Data Protection Enforcement Action on the Rise
The UAE’s data protection regimes, set out below, are now setting standards for neighbouring jurisdictions.
- Dubai International Financial Centre (“DIFC”) Data Protection Law No.5 of 2020
- Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021
- UAE Federal Decree-Law no.45 of 2021 on the Protection of Personal Data
Locally, regulators have made great efforts to educate firms that fall within the scope of the regimes, including outreach sessions, assessment tools, and a steady stream of published guidance.
Following a settling-in period, regulators are now beginning to take a firm stance against firms that have not taken advantage of the free education on offer and remain in contravention of the above regimes.
Firms within the DIFC, ADGM and United Arab Emirates (“UAE”) onshore may find it useful to review recent enforcement action and assess the critical weaknesses within their existing data protection framework, in order to take a more proactive stance.
The reasons for enforcement action are wide-ranging, and we have summarised several case studies below. Many, however, fall into the data breach category: personal data was not adequately safeguarded. Most firms can expect to experience a data breach at some point, and human error is a frequent cause, so it is essential to have measures in place to prevent breaches, mitigate their impact, and respond appropriately when they occur.
Financial institutions hold high-value data, and the pace of digital transformation widens the attack surface available to cyber-attackers seeking to acquire it.
These incidents highlight the importance of preserving the data subject's right to privacy. Safeguarding the personal information of your most important stakeholders against accidental or unlawful loss, disclosure, and access is becoming ever more important. Inadequate management of this risk can result in the theft or loss of personal data, with severe repercussions for a firm in the form of monetary loss, reputational harm, and legal penalties.
Other reasons may include:
- incorrect data processing notifications to the supervisory body in your jurisdiction
- failing to inform data subjects of the required information upon the collection of their data, including data subject rights
- data subject requests not being recognised and acted upon
- failing to report data breaches to the supervisory body or data subject, where required
- inadequate internal controls to safeguard data.
Here, we look at some of the most significant financial penalties that financial institutions have been subject to recently and try to understand what we can learn from these.
Flagstar Bank, June 2022
Last year, a significant data breach at Flagstar Bank, one of the larger US banks, exposed the social security numbers of approximately 1.5Mn customers and led to a $5.9Mn settlement of the resulting class action. As soon as it learned of the breach, Flagstar Bank began incident response procedures and reported that its investigation found no evidence of misuse. Despite this, customers were still urged to check their credit regularly and report any unusual activity.
What can we learn from this? Although the precise attack vector was not disclosed, the case emphasises the importance of covering every potential weakness, from insider threats to ransomware defence to third-party risk. Data Protection Officers should work with the IT function to ensure appropriate technical and organisational measures are in place to protect personal data.
Capital One, December 2021
In 2019, a former Amazon Web Services employee accessed Capital One's cloud-hosted data and exposed the personal data of over 100Mn credit card customers and applicants. A class action brought by US consumers was settled in December 2021, with Capital One agreeing to pay $190Mn.
What can we learn from this? This incident highlights the importance of regular penetration tests and configuration reviews of cloud infrastructure, ensuring incident response plans are in place, and conducting due diligence on third parties who may be processing or hosting personal data.
CaixaBank, January 2021
The largest fine ever levied by the Spanish Data Protection Agency (“AEPD”), €6Mn, was imposed on CaixaBank, S.A.
According to the AEPD, CaixaBank relied on ‘legitimate interests’ without justification. The applicable law requires a legitimate interests assessment to be conducted and recorded before that basis is relied upon. Moreover, the bank did not obtain customers’ consent in a manner compatible with the GDPR. Under the GDPR, the requirements for relying on consent are rigorous, including the requirement that consent be given by an affirmative opt-in.
The Privacy Policy of CaixaBank was considered non-compliant by the AEPD for giving ambiguous and contradictory information regarding its data processing procedures.
What can we learn from this? Explore whether other legal bases may be appropriate before relying on consent, as it can be onerous. If you must rely on consent, ensure it meets your jurisdiction’s regulatory requirements. Data protection policies and procedures should be regularly reviewed and updated where necessary.
BBVA, December 2020
The AEPD’s second-largest penalty, €5Mn in total, was imposed on Banco Bilbao Vizcaya Argentaria, S.A. (“BBVA”). €3Mn of the fine related to BBVA delivering short message service (“SMS”) marketing communications to customers without their permission. In most cases, sending direct marketing messages requires consent that complies with the GDPR.
The remaining €2Mn of the fine related to BBVA’s Privacy Policy, which did not adequately explain how the bank gathered and used its clients’ personal information.
What can we learn from this? Firms wishing to conduct direct marketing should adhere to the explicit marketing rules within their jurisdiction before issuing any marketing material. Privacy policies should accurately reflect each firm’s data processing operations.
Square, April 2022
A former employee of Square (now known as ‘Block’) downloaded client information reports without authorisation. The data is thought to have covered 8.2Mn current and past clients and included names, brokerage account numbers, portfolio values, and holdings.
The former employee had accessed these reports routinely as part of their regular duties, and that access was not revoked when their employment ended. Because the activity looked like ordinary job activity, monitoring that only flags unusual access patterns would not have caught it; the control that failed was removal of access on departure.
What can we learn from this? This highlights the importance of adequately training all employees involved in data processing operations, introducing least-privilege access controls where possible, and promptly revoking access when staff leave or change roles.
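The offboarding failure described above can be checked mechanically: reconcile the HR roster (each account's last day of employment) against both the access log and the current entitlements, and flag any account that is still entitled, or still active, after that day. The script below is an added example, not code from the original article or from Block; the roster, the log format (a hypothetical `timestamp user=… action=… resource=…` line) and the entitlement map are all constructed for the illustration.

```python
"""Offboarding gap check: flag report access and lingering entitlements
for accounts whose HR last day of employment has passed.

Added example; roster, log lines and entitlements are constructed
(hypothetical) data, not taken from any real incident.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    action: str
    resource: str


# Constructed HR roster: user -> last day of employment, None if still employed.
ROSTER = {
    "asmith": None,
    "jdoe": date(2021, 11, 30),
    "bwong": date(2021, 12, 15),
}

# Constructed access-log lines in a hypothetical key=value format.
ACCESS_LOG = """\
2021-12-01T10:02:11Z user=asmith action=download resource=reports/brokerage_accounts.csv
2021-12-10T09:14:02Z user=jdoe action=download resource=reports/customer_holdings.csv
2021-12-12T16:45:30Z user=bwong action=view resource=reports/portfolio_values.csv
2021-12-20T08:03:59Z user=bwong action=download resource=reports/customer_holdings.csv
2021-12-21T11:20:00Z user=asmith action=download resource=reports/portfolio_values.csv
"""

# Constructed snapshot of who currently holds which reporting roles.
ENTITLEMENTS = {
    "asmith": {"reports-reader"},
    "jdoe": {"reports-reader", "reports-admin"},
    "bwong": {"reports-reader"},
    "svc-etl": {"reports-reader"},  # account unknown to HR
}


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the hypothetical log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(
            when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user=kv["user"], action=kv["action"], resource=kv["resource"]))
    return events


def post_termination_access(events, roster, grace_days: int = 0):
    """Return (event, reason) pairs for access by accounts that HR says have left.

    An event is flagged when it occurs strictly after the user's last day plus
    the grace period, or when the account is not in the roster at all.
    """
    hits = []
    for ev in events:
        if ev.user not in roster:
            hits.append((ev, "account not in HR roster"))
            continue
        last_day = roster[ev.user]
        if last_day is None:
            continue  # still employed
        cutoff = last_day + timedelta(days=grace_days)
        if ev.when.date() > cutoff:
            days = (ev.when.date() - last_day).days
            hits.append((ev, f"{days} days after last day of employment"))
    return hits


def stale_entitlements(entitlements, roster, as_of: date):
    """Accounts that still hold roles after their last day, or are unknown to HR."""
    stale = {}
    for user, roles in entitlements.items():
        if not roles:
            continue
        last_day = roster.get(user)
        if user not in roster:
            stale[user] = "account not in HR roster"
        elif last_day is not None and as_of > last_day:
            stale[user] = f"{(as_of - last_day).days} days past last day, still holds {sorted(roles)}"
    return stale


if __name__ == "__main__":
    for ev, why in post_termination_access(parse_log(ACCESS_LOG), ROSTER):
        print(f"ALERT {ev.when.isoformat()} {ev.user} {ev.action} {ev.resource}: {why}")
    for user, why in stale_entitlements(ENTITLEMENTS, ROSTER, date(2021, 12, 31)).items():
        print(f"STALE {user}: {why}")
```

Run against the constructed data, the access check reports jdoe's 10 December download and bwong's 20 December download, and the entitlement check reports jdoe, bwong and the orphaned svc-etl account. The `grace_days` parameter exists so that a firm with a documented handover window can tune the threshold rather than silence the check.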
The data protection regimes in the UAE are similar to the GDPR in many ways, including the requirement for businesses to implement effective systems to safeguard the data they hold. These cases also highlight the importance of allocating clear responsibility for compliance with data protection legislation.
Regulators in the region have started to take enforcement action against firms within their jurisdiction who are not taking their data protection obligations seriously. In 2022, the DIFC Commissioner of Data Protection introduced a supervision and enforcement section to the DIFC website. It is also expected that the ADGM Commissioner of Data Protection will release supervision and enforcement information to the public in the coming months.
In 2022, the DIFC Commissioner’s Office conducted 105 inspections, on target with their aim to conduct at least 100 supervisory actions, including inspections, per year. Forty-one fines were issued during 2022, a reduction from the 146 issued in 2021. While there are definitive improvements in compliance, there is still room for improvement.
The DIFC Commissioner’s Office released two decision notices in 2022, in brief:
FTI Consulting, September 2022
In September 2022, the DIFC Commissioner found that FTI Consulting was in contravention of the DIFC Data Protection Law in relation to the following matters:
- not providing valid notice to data subjects that contacts of new or existing employees would be collected and used for marketing purposes
- not responding to the valid 5 December 2021 subject access request within the period prescribed by the DIFC DP Law.
The firm was subsequently fined $15,000.
What can we learn from this? A Privacy Notice should be provided to all data subjects, including employees, to inform them of the purpose of collection and how their data will be used, amongst other things. Firms should have subject access request (“SAR”) procedures in place, together with training, so that employees can recognise SARs and ensure they are handled within the timescales the regulations require.
Quilter, December 2022
In December 2022, a Decision Notice was published by the DIFC Commissioner, which confirmed that Quilter failed to provide the required information concerning the transfer of personal data to a third country, resulting in the firm being fined $2,000 for incorrect notification to the Commissioner.
What can we learn from this? Firms should consider the adequacy of any jurisdictions they wish to transfer data to and whether notification to the Commissioner regarding any jurisdictional transfers is needed.
The data protection frameworks in the UAE and around the world continue to evolve rapidly, which in turn supports the confidence of firms and investors doing business across jurisdictions.
In the UAE, protecting one’s privacy and personal information is a basic right, and businesses are expected to abide by the necessary data protection laws and regulations. The data protection regimes are generally set against the global standard for data protection.
It is essential to understand why data protection matters: it protects your employees’ and clients’ personal information, keeps the firm compliant with regulation, preserves privacy, and keeps you informed of current trends so that you can make sound decisions. There is also a reputational element, which matters to well-regarded firms.
Firms can ensure they are compliant by adopting a proactive strategy: staying aware of the pertinent laws, implementing suitable security measures, informing and training staff, conducting routine audits, and having procedures for responding to data breaches and subject access requests. By taking these actions, organisations can secure personal data and meet their regulatory obligations.
How Waystone Compliance Solutions can help you
We have assisted more than 80 clients in the ADGM, DIFC, and the UAE onshore with their data protection requirements, including implementing complex, multi-jurisdictional data protection frameworks, advising on cross-border transfers, incorporating data protection principles, and drafting suitable documentation in accordance with the relevant data protection regulations and laws.
Waystone is well-positioned to support you in maintaining a compliant data protection framework, providing an experienced outsourced Data Protection Officer, or educating and training your in-house Data Protection Officer on the regulatory requirements.
For further details contact: Kate Brookstein, Head of Data Protection, UAE.