As we continued to deal with the ongoing Covid pandemic, 2021 was another noteworthy year for data protection. The challenges of keeping personal information safe – especially with a sizeable at-home workforce – continued. However, despite having months to step up to the challenge, too many organisations failed to put the necessary data protection processes and training in place. Worryingly, most UK businesses and individuals experienced at least one data breach during the pandemic.
One of the many lessons highlighted over the past year is the inextricable link between health and data, with effective use of the latter undoubtedly helping to save many lives. However, long-term use of NHS information remains contentious, especially when it comes to data sharing. Ultimately, key questions remain, including what does an individual know about the consent they have given for processing their data, where will their data be used, and how many times?
In more positive news, 2021 saw record data protection fines issued by the regulators.
In January, in the first significant tech GDPR case, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This was the first time a multinational tech firm had been held to account by the Irish regulator since GDPR. In July, Luxembourg’s data protection regulator stated its intention to fine Amazon £636 million. This was the biggest GDPR penalty issued to date at more than double every other GDPR fine combined. Fifteen times larger than the previous record fine issued by France’s data protection regulator against Google, this was good news for consumers as it demonstrated a willingness to scrutinise and punish large tech companies over privacy and misinformation concerns.
Championing individual data protection rights, in June, the British Airways (BA) data breach was resolved on confidential terms following successful mediation and negotiation. We represented many clients in this case. We would encourage anyone who has suffered a GDPR violation to talk to our specialist lawyers and benefit from an experienced firm with a proven track record in holding well-funded organisations to account.
In our 2021 Year in Review report, our expert data protection lawyers look at some of the key cases and developments that occurred in the world of data breach law over the last 12 months.
HEAD OF DATA BREACH
On 22 December 2020, Transform admitted to a data security incident. The REvil ransomware group, which has previously attempted to extort companies and public figures including Donald Trump, Lady Gaga and Madonna, was responsible. The group said it had obtained some of “the most important documents, personal data of customers, as well as intimate photos of these customers (this is not a completely pleasant sight)”.
In January 2021, we launched a group action to help affected patients claim compensation.
Estate agent Foxtons discovered that it had experienced a huge data breach. Despite an investigation finding 16,000 card details, addresses and correspondence related to this violation on the dark web, Foxtons decided not to warn its customers.
Just before Christmas 2020, NOW: Pensions experienced a serious data breach. In January, it was revealed that the privacy failure put 30,000 customers at risk after sensitive personal details were posted on the internet.
Blackpool Council experienced a data protection failure when it accidentally breached the data of 428 people, including some personal information about local landlords.
In the first major tech GDPR case, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC). The penalty was issued as Twitter failed to promptly declare and properly document a data breach.
Our firm took significant steps forward in our claim against British Airways when we issued against the airline, making us one of only two firms in the UK acting against BA at that time.
Uber lost a judgment in the Netherlands where it was challenged over drivers’ alleged ‘robo-firings’. The Court of Amsterdam ordered Uber to reinstate six drivers who claimed they were unfairly terminated “by algorithmic means.” Uber was also ordered to pay the fired drivers compensation.
We support Uber drivers in England & Wales who have GDPR concerns over Uber’s facial recognition software, algorithmic accountability, and automated decision-making processes.
Indian stock trading firm Upstox suffered a severe security breach. Millions of customers – including those in the UK – could have had their personal information compromised after hackers targeted the business.
Interest-free credit provider DivideBuy was the latest fintech company facing legal action after the business failed to protect its customer data.
Almost 500 British police officers issued a compensation claim in the High Court against Paymaster 1836, the pensions part of Equiniti Group.
“This data breach has had a significant impact on the individuals affected. Equiniti has thus far failed to recognise the seriousness of the data violation and the consequences on the many police officers involved. The breach included highly confidential information, which, placed in the wrong hands, could have significant repercussions, including identity theft, fraudulent activities resulting in financial losses, and emotional distress. Equiniti had a duty to protect this information and should be held accountable for its failure. It should compensate victims fairly.”
Kingsley Hayes, Head of Data Breach
Over 100 special forces troops were publicly identified in an email security breach. Given that the names of those in special forces units are strictly protected, this was a severe breach that could have serious repercussions on UK intelligence and those whose data was revealed.
The Interactive Advertising Bureau (IAB) and others were sued over what was described as “the world’s largest data breach”. The IAB is the industry body for digital advertising. Members include Facebook, Google, and Amazon. The case focused on real-time bidding, a multi-million-dollar industry in which advertising space is auctioned on a webpage or app as it loads.
“The data captured in real-time bidding helps to build a unique user profile, which can include things like a person’s sexual orientation, religion, political persuasion, location, debts, income, health concerns, and what they are reading, watching, and listening to. This is a huge amount of information to hold and share on an individual without their consent. When you consider that most people are not aware that their data is being captured and shared in this way, this is a problem.”
Legal and professional services firm Gateley experienced a significant cyberattack. Client data was stolen in the attack by an external source.
Some customers and employees of Carnival Corp. cruise lines had their personal information stolen. The brands affected by the cruise data breach included Carnival Cruise Line, Holland America Line and Princess Cruises.
Amazon faced a fine of £636 million by Luxembourg’s data protection regulator for breaching the GDPR. The huge fine was the biggest GDPR penalty to date and more than double every other GDPR fine combined.
