January
Kicking off the year with a bang, Lisbon council was fined €1.25m by the Portuguese regulator after sharing hundreds of demonstrators’ personal data with the embassies of several countries, including Russia, Cuba and Israel. The revelation caused significant controversy when it came to light in 2020 and was believed to have been a contributing factor in Mayor Medina’s defeat in the subsequent elections. Staying in Europe, January also saw the European Data Protection Supervisor (EDPS) order Europol to delete its vast store of personal information that it had collected and stored unlawfully. And the French regulator CNIL fined Google and Facebook millions of euros because it ruled users couldn’t refuse cookies as easily as they could accept them.
February
In February, the marketing model of numerous businesses was thrown into doubt by the news that the Internet Advertising Bureau (IAB Europe) had been acting unlawfully under the GDPR. The trade body for the online advertising industry was fined €250,000, plus an additional €5,000 a day if it did not amend its practices within six months. IAB Europe would later appeal the decision made by the Belgian Data Protection Authority (APD), and the Belgian appeal court has referred certain questions to the European Court of Justice, adding further to the delay in getting a final decision.
March
Just as spring was getting started, the UK High Court ruled against the Home Office over its policy to extract data from mobile phones seized from asylum seekers arriving on small boats. An investigation into Project Sunshine, as it was known, found that immigration officers lied to migrants by claiming they could be prosecuted for not handing over their mobile passwords, when there was no such offence. Staying with mobile phones, March also saw the publication of a Trinity College Dublin study, which revealed pre-installed apps on Android phones were collecting huge amounts of data for Google with no opt out for users.
April
Easter bunnies were happily foraging for chocolate eggs when it was announced that the Information Commissioner’s Office (ICO) was fining Reed Online Ltd £40,000 for sending more than 6 million marketing emails to people without consent. Reed had explained the emails were sent because of human error. They weren’t the only ones to fall foul of the regulations – Royal Mail and Halfords were also fined this year for similar activity. The Irish regulator was busy, fining the Bank of Ireland €463,000 for 22 personal data breaches that affected more than 50,000 customers. And this was the month that it was revealed Facebook doesn’t know what it does with user data, or where it goes, according to a leaked internal memo written by its privacy engineers.
May
It’s fair to say Clearview AI hasn’t had a great year. Its troubles certainly didn’t start in May, but this was the month the ICO handed it a £7.5m fine for holding images of UK residents in its database, ordered the company to delete them, and told it not to collect any more in the future. The UK was the third country to take action against the firm, following Italy and Australia. Greece became the fourth in July and France the fifth in October. May was also the month that Google was in the High Court to defend its use of the confidential medical records of 1.6 million Brits without their knowledge. And Swedish fintech Klarna was fined €724,000 for having an inadequate privacy notice on its website.
June
Halfway through the year, a US healthcare company announced it had suffered a massive online data breach that exposed the medical records of almost 70,000 customers, after an unauthorised individual gained access to an employee’s email account. Back in the UK, the police were in hot water after the ICO warned them to stop the mass collection of personal information from rape victims. John Edwards, the Information Commissioner, said at the time: “Police or prosecutors are just not exercising the thoughtfulness and discipline we would expect and they’re going off on these quite wide fishing expeditions.”
July
As the weather warmed up, OpenSea, the world’s biggest marketplace for non-fungible tokens (NFTs), warned users to be on the alert for phishing attacks after it experienced a massive data leak. Its entire email database had been passed to an unauthorised external party by an employee at a firm OpenSea used to send automated emails. OpenSea had more than 600,000 users at the time, all of whom were told to presume they had been impacted. In other news, the privacy campaign group Big Brother Watch mounted a legal challenge against Southern Co-op for its use of a live facial recognition system in its stores. The technology is also used in shops such as Costcutter, Spar and Sports Direct.
August
While many Brits flew abroad for their first international holiday in two years, a major IT provider for the NHS was hit by a ransomware attack that would take weeks to resolve. The incident at Advanced affected the system used to dispatch ambulances, book out-of-hours appointments and issue emergency prescriptions. Call handlers for the NHS 111 service had to resort to using pen and paper in the meantime. In France, the regulator fined the hotel group Accor €600,000 for sending unauthorised marketing communications. And the beauty retailer Sephora was hit with a bill of $1.2 million for CCPA breaches in California.