Data security: to err is (often) human

Legal Watch – November 2019.

Data security: to err is (often) human. This was the conclusion reached by public authorities responsible for the protection of personal data, meeting in Tirana from October 21 to 24.

Several resolutions were adopted at the international conference, which brings together supervisory authorities, the private sector and civil society every year.

These include two resolutions aimed at improving cooperation between public authorities across borders and for better implementation of the GDPR, a resolution on social media and violent extremist content, and the one we are dealing with here, on human error in security breaches.

As a reminder, under the GDPR, a security breach concerns any situation in which personal data is accidentally or unlawfully:

  • Destroyed
  • Lost
  • Altered
  • Disclosed
  • Or when unauthorized access to data is observed.

This is therefore a particularly broad scope of application, with consequences for the data controller who must, depending on the impact of the security breach, notify the CNIL and the persons concerned by the incident.

More than a year after the GDPR came into force, we see that a large proportion of fines imposed for non-compliance with the Regulation are due to a lack of security in data processing. 

The various authorities in Europe have also received a large number of notifications and are beginning to have a clearer picture of the origins of security problems, which should help improve prevention in this area.

The observation is as follows: a large portion of security breaches come from employees unintentionally disclosing information to unauthorized recipients, or from employees being misled into handing over identifiers and access codes to third parties.

In addition to implementing robust data protection techniques in the design of systems ("privacy by design"), the resolution calls for developing a culture of data protection within the company. The following measures are highlighted:

  • Regular training, education and awareness programs for employees on “privacy” and data security aspects;
  • Training in detecting and reporting security breaches;
  • Regular monitoring and audits of practices and systems implemented to protect data.

A useful reminder: encryption remains a highly relevant means of protecting data, combined with other technical and organizational measures. The CNIL (the French data protection authority) and ANSSI (the French national cybersecurity agency) published a wealth of practical information online in October to mark Cybersecurity Month.

And also:

  • In France:

The French supervisory authority published its 2019-2021 roadmap in mid-October, in order to communicate its priorities in terms of personal data protection. There are five areas of work:

  • The digital challenges of citizens’ daily lives;
  • Balanced regulation (support and repressive action);
  • A significant investment in European cooperation;
  • Cutting-edge expertise in digital and cybersecurity;
  • An innovative public service mission based on humanist values.

The CNIL also took a position on October 17 on two facial recognition systems implemented in schools.

It considered these projects, applied to students who were mostly minors and with the sole aim of streamlining and securing access, to be "neither necessary nor proportionate to achieve these ends."

These decisions can be compared to the one taken by the Swedish supervisory authority at the end of August in the context of facial recognition in schools, this time with the aim of monitoring attendance.

  • In Europe:

Compensation for violation of the law: the conditions under which an individual can claim compensation in the event of a violation of their rights are being clarified by case law.

The latest decision, taken by the London Court of Appeal on October 2, awards compensation for fraudulent collection of data by Google on the iPhones of more than four million users, in the absence of proof of damage: the Court specifies that a person's control over their data has a value, so the loss of this control must also have a value.

Therefore, a person can recover compensation under the law without proving financial loss or distress.

We note the link between this decision and Article 82 of the GDPR, which establishes the existence of material and immaterial damage and places on the data controller the burden of proving that it is not responsible for the damage.

  • In the United States:

International data transfers: On October 23, the European Commission published the conclusions of the third annual review of the "Privacy Shield," which governs the transfer of data to the United States for companies that have signed up to it.

The report confirms that the system continues to provide an adequate level of protection.

It highlights improvements made to the implementation of the "Shield" and mentions remaining weaknesses, including the length of time required to obtain (re)certification and the verification of false certification claims made by some companies.
