Current Case Status; Yahoo, Equifax, Shine, Uber

The request was partially successful.

Dear Information Commissioner’s Office,

There have been a number of cases in recent months that have faded from the news, but which the ICO assured were the subject of a thorough investigation.

For each of the following could you please disclose to me,

- The present status of the case
- Correspondence in the last 12 months with the company involved concerning the circumstances of the incident
- Any fines, penalties, or enforcement actions imposed as a consequence

1) Yahoo's recent belated admission that every single account was breached in the 2013 attack (https://ico.org.uk/about-the-ico/news-an...)
2) Equifax's recent belated admission that UK data had been transferred to the USA and breached at scale (https://ico.org.uk/about-the-ico/news-an...)
3) Shine/Rainbow's trials of unlawful mobile network surveillance/adblocking technology (https://www.whatdotheyknow.com/request/3...)
4) Uber's belated admission that a large volume of personal information has been breached (https://ico.org.uk/about-the-ico/news-an...)

Empirically it appears there is an unspoken ICO policy toward US/foreign companies in violation of the UK Data Protection Act, exempting them from all manner of enforcement proceedings. Other examples might include Phorm, Google (Streetview, Gmail, Deepmind), Bluecoat and others. If not, please could you cite one or more examples to the contrary where a foreign registered entity has faced notable ICO enforcement action for a breach of the DPA/PECR.

Yours faithfully,

P. John

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm that we have received your correspondence.

If you have made a request for information held by the ICO we will contact you as soon as possible if we need any further information to enable us to answer your request. If we don't need any further information we will respond to you within our published, and statutory, service levels. For more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your personal information, we will not usually look into it unless you have raised it with the organisation first. For more information please see our webpage ‘raising a concern with an organisation’ (go to our homepage and follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been copied to us.

For more information about our services, please see our webpage ‘Service standards and what to expect’ (go to our homepage and follow the links for ‘Report a concern’ and ‘Service standards and what to expect’). You can also call the number below.

If there is anything you would like to discuss with us, please call our helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at [2]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

The ICO's mission is to uphold information rights in the public interest. To find out more about our work please visit our website, or subscribe to our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment), please inform the sender by return email and destroy all copies without passing to any third parties.

If you'd like us to communicate with you in a particular way please do let us know, or for more information about things to consider when communicating with us by email, visit ico.org.uk/email

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Tim Turner left an annotation

Is it possible that in the case of foreign / US companies, they are not processing data in the UK, and therefore ICO may not have the power to enforce against them?

P. John left an annotation

Canadian hacker behind 500M Yahoo hack reveals Russian connection
https://www.hackread.com/canadian-hacker...

P. John left an annotation

@Tim Turner...

To deal with each in turn,
Yahoo were email providers to British Telecom, and it would seem a large number of British Telecom users were affected by the hacks for an extended period.
The Equifax case concerns data that should have been retained in the UK, but was transferred overseas, seemingly outside the protection of Privacy Shield/Safe Harbour regulations.
The Shine case concerns covert trials of mass surveillance software, on UK telecommunications, by 3UK.
And Uber likewise concerns data about UK citizens who were hiring UK based taxi services.
In each case the ICO has power to act, either against the offending company directly or the data controller who hired them.

Information Commissioner's Office

21 December 2017

Case Reference Number IRQ0712847

Dear Mr John
 
Thank you for your recent request for information. We received your
request on 23 November 2017.
 
We have considered your request under the Freedom of Information Act 2000.
 
Your request
 
For each of the following could you please disclose to me,
- The present status of the case
- Correspondence in the last 12 months with the company involved
concerning the circumstances of the incident
- Any fines, penalties, or enforcement actions imposed as a consequence
1) Yahoo's recent belated admission that every single account was breached
in the 2013 attack ([1]https://ico.org.uk/about-the-ico/news-an...
2) Equifax's recent belated admission that UK data had been transferred to
the USA and breached at scale
([2]https://ico.org.uk/about-the-ico/news-an...
3) Shine/Rainbow's trials of unlawful mobile network
surveillance/adblocking technology
([3]https://www.whatdotheyknow.com/request/3...
4) Uber's belated admission that a large volume of personal information
has been breached ([4]https://ico.org.uk/about-the-ico/news-an...
 
Our response 
 
Points one, two and four
 
I can confirm that we do hold information within the scope of your request
relating to points one, two and four.
 
