Sept. 11, 2018: This article was edited to remove an erroneous characterization of the frequency with which cease-processing orders might be used as an enforcement tactic. We apologize for the error.
At the IAPP’s annual Privacy Bar Forum earlier this year, Irish Data Protection Commissioner Helen Dixon discussed the ability of data protection authorities under the EU General Data Protection Regulation to order companies to cease all processing when necessary. This remedy may not be as well understood as the infamous administrative fines of up to 4 percent of global turnover. But it may affect organizations just as much, if not more so.
There is a range of corrective powers an EU DPA may exercise under the GDPR, depending on the circumstances of each case. One of these is the power to impose a temporary or definitive ban on processing under Article 58 of the GDPR. Of course, clear procedural safeguards would have to be implemented in exercising such a power, which would have far-reaching effects. Under Recital 129 of the GDPR, a DPA must exercise its powers “in accordance with appropriate procedural safeguards ... impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with” the regulation. Consequently, DPAs would seek a very compelling set of circumstances to implement such a ban.
Cease processing orders are not new remedies under the GDPR. Ireland’s former commissioner, Billy Hawkes, put one in place against the company Loyaltybuild in 2013 following a data breach. The enforcement notice required that the company cease processing all personal data from November of 2013 to late January of 2014, when the company fulfilled all actions listed in the enforcement notice.
So what was the Loyaltybuild case all about and how might organizations face similar outcomes under the GDPR?
Loyaltybuild: Enforcement authorities can suspend processing operations
On Nov. 5, 2013, The Irish Times posted an article informing the public of a data breach that occurred exclusively within SuperValu’s Getaway Breaks rewards program, which was discovered by its parent company, Loyaltybuild Ltd. 11 days prior. SuperValu is a grocery store that also facilitates the program Getaway Breaks with Loyaltybuild, a U.S.-owned company. At the time, SuperValu informed its customers that Getaway Breaks’ system would remain temporarily suspended until the Loyaltybuild system had been given the “all clear.” In addition, SuperValu stated that “all of their payment card information it [held was] encrypted.”
On Nov. 12, just one week later, more than 1.5 million people were shocked to learn that they possibly had their personal information compromised in Loyaltybuild’s major security breach, including 70,000 SuperValu Getaway Breaks customers who had made a purchase between January 2011 and February 2012. The Irish Times described the event as “the worst data breach in the history of the state.” In total, the credit card details of nearly 400,000 European citizens, 70,000 of whom were based in Ireland, were compromised due to the data breach. In addition, 1.1 million people in Europe had other information compromised, including names, addresses, telephone numbers, and emails. Commissioner Hawkes confirmed that the financial information had been stored in unencrypted form, along with the three-digit security codes printed on customers’ cards. According to The Irish Times, “one of the first things the commissioner has been trying to establish is why credit card information had been retained by Loyaltybuild.”
At the time of the data breach, companies were required to report a breach of this type to the Office of the Data Protection Commissioner within two working days. Although Loyaltybuild became aware of the breach Oct. 25, the DPC did not receive notice until a week later, Nov. 1. On Nov. 12, the DPC's inspection team investigated Loyaltybuild’s data security and found serious issues including “a lack of procedures to ensure that the data was protected and managed properly.” Loyaltybuild informed the office that it had been “inadvertently recording full credit card details in unencrypted format and that it was not a part of their recorded process.”
Upon learning this information, the commissioner issued an enforcement notice against Loyaltybuild Nov. 13, requiring that Loyaltybuild:
- Notify all its clients about the security breach and advise them to notify affected individuals.
- Delete all personal data held for the purpose of providing services to its clients.
- Achieve PCI-DSS compliance in respect of its processing of payment card data, verified by an independent third party.
- Implement a series of changes to its procedures to bring them in line with industry best practices.
- Cease processing personal data until it had satisfied the DPC that these requirements were being met.
In addition to these, the DPC also issued advice to individuals to monitor their bank accounts and to ensure that they could identify any unusual activity of all payments being processed against their debit/credit card.
Loyaltybuild employed a company to carry out its PCI certification and engaged a third-party auditor to scrutinize its procedures and policies, which had provided the DPC with regular updates in 2014. Most importantly, Loyaltybuild ceased to handle any credit card information and instead had customers process credit card payments through a third-party processor’s website.
In addition to this, the DPC found it necessary to perform an assessment of any data protection issues in the relationship between various data controllers that Loyaltybuild had contracts with as a data processor. Specifically, the DPC reviewed each contract to determine if it:
- Specified ownership of data.
