Last week in privacy (week 44)

UK’s ICO issues a £18.4 million fine against Marriott as a result of an attack on Marriott’s IT systems that led to a data breach of millions of customers


UK’s ICO issues a £18.4 million fine against Marriott International Inc. as a result of an attack on Marriott’s IT systems that led to a data breach affecting millions of customers.


Marriott estimates that 339 million data subjects were affected following a data breach in 2014 on Starwood Hotels and Resorts Worldwide Inc (“Starwood”), a company that Marriott acquired in 2016.


In 2014, the IT systems of Starwood were compromised by an unknown attacker. In 2016, Marriott acquired Starwood but did not detect the attack until September 2018. Marriott argued that it had been able to carry out only limited due diligence on Starwood’s IT systems and databases.


After the acquisition by Marriott, the IT systems of Starwood and Marriott were kept separate, but Marriott had planned to integrate the systems to create a unified network within Marriott’s security footprint. The ICO’s penalty notice concerns the period after 25 May 2018, when the EU’s General Data Protection Regulation (“GDPR”) became applicable. During this period, the attacker had access to personal data, including credit card details, of Starwood’s customers.


The ICO’s conclusion was that between 25 May 2018 and September 2018 Marriott failed to comply with its obligations under Articles 5(1)(f) and 32 of the GDPR, as Marriott failed to process personal data in a manner that ensured an appropriate level of security.


The ICO found four principal failures: 1) insufficient monitoring of privileged accounts, 2) insufficient monitoring of databases, 3) control of critical systems, and 4) lack of encryption.


See the ICO’s penalty notice here.


Irish High Court orders Data Protection Commission (DPC) to cover all legal costs to Max Schrems on Schrems II

The Irish Data Protection Commission must pay the legal costs of privacy activist Max Schrems in the EU ruling on Facebook’s EU-US data transfers. The Schrems II case took over five years in three different Irish and EU courts. It all started when Max Schrems filed a complaint about Facebook’s data transfers to the US. After the first round at the CJEU (Safe Harbor), the Irish DPC filed another lawsuit against Max Schrems and Facebook, asking the court to clarify the meaning of the EU law.

Max Schrems’ arguments against the DPC succeeded in court, and he is now entitled to have his legal fees covered. The Irish High Court ruled on October 30th, 2020 that the DPC will have to pay Max Schrems’ legal fees and is not entitled to recover its costs from Facebook, other than for three court days. The court ordered Facebook to cover the bill for the three court days on which the social media giant tried to amend the Court’s judgment. The exact amount of legal fees is to be decided later. Max Schrems has not sought any damages or other fees beyond the legal costs.

Read the judgment here.


EDPS issues a new strategy: EU institutions to carry out Transfer Impact Assessments (TIAs)

The European Data Protection Supervisor (EDPS) issued a strategy for EU institutions (EUIs) to comply with the Schrems II ruling. The strategy sets out actions for different time frames concerning international transfers of personal data to third countries, especially to the United States, and urges EU institutions to assess their risks continuously. The goal of the strategy is to ensure that ongoing and future international data transfers comply with the EU Charter of Fundamental Rights and EU data protection law.

The strategy is based on the accountability and cooperation of controllers to ensure compliance with EU data protection laws and to guarantee that the essentially equivalent level of protection applied in the EU is maintained when EUIs transfer personal data outside of the EEA. The EDPS identified as priority criteria transfers carried out by EUIs, or on their behalf, in the context of controller-to-processor and/or processor-to-sub-processor contracts, particularly towards the United States. An action plan was developed to streamline compliance and enforcement measures by distinguishing between short-term and medium-term compliance actions.

As a short-term compliance measure, the EDPS instructed EU institutions to complete a mapping exercise identifying which ongoing contracts, procurement procedures and other types of cooperation involve transfers of data. Institutions must report the following transfers to the EDPS: 1) transfers that do not have a valid transfer mechanism; 2) transfers that are based on derogations; 3) transfers to private entities in the United States presenting high risks for data subjects, such as transfers to US entities subject to US surveillance laws (FISA 702 or Executive Order 12333) involving large-scale processing operations.

The EDPS states that it strongly encourages EUIs to avoid processing activities that involve transfers of personal data to the United States.

As a medium-term compliance action, the EDPS will provide guidance and pursue compliance and enforcement measures for transfers towards the United States or other third countries on a case-by-case basis. EU institutions are asked to carry out case-by-case Transfer Impact Assessments (TIAs) to determine, for the specific transfer in question, whether an essentially equivalent level of protection to that provided in the EU/EEA is afforded in the United States or the other third country of destination.

Based on these Transfer Impact Assessments, which are to be carried out with the help of data importers, EU institutions should decide whether the transfers identified in the mapping exercise (the short-term compliance action) can continue. EU institutions will be asked to report to the EDPS on the use of derogations, on transfers that continue towards a third country that does not have an essentially equivalent level of protection, and on transfers that are suspended or terminated because of the absence of an essentially equivalent level of protection in the country of destination.

The EDPS will also start to explore the possibility of joint assessments of the level of protection of personal data afforded in third countries, in order to provide guidance to controllers.

Read more here.


Apple faces antitrust complaint in France over privacy changes

Tech giant Apple has been hit with an antitrust complaint in France filed by advertising companies and publishers. The complainants argue that the privacy changes Apple plans to introduce are anticompetitive. This case is one of the first legal challenges to an online privacy measure brought on antitrust grounds.

Apple plans to update its software to force apps to obtain opt-in consent from users before sharing an identifier used for ad targeting and measuring campaign performance. The complaint claims that only a few Apple users will consent to being tracked. According to the Wall Street Journal, the complainants argue that Apple will make it more difficult for AdTech companies to track audiences and for publishers and game developers to sell personalized advertising.

Traditionally, competition laws are meant to protect competition and are not intended to protect the privacy of consumers; only recently have competition regulators started to take an interest in the data that technology giants collect, store and analyze.

See the original news of the complaint here.