What’s Happening in the World?
While the field of Data Protection is developing at an accelerating pace in our country, worldwide innovations continue to remain on the radar of the Personal Data Protection Authority (“Authority”).
As earlier examples have repeatedly shown, the Authority keeps up with the world agenda, in particular the European General Data Protection Regulation (“GDPR”), and tries to keep pace with the requirements of the fast-moving data privacy world.
As GRC Legal Law Firm, we closely follow the world agenda and present a selection of the current developments for your information with this content.
The news below belongs to September 2022.
G7 x Cross-Border Data Transfer
Representatives of data privacy regulators from the G7, an international association of seven countries, met in Bonn, Germany to discuss ways to make data transfers between countries with 64% of global wealth more reasonable and enforceable.
Agreements favouring bilateral data transfers already existed between most members of the G7 – the United States (“US”), the United Kingdom, Germany, Italy, France, Japan and Canada. However, the final and legally valid text of a new US-European Union (“EU”) agreement has not yet been published, after negotiators said they had reached a preliminary agreement in March 2022.
The Court of Justice of the European Union ruled in 2020 that the previous data transfer agreement between the US and the EU, referred to as Privacy Shield, was illegal because opponents of Privacy Shield successfully argued before the court that US government surveillance posed a threat to the privacy of Europeans if personal data of European citizens were transferred to the US. Therefore, even once the new agreement is published, the authorities in European countries will still have to ratify it. The abolition of the Privacy Shield is thought to leave the data transfers of all international companies in limbo.
German Federal Data Protection Commissioner Ulrich Kelber, who hosted the G7 meeting, said the aim of the meetings was to better understand the local rules in each jurisdiction and to gradually harmonise regulators’ approaches to privacy. There were also discussions on techniques to properly anonymise data or strip out details that identify an individual, and on the trend towards closer cooperation between antitrust and privacy regulators, he said.
In conclusions published after the meeting, the regulators committed to co-operate on lawful methods for moving data and to “create options for businesses to choose cross-border transfer tools that suit their business needs”. However, countries need legislation that guarantees that individuals’ personal data is only accessed when strictly necessary for national security purposes, it said.
The companies urged US and European officials to speed up negotiations on a new agreement to replace the Privacy Shield, which thousands of businesses use to move personal data. Following the court ruling, European lawmakers criticised US intelligence practices and some called for a US Federal Privacy Act guaranteeing rights.
“What’s really happening is a recognition of the difficulties these jurisdictions have in moving data between each other,” said Estelle Massé, global data protection lead at the non-profit Access Now, adding that “international talks between regulators can ease tensions and make it easier to find ways to move data.”
It was emphasised that even with data transfer agreements that facilitate international trade for many companies, some sensitive data, such as national security information, may need to remain in a single jurisdiction. Regulators from the G7 countries need to better understand how domestic law rules affect some types of information and how data such as personal health and medical data can be used and sold: “We do not think we are ready to create such a market for such data between the seven countries at this time.”
Germany x Cookie Policy
According to several reports in the German media, the German government has begun work on a regulation that would set out the requirements for “consent management services”, which are services for collecting and storing the consent of website users for the placement of cookies and similar technologies.
These services are planned to serve as an alternative to cookie banners and, unlike them, will be able to collect cookie consent for multiple websites at once. Through special software applications, these services will treat the permissions a user has given for one website as given for another, and will allow permissions to be generalised and ranked by device or website category.
In this draft regulation, a measure was also considered to prevent these cookie permissions collected at one time from misleading users or being used against them. Accordingly, users will be asked to review their cookie permissions every six months.
By regulating consent management services, the government aimed to encourage their use and thus reduce the number of cookie banners on the Internet. However, it was decided that advertising-funded websites should be exempted from this single way of collecting consent, meaning that advertising-funded websites will continue to collect cookie consent from users individually. As permitted by German law, such advertising-funded websites will offer their users two different options: free use with advertising cookies and ad-free use for a fee.
Consent management service providers will be required to comply with the regulation and register with an independent organisation to be established under it. Although it is not yet clear what other obligations the regulation will impose, as it is still in draft form, it is already foreseen that consent management service providers should not pursue economic interests while collecting permissions and managing data.
The German government is expected to share the draft regulation with business associations and federal states for review soon. After detailed analyses, the draft proposal will also be sent to the European Union Commission for further comments. After the necessary evaluations and adjustments, the government plans to implement the draft regulation by 2023.
