“Worst breach of personal data in Singapore’s history” attracts record penalties totalling S$1 million

On 14 January 2019, Singapore’s Personal Data Protection Commission issued its grounds of decision against Singapore Health Services Pte. Ltd. (SingHealth) and Integrated Health Information Systems Pte. Ltd. (IHiS) for what has been described as the “worst breach of personal data in Singapore’s history”.

The unprecedented cyber attack on SingHealth’s patient database system led to the exfiltration of the personal data of 1.5 million patients and the outpatient prescription records of nearly 160,000 of them.

The commission received several complaints from members of the public regarding this data breach and commenced its investigations thereafter.


HM Treasury inquiry into IT failures in the financial services sector

At the end of 2018 the UK Treasury Committee announced that it would launch an inquiry into information technology (IT) failures in the financial services sector. The Treasury Committee has stated that it will appoint a specialist advisor to help provide analysis and aid the inquiry.

The past 18 months have seen numerous IT failures in the financial services sector; Equifax, Barclays and TSB have all suffered incidents, to name a few. TSB is arguably the highest-profile case: 1.9 million customers were locked out of their online banking accounts for up to a month, and some customers also claimed to have been able to view other customers’ bank details. The failure occurred when the bank attempted to migrate customer data from the IT platform of its former owner to that of its current owner, Banco Sabadell.

The inquiry by the Treasury Committee is set to explore the common causes of such operational incidents, to better understand what consumers have lost as a result of the failures, and to determine whether regulators such as the Bank of England’s Prudential Regulation Authority and the Financial Conduct Authority have the necessary powers to hold the firms involved to account.

Draft ethics guidelines for trustworthy artificial intelligence published by the European Commission

On 18 December 2018, the European Commission published draft ethics guidelines for trustworthy AI. The guidelines are voluntary, constitute a working document to be updated over time, and have been opened to a stakeholder consultation process.

The guidelines recognise that there are benefits to be gained from AI, but that humankind can only reap those benefits if the technology can be trusted (in other words, if it is trustworthy AI). An overarching principle in the guidelines is that AI should be human-centric, with the aim of increasing human well-being.

Trustworthy AI is defined as having two components:

  1. an “ethical purpose”: respect for fundamental rights, ethical principles and societal values; and
  2. technical robustness and reliability.

The guidelines set out a framework for implementing and operating trustworthy AI, aimed at stakeholders who develop, deploy or use AI.


Data brokers begin 2019 with new Vermont law

A new Vermont law imposing data security and annual disclosure obligations on data brokerage companies (e.g., Acxiom, Experian, Epsilon) came into effect on January 1, 2019. Data brokers are required to register annually with the Vermont Attorney General and pay an annual registration fee. Each year, data brokers must disclose to the State Attorney General their practices for the collection, storage and sale of personal information, any applicable opt-out practices, and the number of data breaches experienced during the prior year along with the total number of consumers affected by those breaches (if known). A broker that fails to comply may be found in violation of Vermont’s consumer protection law. To read more on the new law, visit our AdLaw By Request blog.

Brexit countdown: UK government to amend domestic data protection legislation

The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 have been laid before the UK Parliament.

The regulations are introduced under the European Union (Withdrawal) Act 2018. The Withdrawal Act grants powers to correct deficiencies in UK legislation that will arise as a result of Brexit.

The regulations introduce a large number of technical amendments to UK law. The main amendments are made to:

  1. the General Data Protection Regulation 2016/679 (GDPR) as retained by UK law;
  2. the Data Protection Act 2018 (DPA 2018); and
  3. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

When the United Kingdom (UK) leaves the European Union (EU), the UK will no longer be subject to obligations under the GDPR (except for processing still caught by the GDPR’s extra-territorial scope). However, the Withdrawal Act provides that the text of the GDPR will form part of UK domestic law after Brexit (the UK GDPR). As a result, the text of the UK GDPR must be amended to remedy the deficiencies that arise once the UK is no longer part of the EU. The text of the DPA 2018 must also be amended to implement the UK GDPR.


First two Singapore data protection enforcement decisions issued in 2019

On January 3, 2019, Singapore’s Personal Data Protection Commission issued two grounds of decision against Bud Cosmetics and AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd.

Bud Cosmetics

The facts of this case were as follows:

  • Bud Cosmetics is an organic and natural skincare retailer with retail outlets in Singapore and an online store.
  • It collected customer information for membership registration and maintained two separate databases: one for online registrations and another for registrations in person at its retail outlets.
  • As part of its marketing activities, Bud Cosmetics sent its customers e-newsletters with its latest promotional offers and products. Such e-newsletters were generated by selecting members’ email addresses from both online and offline databases based on certain criteria. After an e-newsletter was sent out, the customer mailing list for that particular e-newsletter would be stored in an archive folder.
  • An individual complainant discovered a URL pointing to a Bud Cosmetics member list when she searched for her own name on the Internet. The list contained the names, dates of birth, contact numbers, email addresses and residential addresses of approximately 2,300 persons.
  • The member list was located in the image folder for an e-newsletter that was sent out in 2012 and hosted on a third-party server based in Australia. This system was hacked in April 2012. Bud Cosmetics switched web hosting companies in 2013, and engaged a U.S. entity with servers located in Provo, Utah.


Social plug-ins – Advocate General issues opinion on joint controllership case

On 19 December 2018, the Advocate General (AG) delivered an opinion in a case concerning Fashion ID and Facebook, which considered the parties’ status as joint controllers, under the Data Protection Directive 95/46/EC (DP Directive), when a social plug-in had been embedded.

Fashion ID’s website embedded Facebook’s ‘Like’ button as a plug-in. Embedding the plug-in caused personal data, such as the user’s IP address and browser journey, to be transferred to Facebook as soon as the page loaded, regardless of whether the user ever clicked the Like button. A consumer protection association brought a claim against Fashion ID, arguing that the use of the Facebook Like button was a breach of data protection laws.
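The mechanism at issue here, a third-party embed that makes the visitor’s browser contact the third party on page load before any click, can be audited for in page templates. The script below is an added example; it is not code from the case, from Fashion ID or from Facebook. It assumes the hypothetical hosts in the constructed sample page, and the common consent-manager convention that a script gated behind consent carries type="text/plain" and a gated iframe or image keeps its address in data-src rather than src.

```python
"""Audit an HTML page for third-party embeds that fire on page load.

Added example, not code from the Fashion ID case or from any party to it.
Assumptions: the first-party origin is supplied by the caller, and the
consent-gating convention is the common consent-manager one (script with
type="text/plain"; iframe/img with data-src instead of src). The hosts in
SAMPLE_PAGE are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class EmbedCollector(HTMLParser):
    """Collects (tag, url, gated) for every element that can trigger a fetch."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # type="text/plain" stops the browser executing/fetching the script
            # until a consent manager rewrites the type (assumed convention).
            self.embeds.append((tag, a["src"], a.get("type") == "text/plain"))
        elif tag in ("iframe", "img"):
            if a.get("src"):
                self.embeds.append((tag, a["src"], False))
            elif a.get("data-src"):
                # data-src is inert until copied into src after consent (assumed).
                self.embeds.append((tag, a["data-src"], True))


def host_of(url, page_host):
    """Host the browser would contact for url; None for data: URLs."""
    p = urlparse(url)
    if p.scheme == "data":
        return None
    # Protocol-relative (//host/...) and absolute URLs carry a netloc;
    # path-relative URLs resolve against the page's own host.
    return (p.netloc or page_host).lower()


def is_first_party(host, page_host):
    # Same host or a subdomain of the page host. This does not do
    # eTLD+1 matching, so "shop.example" and "www.shop.example" are related,
    # but sibling domains are not.
    return host == page_host or host.endswith("." + page_host)


def audit(html, page_url):
    """Return the third-party embeds found, flagging those that fire on load."""
    page_host = urlparse(page_url).netloc.lower()
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, url, gated in collector.embeds:
        host = host_of(url, page_host)
        if host is None or is_first_party(host, page_host):
            continue
        findings.append({"tag": tag, "host": host, "url": url,
                         "fires_on_load": not gated})
    return findings


def hosts_contacted_on_load(html, page_url):
    """Third-party hosts that receive the visitor's IP and Referer on load."""
    return sorted({f["host"] for f in audit(html, page_url) if f["fires_on_load"]})


# Constructed sample page (hypothetical hosts, not taken from the case).
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="//plugin.social-network.example/sdk.js"></script>
<script type="text/plain" src="https://widgets.other.example/w.js"></script>
<iframe data-src="https://video.other.example/embed/123"></iframe>
<img src="https://px.tracker.example/p.gif" width="1" height="1">
<img src="https://cdn.shop.example/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, "https://shop.example/"):
        status = "FIRES ON LOAD" if f["fires_on_load"] else "gated"
        print(f"{status:14} {f['tag']:7} {f['host']}")
```

Run against a real template, an unconditional hit on a social-plug-in host is the fact pattern the Advocate General is considering: the transfer happens before the visitor has done anything at all.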

The AG’s opinion focuses on four main areas. The first proposal within that opinion is that the DP Directive did not preclude national legislation granting standing to public service associations for them to protect consumers. The remaining three proposals are discussed further below.


Digital transformation of health and care

In April 2018 the European Commission (Commission) published its Communication on the digital transformation of health and care in the Digital Single Market (Communication). The Commission outlined the need for reforms to health care systems and the development of innovative digital solutions. On 6 December 2018, the European Economic and Social Committee (EESC) published its opinion on the Communication (Opinion) in which it expressed its agreement with the vision set out by the Commission.

Opinion of the European Economic and Social Committee

The EESC noted its support of the Commission’s proposed action in relation to three main areas: (i) secure access of the public to, and sharing of, health data across borders; (ii) disease prevention and personalised health and care; and (iii) digital tools for citizen empowerment and person-centred care.

The Opinion focuses on the impact of digital transformation on five main areas:


The fintech Carney-val

The extension of Mark Carney’s term as Governor of the Bank of England to January 2020 was put in place to ensure a smooth Brexit.

Mr Carney has become increasingly vocal in his attempts to maintain financial stability during that period. This has resulted in ‘Brexiteers’ hurling accusations of fuelling “Project Hysteria” after the bank published its economic analysis of Brexit at the end of November. To help mitigate such gloomy predictions, what else could Mr Carney do to support an orderly exit (and possibly create a lasting legacy for himself)?

Back in June, Mr Carney spoke about modernising the UK bank payment system by rebuilding the Bank of England’s real time gross settlement (RTGS) service “so that new private payment systems, including those using distributed ledgers, can simply plug into our system”, which would include systems built on blockchain technology.[1]


London as the capital of FinTech

London has historically been considered the centre of European financial services. Now it is also viewed as the capital of financial technology (FinTech). However, with the likelihood of a no-deal Brexit becoming ever more real, and increasing attempts to lure FinTech firms to the continent, London’s title is under threat.

London provides a haven where FinTechs have been able to grow operational expertise, supported by the combination of significant and sophisticated investment, tech-skilled talent, tech-minded people, a pragmatic and forward-thinking regulator, and a supportive government with its own strategy on FinTech. These have been the key ingredients for a rich stew that has allowed operational expertise to grow in this new sub-sector. This recipe has resulted in London enjoying so much FinTech success that it now has the highest number of unicorn FinTech companies in Europe. With less than 100 days until the United Kingdom’s departure from the European Union, it is more important than ever for Britain to consider how to best retain its FinTechs. Read more about London’s FinTech dominance on our FinTech Update blog.
