ICO fines Ministry of Defence for Afghan evacuation data breach

The UK Information Commissioner’s Office (ICO) has imposed a £350,000 fine on the Ministry of Defence (MoD) for a data breach involving the personal data of individuals seeking relocation to the UK after the Taliban’s takeover of Afghanistan in 2021.  

On September 20, 2021, the MoD mistakenly revealed personal details of 245 Afghan nationals eligible for evacuation in a group email. The recipients’ email addresses were visible to all, and 55 had thumbnail images on their profiles. The breach was exacerbated when two individuals responded to the entire list, with one disclosing their location.  

The initial email was sent by the UK’s Afghan Relocations and Assistance Policy (ARAP) team tasked with aiding the relocation of Afghans who worked with the UK Government. The ICO found that if the information had been obtained by the Taliban, it could have posed a life-threatening risk to the individuals involved.  

The ICO determined that between August and September 2021, the MoD violated the UK General Data Protection Regulation (UK GDPR) by failing to have appropriate technical and organisational measures in place. This failure was determined to have significantly jeopardized the security of personal data handled by the ARAP team, particularly through human error leading to data disclosure.  

Besides the incident on September 20, 2021, MoD’s investigation uncovered two other similar data breaches. These occurred on September 7, 2021, involving 13 email addresses, and on September 13, 2021, involving 55 email addresses, both due to the misuse of the “To” field in emails. Some email addresses were repeated across these instances, bringing the total count of unique email addresses disclosed to 265.  

The ICO’s investigation revealed that during the infringement period, the MoD lacked specific operating procedures for the ARAP team regarding secure group email communications with Afghan nationals seeking relocation. ARAP team members had to depend on the MoD’s general email policy, without receiving tailored instructions about the security risks associated with sending group emails containing sensitive information.  
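The failure mode behind all three incidents is a group email with external recipients in the visible "To" (or "Cc") field. The following pre-send check is an added example in Python, not code from the ICO notice or the MoD; the internal domain, the threshold and the sample message are assumptions constructed for illustration. It flags such a message and rewrites it so external recipients are moved to Bcc and cannot see each other's addresses.

```python
from email import policy
from email.parser import BytesParser
from email.utils import formataddr, getaddresses

# Assumed values for this example: the sender's own domain(s) and the policy
# threshold. More than one external address visible in To/Cc discloses the
# recipient list to everyone on it, which is the mistake behind the breach.
INTERNAL_DOMAINS = {"example.gov.uk"}
MAX_VISIBLE_EXTERNAL = 1

# Constructed sample message, not a real ARAP email: three applicants in "To".
SAMPLE_RAW = b"""From: ARAP Team <arap@example.gov.uk>
To: applicant1@example.com, applicant2@example.net, applicant3@example.org
Cc: colleague@example.gov.uk
Subject: Relocation update
Content-Type: text/plain; charset="utf-8"

Constructed sample body.
"""

def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)

def _is_internal(addr):
    return addr.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS

def visible_external_recipients(msg):
    """External addresses in To/Cc: every recipient of the mail can see these."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr and not _is_internal(addr)]

def violates_policy(msg):
    return len(visible_external_recipients(msg)) > MAX_VISIBLE_EXTERNAL

def enforce_bcc(msg):
    """Move every external To/Cc recipient into Bcc; internal ones stay visible."""
    external = visible_external_recipients(msg)
    for field in ("To", "Cc"):
        kept = [formataddr(p) for p in getaddresses(msg.get_all(field, []))
                if p[1] and _is_internal(p[1])]
        del msg[field]
        if kept:
            msg[field] = ", ".join(kept)
        elif field == "To":
            msg["To"] = str(msg["From"])  # keep a visible To: the sender itself
    bcc = [a for _, a in getaddresses(msg.get_all("Bcc", []))] + external
    del msg["Bcc"]
    msg["Bcc"] = ", ".join(bcc)
    return msg

def bcc_recipients(msg):
    return sorted(a for _, a in getaddresses(msg.get_all("Bcc", [])))
```

Run as a gateway or client-side hook, the same check can reject rather than rewrite, which is the safer default where an operator should confirm the recipient list before sending.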

Meta faces 550M euro lawsuit for ‘systematic’ GDPR violations  

Meta is facing a lawsuit in Spain for alleged “non-systematic and massive non-compliance” with EU GDPR. AMI, an association of more than 80 news publishers, is seeking €550 million in damages over claims that Meta breached competition and data protection law. 

The litigants allege that Meta has repeatedly failed to comply with the GDPR by failing to obtain consent for targeted profiling. AMI claims that Meta’s access to large volumes of personal data obtained without a valid legal basis gives the company an illegitimate competitive advantage.

Meta was fined €390 million in January of this year after EU data protection authorities found that “performance of a contract” was not a valid legal basis for it to track and profile users to target them with ads. 

Following the decision, Meta switched its legal basis for behavioural advertising to “legitimate interests” across the European Economic Area (EEA) but was forced to abandon this position following a case involving the German competition authority at the Court of Justice of the European Union (CJEU). 

In November, Meta switched to “consent” as its third legal basis in 2023. However, the company asked users to choose between paying a monthly subscription for an ad-free version of its products or providing “consent” to behavioural advertising. Some commentators have questioned whether this subscription model meets the GDPR’s requirements around “freely given” consent.

Meta’s new “consent or pay” model is already the subject of complaints from other privacy and consumer rights groups, adding additional pressure on the company alongside the AMI’s competition law allegations.  

Singapore issues health care sector cyber security guidelines

Three Singaporean agencies have jointly issued new Cyber and Data Security Guidelines for Healthcare Providers in advance of Singapore’s Health Information Bill (“HIB”), a new health data security law due to take effect in mid-2024.  

The guidelines cover cyber and data security measures governing the storage, access, use and sharing of health information, with an aim to improve security posture amongst healthcare providers in the lead up to the HIB.  

In the coming months, the authorities will survey healthcare providers about their:

  • IT setup, resourcing and capabilities, and
  • current cyber and data security readiness.

The guidelines currently aim to promote early awareness and familiarity of security requirements among healthcare providers but will eventually be imposed as regulatory requirements under the HIB.  

NCMEC expresses child protection concerns over Meta’s end-to-end encryption plan

The US National Center for Missing & Exploited Children (NCMEC) has expressed concerns over child safety and privacy protection following Meta’s recent decision to enable end-to-end encryption (E2EE) by default on its Messenger platform.  

The NCMEC says implementing E2EE on Messenger will make communications on the application “go dark”, allegedly putting child safety at risk. The group has urged Meta to put the encryption project on hold until it can detect material being shared.  

Meta argues that Messenger has become an outlier among messaging platforms as more and more of them implement E2EE to reduce cybersecurity risks. The company believes it will continue to be able to mitigate child safety issues via other technologies currently used to detect spam and scams.

Meta also cited the child safety benefits of new account features that make it harder for users to find and contact people they do not know, including children. However, child safety groups argue that the rollout of E2EE is likely to result in a substantial drop in reports concerning endangered children.

As a global B Corp organisation, HewardMills is ready to partner and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates discussed.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.