Twitter x Zatko
Peiter Zatko, Twitter’s former chief security officer who was fired after his allegations, spoke to US lawmakers about how Twitter officials misled the public about the platform’s security. He filed an 84-page whistleblowing complaint about security practices at the social network, alleging that Twitter’s security standards were “10 years behind”, that users’ data was not sufficiently protected and that too many staff had access to it.
Zatko stated that he had heard from Twitter staff that Twitter was carrying advertisements from “organisations that are or may be affiliated with the Chinese government”, which posed a national security risk, and that when he raised this with Twitter executives, he was told that he could not afford to lose this revenue stream.
He also stated that he was uncomfortable with Twitter’s attitude towards other national security issues raised within the company, and explained that half of the company consists of engineers and that all of these engineers have access to users’ personal information. On this basis, nearly 4,000 Twitter employees are thought to have access to users’ personal information.
Zatko stated that he was concerned that a malicious employee could obtain personal information without leaving any trace and that Twitter does not record the activities of employees accessing this data. Stating that Twitter’s security systems make it difficult to track possible espionage, Zatko also claimed in a previous statement that an Indian agent was hired by the company.
Zatko said that people’s personal information was being put at risk, noting that the information kept on users consisted of “phone number, IP address, e-mail address, device type, browser type, location where the user connected”. He reminded that this information is of a nature that may cause people to be targeted in the real world.
When Zatko testified at a contentious Senate hearing in the third week of September 2022, lawmakers repeatedly criticised not only the social media company, but also the federal regulators who had supposedly been closely monitoring the company for years.
Iowa Senator Chuck Grassley said, “For nearly 10 years, I have been concerned that the Federal Trade Commission (“FTC”) has not taken strong enough action or had enough information to ensure Twitter’s compliance with the consent decree. Congress should pay attention to the FTC’s ability, or lack thereof, to successfully oversee these important matters.”
Zatko’s testimony in the third week of September 2022 drew attention to the lack of sufficient resources to deal with billion-dollar technology companies such as Twitter.
Zatko stated that Twitter, which committed to protecting user data and maintaining a strong information security programme under the FTC consent order, allegedly did not take US regulators seriously and actively misled them, and that some foreign regulators were far more intimidating than the FTC. He cited as an example that the French privacy regulator had terrified Twitter: French authorities investigating possible privacy violations demanded concrete, quantitative data from Twitter at short notice to support the company’s compliance claims, and threatened high penalties for non-compliance that could directly impede Twitter’s future growth.
Zatko claimed that Twitter is not afraid of the FTC because the commission has largely allowed the company to “self-assess” its compliance audits and tends to impose one-time fines that are seen internally as little more than the cost of doing business.
In response to Zatko’s allegations, Twitter argued that the whistleblower’s claims about the company were rife with inconsistencies and inaccuracies, and that Zatko was not involved in efforts to prepare company compliance reports and did not fully understand Twitter’s legal obligations.
There have been other instances in past years that have led critics to doubt whether the FTC is up to the task. In 2013, against the advice of its antitrust staff, it unanimously decided not to prosecute Google over competition concerns, and in 2019, even though a privacy settlement with Facebook led to a record $5 billion fine and numerous new legal obligations, critics felt that the FTC should have insisted on holding CEO Mark Zuckerberg and Sheryl Sandberg personally liable. As with Facebook, the recent allegations against Twitter could lead to billions of dollars in new FTC fines.
But some lawmakers this week expressed disappointment with the FTC’s penalties against Twitter so far and doubts about the regulators’ behaviour in deterring future data breaches.
Legislators have consistently called for more resources to be devoted to enforcement. While there have been some attempts to expand FTC budgets and hire more in-house experts, former officials and consumer advocates have described staff as overwhelmed and beaten down by the armies of lawyers that tech giants can bring in.
Google & Meta x South Korea
South Korean authorities announced that Google and Meta were fined $71.8 million for violating the country’s privacy law.
According to the regulator’s statement, Google and Meta were found not to have obtained proper consent when collecting information about their users’ activity on other websites and applications for use in customised advertising.
Google did not clearly inform users who signed up for its service about data processing and other companies’ behavioural information, and set the default option to “accept” while hiding other options available through the settings screen, the country’s authorities said in a press release.
A spokesperson at the Personal Information Protection Commission (“PIPC”) alleged that Meta collected and used behavioural information from users who were not informed of legally important-to-know details, did not consent, and did not register, to display personalised ads. The PIPC ordered Google and Meta to correct the violations and fined Google $50 million and Meta $22 million.
Observers said it was the largest fine for violations of personal information protection laws in South Korea and the country’s first sanction for the collection and use of behavioural information in online customised advertising platforms.