We are not able to disclose the information that you have asked for in
these points. This is because all of it is exempt. Please see below for my
explanation about why this is the case.
 
As you will be aware, investigations are currently taking place into
Equifax, Uber and Yahoo and, as you know, we have published a number of
statements regarding these matters in the last few months. The links are
as follows:
 
Equifax:
 
[5]https://ico.org.uk/about-the-ico/news-an...
 
Yahoo:
 
[6]https://ico.org.uk/about-the-ico/news-an...
 
Uber:
 
[7]https://ico.org.uk/about-the-ico/news-an...
 
All of these statements are recent and explain that the investigations are
ongoing.
 
We previously explained in October 2017 that we are not able to disclose
information in relation to Equifax. We explained that the investigation
was at an early stage and that remains the case. We are unable to disclose
correspondence in the past 12 months with Yahoo or Uber for the same
reasons.
 
Section 44 FOIA (section 59 DPA) 
 
To the extent that the information was provided to us by the named data
controllers, and where that information is reflected in our own
correspondence, it is exempt by virtue of section 44 (prohibitions on
disclosure) of the FOIA which by virtue of section 59 of the DPA means
confidential information provided to us in the course of our regulatory
work is exempt unless we can meet one of an exhaustive list of lawful
bases on which to disclose it. We do not have a lawful authority in this
instance.
 
Section 44(1)(a) of the FOIA states;
‘(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment’

The enactment in question is the Data Protection Act 1998 (DPA) and
specifically section 59 of the DPA. Section 59 states that neither the
Commissioner nor his staff shall disclose;
“any information which:
 

 (a) has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts,
 (b) relates to an identified or identifiable individual or business, and
 (c) is not at the time of disclosure, and has not been available to the
public from other sources,

unless the disclosure is made with lawful authority.”

Section 59(1)(a) is satisfied because the information was furnished to the
ICO for the purposes of the Information Acts. The ‘information Acts’ are
defined as the Data Protection Act 1998 and, by amendment, the Freedom of
Information Act 2000 (you can read the annotated Data Protection Act 1998
on our website in the Legislation section).

Section 59(1)(b) is satisfied as it relates to identifiable businesses.

In relation to section 59(1)(c), the information has not been disclosed to
the public and therefore this does not provide a route to disclosure.
Section 59(2)(b) provides circumstances where lawful authority could be
achieved. We can say that in relation to (a) we do not have consent from
the data controllers to disclose this information and in relation to (b)
the information was not provided to the ICO for the purpose of being made
public. 

In relation to (c) - we do not consider that the ICO must disclose this
information in order to discharge a function under the information Acts or
a Community obligation.

Further, in relation to (d) a disclosure would not be for the purposes of
proceedings.

Finally, we turn to (e). We should clarify that the public interest
threshold here is very high, not least because disclosure in contravention
of section 59 by the Information Commissioner or his staff may constitute
a criminal offence (s.59 (3)). 
 
Section 31
 
This information has been withheld in accordance with section 31 of the
FOIA. We consider that the disclosure of this information would be likely
to prejudice “Law Enforcement”.

Section 31 refers to circumstances where the disclosure of information
“would, or would be likely to, prejudice – … the exercise by any public
authority of its functions for any of the purposes specified in subsection
(2).” 
 
The purposes referred to in sections 31(2)(a) and (c) are –
“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and
 “(c) the purpose of ascertaining whether circumstances which would
justify regulatory action in pursuance of any enactment exist or may arise
…”    
 
These purposes apply when the Information Commissioner is considering
whether or not to take regulatory action regarding compliance with the
Data Protection Act.
 
However this exemption is not absolute. When considering whether to apply
it in response to a request for information we must consider whether the
public interest favours withholding or disclosing the information.   

In this case the public interest factors in favour of disclosing the
information are as follows –

* Increased transparency in the way in which the ICO carries out
investigations and in contemporary decision making.
* Increased transparency in the information that has been provided by
these companies to the ICO.
* We recognise that there might be a very large number of affected
individuals across these cases and therefore that they are likely to
have a heightened interest in the way the cases are progressing and
that this heightens the wider public interest as the services provided
by these companies are used by very many people. 
* Members of the public who have a particular interest in specific
sectors/data controllers would benefit from further information about
the way the ICO handles the compliance issues associated with them.