- Specified a data retention period and data deletion requirements.
- Required compliance with data protection legislation.
- Specified appropriate security requirements.
- Required data confidentiality.
- Restricted further processing.
- Specified actions to be carried out on receipt of a subject access request.
- Specified actions upon termination of the contract.
- Allowed for the right to audit the data processor.
According to the DPC, there were issues with one or more of the above within each of the contracts it examined. In addition, none of the contracts had set a retention policy that set out the time frame for holding data in respect of its customers. As a result, the DPC also sent out two enforcement notices to two data controllers Nov. 13, which also required extensive notice to individuals affected and updates to data processing.
Loyaltybuild ceased processing all personal data from Nov. 13, 2013, to late January of 2014, as stated by the DPC's website. On March 12, 2014, The Irish Times announced Loyaltybuild had invested 500,000 euros in new security systems after the criminal attack on the personal data of about 1.5 million people across Europe, which included about 90,000 Irish customers of various companies in Northern Ireland.
Although Loyaltybuild claimed everything was back on track in March of 2014, it seems the setback was a costly one and has followed the company for years afterward. On Jan. 21, 2017, Independent.ie came out with an update on the status of Loyaltybuild. Here it was stated that “the decision to downsize the Irish operation [following] three years after the 2013 cyberattack put Loyaltybuild’s Irish business out of action for seven months, costing the company millions of euro in lost revenues.” In 2015, Loyaltybuild experienced a pretax loss of 9.1 million euros, the primary motivation for the company to downsize. The restructure ultimately cost the company 780,000 euros, and “the firm’s relationship with a significant client ended on December 31 at last.” In addition, directors’ pay in 2015 fell from 803,353 to 394,382 euros, and Irish revenues fell from 6.3 million to 5 million euros. This occurred without any court actions or identified customers, but simply as a result of the DPC's investigation and preceding enforcement notice.
GDPR and enforcement authority priorities
Loyaltybuild provides insight into how enforcement authorities may exercise the ability to suspend data processing. Those curious about possible enforcement actions in the GDPR age will want to review the conversation with Commissioner Dixon that took place at the IAPP’s Privacy Bar Forum March 29. This should serve as a reminder that the most dangerous enforcement that may result from failure to comply with the GDPR may not necessarily be the fines (see also the article explaining what businesses will have to do in order to incur the oft-quoted fine of 4 percent of global turnover). To provide an example, Commissioner Dixon reiterated that in view of the 320 million data subjects in the EU that might have an issue related to Facebook and Google, enforcement authorities will maintain a reactive priority, as well as a proactive priority.
As a reactive priority, Dixon noted that the GDPR enforces a new mandatory obligation to report breaches within 72 hours of organizations becoming aware of the breach. This will likely give data protection authorities enhanced awareness of security and data abuses that were not previously apparent due to lack of prior disclosure. Some of the direction of enforcement will depend on these new results, which may open a new line of pressing issues. According to Dixon, her first priority is transparency, and the Article 29 Working Party guidelines provide assistance on what this means. Dixon restated the goal for businesses is avoiding passive phrases like “we may use your data to …” because such language does not provide clear information to consumers. For example, if a bank says they may use data for some blanket purpose, consumers and enforcement authorities alike are left wondering what they mean. Are they using data to track what data subjects buy, where they travel, or something else entirely?
In addition, Dixon noted that the GDPR retains the requirement that DPAs handle every complaint logged accordingly, which will require DPAs always be reactive. This includes the failure to deliver on the rights of access, for example, which already comprise more than 50 percent of the complaints her office deals with now. Future examples may include the failure to comply with the right to data portability, or right to object to processing. In addition, Dixon points out that the right to object to processing attracts higher fines and is the issue that will lead enforcement authorities quickest to your door.
Proactive enforcement priority
Dixon stressed her office’s proactive enforcement priority will be mostly centered around transparency. Transparency is key for the office because it is central to empowering data subjects and giving them the control that the GDPR aims to return to data subjects. In addition, the exercise of many fundamental rights simply can’t happen without transparency. Enforcement authorities have always worried that information is not properly communicated and explained by controllers. Dixon stated privacy notices have evolved in legalese, becoming far too opaque to data subjects. Because the GDPR is prioritizing the requirement of transparency, enforcement authorities will do so as well. As an example, Dixon noted that where possible, generic phrases, like “we may use your personal data to improve our products,” should be avoided.
In light of the Loyaltybuild decision, if organizations don’t begin enacting these updates there are more than just the new GDPR fines to worry about.