Overseas watchdogs have fined Google and Meta for non-compliance with data protection regulations in recent years. In 2019, the French Data Protection Watchdog (Commission nationale de l’informatique et des libertés, CNIL) issued the first GDPR fine of $57 million for transparency and consent violations. Facebook-owned WhatsApp was fined $267 million for violating the GDPR transparency principle last year, while Germany’s Federal Cartel Office ordered Meta to limit its collection of data about users from third-party websites without their consent. This order remains under legal investigation in the EU.
A spokesperson for Google said: “We disagree with the PIPC’s findings and will review the written judgement once it is shared with us. We have always demonstrated our commitment to continuous updates that provide users with control and transparency while delivering the most useful products possible. We are committed to engaging with PIPC to protect the privacy of South Korean users.”
Instagram x Ireland
Following the binding dispute resolution decision of the European Data Protection Board (“EDPB”), the Irish Data Protection Commission (“DPC”) adopted its decision regarding Instagram and imposed a record GDPR fine of €405 million. The fine is levied against Meta Platforms Ireland Limited (“Meta IE”), an Irish subsidiary of Meta.
The Lead Supervisory Authority’s (“LSA”) final decision follows an ex officio investigation into the public availability of email addresses and/or phone numbers of children using Instagram’s business account feature and the existence of a default public setting for children’s personal Instagram accounts during the investigation period.
“This is a historic decision, not only because of the high fine, but also because it is the second highest fine since the entry into force of the GDPR and the first EU-wide ruling on children’s data protection rights,” said Andrea Jelinek, President of the EDPB. “With this binding decision, the EDPB makes it clear that companies targeting children should be more careful. Children deserve special protection in relation to their personal data.”
The EDPB’s binding decision was adopted on the basis of Article 65 of the GDPR after the LSA triggered the dispute resolution procedure over objections raised by several Concerned Supervisory Authorities (“CSAs”) against the DPC’s draft decision. Among others, the CSAs raised objections regarding the legal basis of the processing and the determination of the fine. The DPC then amended its draft decision following the dispute resolution process.
It is also understood that this is the EDPB’s first binding decision addressing the lawfulness of processing under Article 6, one of the key pillars of the GDPR, and the EDPB has provided further clarification, in particular, on the applicability of the legal bases of performance of contract and legitimate interest.
Meta IE relied on these two legal bases as an alternative for publishing the email addresses and/or telephone numbers of children using Instagram business accounts. The EDPB found that there was no reason for the LSA to conclude that such processing was necessary for the fulfilment of a contract. Consequently, Meta IE could not rely on Art. 6(1)(b) GDPR as a legal basis for this processing.
As regards legitimate interest, which was relied on as an alternative legal basis for the processing, the EDPB found that the publication of the children’s e-mail addresses and/or telephone numbers did not meet the requirements of Art. 6(1)(f) GDPR: even if the processing were deemed necessary, it did not pass the balancing test that forms part of the legitimate interest assessment.
The EDPB finally instructed the LSA to reconsider the administrative fine provided for under Art. 83(1) and (2) GDPR. In this action, the EDPB aims to impose an effective, proportionate and dissuasive administrative fine for the additional infringement, taking into account the nature and seriousness of the infringement as well as the number of affected data subjects, and to ensure that the final amounts of administrative fines are effective, proportionate and dissuasive.
The present decision is without prejudice to any assessment that the EDPB has been requested to make in other cases, including involving the same parties.
IHG x TeaPea
Intercontinental Hotels Group (“IHG”) suffered a cyber-attack. UK-based IHG, which operates 6,000 hotels worldwide, including the Holiday Inn, Crowne Plaza and Regent brands, told the BBC that cyber-attackers who identified themselves as a Vietnamese couple had carried out a cyber-attack “for fun” and deleted the hotel chain’s data.
It was stated that the cyber attackers tried a ransomware attack in the first step and deleted a large amount of data after they were blocked. It was understood that the Vietnamese couple could easily access the databases because the FTSE 100 company used a very weak password in the form of “qwerty1234”.
To ensure cyber security, data controllers should use strong passwords and change them periodically, which is the least burdensome and least costly measure available. This incident once again shows how negligence in taking the necessary administrative and technical measures invites cyber-attacks.
Some time ago, IHG announced on social media that the company was “undergoing system maintenance work” for 24 hours after its customers started reporting widespread reservation and registration problems. Shortly after this announcement, IHG announced to its investors that it had been cyber-attacked, and in its official notification to the London Stock Exchange, IHG stated that “reservation channels and other applications were severely disrupted”.
