Yahoo case highlights pivotal role of Irish data watchdog

• Decision makers at businesses should note growing influence of Irish authority
• ODPC becoming more prominent as UK's data watchdog's role diminishes due to Brexit
• GDPR compliance and enforcement could be heavily shaped by ODPC

Karen Gallagher of Pinsent Masons, the law firm behind Out-Law.com, said the Office of the Data Protection Commissioner (ODPC) is likely to be active in leading investigations into data breaches that affect consumers across the EU.

Gallagher was commenting after the watchdog announced the results of its investigation into a data breach experienced by Yahoo in 2014. Yahoo's subsidiary for Europe, the Middle East and Africa (EMEA) is based in Ireland and reported the breach to the ODPC in September 2016.

According to the ODPC, approximately 39 million Europeans were affected by the data breach, which the company previously claimed stemmed from a "state-sponsored" cyber attack.

When it reported the incident, Yahoo announced that the data that might have been stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

The ODPC investigated the relationship that Yahoo EMEA had with its parent company based in the US, Yahoo Inc. The US parent was a processor of the EU data affected by the breach, according to the ODPC, and Yahoo EMEA had obligations as data controller to ensure the processor's data security policies and procedures conformed to EU data protection law.

However, the ODPC found failings with Yahoo EMEA's oversight of Yahoo Inc's security measures, and said the Irish-based company did not do enough to ensure Yahoo Inc "complied with appropriate technical security and organisational measures as required by data protection law". It also criticised the company's reliance on "global policies" on security.

The watchdog said Yahoo EMEA, which is now Oath EMEA following the acquisition of Yahoo by US telecoms company Verizon last year, is obliged to take "specified and mandatory actions within defined time periods" to become compliant.

"Yahoo should ensure that all data protection policies which it uses and implements take account of the applicable data protection law and that such policies are reviewed and updated at defined regular intervals," the ODPC said.

It said it has also "directed Yahoo to update its data processing contracts and procedures associated with such contracts to comply with data protection law" and "to monitor any data processors which it engages for compliance with data protection law on an ongoing basis in accordance its obligations under EU data protection law and as given effect or further effect in Irish law".

The watchdog said it plans to engage "closely" with Oath EMEA "to monitor the quick and comprehensive implementation of these actions", and said the company could be served with enforcement notices if it fails to comply. The ODPC said it will also "actively monitor Oath EMEA’s ongoing data processing operations" for compliance with the GDPR.

"The conclusion of this major investigation by the ODPC highlights the central role the ODPC has played and will continue to play in policing the compliance of major multinational companies with their data protection obligations," Gallagher of Pinsent Masons said. "Many of these companies have their European headquarters in Ireland, meaning that under the GDPR one stop shop mechanism, the ODPC will be the lead supervisory authority for their data processing activities, including investigating data breaches."

"It can be expected that GDPR's new requirement of mandatory reporting of data breaches to the local data protection supervisory authority within 72 hours where there the breach presents a risk of damage to the rights and freedoms of a data subject, will result in more notifications and thus more investigations by the ODPC in the future," she said.

"As the ODPC itself has highlighted, to facilitate decision-making and determine whether or not an obligation to notify arises, organisations need to have a high-quality risk management process and robust breach detection, investigation and reporting processes in place. The reality is that breaches do and will happen, but, as was the case in the Yahoo investigation, organisations will be examined by the regulator not only on the basis of the steps they have taken to protect the data they hold, but also on how well they have prepared themselves to quickly and effectively deal with a breach," Gallagher said.

In addition to reporting the 2014 data breach, believed to have impacted at least 500 million of its account holders globally, Yahoo also announced in 2016 that a further data breach had occurred in August 2013. The company subsequently admitted that all three billion of its users may have been impacted by that breach.

The ODPC said it had not investigated the 2013 breach because Yahoo EMEA was not a data controller under Irish data protection laws at the time of that incident, and therefore not subject to its jurisdiction.