December 7, 2022
Estimated reading time: 6 minutes
Why are organizations failing with data?
The global data landscape is expanding constantly, along with the regulations that national and international authorities put in place to manage it.
Data is a critical resource: companies use customers’ personal data not only to enhance their existing products and services but also to develop new offerings that drive revenue.
The commercial value of personal data is matched by its sensitivity: the same data that lets a business tailor services to customer needs can be exploited by criminals, for example to steal customer identities for theft or fraud, or for related activities such as money laundering or the financing of terrorism.
In response to that threat, governments across the world have introduced data protection laws that impose strict obligations on organizations that collect, handle, and share customer data.
Those laws, such as the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), have added significant complexity to compliance, and impose financial penalties (along with reputational damage) for violations.
Unsurprisingly, many businesses have struggled to adapt to the new climate, leading to numerous high-profile regulatory violations and enforcement actions from data authorities.
Data regulations are not going away and, as further laws are tabled in numerous jurisdictions, it is crucial that companies understand the compliance challenges that they face, and why data compliance failures are happening.
With that in mind, let’s take a closer look at some of those recent high-profile failures, and the enforcement actions that followed.
Clearview AI Inc – Greece
In July 2022, Greece’s data regulator, the Hellenic Data Protection Authority (DPA), concluded an investigation into Clearview AI Inc and issued a fine of 20 million euros for violations of the GDPR.
The investigation found that Clearview AI, a facial recognition technology company, had violated several GDPR articles over its use of personal ‘selfie’ images that it had scraped from the internet in order to build an identity-matching service for law enforcement authorities.
The violations specifically related to Clearview AI’s failure to obtain explicit consent from the individuals pictured in the selfie images before processing their personal data. In its defense, the company argued that, since it had no physical presence in the EU, it did not have to comply with GDPR rules.
In addition to the financial penalty, the Hellenic DPA ordered Clearview AI to satisfy the complainant’s request for access to their personal data, to delete all other biometric data obtained in this way from Greek subjects, and to stop using its facial recognition technology to collect personal data in Greece.
Clearview AI has also been fined by British and French data regulators for personal data violations.
Volkswagen – Germany
In July 2022, Germany’s Lower Saxony DPA found that the automobile company Volkswagen had violated the GDPR during its testing process for a driving assistance system. The violations related to an exercise involving a test car that was equipped with cameras and was stopped by police officers who had noticed the camera attachments.
Following an investigation, the authority found that the recording of images by the car’s cameras violated the GDPR in several ways, including by failing to inform other road users that their personal data was being processed and stored, and for what purpose it was being collected.
Volkswagen had also failed to enter into a data processing agreement with the service provider it had engaged to carry out the testing. The Lower Saxony DPA characterized the violations as relatively minor, but nonetheless imposed a fine of 1.1 million euros – which Volkswagen accepted.
The size of the fine reflects how seriously authorities are treating data protection laws, even when the violations themselves are deemed minor.
Criteo – France
In August 2022, it emerged that the French DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL), was proposing a 60 million euro fine against the advertising technology company Criteo, following a multi-year investigation.
The investigation was launched in 2018 after the privacy advocacy group Privacy International complained that Criteo was using personal data tracking techniques that violated the GDPR. The CNIL subsequently found that Criteo was tracking internet users in order to build profiles, without users’ consent, which could be sold to companies for targeted behavioral advertising, a practice not in keeping with GDPR rules.
While Privacy International characterized Criteo’s activity as a ‘manipulation machine’, the company disputes the CNIL’s findings and is contesting the proposed fine.
The decision (if upheld) suggests that DPAs are treating ad technology companies as a regulatory priority, and may mean that businesses in the sector should review how they deploy targeted ads.
Easylife – UK
In October 2022, the UK’s Information Commissioner’s Office (ICO) found that the catalog retailer Easylife Ltd had violated data protection laws by misusing the personal data of over 145,000 customers, and by making over 1,345,000 predatory marketing calls.
The ICO’s investigation found that Easylife, which sells a range of household items, had been using data from prior purchases to make assumptions about customers’ medical conditions, and then selling those customers targeted health products.
Easylife customers did not know that their data was being used to target them, and had not consented to it being used in this way. The ICO also found that Easylife had made predatory marketing calls to customers that had not agreed to receive those types of calls.
While Easylife accepted the fine issued for its predatory call activities, citing its failure to properly screen its call lists against the UK’s Telephone Preference Service (TPS) database, it disputed the finding that it had targeted customers, arguing that it was ‘trying to minimize the number of calls made to customers’ and that the fine was ‘out of all proportion to the alleged wrong’.
Easylife’s response suggests that it failed to properly understand how the UK’s data regulations applied to its company and underestimated the severity of the ICO’s subsequent enforcement action.
Understanding data failure trends
The recent pattern of data failures suggests that companies across the EU and the UK are struggling to achieve compliance in a rapidly changing regulatory landscape.
Data laws are becoming more important to both individuals and businesses, reflecting a growing awareness of the value of personal data, such as biometric information and financial habits, across every level of society and business.
Looking more closely at the failures outlined above, certain trends emerge:
- Familiarity: Data protection is often unfamiliar regulatory territory for many organizations, which do not realize that new laws apply to them, or that they need to adjust their existing compliance solutions.
- Complexity: The personal data landscape changes rapidly and intersects with existing regulations and commercial practices. Many new data regulations are themselves complex, and firms struggle in practice to understand how to achieve compliance.
- Enforcement: Where firms are involved in data protection violations or engage in risky data practices, they often underestimate the severity of the penalties they face and regulators’ willingness to enforce them. At the same time, regulators are electing to impose stronger penalties as a way to reinforce the impact of new data regulations.
- Legacy solutions: Where companies do engage with the new administrative burden imposed by data regulations they often rely on existing and legacy solutions to achieve compliance. When these old solutions prove inadequate, the resulting failures expose firms to significant regulatory risks.
The data challenge is already a crucial regulatory priority, and companies must take the new risks seriously and commit to implementing suitable tools and systems to achieve ongoing compliance.
The pace of change in the data landscape means that manual compliance is no longer an option: instead, companies must seek to implement automated solutions capable of coping with both the volume of data that must be collected and analyzed and the complexity of incoming regulations.
Manual processes are no longer scalable or sustainable.
Ease the burden of current and upcoming data regulations by using CUBE’s Automated Regulatory Intelligence (ARI). By automating the process, firms can mitigate compliance gaps and improve overall operational and commercial efficiencies.
Compliance doesn’t have to be a burden. Gain access to regulations that matter most to your business, all in one place.