The cyber attackers, who called themselves TeaPea, contacted the BBC via Telegram, an encrypted messaging application, and transmitted evidence of their cyber attack as screenshots. These images, which IHG confirmed, showed that the company’s internal Outlook emails, Microsoft Teams chats and server directories were accessed.
“Our attack was originally planned as ransomware, but the company’s Information Technology (“IT”) team continued to isolate the servers before we had a chance to deploy it,” TeaPea said. “So we decided to have a bit of fun, and we launched a wiper attack instead.”
The wiper attack in question is known to be a type of cyber attack that destroys documents and files irreversibly.
Cyber security expert Rik Ferguson, vice president of security at Forescout, said: “Sensitive data should only be accessible to employees who need it in the course of their work, and at this point, employees should be able to access this data in a minimal way, at the level of need. Leaving a highly complex password in the open is just as insecure as a simple password.” He drew attention to another important administrative and technical measure, access authorisation.
Describing how the breach occurred, TeaPea added that an IHG employee had been tricked into downloading malware from an email attachment, giving the attackers access to the internal IT network and allowing them to bypass the two-factor authentication system; once inside the internal password vault, they were able to reach the company’s most sensitive data. “The username and password of the safe was open to all employees. So 200,000 staff could see it. The password was also very weak.”
American Airlines x Data Breach
American Airlines (“AA” or the “Company”), a popular airline, recently announced that a number of account holders and employees were victims of a cyber attack in July and that it is taking steps to prevent a similar incident from occurring in the future.
In a notice to affected account holders and employees, American Airlines said that it had discovered that an unknown cyber attacker had compromised their accounts to gain access to personal information belonging to certain members of American Airlines.
According to Bleeping Computer, Andrea Koos, American Airlines’ senior director of corporate communications, said that the cyber attackers had conducted a phishing campaign to compromise employee accounts, but did not explain how the attack was carried out or exactly how many account holders and employees were affected by the data breach.
AA reported that the cyber-attack affected the names, dates of birth, addresses, telephone numbers and e-mail addresses of employees and users. In addition, it was announced that details about official identity information such as driver’s licence, passport information and/or certain medical information provided by users and employees were also accessed.
The company has implemented additional technical measures to prevent similar incidents that may occur in the near future. According to Experian’s official website, in order to better protect the accounts of users and employees, the company has provided a free two-year subscription to the Experian Identity Works portal, which provides users with protection against identity theft and unauthorised access to credit files. It was also emphasised that AA employees and account holders will only be able to monitor their Experian accounts within 48 hours of registration.
What happened?
It is known that American Airlines has been subject to data breaches before. According to CNN, the company was part of a group of companies affected by a data breach in 2021 caused by the misconfiguration of a setting in Microsoft software. According to UpGuard, this misconfiguration resulted in the personal information of millions of people being exposed for months.
Optus x Data Breach
Optus, Australia’s second largest telecommunications company, suffered a major data breach with the personal information of potentially millions of its customers compromised due to a malicious cyber attack. The attackers are believed to be a criminal organisation or working for a state-sponsored organisation.
Scamwatch, managed by the Australian Competition and Consumer Commission, said: “If you are an Optus customer, your name, date of birth, phone number, email addresses may have been published. For some customers, identifying information such as a driving licence or passport number may also be in the hands of criminals. It is important to be aware that you may be at risk of identity theft and take immediate action to prevent harm.” In addition, it was announced that payment information and account passwords were not compromised, and telephone services were working safely.
Optus did not disclose the number of its 9.7 million subscribers in Australia who were subject to the breach, but Kelly Bayer Rosmarin, CEO of Optus, stated that the number was “significant”.
In a statement on its website, the Office of the Australian Information Commissioner (OAIC) said: “Even if a thief only has access to a small amount of your personal information, they can steal your identity if they can learn more about you from publicly available sources. This includes social media accounts, which may include your date of birth, photos, and information about your family. Identity fraud can cause someone to use another person’s identity to open a bank account, obtain a credit card, apply for a passport or engage in illegal activities.”
Optus said it will contact all customers it believes are at high risk of being compromised by sending personal notifications and offering third-party monitoring services, while Scamwatch advised Optus customers to secure their personal information by changing their online account passwords and enabling multi-factor authentication for banking.
Scamwatch said in a statement: “Customers affected by the attack should place limits on their bank accounts, monitor unusual activity and request a ban on credit reports if any fraud is suspected. You need to be aware that you may be at risk of identity theft and take immediate action to prevent harm. Fraudsters may use your personal information to contact you by phone, text or email. Never click on links sent by someone who contacts you out of the blue and do not provide personal or financial information to them.”
