British privacy watchdog the ICO says it has received c.500 calls per week to its breach reporting line since the launch of GDPR in May. This week the Office handed out its first enforcement notice under the new Act, and also fined credit reference agency Equifax Ltd for breaches of its predecessor.
The ICO fined Equifax Ltd £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber attack between 13th May and 30th July 2017. Information lost or compromised ranged from names and dates of birth to addresses, passwords, driving licence and financial details. The attack happened in the US but affected 146 million customers globally, and the ICO said the UK arm of the company failed to take appropriate steps to ensure its American parent was protecting the information. A joint probe by the ICO and FCA (Financial Conduct Authority) revealed 'multiple failures' which led to personal information being retained for longer than necessary and left vulnerable to unauthorised access.
Because the failings occurred before the onset of GDPR laws, the investigation was carried out under the Data Protection Act 1998, and the fine is the maximum amount allowed under the old law; the company contravened five of the eight data protection principles it set out. Information Commissioner Elizabeth Denham (pictured) said the company had received the maximum possible fine 'because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law'. She added: 'Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress'.
Canadian company AggregateIQ (AIQ) stands accused of various breaches of the new Act (i.e. GDPR), including processing data without a lawful basis and failing to provide clear information to individuals about its use, and has been given 30 days to 'audit, assess, implement and document' its data policies and practices or face a fine of up to £17m or four per cent of its annual global turnover.
In a statement on its home page the firm, which is appealing the notice, says it 'works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates' and 'has never knowingly been involved in any illegal activity'. It continues: 'All work AggregateIQ does for each client is kept separate from every other client. AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica'.
Separately, Deputy Information Commissioner James Dipple-Johnstone told a conference last week that since May the Office has received around 500 calls per week to its GDPR breach reporting line. Roughly one third of these organisations decide, after discussing it with ICO staff, that the breach does not meet the reporting threshold. Among the trends highlighted by Dipple-Johnstone, the ICO notes that some controllers are over-reporting, 'in an effort to be transparent and manage their perceived risk or because they think that everything needs to be reported'. The Office says it will discourage this once the new breach reporting threshold has become more familiar: in particular it notes that 'Organisations are not required to notify the data protection authority if the breach is unlikely to result in a risk to the rights and freedoms of the affected data subjects'.
The ICO has not yet issued any fines under the new regime, but is involved in an ongoing investigation of a breach by British Airways, allegedly involving the theft of credit card data associated with the purchase of 380,000 airline tickets. The Office stresses once again that 'organisations should be able to mitigate the risk of hefty fines for a data breach by ensuring they have a good data governance system in place, and can demonstrate to the data protection authority that they have taken all appropriate measures to meet their data protection obligations'.
Thanks to www.lexology.com for some of the above.
All articles 2006-23 written and edited by Mel Crowther and/or Nick Thomas, 2024- by Nick Thomas, unless otherwise stated.