That fact has been reinforced by recent enforcement action taken against Yahoo – action which should prompt general counsel to review what data processing arrangements are in place across their organisation and potentially update them.
- Intra-group data processing must be governed by written contracts
- New contract obligations apply under the GDPR
- Group-wide policies on data security not enough to comply with data protection law
- Case should prompt review of intra-group data processing arrangements
On Tuesday, the UK's Information Commissioner's Office (ICO) fined Yahoo's UK arm £250,000 after finding the company responsible for a serious breach of UK data protection laws.
Yahoo! UK Services Limited was fined after a cyber attack in 2014 led to hackers obtaining the security credentials of some Yahoo employees which they then used to access personal data belonging to an estimated 500 million user accounts globally. The ICO said that more than 515,000 of the accounts were in the UK and that Yahoo's UK subsidiary was the data controller responsible for ensuring the personal data for those account holders was secure.
The cyber attack that hit Yahoo was targeted at data stored by Yahoo Inc., the US-headquartered parent company in the Yahoo group.
Like many international businesses, Yahoo has servers based in the US where it stored the personal data of its users, including those of UK account holders. By storing personal data on the servers, Yahoo Inc. was considered by the ICO to be a data processor, acting on behalf of Yahoo's UK arm in processing the personal data of the UK account holders.
Under EU data protection laws, data controllers are required to have a written contract in place with data processors stipulating the scope of the processing involved and mandating that the processor puts technical and organisational measures in place to provide for adequate security of the personal data.
However, according to the ICO, Yahoo's UK arm did not have a data processing contract in place with Yahoo Inc. nor give its US parent "any instructions" on the steps it should take to protect the personal data it was responsible for as data controller.
The UK watchdog also found that Yahoo's UK division did not have appropriate monitoring systems in place to "protect the credentials of Yahoo employees with access to the personal data of Yahoo customers from being compromised", or to stop transfers of personal data from the UK to the US from going ahead before they had been investigated.
The ICO said there has been "no satisfactory explanation" for the failure of Yahoo's UK subsidiary to safeguard the data, and described the company's "inadequacies" as "systemic" issues that "appear to have been in place for a long period of time without being discovered or addressed". The inadequacies "put the personal data of up to 515,121 data subjects at risk", it said.
The watchdog ruled that Yahoo's UK arm breached the UK's old Data Protection Act. The Act applied in this case because of when the security incident affecting Yahoo occurred and despite the fact the Act was replaced by new data protection legislation on 25 May this year when a new Data Protection Act took effect to supplement the General Data Protection Regulation (GDPR).
The £250,000 penalty represents half the maximum fine that the ICO has the power to serve under the old Act.
The obligation to have a written contract in place with data processors also applies to data controllers under the new GDPR. Businesses face a maximum penalty of up to 2% of their annual global turnover, or €10m, whichever is highest, for failing to meet that obligation under the new Regulation.
The ICO's latest warning on intra-group data processing arrangements in this case is not in isolation.
The Office of the Data Protection Commissioner (ODPC) in Ireland also investigated the data breach stemming from Yahoo's 2014 security incident. Yahoo's main business in Europe, the Middle East and Africa (EMEA) is based in Ireland. As in the UK case, the Irish arm relied on Yahoo Inc. as a data processor.
In its statement issued last week, the ODPC found failings with Yahoo EMEA's oversight of Yahoo Inc's security measures, and said the Irish-based company did not do enough to ensure Yahoo Inc "complied with appropriate technical security and organisational measures as required by data protection law". It also criticised the company's reliance on "global policies" on security.
Organisations should ensure that, even where intra-group data processing agreements are already in place, those contracts are amended to include the mandatory contractual provisions introduced under Article 28 of the GDPR.
Businesses should not assume that intra-group arrangements are low risk because the counterparty is not external, particularly if the data processing in question is high risk in nature due to the volume or sensitivity of the data.
Kathryn Wynn is an expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com.