Home Affairs Minister Clare O’Neil stated that the Australian Cyber Security Centre is providing technical assistance to Optus and that they are aware that Australian companies and organisations are constantly targeted by cybercriminals and hostile countries.
O’Neil also said, “All Australians and Australian organisations need to strengthen their cyber defences to help protect themselves against online threats.” She also advised people who are concerned that they may be victims of cyber attacks to visit cyber.gov.au.
Morgan Stanley x SEC
On Tuesday 20 September 2022, American financial services giant Morgan Stanley agreed to pay a $35 million penalty to the Securities and Exchange Commission (SEC) for data security failures.
The SEC’s complaint stated that the firm allowed approximately 1,000 unencrypted hard drives (Hard Disk Drives, “HDDs”) and approximately 8,000 backup tapes from decommissioned data centres to be resold on auction sites without being wiped, and that the improper disposal of the devices, which reportedly began in 2016, was part of a comprehensive failure that exposed the data of 15 million customers.
Morgan Stanley allegedly contracted an unnamed third-party migration company with no experience in disabling storage media to deal with the hardware rather than working with an internal IT team to destroy the hard drives, but when their business relationship soured, the storage devices were auctioned online without being wiped.
“This is an astonishing security lapse by one of the world’s most prestigious banks, which is expected to have well-established procedures in system lifecycle management,” said Jordan Schroeder, Chief Information Security Officer (CISO) at Barrier Networks, a cyber security services company in Glasgow. “Other businesses should use this as an example of why it is critical to have processes in place for the proper disposal of IT equipment. Because IT systems hold confidential information, it is important to work with a trusted provider that can dispose of data without jeopardising it. Any company that fails to do so may be in breach of the European General Data Protection Regulation (“GDPR”) and other privacy statutes and could face similar penalties.”
Morgan Stanley agreed to pay the fine, but said in a statement to The Business Standard that there was no indication that any customers were affected.
The news comes just weeks after the Irish Data Protection Commission (“DPC”) fined Instagram 405 million euros as part of an investigation into the processing of children’s data, which we reported in the previous issue of the What’s Happening in the World newsletter.
Meta x Data Breach
After Apple updated its privacy rules in 2021 to allow iOS users to easily disable all tracking by third-party apps, the Electronic Frontier Foundation reported that Meta lost $10 billion in revenue over the next year as many users disabled in-app tracking.
As it is seen, Meta’s business model is based on the circulation of user data for advertising activities, so Meta has started to look for new ways to compensate for this sudden revenue loss.
Former Google engineer Felix Krause claimed in a statement that Meta injected code to compensate for the financial losses it suffered, that this code caused links users clicked on to open within Meta’s in-app browser, and that the injected code allowed Meta to track every activity on any website, including altering external websites and capturing passwords, without user permission.
Recently, three Facebook and iOS users reportedly prepared to file a class action lawsuit against Meta on behalf of all affected iOS users, accusing Meta of concealing privacy risks, circumventing iOS users’ privacy choices, and capturing, tracking, and recording all activity on third-party websites viewed in Facebook or Instagram’s browser, and using all this collected data for targeting/advertising cookie activities.
The plaintiffs have supported this claim with form entries and screenshots, stating that Meta operates a system that provides a secret pass to personally identifiable information, private health details, text entries and other sensitive confidential information, without users’ knowledge and consent, through its “in-app browser”.
The most recent complaints were filed in California and Louisiana. The complaints pointed to Meta’s previous wrongdoing in collecting user information without authorisation, noting that the Federal Trade Commission investigation resulted in Meta being fined $5 billion.
The complaints stated that this code injection tactic, which is understood to be used by Meta to “eavesdrop” on users, is actually known as the JavaScript Injection Attack. It was specifically emphasised that this system allows the manipulation of the website or web application and the collection of personally identifiable information or sensitive data such as payment information.
The plaintiffs rejected the possibility that the code injection could serve a security purpose, since WhatsApp, another popular Meta application, does not use the same tactic. It was also noted that Meta does not mention in-app browser tracking in its Off-Facebook Activity settings, where users can monitor how their data is collected from businesses or websites. The complaints alleged that Meta’s existing policies were deliberately designed to keep users in the dark, and the lawsuit suggested that millions of users may have been affected since Meta began adding this code to third-party websites.
It was reported that if the plaintiffs win, each user deemed to be affected by this situation will be entitled to “statutory damages of $100 per day for each day of violation or up to $10,000” under the Wiretap Act, and “statutory damages of $5,000 per violation” for violations of the Children’s Internet Protection Act (CIPA).