UpData: July 2021

In this issue

In this issue we consider the recent changes in the AI space and look at why LinkedIn has once again made it into the news in relation to data 'scraping'. We also report in detail on what is thought to be the biggest claim for a data breach in British legal history, explore the new telecommunications bill that was passed in Australia and look further at the fight against ransomware hackers.

For the first time, a data protection authority, in this case Italy's GPDP, has levied a fine against  a company for GDPR breaches relating to its AI / algorithmic processing of personal data. Specifically, the GPDP found the Italian gig economy company to be in breach of the automated decision-making / explainability obligations under Articles 13 and 22 of the GDPR - our colleague, Minesh Tanna, has summarised the findings in his recent LinkedIn post. This is unlikely to be the last  challenge to AI / algorithmic systems that we see so watch this space.

Also in relation to AI, on 18 June 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published their joint opinion (the Opinion) on the European Commission's (EC) proposed artificial intelligence Regulation (the Proposal). Whilst the EDPB and EDPS welcomed the fact that the EC is addressing the use of AI within the EU and stressed that the Proposal has important data protection implications, they call for the Proposal to go further. Our Digital Business team have summarised the key points from the Opinion here.

LinkedIn is back in the firing line, after the personal data of 700 million users was put 'for sale' on a notorious hacking forum. Although the tech giant contends that "this was not a LinkedIn data breach" and that the user information was 'scraped' from LinkedIn as well as obtained from other sources, it marks an unsettling theme for the social media site, as it comes only three months after 500 million users' data was "leaked" in a similar way. In the US LinkedIn have been given permission by the Supreme Court to appeal the US Ninth Circuit Court of Appeals' ruling that data scraping is legal - we will keep you updated as to the outcome of the appeal, which we are sure will have wide-ranging ramifications for organisations that seek to utilise and profit from public data.

Recent updates:

British Airways flying high as data-breach compensation claim settles

Like many others, we have been closely watching the fallout from British Airway's (BA)  data breach in 2018 and the ensuing investigation by the Information Commissioners Office (ICO) that resulted in a record-breaking £20 million fine. In response to BA's breach, a group action was filed in April 2020 by 16,000 claimants alleging that the attack had failed on account of BA failing to put in place appropriate security measures. BA have now reached a settlement with a number of those claimants following mediation. We have reported on the settlement and the implications that flow from it here.

Head in the clouds: Australia passes US CLOUD Act-style law

In the latest addition to a growing cross-border framework, the Australian Parliament has passed the Telecommunications Legislation Amendment (International Production Orders) Bill (the Bill) which enables Australian authorities to compel the production of data from entities with a presence in the jurisdiction, even if it is stored abroad. The Bill follows similar legislation in other jurisdictions, such as the US's Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act) and the UK's Crime (Overseas Production Orders) Act 2019, and forms part of a growing framework supporting cross-border investigations and cooperation in relation to the same. Although its efficacy remains to be seen, such legislation is indicative of the desire for public prosecutors to remain abreast of technological advancements, and the ever-evolving nature of data and crime. We explore the key provisions of the bill further here.

Colonial Pipeline: a victory in the fight against ransomware hackers

The FBI has recovered approximately 64 bitcoin that was paid by Colonial Pipeline to cyber-hackers following a ransomware attack. This development raises important questions for participants in the crypto-currency market, as well as for businesses more generally. However, it comes at a time when the threat posed by ransomware attacks looms larger than ever; whilst the recovery of these crypto-assets is no doubt an important victory in the fight against such attacks, the need for caution remains paramount. We consider the threat posed by ransomware attacks alongside the implications for the broader crypto-currency community who may now be wondering what the implications are for their own crypto assets in our article here.

Cyberattack: when paying the ransom does more harm than good...

The French Cybersecurity Agency has published a report on cyberthreats in France, discouraging the victims of a ransomware attack from paying the ransom. Among other things, the report highlights that paying a ransom does not guarantee that an attack is no longer present in the IT systems; that the attacker will communicate the appropriate decryption key; or that the data which was exfiltrated by the attacker will never be shared or disclosed to the public. We set out other key takeaways from the report here.

Get in touch

We are available to speak via email, phone and video conference so please do feel free to reach out to us if you would like to discuss any of the topics covered in this newsletter, or any other issues you are facing.