The public interest factors in maintaining the exemption are as follows -

* We consider that the disclosure of this information would be likely to
compromise our ability to investigate and therefore affect the
discharge of our regulatory function in vital areas, including our
ability to influence the behaviour of data controllers and to take
formal action. 
* There is a public interest in maintaining the ICO’s ability to
conduct investigations as it sees fit without undue external
influence.
* There is a public interest in the ICO being able to maintain effective
and productive relationships with the various organisations it
communicates with regarding its investigations. It is essential that
these organisations continue to engage with us in a constructive and
collaborative way without fear that the information they provide to us
will be made public prematurely, or even at a later date, if it is
inappropriate to do so. The level of cooperation may be adversely
affected if details that are provided to us are routinely made
public. Routine disclosure during an investigation would be likely to
result in caution from the organisations we require to further any
investigation and consequently prejudice the ICO’s ability to deliver
the levels of service required of it. There is a strong public
interest in the ICO being an effective and efficient regulator.
* Whilst, as above, we recognise the weighty interest in these particular
cases and data controllers, it follows that there is considerable
interest in ensuring that we have a safe space in which to conduct our
investigations without diversion of resources.
* We go some way to meeting the public interest in disclosure by
publishing updates.

Having considered the arguments both for and against disclosure we do not
find that there is sufficient weight in the arguments that favour
disclosure. We consider that it would be likely that the disclosure of the
withheld information would discourage full and frank discussions and may
damage the ICO’s ability to conduct investigations fairly and
proportionately. It could also jeopardise the ICO’s ability to obtain
information in the future. The arguments in favour of maintaining the
exemption are particularly strong whilst our investigation into a
particular matter is ongoing.
 
Point three
 
There has not been an investigation/case regarding Shine/Rainbow. As
previously advised in response to earlier requests, we have been in
contact with Three about Shine via our Liaison teams.
 
The formal enforcement action we take is available on our website at the
following link:
 
[8]https://ico.org.uk/action-weve-taken/enf...
 
Similarly, the ICO procedure for issuing monetary penalties can be
accessed via this link:
 
[9]https://ico.org.uk/media/about-the-ico/p...
 
A list of civil monetary penalties can be found at the following link:
 
[10]https://ico.org.uk/media/2014859/civil-m...
 
Our regulatory action policy can be found at the following link:
 
[11]https://ico.org.uk/media/about-the-ico/p...
 
Finally, we can only take enforcement action and impose civil monetary
penalties against data controllers within our jurisdiction.
 
Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [12]here.
 
Following our internal review, if you remain dissatisfied with the way we
have handled your request, there is a statutory complaints process and you
can report your concern to the regulator.
 
To make such an application, please write to our Customer Contact Team, at
the address given or visit the ‘Complaints’ section of our website to make
a Freedom of Information Act or Environmental Information Regulations
complaint online.
 
Yours sincerely

Janine Gregory
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0303 123 1113  F. 01625 524510  [13]ico.org.uk  [14]twitter.com/iconews
Please consider the environment before printing this email
For information requests please use [15][ICO request email]

References

Visible links
1. https://ico.org.uk/about-the-ico/news-an...
2. https://ico.org.uk/about-the-ico/news-an...
3. https://www.whatdotheyknow.com/request/3...
4. https://ico.org.uk/about-the-ico/news-an...
5. https://ico.org.uk/about-the-ico/news-an...
6. https://ico.org.uk/about-the-ico/news-an...
7. https://ico.org.uk/about-the-ico/news-an...
8. https://ico.org.uk/action-weve-taken/enf...
9. https://ico.org.uk/media/about-the-ico/p...
10. https://ico.org.uk/media/2014859/civil-m...
11. https://ico.org.uk/media/about-the-ico/p...
12. https://ico.org.uk/media/about-the-ico/p...
13. http://ico.org.uk/
14. https://twitter.com/iconews
15. mailto:[ICO request email]

Leigh Park Initiative left an annotation

So, for whatever reason, whether enforcement action is being taken or not, at whatever stage, the UK public, and in particular, the data subjects affected, will be given the minimum information, as slowly as possible. "Nothing to see here - move along please" (Frank Drebin). Which suggests to me that the scale of these multiple breaches, and the blatant disregard of the relevant legislation by the companies, is of such a scale and severity, that it is way beyond the technical, and legal capacity of our national data "regulator" to either comprehend, investigate or enforce against.

As a BTYahoo customer affected by the Yahoo breach, I have (after at least four years) still been given no useful information by either BT, or the UK data "regulator".