See below for the latest Data Blast from our legal team: Company fined over €450,000 for delayed reporting of a data breach; South Korea set to join list of recognised countries for EU data flows; UK sets out procedures for recognising adequate data protection standards in third countries; Children’s data in the spotlight as TikTok is subject to a new class action suit…

Booking.com fined for late reporting of data breach

On 31 March 2021, the Dutch Data Protection Authority (DPA) announced that it had fined Netherlands-based Booking.com €475,000 for failing to report a data breach within 72 hours of becoming aware of it.

The 2019 breach stemmed from unauthorised access to login credentials, which allowed hackers to gain access to the personal data of over 4,000 users. Compromised user details included names, postal addresses, phone numbers and credit card numbers.

The Dutch DPA explained that Booking.com was made aware of the breach on 13 January 2019, but failed to report the breach until 7 February 2019, over 3 weeks after the breach and considerably longer than the 72 hour window provided for in the General Data Protection Regulation (GDPR). Booking.com informed affected users on 4 February 2019, and the Dutch DPA stated that the company took certain unspecified steps to mitigate the damage to users, while also offering compensation for damage suffered. The DPA’s statement (found here, in Dutch) does not provide the company’s reason for the delayed reporting of the breach, but confirms that the company will not appeal the fine.

Monique Verdier, Vice President of the Dutch DPA, explained in a statement that, ‘a data breach can happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the repetition of such a data breach, you must report this in time. That speed is very important. . . . Such a large company, with valuable personal data of millions of customers in its systems, has a great responsibility.’

European Union completes adequacy talks with South Korea

On 30 March 2021, the European Commission (EC) announced that it had concluded discussions with the Republic of Korea regarding an adequacy decision.

The discussions highlighted the convergence of South Korean and European data protection laws, specifically the recent introduction of South Korea’s Personal Information Protection Act (PIPA) which, amongst other changes, enhances the authority of the Personal Information Protection Commission (PIPC), the South Korean data protection authority.

An adequacy decision, which will dovetail with the EU and Korean free trade agreement, will apply to both the public and private sectors, enabling the free flow of personal data between the EU and South Korea. To date, the EC has recognised 12 countries as providing an ‘essential equivalent level of protection’ for personal data, and recently provided a draft decision with respect to the United Kingdom (previously covered here).

The EC will now commence its decision-making procedure to adopt an adequacy finding in the next few months, which will require obtaining an opinion from the European Data Protection Board (EDPB) and a ‘green light’ from a committee comprising representatives from all EU Member States.

Relatedly, it was announced on 14 April 2021 that the EDPB had adopted its opinion on the draft UK adequacy decision issued by the EC in February 2021 (previously covered here). While non-binding, the EDPB’s opinion will bolster the EC’s decision, and a UK adequacy decision will be formally adopted if approved by the EU Member States acting through the European Council.

UK ICO and Government agree future Adequacy Decision procedure

On 19 March 2021, a Memorandum of Understanding (MoU, found here) between the UK Information Commissioner’s Office (ICO) and the Secretary of State for Digital, Culture, Media & Sport (DCMS) regarding post-Brexit UK adequacy assessments.

The MoU details the procedure by which third countries will negotiate adequacy decisions, which allow for the free transfer of UK-collected personal data to the relevant jurisdiction, with DCMS. The MoU refers to these adequacy decisions as ‘adequacy regulations.’

Prior to Brexit, the UK adopted the European Commission’s existing adequacy decisions, but will decide any future adequacy decisions going forward. While the Secretary of State for DCMS will be responsible for these decisions, the DCMS will be required to consult the ICO (and other appropriate persons) before coming to a decision on adequacy. Under the MoU, the ICO and DCMS must work closely together, sharing information and expertise; the DCMS, however, will not be bound by the ICO when making adequacy decisions.

After signing the MoU, the UK government announced that it plans to expand the list of ‘adequate’ countries, which is consistent with the government’s pledge to consider ways to advance UK data protection laws independently of the EU laws following Brexit. The ICO’s press release can be found here.

TikTok sued over use of children’s data

On 21 April 2021, it was announced that TikTok is facing a lawsuit, brought by former Children’s Commissioner for England, Anne Longfield, regarding its collection and use of children’s data.

TikTok has over 800 million users worldwide and its parent firm, China-based ByteDance, derives a majority of its profits from advertising revenues.

The class-action lawsuit has been filed on behalf of millions of children who use TikTok in the UK and EU, and alleges that the social media platform has been illegally collecting and using their personal data since 25 May 2018, when the GDPR went into effect. If successful, it is alleged that the compensation owed under the lawsuit could amount to billions of pounds.

The suit alleges that TikTok (and parent firm ByteDance) collects children’s personal data, including videos, phone numbers, exact location and biometric data, without meeting the GDPR thresholds for transparency of information about data usage and consent by children and/or their parents. Lawyers representing the claimants state that the personal data being collected by TikTok amounts to ‘a severe breach of UK and EU data protection law.’

A statement by the claimant described TikTok as ‘a data collection service that is thinly veiled as a social network,’ and stated that children’s parents have a right to know what private information is being collected through the app. A spokesperson for TikTok stated that ‘[p]rivacy and safety are top priorities for TikTok’ and that the claim lacked merit.

The lawsuit is the most recent in a series of legal actions concerning TikTok; ByteDance was fined a record $5.7 million by the US Federal Trade Commission in 2019 for mishandling children’s data collected by TikTok. ByteDance has also been fined by South Korean data protection authorities over its collection of children’s data, and has been investigated by the UK ICO.

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.