data for ad-personalisation because of issues relating to transparency and consent.

The reasons for Google receiving the fine were that:

  1. Google failed to provide its users with transparent and understandable information on its data use policies.  This was because the “essential information” that users would have needed to understand how Google collected data to personalise advertising, and the extent of that information, was too difficult to find because it was spread across several documents.  This meant that it was only fully accessible after several steps e.g. up to five or six actions. Ultimately, this meant that users were unable to exercise their right to opt out of data-processing for personalisation of ads.
  2. It was also found that the option to personalise ads was “pre-ticked” when creating an account.  This meant that users were essentially giving consent in full for all the processing operations carried out by Google on the basis of that consent.  Under GDPR, however, consent is only ‘specific’ if it is given distinctly for each purpose.

Other Complaints

Privacy group noyb has also filed more formal complaints against Amazon, Apple, Google, Netflix, Spotify, and other entertainment streaming services. The reason, according to noyb, is that when people request a copy of the personal data that these companies hold on them, some of it may not be supplied in a format that can be easily understood.  GDPR requires companies to supply users with a copy of their data that is both machine-readable and can be easily understood.

What Does This Mean For Your Business?

Even before GDPR was introduced, many technology and security commentators predicted that the big names e.g. Google and Facebook would be the first to be targeted by privacy campaigners, and that appears to be what is happening here. In this case however, the fact that the complaints have created a record-breaking fine shows that there was genuine concern about a lack of compliance with GDPR from a company that many would have expected to be on top of the legislation and setting an example. It is likely that Google will need to make some significant modifications to some aspects of its services now, and that this may prompt other large tech companies to do the same in order to avoid similar fines and bad publicity.

This case is a reminder to businesses, particularly larger ones, that although GDPR appears to have been buried by concerns about Brexit, staying compliant with GDPR is an ongoing process and should still be high on the business agenda.

Data Protection Trust Levels Still Low After GDPR

A report by the Chartered Institute of Marketing (CIM) has found that 42% of consumers have received communications (since GDPR came into force) from businesses they had not given permission to contact them, and suggests that this could be a key reason why consumer trust in businesses is still at a low level.

Not Much Difference

The CIM report shows that only 24% of respondents believe that businesses treat people’s personal data in an honest and transparent way.  This is only slightly higher than the 18% who believed the same thing when GDPR took effect 6 months ago.

Young More Trusting

The report appears to indicate that although trust levels are generally low, younger people trust businesses more with their data.  For example, the report shows that 33% of 18-24 and 34% of 24-35 year olds trust businesses with their data, compared with only 17% of over 55s.

More Empowered But Lacking Knowledge About Rights

Consumers appear to feel more empowered by GDPR to act if they feel that organisations are not serving them with the right communications.  For example, the report showed that rather than just continuing to receive and ignore communications from a company, 50% of those surveyed said that GDPR has motivated them consciously not to opt in to begin with, or, if already opted in, has made them more likely to unsubscribe.

This feeling of empowerment was also illustrated back in August in a report based on a study by business intelligence and data management firm SAS.  The SAS study showed that more than half of UK consumers (55%) looked likely to exercise their new GDPR rights within the first year of GDPR’s introduction.

Unfortunately, even though many people feel more empowered by GDPR, there still appears to be a lack of knowledge about exactly what rights GDPR has bestowed upon us. For example, the report shows that only 47% of respondents said they know their rights as a consumer in relation to data protection.  This figure has only increased by 5% (from 43%) since the run-up to GDPR.

What Does This Mean For Your Business?

The need to comply with the law and avoid stiff penalties, and the opportunity to put the data house in order, meant that the vast majority of UK companies have taken their GDPR responsibilities seriously, and are likely to be well versed in the rights and responsibilities around it (and to have an in-house ‘expert’). Unfortunately, there are always a few companies / organisations that ignore the law and continue contacting people.  The ICO has made examples of some, e.g. back in October Manchester-based Oaklands Assist UK Ltd was fined £150,000 by the ICO for making approximately 64,000 nuisance direct marketing calls to people who had already opted out of automated marketing.  This is one example of a company being held accountable, but it is clear from the CIM’s research that many consumers still don’t trust businesses with their data, particularly when they hear about data breaches / data sharing on the news (e.g. Facebook), or continue to have their own experiences of unsolicited communications.

It may be, as identified by the CIM, that even though GDPR has empowered consumers to ask the right questions about their data use, marketers now need to answer these, and to prove to consumers how data collection can actually benefit them e.g. in helping to deliver relevant and personalised information.

The apparent lack of a major impact of GDPR on public trust could also indicate the need for an ongoing campaign to drive more awareness and understanding across all UK businesses.

£385,000 Data Protection Fine For Uber

Ride-hailing (and now bike and scooter-hiring) service Uber has been handed a £385,000 fine by the ICO for data protection failings during a cyber-attack back in 2016.

What Happened?

The original incident took place in October and November 2016 when hackers accessed a private GitHub repository that was being used by Uber software engineers. Using the login details obtained from that repository, the attackers were able to access the Amazon Web Services account that handled the company’s computing tasks and retrieve an archive of rider and driver information. The result was the compromise (and theft) of data relating to 600,000 US drivers and 57 million user accounts.
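The breach path described above started with credentials that were readable in a source repository. The scanner below is an added example (not Uber’s tooling, and not part of the original article) of the pre-commit style check a defender would put in front of a repository to stop that first step: it matches the documented shapes of AWS access key IDs and secret access keys, honours an inline allowlist marker for deliberate placeholders, and masks any hit in its report so the scanner itself never re-leaks the value. The file contents, the `allowlist secret` marker and the `commit_allowed` gate are assumptions made for the example; the key values are the well-known placeholder credentials from the AWS documentation, not real keys.

```python
"""Pre-commit style scan for cloud credentials accidentally committed to a repository.

Added example: the patterns cover the common AWS key shapes and can be extended
for other providers. The sample files below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Non-capturing group for the key prefix so that match.lastindex stays None and
# the whole match is reported; the secret pattern captures only the 40-char value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[\w.-]{0,20}secret[\w.-]{0,20}\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}

# Lines carrying this marker are treated as intentional placeholders (assumption).
ALLOWLIST_MARKER = "allowlist secret"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # first four characters only; the rest is starred out


def mask(value: str) -> str:
    """Keep enough of the value to locate it, never enough to reuse it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list:
    """Return one Finding per credential-shaped match in the given file text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue  # explicitly marked placeholder, e.g. in documentation
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, kind, mask(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file text (what a pre-commit hook sees as staged)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_allowed(files: dict) -> bool:
    """Gate: the commit proceeds only when no credential-shaped value is found."""
    return not scan_files(files)


# Constructed sample "staged files". The key values are the AWS documentation
# examples (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not live credentials.
SAMPLE_FILES = {
    "config.py": (
        "# settings module\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX  # allowlist secret\n",
    "app.py": "import boto3\nsession = boto3.Session()  # credentials come from the environment or role\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} -> {f.masked}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Run as a script it lists the three hits (two in `config.py`, one in `deploy.sh`) and refuses the commit, while the placeholder in `README.md` and the credential-free `app.py` pass. Wiring the `commit_allowed` result into a hook’s exit status is what turns the report into an actual gate; a secret that has already been pushed must still be rotated, because scanning only prevents the next leak.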

The ICO’s investigation focuses on avoidable data security flaws, during the same hack, that led to the theft (using ‘credential stuffing’) of personal data, including full names, email addresses and phone numbers, of 2.7 million UK customers from the cloud-based storage system operated by Uber’s US parent company.

The ICO’s fine to Uber also relates to the record of nearly 82,000 UK-based drivers, including details of journeys made and how much they were paid.

Attackers Paid To Keep Breach Quiet

Another key failing of Uber was that not only did the company not inform affected drivers about the incident for more than a year, but Uber chose to pay the attackers $100,000 through its bug bounty programme (a deal offered by websites and software developers to offer recognition and payment to those who report software bugs), to delete the stolen data and keep quiet about the breach.

Before GDPR

Even though GDPR, which came into force on 25th May this year, gives the ICO the power to impose a fine on a data controller of up to £17m or 4% of global turnover, the Uber breach took place before GDPR.  This means that the ICO issued the £385,000 fine under the Data Protection Act 1998, which was in force before GDPR.

Other Payments and Fines

Uber also had to pay a $148m settlement agreement in a case in the US brought by 50 US states and the District of Columbia over the company’s attempt to cover up the data breach in 2016.

Also, for the same incident, Uber is facing a £533,000 fine from the data protection authority for the Netherlands, the Autoriteit Persoonsgegevens.

What Does This Mean For Your Business?

As noted by the ICO director of investigations, Steve Eckersley, as well as the data security failure, Uber’s behaviour in this case showed a total disregard for the customers and drivers whose personal information was stolen, as no steps were taken to inform anyone affected by the breach, or to offer help and support.

Sadly, Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned, e.g. Yahoo’s data breach of 500 million users’ accounts in 2014, followed by the discovery that it had been the subject of the biggest data breach in history to that point back in 2013. Similar to the Uber episode is the Equifax hack, where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold shares worth almost £1.4m before the breach was publicly announced.

This story should remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities) and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.

Companies need to conduct security audits to make sure that no old, isolated data is left stored on old systems or platforms, where it would offer easy access to cyber-criminals. Companies may now also need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.

Even though the recent CIM study showed that less than one-quarter of consumers trust businesses with their data security, at least the ICO is currently sending some powerful messages to (mainly large) businesses about the consequences of not fulfilling their data protection responsibilities.  For example, as well as the big fine for Uber, back in October the ICO fined a Manchester-based company £150,000 for making approximately 64,000 nuisance direct marketing calls to people who had opted out via the TPS, and earlier this month a former employee of a vehicle accident repair centre, who stole customer data and passed it to a company that made nuisance phone calls, was jailed for 6 months following an ICO investigation.

Business Concerns Over ‘Secondary Data’

A study by data protection and management company ‘Cohesity’ has shown that most companies store up to 10 copies of their ‘secondary data’ in different locations and must use multiple products to manage it.

The Problem With Secondary Data

Secondary data (as opposed to production data), e.g. all the data that a company collects from other sources such as reports, stats, information from trade / industry publications etc., tends to be stored by businesses over time in the hope that it has, or will have, value to the business, could help the business to avoid problems, and could reveal more business opportunities with analysis. One main problem with the storing of secondary data, which has long been known about, is that it is often fragmented and / or trapped, e.g. it is stored across many clouds, remote offices / edge locations, and / or is trapped inside a siloed infrastructure. This can result in problems such as the cost, complication and confusion of duplicated copies stored in different places, and in using resources to maintain and store data that may not be serving the current needs of the digital business or adding value, because of how it is stored.

The Research

Not surprisingly, the research by Cohesity, a company that offers platforms where all secondary data can be stored, appears to back up the fact that companies have a problem with secondary data fragmentation.  For example, the results of the survey, which drew upon responses from 250 UK IT decision-makers as part of a wider study involving 650 IT decision-makers in the US, France, Germany, Australia and Japan, found that most UK organisations store up to 10 copies of the same secondary data, use four or five different products to manage it, and keep it in up to four locations. These locations may include two or three different public cloud storage providers.

The research showed that the average number of copies of the same datasets of secondary data held by UK respondents is five, and that around 30% of IT teams’ time is spent managing secondary data.

Why?

The research findings indicated that 92.5% of UK respondents store multiple copies of production data in separate locations because their disaster recovery (DR) policies say they must, but when it comes to the reasons for storing so much secondary data, the findings are less clear.

The research findings do, however, show that there has been a big increase in secondary storage data volumes, e.g. between 2016 and 2017 the UK average rise was 38.5%.  This trend is also predicted to continue.

Redundant Copies In The Cloud

The research findings show that 41% of UK organisations replicate redundant copies of data held in one public cloud to another public cloud.

What Does This Mean For Your Business?

Many UK businesses appear to be storing increasing amounts of secondary data in a fragmented way with no clear plan on the horizon about what to do with it all.  Instead of being able to organise the data and use it to generate value and competitive advantages, many businesses are wasting money and resources in keeping often duplicated data stored in limbo across disparate locations.

Businesses may be able to save themselves money and turn the secondary data burden into a value-generating asset by switching to a secure, paid-for consolidated platform solution.  This could help solve the current fragmentation problems, free up resources, help businesses to start using the data productively, and help them to find an effective way of managing what looks likely to be an increasing amount of secondary data going forward.
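Before consolidating onto any platform, a business needs to know how many copies of each secondary dataset it actually holds and where. The audit below is an added example (not Cohesity’s product or research code, and not part of the original article) of the inventory step that makes the fragmentation described in this section measurable: every stored object is fingerprinted by the SHA-256 of its content, objects with identical bytes are grouped regardless of filename or location, and groups that exceed a copy limit are flagged along with the storage wasted on redundant copies. The location names, paths, file contents and the `max_copies` policy value are constructed for the example.

```python
"""Audit of secondary-data copies scattered across storage locations.

Added example: content hashing finds identical copies even when they were
renamed or moved; an edited copy has a different digest and counts as a
distinct dataset, which is the behaviour a backup audit wants.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class StoredObject:
    location: str   # storage location label, e.g. "cloud-a", "nas" (constructed)
    path: str
    data: bytes


@dataclass
class DatasetCopies:
    digest: str
    size: int
    copies: list = field(default_factory=list)  # (location, path) pairs

    @property
    def locations(self) -> list:
        return sorted({loc for loc, _ in self.copies})

    @property
    def redundant_bytes(self) -> int:
        """Bytes spent on every copy beyond the first."""
        return self.size * (len(self.copies) - 1)


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def group_by_content(objects: list) -> dict:
    """Map content digest -> DatasetCopies, merging identical objects wherever they sit."""
    groups = {}
    for obj in objects:
        digest = fingerprint(obj.data)
        if digest not in groups:
            groups[digest] = DatasetCopies(digest=digest, size=len(obj.data))
        groups[digest].copies.append((obj.location, obj.path))
    return groups


def over_policy(groups: dict, max_copies: int) -> list:
    """Datasets held in more copies than the retention / DR policy allows."""
    return [g for g in groups.values() if len(g.copies) > max_copies]


def summary(groups: dict) -> dict:
    total_copies = sum(len(g.copies) for g in groups.values())
    return {
        "distinct_datasets": len(groups),
        "total_copies": total_copies,
        "avg_copies": total_copies / len(groups) if groups else 0.0,
        "redundant_bytes": sum(g.redundant_bytes for g in groups.values()),
        "locations_in_use": sorted({loc for g in groups.values() for loc, _ in g.copies}),
    }


# Constructed sample inventory: one report duplicated five times across four
# locations (one copy renamed), a near-duplicate edited copy, a stats file held
# in two clouds, and one unique survey file.
REPORT = b"Q3 trade report: demand up, channel stock flat\n"
REPORT_EDITED = REPORT + b"(annotated by analyst)\n"
STATS = b"industry stats: storage volumes rising year on year\n"
UNIQUE = b"supplier survey results\n"

SAMPLE_OBJECTS = [
    StoredObject("cloud-a", "reports/q3-trade.txt", REPORT),
    StoredObject("cloud-a", "archive/q3-trade-copy.txt", REPORT),   # renamed, same bytes
    StoredObject("cloud-b", "backup/q3-trade.txt", REPORT),
    StoredObject("edge-office-1", "share/q3-trade.txt", REPORT),
    StoredObject("nas", "old/q3-trade.txt", REPORT),
    StoredObject("nas", "old/q3-trade-edited.txt", REPORT_EDITED),  # distinct content
    StoredObject("cloud-a", "stats/industry.txt", STATS),
    StoredObject("cloud-b", "stats/industry.txt", STATS),
    StoredObject("cloud-b", "surveys/supplier.txt", UNIQUE),
]


if __name__ == "__main__":
    groups = group_by_content(SAMPLE_OBJECTS)
    print(summary(groups))
    for g in over_policy(groups, max_copies=2):
        print(f"{g.digest[:12]}... held {len(g.copies)}x in {g.locations}, "
              f"{g.redundant_bytes} redundant bytes")
```

On the sample inventory the report is the only dataset over a two-copy policy: five copies in four locations, one of them under a different name that a path-based inventory would have missed. Replacing `SAMPLE_OBJECTS` with objects listed from real buckets and shares (hashing streams rather than loading whole files) turns this into the audit that tells you which copies a consolidation can safely retire.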