Guntrader.co.uk experienced a serious data breach. In total, around 111,000 records were stolen, and thousands of customers had their names and addresses published on the dark web.
Our firm was contacted by many gun owners who were extremely worried about this breach and the possible impact.
Following the Guntrader data breach, Google took down a CSV file linked to a Google Earth map that showed the exact locations of affected customers’ homes. The map was created by animal rights activists and posted on a blog that encouraged people to “contact as many [gun owners] as you can in your area and ask them if they are involved in shooting animals”.
Data revealed that the health sector had the highest number of non-cyber related data breach incidents between April and June. The sector was responsible for more than a quarter of all reported incidents (27%). Kingsley Hayes examined data violations in the health sector in Legal Futures.
Kingsley also discussed the legal obstacles the NHS will need to overcome before it uses algorithmic decision making to tackle record waiting list backlogs. Kingsley’s article was published in ISBuzz news.
Technology is being used to help sportspeople reach their full potential. Everything they do is measured including their health, performance, sleep, and diet. Clubs and sports teams understand that analytics can improve their chances of winning and most players are happy to have their data analysed to benefit their individual and team performance. But their information could be being exploited in ways they have not agreed to.
Protecting the rights of athletes, we launched an action to help them get compensation.
T-Mobile admitted that, once again, hackers had accessed its systems. The confirmation of the latest T-Mobile breach came after some customer data was found for sale on a cybercriminal forum. This was the fifth T-Mobile hack in recent years.
Property service company Liberty suffered a cyberattack. Liberty is part of social housing group ForViva, which manages homes on behalf of thousands of tenants across the North West. ForHousing, which is also part of the ForViva group, was also a victim of the ransomware attack. However, ForViva claims that no tenant or staff data from ForHousing’s systems were accessed.
Kingsley Hayes commented on the DSG Retail (Dixons) judgment.
Kingsley’s comments were published in Global Data Review.
The Ministry of Defence (MoD) experienced two severe data breaches that could put lives at risk. In both cases, people were mistakenly cc'd into an email, meaning their email addresses were visible to all the recipients. Not using the bcc functionality when sending to multiple people is a common data privacy mistake, and one that the MoD should have processes in place to prevent. The emails were sent by the Afghan Relocations Assistance Policy (ARAP), the team charged with facilitating the evacuation operation. If this data falls into the hands of the Taliban, the consequences could be fatal.
Computer Weekly published an article reporting on the second MoD data breach, which revealed the names and email addresses of those who may be eligible to relocate to the UK.
Kingsley Hayes commented: “The Ministry of Defence has launched an investigation into the data privacy failures and has reportedly taken steps ‘to ensure this does not happen in the future’. But with two serious data breaches happening within days, and another breach happening only a few months ago when a member of the public discovered sensitive documents at a bus stop, serious questions must be asked about how such violations are allowed to happen.
“Furthermore, while the immediate priority must be to secure the safety of those put at risk by the MoD’s haphazard email processes, those responsible must ultimately be held to account. Lives have been put at risk and this is simply unforgivable.”
Kingsley’s comments were published in Computer Weekly.
The Labour Party experienced a data security incident involving “a significant quantity of party data”. The data privacy failure occurred when a third party that handles data on behalf of the Labour Party was subject to a cyber incident. While the Party was made aware of the incident on 29 October 2021, it took five days to inform those who could be affected.
We launched an action to help those involved in this data privacy failure.
Kingsley Hayes commented on the Labour Party data breach which revealed information regarding the Party’s members and supporters. He said:
“We do know that the privacy violation only affects a third party’s systems and that the Labour Party’s own data and systems are unaffected. However, this is likely to be of little comfort to anyone whose personal data has been compromised. The fact that people have been put in this position in the first place is a serious failure.”
Kingsley’s comments were published in Information Security Buzz News.
A data protection case against Google (Lloyd vs Google) resulted in disappointing news for data privacy rights. Lord Leggatt, one of the five Supreme Court justices who considered the case, said that it was “unsustainable” that individuals affected by the data breach could be awarded a uniform sum, without having to prove financial loss or mental distress.
The judgment could impact some current data breach actions. However, this decision does not mean that individuals cannot hold organisations to account for personal data protection failures. People still have a right to compensation if they have suffered actual, or potential, financial loss or psychological injury following a data breach.
Simplify Group, a company that provides conveyancing services to several leading agencies, experienced a ‘major security breach’. Simplify was forced to take down many of its online systems after the incident, thought to be a cyber-attack. As a result, sellers and buyers across the UK were left in conveyancing chaos as they could not proceed with or complete their transactions.
We launched a group action compensation claim after multiple conveyancing firms were affected including Premier Property Lawyers, JS Law, DC Law, and Advantage Property Lawyers.
When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.
Our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.
Data breaches are on the rise. And no organisation – regardless of size or type – is safe. Our expert lawyers help clients make successful personal data breach claims across a vast range of sectors.
Too many companies are falling short when it comes to data security, and this is making it easier for online criminals to exploit your data. We help clients make successful cybercrime claims against companies that have failed in their data protection responsibilities.
Data protection matters, so we make sure our clients are compensated for any GDPR violations that impact their legal rights. Our expert data rights lawyers help clients make a wide range of successful GDPR claims – including automated decision-making violations and facial recognition infringements.
Find out more about making a no-win, no-fee claim.