Are Website Owners Responsible for Privacy Accidents?

“Error is far more common than malice.”

There are many versions of this sentiment, but that is how I usually phrase it, based on my experience with privacy and security incidents. When people look for examples of privacy violations they tend to think of attacks, but the accidental ones are the kind that could happen to any organization.

When something goes wrong with data, you need to find out how and why, and make sure it never happens again. Part of that process is establishing whether a malicious actor was involved. But don't start from the assumption that the incident was hostile and let that narrow your investigation: mistakes, and their close cousins carelessness and negligence, are far more frequent.

Some of the largest GDPR incidents were caused by external attackers (British Airways and Marriott, for example), and some by companies deliberately doing things they shouldn't. Others are inadvertent: the company did something with personal data that violates the GDPR without realizing it. That is still a violation, since a controller is expected to know where it sends personal data and to confirm that diligently, and it failed on that point. But there is no attacker to blame, just an error and a failure to catch it.

The Folksam Incident

In November 2020, Folksam, which insures about half of Sweden's population, announced that it had inadvertently disclosed personal information on about a million of its customers. The data went to a group of large US-based technology companies, reportedly including Facebook, Google, Microsoft, and LinkedIn. It included the Swedish personal identity number (personnummer), which also serves as a financial identifier for banking, and whether individuals had bought pregnancy insurance, which may qualify as sensitive (special-category) data under the GDPR. Without a legal basis for transferring personal data outside the EU/EEA, and one is unlikely to exist for a transfer that nobody intended, the transfer is unlawful.

Over the past six months, EU data protection authorities have made it clear that they are paying attention to inappropriate transfers of personal data to the US. This incident involves both a very large number of data subjects and potentially harmful data, so the authorities could well decide to make an example of Folksam.

In mitigation, Folksam points out that there is no evidence the data has been used in an "inappropriate manner." But if the recipients in the US have used it at all, even just for targeted marketing, the authorities may well disagree.

How Privacy Automation Could Have Helped

Unlike the British Airways incident, which has been analyzed extensively, the details of what happened at Folksam are not yet known. We do know three high-level facts. First, personal data about customers was traveling to multiple third parties outside the EU/EEA. Second, Folksam didn't do it on purpose. And third, Folksam was unaware it was happening.

These facts strongly suggest that the data was leaking through third-party code on Folksam's website, code that either belonged directly to the US companies involved or funneled data to them indirectly down the line. The indirect route is a familiar one: a tag manager or marketing pixel that the site owner deliberately added loads further vendors' scripts that the site owner never reviewed, and those scripts typically send the page URL, form fields, or cookies to their own servers. Indirect transmission seems the more likely explanation here, since a large EU-based company like Folksam should broadly be aware of what code it has put on its own website (and this wasn't a case where code was changed maliciously), but we will learn more as the enforcement case plays out.

Lokker Privacy Automation

One thing is certain: if Folksam had been using the Lokker™ Privacy Automation Platform to monitor its site for cross-border data transfers, it would have known quickly that data was flowing to the US. A privacy violation alert would have flagged the situation so that Folksam's web staff could fix it. Or, if Folksam had enabled the option to block cross-border data transfers by default, the Lokker platform would have stopped those data flows from occurring in the first place.

Even if the third-party code was innocuous when it was added and only later changed to move data outside GDPR jurisdiction, continuous monitoring catches that change before the data crosses a border. If the transfer had been blocked automatically, there would have been no GDPR violation to report. It would have been just another day's work for Folksam's web staff, and the world would not be talking about Folksam as a company that has just had a data incident involving a million customers' information.
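To make the kind of monitoring described above concrete, here is an added example in JavaScript. It is not Lokker's or Folksam's code and does not show how the Lokker platform is implemented. It audits a constructed log of outbound requests observed on a page (in a browser the log would come from a PerformanceObserver over resource entries, a CSP reporting endpoint, or a proxy) against a first-party host and an allowlist of approved vendors. It flags requests to unapproved hosts, requests triggered by another vendor's script rather than the site's own code (the indirect route discussed above), and URLs that carry a Swedish personnummer, using the number's Luhn check digit to separate real identifiers from other ten-digit strings. The hostnames `insurer.example`, `tags.eu-analytics.example`, `pixel.us-adtech.example` and `cdn.us-social.example`, the sample log and its `initiatedBy` field are all constructed for the illustration. The last function shows the block-by-default idea as a Content-Security-Policy header that permits only the approved hosts.

```javascript
// Added example: audit outbound requests from a web page for third-party data leakage.
// Not Lokker or Folksam code; all hosts and the sample log below are constructed.

// Swedish personnummer (YYMMDD-NNNC) uses a Luhn check digit: weights 2,1,2,1,...
// over the first nine digits, digit-sum the products, and the check digit C makes
// the total a multiple of 10. A 12-digit form (YYYYMMDD-NNNC) is checked on its last 10 digits.
function isValidPersonnummer(candidate) {
  const digits = candidate.replace(/\D/g, "").slice(-10);
  if (digits.length !== 10) return false;
  let sum = 0;
  for (let i = 0; i < 9; i++) {
    let p = Number(digits[i]) * (i % 2 === 0 ? 2 : 1);
    if (p > 9) p -= 9; // digit sum of a two-digit product
    sum += p;
  }
  return (10 - (sum % 10)) % 10 === Number(digits[9]);
}

const PNR_PATTERN = /\b(?:\d{2})?\d{6}[-+]?\d{4}\b/g;

// Return distinct strings in a URL (or any text) that pass the personnummer check.
function findPersonnummer(text) {
  let decoded;
  try { decoded = decodeURIComponent(text); } catch { decoded = text; }
  const hits = new Set();
  for (const m of decoded.match(PNR_PATTERN) || []) {
    if (isValidPersonnummer(m)) hits.add(m);
  }
  return [...hits];
}

function hostOf(url) { return new URL(url).hostname; }

function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Each log entry: { url, initiatedBy } where initiatedBy is the script that issued the request
// (a constructed field; a real collector would derive it from the initiator or referrer).
function auditRequests(log, firstParty, approvedThirdParties) {
  const findings = [];
  for (const entry of log) {
    const host = hostOf(entry.url);
    if (isFirstParty(host, firstParty)) continue; // first-party traffic is in scope of the site's own controls

    if (!approvedThirdParties.includes(host)) {
      findings.push({ url: entry.url, host, kind: "unapproved_third_party" });
    }
    const via = hostOf(entry.initiatedBy);
    if (!isFirstParty(via, firstParty)) {
      // A vendor's script pulled in yet another vendor: the indirect path the site owner never reviewed.
      findings.push({ url: entry.url, host, kind: "indirect_third_party", via });
    }
    const identifiers = findPersonnummer(entry.url);
    if (identifiers.length > 0) {
      findings.push({ url: entry.url, host, kind: "personal_data_in_url", identifiers });
    }
  }
  return findings;
}

// Block-by-default as a browser-enforced policy: only the site itself and approved hosts may be contacted.
function buildBlockingPolicy(approvedThirdParties) {
  const allowed = ["'self'", ...approvedThirdParties.map((h) => `https://${h}`)].join(" ");
  return `default-src ${allowed}; script-src ${allowed}; connect-src ${allowed}; img-src ${allowed}`;
}

// Constructed sample: one first-party call, one approved EU vendor, one US pixel loaded by that
// vendor's tag with a valid personnummer (811218-9876 passes Luhn), and one US script loaded by
// the site itself whose order number (1234567890) fails Luhn and is therefore not flagged.
const FIRST_PARTY = "insurer.example";
const APPROVED = ["tags.eu-analytics.example"];
const SAMPLE_LOG = [
  { url: "https://www.insurer.example/api/quote", initiatedBy: "https://www.insurer.example/app.js" },
  { url: "https://tags.eu-analytics.example/collect?page=%2Fpregnancy-insurance", initiatedBy: "https://www.insurer.example/app.js" },
  { url: "https://pixel.us-adtech.example/track?uid=811218-9876&product=pregnancy", initiatedBy: "https://tags.eu-analytics.example/tag.js" },
  { url: "https://cdn.us-social.example/like.js?ref=order-1234567890", initiatedBy: "https://www.insurer.example/app.js" },
];

console.log(JSON.stringify(auditRequests(SAMPLE_LOG, FIRST_PARTY, APPROVED), null, 2));
console.log("Content-Security-Policy: " + buildBlockingPolicy(APPROVED));
```

Run with `node audit.js`. The US pixel produces three findings (unapproved host, loaded indirectly via the EU vendor's tag, and a personnummer in the query string), the US social script produces one, and the approved EU vendor produces none. In the monitoring mode described above, the findings are the alert; in the blocking mode, the generated header is what the browser enforces, so the pixel request never leaves the page.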


Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.