[61]. DATA BREACHES IN THE TECHNOLOGY LAW WORLD.
By: Nasir Fatimah Olawumi.
[61.1]. Introduction:
As of September 2023, Didi Global, a Chinese vehicle-for-hire corporation, had received the largest fine globally for data privacy violations. China’s data privacy regulator punished the firm 1.19 billion US dollars, or 8.026 billion Chinese yuan, in July 2022.
According to reports, Google has been surreptitiously gathering and pilfering the personal data of iPhone users, then exploiting it for profit without the owners' permission. Google consented to pay a US$22.5 million civil penalty in August 2012 in order to resolve accusations made by the US Federal Trade Commission. Nonetheless, Google consented to pay US$17 million in November 2013 to resolve lawsuits launched against it in the US based on customer complaints.
[61.2]. Data Breach:
According to Chapter 1 Art. 4(12) of the General Data Protection Regulation(GDPR), personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In the current data-driven world, digital global economy that the globe has become, data breaches are now frequently occurring. In Nigeria, The Nigerian Data Protection Act 2023 ("NDPA" or "Act"), which was ratified on June 12, 2023, governs data protection and privacy. The NDPA specifies the actions that organizations must take after experiencing a data breach and contains laws that regulate data breach situations.
A breach of a data controller’s or data processor’s security that results in, or is reasonably likely to result in, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to, personal data that is transmitted, stored, or otherwise processed is referred to as a personal data breach under the NDPA.
[61.3]. A Case study into the Realm of Data Breach:
A number of individuals have filed legal charges against Google for mishandling personal data and using it for profit. The most prevalent ones are typically those who use Apple devices, such as PCs and iPhones.
In VIDAL-HALL v. GOOGLE INC (INFORMATION COMR INTERVENING), The claimants are three individuals who used Apple computers. Each of them accessed the internet using Apple Safari Browser. The matter at hand pertains to the utilization of the "Safari workaround." The main thrust of the complaint is that the defendant used a little text string stored on the user’s device called a cookie to gather private information about the claimants' internet usage through their Apple Safari browser (the Browser-Generated Information, or BGI) without the claimants' knowledge or consent. A little data block called a "cookie" is downloaded onto a user’s device each time they visit a website.
A "third party cookie" is one that is set on the user’s device by a third party whose content appears on the website, as opposed to the website the user is visiting. Third-party cookies are frequently used to collect data on how people use the internet, specifically on certain websites.
The "DoubleClick Ad cookie" from Google was a type of cookie that could function as a third-party cookie. If the user navigated to a website with DoubleClick Ad content, it would be installed on their device. Google was able to recognize visits by the device to any website showing an advertisement from its extensive Page 5 advertising network and gather a significant quantity of data thanks to the DoubleClick Ad cookie. It could determine the time and date of each visit to a certain website, the length of time the user spent there, the length of time they spent on each page, and the duration of time they spent viewing each advertisement.
In certain instances, the user’s approximate geographic location could be ascertained using the browser’s IP address.. While Safari’s default settings prohibited all third-party cookies, Apple created specific exceptions to these settings since they would have made it impossible to access some widely used online features. Before the system was altered in March 2012, these exclusions were in effect. However, the exceptions allowed Google to create and apply the fix for Safari in the interim. It had the effect of instantly installing the DoubleClick Ad cookie on an Apple device anytime a user visited a website with DoubleClick Ad content, without the user’s knowledge or consent.
- Issue
As a result, Judith Vidal-Hall, Robert Hann, and Marc Bradshaw filed a claim, claiming that Google had violated its statutory obligations under the Data Protection Act, exploited their private information, and breached their confidence. Act 1998 (the "DPA") by monitoring and gathering data about their online activity without their knowledge or permission. Contrary to Google’s claimed position that browser-generated content could not be tracked or collected without the user’s express permission, the claimants' computers had the cookies installed without their knowledge or agreement.
Google said that because the information was browser-generated and maintained apart from information that could be used to identify a specific person, it did not meet the DPA’s definition of personal data. The judge described Google’s response as "surprising" and decided that behavioral data gathered by third-party cookies did qualify as personal data, even in cases where it was not directly linked to information that might be used to identify an individual.
Similarly in the case of LLOYD v GOOGLE LLC[2021] UKSC 50 where Lloyd had issued a claim against Google LLC, alleging breach of its duties as a data controller under section 4(4) of the Data Protection Act 1998 (“the DPA 1998”).
[61.4].Conclusion:
In conclusion, as the world is becoming more technologically advanced, we need to be informed that data breaches are a serious concern for both individuals and businesses. Having a response strategy in place to lessen the harm caused by a security incident and taking the required steps to avoid data breaches are imperative. We must all assume responsibility for safeguarding our sensitive information given the rise in the quantity of personal data being shared and kept online.
