LAST YEAR, the German newspaper Bild published a photograph of a Centra convenience store in Portarlington, Co. Laois. This small-town grocery is important to Germany because off to the side of it (helpfully circled in red by Bild for its hard-of-seeing readership) is the Office of the Data Protection Commissioner, and that office is a source of increasing concern to the German people and their government. The Bild article went on to state that the office, responsible for all of Facebook’s data Europe-side, has a staff of 22. The headline read “Facebook Controller: the Irish Data Protection Regulator Is So Tiny.”
Ireland is rapidly becoming the European base for the Big Data industry. Facebook, LinkedIn and Twitter all have offices here. This means that the data of many millions of European citizens is subject to Irish law. Data protection is a human right, closely bound up with privacy, and is unsurprisingly taken especially seriously by European countries whose citizens suffered under the police states of Nazis or Soviets, or even both.
It is the right not to have your personal information hoarded, sold, disclosed or otherwise misused. “Data Protection” may not stir passions like other rights do, but in an increasingly data-driven world, its importance cannot be overstated. We are already at risk of a two-tier privacy system, where the rich and famous can go to court for super-injunctions, while the ordinary citizen finds his personal data circulated wider and faster than ever before.
Privacy is an abstract right
But privacy is an abstract right, something that lawyers and academics get excited about but which, in countries lucky enough not to have suffered under a police state, does not always concern the ordinary citizen. This week however, things got a bit more real.
Loyaltybuild is an Irish-based company that manages loyalty card schemes for a wide range of companies including, appropriately enough, Centra. It emerged this week that their data security was breached, and criminal hackers had accessed the personal information of over 1.5 million customers across Europe. Many of those had their credit card details compromised, and at least some of them have already had money stolen from their cards as a result.
This is obviously a criminal matter, but Data Protection laws are in place to ensure that such breaches never happen in the first place.
Firstly, it is open to question whether Loyaltybuild had any business having the credit card details at all. After all, their job was simply to keep records of purchases, not to handle payments. In any case, the Data Protection Act forbids retention of data for longer than it is required. Even if credit card details were required for Loyaltybuild’s purposes, holding them for (in some cases) two years after customers had cashed in their points and taken their rewards surely cannot have been necessary.
Perhaps more alarmingly, the credit card numbers were unencrypted and stored along with their 3-digit CVV codes. This is the data storage equivalent of writing your PIN number on the back of your card. It is contrary to industry best practice and to the DPA requirement that appropriate security measures be in place to prevent unauthorised access to data.
Finally, the Personal Data Security Code of Practice states that “All incidents of loss of control of personal data in manual or electronic form by a data processor (Loyaltybuild) must be reported to the relevant data controller (their various client companies) as soon as the data processor becomes aware of the incident”. The Data Controllers in turn must report the matter to the Office of the Data Protection Commissioner as soon as they become aware of the incident. Media reports suggest that this breach occurred a month ago. How long it took anyone to notice is unclear.
“Light touch regulation”
The Data Protection Commissioner has dispatched two investigators to Ennis to investigate the condition of the stable door. What is not known is whether Loyaltybuild was ever subject to an audit by the Office of the Data Protection Commissioner. It would seem likely that an audit would have uncovered the issues which led to the current debacle.
However, the Commissioner, as demonstrated by his modest accommodation and staffing, is hamstrung by lack of funding. His options now that the horse has bolted are also limited. The law provides for fines of up to €3,000 on summary conviction. Fines of up to €100,000 are possible on indictment, though such a penalty has never been sought. Lack of resources means that prosecutions under the Data Protection Act average about one a year. Indeed, in his public statements, the Commissioner has been at pains to stress his preference for amicable solutions to breaches of the Acts.
What is afoot here is a rerun of the Celtic Tiger era “light touch regulation” of financial services. Ireland has again made a Faustian pact whereby we lure employers here on the understanding that they will not be subject to too stringent a regulatory system. As the Loyaltybuild breach has shown, this is a bargain that will probably end badly. And as with the financial services boom, it is making the Germans nervous.
Perhaps we will listen to them this time.
Fergal Crehan is a barrister practising in Data Protection law. He writes on legal subjects at www.fergalcrehan.com